I’m running a rootless podman container listening on port 8080 on openSUSE Tumbleweed.

From the same host, there’s no problem accessing the container. Trying to access the container remotely fails due to firewalld blocking the connection.

What I don’t understand is this:

If I configure firewalld to forward port 80 to the container on port 8080 using

firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

I can access the container from a remote computer using port 80.

However, if I try:

firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=8080

I’m not able to reach the container. It seems that every port I try will work except for port 8080 in this case, and I can’t find any references explaining why this might be the case.

What’s going on here? Is it a conflict by trying to forward a port to itself? Is there any way to allow port 8080? Trying to allow port 8080 in the public zone fails as well.

  • Deebster@programming.dev (3 upvotes · 11 days ago)

    firewall-cmd --add-forward-port=port=8080:proto=tcp:toport=8080

    I’m not sure what you’re trying to achieve here; it’s already on port 8080 so this is at best a no-op. Normally you can’t bind two things to the same port and the second attempt would fail.

    This feels like an XY problem - what is your desired outcome? Just to access port 8080 from another computer?

    I have rootless podman set up similarly on Fedora. I have Caddy running on 1080 (HTTP) and 1443 (HTTPS) and this handles the reverse proxying to my other containers, including one on port 8000. Port 8000 is open in the firewall to allow direct access, left over from testing (I have an external firewall that filters out this port to most IPs).

    $ sudo firewall-cmd --list-all
    public (default, active)
      target: default
      ingress-priority: 0
      egress-priority: 0
      icmp-block-inversion: no
      interfaces: eth0
      sources:
      services: dhcpv6-client http http3 https mdns ssh
      ports: 8000/tcp
      protocols:
      forward: yes
      masquerade: no
      forward-ports:
            port=443:proto=tcp:toport=1443:toaddr=
            port=443:proto=udp:toport=1443:toaddr=
            port=80:proto=tcp:toport=1080:toaddr=
      source-ports:
      icmp-blocks:
      rich rules:
    $ sudo netstat -lnp | grep :8000
    tcp6       0      0 :::8000                 :::*                    LISTEN      2509/rootlessport
    $
    
    • bravemonkey (OP) (2 upvotes · 10 days ago)

      So ‘it’s already on port 8080’ makes sense, but as I mentioned, no remote computers on the same LAN can reach that port (they can ping the host with no issue), and that’s what I’m trying to resolve. I’m not using a reverse proxy.

      Through further testing it looks like I’d missed adding the firewall rule to allow port 8080 TCP to the public zone; I currently have it added to the ‘trusted’ zone, which came from some online guides regarding rootless podman, but that didn’t resolve it. I’m sure I’d added it to the public zone previously as well to test, with it not working, so I removed it; but it is now, so I’ll have to keep testing a bit to ensure it’s repeatable.

      • Deebster@programming.dev (2 upvotes · 10 days ago)

        If it’s losing the settings when you reboot, you can do firewall-cmd --runtime-to-permanent which does what the name suggests. Alternatively, you can use the --permanent flag when adding new services.
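Putting Deebster’s zone dump and the OP’s finding together: the rule has to live in the zone that is actually bound to the interface (here `public`, bound to `eth0`), and a `firewall-cmd --list-all` dump tells you whether that zone admits a port either directly under `ports:` or as the front-end port of a `forward-ports:` rule. The POSIX sh script below is an added example for this thread, not code from either poster. It embeds Deebster’s `public` zone dump above as its sample input so it runs offline; on a live host you would pipe in `firewall-cmd --list-all` instead. It assumes the dump layout shown in the thread, does not resolve ports that are opened indirectly via `services:`, and only prints (never runs) the `firewall-cmd` commands that would open a missing port.

```shell
#!/bin/sh
# Added example for this thread (not code from bravemonkey or Deebster):
# read a `firewall-cmd --list-all` zone dump and report whether a given
# port/proto is admitted, either directly under "ports:" or as the
# front-end port of a "forward-ports:" rule, and whether that zone is
# actually bound to an interface.  Usage: zone_check ZONE_DUMP PORT PROTO

# Sample input: Deebster's public zone from the thread, embedded so this
# runs offline.  On a live host use: dump=$(firewall-cmd --list-all)
SAMPLE_ZONE='public (default, active)
  target: default
  ingress-priority: 0
  egress-priority: 0
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http http3 https mdns ssh
  ports: 8000/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
        port=443:proto=tcp:toport=1443:toaddr=
        port=443:proto=udp:toport=1443:toaddr=
        port=80:proto=tcp:toport=1080:toaddr=
  source-ports:
  icmp-blocks:
  rich rules:'

# First word of the header line, e.g. "public".
zone_name() {
    printf '%s\n' "$1" | sed -n '1s/ .*//p'
}

# A zone only filters traffic when it is active: bound to an interface
# (or to a source range, which this check does not look at).  A rule added
# to a zone that owns no interface, such as "trusted" on the OP's host,
# never sees packets arriving on eth0.
zone_active() {
    printf '%s\n' "$1" | sed -n '1p' | grep -q 'active' || return 1
    ifaces=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*interfaces:[[:space:]]*//p')
    [ -n "$ifaces" ]
}

# zone_allows_port ZONE_DUMP PORT PROTO
# Prints how the port is admitted and returns 0; returns 1 if nothing
# under "ports:" or "forward-ports:" admits it.  Ports opened indirectly
# via "services:" are not resolved here (that needs the service XML files).
zone_allows_port() {
    dump=$1; port=$2; proto=$3
    # Direct allow: space-separated tokens on the "ports:" line.
    for tok in $(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*ports:[[:space:]]*//p'); do
        if [ "$tok" = "$port/$proto" ]; then
            echo "direct: $port/$proto is listed under ports:"
            return 0
        fi
    done
    # Forward rule whose front-end port is the one asked about.
    fwd=$(printf '%s\n' "$dump" \
        | grep -E "^[[:space:]]*port=$port:proto=$proto:" \
        | sed 's/^[[:space:]]*//' | head -n 1)
    if [ -n "$fwd" ]; then
        echo "forward: $fwd"
        return 0
    fi
    return 1
}

# zone_check ZONE_DUMP PORT PROTO: one-line diagnosis plus the firewall-cmd
# invocations that would open the port in that zone (printed, not run).
zone_check() {
    dump=$1; port=$2; proto=$3
    zone=$(zone_name "$dump")
    if ! zone_active "$dump"; then
        echo "zone $zone is not bound to an interface; its rules do not apply to incoming traffic"
        return 2
    fi
    if zone_allows_port "$dump" "$port" "$proto"; then
        return 0
    fi
    echo "$port/$proto is not admitted by zone $zone; to open it:"
    echo "  firewall-cmd --zone=$zone --add-port=$port/$proto"
    echo "  firewall-cmd --runtime-to-permanent   # keep it across reboots"
    return 1
}

# Demo on the embedded dump: 8000/tcp direct, 80/tcp via forward, 8080/tcp missing.
zone_check "$SAMPLE_ZONE" 8000 tcp
zone_check "$SAMPLE_ZONE" 80 tcp
zone_check "$SAMPLE_ZONE" 8080 tcp || true
```

Run it against the real host with `zone_check "$(firewall-cmd --list-all)" 8080 tcp`; if the zone it reports on is not the one bound to your LAN interface, check `firewall-cmd --get-active-zones` and add the port to that zone instead.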