From Fedora Project Wiki

Revision as of 12:24, 16 March 2012 by Twoerner (talk | contribs)

Description

This is the test case to check if firewalld and NetworkManager are working together.

How to test

1. Connect to a network and check if the network is part of the default zone:

 firewall-cmd --list=all --zone=public

The output should look like this ('em1' is used as an example):

 zone: public
 interfaces: em1
 services: dhcpv6-client, ssh

To see the zone of active devices:

 nmcli -f NAME,DEVICES,ZONE con status

The output should look like this:

 NAME                      DEVICES    ZONE
 System em1                em1        not set

'not set' means to use the default zone.

You can also check the resulting firewall directly:

 iptables-save | grep ZONES

The result should be something like this:

 :POSTROUTING_ZONES - [0:0]
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 -A POSTROUTING -j POSTROUTING_ZONES
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 :FORWARD_ZONES - [0:0]
 :INPUT_ZONES - [0:0]
 -A INPUT -j INPUT_ZONES
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
 -A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
 -A INPUT_ZONES -i em1 -j IN_ZONE_public

'em1' is the interface used by NetworkManager for the connection. NM will automatically add the interface of a connection to the default zone.

2. Change the zone of a connection.

Add ZONE=work to the ifcfg file of the connection: as root, open the ifcfg file of that connection in an editor and add "ZONE=work" at the end. The result should look like this:

 UUID="......................"
 NM_CONTROLLED="yes"
 BOOTPROTO="dhcp"
 DEVICE="em1"
 ONBOOT=yes
 HWADDR=.........
 TYPE=Ethernet
 DEFROUTE=yes
 PEERDNS=yes
 PEERROUTES=yes
 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no
 NAME="System em1"
 ZONE=work

NetworkManager will automatically reconnect and the zone will be set accordingly:

 firewall-cmd --list=all --zone=work

The output should look like this:

 zone: work
 interfaces: em1
 services: ipp-client, dhcpv6-client, ssh

3. Remove the ZONE from the ifcfg file again and the interface will be placed into the default zone 'public'.

4. Set a new default zone in the firewalld config file as root with an editor. The result will look like this:

 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
 DefaultZone=home

Reload firewalld:

 firewall-cmd --reload

Reinitiate the connection in NetworkManager and check if the connection is using the new default zone:

 firewall-cmd --list=all --zone=home

You can also set the default zone with 'firewall-cmd --set-default-zone=zone', but at the moment there is an SELinux problem with this: it forbids firewalld from writing to its own configuration directory. This will be fixed.
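The checks in steps 1 to 4 rely on reading the 'zone:' and 'interfaces:' lines of firewall-cmd and the ZONE column of nmcli by eye. As an added example (not part of the original test case), the script below parses both outputs and verifies that NetworkManager and firewalld agree on the zone of an interface; the sample outputs are constructed from the examples on this page so it runs offline, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original test case: parse the command output
# shown on this page and check that NetworkManager and firewalld agree on the
# zone of an interface. Samples are constructed from the page's examples; on a
# real host feed the functions the live output of the two commands instead.

# Constructed sample of `firewall-cmd --list=all --zone=public`.
SAMPLE_FW='zone: public
interfaces: em1
services: dhcpv6-client, ssh'

# Constructed sample of `nmcli -f NAME,DEVICES,ZONE con status`.
SAMPLE_NM='NAME                      DEVICES    ZONE
System em1                em1        not set'

# zone_of_output OUTPUT: the zone named in the "zone:" header line.
zone_of_output() {
    printf '%s\n' "$1" | sed -n 's/^zone: *//p'
}

# iface_in_zone_output IFACE OUTPUT: 0 if IFACE is on the "interfaces:" line.
iface_in_zone_output() {
    printf '%s\n' "$2" | sed -n 's/^interfaces: *//p' \
        | tr ',' '\n' | tr -d ' ' | grep -qx "$1"
}

# nmcli_zone_for_device IFACE OUTPUT: the ZONE column of the row whose
# DEVICES column is IFACE (NAME may contain spaces, so match on the device).
nmcli_zone_for_device() {
    printf '%s\n' "$2" | sed -n "s/^.*[[:space:]]$1[[:space:]]\{1,\}//p"
}

# effective_zone NM_ZONE DEFAULT_ZONE: 'not set' means the firewalld default.
effective_zone() {
    [ "$1" = "not set" ] && printf '%s\n' "$2" || printf '%s\n' "$1"
}

# check_consistent IFACE NM_OUTPUT DEFAULT_ZONE FW_OUTPUT: 0 when the zone NM
# reports for IFACE resolves to the zone FW_OUTPUT describes and IFACE is
# listed in it, which is what step 1 of the test case expects.
check_consistent() {
    want=$(effective_zone "$(nmcli_zone_for_device "$1" "$2")" "$3")
    [ "$want" = "$(zone_of_output "$4")" ] && iface_in_zone_output "$1" "$4"
}

if check_consistent em1 "$SAMPLE_NM" public "$SAMPLE_FW"; then
    echo "em1: NetworkManager and firewalld agree on zone public"
else
    echo "em1: zone mismatch"
fi
```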