From Fedora Project Wiki

Latest revision as of 17:18, 11 December 2012

Description

This is the test case to check if runtime changes of firewall zones are usable.

Settings applied to a zone with firewall-cmd (without the --permanent switch) are runtime-only: they are valid until the next reboot or restart of the firewalld service.

How to test

Get settings of work zone

 firewall-cmd --zone=work --list-all

Enable service samba-client in zone work

 firewall-cmd --zone=work --add-service=samba-client

To check (as root) if it has been enabled:

 iptables-save | grep work

These two lines should be in the output:

 -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
 -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT

And

 firewall-cmd --zone=work --list-services

should contain samba-client.

Now undo the previous change. You can either manually remove the service

 firewall-cmd --zone=work --remove-service=samba-client

or just restart firewalld,

 service firewalld restart

because the change we made was a runtime change, not a permanent one.

 firewall-cmd --zone=work --list-all

should now show the same output as for the first time, i.e. no samba-client.
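The two verification commands above (iptables-save and firewall-cmd --zone=work --list-all) are normally eyeballed. The following Python, added here as an example and not part of the wiki test case, parses both outputs so the before/add/revert states of the zone can be compared automatically. The sample outputs, the assumed layout of the --list-all text (a "services:" line listing enabled services) and the mapping of samba-client to UDP 137/138 are taken from this page; everything else is constructed for illustration.

```python
"""Programmatic checks for the firewalld runtime-zone test case.

Added example, not from the Fedora wiki page. It parses the output of the
two verification commands the test case uses (``iptables-save`` and
``firewall-cmd --zone=work --list-all``) so the state of the zone before
the change, after ``--add-service`` and after the firewalld restart can be
compared. Sample outputs below are constructed, not captured from a host.
"""
import re
import subprocess

# samba-client as the test case describes it: NetBIOS name (137) and datagram (138) services.
SAMBA_CLIENT_PORTS = {("udp", 137), ("udp", 138)}

# Matches the per-zone allow rules that firewalld installs, e.g.
#   -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
RULE_RE = re.compile(
    r"^-A IN_ZONE_(?P<zone>\w+)_allow\s+-p (?P<proto>tcp|udp)\s+"
    r"-m (?P=proto)\s+--dport (?P<port>\d+)\s+-j ACCEPT$"
)


def allowed_ports(iptables_save_text, zone):
    """Return the set of (proto, port) ACCEPT rules in the zone's allow chain."""
    found = set()
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("zone") == zone:
            found.add((m.group("proto"), int(m.group("port"))))
    return found


def samba_client_enabled(iptables_save_text, zone="work"):
    """True when both rules the test case expects for samba-client are present."""
    return SAMBA_CLIENT_PORTS <= allowed_ports(iptables_save_text, zone)


def zone_services(list_all_text):
    """Parse the 'services:' line of `firewall-cmd --zone=X --list-all` into a set.

    Layout assumed: an indented 'key: value' line per setting (constructed here).
    """
    for line in list_all_text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key == "services":
            return set(value.split())
    return set()


def runtime_change_reverted(list_all_before, list_all_after_restart):
    """The test passes if the zone lists the same services before the change and after the restart."""
    return zone_services(list_all_before) == zone_services(list_all_after_restart)


# Constructed sample outputs (not captured from a real host).
IPTABLES_BEFORE = """\
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -j ACCEPT
"""
IPTABLES_AFTER_ADD = """\
-A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -j ACCEPT
-A IN_ZONE_home_allow -p udp -m udp --dport 137 -j ACCEPT
"""
LIST_ALL_BEFORE = """\
work
  interfaces: 
  services: dhcpv6-client ipp-client ssh
  ports: 
"""
LIST_ALL_AFTER_ADD = LIST_ALL_BEFORE.replace("ssh", "samba-client ssh")


def live_state(zone="work"):
    """Capture the real outputs on a firewalld host (must run as root); not used by the tests."""
    rules = subprocess.run(["iptables-save"], capture_output=True, text=True, check=True).stdout
    listing = subprocess.run(["firewall-cmd", "--zone=%s" % zone, "--list-all"],
                             capture_output=True, text=True, check=True).stdout
    return rules, listing


if __name__ == "__main__":
    # Walk the constructed samples through the three states of the test case.
    print("before add, samba-client enabled:", samba_client_enabled(IPTABLES_BEFORE))
    print("after add,  samba-client enabled:", samba_client_enabled(IPTABLES_AFTER_ADD))
    print("services after add:", sorted(zone_services(LIST_ALL_AFTER_ADD)))
    print("reverted after restart:", runtime_change_reverted(LIST_ALL_BEFORE, LIST_ALL_BEFORE))
```

On a real host, capture live_state() before the --add-service, after it, and again after the firewalld restart, and feed the three captures to the same functions; because the change was runtime-only, the third capture must match the first.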

For more examples see also http://fedoraproject.org/wiki/FirewallD