Read-only first
Firewall port blocked on Linux
Prove the service is listening, then read host firewall rules before opening ports.
Safest first command
ss -ltnp
Before you run this
Expected output: Listening TCP sockets with local address, port, and process details when permissions allow.
When not to use it: Do not open firewall ports before proving the service should be reachable and is listening on the intended address.
Expected output example
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("app",pid=4242,fd=7))
How to read the result
A listener on 127.0.0.1 is local-only. A listener on a public or wildcard address may still be blocked by UFW, firewalld, nftables, iptables, or a provider firewall.
What to check next
No LISTEN row for the port
Means: The firewall may not be the first problem; the service is not accepting connections locally.
Next step: Inspect service state before changing firewall rules.
Listener is localhost-only
Means: The app is not bound to a public address.
Next step: Check service config and reverse proxy path.
Host firewall denies or lacks the port
Means: Firewall policy may block intended traffic.
Next step: Read UFW, firewalld, and nftables state before adding rules.
Firewall decision tree
Check listener, bind address, host firewall, and provider firewall in that order. Opening a port without confirming the service owner can expose the wrong process.
ss -ltnp
sudo ufw status verbose
sudo firewall-cmd --list-all
sudo nft list ruleset
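The listener reading described above and the decision-tree order (listener, bind address, host firewall) as one read-only shell script. This is an added example, not tooling from this hub: the function names classify_listener, firewall_triage and demo, and the sample ss output they parse, are constructed for the example; the firewall commands it runs are the ones listed above.

```shell
#!/bin/sh
# Added example: read-only triage for "firewall port blocked on Linux".
# Helper names (classify_listener, firewall_triage, demo) are assumptions
# for this example, not tools from the hub page.

# classify_listener PORT  (reads `ss -ltnp` style output on stdin)
# Prints exactly one word:
#   none        no TCP listener on PORT
#   local-only  every listener on PORT is bound to loopback (127.x / ::1)
#   public      at least one listener on PORT is bound to a wildcard or
#               non-loopback address (still possibly blocked by a firewall)
classify_listener() {
    port="$1"
    awk -v port="$port" '
        $1 == "LISTEN" {
            # Local address is column 4, e.g. 127.0.0.1:8080, *:22, [::]:443
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            # Strip the trailing ":PORT" to get the bind address
            bind = substr(addr, 1, length(addr) - length(port) - 1)
            if (bind ~ /^127\./ || bind == "[::1]" || bind == "::1") loop = 1
            else pub = 1
        }
        END {
            if (pub) print "public"
            else if (loop) print "local-only"
            else print "none"
        }'
}

# firewall_triage PORT: run the hub checks in order and stop at the first
# layer that explains the symptom. Every command here is read-only.
firewall_triage() {
    port="$1"
    state=$(ss -ltnp 2>/dev/null | classify_listener "$port")
    case "$state" in
        none)
            echo "no TCP listener on port $port: inspect the service before touching firewall rules"
            return 1 ;;
        local-only)
            echo "port $port is bound to loopback only: check bind address / reverse proxy, not the firewall"
            return 2 ;;
    esac
    echo "public listener on port $port; reading host firewall state (read-only):"
    # Show whichever front-ends are installed; nft shows the kernel ruleset either way.
    command -v ufw >/dev/null 2>&1 && sudo ufw status verbose
    command -v firewall-cmd >/dev/null 2>&1 && sudo firewall-cmd --list-all
    command -v nft >/dev/null 2>&1 && sudo nft list ruleset
    echo "host firewall read; check the provider/cloud firewall next"
    return 0
}

# Constructed sample of `ss -ltnp` output (not captured from a real host):
# an app on loopback, sshd on both wildcard addresses, redis on IPv6 loopback.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:* users:(("app",pid=4242,fd=7))
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=900,fd=4))
LISTEN 0 511 [::1]:6379 [::]:*'

# classify_sample PORT: classify a port against the constructed sample
classify_sample() {
    printf '%s\n' "$SAMPLE_SS" | classify_listener "$1"
}

# demo: offline walk-through on the constructed sample
demo() {
    for p in 8080 22 6379 443; do
        echo "port $p: $(classify_sample "$p")"
    done
}

# With a port argument, triage the live host; otherwise run the offline demo.
if [ $# -eq 1 ]; then
    firewall_triage "$1"
else
    demo
fi
```

Run it with no arguments to see the classification on the sample, or with a port number (for example `sh triage.sh 8080`) to walk the live host in the hub's order; it exits non-zero before reading any firewall state when the listener itself is the problem.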
Bad fixes to avoid
Do not open broad ranges or 0.0.0.0 exposure before confirming service owner, intended port, and upstream cloud firewall policy.
Common causes
- Service not listening
- Bound only to localhost
- Host firewall deny policy
- Cloud/provider firewall block
- Wrong port or protocol
What not to change yet
- Do not add allow rules before checking the listener.
- Do not assume UFW is the only firewall layer.
- Do not expose admin ports publicly without access controls.
Stop and escalate if
- The next step could interrupt users, remove data, or lock out access.
- The output includes secrets, customer data, or private infrastructure details.
- You cannot explain the blast radius of the repair command.
Guides and drills
- Port already in use hub: use when the intended port is already owned by another process.