# unblocking ports



## psyc (Apr 21, 2013)

I have added 

```
allow tcp from any to me dst-port 82 in via em0
```
but when I hit myserver:82 the page doesn't load. To confirm the server is running I did

```
# netstat -an | grep 82
tcp4       0      0 *.82                   *.*                    LISTEN
```
and

```
# sockstat -L4p 82
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS      
www      nginx      62583 9  tcp4   *:82                  *:*
www      nginx      62582 9  tcp4   *:82                  *:*
www      nginx      62581 9  tcp4   *:82                  *:*
www      nginx      62580 9  tcp4   *:82                  *:*
root     nginx      62579 9  tcp4   *:82                  *:*
```
Which means port 80 is running, but my firewall is blocking it. I can confirm I added the port 82 in the firewall with

```
# ipfw list
00010 allow ip from any to any via lo0
00020 allow tcp from me to any out setup keep-state
00021 allow ip from me to any out
05000 allow udp from any to me dst-port 25 in via em0
05000 allow udp from any 53 to me in via em0
05001 allow tcp from any to me dst-port 22 in via em0
05001 allow tcp from any to me dst-port 80 in via em0
05001 allow tcp from any to me dst-port 443 in via em0
05001 allow tcp from 168.192.0.100 to me dst-port 3306 in via em0
05010 allow icmp from me to any
05010 allow icmp from any to me
05010 allow ipv6-icmp from me to any
05010 allow ipv6-icmp from any to me
05110 unreach port udp from any to me dst-port 33435-33524
65000 deny log logamount 100 ip from any to any
65100 allow tcp from any to me dst-port 82 in via em0
65535 allow ip from any to any
```
How do I open the port in FreeBSD?


----------



## ShelLuser (Apr 21, 2013)

psyc said:

> I have added
> 
> ```
> allow tcp from any to me dst-port 82 in via em0
> ```


Added to what?



			
				psyc said:
			
		

> but when I hit myserver:82 the page doesn't load. To confirm the server is running I did
> 
> ```
> # netstat -an | grep 82
> ...


No, it means that there is a process _listening_ on port 82. Ports do not run, they only get compiled.

A bit more serious though; it can really help to make things more understandable by using the right jargon.

Another thing; how exactly do you "hit" your server on port 82 anyway? Because for all I know your method of testing could simply be flawed thus making you come to any possible wrong conclusions.

The reason I'm thinking in this direction is because I can see other services being active on this machine as well; SSH, native HTTP, HTTPS, and so on. Do those services work or can't you reach those either?

For what it's worth I'd first try to check if this is working at all, simply try something like `$ telnet 127.0.0.1 82`. When that works try this again but from another computer (and do make sure to replace the 127.0.0.1 with the right IP address).


----------



## psyc (Apr 21, 2013)

ShelLuser said:

> Added to what?


ipfw, like

```
ipfw add allow tcp from any to me dst-port 82 in via em0
```



			
				ShelLuser said:
			
		

> how exactly do you "hit" your server on port 82 anyway?


Via a browser: http://i.p.address:82.

Port 80 is working perfectly, if I hit http://i.p.address the page loads perfectly. SSH is disabled currently.



			
				ShelLuser said:
			
		

> The reason I'm thinking in this direction is because I can see other services being active on this machine as well; SSH, native HTTP, HTTPS, and so on. Do those services work or can't you reach those either?


`$ telnet 127.0.0.1 82` doesn't give any response, unable to connect, operation timed out, even `$ telnet 127.0.0.1` doesn't give any response, same operation timed out. I did change the IP too.


----------



## usdmatt (Apr 21, 2013)

Your firewall setup looks a bit strange. You seem to be using an 'open' style configuration - where the last rule is an allow all. The idea being that you add deny rules above this to stop the stuff you don't want. Personally I think the 'closed' style is much better where the last rule (65535) is a deny all, and you just add rules to allow the connections you want.

You have added a deny all rule to make it act like a closed firewall, but then the new rule you've added to allow port 82 is below this, so connections to port 82 are blocked. The first thing would be to modify whatever is creating that ruleset so that the rule to open port 82 goes higher up, preferably with the other rules you have to open ports 22, 25, 80, etc.

This doesn't explain why you got connection failed telnetting to 127.0.0.1 on port 82 though. Connections to 127.0.0.1 go via lo0, which should be allowed by your first rule. That suggests to me that nginx wasn't running when you tested that - according to your `netstat`, nginx is configured to listen on all interfaces, so I'd be surprised for you to get no response at all from it unless you've changed something else since posting that info above.

Just running `telnet 127.0.0.1` will give you no connection as that will try and connect to the telnet port, 23, which should be closed.
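To make the ordering point concrete, here is a small first-match simulator over the ruleset from the first post. It is an added example, not code from the thread or from ipfw itself; it parses the `ipfw list` output, walks the rules in number order the way the kernel does, and reports which rule decides a packet. Assumptions: dynamic `keep-state` rules and the TCP `setup` flag check are ignored, `me` is treated as a literal host label, and the source addresses of the test packets are constructed documentation addresses.

```python
"""Added example (not from the thread): first-match simulation of psyc's ipfw
ruleset. Simplifications: keep-state dynamic rules and the TCP 'setup' check
are ignored; 'me' is a literal host label rather than a real address set."""
import re
from dataclasses import dataclass

# The ruleset exactly as `ipfw list` printed it in the first post.
RULESET = """\
00010 allow ip from any to any via lo0
00020 allow tcp from me to any out setup keep-state
00021 allow ip from me to any out
05000 allow udp from any to me dst-port 25 in via em0
05000 allow udp from any 53 to me in via em0
05001 allow tcp from any to me dst-port 22 in via em0
05001 allow tcp from any to me dst-port 80 in via em0
05001 allow tcp from any to me dst-port 443 in via em0
05001 allow tcp from 168.192.0.100 to me dst-port 3306 in via em0
05010 allow icmp from me to any
05010 allow icmp from any to me
05010 allow ipv6-icmp from me to any
05010 allow ipv6-icmp from any to me
05110 unreach port udp from any to me dst-port 33435-33524
65000 deny log logamount 100 ip from any to any
65100 allow tcp from any to me dst-port 82 in via em0
65535 allow ip from any to any
"""

# Covers only the rule syntax that appears in the listing above.
RULE_RE = re.compile(
    r"^(?P<num>\d+) (?P<action>allow|deny|unreach)"
    r"(?: port| log logamount \d+)? (?P<proto>\S+)"
    r" from (?P<src>\S+)(?: (?P<sport>\d+))? to (?P<dst>\S+)"
    r"(?: dst-port (?P<dport>[\d-]+))?(?P<opts>.*)$"
)

@dataclass
class Packet:
    proto: str       # "tcp", "udp", "icmp", ...
    src: str         # "me" or an IP address
    dst: str
    dport: int
    direction: str   # "in" or "out"
    iface: str       # "em0" or "lo0"
    sport: int = 0

def parse(text):
    """Turn `ipfw list` output into rule dicts, in the order the kernel holds them."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unparsed rule: " + line)
        rules.append(m.groupdict())
    return rules

def _port_ok(spec, port):
    lo, _, hi = spec.partition("-")   # "82" or a range like "33435-33524"
    return int(lo) <= port <= int(hi or lo)

def matches(rule, pkt):
    if rule["proto"] != "ip" and rule["proto"] != pkt.proto:
        return False
    if rule["src"] not in ("any", pkt.src) or rule["dst"] not in ("any", pkt.dst):
        return False
    if rule["sport"] and pkt.sport != int(rule["sport"]):
        return False
    if rule["dport"] and not _port_ok(rule["dport"], pkt.dport):
        return False
    opts = rule["opts"].split()
    if "in" in opts and pkt.direction != "in":
        return False
    if "out" in opts and pkt.direction != "out":
        return False
    return "via" not in opts or opts[opts.index("via") + 1] == pkt.iface

def first_match(rules, pkt):
    """ipfw semantics: the first matching rule decides. Returns (number, action)."""
    for r in rules:
        if matches(r, pkt):
            return int(r["num"]), r["action"]
    raise RuntimeError("no rule matched; 65535 should always match")

def renumber(rules, old_num, new_num):
    """Copy of the ruleset with rule old_num given number new_num. ipfw keeps rules
    sorted by number and appends among equal numbers, so a stable sort reproduces
    where the kernel would place it."""
    moved = [dict(r, num="%05d" % new_num) if int(r["num"]) == old_num else r
             for r in rules]
    return sorted(moved, key=lambda r: int(r["num"]))

RULES = parse(RULESET)
FIXED = renumber(RULES, 65100, 5001)   # the fix suggested above: move the rule up

# Constructed test packets; 203.0.113.5 is a documentation address.
PORT82_FROM_NET = Packet("tcp", "203.0.113.5", "me", 82, "in", "em0", 40000)
PORT82_LOOPBACK = Packet("tcp", "me", "me", 82, "in", "lo0", 40001)

if __name__ == "__main__":
    print("as posted, port 82 in via em0:", first_match(RULES, PORT82_FROM_NET))
    print("as posted, port 82 via lo0:   ", first_match(RULES, PORT82_LOOPBACK))
    print("rule moved to 05001, via em0: ", first_match(FIXED, PORT82_FROM_NET))
```

Run as posted, the external port-82 packet stops at `65000 deny`, the loopback packet is accepted by rule `00010`, and once the rule carries number 5001 the same external packet is accepted at `05001 allow`. On the real box the equivalent of `renumber` is giving the rule an explicit number when adding it, e.g. `ipfw add 5001 allow tcp from any to me dst-port 82 in via em0`, rather than letting it land after the deny rule.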


----------



## psyc (Apr 22, 2013)

I am new to firewall setup, and the system seems to use ipfw. I was reading here in the forum that pf is the preferred method, but I am not so sure about it. I am still open to any recommendations on how it should be done and what the best practice is.

I have solved the issue as you suggested by placing the allow port 82 rule just below the allow port 80 rule, and restarting ipfw opened the port for me.

Nginx is configured to listen on just two ports, 80 and 82.


----------

