From Fedora Project Wiki

Latest revision as of 17:18, 11 December 2012

Description

This test case checks that runtime (non-permanent) changes to firewalld zones work and are discarded again when firewalld is restarted.

Zone settings made with firewall-cmd without the --permanent switch take effect immediately but only live until the next reboot or restart of the firewalld service; the persistent configuration on disk is left untouched.

How to test

Get the current settings of the work zone, so that the final state can be compared against them:

 firewall-cmd --zone=work --list-all

Enable the service samba-client in the work zone (runtime only, no --permanent):

 firewall-cmd --zone=work --add-service=samba-client

To check (as root) that the rules have actually been loaded into the kernel:

 iptables-save | grep work

These two lines should be in the output (samba-client opens the NetBIOS ports 137/udp and 138/udp):

 -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
 -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT

The chain name IN_ZONE_work_allow is the one used by the firewalld release this test case was written for; later releases name the zone chains differently, and with the nftables backend iptables-save shows no firewalld rules at all, so on a newer system inspect the backend's own ruleset instead.

Also,

 firewall-cmd --zone=work --list-services

should now list samba-client.

Now undo the change. Either remove the service manually,

 firewall-cmd --zone=work --remove-service=samba-client

or just restart firewalld,

 service firewalld restart

which discards the change because it was not made permanent (on a systemd-based Fedora, systemctl restart firewalld.service does the same).

 firewall-cmd --zone=work --list-all

should now produce the same output as in the first step, i.e. no samba-client.
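The steps above can be driven by a script. The following is an added example, not part of the wiki page or of firewalld itself. The two parsing helpers work on constructed sample output modelled on what the page shows (not captured from a real host) and run anywhere; the live part needs root and a running firewalld, is only entered with --live, and assumes a firewall-cmd that supports --permanent --list-all and --reload. The chain template IN_ZONE_<zone>_allow is taken from the page; it is an assumption for other firewalld releases and can be overridden through CHAIN_FMT.

```bash
#!/bin/bash
# Added example (not from the wiki page): scripted runtime-zone-change test.
# Parsing helpers are pure and testable offline; run_live_test needs root
# and firewalld and is only entered with "--live".

ZONE=${ZONE:-work}
SERVICE=${SERVICE:-samba-client}
# Chain name template from the page; newer firewalld releases differ (assumption).
CHAIN_FMT=${CHAIN_FMT:-'IN_ZONE_%s_allow'}

# zone_lists_service SERVICE   (stdin: `firewall-cmd --zone=Z --list-all` output)
# Exit 0 if the "services:" line lists SERVICE, 1 otherwise.
zone_lists_service() {
    awk -v svc="$1" '
        $1 == "services:" { for (i = 2; i <= NF; i++) if ($i == svc) found = 1 }
        END { exit found ? 0 : 1 }'
}

# chain_accepts_udp ZONE PORT...   (stdin: `iptables-save` output)
# Exit 0 if the zone's allow chain has "-p udp ... --dport PORT -j ACCEPT" for
# every PORT given (137 and 138 are what samba-client needs), 1 otherwise.
chain_accepts_udp() {
    local zone=$1; shift
    awk -v chain="$(printf "$CHAIN_FMT" "$zone")" -v want="$*" '
        BEGIN { n = split(want, port, " ") }
        $1 == "-A" && $2 == chain && $3 == "-p" && $4 == "udp" && $NF == "ACCEPT" {
            for (i = 1; i < NF; i++) if ($i == "--dport") seen[$(i + 1)] = 1
        }
        END { for (i = 1; i <= n; i++) if (!(port[i] in seen)) exit 1; exit 0 }'
}

# Constructed sample output (not captured from a real host).
SAMPLE_BEFORE='work
  interfaces: 
  services: dhcpv6-client ipp-client mdns ssh
  ports: '
SAMPLE_AFTER='work
  interfaces: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: '
SAMPLE_IPTABLES='-A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT
-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -j ACCEPT'

# run_live_test: add the service at runtime, verify it is visible in the
# runtime config (and in the kernel rules when an iptables backend is used),
# verify the permanent config is untouched, then reload and verify the
# runtime config is back to its original state. Returns 0 on success.
run_live_test() {
    local before after perm_before perm_after
    before=$(firewall-cmd --zone="$ZONE" --list-all) || return 1
    perm_before=$(firewall-cmd --permanent --zone="$ZONE" --list-all) || return 1

    firewall-cmd --zone="$ZONE" --add-service="$SERVICE" >/dev/null || return 1
    firewall-cmd --zone="$ZONE" --list-all | zone_lists_service "$SERVICE" \
        || { echo "error: runtime config does not list $SERVICE" >&2; return 1; }
    if command -v iptables-save >/dev/null; then
        iptables-save | chain_accepts_udp "$ZONE" 137 138 \
            || echo "note: expected iptables rules not found (other backend?)" >&2
    fi
    perm_after=$(firewall-cmd --permanent --zone="$ZONE" --list-all) || return 1
    [ "$perm_before" = "$perm_after" ] \
        || { echo "error: permanent config changed" >&2; return 1; }

    # --reload throws away runtime-only changes, like a firewalld restart.
    firewall-cmd --reload >/dev/null || return 1
    after=$(firewall-cmd --zone="$ZONE" --list-all) || return 1
    [ "$before" = "$after" ]
}

if [ "${1:-}" = "--live" ]; then
    if run_live_test; then echo "runtime zone change test: PASS"; else echo "FAIL"; exit 1; fi
fi
```

Run it as root with `./runtime-zone-test.sh --live` on a host with firewalld; without `--live` only the helper functions are defined, which is what the offline checks against the constructed samples exercise.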

For more examples see also http://fedoraproject.org/wiki/FirewallD#Runtime_zone_handling