QA:Testcase persistent firewalld zones

From FedoraProject

Latest revision as of 16:32, 12 December 2012

Description

This is the test case to check if persistent changes of firewall zones are usable.

Settings in the zone done with firewall-cmd --permanent should survive reboot or firewalld service restart.

How to test

  • Get a list of all supported services:
 firewall-cmd --get-services

The result should be:

 cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba
 dhcpv6-client https openvpn imaps samba-client http dns ntp vnc-server
 telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
  • Get a list of services that are currently allowed in zone work:
 firewall-cmd --zone=work --list-services

should show: ipp-client mdns dhcpv6-client ssh

  • Now we'll permanently allow smtp in zone work. We can either use
 firewall-cmd --permanent --zone=work --add-service=smtp

and check that smtp was added to the configuration file of the zone:

 grep smtp /etc/firewalld/zones/work.xml

desired output: <service name="smtp"/>

Or we can change the configuration file manually with:

 cp /usr/lib/firewalld/zones/external.xml /etc/firewalld/zones/
 vim /etc/firewalld/zones/external.xml

add <service name="smtp"/> and save the file.

  • We need to reload firewalld so the change in the configuration file gets loaded:
 firewall-cmd --reload
  • Check that smtp is now listed by:
 firewall-cmd --zone=work --list-services

and

 iptables-save | grep work

should show

 -A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  • Now reboot or run service firewalld restart and make sure the change is persistent, i.e. the smtp service is still allowed.
  • If you want to revert the change you can either:
 firewall-cmd --permanent --zone=work --remove-service=smtp

or remove the <service name="smtp"/> line from /etc/firewalld/zones/work.xml,

or simply delete /etc/firewalld/zones/work.xml so that firewalld falls back to the default /usr/lib/firewalld/zones/work.xml configuration file of the zone.

In all cases you need to reload firewalld so the stored configuration becomes active.
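An added offline helper (not part of this test case or of firewalld) that models the checks above in Python: it parses a zone file in the format of /etc/firewalld/zones/work.xml, appends the <service name="smtp"/> element the way the manual edit does, diffs the runtime --list-services output against the permanent file to show what would be lost on reload or restart, and looks for the IN_ZONE_work_allow rule in iptables-save output. The zone XML, the iptables-save excerpt and the function names are constructed for the example; the chain naming follows what this page shows.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample in the format of /etc/firewalld/zones/work.xml (not copied from a system).
WORK_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ipp-client"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
"""
# Constructed iptables-save excerpt with the smtp rule the test case expects (port 25).
IPTABLES_SAVE = """-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
"""

def zone_services(zone_xml):
    """Services the zone file allows permanently (the <service name="..."/> elements)."""
    return [s.get("name") for s in ET.fromstring(zone_xml).findall("service")]

def add_service(zone_xml, service):
    """What the manual 'vim' step does: append <service name="..."/> once, idempotently."""
    root = ET.fromstring(zone_xml)
    if service not in (s.get("name") for s in root.findall("service")):
        ET.SubElement(root, "service", name=service)
    return ET.tostring(root, encoding="unicode")

def persistence_gap(list_services_output, zone_xml):
    """Diff `firewall-cmd --zone=X --list-services` output against the permanent file.
    runtime_only entries vanish on reload/restart; permanent_only entries need --reload."""
    runtime, permanent = set(list_services_output.split()), set(zone_services(zone_xml))
    return {"runtime_only": sorted(runtime - permanent),
            "permanent_only": sorted(permanent - runtime)}

def zone_allows_tcp_port(iptables_save_output, zone, port):
    """Look for the ACCEPT rule firewalld emits in IN_ZONE_<zone>_allow for a TCP port."""
    chain = f"-A IN_ZONE_{zone}_allow "
    for line in iptables_save_output.splitlines():
        f = line.split()
        if line.startswith(chain) and "tcp" in f and "ACCEPT" in f and "--dport" in f \
                and f[f.index("--dport") + 1] == str(port):
            return True
    return False

def effective_zone_file(zone, etc_dir="/etc/firewalld/zones", lib_dir="/usr/lib/firewalld/zones"):
    """The admin copy in /etc wins; deleting it makes firewalld fall back to the /usr/lib default."""
    etc_path = os.path.join(etc_dir, zone + ".xml")
    return etc_path if os.path.exists(etc_path) else os.path.join(lib_dir, zone + ".xml")
```

Run persistence_gap before and after the restart step: a non-empty runtime_only list means a change was made without --permanent and will not survive.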


For more examples see also http://fedoraproject.org/wiki/FirewallD