Bug 877035

Summary: Add config files to firewalld for vncserver
Product: [Fedora] Fedora
Reporter: Brent Baude <bbaude>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 18
CC: jpopelka, karsten, mgrf, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Fixed In Version: firewalld-0.2.10-1.fc18
Doc Type: Bug Fix
Last Closed: 2013-02-15 12:30:07 UTC
Type: Bug
Bug Blocks: 846990    

Description Brent Baude 2012-11-15 15:10:04 UTC
Description of problem:

It looks like firewalld doesn't allow vnc to work by default.  We discussed this with Thomas Woerner on Nov 15th and he asked me to file this bugz.

Version-Release number of selected component (if applicable):

How reproducible:

install vncserver and attempt to connect with firewalld running

Comment 1 Thomas Woerner 2012-11-15 16:41:31 UTC
I will add a vnc-server service entry. But it will not be enabled by default.

Comment 2 Brent Baude 2012-11-19 16:18:05 UTC
Thanks Thomas, when you check the change in and kick off a build, can you let us know?  Also, can you put in a comment here on how to change default off to default on just so we have some history?

Comment 3 Thomas Woerner 2012-11-20 14:37:19 UTC
This is the service entry I am adding right now:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Virtual Network Computing Server (VNC)</short>
  <description>A VNC server provides an external accessible X session. Enable this option if you plan to provide a VNC server with direct access. The access will be possible for displays :0 to :3. If you plan to provide access with SSH, do not open this option and use the via option of the VNC viewer.</description>
  <port protocol="tcp" port="5900-5903"/>
</service>

Comment 4 Thomas Woerner 2012-11-20 16:06:01 UTC
Here is the package build for F-18:


To permanently enable the vnc-server service in firewalld, use:

firewall-cmd --permanent [--zone=public] --add-service=vnc-server
firewall-cmd [--zone=public] --add-service=vnc-server

To permanently disable the vnc-server service again:

firewall-cmd --permanent [--zone=public] --remove-service=vnc-server
firewall-cmd [--zone=public] --remove-service=vnc-server

With firewalld version 0.2.10, the default zone (public) will be used if you are not using the option --zone=<zone> for permanent settings, to be compatible with the non-permanent options.

Using only the permanent options will enable the settings after firewalld reload or restart. If you need the settings immediately also, use the command with and without the --permanent option.

Comment 5 Thomas Woerner 2012-11-20 16:10:42 UTC
If you want to enable vnc-server in a kickstart post script, you have to use firewall-offline-cmd, that is using lokkit arguments right now because of anaconda:

firewall-offline-cmd --service=vnc-server

This will enable vnc-server in the default zone.
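
Added example, not part of the original bug thread and not firewalld code: a Python check of which VNC displays the service entry from Comment 3 makes reachable (display :N listens on TCP port 5900+N), compared with a constructed list of displays actually in use. The function names and the sample display list are assumptions made for illustration; the description element is omitted from the embedded XML for brevity.

```python
import xml.etree.ElementTree as ET

# short and port elements as posted in Comment 3, inside the <service> root
# element that firewalld service files use (description omitted for brevity).
VNC_SERVICE_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Virtual Network Computing Server (VNC)</short>
  <port protocol="tcp" port="5900-5903"/>
</service>
"""

VNC_BASE_PORT = 5900  # VNC display :N listens on TCP port 5900 + N


def opened_tcp_ports(service_xml):
    """Return the set of TCP ports a firewalld service definition opens."""
    root = ET.fromstring(service_xml.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    ports = set()
    for elem in root.findall("port"):
        if elem.get("protocol") != "tcp":
            continue
        spec = elem.get("port", "")
        first, _, last = spec.partition("-")  # "5900-5903" or a single "5900"
        lo = int(first)
        hi = int(last) if last else lo
        if not 0 < lo <= hi <= 65535:
            raise ValueError("bad port spec: %r" % spec)
        ports.update(range(lo, hi + 1))
    return ports


def audit_displays(service_xml, displays_in_use):
    """Compare displays reachable through the service with displays in use."""
    ports = opened_tcp_ports(service_xml)
    reachable = {p - VNC_BASE_PORT for p in ports if p >= VNC_BASE_PORT}
    in_use = set(displays_in_use)
    return {
        "reachable": sorted(reachable),
        "blocked": sorted(in_use - reachable),      # server running, port closed
        "unused_open": sorted(reachable - in_use),  # port open, no server behind it
    }


if __name__ == "__main__":
    # Constructed input (hypothetical host): VNC servers on displays :1 and :5.
    print(audit_displays(VNC_SERVICE_XML, [1, 5]))
```

The "unused_open" list shows ports the vnc-server service exposes without a server behind them; a narrower custom service definition would close those.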