From Fedora Project Wiki

Revision as of 09:51, 27 September 2012

Description

This is the test case to check if runtime changes of firewall zones are usable.

Settings changed in a zone with firewall-cmd (without the --permanent switch) are only valid until reboot or until the firewalld service is restarted.

How to test

Get settings of 'work' zone

 firewall-cmd --zone=work --list-all

Enable service 'samba-client' in zone 'work'

 firewall-cmd --zone=work --add-service=samba-client

To check (as root) if it has been enabled:

 iptables-save | grep work

These two lines should be in the output:

 -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
 -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT

And

 firewall-cmd --zone=work --list-services

should contain samba-client.

Now undo the previous change. You can either manually remove the service

 firewall-cmd --zone=work --remove-service=samba-client

or just restart firewalld,

 service firewalld restart

because the change we made was not permanent.

 firewall-cmd --zone=work --list-all

should now show the same output as the first time, i.e. no samba-client.
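
The steps above as one script, as an added example that is not part of the original wiki page. The function names (has_service_rules, lists_service, run_test_case) are illustrative, and the undo step uses the restart path rather than --remove-service.

```shell
#!/bin/sh
# Added example: automates the runtime-change test case for zone 'work'.
# Function names are illustrative, not part of firewalld.

ZONE=work
SERVICE=samba-client

# Succeeds if the iptables-save text on stdin contains both ACCEPT rules
# the test case expects for samba-client (UDP 137 and 138).
has_service_rules() {
    rules=$(cat)
    for port in 137 138; do
        printf '%s\n' "$rules" |
            grep -qF -e "-A IN_ZONE_${ZONE}_allow -p udp -m udp --dport ${port} -j ACCEPT" ||
            return 1
    done
}

# Succeeds if the space-separated list in $1 (the --list-services output)
# contains $SERVICE as a whole word, so 'samba' alone does not match.
lists_service() {
    case " $1 " in
        *" $SERVICE "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs the full test case against the live firewall (needs root).
run_test_case() {
    before=$(firewall-cmd --zone="$ZONE" --list-all) || return 1
    firewall-cmd --zone="$ZONE" --add-service="$SERVICE" || return 1
    iptables-save | has_service_rules ||
        { echo "FAIL: ACCEPT rules for $SERVICE missing"; return 1; }
    lists_service "$(firewall-cmd --zone="$ZONE" --list-services)" ||
        { echo "FAIL: $SERVICE not in --list-services"; return 1; }
    # The change was made without --permanent, so a restart must drop it.
    service firewalld restart || return 1
    after=$(firewall-cmd --zone="$ZONE" --list-all) || return 1
    [ "$before" = "$after" ] ||
        { echo "FAIL: runtime change survived the restart"; return 1; }
    echo "PASS"
}

# Touch the live firewall only when asked to: sh <script> run
if [ "${1:-}" = "run" ]; then run_test_case; fi
```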