How to check the IP:PORT firewall uses?

mohtashims · September 24, 2017, 4:57am

I have my firewall process running

[root@development_techx tmp]# ps -ef | grep firewall
root     21169     1  0 08:50 ?        00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

I wish to know what ip : port number it is using. Can you please tell me how can i find out ?

I tried the below command but does not seem to give me a port number in the output:

netstat -anp | grep 21169
unix  3      [ ]         STREAM     CONNECTED     771780   21169/python

This will help me monitor if the firewall service is running or not from a remote monitoring server or a monitoring system like Uptime Robot

Can you please tell me how can i find out what port number; is the firewall process listening ON; inorder to monitor the firewall service from a remote system?

Chubler_XL · September 24, 2017, 11:31pm

The Firewall isn't a service that listens on a particular port so netstat will not be able to identify if it is running like it can for other services (like apache).

You could use firewall-cmd to enquire on the firewall status like this:

# firewall-cmd --state
running

mohtashims · September 25, 2017, 9:15am

I thought every running process including firewall process has to have a socket [IP Port] associated with it.

Not sure if firewall process was excluded from the rule, becoz the firewall process port does not show up no matter what.

This makes me believe that there can be processes like firewalld that can run without acquiring a port ? Interesting but some new concept to me.

Also, from @Chubler_XL's statement I understand that there is no way to remotely monitor the firewall like we monitor SMTP [port 25] or SSH [port 22].

Are both my understanding correct ?

Corona688 · September 25, 2017, 11:19am

Nope. Not at all.

bakunin · September 25, 2017, 5:11pm

Correct.

A firewall is not a service, but a software controlling the network operation of a system:

Let us start with a router: a router basically is a system with two network interfaces which stand in different IP-networks and a machinery in between which relays traffice between these two networks from one interface to the other, based on some rules (the "routing table"). Routing takes place on layer 3 of the network and hence the router "operates at layer 3".

A firewall is a similar machinery but operates on (more correctly: on top of) layer 4: again two network interfaces homed in different IP-networks, but the machinery (usually some software - the firewall process) in between operates on layer 4 and relays layer-4-packets (TCP, UDP, and similar protocols) between these two interfaces.

Per default all packets are "not relayed" (blocked) this way. By configuring rules some of these packets are allowed nonetheless and therefore indeed relayed.

There are two fundamental ways such firewalls operate: packet-filtering and stateful inspection.

In packet filtering the rules state which port of a certain IP on one side may communicate with which port on which IP on the other side. No effort is made to monitor the communication other than allowing some IP/port/destination/origin-combinations and blocking everything else.

Stateful inspection is different: packets are interpreted and their content is checked. Packets (or, rather, whole connections) are allowed/disallowed based on these checks. This needs a lot more computing and is a lot more intrusive than packet filtering and therefore real-world firewalls are usually a combination of both packet filters and some stateful inspection.

I hope this helps.

bakunin