Revision as of 17:19, 11 December 2012
Description
This is the test case to check if persistent changes of firewall zones are usable.
Zone settings made with firewall-cmd --permanent should survive a reboot or a restart of the firewalld service.
How to test
- Get a list of all supported services:
firewall-cmd --get-services
The result should be:
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client dns openvpn imaps samba-client http https telnet libvirt ssh ipsec ipp-client amanda-client tftp-client dhcpv6 nfs tftp libvirt-tls
- Get a list of services that are currently allowed in zone work:
firewall-cmd --zone=work --list-services
should show: ipp-client mdns dhcpv6-client ssh
- Now we'll permanently allow smtp in zone work. We can either use
firewall-cmd --permanent --zone=work --add-service=smtp
and check that smtp was added to the configuration file of the zone:
grep smtp /etc/firewalld/zones/work.xml
desired output: <service name="smtp"/>
Or we can change the configuration file manually with:
cp /usr/lib/firewalld/zones/external.xml /etc/firewalld/zones/
vim /etc/firewalld/zones/external.xml
add <service name="smtp"/> and save the file.
- We need to reload firewalld so the change in configuration file gets loaded
firewall-cmd --reload
- Check that smtp is now listed by:
firewall-cmd --zone=work --list-services
and that
iptables-save | grep work
shows the corresponding rule:
-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
- Now reboot, or run service firewalld restart, and make sure the change is persistent, i.e. the smtp service is still allowed.
- If you want to revert the change you can either:
firewall-cmd --permanent --zone=work --remove-service=smtp
or remove the <service name="smtp"/> line from /etc/firewalld/zones/external.xml
or you can delete /etc/firewalld/zones/external.xml altogether, so that firewalld falls back to the default /usr/lib/firewalld/zones/external.xml configuration file of the zone.
In all cases you need to reload firewalld so the stored configuration becomes active.
For more examples see also http://fedoraproject.org/wiki/FirewallD
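The two verification steps above (the stored zone file and the loaded ruleset) can be scripted; the check below is an added example, not part of this test case or of firewalld. The zone XML and the iptables-save output are constructed samples; on a real system you would feed it the contents of /etc/firewalld/zones/work.xml and the output of iptables-save.

```shell
#!/bin/sh
# Added example: confirm a permanently added service shows up both in the
# stored zone file and in the running iptables ruleset.
# Assumption: zone files use the <service name="..."/> form shown in the test.

# Constructed sample standing in for /etc/firewalld/zones/work.xml after the
# smtp service was added with firewall-cmd --permanent
SAMPLE_ZONE_XML='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ipp-client"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="smtp"/>
</zone>'

# Constructed sample standing in for the output of iptables-save
SAMPLE_IPTABLES_SAVE='-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT'

# zone_has_service ZONE_XML SERVICE: succeeds if the stored zone enables SERVICE
zone_has_service() {
    printf '%s\n' "$1" | grep -q "<service name=\"$2\"/>"
}

# ruleset_allows_port IPTABLES_SAVE ZONE PORT: succeeds if the zone's allow
# chain accepts new TCP connections on PORT in the loaded ruleset
ruleset_allows_port() {
    printf '%s\n' "$1" | grep -q "^-A IN_ZONE_$2_allow .*--dport $3 .*-j ACCEPT"
}

# check_persistent ZONE_XML IPTABLES_SAVE ZONE SERVICE PORT: succeeds only when
# the stored configuration and the running ruleset agree on the service
check_persistent() {
    zone_has_service "$1" "$4" && ruleset_allows_port "$2" "$3" "$5"
}

# Usage on the constructed samples: smtp is TCP port 25
if check_persistent "$SAMPLE_ZONE_XML" "$SAMPLE_IPTABLES_SAVE" work smtp 25; then
    echo "smtp is stored in zone work and active in the ruleset"
else
    echo "smtp is missing from the zone file or from the ruleset" >&2
fi
```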