From Fedora Project Wiki

Line 1: Line 1:
= Description =
= Description =


This is the test case to check if firewall zones are usable.  
This is the test case to check if runtime changes of firewall zones are usable.  


Settings in the zone done with firewall-cmd or with the D-BUS interface are only valid till reboot or firewalld service restart.
Settings in the zone done with firewall-cmd (without --permanent switch) are only valid till reboot or firewalld service restart.


= How to test =
= How to test =
Line 9: Line 9:
=== 1. Get settings of 'work' zone ===
=== 1. Get settings of 'work' zone ===


   firewall-cmd --list=all --zone=work
   firewall-cmd --zone=work --list-all


=== 2. Enable service 'samba-client' in zone 'work' ===
=== 2. Enable service 'samba-client' in zone 'work' ===


   firewall-cmd --add --zone=work --service=samba-client
   firewall-cmd --zone=work --add-service=samba-client


To check if it has been enabled:
To check (as root) if it has been enabled:


   iptables-save | grep work
   iptables-save | grep work
Line 24: Line 24:
   -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT
   -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT


=== 3. Disable service 'samba-client' in zone 'work' ===
And


   firewall-cmd --remove --zone=work --service=samba-client
   firewall-cmd --zone=work --list-services


=== 4. Get a list of all supported services: ===
should contain samba-client


  firewall-cmd --list=services
=== 3. Disable service 'samba-client' in zone 'work' ===
 
The result should be:


   cluster-suite pop3s bacula-client smtp ipp radius bacula ftp mdns samba
   firewall-cmd --zone=work --remove-service=samba-client
  dhcpv6-client dns openvpn imaps samba-client http https telnet libvirt ssh
  ipsecipp-client amanda-client tftp-client dhcpv6 nfs tftp libvirt-tls

Revision as of 15:46, 6 September 2012

Description

This is the test case to check if runtime changes of firewall zones are usable.

Settings in the zone done with firewall-cmd (without --permanent switch) are only valid till reboot or firewalld service restart.

How to test

1. Get settings of 'work' zone

 firewall-cmd --zone=work --list-all

2. Enable service 'samba-client' in zone 'work'

 firewall-cmd --zone=work --add-service=samba-client

To check (as root) if it has been enabled:

 iptables-save | grep work

These two lines should be in the output:

 -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
 -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT

And

 firewall-cmd --zone=work --list-services

should contain samba-client

3. Disable service 'samba-client' in zone 'work'

 firewall-cmd --zone=work --remove-service=samba-client