Cockpit TCP port open in Firewall by default without having cockpit installed

Hi,

While looking at the firewall page of node1 (settings → firewall), I see that Cockpit is listed as a service with TCP port 9090 in the public zone. I never installed cockpit, so I wonder why this service is listed with an open TCP port by default?

TIA

Also, the command below does not list the cockpit service:

systemctl --type=service

The port is open by default to be able to use cockpit immediately after installation, see Firewall — NS8 documentation

Thanks, how odd. I think it should not be defined as a service at all if not installed, let alone have ‘already opened’ ports for ‘convenience’. I think this is a security issue.

I removed the port with this command:

firewall-cmd --permanent --service=cockpit --remove-port=9090/tcp

and tried to remove the service by this command:

firewall-cmd --zone=public --remove-service=cockpit

followed by:

firewall-cmd --reload

Now the port is closed but the firewall clustermanager page still shows the cockpit service. How can I remove this service completely, and how to add it back in again IF one would like to install cockpit?

TIA

Edit: I see that the cockpit TCP port is open by default by design (Rocky Linux 10 : Initial Settings : Use Web Admin Console : Server World). Still odd in my view.

If there’s no service listening on that port, nothing bad can happen.
I agree that the “most secure/least information” way is to filter all ports and disable ping (drop instead of reject).
As on a Nethserver some default ports need to be open (i.e. HTTP/HTTPS) it doesn’t matter if there are some other closed ports IMO.

Filter port:

firewall-cmd --permanent --service=cockpit --remove-port=9090/tcp
firewall-cmd --permanent --remove-service=cockpit
firewall-cmd --reload

Open port:

firewall-cmd --permanent --service=cockpit --add-port=9090/tcp
firewall-cmd --permanent --add-service=cockpit
firewall-cmd --reload
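
A way to check the situation discussed in this thread (a port allowed in the firewall with nothing listening behind it), as an added example that is not part of any post above. The helper names `listening_ports` and `unused_allowed` are hypothetical and the sample data is constructed; on a live node the inputs would come from the `firewall-cmd` and `ss` calls shown in the comments.

```shell
#!/bin/sh
# Added example: list TCP ports the firewall allows that have no listener.
# On a live node the two inputs would come from (run as root):
#   allowed=$(firewall-cmd --permanent --service=cockpit --get-ports)
#   sockets=$(ss -H -ltn)

# listening_ports (hypothetical helper): reads `ss -H -ltn` output on stdin
# and prints each listening TCP port once, one per line.
listening_ports() {
    # Field 4 is "Local Address:Port"; the port follows the last colon,
    # which also covers IPv6 forms such as [::]:443.
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# unused_allowed (hypothetical helper):
#   $1 = space-separated "port/proto" entries allowed by the firewall
#   $2 = `ss -H -ltn` output
# Prints the allowed TCP entries that no socket is listening on.
# Port ranges (e.g. 5000-5010/tcp) are not expanded and are always printed.
unused_allowed() {
    listening=$(printf '%s\n' "$2" | listening_ports)
    for entry in $1; do
        port=${entry%/*}
        proto=${entry#*/}
        [ "$proto" = "tcp" ] || continue
        printf '%s\n' "$listening" | grep -qx "$port" || printf '%s\n' "$entry"
    done
}

# Constructed sample data (not taken from a real host).
SAMPLE_ALLOWED="22/tcp 80/tcp 443/tcp 9090/tcp"
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 4096 127.0.0.1:9091 0.0.0.0:*'

unused_allowed "$SAMPLE_ALLOWED" "$SAMPLE_SS"
```

Entries it prints are candidates for the "Filter port" commands above; a listener bound only to 127.0.0.1 still counts as listening here.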