Bug 1155972

Summary: [RFE] Please extend the list of PREDEFINED services of firewalld for other common services
Product: [Fedora] Fedora Reporter: Răzvan Sandu <rsandu2004>
Component: firewalldAssignee: Eric Garver <egarver>
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: azrdev, jpopelka, riehecky, twoerner, xzhou
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1046471, 1150656, 1186984, 1242392    
Bug Blocks:    

Description Răzvan Sandu 2014-10-23 10:14:19 UTC 
Description of problem:

In order to encourage the use of the new firewalld instead of iptables-based services, allowing sysadmins to switch easily, please extend the list of PREDEFINED services of firewalld (in /usr/lib/firewalld/services/) for other common services, such as POP3, POP3S or GRE tunnels.

As an example, here's the much larger list of "services" from shorewall (macros from the /usr/share/shorewall/). Names are self-explanatory:

macro.A_AllowICMPs
macro.A_DropDNSrep
macro.A_DropUPnP
macro.AllowICMPs
macro.Amanda
macro.Auth
macro.BGP
macro.BitTorrent
macro.BitTorrent32
macro.BLACKLIST
macro.Citrix
macro.CVS
macro.DAAP
macro.DCC
macro.DHCPfwd
macro.Distcc
macro.DNS
macro.Drop
macro.DropDNSrep
macro.DropUPnP
macro.Edonkey
macro.Finger
macro.FTP
macro.Git
macro.GNUnet
macro.Gnutella
macro.GRE
macro.HKP
macro.HTTP
macro.HTTPS
macro.ICPV2
macro.ICQ
macro.IMAP
macro.IMAPS
macro.IPIP
macro.IPP
macro.IPPbrd
macro.IPPserver
macro.IPsec
macro.IPsecah
macro.IPsecnat
macro.IRC
macro.Jabberd
macro.JabberPlain
macro.JabberSecure
macro.JAP
macro.Jetdirect
macro.L2TP
macro.LDAP
macro.LDAPS
macro.Mail
macro.mDNS
macro.MSNP
macro.MSSQL
macro.Munin
macro.MySQL
macro.NNTP
macro.NNTPS
macro.NTP
macro.NTPbi
macro.NTPbrd
macro.OpenVPN
macro.OSPF
macro.PCA
macro.Ping
macro.POP3
macro.POP3S
macro.PostgreSQL
macro.PPtP
macro.Printer
macro.Razor
macro.Rdate
macro.RDP
macro.Reject
macro.Rfc1918
macro.RIPbi
macro.RNDC
macro.Rsync
macro.SANE
macro.SixXS
macro.SMB
macro.SMBBI
macro.SMBswat
macro.SMTP
macro.SMTPS
macro.SNMP
macro.SPAMD
macro.Squid
macro.SSH
macro.Submission
macro.SVN
macro.Syslog
macro.Telnet
macro.Telnets
macro.TFTP
macro.Time
macro.Trcrt
macro.VNC
macro.VNCL
macro.Web
macro.Webcache
macro.Webmin
macro.Whois


Version-Release number of selected component (if applicable):

firewalld-0.3.9-7.el7.noarch
shorewall-4.5.4-1.el6.noarch (present in EPEL)


Actual results:

The list of predefined services in firewalld does not include some very common services, requiring the manual creation of xml files under /etc/firewalld/services/


Expected results:

Even if they are not used by default, in zones, xml files for common services (even the insecure ones) should be predefined (present under /usr/lib/firewalld/services/).

The files should have pretty standardised names and internnal comments, creating (as much as possible) a common, cross-distro paradigm for firewalls, easily understandable and portable from one firewall solution to another.
Comment 1 Vladislav Grigoryev 2015-09-17 18:08:30 UTC 
Some more widely used missing services:

==> /etc/firewalld/services/asterisk.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Asterisk</short>
  <description>Asterisk is a software implementation of a telephone private branch exchange (PBX).</description>
  <port protocol="udp" port="5060"/>
</service>

==> /etc/firewalld/services/darkstat.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>darkstat</short>
  <description>darkstat is a network traffic analyzer.</description>
  <port protocol="tcp" port="667"/>
</service>

==> /etc/firewalld/services/deluge.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Deluge Daemon</short>
  <description>Deluge Daemon provides an interface to manage Deluge BitTorrent client.</description>
  <port protocol="tcp" port="8112"/>
  <port protocol="tcp" port="58846"/>
</service>

==> /etc/firewalld/services/imap.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>IMAP</short>
  <description>The Internet Message Access Protocol (IMAP) allows a local client to access email on a remote server. If you plan to provide a IMAP service (e.g. with dovecot), enable this option.</description>
  <port protocol="tcp" port="143"/>
</service>

==> /etc/firewalld/services/munin.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Munin</short>
  <description>Network-wide graphing framework Munin Node.</description>
  <port protocol="tcp" port="4949"/>
</service>

==> /etc/firewalld/services/ntop.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ntop</short>
  <description>ntop is a network traffic probe that shows the network usage.</description>
  <port protocol="tcp" port="3000"/>
</service>

==> /etc/firewalld/services/samba-dc.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Samba AD DC</short>
  <description>Samba Active Directory Domain Controller.</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
  <port protocol="tcp" port="135"/>
  <port protocol="udp" port="137"/>
  <port protocol="udp" port="138"/>
  <port protocol="tcp" port="139"/>
  <port protocol="tcp" port="389"/>
  <port protocol="udp" port="389"/>
  <port protocol="tcp" port="445"/>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
  <port protocol="tcp" port="636"/>
  <port protocol="tcp" port="1024"/>
  <port protocol="tcp" port="3268"/>
  <port protocol="tcp" port="3269"/>
</service>

==> /etc/firewalld/services/sieve.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ManageSieve</short>
  <description>The ManageSieve service is used to manage a user's Sieve script collection. If you plan to provide a ManageSieve service (e.g. with dovecot), enable this option.</description>
  <port protocol="tcp" port="4190"/>
</service>

==> /etc/firewalld/services/submission.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Mail Submission Agent</short>
  <description>The Mail Submission Agent (MSA) receives electronic mail messages from a mail user agent (MUA) and cooperates with a mail transfer agent (MTA) for delivery of the mail. If you plan to provide a Mail Submission Agent (e.g. with postfix), enable this option.</description>
  <port protocol="tcp" port="587"/>
</service>

==> /etc/firewalld/services/transmission.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Transmission Daemon</short>
  <description>Transmission Daemon provides an interface to manage Transmission BitTorrent client.</description>
  <port protocol="tcp" port="9091"/>
</service>

==> /etc/firewalld/services/xmpp-proxy.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>XMPP (Jabber) proxy</short>
  <description>Extensible Messaging and Presence Protocol (XMPP) proxy service provides faster file transfer between two XMPP clients.</description>
  <port protocol="tcp" port="7777"/>
</service>
Comment 2 Răzvan Sandu 2015-09-18 00:25:41 UTC 
Hello,

I would add Tinc VPN (http://www.tinc-vpn.org/), which is a kind of OpenVPN on steroids, mesh-capable. It uses port 655 on both TCP and UDP.

==> /etc/firewalld/services/tinc.xml <==
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Tinc VPN</short>
  <description>Tinc is a mesh-capable VPN solution, SSL-based. Please see http://www.tinc-vpn.org/ .</description>
  <port protocol="tcp" port="655"/>
  <port protocol="udp" port="655"/>
</service>

Best regards,
Răzvan