QA:Testcase firewalld and NetworkManager

From FedoraProject

Revision as of 14:41, 6 September 2012


Description

This is the test case to check if firewalld and NetworkManager are working together.

How to test

1. Connect to a network and check if the network is part of the default zone:

Show all supported zones:

 firewall-cmd --get-zones

The output should look like this:

 drop work internal trusted home dmz public block external

Show all active zones with the interfaces belonging to the zones:

 firewall-cmd --get-active-zones

The output should look like this ('em1' is used as an example):

 public: em1

List all settings of the public zone:

 firewall-cmd --zone=public --list-all

The output should look like this:

 zone: public
 interfaces: em1
 services: mdns dhcpv6-client ssh

To see the zone of active devices with nmcli (the NetworkManager command line client):

 nmcli -f NAME,DEVICES,ZONE con status

The output should look like this:

 NAME                      DEVICES    ZONE
 System em1                em1        not set

'not set' means to use the default zone.

Zones are set in NetworkManager and the ifcfg- files in '/etc/sysconfig/network-scripts/'.

You can also check (as root) the resulting firewall directly:

 iptables-save | grep ZONES

The result should be something like this:

 :POSTROUTING_ZONES - [0:0]
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 -A POSTROUTING -j POSTROUTING_ZONES
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 :FORWARD_ZONES - [0:0]
 :INPUT_ZONES - [0:0]
 -A INPUT -j INPUT_ZONES
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
 -A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
 -A INPUT_ZONES -i em1 -j IN_ZONE_public

'em1' is the interface used by NetworkManager for the connection. NM will automatically add the interface of a connection to the default zone.

2. Change the zone of a connection.

Add ZONE=work to the ifcfg file of the connection.

As root use an editor and add "ZONE=work" to the end of the ifcfg- file of that connection in '/etc/sysconfig/network-scripts/'. The result should look similar to this (only the last line is important):

 UUID="......................"
 NM_CONTROLLED="yes"
 BOOTPROTO="dhcp"
 DEVICE="em1"
 ONBOOT=yes
 HWADDR=.........
 TYPE=Ethernet
 DEFROUTE=yes
 PEERDNS=yes
 PEERROUTES=yes
 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no
 NAME="System em1"
 ZONE=work

NetworkManager will automatically reconnect and the zone will be set accordingly:

 firewall-cmd --zone=work --list-all

The output should look like this:

 zone: work
 interfaces: em1
 services: ipp-client mdns dhcpv6-client ssh

Also check the output of

 firewall-cmd --get-zone-of-interface=em1

In KDE (nm-applet in GNOME does not support this yet) you should also be able to change the zone in 'System Settings' -> 'Network Settings': select the connection, click on 'Edit...', change the zone in the 'Firewall zone' combo box and press 'OK'.

3. Remove the ZONE from the ifcfg file again

After you remove the ZONE line from the ifcfg file, NetworkManager will place the interface back into the default zone 'public'.

4. Set a new default zone in the firewalld config file as root with an editor:

The firewalld config file is: /etc/firewalld/firewalld.conf

Change the DefaultZone to look like this:

 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
 DefaultZone=home

Reload firewalld:

 firewall-cmd --reload

Check if the connection is using the new default zone:

 firewall-cmd --get-zone-of-interface=em1
 firewall-cmd --zone=home --list-all

You can also set the default zone with 'firewall-cmd --set-default-zone=zone' (no need to reload firewalld).
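The four steps above all boil down to one invariant: the zone an interface is actually in (the IN_ZONE_* chain its INPUT_ZONES rule jumps to) must equal the zone NetworkManager asked for, which is ZONE= from the ifcfg file when present and DefaultZone= from firewalld.conf otherwise. The following script is an added example written for this page, not part of the Fedora test case or of firewalld itself; the function names expected_zone, active_zone and check_zone are my own, and the sample ifcfg, firewalld.conf and iptables-save texts are constructed from the outputs shown above.

```sh
#!/bin/sh
# Added example, not part of the Fedora test case: derive the zone an interface
# should be in from its ifcfg file and firewalld.conf, then compare it with the
# zone the live iptables ruleset actually routes the interface to.

# expected_zone IFCFG_TEXT FIREWALLD_CONF_TEXT
# A ZONE= line in the ifcfg file wins. An absent or empty ZONE means "use the
# default zone", i.e. DefaultZone= from firewalld.conf; firewalld's own fallback
# when that is missing is public.
expected_zone() {
    zone=$(printf '%s\n' "$1" | sed -n 's/^ZONE=["]*\([^"]*\)["]*$/\1/p' | tail -n 1)
    if [ -z "$zone" ]; then
        zone=$(printf '%s\n' "$2" | sed -n 's/^DefaultZone=\(.*\)$/\1/p' | tail -n 1)
    fi
    if [ -z "$zone" ]; then
        zone=public
    fi
    printf '%s\n' "$zone"
}

# active_zone IPTABLES_SAVE_TEXT IFACE
# Reads the dispatch rule firewalld installs, "-A INPUT_ZONES -i em1 -j IN_ZONE_public",
# and returns the zone name; prints nothing if the interface is bound to no zone.
active_zone() {
    printf '%s\n' "$1" | sed -n "s/^-A INPUT_ZONES -i $2 -j IN_ZONE_\(.*\)$/\1/p" | head -n 1
}

# check_zone IFCFG_TEXT FIREWALLD_CONF_TEXT IPTABLES_SAVE_TEXT IFACE
# Returns 0 when configuration and live ruleset agree, 1 on a mismatch (the
# connection has not been re-established since the change), 2 when the interface
# is in no zone at all (NetworkManager never told firewalld about it).
check_zone() {
    want=$(expected_zone "$1" "$2")
    have=$(active_zone "$3" "$4")
    if [ -z "$have" ]; then
        printf 'unbound: %s is in no zone chain (expected %s)\n' "$4" "$want"
        return 2
    elif [ "$want" = "$have" ]; then
        printf 'ok: %s is in zone %s\n' "$4" "$have"
        return 0
    else
        printf 'mismatch: %s expected in %s but iptables routes it to %s\n' "$4" "$want" "$have"
        return 1
    fi
}

# Constructed sample inputs, modelled on the outputs quoted in the test case.
IFCFG_WORK='DEVICE="em1"
ONBOOT=yes
TYPE=Ethernet
NAME="System em1"
ZONE=work'

IFCFG_NOZONE='DEVICE="em1"
ONBOOT=yes
TYPE=Ethernet
NAME="System em1"'

FWD_CONF='# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home'

IPT_PUBLIC='-A INPUT -j INPUT_ZONES
-A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
-A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
-A INPUT_ZONES -i em1 -j IN_ZONE_public'

IPT_WORK='-A INPUT -j INPUT_ZONES
-A INPUT_ZONES -i em1 -j IN_ZONE_work'

# Demonstration on the samples. On a real host feed in the contents of
# /etc/sysconfig/network-scripts/ifcfg-em1, /etc/firewalld/firewalld.conf and
# the output of "iptables-save" (all three read as root) instead.
check_zone "$IFCFG_WORK"   "$FWD_CONF" "$IPT_WORK"   em1 || true
check_zone "$IFCFG_NOZONE" "$FWD_CONF" "$IPT_PUBLIC" em1 || true
check_zone "$IFCFG_WORK"   "$FWD_CONF" "$IPT_PUBLIC" em2 || true
```

The second call is the situation after step 4: DefaultZone was changed to home but the interface is still in IN_ZONE_public, so the connection has to be re-established before firewalld moves it. The third call shows an interface with no INPUT_ZONES rule at all, which is what the SELinux denial mentioned in the older revision of this test case looks like from the packet-filter side: NetworkManager could not reach firewalld, so the interface was never bound to any zone.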