From Fedora Project Wiki

Latest revision as of 16:32, 12 December 2012

Description

This is the test case to check if persistent changes of firewall zones are usable.

Settings in the zone done with firewall-cmd --permanent should survive reboot or firewalld service restart.

How to test

  • Get a list of all supported services:
 firewall-cmd --get-services

The result should be:

 cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba
 dhcpv6-client https openvpn imaps samba-client http dns ntp vnc-server
 telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
  • Get a list of services that are currently allowed in zone work:
 firewall-cmd --zone=work --list-services

should show: ipp-client mdns dhcpv6-client ssh

  • Now we'll permanently allow smtp in zone work. We can either use
 firewall-cmd --permanent --zone=work --add-service=smtp

and check that smtp was added to the configuration file of the zone:

 grep smtp /etc/firewalld/zones/work.xml 

desired output: <service name="smtp"/>

Or we can change the configuration file manually with:

 cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
 vim /etc/firewalld/zones/work.xml

add <service name="smtp"/> and save the file.

  • We need to reload firewalld so the change in the configuration file gets loaded:
 firewall-cmd --reload
  • Check that smtp is now listed by:
 firewall-cmd --zone=work --list-services

and

 iptables-save | grep work

should show

 -A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  • Now reboot or service firewalld restart and make sure the change is persistent, i.e. the smtp service is still allowed.
  • If you want to revert the change you can either:
 firewall-cmd --permanent --zone=work --remove-service=smtp

or remove the <service name="smtp"/> line from /etc/firewalld/zones/work.xml

or you can simply delete /etc/firewalld/zones/work.xml so that firewalld loads the default /usr/lib/firewalld/zones/work.xml configuration file of the zone.

In all cases you need to reload firewalld so the stored configuration becomes active.
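The test above boils down to one question: does the permanent zone file and the runtime service list agree after a reload or reboot? The following script is an added example, not part of the Fedora wiki test case or of firewalld itself. It extracts the service names from a zone XML file and compares them with a space-separated runtime list of the kind firewall-cmd --zone=work --list-services prints, so a forgotten reload (service only in the file) or a runtime-only change (service that will vanish on reboot) is reported. The zone file it runs on is constructed inline; the function names zone_file_services and check_persistence are this example's own, and it assumes the one-line <service name="..."/> form shown on the page.

```shell
#!/bin/sh
# Added example, not part of the Fedora wiki test case: compare the services a
# firewalld zone file (the "permanent" configuration) grants with the list that
# firewall-cmd --zone=ZONE --list-services reports at runtime, so a missed
# "firewall-cmd --reload" or a runtime-only change shows up as a mismatch.
# It runs offline on a constructed zone file; on a real host you would pass
# "$(firewall-cmd --zone=work --list-services)" and /etc/firewalld/zones/work.xml.

# Print the service names declared in a zone XML file, one per line, sorted.
# Assumes the one-line <service name="..."/> form used in the wiki page.
zone_file_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Compare a space-separated runtime service list with a permanent zone file.
# Reports each difference and returns 0 only when both agree.
check_persistence() {
    runtime_list=$1
    zone_file=$2
    status=0
    for svc in $(zone_file_services "$zone_file"); do
        case " $runtime_list " in
            *" $svc "*) ;;
            *) echo "permanent only: $svc (not active; reload firewalld)"; status=1 ;;
        esac
    done
    for svc in $runtime_list; do
        grep -qF "<service name=\"$svc\"/>" "$zone_file" ||
            { echo "runtime only: $svc (lost on reload or reboot)"; status=1; }
    done
    return $status
}

# Constructed sample: the work zone after "firewall-cmd --permanent --zone=work --add-service=smtp".
ZONE_FILE=$(mktemp)
trap 'rm -f "$ZONE_FILE"' EXIT
cat >"$ZONE_FILE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ipp-client"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="smtp"/>
</zone>
EOF

# Runtime list before the reload: smtp is missing, so the check must fail.
if check_persistence "ipp-client mdns dhcpv6-client ssh" "$ZONE_FILE"; then
    echo "unexpected: runtime already matches permanent config"
else
    echo "mismatch detected before reload (expected)"
fi

# Runtime list after "firewall-cmd --reload": both lists agree.
if check_persistence "ipp-client mdns dhcpv6-client ssh smtp" "$ZONE_FILE"; then
    echo "permanent and runtime configuration agree"
fi
```

On a live system, run check_persistence once before and once after firewall-cmd --reload (or the reboot); the first run should report smtp as "permanent only" and the second should be silent. A zone file that uses the expanded <service name="..." /> form (with a space before the slash) would need the grep pattern relaxed accordingly.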


For more examples see also http://fedoraproject.org/wiki/FirewallD