Podman ports and firewalld

 February 24, 2023

A few weeks ago, I was doing a security check on one of my machines to ensure that everything was secure when I noticed that there were some ports open that I was surprised to find out. The way I discovered those ports was by checking some ports with netcat (nc -zv IP_ADDRESS PORT). I was expecting those ports to be closed, and I got surprised when netcat claimed to be able to connect to them.

This machine uses firewalld as firewall, so I first ran firewall-cmd --list-all. The result was not what I was expecting: those ports were not listed as open. Checking with ss -tulpn, it became clear that the daemons were bound to the 0.0.0.0 address. There was still something off, because what’s the point of using firewalld if it is not blocking the traffic?

Since this machine runs in a cloud provider, I’ve speculated that the problem was caused by some networking black magic the provider was playing, such as making traffic appear from a local address or skipping the firewall. Testing other services, it became apparent that was not the case and that only processes run by Podman were affected. I started to suspect the problem was that, for some reason, Podman traffic was not passing through firewalld. To check if this was true, I used nft list ruleset, which allows dumping the raw nftables rules that the kernel has. Among the various rules I was expecting, I found:

tcp dport 12345 counter packets 0 bytes 0 dnat to 10.88.0.1:12345

The presence of this rule means that the traffic reaching port 12345 was directly redirected to the container’s port without going through the firewall. I quickly constrained the port to the local address and solved the issue.

I think this short story is essential for three reasons:

Containers are Linux, and debugging containers behaviors can be done in a very similar way as for any other Linux process
It is crucial to often test for security vulnerability and do it in multiple ways. If I had limited myself to checking which ports were opened on firewalld I would never have found those ports to be open
If you are using Podman with exposed ports, check if those are open immediately!

 Containers, Linux, Security

 firewalld, Podman

Say something

Comments

marky on 2023-02-27 14:05:26 UTC said:

i just noticed the same thing, how did you manage to close that port from public ip?

nothing i do seams to be working

thanks

Fabio Alessandro Locati on 2023-02-27 15:36:21 UTC said:

Hey marky,

My solution was to bind the podman port to localhost, which can be done in one of the following modes:

If you are running it from CLI, you can use -p 127.0.0.1:12345:12345
If you are using the Kubernetes Pod manifest, by specifing hostIP: 127.0.0.1 like:

ports:
  - containerPort: 12345
    hostPort: 12345
    hostIP: 127.0.0.1

I hope this helps!