From Fedora Project Wiki
(Created page with "=== 1. Get a list of all supported services: === firewall-cmd --get-services The result should be: cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba...") |
No edit summary |
||
| Line 1: | Line 1: | ||
= | = Description = | ||
firewall-cmd --get-services | This is the test case to check if '''persistent''' changes of firewall zones are usable. | ||
Settings in the zone done with ''firewall-cmd --permanent'' should survive reboot or firewalld service restart. | |||
= How to test = | |||
*Get a list of all supported services: | |||
firewall-cmd --get-services | |||
The result should be: | The result should be: | ||
| Line 8: | Line 16: | ||
dhcpv6-client dns openvpn imaps samba-client http https telnet libvirt ssh | dhcpv6-client dns openvpn imaps samba-client http https telnet libvirt ssh | ||
ipsecipp-client amanda-client tftp-client dhcpv6 nfs tftp libvirt-tls | ipsecipp-client amanda-client tftp-client dhcpv6 nfs tftp libvirt-tls | ||
*Get a list of services that are currently allowed in zone ''work'': | |||
firewall-cmd --zone=work --list-services | |||
should show: ''ipp-client mdns dhcpv6-client ssh'' | |||
*Now we'll permanently allow ''smtp'' in zone ''work''. We can either use | |||
firewall-cmd --permanent --zone=work --add-service=smtp | |||
and check that ''smtp'' was added to configuration file of the zone: | |||
grep smtp /etc/firewalld/zones/work.xml | |||
desired output: ''<service name="smtp"/>'' | |||
Or we can change the configuration file manually with: | |||
cp /usr/lib/firewalld/zones/external.xml /etc/firewalld/zones/ | |||
vim /etc/firewalld/zones/external.xml | |||
add ''<service name="smtp"/>'' and save the file. | |||
*We need to reload firewalld so the change in configuration file gets loaded | |||
firewall-cmd --reload | |||
*Check that ''smtp'' is among: | |||
firewall-cmd --zone=work --list-services | |||
and | |||
iptables-save | grep work | |||
should show | |||
-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT | |||
*Now reboot or ''service firewalld restart'' and make sure the change is persistent, i.e. the ''smtp'' service is still allowed. | |||
*If you want to revert the change you can either: | |||
firewall-cmd --permanent --zone=work --remove-service=smtp | |||
or remove the ''<service name="smtp"/>'' line from ''/etc/firewalld/zones/external.xml'' | |||
or you can simply delete the ''/etc/firewalld/zones/external.xml'' | |||
so firewalld will load the default ''/usr/lib/firewalld/zones/external.xml'' | |||
configuration file of the zone. | |||
In all cases you need to reload firewalld so the stored configuration becomes active. | |||
Revision as of 10:19, 27 September 2012
Description
This is the test case to check if persistent changes of firewall zones are usable.
Settings in the zone done with firewall-cmd --permanent should survive reboot or firewalld service restart.
How to test
- Get a list of all supported services:
firewall-cmd --get-services
The result should be:
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https telnet libvirt ssh ipsecipp-client amanda-client tftp-client dhcpv6 nfs tftp libvirt-tls
- Get a list of services that are currently allowed in zone work:
firewall-cmd --zone=work --list-services
should show: ipp-client mdns dhcpv6-client ssh
- Now we'll permanently allow smtp in zone work. We can either use
firewall-cmd --permanent --zone=work --add-service=smtp
and check that smtp was added to configuration file of the zone:
grep smtp /etc/firewalld/zones/work.xml
desired output: <service name="smtp"/>
Or we can change the configuration file manually with:
cp /usr/lib/firewalld/zones/external.xml /etc/firewalld/zones/ vim /etc/firewalld/zones/external.xml
add <service name="smtp"/> and save the file.
- We need to reload firewalld so the change in configuration file gets loaded
firewall-cmd --reload
- Check that smtp is among:
firewall-cmd --zone=work --list-services
and
iptables-save | grep work
should show
-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
- Now reboot or service firewalld restart and make sure the change is persistent, i.e. the smtp service is still allowed.
- If you want to revert the change you can either:
firewall-cmd --permanent --zone=work --remove-service=smtp
or remove the <service name="smtp"/> line from /etc/firewalld/zones/external.xml
or you can simply delete the /etc/firewalld/zones/external.xml so firewalld will load the default /usr/lib/firewalld/zones/external.xml configuration file of the zone.
In all cases you need to reload firewalld so the stored configuration becomes active.