Latest revision as of 16:32, 12 December 2012
Description
This test case checks that persistent changes to firewall zones work as expected.
Zone settings made with firewall-cmd --permanent should survive a reboot or a restart of the firewalld service.
How to test
- Get a list of all supported services:
firewall-cmd --get-services
The result should be:
cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba dhcpv6-client https openvpn imaps samba-client http dns ntp vnc-server telnet libvirt ssh ipsec ipp-client amanda-client tftp-client nfs tftp libvirt-tls
- Get a list of services that are currently allowed in zone work:
firewall-cmd --zone=work --list-services
should show: ipp-client mdns dhcpv6-client ssh
- Now we'll permanently allow smtp in zone work. We can either use
firewall-cmd --permanent --zone=work --add-service=smtp
and check that smtp was added to the configuration file of the zone:
grep smtp /etc/firewalld/zones/work.xml
desired output: <service name="smtp"/>
Or we can change the configuration file manually: copy the default file of zone work to /etc/firewalld/zones/ and edit the copy with
cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
vim /etc/firewalld/zones/work.xml
then add <service name="smtp"/> and save the file.
- We need to reload firewalld so the change in the configuration file gets loaded:
firewall-cmd --reload
- Check that smtp is now listed by:
firewall-cmd --zone=work --list-services
and that
iptables-save | grep work
shows the corresponding rule:
-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
- Now reboot (or run: service firewalld restart) and make sure the change is persistent, i.e. the smtp service is still allowed in zone work.
- If you want to revert the change you can either:
firewall-cmd --permanent --zone=work --remove-service=smtp
or remove the <service name="smtp"/> line from /etc/firewalld/zones/work.xml
or you can simply delete /etc/firewalld/zones/work.xml so that firewalld falls back to the default /usr/lib/firewalld/zones/work.xml configuration file of the zone.
In all cases you need to reload firewalld so the stored configuration becomes active.
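The checks above are done by hand on a live system. As an added example (not part of the Fedora test case and not firewalld's own code), the following Python script does the same checks offline on constructed input: it parses a sample of /etc/firewalld/zones/work.xml, adds or removes a <service name="..."/> entry the way the manual edit step does, and parses a constructed excerpt of the iptables-save | grep work output to confirm that tcp/25 is accepted by the zone's allow chain. The function names, the sample zone file and all iptables-save lines except the smtp rule quoted on the page are assumptions made for this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/zones/work.xml before the test: the four
# services the page says zone "work" allows by default. Not copied from a real system.
SAMPLE_WORK_ZONE = """<zone>
  <short>Work</short>
  <description>Constructed sample of the work zone.</description>
  <service name="ipp-client"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
"""

# Constructed excerpt of `iptables-save | grep work` after smtp was added and
# firewalld reloaded. Only the tcp/25 line is taken from the page; the other
# lines are illustrative.
SAMPLE_IPTABLES_SAVE = """\
-A IN_ZONE_work -j IN_ZONE_work_allow
-A IN_ZONE_work_allow -p udp -m udp --dport 5353 -d 224.0.0.251 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 546 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
"""


def zone_services(zone_xml):
    """Return the service names declared in a firewalld zone file, in file order."""
    root = ET.fromstring(zone_xml)
    return [s.get("name") for s in root.findall("service")]


def add_service(zone_xml, name):
    """Return the zone XML with <service name="..."/> appended; no duplicate if present."""
    root = ET.fromstring(zone_xml)
    if name in (s.get("name") for s in root.findall("service")):
        return zone_xml
    elem = ET.SubElement(root, "service", name=name)
    elem.tail = "\n"
    return ET.tostring(root, encoding="unicode")


def remove_service(zone_xml, name):
    """Return the zone XML with every <service name="..."/> of that name removed."""
    root = ET.fromstring(zone_xml)
    for s in list(root.findall("service")):
        if s.get("name") == name:
            root.remove(s)
    return ET.tostring(root, encoding="unicode")


# One firewalld allow rule as printed by iptables-save: the IN_ZONE_<zone>_allow
# chain, the protocol, the matched destination port, any further matches, ACCEPT.
RULE_RE = re.compile(
    r"^-A IN_ZONE_(?P<zone>\S+)_allow -p (?P<proto>tcp|udp) -m (?P=proto) "
    r"--dport (?P<port>\d+) .*-j ACCEPT$"
)


def allowed_ports(iptables_save, zone):
    """Set of (proto, port) pairs accepted by the given zone's allow chain."""
    found = set()
    for line in iptables_save.splitlines():
        m = RULE_RE.match(line)
        if m and m.group("zone") == zone:
            found.add((m.group("proto"), int(m.group("port"))))
    return found


def smtp_persisted(zone_xml, iptables_save, zone="work"):
    """The test's pass condition: smtp stored in the zone file and tcp/25 accepted at runtime."""
    return "smtp" in zone_services(zone_xml) and ("tcp", 25) in allowed_ports(iptables_save, zone)


if __name__ == "__main__":
    after = add_service(SAMPLE_WORK_ZONE, "smtp")
    print(zone_services(after))
    print(sorted(allowed_ports(SAMPLE_IPTABLES_SAVE, "work")))
    print(smtp_persisted(after, SAMPLE_IPTABLES_SAVE))
```

On a real system the zone XML would be read from /etc/firewalld/zones/work.xml (or the default under /usr/lib/firewalld/zones/ when no override exists) and the second input from the output of iptables-save; the point of the script is that the stored configuration and the loaded ruleset are checked separately, which is exactly what distinguishes a --permanent change that survived a restart from one that was only active in the running firewall.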
For more examples see also http://fedoraproject.org/wiki/FirewallD