Description

This is the test case to check if firewalld and NetworkManager are working together.

How to test

1. Connect to a network and check if the network is part of the default zone:

Show all supported zones:

 firewall-cmd --get-zones

The output should lok like this:

 drop work internal trusted home dmz public block external

Show all active zones with the interfaces belonging to the zones:

 firewall-cmd --get-active-zones

The output should look like this ('em1' is in used as an example):

 public: em1

List all settings of the public zone:

 firewall-cmd --list=all --zone=public

The output should look like this:

 zone: public
 interfaces: em1
 services: dhcpv6-client, ssh

To see the zone of active devices:

 nmcli -f NAME,DEVICES,ZONE con status

The output should look like this:

 NAME                      DEVICES    ZONE
 System em1                em1        not set

'not set' means to use the default zone.

You can also check the resulting firewall directly:

 iptables-save | grep ZONES

The result should be something like this:

 :POSTROUTING_ZONES - [0:0]
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 -A POSTROUTING -j POSTROUTING_ZONES
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 :FORWARD_ZONES - [0:0]
 :INPUT_ZONES - [0:0]
 -A INPUT -j INPUT_ZONES
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
 -A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
 -A INPUT_ZONES -i em1 -j IN_ZONE_public

'em1' is the interface used by NetworkManager for the connection. NM will automatically add the interface of a connection to the default zone.

2. Change the zone of a connection.

Add ZONE=work to the ifcfg file of the connection.

As root use an editor and add "ZONE=work" to the end of the ifcfg file of that connection. The result should look like this:

 UUID="......................"
 NM_CONTROLLED="yes"
 BOOTPROTO="dhcp"
 DEVICE="em1"
 ONBOOT=yes
 HWADDR=.........
 TYPE=Ethernet
 DEFROUTE=yes
 PEERDNS=yes
 PEERROUTES=yes
 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no
 NAME="System em1":
 ZONE=work

NetworkManager will automatically reconnect and the zone will be set accordingly:

 firewall-cmd --list=all --zone=work

The output should look like this:

 zone: work
 interfaces: em1
 services: ipp-client, dhcpv6-client, ssh

nm-applet does not have support for zones, yet. This will be added soon.

3. Remove the ZONE from the ifcfg file again

Reconnect with NetworkManager and the interface will be placed into the default zone 'public'.

4. Set a new default zone in the firewalld config file as root with an editor:

The result will look like this:

 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
 DefaultZone=home

Reload firewalld:

 firewall-cmd --reload

Reinitiate the connection in NetworkManager and check if the conneciton is using the new default zone:

 firewall-cmd --list=all --zone=home

You can also set the default zone with 'firewalld-cmd --set-default-zone=zone', but at the moment there is a SELinux problem with this - it forbids firewalld to write in it's own configuration directory. A bug for this has already been filed: https://bugzilla.redhat.com/show_bug.cgi?id=804083

If you reconnect with NetworkManager the interface of the connection will be placed in the new default zone.