From Fedora Project Wiki

Revision as of 10:19, 27 September 2012 by Jpopelka (talk | contribs)

Description

This is the test case to check if persistent changes of firewall zones are usable.

Settings in the zone done with firewall-cmd --permanent should survive reboot or firewalld service restart.

How to test

  • Get a list of all supported services:
 firewall-cmd --get-services

The result should be:

 cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba 
 dhcpv6-client dns openvpn imaps samba-client http https telnet libvirt ssh 
 ipsecipp-client amanda-client tftp-client dhcpv6 nfs tftp libvirt-tls
  • Get a list of services that are currently allowed in zone work:
 firewall-cmd --zone=work --list-services

should show: ipp-client mdns dhcpv6-client ssh

  • Now we'll permanently allow smtp in zone work. We can either use
 firewall-cmd --permanent --zone=work --add-service=smtp

and check that smtp was added to configuration file of the zone:

 grep smtp /etc/firewalld/zones/work.xml 

desired output: <service name="smtp"/>

Or we can change the configuration file manually with:

 cp /usr/lib/firewalld/zones/external.xml /etc/firewalld/zones/
 vim /etc/firewalld/zones/external.xml

add <service name="smtp"/> and save the file.

  • We need to reload firewalld so the change in configuration file gets loaded
 firewall-cmd --reload
  • Check that smtp is among:
 firewall-cmd --zone=work --list-services

and

 iptables-save | grep work

should show

 -A IN_ZONE_work_allow -p tcp -m tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
  • Now reboot or service firewalld restart and make sure the change is persistent, i.e. the smtp service is still allowed.
  • If you want to revert the change you can either:
 firewall-cmd --permanent --zone=work --remove-service=smtp

or remove the <service name="smtp"/> line from /etc/firewalld/zones/external.xml

or you can simply delete the /etc/firewalld/zones/external.xml so firewalld will load the default /usr/lib/firewalld/zones/external.xml configuration file of the zone.

In all cases you need to reload firewalld so the stored configuration becomes active.