Revision as of 09:51, 27 September 2012

Description

This is the test case to check if runtime changes of firewall zones are usable.

Settings in the zone done with firewall-cmd (without --permanent switch) are only valid till reboot or firewalld service restart.

Get settings of 'work' zone

 firewall-cmd --zone=work --list-all

Enable service 'samba-client' in zone 'work'

 firewall-cmd --zone=work --add-service=samba-client

To check (as root) if it has been enabled:

 iptables-save | grep work

These two lines should be in the output:

 -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
 -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT

And

 firewall-cmd --zone=work --list-services

should contain samba-client.

Now undo the previous change. You can either manually remove the service

 firewall-cmd --zone=work --remove-service=samba-client

or just restart firewalld,

 service firewalld restart

because the change we did has not been permanent.

 firewall-cmd --zone=work --list-all

should now show the same output as for the first time, i.e. no samba-client.

@@ Line 7: / Line 7: @@
 = How to test =
-=== 1. Get settings of 'work' zone ===
+Get settings of 'work' zone
    firewall-cmd --zone=work --list-all
-=== 2. Enable service 'samba-client' in zone 'work' ===
+Enable service 'samba-client' in zone 'work'
    firewall-cmd --zone=work --add-service=samba-client
@@ Line 28: / Line 28: @@
    firewall-cmd --zone=work --list-services
-should contain samba-client
+should contain samba-client.
-=== 3. Disable service 'samba-client' in zone 'work' ===
+Now undo the previous change.
+You can either manually remove the service
    firewall-cmd --zone=work --remove-service=samba-client
+or just restart firewalld,
+  service firewalld restart
+because the change we did has not been permanent.
+  firewall-cmd --zone=work --list-all
+should now show the same output as for the first time, i.e. no samba-client.