From Fedora Project Wiki


Latest revision as of 17:18, 11 December 2012

Description

This is the test case to check that runtime changes to firewall zones work.

Settings applied to a zone with firewall-cmd (without the --permanent switch) are runtime only: they stay in effect until the machine reboots or the firewalld service is restarted.

How to test

Get settings of work zone

 firewall-cmd --zone=work --list-all

Enable service samba-client in zone work

 firewall-cmd --zone=work --add-service=samba-client

To check (as root) if it has been enabled:

 iptables-save | grep work

These two lines should be in the output:

 -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
 -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT

And

 firewall-cmd --zone=work --list-services

should contain samba-client.

Now undo the previous change. You can either remove the service manually

 firewall-cmd --zone=work --remove-service=samba-client

or simply restart firewalld,

 service firewalld restart

because the change was made at runtime only and is not permanent.

 firewall-cmd --zone=work --list-all

should now show the same output as in the first step, i.e. without samba-client.
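The verification steps of this test case as an added shell script (not part of the Fedora wiki page): the two helper functions check captured iptables-save and --list-services output for the rules quoted above, and run_runtime_zone_test drives the whole add/verify/undo cycle against a live firewalld. The commands and the chain name IN_ZONE_work_allow come from the page; the sample outputs below are constructed.

```shell
#!/bin/sh
# Added example for the firewalld runtime zone test case. The helpers work on
# captured command output, so they can be exercised without root or firewalld.
ZONE=work

# Return 0 when iptables-save output ($1) holds both samba-client rules
# (udp 137 and 138) in the zone's allow chain, i.e. the runtime change is live.
# Chain name as quoted on the page (iptables backend of firewalld).
zone_has_samba_rules() {
    pat="^-A IN_ZONE_${ZONE}_allow -p udp -m udp --dport 13[78] -j ACCEPT$"
    [ "$(printf '%s\n' "$1" | grep -c -E -e "$pat")" -eq 2 ]
}

# Return 0 when the space-separated service list ($1), as printed by
# 'firewall-cmd --zone=work --list-services', contains service $2 as a whole
# word (so 'samba' does not match 'samba-client').
zone_lists_service() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -qx -e "$2"
}

# Constructed sample outputs: before and after the runtime add.
IPT_BEFORE='-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -j ACCEPT'
IPT_AFTER="$IPT_BEFORE
-A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT"
SVC_BEFORE='dhcpv6-client ipp-client mdns ssh'
SVC_AFTER='dhcpv6-client ipp-client mdns samba-client ssh'

# Run the page's test case on a live host (needs root): returns 0 on pass,
# 1 on failure, 2 when firewall-cmd is not installed here.
run_runtime_zone_test() {
    command -v firewall-cmd >/dev/null 2>&1 || return 2
    before=$(firewall-cmd --zone="$ZONE" --list-all)
    firewall-cmd --zone="$ZONE" --add-service=samba-client >/dev/null || return 1
    zone_has_samba_rules "$(iptables-save)" || return 1
    zone_lists_service "$(firewall-cmd --zone="$ZONE" --list-services)" \
        samba-client || return 1
    # Undo the runtime change and confirm the zone is back to its first state.
    firewall-cmd --zone="$ZONE" --remove-service=samba-client >/dev/null || return 1
    after=$(firewall-cmd --zone="$ZONE" --list-all)
    [ "$before" = "$after" ]
}
# Usage on a Fedora host: . ./runtime_zone_test.sh; run_runtime_zone_test
```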

For more examples see also http://fedoraproject.org/wiki/FirewallD