Getting to know the Rocky Linux firewall: firewalld


I banged my head against a wall for two hours today. It turned out that Rocky 8.6 enables the firewall for me by default. Because these are virtual hosts at the same provider, and the neighbouring Ubuntu 18, 20 and 22 machines have no firewall, I assumed Rocky would not have one either. I guessed wrong.

The symptom: from the machine itself, connecting to the Tomcat service via localhost/127.0.0.1 or the host's internal IP (192.168.x.x) worked fine, but connecting through the public IP produced an error.

The Windows version of curl showed this error:

curl: (28) Failed to connect to x.x.x.68 port 8888 after 21023 ms: Timed out

curl on the Rocky host itself:

curl: (7) Failed to connect to x.x.x.68 port 8610: No route to host

Since Remote Desktop on port 3389 could connect, I ran a command to check, and found that the firewall was running:

sudo service firewalld status

After stopping the service with sudo service firewalld stop, everything worked. Still, it is worth learning how to open a port in firewalld.
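As an added example (not from the original post, and not Rocky's or firewalld's own tooling), here is a small POSIX shell script that generalizes the troubleshooting above: it decides whether a port that answers on localhost but not from outside is a bind-address problem or a firewalld problem. The pure functions take the text of ss -ltn and firewall-cmd --list-ports as arguments so they can run offline; diagnose_live is the wrapper that runs the real commands (firewall-cmd needs root). The sample socket table and port list at the bottom are constructed, not captured from the author's host.

```shell
#!/bin/sh
# Added example, not from the original post.
# Classifies "works on localhost, times out / no route to host from outside".

# bind_scope SS_OUTPUT PORT -> prints "wildcard", "local" or "none"
#   wildcard: some socket on PORT is bound to 0.0.0.0 / * / [::]
#   local:    PORT is only bound to a specific address (loopback or internal IP)
#   none:     nothing listens on PORT
bind_scope() {
    printf '%s\n' "$1" | awk -v p="$2" '
        NR > 1 {                                  # skip the ss header line
            addr = $4                             # "Local Address:Port" column
            n = split(addr, parts, ":")
            if (parts[n] != p) next               # not our port
            seen = 1
            host = substr(addr, 1, length(addr) - length(p) - 1)
            if (host == "0.0.0.0" || host == "*" || host == "[::]" || host == "::") wild = 1
        }
        END { if (wild) print "wildcard"; else if (seen) print "local"; else print "none" }'
}

# port_open LIST_PORTS_OUTPUT PORT PROTO -> prints "open" or "closed"
# LIST_PORTS_OUTPUT is the space-separated text of `firewall-cmd --list-ports`
port_open() {
    for spec in $1; do
        [ "$spec" = "$2/$3" ] && { echo open; return 0; }
    done
    echo closed
}

# diagnose SS_OUTPUT LIST_PORTS_OUTPUT PORT PROTO -> one-line verdict
diagnose() {
    scope=$(bind_scope "$1" "$3")
    fw=$(port_open "$2" "$3" "$4")
    case "$scope:$fw" in
        none:*)          echo "nothing is listening on $3/$4: check that the service is running" ;;
        local:*)         echo "$3/$4 is bound to a loopback or internal address only: check the service bind address" ;;
        wildcard:closed) echo "$3/$4 is listening on all addresses but is not open in firewalld: firewalld is blocking it" ;;
        wildcard:open)   echo "$3/$4 is listening and open in firewalld: look outside this host (provider firewall, routing)" ;;
    esac
}

# diagnose_live PORT PROTO: run the real commands on this host (root needed)
diagnose_live() {
    if [ "$(firewall-cmd --state 2>/dev/null)" != running ]; then
        echo "firewalld is not running on this host, so it is not the cause"
        return 0
    fi
    diagnose "$(ss -ltn)" "$(firewall-cmd --list-ports 2>/dev/null)" "$1" "$2"
}

# Constructed sample data (not real output from the author's server):
# 8888 listens on all addresses, 8610 only on loopback, nothing on 9999.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      100    0.0.0.0:8888        0.0.0.0:*
LISTEN 0      100    127.0.0.1:8610      0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'
SAMPLE_PORTS='3389/tcp 8080/tcp'

diagnose "$SAMPLE_SS" "$SAMPLE_PORTS" 8888 tcp
diagnose "$SAMPLE_SS" "$SAMPLE_PORTS" 8610 tcp
diagnose "$SAMPLE_SS" "$SAMPLE_PORTS" 9999 tcp
```

The distinction the script makes is the one that cost the two hours above: a "No route to host" or timeout from the public address with a clean localhost connection points at the packet filter only when the socket is really bound to a wildcard address; a service bound to 127.0.0.1 gives the same outside symptom with the firewall wide open.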

To see all open ports:

firewall-cmd --list-ports

You can see all of your configurations and settings at once with:

firewall-cmd --list-all

To add a port to your firewall zone (thus opening it for use), just run this command:

sudo firewall-cmd --zone=public --add-port=8080/tcp

Note: if the service is not running, it shows this error message:

FirewallD is not running

Start the service:

sudo service firewalld start

Check the current default zone; by default it should be public:

sudo firewall-cmd --get-default-zone

To remove a port, just reverse the command with a single word change:

firewall-cmd --zone=public --remove-port=8080/tcp

If 8080 has already been removed, removing it again still reports success, but also prints a warning:

Warning: NOT_ENABLED: '8080:tcp' not in 'public'

Warning: Seriously, read this next bit.

By default, all changes to firewalld's configuration are temporary. If you restart the whole firewalld service, or restart your machine, none of your changes to the firewall will be saved unless you do one of two very specific things.

But once you have a working configuration, you can save your changes permanently with the command below. Do this last, to write the settings permanently; otherwise they have to be added again after every reboot, which is a nuisance.

sudo firewall-cmd --runtime-to-permanent

After writing them, to avoid the runtime and permanent settings getting out of sync, you can do a manual reload:

sudo firewall-cmd --reload

Warning: You must update your firewall settings to accept the new port before reloading. Otherwise the reload will lock down your ssh access.
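The sequence above (add the port at runtime, --runtime-to-permanent, --reload) is the one that can lock you out if the configuration being saved no longer allows ssh. As an added example (not from the original post or the Rocky docs), this POSIX shell script wraps that sequence with two checks: it refuses to persist a runtime configuration that does not allow ssh, and after the reload it reports any port that is still runtime-only (that is, would be lost on the next reboot). The pure functions take firewall-cmd output as text so they can be checked offline; persist_live runs the real commands and assumes ssh is on port 22. The sample port and service lists are constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Persist a firewalld port safely: check ssh is still allowed, save, reload,
# then verify that runtime and permanent port lists agree.

# runtime_only RUNTIME_PORTS PERMANENT_PORTS -> prints, one per line, the port
# specs present at runtime but missing from the permanent config
runtime_only() {
    for spec in $1; do
        hit=no
        for p in $2; do
            [ "$p" = "$spec" ] && hit=yes
        done
        [ "$hit" = no ] && printf '%s\n' "$spec"
    done
    return 0
}

# ssh_allowed SERVICES PORTS SSH_PORT -> prints "yes" if the zone allows the
# "ssh" service or SSH_PORT/tcp explicitly, otherwise "no"
ssh_allowed() {
    for s in $1; do
        [ "$s" = ssh ] && { echo yes; return 0; }
    done
    for p in $2; do
        [ "$p" = "$3/tcp" ] && { echo yes; return 0; }
    done
    echo no
}

# persist_live PORT/PROTO: open the port in the default zone, make it
# permanent, reload, and verify. Assumes ssh listens on 22 (adjust SSH_PORT).
SSH_PORT=22
persist_live() {
    spec=$1
    [ "$(firewall-cmd --state 2>/dev/null)" = running ] \
        || { echo "firewalld is not running" >&2; return 1; }
    zone=$(firewall-cmd --get-default-zone)
    firewall-cmd --zone="$zone" --add-port="$spec" >/dev/null || return 1

    # The runtime config is what --runtime-to-permanent copies, so check it
    # for ssh before saving rather than after.
    if [ "$(ssh_allowed "$(firewall-cmd --zone="$zone" --list-services)" \
                        "$(firewall-cmd --zone="$zone" --list-ports)" "$SSH_PORT")" != yes ]; then
        echo "refusing to save: zone $zone does not allow ssh at runtime" >&2
        return 1
    fi
    firewall-cmd --runtime-to-permanent >/dev/null || return 1
    firewall-cmd --reload >/dev/null || return 1

    drift=$(runtime_only "$(firewall-cmd --zone="$zone" --list-ports)" \
                         "$(firewall-cmd --permanent --zone="$zone" --list-ports)")
    if [ -n "$drift" ]; then
        echo "still runtime-only after reload: $drift" >&2
        return 1
    fi
    echo "$spec is saved permanently in zone $zone"
}

# Constructed sample data (not captured from the author's host): 8888/tcp was
# added at runtime but never saved, so it would vanish on reboot.
SAMPLE_RUNTIME_PORTS='3389/tcp 8080/tcp 8888/tcp'
SAMPLE_PERM_PORTS='3389/tcp 8080/tcp'
SAMPLE_SERVICES='cockpit dhcpv6-client ssh'

echo "runtime-only ports:"
runtime_only "$SAMPLE_RUNTIME_PORTS" "$SAMPLE_PERM_PORTS"
echo "ssh allowed: $(ssh_allowed "$SAMPLE_SERVICES" "$SAMPLE_PERM_PORTS" "$SSH_PORT")"
```

Running runtime_only against the two lists is also a quick audit on an existing host: anything it prints is a rule somebody added by hand and forgot to persist, which is exactly the state the post's warning describes.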


Sources

firewalld for Beginners
https://docs.rockylinux.org/guides/security/firewalld-beginners/

Initial Settings : Firewall
https://www.server-world.info/en/note?os=Rocky_Linux_8&p=initial_conf&f=2
