From Fedora Project Wiki

Associated release criterion
This test case is associated with the Basic_Release_Criteria#firewall-configuration release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.


Description

This test case tests whether configuring the firewall works correctly in a kickstart-driven installation.

Setup

  1. Prepare a test system (virtual or real) with sufficient memory to install Fedora, an empty hard disk (or such that you do not mind losing the contents of all connected hard disks: this test WILL wipe all hard disks connected to the test system), and (ideally) a network connection and another system from which you can connect to the test system

How to test

  1. Boot using a dedicated installer image for the Fedora release you wish to test
  2. At the boot menu, edit the options for one of the "Install Fedora" options to include the parameter http://fedorapeople.org/groups/qa/kickstarts/firewall-configured-net.ks
  3. The installation should run unattended: allow it to complete
  4. Boot the installed system and log in as 'root' with password 'anaconda'
  5. Run firewall-cmd --state
  6. Run firewall-cmd --query-service ftp
  7. Run firewall-cmd --query-port imap/tcp
  8. Run firewall-cmd --query-port 1234/udp
  9. Run firewall-cmd --query-port 47/tcp
  10. If possible, enable a service on one of the allowed ports (e.g. an FTP server) and try connecting to it from another system on the local network
  11. If possible, enable a service on a port not allowed by default or in the kickstart and try connecting to it from another system on the local network

Expected Results

  1. firewall-cmd --state should report running
  2. All firewall-cmd query commands should report yes
  3. Connecting to a running service on one of the allowed ports from other systems should work (so long as no other firewalls or similar are in the way)
  4. Connecting to a running service on a port not allowed by the kickstart or by default for the tested image should NOT work