Read-only first

Firewall port blocked on Linux

Prove the service is listening, then read host firewall rules before opening ports.

Safest first command

ss -ltnp

Before you run this

Expected output: Listening TCP sockets with local address, port, and process details. The process column (from -p) is filled in only for sockets your user may inspect, so run it with sudo when you need the owner of every listener.

When not to use it: Do not open firewall ports before proving the service should be reachable and is listening on the intended address.

Expected output example

State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*         users:(("app",pid=4242,fd=7))

How to read the result

A listener on 127.0.0.1 (or [::1]) is local-only and no firewall change will make it reachable. A listener on 0.0.0.0, [::], or an interface address may still be blocked by UFW, firewalld, nftables, iptables, or a provider firewall outside the host.

What to check next

No LISTEN row for the port

Means: The firewall may not be the first problem; the service is not accepting connections locally.

Next step: Inspect service state before changing firewall rules.

Find Listening Ports with ss

Listener is localhost-only

Means: The app is not bound to a public address.

Next step: Check service config and reverse proxy path.

Inspect One Service Without Pager Traps

Host firewall denies or lacks the port

Means: Firewall policy may block intended traffic.

Next step: Read UFW, firewalld, and nftables state before adding rules.

Read UFW Policy Verbosely

Firewall decision tree

Check listener, bind address, host firewall, and provider firewall in that order. Only the layers that are installed will answer: firewall-cmd errors when firewalld is absent, and on distributions where iptables is the nft-backed variant, nft list ruleset also shows the rules UFW and iptables installed. Opening a port without confirming the service owner can expose the wrong process.

  1. ss -ltnp
  2. sudo ufw status verbose
  3. sudo firewall-cmd --list-all
  4. sudo nft list ruleset
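To make step 1 of the tree mechanical, here is an added example (not code from the original page) that classifies a port from `ss -ltn` output as none, localhost, or public and maps the verdict to the next step above. The sample rows are constructed for offline use, and `classify_listener` and `next_step` are names chosen for this example; on a real host pipe `ss -ltn` into `classify_listener`.

```shell
#!/bin/sh
# Added example, not from the original page: decide what to do with a port
# from `ss -ltn` output before touching any firewall rule. Rows follow the ss
# column order State Recv-Q Send-Q Local:Port Peer:Port; the header row and
# non-LISTEN rows are skipped. On a real host:  ss -ltn | classify_listener 8080

# Constructed sample rows in `ss -ltn` layout (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    [::1]:5432          [::]:*
LISTEN 0      4096   *:443               *:*'

# classify_listener PORT : reads ss rows on stdin, prints none|localhost|public.
# If a port has both a loopback and a non-loopback listener, public wins,
# because that is the binding a firewall rule would expose.
classify_listener() {
  port="$1"
  verdict=none
  while read -r state _rq _sq laddr _peer _rest; do
    [ "$state" = "LISTEN" ] || continue
    lport="${laddr##*:}"      # text after the last colon is the port
    lhost="${laddr%:*}"       # everything before it is the bind address
    [ "$lport" = "$port" ] || continue
    case "$lhost" in
      127.*|'[::1]') [ "$verdict" = public ] || verdict=localhost ;;
      *)             verdict=public ;;  # 0.0.0.0, [::], *, or a specific NIC address
    esac
  done
  printf '%s\n' "$verdict"
}

# next_step VERDICT : the page's guidance for each outcome.
next_step() {
  case "$1" in
    none)      echo "no listener: inspect the service before changing firewall rules" ;;
    localhost) echo "loopback only: fix the bind address or reverse proxy, not the firewall" ;;
    public)    echo "public listener: now read ufw, firewalld, and nft state" ;;
  esac
}

# Demo over the constructed sample.
for p in 8080 22 9999; do
  v=$(printf '%s\n' "$SAMPLE_SS" | classify_listener "$p")
  printf 'port %s: %s -> %s\n' "$p" "$v" "$(next_step "$v")"
done
```

The port is split off at the last colon so bracketed IPv6 addresses such as `[::1]:5432` parse the same way as IPv4 ones, and the header row is dropped by the LISTEN check rather than by relying on a flag, so the function also accepts `ss -ltnp` output with the process column appended.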

Bad fixes to avoid

Do not open broad port ranges or allow-from-anywhere rules before confirming the service owner, the intended port and protocol, and the upstream cloud firewall policy. A rule scoped to the source network and a single port is the smallest change that can work.

Common causes

  • Service not listening
  • Bound only to localhost
  • Host firewall deny policy
  • Cloud/provider firewall block
  • Wrong port or protocol

What not to change yet

  • Do not add allow rules before checking the listener.
  • Do not assume UFW is the only firewall layer.
  • Do not expose admin ports publicly without access controls.

Stop and escalate if

  • The next step could interrupt users, remove data, or lock out access.
  • The output includes secrets, customer data, or private infrastructure details.
  • You cannot explain the blast radius of the repair command.
