
How to Fix Firewall Blocking Application Traffic Error

DodaTech, updated 2026-06-24

This tutorial shows how to find and fix a firewall that is blocking your application's traffic, checking one layer at a time: the host firewall, cloud security groups, container rules and SELinux.

The Problem

Your application cannot connect to a database, API, or other service:

Connection refused

Or:

Connection timed out

A firewall (software or hardware) is blocking traffic on the required port.

Quick Fix

1. Check UFW status (Ubuntu/Debian)

# Check if UFW is active and list rules
sudo ufw status verbose

# If UFW is active but the port is not allowed:
sudo ufw allow 3000/tcp  # Allow your app port
sudo ufw allow 5432/tcp  # Allow PostgreSQL
sudo ufw allow 6379/tcp  # Allow Redis

# Allow from a specific source IP only (prefer this over opening the port to everyone)
sudo ufw allow from 192.168.1.100 to any port 3000 proto tcp

# Reload
sudo ufw reload

2. Check firewalld (RHEL/CentOS/Fedora)

# Check current rules
sudo firewall-cmd --list-all

# Add a port
sudo firewall-cmd --permanent --add-port=3000/tcp
sudo firewall-cmd --permanent --add-port=5432/tcp

# Add a service
sudo firewall-cmd --permanent --add-service=http
sudo firewall-cmd --permanent --add-service=https

# Add a rich rule (specific source)
sudo firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="10.0.0.0/24" port protocol="tcp" port="3000" accept'

# Reload
sudo firewall-cmd --reload

3. Check iptables (any Linux)

# List all rules with their positions (rule order matters: the first match wins)
sudo iptables -L INPUT -n -v --line-numbers

# Look for REJECT or DROP rules matching your port

# Allow traffic on port 3000. -I inserts at the top of the chain so the rule lands
# before any catch-all REJECT/DROP; -A would append after it and never match.
sudo iptables -I INPUT -p tcp --dport 3000 -j ACCEPT

# Save rules (varies by distro; this path is read by iptables-persistent on Debian/Ubuntu).
# Use tee: a plain ">" redirect runs as your user, not root, and fails with permission denied.
sudo iptables-save | sudo tee /etc/iptables/rules.v4

4. Check cloud security groups

For cloud providers, the instance-level firewall is not the only barrier:

# AWS — check security group rules
aws ec2 describe-security-groups --group-ids sg-12345

# GCP — check VPC firewall rules
gcloud compute firewall-rules list

# Azure — check NSG rules (the resource group is required; my-rg is a placeholder)
az network nsg rule list --resource-group my-rg --nsg-name my-nsg

Ensure inbound rules allow the required port from the correct source CIDR.

5. Test connectivity

# Test port reachability
nc -zv 192.168.1.50 3000

# Expected (OpenBSD netcat): Connection to 192.168.1.50 3000 port [tcp/*] succeeded!
# "Connection refused" means closed (nothing listening); a timeout means filtered (dropped by a firewall)

# Test from the application server to the database server
telnet db.internal 5432

# Use nmap to see open ports; the STATE column distinguishes open, closed and filtered
nmap -p 3000,5432,6379 192.168.1.50

6. Check container firewalls

Docker containers have their own network rules:

# Check Docker network
docker network ls
docker network inspect bridge

# Ensure the container port is exposed
docker run -p 3000:3000 myapp

# Check Docker's iptables rules
sudo iptables -L DOCKER -n

7. Check SELinux/AppArmor

SELinux may block the application even when the firewall allows it:

# Check SELinux status
getenforce

# Check SELinux denials
sudo ausearch -m avc -ts recent

# Allow the port for a specific service (use -m instead of -a if the port is already labeled)
sudo semanage port -a -t http_port_t -p tcp 3000

Prevention

  • Document all required ports and their purpose.
  • Use infrastructure-as-code to manage firewall rules.
  • Keep firewall rules as restrictive as possible — allow only needed ports from specific sources.
  • Use a configuration management tool to enforce consistent rules.
  • Monitor firewall logs for denied traffic.
  • Test connectivity after every firewall change.


FAQ

How do I find which firewall is blocking my traffic?

Use nc -zv target port (netcat) to test the port. If it fails, check each firewall layer: local iptables, UFW/firewalld, cloud security groups, and any network firewall appliance.

What is the difference between a port being closed and filtered?

Closed means the port is reachable but nothing is listening. Filtered means the firewall is dropping packets (no response). A timeout usually means filtered. Connection refused usually means closed.
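As an added example (not code from the original page), a small Python probe that applies this closed/filtered distinction and the step-5 connectivity test: it classifies one TCP connect attempt and says which layer to check next. The loopback ports are constructed for the demo, and the NEXT_STEP wording is my own summary of the steps above.

```python
import errno
import socket

# Which layer to check next for each outcome, following the closed/filtered rule of thumb above.
NEXT_STEP = {
    "open": "port reachable; if the app still fails, check its bind address, auth or TLS",
    "closed": "host replied with RST, nothing listening: check the service is running and bound here",
    "filtered": "no reply: a firewall layer is dropping packets (UFW/firewalld/iptables, security group, appliance)",
    "unreachable": "no route to host: check routing, VPC peering and NACLs before the host firewall",
}


def probe_port(host, port, timeout=3.0):
    """TCP-connect to host:port and classify the result the way nc -zv reports it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:          # SYN sent, nothing came back -> "Connection timed out"
        return "filtered"
    except ConnectionRefusedError:  # RST came back -> "Connection refused"
        return "closed"
    except OSError as exc:          # anything else (DNS failure etc.) is re-raised
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise


def diagnose(host, port, timeout=3.0):
    """Return (state, what to check next) for one host:port."""
    state = probe_port(host, port, timeout)
    return state, NEXT_STEP[state]


def demo():
    """Constructed local demo: one listening loopback port and one closed loopback port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)                      # connects succeed even without accept()
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                           # nothing listens here now -> RST -> "closed"
    try:
        return {"open": diagnose("127.0.0.1", open_port, 1.0)[0],
                "closed": diagnose("127.0.0.1", closed_port, 1.0)[0]}
    finally:
        listener.close()
```

Run diagnose("db.internal", 5432) from the application server: "filtered" points at a firewall layer, "closed" at the service itself.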

Can I temporarily disable the firewall for testing?

Yes, but only temporarily: sudo ufw disable (UFW), sudo systemctl stop firewalld (firewalld), or temporarily open the cloud provider's firewall rule. Re-enable immediately after testing.
