Latest revision as of 12:09, 12 December 2012
Description
Firewalld relies on NetworkManager, which tells firewalld which network interface belongs to which zone. This is the test case to check that firewalld and NetworkManager are working together.
How to test
1. Connect to a network and check that its interface is part of the default zone:
Show all supported zones:
firewall-cmd --get-zones
The output should look like this:
drop work internal trusted home dmz public block external
Show all active zones with the interfaces belonging to the zones:
firewall-cmd --get-active-zones
The output should look like this (em1 is used as an example):
public: em1
List all settings of the public zone:
firewall-cmd --zone=public --list-all
The output should look like this:
  zone: public
    interfaces: em1
    services: mdns dhcpv6-client ssh
To see the zone of active devices with nmcli (the NetworkManager command line client):
nmcli -f NAME,DEVICES,ZONE con status
The output should look like this:
  NAME          DEVICES    ZONE
  System em1    em1        --
A ZONE of -- means the connection has no explicit zone and uses firewalld's default zone.
You can also check (as root) the resulting firewall directly:
iptables-save | grep ZONES
The result should be something like this:
  :POSTROUTING_ZONES - [0:0]
  :PREROUTING_ZONES - [0:0]
  -A PREROUTING -j PREROUTING_ZONES
  -A POSTROUTING -j POSTROUTING_ZONES
  :PREROUTING_ZONES - [0:0]
  -A PREROUTING -j PREROUTING_ZONES
  :FORWARD_ZONES - [0:0]
  :INPUT_ZONES - [0:0]
  -A INPUT -j INPUT_ZONES
  -A FORWARD -j FORWARD_ZONES
  -A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
  -A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
  -A INPUT_ZONES -i em1 -j IN_ZONE_public
em1 is the interface used by NetworkManager for the connection. NetworkManager automatically adds the interface of a connection that has no explicit zone to the default zone.
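The three checks above (firewall-cmd, nmcli, iptables-save) should agree on the zone of em1. The following script, added here as an example and not part of the test case or of firewalld itself, reads the zone straight out of iptables-save text by following the -i/-o dispatch rules in INPUT_ZONES and FORWARD_ZONES, and fails if the IN_ZONE_, FWDI_ZONE_ and FWDO_ZONE_ targets for an interface do not all name the same zone. The sample ruleset is constructed from the chain names shown on this page; the chain prefixes match the 2012-era iptables backend, so adjust them for firewalld releases that name zone chains differently. verify_live is the only part that needs root and a running firewalld.

```shell
#!/bin/sh
# Added example, not from the test case or from firewalld: derive the zone an
# interface is actually wired into from "iptables-save" output, and check that
# firewalld's own answer matches the kernel ruleset.
set -eu

# Read iptables-save text on stdin and print the zone that the INPUT_ZONES and
# FORWARD_ZONES dispatch rules for interface $1 jump to. Exits 1 when the
# IN_/FWDI_/FWDO_ targets disagree or no rule mentions the interface at all.
ruleset_zone_of_interface() {
    iface=$1
    awk -v iface="$iface" '
        $1 == "-A" && ($2 == "INPUT_ZONES" || $2 == "FORWARD_ZONES") {
            for (i = 3; i < NF; i++) {
                if (($i == "-i" || $i == "-o") && $(i + 1) == iface) {
                    # the -j target is the last field; strip the chain prefix
                    target = $NF
                    sub(/^(IN|FWDI|FWDO)_ZONE_/, "", target)
                    zones[target]++
                }
            }
        }
        END {
            n = 0
            for (z in zones) { n++; last = z }
            if (n != 1) exit 1     # no rule, or rules pointing at different zones
            print last
        }'
}

# Constructed sample in the shape of "iptables-save | grep ZONES" on this page.
sample_ruleset() {
    cat <<'EOF'
:FORWARD_ZONES - [0:0]
:INPUT_ZONES - [0:0]
-A INPUT -j INPUT_ZONES
-A FORWARD -j FORWARD_ZONES
-A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
-A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
-A INPUT_ZONES -i em1 -j IN_ZONE_public
EOF
}

# Live check (root, running firewalld): firewalld's view versus the kernel
# ruleset. Returns 1 on mismatch. Not exercised offline.
verify_live() {
    iface=$1
    reported=$(firewall-cmd --get-zone-of-interface="$iface")
    actual=$(iptables-save | ruleset_zone_of_interface "$iface")
    [ "$reported" = "$actual" ]
}

# Offline demonstration on the constructed sample:
#   sample_ruleset | ruleset_zone_of_interface em1    -> public
```

Run `verify_live em1` as root after each of the zone changes in the steps below; a mismatch means firewalld's bookkeeping and the rules actually enforced have drifted apart, which is exactly what this test case is meant to catch.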
2. Change the zone of a connection.
To change the zone of a connection, use a NetworkManager GUI or edit the connection's configuration file manually.
Using a NetworkManager GUI
network-manager-applet (GNOME, Xfce)
You need network-manager-applet-0.9.7.0-6.git20121211.fc18 (https://koji.fedoraproject.org/koji/buildinfo?buildID=372214) from the updates-testing repo (https://admin.fedoraproject.org/updates/network-manager-applet-0.9.7.0-6.git20121211.fc18).
System Settings -> Network, select the connection, click on Options... and go to the General tab. Change the Firewall zone combo box and press Save...
kde-plasma-networkmanagement (KDE)
System Settings -> Network Settings, select the connection and click on Edit... Change the Firewall zone combo box and press OK.
After you change the zone in either network-manager-applet or kde-plasma-networkmanagement, run the following commands to confirm that the zone has actually changed:
  firewall-cmd --get-active-zones
  nmcli -f NAME,DEVICES,ZONE con status
Editing connection configuration files
As root, use an editor to add a ZONE line, for example ZONE=work, to the end of the ifcfg- file of that connection in /etc/sysconfig/network-scripts/. The result should look similar to this (only the last line matters):
  UUID="......................"
  NM_CONTROLLED="yes"
  BOOTPROTO="dhcp"
  DEVICE="em1"
  ONBOOT=yes
  HWADDR=.........
  TYPE=Ethernet
  DEFROUTE=yes
  PEERDNS=yes
  PEERROUTES=yes
  IPV4_FAILURE_FATAL=yes
  IPV6INIT=no
  NAME="System em1"
  ZONE=work
NetworkManager will automatically reconnect and the zone will be set accordingly:
firewall-cmd --zone=work --list-all
The output should look like this:
  zone: work
    interfaces: em1
    services: ipp-client mdns dhcpv6-client ssh
Also check the output of
firewall-cmd --get-zone-of-interface=em1
3. Remove the ZONE from the ifcfg file again
After you remove the ZONE line from the ifcfg file and save it, NetworkManager reconnects and places the interface back into the default zone, public. Confirm with firewall-cmd --get-zone-of-interface=em1.
4. Set a new default zone in the firewalld config file as root with an editor:
The firewalld config file is: /etc/firewalld/firewalld.conf
Change the DefaultZone to look like this:
  # default zone
  # The default zone used if an empty zone string is used.
  # Default: public
  DefaultZone=home
Reload firewalld:
firewall-cmd --reload
Check if the connection is using the new default zone:
  firewall-cmd --get-zone-of-interface=em1
  firewall-cmd --zone=home --list-all
You can also set the default zone with firewall-cmd --set-default-zone=zone (no need to reload firewalld). Every connection without an explicit ZONE follows the default zone, so a change here affects all of them at once; pick the default zone conservatively.
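Steps 2, 3 and 4 all come down to adding, changing or removing one KEY=value line in a configuration file (ZONE= in an ifcfg file, DefaultZone= in /etc/firewalld/firewalld.conf). The script below, added here as an example and not taken from the test case, NetworkManager or firewalld, does that edit in a repeatable way: it replaces an existing assignment in place, drops duplicates, appends the key if it was absent, and does not confuse the commented "# Default: public" line in firewalld.conf with the real assignment. The file paths are parameters so it can be tried on scratch copies; both sample files at the bottom are constructed, not copied from a host.

```shell
#!/bin/sh
# Added example, not from the test case or from firewalld/NetworkManager:
# edit a KEY=value line in an ifcfg file (ZONE=, steps 2 and 3) or in
# firewalld.conf (DefaultZone=, step 4) without a hand editor.
set -eu

# Print the value of KEY in FILE (last assignment wins, quotes stripped), or an
# empty line if KEY is not set. Keys here are plain words, so no regex escaping.
get_kv() {
    file=$1 key=$2
    sed -n "s/^$key=//p" "$file" | tail -n 1 | tr -d '"'
}

# Set KEY=VALUE in FILE: replace the first existing assignment in place, drop
# any duplicates, append at the end if KEY was absent. The file is overwritten
# through cat so its inode, mode and SELinux label survive (a mv would not keep
# the label, and a stray ifcfg-* temp file in network-scripts could itself be
# picked up by NetworkManager).
set_kv() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        index($0, key "=") == 1 { if (!done) { print key "=" value; done = 1 }; next }
        { print }
        END { if (!done) print key "=" value }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Remove every KEY= line from FILE (step 3: with ZONE gone, NetworkManager puts
# the interface back into firewalld's default zone).
clear_kv() {
    file=$1 key=$2
    tmp=$(mktemp)
    awk -v key="$key" 'index($0, key "=") == 1 { next } { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Constructed ifcfg file in the shape this page shows (HWADDR/UUID omitted).
make_sample_ifcfg() {
    cat > "$1" <<'EOF'
NM_CONTROLLED="yes"
BOOTPROTO="dhcp"
DEVICE="em1"
ONBOOT=yes
TYPE=Ethernet
NAME="System em1"
EOF
}

# Constructed firewalld.conf fragment; the "# Default: public" comment must not
# be mistaken for the assignment.
make_sample_firewalld_conf() {
    cat > "$1" <<'EOF'
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public
EOF
}

# Live use on a Fedora host (as root). NetworkManager reconnects on its own
# after an ifcfg change; firewalld.conf needs a reload:
#   set_kv /etc/sysconfig/network-scripts/ifcfg-em1 ZONE work
#   firewall-cmd --get-zone-of-interface=em1
#   clear_kv /etc/sysconfig/network-scripts/ifcfg-em1 ZONE
#   set_kv /etc/firewalld/firewalld.conf DefaultZone home && firewall-cmd --reload
```

After each live change, confirm the result with firewall-cmd --get-zone-of-interface=em1 and nmcli as in the steps above; the functions only edit files and never verify that firewalld applied the change.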