Firewall-cmd lists the port open but nmap says it's closed

Hello everyone

I am trying to open a port (which it seems is already open) on a CentOS7 machine, but although I can see the port open, nmap reports that it is closed. Why does nmap not see that the port is open?

[root@trape 2024]# firewall-cmd --permanent --zone=public --add-port=39474/tcp
Warning: ALREADY_ENABLED: 39474:tcp
success
[root@trape 2024]# firewall-cmd --reload
success
[root@trape 2024]# nmap -p 39474 localhost

Starting Nmap 6.40 ( http://nmap.org ) at 2024-04-24 11:24 BST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000092s latency).
Other addresses for localhost (not scanned): 127.0.0.1
PORT      STATE  SERVICE
39474/tcp closed unknown

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

[root@trape 2024]# firewall-cmd --list-port
27008/tcp 53000/tcp 39474/tcp

Thank you

Hello,

  1. Check if Anything’s Listening: First, make sure something is actually running on port 39474. Use ss -tuln | grep 39474 or netstat -tuln | grep 39474 to check. If nothing shows up, that’s why nmap says it’s closed—because there’s no service listening. Nmap will show the port as closed if there is no service listening on it.

  2. SELinux Might Be in the Way: If SELinux is on, it could be messing with your port settings. Try turning it off temporarily (if possible, as this might not be an option for production servers) with setenforce 0, then check the port again with nmap.

  3. Double-Check Firewall Settings: You’ve opened the port in the firewall, but it’s worth checking again. Use firewall-cmd --list-all-zones to make sure everything looks right.

  4. Try Scanning the External IP: Instead of localhost, use your server’s actual IP address for the nmap scan. Sometimes, scanning localhost acts differently.

  5. Additional Firewall Layer: Depending on your setup, especially if your server is a virtual host, there might be another firewall layer at the provider level. Check if there’s a network-level firewall on which the port also needs to be configured.

Here is another trick I use for troubleshooting. The nc command allows you to instantly open any port on your host, and then you can check whether that port is open with nmap. For example:

Open port with nc:
nc -l -p 35555
Then open another terminal, either on localhost or on a remote host, and try that port to see if it is open:

$ nmap -p 35555 localhost
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-26 11:07 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000069s latency).
Other addresses for localhost (not scanned): ::1

PORT      STATE SERVICE
35555/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

Hope this helps…
Lubos
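To make the "allowed by the firewall, but nobody listening" distinction from the answer above mechanical, here is a small added script (my own example, not code from Lubos or from the original posts). It assumes firewalld is running, `ss` from iproute is installed, and the port is given as the first argument; the helper names `listener_in_ss_output`, `diagnose` and `check_port` are my own.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts).
# Assumptions: firewalld is running, `ss` (iproute) is installed, and the
# port to check is passed as $1 (zone optionally as $2, default "public").

# Read `ss -ltn` output on stdin and succeed (exit 0) only if a TCP socket
# is in LISTEN state on the given port. Column 4 is Local Address:Port, so
# "*:39474", "0.0.0.0:39474" and "[::]:39474" all end in the port after the
# last ":" once split.
listener_in_ss_output() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Combine the firewall answer ("yes"/"no", as printed by
# firewall-cmd --query-port) with whether anything listens, and print one
# token describing what a scanner would see.
diagnose() {
    case "$1:$2" in
        yes:yes) echo "open" ;;               # service reachable through the firewall
        yes:no)  echo "closed-no-listener" ;; # the thread's case: allowed, nobody listening
        no:yes)  echo "filtered" ;;           # listener exists, firewalld rejects remote probes
        no:no)   echo "closed-blocked" ;;     # nothing listening and not allowed either
        *)       echo "unknown"; return 1 ;;
    esac
}

# Driver: query firewalld and the socket table for a port, then diagnose.
# Note: firewalld accepts everything arriving on the loopback interface, so
# scanning localhost never exercises the zone rules; scan the address of a
# real interface to see the firewall's effect.
check_port() {
    port="$1"
    zone="${2:-public}"
    fw=$(firewall-cmd --zone="$zone" --query-port="$port/tcp" 2>/dev/null) || fw=no
    if ss -ltn | listener_in_ss_output "$port"; then listening=yes; else listening=no; fi
    diagnose "$fw" "$listening"
}

# Run as: sh check_port.sh 39474 [zone]
[ -n "${1:-}" ] && check_port "$@"
```

The token "closed-no-listener" is exactly the situation in the question: firewall-cmd lists the port, but `ss -ltn` shows no LISTEN socket on it, so nmap answers "closed".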

Dear Lubos

Thank you very much for your reply and for sharing your nc tip.
Indeed, nmap shows 39474 as open when I do

nc -l -p 39474

on localhost.

Also,

firewall-cmd --list-all-zones
shows
(only the public zone has ports)

public (active)
target: default
icmp-block-inversion: no
interfaces: bond0 bond0.3012 bond0.39 bond0.3176
sources:
services: dhcpv6-client ssh
ports: 6817/udp 6817/tcp 6818/tcp 7321/tcp 6819/tcp 4505-4506/tcp 27008/tcp 53000/tcp 39474/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

With your explanation my understanding is that this particular port is open but is not listening to any particular service at the moment and that is why nmap says it is closed.

Yes, this appears to be the case. Just the mere fact that you were able to run the command nc -l -p 39474 proves that there is no service on your host listening on that particular port. Otherwise the nc command would output: nc: Address already in use