Podman ports and firewalld
February 24, 2023
A few weeks ago, I was doing a security check on one of my machines to ensure that everything was secure, when I noticed some open ports that I was surprised to find.
The way I discovered those ports was by probing them with netcat (nc -zv IP_ADDRESS PORT).
I was expecting those ports to be closed, so I was surprised when netcat reported that it could connect to them.
This machine uses firewalld as its firewall, so I first ran
The result was not what I was expecting: those ports were not listed as open.
ss -tulpn, it became clear that the daemons were bound to the
There was still something off, because what’s the point of using firewalld if it is not blocking the traffic?
Since this machine runs at a cloud provider, I speculated that the problem was caused by some networking black magic the provider was playing, such as making traffic appear to come from a local address or skipping the firewall.
Testing other services made it apparent that this was not the case: only processes run by Podman were affected.
I started to suspect the problem was that, for some reason, Podman traffic was not passing through
To check if this was true, I used nft list ruleset, which dumps the raw nftables rules currently loaded in the kernel.
Among the various rules I was expecting, I found:
tcp dport 12345 counter packets 0 bytes 0 dnat to 10.88.0.1:12345
The presence of this rule means that traffic reaching port 12345 was redirected straight to the container’s port without going through the firewall. The rewrite happens in the nat prerouting hook, before firewalld’s input filtering for the host’s own ports is evaluated, so a port that firewalld reports as closed can still be reachable from the outside.
I quickly constrained the port to the local address and solved the issue.
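The audit described above can be scripted so that it does not depend on remembering to read the nftables dump by hand. The following is an added example, not code from the original post: it filters the output of nft list ruleset for dnat rules that carry no destination-address restriction, which is the shape of the rule found above. The sample ruleset embedded in the script is constructed for the demonstration, and the assumption that a port published with podman run -p 127.0.0.1:8080:8080 shows up as a rule prefixed with ip daddr 127.0.0.1 is mine, not something the post states.

```shell
#!/bin/sh
# Constructed sample of `nft list ruleset` output (not a real capture).
# The first dnat rule is the unrestricted one from the post; the second is
# what a port published only on the loopback address is assumed to look like.
SAMPLE_RULESET='table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 12345 counter packets 0 bytes 0 dnat to 10.88.0.1:12345
        ip daddr 127.0.0.1 tcp dport 8080 counter packets 0 bytes 0 dnat to 10.88.0.2:8080
    }
}'

# Read a ruleset on stdin and print every dnat rule that is not limited to a
# destination address. Such rules rewrite the packet before firewalld's input
# filtering runs, so the published port is reachable regardless of the zone rules.
find_unrestricted_dnat() {
    awk '/dnat to/ && !/ip daddr/ { sub(/^[ \t]+/, ""); print }'
}

# Same filter, but emit only the public port of each offending rule so the
# list can be compared with what `firewall-cmd --list-ports` claims is open.
unrestricted_ports() {
    find_unrestricted_dnat | awk '{ for (i = 1; i < NF; i++) if ($i == "dport") print $(i + 1) }'
}

# Demonstration on the constructed sample. On a real host replace the printf
# with: sudo nft list ruleset | find_unrestricted_dnat
printf '%s\n' "$SAMPLE_RULESET" | find_unrestricted_dnat
printf '%s\n' "$SAMPLE_RULESET" | unrestricted_ports
```

For every port the script lists, the fix the post applied corresponds to republishing the container with an explicit host address, for example `-p 127.0.0.1:12345:12345` instead of `-p 12345:12345`, after which the rule gains the `ip daddr` restriction and disappears from the script's output.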
I think this short story matters for three reasons:
- Containers are Linux, and debugging container behaviour can be done in much the same way as for any other Linux process
- It is crucial to test for security weaknesses often, and to do it in multiple ways. If I had limited myself to checking which ports firewalld reported as open, I would never have found those ports to be reachable
- If you are using Podman with exposed ports, check immediately whether those ports are open!