QA:Testcase firewalld and NetworkManager

From FedoraProject

Latest revision as of 12:09, 12 December 2012


Description

Firewalld needs NetworkManager, which tells firewalld what network interface belongs to which zone. This is the test case to check if firewalld and NetworkManager are working together.

How to test

1. Connect to a network and check if the network is part of the default zone:

Show all supported zones:

 firewall-cmd --get-zones

The output should look like this:

 drop work internal trusted home dmz public block external

Show all active zones with the interfaces belonging to the zones:

 firewall-cmd --get-active-zones

The output should look like this (em1 is used as an example):

 public: em1

List all settings of the public zone:

 firewall-cmd --zone=public --list-all

The output should look like this:

 zone: public
 interfaces: em1
 services: mdns dhcpv6-client ssh

To see the zone of active devices with nmcli (the NetworkManager command line client):

 nmcli -f NAME,DEVICES,ZONE con status

The output should look like this:

 NAME                      DEVICES    ZONE
 System em1                em1        --

-- means to use the default zone.

You can also check (as root) the resulting firewall directly:

 iptables-save | grep ZONES

The result should be something like this:

 :INPUT_ZONES - [0:0]
 -A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
 -A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
 -A INPUT_ZONES -i em1 -j IN_ZONE_public

em1 is the interface used by NetworkManager for the connection. NM will automatically add the interface of a connection to the default zone.

2. Change the zone of a connection.

To change the zone of a connection you can either use a NetworkManager GUI or edit the connection configuration files manually.

Using a NetworkManager GUI

network-manager-applet (GNOME, Xfce)

You need network-manager-applet- from the updates-testing repo.

System Settings -> Network, select the connection, click on Options... and go to General tab. Change Firewall zone combo box and press Save....

kde-plasma-networkmanagement (KDE)

System Settings -> Network Settings, select the connection and click on Edit.... Change Firewall zone combo box and press OK.

After you change the zone in either network-manager-applet or kde-plasma-networkmanagement, try the following commands to make sure the zone has been changed correctly.

 firewall-cmd --get-active-zones
 nmcli -f NAME,DEVICES,ZONE con status

Editing connection configuration files

Add ZONE=work to the /etc/sysconfig/network-scripts/ifcfg-* file of the connection.

As root use an editor and add for example ZONE=work to the end of the ifcfg- file of that connection in /etc/sysconfig/network-scripts/. The result should look similar to this (only the last line is important):

 NAME="System em1"
 ZONE=work

NetworkManager will automatically reconnect and the zone will be set accordingly:

 firewall-cmd --zone=work --list-all

The output should look like this:

 zone: work
 interfaces: em1
 services: ipp-client mdns dhcpv6-client ssh

Also check the output of:

 firewall-cmd --get-zone-of-interface=em1

3. Remove the ZONE from the ifcfg file again

After you remove the ZONE line from the ifcfg file, NetworkManager will place the interface back into the default zone public.

4. Set a new default zone in the firewalld config file as root with an editor:

The firewalld config file is: /etc/firewalld/firewalld.conf

Change the DefaultZone to look like this:

 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
 DefaultZone=home

Reload firewalld:

 firewall-cmd --reload

Check if the connection is using the new default zone:

 firewall-cmd --get-zone-of-interface=em1
 firewall-cmd --zone=home --list-all

You can also set the default zone with firewall-cmd --set-default-zone=zone (no need to reload firewalld).
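
The zone checks in steps 1 to 4 can be scripted. The following is an added example, not part of the original test case: it predicts the zone from the ifcfg file and firewalld.conf and compares it with the active-zones output, so an interface that ends up in a different zone than configured is reported. The helper function names are hypothetical, and the one-line "zone: interface" output format shown in step 1 is assumed.

```shell
#!/bin/sh
# Added example (not part of the Fedora test case); helper names are hypothetical.
# Assumes the one-line "zone: if1 if2" active-zones format shown on this page.

# Print the ZONE= value of an ifcfg file (quotes stripped); empty if unset.
ifcfg_zone() {
    sed -n 's/^ZONE=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# Print DefaultZone from firewalld.conf; commented lines are ignored.
default_zone() {
    sed -n 's/^DefaultZone=//p' "$1" | tail -n 1
}

# Zone the interface should end up in: ZONE from ifcfg, else the default zone.
expected_zone() {   # expected_zone IFCFG CONF
    z=$(ifcfg_zone "$1")
    if [ -n "$z" ]; then echo "$z"; else default_zone "$2"; fi
}

# Read active-zones output on stdin; print the zone that holds interface $1.
active_zone_of() {
    awk -v ifc="$1" -F': *' '{ n = split($2, a, " ")
        for (i = 1; i <= n; i++) if (a[i] == ifc) print $1 }'
}

# Succeed only when the expected zone and the reported zone agree.
check_zone() {   # check_zone IFACE IFCFG CONF < active-zones-output
    want=$(expected_zone "$2" "$3")
    have=$(active_zone_of "$1")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed sample data; on a test machine feed the real files and
# the output of `firewall-cmd --get-active-zones` instead.
demo=$(mktemp -d)
printf 'NAME="System em1"\nZONE=work\n' > "$demo/ifcfg-em1"
printf '# Default: public\nDefaultZone=public\n' > "$demo/firewalld.conf"
if echo 'work: em1' | check_zone em1 "$demo/ifcfg-em1" "$demo/firewalld.conf"
then echo "PASS: em1 is in zone work"
else echo "FAIL: em1 is not in the expected zone"
fi
rm -rf "$demo"
```

On a real system the call would be: firewall-cmd --get-active-zones | check_zone em1 /etc/sysconfig/network-scripts/ifcfg-em1 /etc/firewalld/firewalld.conf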