If you use fly.io as a reverse proxy, you might be surprised to find that when you run a port scan it looks like all ports are open.
This can look like a potential security issue, especially if all your proxy needs to do is route web traffic somewhere.
Fortunately, this is just Fly’s default-deny security policy at work: unless you specifically expose a port in your fly.toml file, traffic to that port cannot be forwarded to your app inside Fly. Let’s see this in action.
First, let’s prove the port appears to be open. Using netcat (nc), we can confirm that the telnet port looks open:
nc -vz site-on-fly.com 23
Connection to site-on-fly.com port 23 [tcp/telnet] succeeded!
Here the -v flag means verbose (give us any output you’ve got!), and the -z flag means scan for a listening daemon without sending it any data. site-on-fly.com is our example website, and 23 is the conventional telnet port.
As an aside: if we removed the -z flag and piped some data in with our request, we would normally expect some feedback. Try it on a server that accepts telnet connections, and then try it on your site on Fly.
Anyway, let’s try to connect with telnet:
telnet site-on-fly.com 23
Trying 1.2.3.4...
Connected to site-on-fly.com.
Escape character is '^]'.
Connection closed by foreign host.
It correctly resolves the domain to an IP address and then reports that it is connected, because the port is open at Fly’s proxy and accepting TCP connections.
It then immediately disconnects: on Fly’s side, the proxy tries to forward the connection, notices you haven’t enabled that particular port, and closes the connection. There is no telnet service running, so there is nothing else it can do.
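To turn the nc and telnet checks above into a repeatable check of your own app, here is an added example (not from the original post, and not Fly’s code): it connects to a port, waits for any data, and classifies the result, so a proxy that accepts and immediately closes (the behaviour described above) is distinguished from a real service that answers. The two local listeners are constructed stand-ins for those two cases; the host, port and timeout values are assumptions.

```python
import socket
import threading

def probe(host, port, timeout=3.0):
    """Connect to host:port and classify what sits behind it."""
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"                 # nothing accepting TCP at all
    except (socket.timeout, OSError):
        return "filtered-or-unreachable"
    with s:
        s.settimeout(timeout)
        try:
            data = s.recv(1024)
        except socket.timeout:
            return "open-silent"         # accepted, still open, sent nothing
        except ConnectionResetError:
            return "accepted-then-reset"
        if data == b"":
            # TCP handshake succeeded but the peer closed at once: what the
            # Fly proxy does for a port not exposed in fly.toml.
            return "accepted-then-closed"
        return "service: " + data[:32].decode("latin-1").strip()

def _serve(handler):
    """Start a one-shot listener on 127.0.0.1 and return its port (constructed test fixture)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def run():
        conn, _ = srv.accept()
        handler(conn)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return port

def proxy_like_port():
    """Stand-in for the proxy: accept the connection, then close without sending anything."""
    return _serve(lambda conn: None)

def banner_port():
    """Stand-in for a real service that greets the client with a banner."""
    return _serve(lambda conn: conn.sendall(b"220 example service banner\r\n"))

if __name__ == "__main__":
    for label, port in (("proxy-like", proxy_like_port()), ("banner", banner_port())):
        print(label, probe("127.0.0.1", port))
```

Point probe() at your own Fly hostname and a port you have not exposed in fly.toml and you should see "accepted-then-closed", matching the telnet session above; an exposed port with a service behind it returns the service line instead.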