The firewall page in cluster admin shows removed ports

LayLow · September 25, 2025, 11:22am

I found that in the settings → firewall → node1 → public zones

Previously assigned port forwarding regarding ssh are displayed under TCP ports (all of them which are removed previously).

The firewall-cmd --list-all command shows: (where xxxx is the currently forwarded port to ssh 22)

 masquerade: no
  forward-ports: 
	port=xxxx:proto=tcp:toport=22:toaddr=
  source-ports: 
  icmp-blocks: 
  rich rules:

So here I do not see previously assigned forwarded ports. So it seems that the settings page in cluster-admin is not showing the correct port.

@mrmarkuz can this post be seperated and filed as a bug please?

mrmarkuz · September 25, 2025, 12:03pm

I’m not sure if it’s really a bug as the opened firewall ports are correctly shown on the firewall page, just the “toport” is missing.
It could be a feature to add the “toports” to the firewall page.
What do you think about it?

LayLow · September 25, 2025, 12:07pm

I think it the other way around, the list command shows the correct port, and the firewall page in cluster admin shows previously used ports too. So I changed the SSH port 3 times, and all ‘old’ ports are also listed on the firewall page, whilst they have been deleted and not is use anymore.

Somehow old ports are stored somewhere and queried by the firewall page in the UI.

mrmarkuz · September 25, 2025, 12:10pm

Thanks, now I got it.

EDIT:

After changing sshd port from 2222 to 2019 both ports are shown on the firewall page:

EDIT2:

The ports are still in the service and should be removed from there, so I’m again unsure if it’s really a bug.

root@contabo:~# firewall-cmd --info-service=ssh
ssh
  ports: 2222/tcp 2019/tcp
  protocols: 
  source-ports: 
  modules: 
  destination: 
  includes: 
  helpers: