I have set up two firewall rules, one opens port 9092 and the other opens port 999. I followed steps outlined here. Here is the picture:

[screenshot: the two firewall rules as shown in the console]

When I execute netstat -tuplen, I get the following:

[screenshot: output of netstat -tuplen on the VM]

and none of those ports are there. Also, when I use telnet ip 999 or telnet ip 9092, I do not get any responses. Note that for port 9092, I used Target tags: tag1 and added it to Network tags on my VM, but for port 999 it is set to All instances in the network. In addition, when I use gcloud to open a port I get the following message:

user1@instance:~$ gcloud compute firewall-rules create port8000 --allow tcp:8000 --source-tags=tags02 --source-ranges=0.0.0.0/0 --description="blah"
Creating firewall...failed.
ERROR: (gcloud.compute.firewall-rules.create) Could not fetch resource:
 - Request had insufficient authentication scopes.

What am I doing wrong and how can I fix it?

Saeed
  • You need to run some server program that listens on those ports. – Gordon Davisson May 29 '22 at 06:02
  • @Gordon Davisson: Can you please let me know how I can do it with Python (or Linux)? I need a document to read through for it. Also, is there a command line that helps me to check if they are open or not? – Saeed May 29 '22 at 06:41
  • It depends entirely on what service you're trying to offer on those ports. For example, if they're supposed to be web (http/https) servers, you might run Apache or nginx. – Gordon Davisson May 29 '22 at 14:57

1 Answer


Regarding the error you got with the gcloud command, the command looks right. The reason for the "insufficient authentication scopes" error is that it looks like you're trying to run this gcloud command from a GCE VM and there's a scope attached to it.

The default scope should be Allow default access. Here, you won't have access to the API required to add/modify firewall rules. You have to shut down the VM, update the scope (change it to Allow full access to all Cloud APIs) and start it up again (if you wish to run this from your VM). Otherwise, just use Cloud Shell.

EDIT: I didn't realize you didn't have anything running that listens on 999 or 9092, so of course you're not going to get any sort of response. If you need a quick listener then use netcat (nc) to run a listener on the port you want (e.g. nc -l 999).

Glen Yu
  • Is the flag `Allow full access to all Cloud APIs` problematic for the firewall rule that I have created or for the `gcloud` command line that I have executed? I believe what you are suggesting is a remedy for the second method that I have proposed, but in the first method I did it on the console and I am trying to figure out why that one does not work. If this is the case, can you please remove your statement since it does not answer my question? This way others can think and help me. Or you can leave it on my question as a comment. – Saeed May 29 '22 at 06:37
  • It depends. If your VM is a bastion and you have it locked down, it's ok to give it full access. Optionally, you can select the scopes you want to give API access to (which I believe should be the `Cloud Platform`). Honestly, I would recommend just starting up a Cloud Shell within your project and running your `gcloud` command in there – Glen Yu May 29 '22 at 13:24
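The comments ask for a Python way to run a listener and a way to check whether a port is open. The following is an added example, not code from the question or the answer: a minimal TCP listener (the role `nc -l 999` plays above) plus a connect check (what `telnet ip 999` does). It runs on 127.0.0.1 so it can be tried locally; host and port values are placeholders chosen for the example.

```python
import socket
import threading

def start_listener(host="127.0.0.1", port=0):
    """Start a minimal TCP listener in a background thread.

    A firewall rule only permits traffic to reach the VM; unless a process
    is bound to the port, the kernel still refuses the connection.
    port=0 lets the OS pick a free port; the actual port is returned.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    srv.settimeout(0.2)  # lets the accept loop notice the stop flag
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(b"listener says hello\n")
        srv.close()  # closing the listening socket frees the port again

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return (stop, thread), srv.getsockname()[1]

def stop_listener(handle):
    """Ask the accept loop to exit and wait for the socket to be closed."""
    stop, thread = handle
    stop.set()
    thread.join(timeout=2)

def port_is_open(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port succeeds.

    False with a correct firewall rule usually means nothing is listening,
    which `netstat -tuplen` (or `ss -tlnp`) on the VM will confirm.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    handle, port = start_listener()
    print(f"listening on 127.0.0.1:{port}, open: {port_is_open('127.0.0.1', port)}")
    stop_listener(handle)
    print(f"after stopping the listener, open: {port_is_open('127.0.0.1', port)}")
```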