From Fedora Project Wiki

Latest revision as of 12:09, 12 December 2012

Description

Firewalld needs NetworkManager, which tells firewalld what network interface belongs to which zone. This is the test case to check if firewalld and NetworkManager are working together.

How to test

1. Connect to a network and check if the network is part of the default zone:

Show all supported zones:

 firewall-cmd --get-zones

The output should look like this:

 drop work internal trusted home dmz public block external

Show all active zones with the interfaces belonging to the zones:

 firewall-cmd --get-active-zones

The output should look like this (em1 is used as an example):

 public: em1

List all settings of the public zone:

 firewall-cmd --zone=public --list-all

The output should look like this:

 zone: public
 interfaces: em1
 services: mdns dhcpv6-client ssh

To see the zone of active devices with nmcli (the NetworkManager command line client):

 nmcli -f NAME,DEVICES,ZONE con status

The output should look like this:

 NAME                      DEVICES    ZONE
 System em1                em1        --

-- means to use the default zone.

You can also check (as root) the resulting firewall directly:

 iptables-save | grep ZONES

The result should be something like this:

 :POSTROUTING_ZONES - [0:0]
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 -A POSTROUTING -j POSTROUTING_ZONES
 :PREROUTING_ZONES - [0:0]
 -A PREROUTING -j PREROUTING_ZONES
 :FORWARD_ZONES - [0:0]
 :INPUT_ZONES - [0:0]
 -A INPUT -j INPUT_ZONES
 -A FORWARD -j FORWARD_ZONES
 -A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
 -A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
 -A INPUT_ZONES -i em1 -j IN_ZONE_public

em1 is the interface used by NetworkManager for the connection. NM will automatically add the interface of a connection to the default zone.
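The three checks in step 1 (the active-zone list, the iptables chains and the interface name) should all agree. The following script is an added example and is not part of the wiki page or of firewalld itself: it cross-checks the zone firewalld reports for an interface against the IN_ZONE_<zone> rule iptables actually carries for it. The two inputs are constructed sample outputs in the single-line format shown on the page (a second interface, wlan0 in zone work, is added to show a multi-interface case); on a live system they would come from `firewall-cmd --get-active-zones` and `iptables-save | grep ZONES` run as root. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): cross-check that the
# interface-to-zone mapping firewalld reports matches the iptables rules
# it generated for that interface.

# Constructed sample of `firewall-cmd --get-active-zones` output, in the
# "zone: iface [iface...]" format shown on the page.
ACTIVE_ZONES='public: em1
work: wlan0'

# Constructed sample of `iptables-save | grep ZONES` output (the INPUT and
# FORWARD zone dispatch chains, as on the page, plus a second interface).
IPTABLES_ZONES=':FORWARD_ZONES - [0:0]
:INPUT_ZONES - [0:0]
-A INPUT -j INPUT_ZONES
-A FORWARD -j FORWARD_ZONES
-A FORWARD_ZONES -i em1 -j FWDI_ZONE_public
-A FORWARD_ZONES -o em1 -j FWDO_ZONE_public
-A INPUT_ZONES -i em1 -j IN_ZONE_public
-A FORWARD_ZONES -i wlan0 -j FWDI_ZONE_work
-A FORWARD_ZONES -o wlan0 -j FWDO_ZONE_work
-A INPUT_ZONES -i wlan0 -j IN_ZONE_work'

# zone_of_iface IFACE ACTIVE_ZONES_TEXT
# Prints the zone firewalld lists IFACE under, or nothing if it is not listed.
zone_of_iface() {
    printf '%s\n' "$2" | awk -v ifc="$1" -F': ' '
        { n = split($2, ifs, " ")
          for (i = 1; i <= n; i++) if (ifs[i] == ifc) { print $1; exit } }'
}

# input_zone_of_iface IFACE IPTABLES_TEXT
# Prints the zone named by the INPUT_ZONES rule for IFACE (target IN_ZONE_<zone>).
input_zone_of_iface() {
    printf '%s\n' "$2" | awk -v ifc="$1" '
        $1 == "-A" && $2 == "INPUT_ZONES" && $3 == "-i" && $4 == ifc && $5 == "-j" {
            sub(/^IN_ZONE_/, "", $6); print $6; exit }'
}

# check_iface_zone IFACE EXPECTED_ZONE ACTIVE_ZONES_TEXT IPTABLES_TEXT
# Returns 0 only when both firewalld's view and the iptables rules place
# IFACE in EXPECTED_ZONE; otherwise reports the disagreement on stderr.
check_iface_zone() {
    ifc=$1; want=$2
    fw=$(zone_of_iface "$ifc" "$3")
    ipt=$(input_zone_of_iface "$ifc" "$4")
    if [ "$fw" = "$want" ] && [ "$ipt" = "$want" ]; then
        echo "$ifc: zone $want confirmed by firewall-cmd and iptables"
        return 0
    fi
    echo "$ifc: expected $want, firewall-cmd says '${fw:-none}', iptables says '${ipt:-none}'" >&2
    return 1
}

# Demo on the constructed samples: em1 is expected in the default zone public.
check_iface_zone em1 public "$ACTIVE_ZONES" "$IPTABLES_ZONES"
```

On a real host, replace the two constructed variables with `ACTIVE_ZONES=$(firewall-cmd --get-active-zones)` and `IPTABLES_ZONES=$(iptables-save | grep ZONES)`; a non-zero exit then points at exactly which of the two views disagrees with what you expect.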

2. Change the zone of a connection.

To change the zone of a connection you can either use a NetworkManager GUI or edit the connection configuration files manually.

Using a NetworkManager GUI

network-manager-applet (GNOME, Xfce)

You need network-manager-applet-0.9.7.0-6.git20121211.fc18 from updates-testing repo.

System Settings -> Network, select the connection, click on Options... and go to General tab. Change Firewall zone combo box and press Save....

kde-plasma-networkmanagement (KDE)

System Settings -> Network Settings, select the connection and click on Edit.... Change Firewall zone combo box and press OK.


After you change the zone in either network-manager-applet or kde-plasma-networkmanagement, run the following commands to make sure the zone has been changed correctly.

 firewall-cmd --get-active-zones
 nmcli -f NAME,DEVICES,ZONE con status

Editing connection configuration files

Add ZONE=work to the /etc/sysconfig/network-scripts/ifcfg-* file of the connection.

As root, use an editor to add a line such as ZONE=work to the end of the ifcfg- file of that connection in /etc/sysconfig/network-scripts/. The result should look similar to this (only the last line is important):

 UUID="......................"
 NM_CONTROLLED="yes"
 BOOTPROTO="dhcp"
 DEVICE="em1"
 ONBOOT=yes
 HWADDR=.........
 TYPE=Ethernet
 DEFROUTE=yes
 PEERDNS=yes
 PEERROUTES=yes
 IPV4_FAILURE_FATAL=yes
 IPV6INIT=no
 NAME="System em1"
 ZONE=work

NetworkManager will automatically reconnect and the zone will be set accordingly:

 firewall-cmd --zone=work --list-all

The output should look like this:

 zone: work
 interfaces: em1
 services: ipp-client mdns dhcpv6-client ssh

Also check the output of:

 firewall-cmd --get-zone-of-interface=em1

3. Remove the ZONE from the ifcfg file again

After you remove the ZONE line from the ifcfg file, NetworkManager will place the interface back into the default zone public.

4. Set a new default zone in the firewalld config file as root with an editor:

The firewalld config file is: /etc/firewalld/firewalld.conf

Change the DefaultZone to look like this:

 # default zone
 # The default zone used if an empty zone string is used.
 # Default: public
 DefaultZone=home

Reload firewalld:

 firewall-cmd --reload

Check if the connection is using the new default zone:

 firewall-cmd --get-zone-of-interface=em1
 firewall-cmd --zone=home --list-all

You can also set the default zone with firewall-cmd --set-default-zone=zone (no need to reload firewalld).
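Steps 2 to 4 all come down to editing one KEY=VALUE line in a configuration file: ZONE= in the ifcfg file (steps 2 and 3) and DefaultZone= in /etc/firewalld/firewalld.conf (step 4). Doing that by hand is fine once, but a script that appends blindly leaves duplicate keys behind, and a mistyped zone name silently lands the interface somewhere unexpected. The script below is an added example, not part of the wiki page or of firewalld: it sets, changes or removes such a key idempotently and refuses zone names that are not in the list `firewall-cmd --get-zones` printed above. It works on constructed copies in a temporary directory so it runs as an ordinary user; the function names and the temporary paths are the example's own, and on a real system you would point it, as root, at the ifcfg- file and at /etc/firewalld/firewalld.conf and then run `firewall-cmd --reload`.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki page): idempotent editing of the
# ZONE= line of an ifcfg file and the DefaultZone= line of firewalld.conf,
# with the zone name validated against the zones the page lists.

# Zones printed by `firewall-cmd --get-zones` on the page.
KNOWN_ZONES='drop work internal trusted home dmz public block external'

# valid_zone NAME -> 0 if NAME is one of the known zones, 1 otherwise
valid_zone() {
    for z in $KNOWN_ZONES; do [ "$z" = "$1" ] && return 0; done
    return 1
}

# set_key FILE KEY VALUE
# Replace every existing KEY=... line with one KEY=VALUE line (kept at the
# position of the first occurrence), or append the line if KEY is absent.
set_key() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        index($0, k "=") == 1 { if (!seen) { print k "=" v; seen = 1 }; next }
        { print }
        END { if (!seen) print k "=" v }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# unset_key FILE KEY : drop every KEY=... line (step 3: back to the default zone)
unset_key() {
    file=$1 key=$2
    tmp=$(mktemp) || return 1
    awk -v k="$key" 'index($0, k "=") != 1' "$file" > "$tmp" && mv "$tmp" "$file"
}

# get_key FILE KEY : print the value of the last KEY=... line, quotes stripped
get_key() {
    sed -n "s/^$2=//p" "$1" | tr -d '"' | tail -n 1
}

# set_connection_zone IFCFG ZONE : step 2 done through the configuration file
set_connection_zone() {
    valid_zone "$2" || { echo "unknown zone: $2" >&2; return 1; }
    set_key "$1" ZONE "$2"
}

# set_default_zone CONF ZONE : step 4, DefaultZone= in firewalld.conf
set_default_zone() {
    valid_zone "$2" || { echo "unknown zone: $2" >&2; return 1; }
    set_key "$1" DefaultZone "$2"
}

# --- demo on constructed copies (never touches /etc) -----------------------
WORK=$(mktemp -d)
IFCFG="$WORK/ifcfg-em1"
CONF="$WORK/firewalld.conf"

# Constructed ifcfg file modelled on the one shown on the page.
cat > "$IFCFG" <<'EOF'
UUID="......................"
NM_CONTROLLED="yes"
BOOTPROTO="dhcp"
DEVICE="em1"
ONBOOT=yes
TYPE=Ethernet
NAME="System em1"
EOF

# Constructed excerpt of firewalld.conf as shown on the page.
cat > "$CONF" <<'EOF'
# default zone
# The default zone used if an empty zone string is used.
# Default: public
DefaultZone=public
EOF

set_connection_zone "$IFCFG" work     # step 2: connection moves to zone work
echo "ifcfg ZONE is now: $(get_key "$IFCFG" ZONE)"
unset_key "$IFCFG" ZONE               # step 3: NetworkManager falls back to the default zone
set_default_zone "$CONF" home         # step 4: new default zone (then firewall-cmd --reload)
echo "DefaultZone is now: $(get_key "$CONF" DefaultZone)"
```

After running the real files through set_connection_zone or set_default_zone, the verification commands from the page (`firewall-cmd --get-zone-of-interface=em1` and `firewall-cmd --zone=<zone> --list-all`) are still the authoritative check, since only a reconnect or a reload makes the edited file take effect.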