From Fedora Project Wiki

m
Line 1: Line 1:
= Description =
= Description =


This is the test case to check if runtime changes of firewall zones are usable.  
This is the test case to check if '''runtime''' changes of firewall zones are usable.  


Settings in the zone done with firewall-cmd (without --permanent switch) are only valid till reboot or firewalld service restart.
Settings in the zone done with ''firewall-cmd'' (without ''--permanent'' switch) are only valid till reboot or firewalld service restart.


= How to test =
= How to test =


Get settings of 'work' zone
Get settings of ''work'' zone


   firewall-cmd --zone=work --list-all
   firewall-cmd --zone=work --list-all


Enable service 'samba-client' in zone 'work'
Enable service ''samba-client'' in zone ''work''


   firewall-cmd --zone=work --add-service=samba-client
   firewall-cmd --zone=work --add-service=samba-client
Line 28: Line 28:
   firewall-cmd --zone=work --list-services
   firewall-cmd --zone=work --list-services


should contain samba-client.
should contain ''samba-client''.


Now undo the previous change.
Now undo the previous change.
Line 43: Line 43:
   firewall-cmd --zone=work --list-all
   firewall-cmd --zone=work --list-all


should now show the same output as for the first time, i.e. no samba-client.
should now show the same output as for the first time, i.e. no ''samba-client''.

Revision as of 10:20, 27 September 2012

Description

This test case checks whether runtime changes to firewall zones are usable.

Zone settings made with firewall-cmd without the --permanent switch are valid only until a reboot or a restart of the firewalld service.

How to test

Get the settings of the work zone:

 firewall-cmd --zone=work --list-all

Enable the service samba-client in the zone work:

 firewall-cmd --zone=work --add-service=samba-client

To check (as root) if it has been enabled:

 iptables-save | grep work

These two lines should be in the output:

 -A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
 -A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT

And

 firewall-cmd --zone=work --list-services

should contain samba-client.

Now undo the previous change. You can either remove the service manually

 firewall-cmd --zone=work --remove-service=samba-client

or just restart firewalld,

 service firewalld restart

because the change was not made permanent.

 firewall-cmd --zone=work --list-all

should now show the same output as the first time, i.e. no samba-client.
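
The pass/fail checks in the steps above can be scripted. The following is an added example, not part of the original test case: the function names and the sample captures are assumptions, and the functions read text saved from iptables-save and firewall-cmd --list-services, so they run without firewalld or root.

```shell
#!/bin/sh
# Added example: checks for the runtime-change test above. The functions read
# text captured from the commands, so they run without firewalld or root.

# zone_allows_udp_port ZONE PORT  (iptables-save output on stdin)
# True only if the exact ACCEPT rule from the test case is present.
zone_allows_udp_port() {
    sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fqx -e "-A IN_ZONE_${1}_allow -p udp -m udp --dport ${2} -j ACCEPT"
}

# samba_client_state ZONE  (iptables-save output on stdin)
# Prints enabled (ports 137 and 138 open), disabled (neither), or partial.
samba_client_state() {
    rules=$(cat)
    found=0
    for port in 137 138; do
        if printf '%s\n' "$rules" | zone_allows_udp_port "$1" "$port"; then
            found=$((found + 1))
        fi
    done
    case $found in
        2) echo enabled ;;
        0) echo disabled ;;
        *) echo partial ;;
    esac
}

# service_listed NAME  (firewall-cmd --list-services output on stdin)
# Whole-word match, so "samba" does not match "samba-client".
service_listed() {
    for svc in $(cat); do
        [ "$svc" = "$1" ] && return 0
    done
    return 1
}

# Constructed sample captures (not taken from a real host).
RULES_AFTER_ADD='-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 137 -j ACCEPT
-A IN_ZONE_work_allow -p udp -m udp --dport 138 -j ACCEPT'
RULES_AFTER_UNDO='-A IN_ZONE_work_allow -p tcp -m tcp --dport 22 -j ACCEPT'

printf '%s\n' "$RULES_AFTER_ADD"  | samba_client_state work   # enabled
printf '%s\n' "$RULES_AFTER_UNDO" | samba_client_state work   # disabled
```

A result of partial means only one of the two expected rules is present and should be treated as a test failure, both after adding the service and after undoing the change.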