From Fedora Project Wiki

Revision as of 12:21, 16 March 2012

Description

This is the test case to check if firewalld and NetworkManager are working together.

How to test

1. Connect to a network and check if the network is part of the default zone:

 firewall-cmd --list=all --zone=public

The output should look like this ('em1' is used as an example):

 firewall-cmd --list=all --zone=public
 zone: public
 interfaces: em1
 services: dhcpv6-client, ssh

You can also check the resulting firewall directly:

 iptables-save | grep ZONES

The result should be something like this:

 :POSTROUTING_ZONES - [0:0]
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 -A POSTROUTING -j POSTROUTING_ZONES
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 :FORWARD_ZONES - [0:0]
 :INPUT_ZONES - [0:0]
 -A INPUT -j INPUT_ZONES
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
 -A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
 -A INPUT_ZONES -i em1 -j IN_ZONE_public

'em1' is the interface used by NetworkManager for the connection. NM will automatically add the interface of a connection to the default zone.
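The two checks in step 1 can be scripted so that the zone listing and the iptables dump are compared against each other rather than read by eye. The following is an added example, not part of the Fedora test case: the sample outputs are constructed to match the expected results above, and the function names (zone_lists_iface, iptables_dispatches_iface, check_binding) are this example's own. On a live system you would pipe the real `firewall-cmd --list=all --zone=public` and `iptables-save` output into the functions instead of the samples.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki test case): confirm that an interface
# is bound to the expected firewalld zone according to BOTH sources the test
# case inspects: the 'firewall-cmd --list=all --zone=ZONE' listing and the
# 'iptables-save' rule dump. Sample outputs below are constructed.

# zone_lists_iface ZONE IFACE   (reads a firewall-cmd zone listing on stdin)
# Succeeds if the 'interfaces:' line that follows 'zone: ZONE' names IFACE.
zone_lists_iface() {
    awk -v zone="$1" -v iface="$2" '
        $1 == "zone:" { in_zone = ($2 == zone) }
        $1 == "interfaces:" && in_zone {
            for (i = 2; i <= NF; i++) { gsub(",", "", $i); if ($i == iface) found = 1 }
        }
        END { if (found) exit 0; exit 1 }'
}

# iptables_dispatches_iface IFACE ZONE   (reads iptables-save output on stdin)
# Succeeds only if all three per-interface dispatch rules point at ZONE:
# INPUT_ZONES -i, FORWARD_ZONES -i and FORWARD_ZONES -o. A missing rule means
# traffic in that direction is not filtered by the zone you expect.
iptables_dispatches_iface() {
    awk -v iface="$1" -v zone="$2" '
        $1 == "-A" && $2 == "INPUT_ZONES"   && $3 == "-i" && $4 == iface && $6 == ("IN_ZONE_" zone)   { in_ok = 1 }
        $1 == "-A" && $2 == "FORWARD_ZONES" && $3 == "-i" && $4 == iface && $6 == ("FWDI_ZONE_" zone) { fi_ok = 1 }
        $1 == "-A" && $2 == "FORWARD_ZONES" && $3 == "-o" && $4 == iface && $6 == ("FWDO_ZONE_" zone) { fo_ok = 1 }
        END { if (in_ok && fi_ok && fo_ok) exit 0; exit 1 }'
}

# check_binding ZONE IFACE LISTING IPTDUMP
# Returns 0 only when both sources agree that IFACE is in ZONE.
check_binding() {
    printf '%s\n' "$3" | zone_lists_iface "$1" "$2" &&
    printf '%s\n' "$4" | iptables_dispatches_iface "$2" "$1"
}

# Constructed sample of 'firewall-cmd --list=all --zone=public' output.
LIST_PUBLIC='zone: public
interfaces: em1
services: dhcpv6-client, ssh'

# Constructed sample of the filter-table lines from 'iptables-save | grep ZONES'.
IPT_ZONES=':FORWARD_ZONES - [0:0]
:INPUT_ZONES - [0:0]
-A INPUT -j INPUT_ZONES
-A FORWARD -j FORWARD_ZONES
-A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
-A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
-A INPUT_ZONES -i em1 -j IN_ZONE_public'

if check_binding public em1 "$LIST_PUBLIC" "$IPT_ZONES"; then
    echo "em1 is bound to zone public: firewall-cmd and iptables agree"
else
    echo "em1 is NOT consistently bound to zone public" >&2
fi
```

Checking all three dispatch rules matters more than the zone listing alone: the listing comes from firewalld's own view, while the iptables dump shows what the kernel actually applies, so a disagreement between them is exactly the kind of NetworkManager/firewalld integration failure this test case exists to catch.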

2. Change the zone of a connection.

Add ZONE=work to the ifcfg file of the connection.

As root, use an editor and add "ZONE=work" to the end of the ifcfg file of that connection. The result should look like this:

 UUID="......................"
 NM_CONTROLLED="yes"
 BOOTPROTO="dhcp"
 DEVICE="em1"
 ONBOOT=yes
 HWADDR=.........
 TYPE=Ethernet
 DEFROUTE=yes
 PEERDNS=yes
 PEERROUTES=yes
 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no
 NAME="System em1"
 ZONE=work

NetworkManager will automatically reconnect and the zone will be set accordingly:

 firewall-cmd --list=all --zone=work

The output should look like this:

 zone: work
 interfaces: em1
 services: ipp-client, dhcpv6-client, ssh

3. Remove the ZONE line from the ifcfg file again; the interface will be placed back into the default zone 'public'.

4. As root, set a new default zone in the firewalld config file with an editor. The result will look like this:

 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
 DefaultZone=home

Reload firewalld:

 firewall-cmd --reload

Re-establish the connection in NetworkManager and check that the connection is using the new default zone:

 firewall-cmd --list=all --zone=home

You can also set the default zone with 'firewall-cmd --set-default-zone=zone', but at the moment there is a SELinux problem with this: it forbids firewalld to write in its own configuration directory. This will be fixed.
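Steps 2 to 4 all come down to two file edits, the ZONE= line in the connection's ifcfg file and the DefaultZone= line in firewalld's configuration file, and the zone the interface lands in follows from those two values. The script below is an added example, not part of the Fedora test case; it wraps those edits in small idempotent functions that validate the zone name before writing it, and adds an effective_zone function (this example's own name) that predicts the resulting zone. The real file locations are not given on this page, so the example works on constructed copies in a temporary directory; it only edits files, so on a real system the NetworkManager reconnect and 'firewall-cmd --reload' from the test case are still needed for the change to take effect.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki test case): the configuration edits
# from steps 2 to 4 as idempotent functions, plus a predictor for the zone the
# interface will be handed to: ZONE= from the ifcfg file if present, otherwise
# DefaultZone= from firewalld's main config. All files here are constructed
# copies in a temporary directory; the real paths are not part of this example.

# valid_zone NAME: refuse anything that is not a plain zone name, so a value
# taken from untrusted input cannot smuggle sed syntax or an extra line into
# the configuration file.
valid_zone() {
    case $1 in
        '' | *[!A-Za-z0-9_-]*) echo "invalid zone name: '$1'" >&2; return 1 ;;
    esac
}

# rewrite FILE SED_EXPR: apply a sed expression in place without the
# non-portable 'sed -i'; writing back through 'cat' keeps the file's owner
# and mode, which matters for files under /etc.
rewrite() {
    tmp="$1.tmp.$$" && sed "$2" "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# set_ifcfg_zone IFCFG ZONE: replace an existing ZONE= line or append one (step 2).
set_ifcfg_zone() {
    valid_zone "$2" || return 1
    if grep -q '^ZONE=' "$1"; then
        rewrite "$1" "s/^ZONE=.*/ZONE=$2/"
    else
        [ -z "$(tail -c1 "$1")" ] || echo >> "$1"   # make sure the file ends with a newline
        printf 'ZONE=%s\n' "$2" >> "$1"
    fi
}

# clear_ifcfg_zone IFCFG: drop the ZONE= line so the interface falls back to
# the default zone (step 3).
clear_ifcfg_zone() { rewrite "$1" '/^ZONE=/d'; }

# set_default_zone CONF ZONE: change DefaultZone= in the firewalld config (step 4).
set_default_zone() {
    valid_zone "$2" || return 1
    grep -q '^DefaultZone=' "$1" || { echo "no DefaultZone= line in $1" >&2; return 1; }
    rewrite "$1" "s/^DefaultZone=.*/DefaultZone=$2/"
}

# effective_zone IFCFG CONF: print the zone the connection's interface ends up in.
# ifcfg values may be quoted, so surrounding double quotes are stripped.
effective_zone() {
    z=$(sed -n 's/^ZONE=//p' "$1" | tr -d '"')
    [ -n "$z" ] || z=$(sed -n 's/^DefaultZone=//p' "$2")
    printf '%s\n' "$z"
}

# Walk through steps 2 to 4 on constructed copies of the two files.
dir=$(mktemp -d)
ifcfg="$dir/ifcfg-em1"; conf="$dir/firewalld.conf"
printf '%s\n' 'NM_CONTROLLED="yes"' 'BOOTPROTO="dhcp"' 'DEVICE="em1"' 'TYPE=Ethernet' 'NAME="System em1"' > "$ifcfg"
printf '%s\n' '# default zone' 'DefaultZone=public' > "$conf"

echo "start:             $(effective_zone "$ifcfg" "$conf")"
set_ifcfg_zone "$ifcfg" work
echo "after ZONE=work:   $(effective_zone "$ifcfg" "$conf")"
clear_ifcfg_zone "$ifcfg"
echo "after removing it: $(effective_zone "$ifcfg" "$conf")"
set_default_zone "$conf" home
echo "DefaultZone=home:  $(effective_zone "$ifcfg" "$conf")"
rm -rf "$dir"
```

The validation in valid_zone is the part worth keeping even if the rest is replaced by a config-management tool: an unvalidated zone name written into an ifcfg file or firewalld.conf can break the file's syntax, and a connection whose ifcfg file no longer parses cleanly may silently end up in a zone other than the one intended.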