From Fedora Project Wiki

Associated release criterion
This test case is associated with the Basic_Release_Criteria#firewall-configuration release criterion. If you are doing release validation testing, a failure of this test case may be a breach of that release criterion. If so, please file a bug and nominate it as blocking the appropriate milestone, using the blocker bug nomination page.


Description

This test case checks that the default configuration of the system firewall for the Server product is as required in the Server/Technical_Specification.


How to test

  1. Install the Fedora Server release you wish to test, in graphical or text mode, with one or more server roles selected, and without doing anything otherwise to affect firewall configuration.
  2. Boot the installed system, and check the firewall configuration:
    sudo iptables -L -v is the most detailed and 'close to the metal' way to check, but its output may be too complex to understand readily
    sudo firewall-cmd --list-all [--zone <zone>] should list active services and open ports in the default or specified firewall zone (e.g. 'FedoraServer', 'home', 'public' etc)
    sudo firewall-cmd --get-zone-of-interface=<interface> should return which zone an interface is in
    To do a functional test, you can manually attempt to connect to various ports with a telnet or netcat-like utility from another system. Use a port scanning tool only if you are the admin for both systems and the network itself, or have permission from the relevant admin(s)

Expected Results

  1. The firewall should be configured as specified in the Server/Technical_Specification#Firewall - that is, the ssh and Cockpit ports must be open, and the only other ports that may be open are those associated with the role(s) deployed during installation and dhcpv6-client (which is needed for IPv6 operation).
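
The comparison described in the expected results can be scripted. The following is an added example, not part of the original test case: it checks the space-separated output of firewall-cmd --list-services and --list-ports against the required and permitted sets. The function names, the role allowlist argument and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Fedora test case.
REQUIRED="ssh cockpit"                     # must be open (Expected Results)
ALWAYS_ALLOWED="ssh cockpit dhcpv6-client" # may be open on any install

# check_firewall "<open services>" "<open ports>" "<role allowlist>"
# The role allowlist (assumption: supplied by the tester) holds the firewalld
# service names and port/proto entries of the roles deployed at install time.
# Prints one line per problem; returns 0 on a match, 1 otherwise.
check_firewall() {
    cf_services=$1 cf_ports=$2 cf_role=$3 cf_rc=0

    for cf_item in $REQUIRED; do
        case " $cf_services " in
            *" $cf_item "*) ;;
            *) echo "MISSING service: $cf_item"; cf_rc=1 ;;
        esac
    done

    for cf_item in $cf_services; do
        case " $ALWAYS_ALLOWED $cf_role " in
            *" $cf_item "*) ;;
            *) echo "UNEXPECTED service: $cf_item"; cf_rc=1 ;;
        esac
    done

    # Ports opened directly (not via a named service) must belong to a role.
    for cf_item in $cf_ports; do
        case " $cf_role " in
            *" $cf_item "*) ;;
            *) echo "UNEXPECTED port: $cf_item"; cf_rc=1 ;;
        esac
    done
    return $cf_rc
}

# Live check of the default zone on the installed system; call it by hand,
# e.g. check_live "postgresql". Needs firewalld and sudo.
check_live() {
    cl_zone=$(sudo firewall-cmd --get-default-zone) || return 2
    check_firewall "$(sudo firewall-cmd --zone="$cl_zone" --list-services)" \
                   "$(sudo firewall-cmd --zone="$cl_zone" --list-ports)" "$1"
}

# Constructed sample: a clean install with no role-specific services.
check_firewall "cockpit dhcpv6-client ssh" "" "" && echo "PASS"
```

If an interface is not in the default zone, repeat the check for the zone reported by firewall-cmd --get-zone-of-interface=<interface>.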