QA:Testcase firewalld and NetworkManager

From FedoraProject

Latest revision as of 12:09, 12 December 2012

Description

Firewalld needs NetworkManager, which tells firewalld what network interface belongs to which zone. This is the test case to check if firewalld and NetworkManager are working together.

How to test

1. Connect to a network and check if the network is part of the default zone:

Show all supported zones:

 firewall-cmd --get-zones

The output should look like this:

 drop work internal trusted home dmz public block external

Show all active zones with the interfaces belonging to the zones:

 firewall-cmd --get-active-zones

The output should look like this (em1 is used as an example):

 public: em1

List all settings of the public zone:

 firewall-cmd --zone=public --list-all

The output should look like this:

 zone: public
 interfaces: em1
 services: mdns dhcpv6-client ssh

To see the zone of active devices with nmcli (the NetworkManager command line client):

 nmcli -f NAME,DEVICES,ZONE con status

The output should look like this:

 NAME                      DEVICES    ZONE
 System em1                em1        --

-- means that the default zone is used.

You can also check (as root) the resulting firewall directly:

 iptables-save | grep ZONES

The result should be something like this:

 :POSTROUTING_ZONES - [0:0]
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 -A POSTROUTING -j POSTROUTING_ZONES
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 :FORWARD_ZONES - [0:0]
 :INPUT_ZONES - [0:0]
 -A INPUT -j INPUT_ZONES
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
 -A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
 -A INPUT_ZONES -i em1 -j IN_ZONE_public

em1 is the interface used by NetworkManager for the connection. NM will automatically add the interface of a connection to the default zone.
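The checks above are read by eye. The following script is an added example, not part of the Fedora test case, that parses the same two outputs and confirms that firewalld's report and the iptables ruleset agree on the zone of an interface. The sample outputs are constructed to match the test case; in a real run they come from firewall-cmd --get-active-zones and iptables-save (as root). It also accepts the multi-line --get-active-zones format and the shorter IN_<zone> chain names that later firewalld releases print, which the page itself does not show.

```shell
#!/bin/sh
# Added example (not the Fedora test case's own code): cross-check the zone
# firewalld reports for an interface against the zone the iptables rules enforce.

# Constructed sample of `firewall-cmd --get-active-zones`, one-line format as on this page.
ACTIVE_ZONES_SAMPLE='public: em1 wlan0
work: em2'

# Constructed sample in the multi-line format printed by later firewalld releases.
ACTIVE_ZONES_SAMPLE_NEW='public
  interfaces: em1 wlan0
work
  interfaces: em2'

# Constructed excerpt of `iptables-save | grep ZONES`.
IPTABLES_SAMPLE='-A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
-A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
-A INPUT_ZONES -i em1 -j IN_ZONE_public
-A INPUT_ZONES -i em2 -j IN_ZONE_work'

# reported_zone IFACE: reads --get-active-zones output on stdin, prints the zone
# that lists IFACE (either format), or nothing if IFACE is in no active zone.
reported_zone() {
    awk -v iface="$1" '
        /^ +interfaces:/ { list = substr($0, index($0, ":") + 1) }
        /^[^ ]+:/        { zone = $1; sub(/:$/, "", zone); list = substr($0, index($0, ":") + 1) }
        /^[^ :]+$/       { zone = $1; next }
        {
            n = split(list, a, " ")
            for (i = 1; i <= n; i++) if (a[i] == iface) { print zone; exit }
        }'
}

# enforced_zone IFACE: reads iptables-save output on stdin, prints the zone the
# INPUT_ZONES rule for IFACE jumps to (IN_ZONE_<zone> here, IN_<zone> in later releases).
enforced_zone() {
    awk -v iface="$1" '
        $1 == "-A" && $2 == "INPUT_ZONES" && $3 == "-i" && $4 == iface && $5 == "-j" {
            sub(/^IN_(ZONE_)?/, "", $6); print $6; exit
        }'
}

# check_zone IFACE EXPECTED: succeeds only if both views put IFACE in EXPECTED.
# Set ACTIVE_ZONES_OUTPUT / IPTABLES_OUTPUT from the real commands to check a live system.
check_zone() {
    iface=$1; expected=$2
    reported=$(printf '%s\n' "${ACTIVE_ZONES_OUTPUT:-$ACTIVE_ZONES_SAMPLE}" | reported_zone "$iface")
    enforced=$(printf '%s\n' "${IPTABLES_OUTPUT:-$IPTABLES_SAMPLE}" | enforced_zone "$iface")
    if [ "$reported" = "$expected" ] && [ "$enforced" = "$expected" ]; then
        echo "OK: $iface is in zone $expected (firewalld and iptables agree)"
        return 0
    fi
    echo "MISMATCH: $iface expected=$expected reported=${reported:-none} enforced=${enforced:-none}" >&2
    return 1
}

check_zone em1 public
check_zone em2 work
```

On a live system, run it as root with ACTIVE_ZONES_OUTPUT="$(firewall-cmd --get-active-zones)" and IPTABLES_OUTPUT="$(iptables-save)"; a mismatch means NetworkManager and firewalld disagree about the interface, which is exactly what this test case is meant to catch.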

2. Change the zone of a connection.

To change the zone of a connection you can either use a NetworkManager GUI or edit the connection configuration files manually.

Using a NetworkManager GUI

network-manager-applet (GNOME, Xfce)

You need network-manager-applet-0.9.7.0-6.git20121211.fc18 from the updates-testing repo.

System Settings -> Network, select the connection, click on Options... and go to General tab. Change Firewall zone combo box and press Save....

kde-plasma-networkmanagement (KDE)

System Settings -> Network Settings, select the connection and click on Edit.... Change Firewall zone combo box and press OK.

After you have changed the zone in either network-manager-applet or kde-plasma-networkmanagement, run the following commands to make sure the zone has been changed correctly:

 firewall-cmd --get-active-zones
 nmcli -f NAME,DEVICES,ZONE con status

Editing connection configuration files

Add ZONE=work to the /etc/sysconfig/network-scripts/ifcfg-* file of the connection.

As root, use an editor and add, for example, ZONE=work to the end of the ifcfg- file of that connection in /etc/sysconfig/network-scripts/. The result should look similar to this (only the last line matters):

 UUID="......................"
 NM_CONTROLLED="yes"
 BOOTPROTO="dhcp"
 DEVICE="em1"
 ONBOOT=yes
 HWADDR=.........
 TYPE=Ethernet
 DEFROUTE=yes
 PEERDNS=yes
 PEERROUTES=yes
 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no
 NAME="System em1"
 ZONE=work

NetworkManager will automatically reconnect and the zone will be set accordingly:

 firewall-cmd --zone=work --list-all

The output should look like this:

 zone: work
 interfaces: em1
 services: ipp-client mdns dhcpv6-client ssh

Also check the output of

 firewall-cmd --get-zone-of-interface=em1

3. Remove the ZONE from the ifcfg file again

After you remove the ZONE line from the ifcfg file, NetworkManager will place the interface back into the default zone, public.

4. Set a new default zone in the firewalld config file as root with an editor:

The firewalld config file is: /etc/firewalld/firewalld.conf

Change the DefaultZone to look like this:

 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
 DefaultZone=home

Reload firewalld:

 firewall-cmd --reload

Check if the connection is using the new default zone:

 firewall-cmd --get-zone-of-interface=em1
 firewall-cmd --zone=home --list-all
 

You can also set the default zone with firewall-cmd --set-default-zone=zone (no need to reload firewalld).
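Steps 2 to 4 describe one rule: a ZONE= line in the connection's ifcfg file decides the zone, and without it the DefaultZone from firewalld.conf applies. The script below is an added example, not part of the Fedora test case, that reads both files and prints the zone an interface is expected to end up in, so the result can be compared with firewall-cmd --get-zone-of-interface. The ifcfg files and firewalld.conf it reads are constructed in a temporary directory, so it never touches /etc.

```shell
#!/bin/sh
# Added example (not the Fedora test case's own code): compute the expected zone
# of a connection from its ifcfg file and firewalld.conf.

EXAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$EXAMPLE_DIR"' EXIT

# Constructed ifcfg file with an explicit zone (step 2 of the test case).
cat > "$EXAMPLE_DIR/ifcfg-em1" <<'EOF'
NM_CONTROLLED="yes"
BOOTPROTO="dhcp"
DEVICE="em1"
ONBOOT=yes
TYPE=Ethernet
NAME="System em1"
ZONE="work"
EOF

# Constructed ifcfg file without ZONE= (step 3: falls back to the default zone).
# The commented-out ZONE line must be ignored.
cat > "$EXAMPLE_DIR/ifcfg-em2" <<'EOF'
DEVICE="em2"
TYPE=Ethernet
# ZONE=dmz
EOF

# Constructed firewalld.conf with DefaultZone changed as in step 4.
cat > "$EXAMPLE_DIR/firewalld.conf" <<'EOF'
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
EOF

# config_value FILE KEY: value of the last uncommented KEY=value line in FILE,
# with surrounding single or double quotes stripped; empty if KEY is not set.
config_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed "s/^[\"']//; s/[\"']\$//"
}

# expected_zone IFCFG CONF: ZONE= from the ifcfg file if present and non-empty,
# otherwise DefaultZone from CONF; "public" if neither is set (the fallback the
# comment in firewalld.conf above names as the default).
expected_zone() {
    zone=$(config_value "$1" ZONE)
    if [ -z "$zone" ]; then
        zone=$(config_value "$2" DefaultZone)
    fi
    printf '%s\n' "${zone:-public}"
}

for f in ifcfg-em1 ifcfg-em2; do
    printf '%s -> expected zone %s\n' "$f" \
        "$(expected_zone "$EXAMPLE_DIR/$f" "$EXAMPLE_DIR/firewalld.conf")"
done
```

Against a real system, point expected_zone at /etc/sysconfig/network-scripts/ifcfg-<name> and /etc/firewalld/firewalld.conf and compare its output with firewall-cmd --get-zone-of-interface=<device>; the two must match after NetworkManager has reconnected (or after firewall-cmd --reload for a DefaultZone change).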