From Fedora Project Wiki

Latest revision as of 17:18, 11 December 2012

Description

This test case checks that runtime (non-permanent) changes to firewall zones work: the change takes effect immediately and is dropped again when firewalld restarts.

Settings changed with firewall-cmd without the --permanent switch are runtime-only: they are lost on reboot, on a firewalld service restart, and on firewall-cmd --reload. To keep a change across those, repeat the command with --permanent; a --permanent change in turn does not affect the running firewall until firewalld is reloaded or restarted.

How to test

Get settings of work zone

 firewall-cmd --zone=work --list-all

Enable service samba-client in zone work

 firewall-cmd --zone=work --add-service=samba-client

To check (as root) if it has been enabled:

 iptables-save | grep work

These two lines (the samba-client service, udp/137 and udp/138) should be in the output:

 -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
 -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT

The IN_ZONE_work_allow chain name is what firewalld produced when this page was written; later releases name the chain IN_work_allow, and with the nftables backend (the default on Fedora 32 and later) iptables-save shows no firewalld rules at all, so look at nft list ruleset instead.

And

 firewall-cmd --zone=work --list-services

should contain samba-client.

Now undo the previous change. You can either manually remove the service

 firewall-cmd --zone=work --remove-service=samba-client

or just restart firewalld (on a systemd-based Fedora, systemctl restart firewalld does the same),

 service firewalld restart

because the change was not made permanent. Note that a restart discards every runtime change in every zone, not only this one.

 firewall-cmd --zone=work --list-all

should now show the same output as in the first step, i.e. without samba-client.
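The whole procedure as one script, added here as an example; it is not code from the Fedora wiki page or from firewalld. Its helper functions parse captured firewall-cmd --list-all and iptables-save output, so they can be checked offline against constructed sample output (the sample zone contents below are assumed, not taken from the page); run_live_test performs the real runtime add, verification, restart and re-check, which needs root and a running firewalld. The IN_<zone>_allow chain name and the nftables remark come from later firewalld releases than the one this page was written against.

```shell
#!/bin/bash
# Added example for this test case; not code from the Fedora wiki page or from
# firewalld itself. Parsing helpers run offline on captured output; run_live_test
# needs root and a running firewalld (invoke the script with "live").
set -u

# Does `firewall-cmd --zone=<zone> --list-all` output (on stdin) name $1 on its
# "services:" line?  Exit status 0 = listed, 1 = not listed.
service_listed() {
    local svc="$1"
    awk -v svc="$svc" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Does iptables-save output (on stdin) carry ACCEPT rules for udp/137 and
# udp/138 (the samba-client service) in zone $1's allow chain?  Accepts the
# IN_ZONE_<zone>_allow name shown on this page and the later IN_<zone>_allow.
samba_client_rules_present() {
    local zone="$1"
    awk -v zone="$zone" '
        $1 == "-A" && ($2 == ("IN_ZONE_" zone "_allow") || $2 == ("IN_" zone "_allow")) && /-p udp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") ports[$(i + 1)] = 1
        }
        END { ok = ("137" in ports) && ("138" in ports); exit ok ? 0 : 1 }'
}

# Constructed sample outputs (assumed shapes, modelled on the page's expected
# lines) so the helpers can be exercised without touching a real firewall.
SAMPLE_LIST_ALL_BEFORE='work
  interfaces: 
  services: dhcpv6-client ipp-client ssh
  ports: 
  forward-ports: 
  icmp-blocks: '
SAMPLE_LIST_ALL_AFTER='work
  interfaces: 
  services: dhcpv6-client ipp-client samba-client ssh
  ports: 
  forward-ports: 
  icmp-blocks: '
SAMPLE_IPTABLES='-A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -j ACCEPT'

# The page's procedure end to end: runtime add, verify in both views, undo by
# restarting firewalld, verify the change is gone.  Returns 0 on success.
run_live_test() {
    local zone="${1:-work}"
    command -v firewall-cmd >/dev/null || { echo "firewall-cmd not found" >&2; return 2; }
    if firewall-cmd --zone="$zone" --list-all | service_listed samba-client; then
        echo "samba-client already enabled in $zone; nothing to test" >&2; return 2
    fi
    firewall-cmd --zone="$zone" --add-service=samba-client || return 1
    firewall-cmd --zone="$zone" --list-all | service_listed samba-client ||
        { echo "FAIL: samba-client not listed after runtime add" >&2; return 1; }
    # Rule check only applies to the iptables backend; with the nftables backend
    # iptables-save shows nothing and `nft list ruleset` is the place to look.
    if command -v iptables-save >/dev/null; then
        iptables-save | samba_client_rules_present "$zone" ||
            echo "warning: expected udp/137,138 rules not found (nftables backend?)" >&2
    fi
    systemctl restart firewalld || return 1
    if firewall-cmd --zone="$zone" --list-all | service_listed samba-client; then
        echo "FAIL: runtime change to $zone survived a firewalld restart" >&2; return 1
    fi
    echo "OK: runtime change to $zone was discarded by the restart"
}

if [ "${1:-}" = "live" ]; then
    run_live_test "${2:-work}"
fi
```

Run it as root with "live" (optionally followed by a zone name) to exercise a real firewalld; without arguments it only defines the helpers, which is what lets the parsing logic be checked on captured output first.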

For more examples see also http://fedoraproject.org/wiki/FirewallD