What ports need to be allowed past the firewall? #1608

Closed
MaximilianKohler opened this issue Nov 29, 2023 · 4 comments
Labels
question Further information is requested

Comments

@MaximilianKohler
Contributor

MaximilianKohler commented Nov 29, 2023

I have listmonk running on port 5870:

docker ps
CONTAINER ID   IMAGE                      COMMAND                  CREATED         STATUS                    PORTS                                       NAMES
f3b9c4a688dc   listmonk/listmonk:latest   "./listmonk"             2 minutes ago   Up 38 seconds             0.0.0.0:5870->9000/tcp, :::5870->9000/tcp   listmonk_app
f8d43916e568   postgres:13                "docker-entrypoint.s…"   13 days ago     Up 38 seconds (healthy)   0.0.0.0:9432->5432/tcp, :::9432->5432/tcp   listmonk_db

I was getting an "nginx 502 bad gateway" error before adding port 9000 to TCP_OUT of my firewall. Adding port 5870 did nothing.

I was still getting a bunch of "error doing x: dial tcp 172.18.0.2:5432: connect: connection timed out", so I added 5432 to TCP_OUT and TCP_IN but it didn't work. Since docker ps shows 0.0.0.0:9432->5432/tcp I also tried 5432:9432 and 5432,9432, which didn't work, but 9432:5432 in TCP_OUT worked. I wonder then if I should be using 5870:9000 instead of 9000?

According to a search, 5870:9000 opens all ports between 5870 and 9000, so it would be better to only open 9000. Strange then that 5432:9432 doesn't work but 9432:5432 does. Do I really need to open all ports between 5432 and 9432? Is that what 9432:5432 even does? (EDIT: someone said that IS what it does and I shouldn't do it since it opens too many ports)

I have no idea what I'm doing. Is adding ports to TCP_IN the best way to do this? I saw in a guide for a similar email app that they used "custom TCP" (no idea if it was in/out) and only allowed their personal IP address, so that seems different.

@knadh
Owner

knadh commented Nov 29, 2023

9432:5432 exposes port 5432 inside the container via the port 9432 on the host, making the service accessible outside the container on that port. In Docker, it's basically $host_port:$internal_container_port. It's a:b map forwarding traffic from a to b, not a range.

knadh added the "question" label (Further information is requested) Nov 29, 2023
@MaximilianKohler
Contributor Author

MaximilianKohler commented Nov 29, 2023

I think you're referring to the line in the docker-compose.yml? https://github.com/knadh/listmonk/blob/7c991677eb57df1ae3f081dad5eb378258cce2eb/docker-compose.yml#L20C1-L20C18

I'm referring to the lines in my firewall config https://petalhost.com/blog/how-to-allow-the-port-in-csf-firewall.

I did more testing

Does not work:

5432:9432 
9432:11000
100:11000

Worked:

9432:5432 
1:110000
100:110000
10000:110000
50000:110000
90000:110000
100000:110000
110000
100000

So simply opening one port, either 100,000 or 110,000, stops the "error doing x: dial tcp 172.18.0.2:5432: connect: connection timed out" error...

Perhaps there's something unique about those big ports, but this https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers doesn't give me any clues. EDIT: Oh, yes there is:

Error: FASTSTART: (TCP_OUT IPv4) [] [iptables-restore v1.4.21: invalid port/service `100000' specified]. Try restarting csf with FASTSTART disabled, at line 5790

I guess setting an invalid port is disabling the firewall or something. 70,000 is invalid but 60,000 is not, but using 60,000 doesn't fix the error.

So 9432:5432 worked because it's an invalid port range which disabled the firewall.

Error: FASTSTART: (TCP_OUT IPv4) [] [iptables-restore v1.4.21: invalid portrange (min > max)]. Try restarting csf with FASTSTART disabled, at line 5790

And even 1:60000 (in and out) doesn't work. So maybe it's something else in the firewall.

Per https://discuss.elastic.co/t/error-fleet-server-failed-context-canceled-error-dial-tcp-172-18-0-2-i-o-timeout/306411/3 I found the docker network inspect command.

docker network ls
NETWORK ID     NAME                DRIVER    SCOPE
47f5b46070d0   bridge              bridge    local
2f1937b81c6c   host                host      local
248eba388dfb   listmonk_listmonk   bridge    local
632a3a18dd6d   none                null      local

docker network inspect listmonk_listmonk

listmonk_listmonk
172.18.0.0
172.18.0.1

listmonk_app
172.18.0.3/16

listmonk_db
172.18.0.2/16

So it's the listmonk_db IP that's having trouble connecting.

I found service docker restart at https://forum.configserver.com/viewtopic.php?t=12046 which surprisingly worked, but they say it's only a temporary fix, and I confirmed that restarting my firewall (CSF Firewall) "unfixes it". I guess the solution is to find a way to allow the listmonk IPs past CSF firewall.

I also see "2023/11/29 09:39:05 error fetching campaigns: read tcp 172.18.0.2:58264->172.18.0.3:5432: read: connection timed out". What is port 58264? I see 33318 and 46526 here:

netstat -plant | grep docker
tcp        0      0 0.0.0.0:5870            0.0.0.0:*               LISTEN      12679/docker-proxy
tcp        0      0 0.0.0.0:9432            0.0.0.0:*               LISTEN      12424/docker-proxy
tcp        0      0 172.18.0.1:33318        172.18.0.2:9000         ESTABLISHED 12679/docker-proxy
tcp        0      0 127.0.0.1:5870          127.0.0.1:46526         ESTABLISHED 12679/docker-proxy
tcp6       0      0 :::5870                 :::*                    LISTEN      12684/docker-proxy
tcp6       0      0 :::9432                 :::*                    LISTEN      12429/docker-proxy

I added all of these ports 9432,5432,5870,33318,46525 to TCP and TCP6 IN and OUT, but that didn't fix it.
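The point knadh makes earlier in the thread (Docker's a:b is a host:container map) and the two FASTSTART errors in the comment above come from the same confusion: CSF's TCP_IN/TCP_OUT entries are handed to iptables multiport, where a:b is a port range, a single port must be 0-65535, and a range must have min <= max. The functions below are an added example, not code from listmonk or CSF. They apply those acceptance rules to each entry before csf is restarted (so a bad entry is caught instead of aborting the ruleset load), and translate the PORTS column of docker ps into the host-side port that actually belongs in TCP_IN. The entry formats and the "host:container" naming are assumptions taken from the docker ps and csf output quoted in this thread.

```sh
#!/bin/sh
# Added example: validate CSF TCP_IN/TCP_OUT entries the way iptables does,
# and pull the host port out of a Docker port mapping. Not part of listmonk or CSF.

# csf_check_port_spec SPEC
#   Prints a verdict and returns 0 if iptables would accept SPEC.
#   Single port: 0-65535.  Range "a:b": both in 0-65535 and a <= b.
csf_check_port_spec() {
    spec=$1
    case $spec in
        *:*) lo=${spec%%:*}; hi=${spec#*:} ;;
        *)   lo=$spec;       hi=$spec ;;
    esac
    for p in "$lo" "$hi"; do
        case $p in
            ''|*[!0-9]*)
                echo "$spec: invalid port/service '$p' (not a number)"
                return 1 ;;
        esac
        if [ "$p" -gt 65535 ]; then
            # Matches the thread's "invalid port/service `100000' specified".
            echo "$spec: invalid port/service '$p' (above 65535)"
            return 1
        fi
    done
    if [ "$lo" -gt "$hi" ]; then
        # Matches the thread's "invalid portrange (min > max)": 9432:5432 is
        # a rejected range for iptables, not a Docker-style port map.
        echo "$spec: invalid portrange (min > max)"
        return 1
    fi
    if [ "$lo" -ne "$hi" ]; then
        echo "$spec: OK, opens all $((hi - lo + 1)) ports from $lo to $hi"
    else
        echo "$spec: OK, opens port $lo"
    fi
    return 0
}

# docker_map_to_csf MAPPING
#   Given one entry from the docker ps PORTS column, e.g. "0.0.0.0:5870->9000/tcp",
#   prints the host port (5870). Only the host side is reachable from outside;
#   the container port (9000) lives on the bridge network, not in TCP_IN.
docker_map_to_csf() {
    hostside=${1%%->*}          # "0.0.0.0:5870" or ":::5870"
    echo "${hostside##*:}"      # "5870"
}

# check_csf_list "22,80,9432:5432"
#   Checks every comma-separated entry; returns 1 if any would make csf fail.
check_csf_list() {
    status=0
    for entry in $(printf '%s\n' "$1" | tr ',' ' '); do
        csf_check_port_spec "$entry" || status=1
    done
    return $status
}

# Example run with the entries tried in this thread:
#   check_csf_list "9000,5870,9432,9432:5432,100000,1:110000"
```

Anything that fails this check makes iptables-restore abort, which is why entries such as 100000 or 9432:5432 appeared to "work": no ruleset was loaded at all.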

@MaximilianKohler
Contributor Author

MaximilianKohler commented Nov 29, 2023

This looks to be the solution CSF Firewall docker configuration (nvm). I'll try it later. Have other people who are using docker run into similar issues with their firewall?

EDIT:

I followed the directions in the link above and added additional lines for listmonk_listmonk's IPs:

172.17.0.0/16 # docker
172.18.0.0/16 # listmonk 
iptables -t nat -A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 172.18.0.0/16 ! -o docker0 -j MASQUERADE

But it didn't work.

EDIT:

It seems to be some unique problem with CSF Firewall & docker. I wasn't able to solve it but I bypassed it by not using docker to install & run listmonk. See https://community.centminmod.com/threads/installing-an-email-server-listmonk-postgresql-on-a-new-vhost-in-addition-to-a-forum-xenforo.24123/#post-97999 and the following comments.

EDIT: this worked https://forum.configserver.com/viewtopic.php?p=28680#p28680
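The symptom in the comments above (service docker restart fixes the 172.18.0.x timeouts, restarting CSF breaks them again) is what happens when a firewall rebuild flushes the rules Docker added for a bridge network: traffic between two containers on the same bridge, and between the host and the containers, then hits CSF's default policies. The script below is an added example, not listmonk's or CSF's code, that emits the iptables rules Docker would otherwise have installed for one user-defined bridge network, so they can be re-applied after CSF loads. Assumptions: CSF runs /etc/csf/csfpost.sh after it builds its ruleset (the documented hook for adding rules that must survive csf -r); Docker names a user-defined bridge br- followed by the first 12 hex digits of the network id shown by docker network ls (the default when com.docker.network.bridge.name is not set); the interface and subnet values are taken from the docker network output quoted in this thread. Note that Docker's own MASQUERADE rule excludes the network's own bridge interface, not docker0, which is what the rules below do.

```sh
#!/bin/sh
# Added example: re-create the per-network iptables rules Docker needs after
# CSF has rebuilt the firewall. Not part of listmonk or CSF. Run as root,
# ideally from /etc/csf/csfpost.sh (assumed hook path).

# bridge_iface NETWORK_ID
#   Interface Docker gives a user-defined bridge: "br-" + first 12 hex digits.
bridge_iface() {
    printf 'br-%.12s\n' "$1"
}

# docker_bridge_rules IFACE SUBNET
#   Prints one iptables command per line. Rules are inserted at position 1 so
#   they sit in front of CSF's own DROP/LOGDROP rules.
#   FORWARD 1: container <-> container on the same bridge (the 172.18.0.x:5432 case)
#   FORWARD 2: containers out to the rest of the network
#   FORWARD 3: replies back in to the containers
#   INPUT    : containers talking to the host (e.g. Docker's embedded DNS)
#   OUTPUT   : host talking to containers (docker-proxy -> container:9000)
#   NAT      : outbound SNAT, excluding the network's own bridge; added only if missing
docker_bridge_rules() {
    iface=$1
    subnet=$2
    cat <<EOF
iptables -I FORWARD 1 -i $iface -o $iface -j ACCEPT
iptables -I FORWARD 1 -i $iface ! -o $iface -j ACCEPT
iptables -I FORWARD 1 -o $iface -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I INPUT 1 -i $iface -s $subnet -j ACCEPT
iptables -I OUTPUT 1 -o $iface -d $subnet -j ACCEPT
iptables -t nat -C POSTROUTING -s $subnet ! -o $iface -j MASQUERADE 2>/dev/null || iptables -t nat -A POSTROUTING -s $subnet ! -o $iface -j MASQUERADE
EOF
}

# Usage, with the network id and subnet from this thread's docker network output.
# Print the rules first and review them; pipe to sh only once they look right:
#   docker_bridge_rules "$(bridge_iface 248eba388dfb)" 172.18.0.0/16
#   docker_bridge_rules "$(bridge_iface 248eba388dfb)" 172.18.0.0/16 | sh
# Repeat for docker0 / 172.17.0.0/16 if the default bridge is in use.
```

These rules trust everything attached to the bridge, which is the same trust model Docker's own rules give a network; published ports (0.0.0.0:5870 and :9432 above) are still governed by TCP_IN.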

@MaximilianKohler
Contributor Author

MaximilianKohler commented Dec 3, 2023

SMTP ports (usually 465 and/or 587 #1615) need to be allowed (TCP out & in?) at least. #1504 #952 #623

And some server hosts (Hetzner, etc.) block SMTP ports so you have to get permission to unblock them. https://docs.hetzner.com/cloud/servers/faq/#why-can-i-not-send-any-mails-from-my-server


2 participants