From Fedora Project Wiki

Revision as of 10:19, 27 September 2012

Description

This is the test case to check if persistent changes of firewall zones are usable.

Settings in the zone done with firewall-cmd --permanent should survive reboot or firewalld service restart.

How to test

  • Get a list of all supported services:
 firewall-cmd --get-services

The result should be:

 cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba 
 dhcpv6-client dns openvpn imaps samba-client http https telnet libvirt ssh 
 ipsec ipp-client amanda-client tftp-client dhcpv6 nfs tftp libvirt-tls
  • Get a list of services that are currently allowed in zone work:
 firewall-cmd --zone=work --list-services

should show: ipp-client mdns dhcpv6-client ssh

  • Now we'll permanently allow smtp in zone work. We can either use
 firewall-cmd --permanent --zone=work --add-service=smtp

and check that smtp was added to the configuration file of the zone:

 grep smtp /etc/firewalld/zones/work.xml 

desired output: <service name="smtp"/>

Or we can change the configuration file manually with:

 cp /usr/lib/firewalld/zones/external.xml /etc/firewalld/zones/
 vim /etc/firewalld/zones/external.xml

add <service name="smtp"/> and save the file.

  • We need to reload firewalld so the change in the configuration file gets loaded:
 firewall-cmd --reload
  • Check that smtp appears in the output of:
 firewall-cmd --zone=work --list-services

and

 iptables-save | grep work

should show

 -A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  • Now reboot (or run service firewalld restart) and make sure the change is persistent, i.e. the smtp service is still allowed.
  • If you want to revert the change you can either:
 firewall-cmd --permanent --zone=work --remove-service=smtp

or remove the <service name="smtp"/> line from /etc/firewalld/zones/external.xml

or you can simply delete the /etc/firewalld/zones/external.xml so firewalld will load the default /usr/lib/firewalld/zones/external.xml configuration file of the zone.

In all cases you need to reload firewalld so the stored configuration becomes active.
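The checks above are done by hand in this test case. The following script is an added example, not part of the Fedora wiki page or of firewalld itself: it packages the same three checks (which zone file firewalld will load, which services that file lists, and whether the runtime state and the iptables rule match the permanent configuration) as shell functions. The functions take their input as text or file paths, so the demo at the bottom runs on constructed sample data; on a real host you would feed them the output of firewall-cmd --permanent --zone=work --list-services, firewall-cmd --zone=work --list-services and iptables-save. The directory arguments of effective_zone_file and the sample zone file contents are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not part of the Fedora wiki test case. Helpers for the
# persistence check: which zone file is loaded, what it contains, and whether
# the runtime state / iptables rules agree with it. All input is plain text or
# files, so the demo below runs on constructed data without firewalld.

# Path firewalld actually loads for a zone: /etc/firewalld/zones/<zone>.xml
# overrides the packaged /usr/lib/firewalld/zones/<zone>.xml. The directory
# arguments exist only so the function can be run against sample directories;
# on a real host pass /etc/firewalld/zones /usr/lib/firewalld/zones.
effective_zone_file() {
    etc_dir=$1; lib_dir=$2; zone=$3
    if [ -f "$etc_dir/$zone.xml" ]; then
        printf '%s\n' "$etc_dir/$zone.xml"
    else
        printf '%s\n' "$lib_dir/$zone.xml"
    fi
}

# Print the <service name="..."/> entries of a zone XML file as one sorted,
# space-separated list (same shape as the output of --list-services).
zone_file_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1" | sort | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when every service in the permanent list ($1) is also in the
# runtime list ($2); otherwise print the ones not loaded and return 1.
check_persistent_loaded() {
    missing=""
    for svc in $1; do
        case " $2 " in
            *" $svc "*) ;;
            *) missing="$missing $svc" ;;
        esac
    done
    if [ -n "$missing" ]; then
        printf 'not active:%s\n' "$missing"
        return 1
    fi
    return 0
}

# Return 0 when iptables-save output ($3) contains the accept rule for TCP
# port $2 in the allow chain of zone $1 (the rule the test expects for smtp/25).
iptables_allows_tcp_port() {
    printf '%s\n' "$3" | grep -q -e "^-A IN_ZONE_$1_allow -p tcp .*--dport $2 .*--ctstate NEW -j ACCEPT$"
}

# Demo on constructed sample data standing in for a real host.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc" "$tmp/lib"
    # Constructed stand-in for the packaged work zone file.
    cat > "$tmp/lib/work.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <service name="ipp-client"/>
  <service name="mdns"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>
EOF
    # Copy into the /etc stand-in with smtp added, as the manual method does.
    { grep -v '</zone>' "$tmp/lib/work.xml"; printf '  <service name="smtp"/>\n</zone>\n'; } > "$tmp/etc/work.xml"

    file=$(effective_zone_file "$tmp/etc" "$tmp/lib" work)
    permanent=$(zone_file_services "$file")
    echo "permanent config ($file): $permanent"

    # Runtime list before 'firewall-cmd --reload': smtp is not active yet.
    runtime_before="ipp-client mdns dhcpv6-client ssh"
    check_persistent_loaded "$permanent" "$runtime_before" || echo "reload needed"

    # Runtime list after reload / restart / reboot: smtp must be present.
    runtime_after="ipp-client mdns dhcpv6-client ssh smtp"
    check_persistent_loaded "$permanent" "$runtime_after" && echo "persistent config is active"

    # Constructed iptables-save line matching the one the test expects.
    rules='-A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT'
    iptables_allows_tcp_port work 25 "$rules" && echo "iptables rule for smtp (tcp/25) present"

    rm -rf "$tmp"
}

demo
```

Because effective_zone_file resolves the file by zone name, it also makes the one trap in the manual method visible: firewalld reads /etc/firewalld/zones/work.xml for zone work, so a service added to a different zone's file will not show up in firewall-cmd --zone=work --list-services after the reload.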