Revision as of 12:29, 16 March 2012
Description
This is the test case to check if firewalld and NetworkManager are working together.
How to test
1. Connect to a network and check if the network is part of the default zone:
firewall-cmd --list=all --zone=public
The output should look like this ('em1' is used as an example):
zone: public
  interfaces: em1
  services: dhcpv6-client, ssh
To see the zone of active devices:
nmcli -f NAME,DEVICES,ZONE con status
The output should look like this:
NAME          DEVICES   ZONE
System em1    em1       not set
'not set' means to use the default zone.
You can also check the resulting firewall directly:
iptables-save | grep ZONES
The result should be something like this:
:POSTROUTING_ZONES - [0:0]
:PREROUTING_ZONES - [0:0]
-A PREROUTING -j PREROUTING_ZONES
-A POSTROUTING -j POSTROUTING_ZONES
:PREROUTING_ZONES - [0:0]
-A PREROUTING -j PREROUTING_ZONES
:FORWARD_ZONES - [0:0]
:INPUT_ZONES - [0:0]
-A INPUT -j INPUT_ZONES
-A FORWARD -j FORWARD_ZONES
-A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
-A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
-A INPUT_ZONES -i em1 -j IN_ZONE_public
'em1' is the interface used by NetworkManager for the connection. NM will automatically add the interface of a connection to the default zone.
2. Change the zone of a connection.
Add ZONE=work to the ifcfg file of the connection.
As root use an editor and add "ZONE=work" to the end of the ifcfg file of that connection. The result should look like this:
UUID="......................"
NM_CONTROLLED="yes"
BOOTPROTO="dhcp"
DEVICE="em1"
ONBOOT=yes
HWADDR=.........
TYPE=Ethernet
DEFROUTE=yes
PEERDNS=yes
PEERROUTES=yes
IPV4_FAILURE_FATAL=yes
IPV6INIT=no
NAME="System em1"
ZONE=work
NetworkManager will automatically reconnect and the zone will be set accordingly:
firewall-cmd --list=all --zone=work
The output should look like this:
zone: work
  interfaces: em1
  services: ipp-client, dhcpv6-client, ssh
nm-applet does not have support for zones, yet. This will be added soon.
3. Remove the ZONE setting from the ifcfg file again.
Reconnect with NetworkManager and the interface will be placed into the default zone 'public'.
4. Set a new default zone in the firewalld config file as root with an editor:
The result will look like this:
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=home
Reload firewalld:
firewall-cmd --reload
Reinitiate the connection in NetworkManager and check if the connection is using the new default zone:
firewall-cmd --list=all --zone=home
You can also set the default zone with 'firewall-cmd --set-default-zone=zone', but at the moment there is a SELinux problem with this: it forbids firewalld from writing to its own configuration directory. This will be fixed.
If you reconnect with NetworkManager the interface of the connection will be placed in the new default zone.
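The checks in steps 1 to 4 can be automated by reading the zone an interface actually lands in from the INPUT_ZONES chain of 'iptables-save' and comparing it with the zone the configuration should produce (ZONE= in the ifcfg file, otherwise DefaultZone). The following is an added example script, not part of the test case or of firewalld; the rule, ifcfg and firewalld.conf fragments in it are constructed from the output shown above.

```shell
#!/bin/sh
# Constructed sample of `iptables-save | grep ZONES`: em1 is in zone public.
SAMPLE_RULES='-A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
-A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
-A INPUT_ZONES -i em1 -j IN_ZONE_public'

# Constructed ifcfg fragments, with and without an explicit ZONE= setting.
IFCFG_WORK='DEVICE="em1"
NAME="System em1"
ZONE=work'
IFCFG_DEFAULT='DEVICE="em1"
NAME="System em1"'

# Constructed firewalld.conf fragment after step 4 (default zone changed to home).
FWD_CONF='# Default: public
DefaultZone=home'

# effective_zone RULES IFACE: zone the INPUT_ZONES chain dispatches IFACE to,
# taken from the IN_ZONE_<zone> target; prints nothing if IFACE is not assigned.
effective_zone() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "-A" && $2 == "INPUT_ZONES" && $3 == "-i" && $4 == dev && $5 == "-j" {
            sub(/^IN_ZONE_/, "", $6); print $6; exit
        }'
}

# expected_zone IFCFG FWD_CONF: ZONE= from the ifcfg file (quotes stripped),
# falling back to DefaultZone from firewalld.conf, which is what "not set" means.
expected_zone() {
    z=$(printf '%s\n' "$1" | sed -n 's/^ZONE=//p' | tr -d '"')
    [ -n "$z" ] || z=$(printf '%s\n' "$2" | sed -n 's/^DefaultZone=//p')
    printf '%s\n' "$z"
}

# zone_matches RULES IFACE IFCFG FWD_CONF: succeeds only when the live rules
# place IFACE in the zone the configuration calls for.
zone_matches() {
    have=$(effective_zone "$1" "$2")
    want=$(expected_zone "$3" "$4")
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# On a live system replace the constructed inputs with the real files, e.g.
#   zone_matches "$(iptables-save | grep ZONES)" em1 \
#       "$(cat /path/to/ifcfg-file)" "$(cat /path/to/firewalld.conf)"
```

A mismatch (as with the sample data, where em1 is still in public although DefaultZone is home) is exactly the state expected between editing the default zone and reconnecting in NetworkManager.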