Bug 806511 - firewalld: There is no documented way to add persistent firewall rules
Summary: firewalld: There is no documented way to add persistent firewall rules
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 17
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-03-24 10:37 UTC by Pavel Šimerda (pavlix)
Modified: 2013-09-04 00:33 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2013-01-18 20:39:20 UTC
Type: ---
Embargoed:



Description Pavel Šimerda (pavlix) 2012-03-24 10:37:34 UTC
firewalld-0.2.4-1.fc17.noarch

# rpm -ql firewalld | grep bin
/usr/bin/firewall-cmd
/usr/sbin/firewalld

# man firewalld
No manual entry for firewalld

# man firewall-cmd | grep -E 'persist|perm|save'
# 

From: https://fedoraproject.org/wiki/FirewallD/#Permanent_and_Temporary_Configuration


Phase 2: Fedora 17 (planned)

    D-BUS interface cleanup and extensions
    Finalize firewall-applet and firewall-config
    Permanent and temporary firewall rules
    Zone support

Comment 1 Pavel Šimerda (pavlix) 2012-04-01 16:35:00 UTC
This firewalld setting also prevents me from printing after every reboot.

I usually need to specify at least:

firewall-cmd --add --service=mdns

Multicast DNS is a critical feature for local network printing and thus for Linux office use.

Comment 2 Matthew Booth 2012-04-10 13:48:29 UTC
Experimentation suggests that XML configuration files under /usr/lib/firewalld can be overridden by equivalently named files under /etc/firewalld. I can't find the schema documented anywhere, although it doesn't appear to be too complicated.

firewall-cmd --reload didn't do the job picking these changes up: a service restart was required.

Comment 3 Jiri Popelka 2012-04-20 09:36:52 UTC
(In reply to comment #0)
> # man firewalld
> No manual entry for firewalld

Will be part of forthcoming firewalld release.

> # man firewall-cmd | grep -E 'persist|perm|save'

Updated firewall-cmd(1) will be part of forthcoming firewalld release.

> Phase 2: Fedora 17 (planned)
>     D-BUS interface cleanup and extensions

done

>     Finalize firewall-applet and firewall-config

firewall-config will not be finished before F-17 GOLD (see http://lists.fedoraproject.org/pipermail/devel/2012-April/166039.html)

>     Permanent and temporary firewall rules

Adding of permanent rules will be described in firewalld(1), firewalld.zone(5).
Meanwhile see also bug #811307, comment #11.
Adding of temporary rules will be described in updated firewall-cmd(1).

>     Zone support

Support itself is done.
However, we don't have a GUI to change the default zone. At the moment one can use 'firewall-cmd --set-default-zone=<zone>' (this is the only firewall-cmd command that makes a permanent change) or change it in /etc/firewalld/firewalld.conf.
Also, when one wants to change the zone for some connection/interface to something other than the default, (s)he needs to add e.g. 'ZONE=home' to /etc/sysconfig/network-scripts/ifcfg-<iface>, because we don't have a GUI for this. The original idea, a long time ago, was that this would be part of the NetworkManager GUI (the place where you set all the other properties of a network connection).

(In reply to comment #1)
> This firewalld settings also prevents me from printing after every reboot.
> I usually need to specify at least:
> firewall-cmd --add --service=mdns
> Multicast DNS is a critical feature for local network printing and thus for
> Linux office use.

You just need to set (see above) the default zone to 'home' or 'internal'.

(In reply to comment #2)
> Experimentation suggests that XML configuration files under /usr/lib/firewalld
> can be overridden by equivalently named files under /etc/firewalld. I can't
> find the schema documented anywhere, although it doesn't appear to be too
> complicated.

Man pages will be part of forthcoming firewalld release.
Meanwhile see also bug #811307, comment #11.

> firewall-cmd --reload didn't do the job picking these changes up: a service
> restart was required.

Seems like bug #804814.
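One way to make the two settings comment 3 describes survive a reboot, written here as an added example (not code from the bug report or from the firewalld project): a zone file under /etc/firewalld/zones, which takes precedence over the copy under /usr/lib/firewalld as comment 2 observed, listing the mdns service from comment 1, plus an idempotent ZONE= line in the interface's ifcfg file. The ROOT prefix and the eth0 ifcfg contents are assumptions so the script can be exercised against a scratch directory.

```sh
#!/bin/sh
# Added example, not from the bug report or the firewalld project.
# Writes the persistent configuration comment 3 points at:
#   - a zone file in /etc/firewalld/zones, which overrides the one under
#     /usr/lib/firewalld (comment 2), listing the mdns service comment 1 needs
#   - ZONE=<zone> in /etc/sysconfig/network-scripts/ifcfg-<iface>
# ROOT is an assumed prefix; it defaults to a scratch dir so /etc is never touched.
ROOT="${ROOT:-$(mktemp -d)}"

# write_zone ZONE SERVICE...  -> $ROOT/etc/firewalld/zones/ZONE.xml
write_zone() {
    zone="$1"; shift
    dir="$ROOT/etc/firewalld/zones"
    mkdir -p "$dir"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<zone>\n'
        printf '  <short>%s</short>\n' "$zone"
        for svc in "$@"; do printf '  <service name="%s"/>\n' "$svc"; done
        printf '</zone>\n'
    } > "$dir/$zone.xml"
}

# zone_has_service ZONE SERVICE  -> exit 0 if the zone file enables SERVICE
zone_has_service() {
    grep -q "<service name=\"$2\"/>" "$ROOT/etc/firewalld/zones/$1.xml"
}

# set_ifcfg_zone IFACE ZONE  -> replace or append ZONE= in ifcfg-IFACE, keeping other keys
set_ifcfg_zone() {
    f="$ROOT/etc/sysconfig/network-scripts/ifcfg-$1"
    mkdir -p "$(dirname "$f")"
    [ -f "$f" ] || : > "$f"
    { grep -v '^ZONE=' "$f" || :; } > "$f.tmp"   # drop any old ZONE= line
    printf 'ZONE=%s\n' "$2" >> "$f.tmp"
    mv "$f.tmp" "$f"
}

# ifcfg_zone IFACE  -> print the current ZONE= value
ifcfg_zone() {
    sed -n 's/^ZONE=//p' "$ROOT/etc/sysconfig/network-scripts/ifcfg-$1"
}

# Demo on constructed input: a fictional ifcfg-eth0 that already holds two keys.
mkdir -p "$ROOT/etc/sysconfig/network-scripts"
printf 'DEVICE=eth0\nBOOTPROTO=dhcp\n' > "$ROOT/etc/sysconfig/network-scripts/ifcfg-eth0"
write_zone home mdns
set_ifcfg_zone eth0 home
cat "$ROOT/etc/firewalld/zones/home.xml" "$ROOT/etc/sysconfig/network-scripts/ifcfg-eth0"
# With ROOT=/ on a real host the files are read when firewalld is reloaded;
# comment 2 notes that a service restart was needed at the time.
```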

Comment 4 Thomas Woerner 2012-04-20 18:47:32 UTC
There is a new man page for firewalld, that explains how to do this.

Fixed upstream:
http://git.fedorahosted.org/git?p=firewalld.git;a=commit;h=0b6e8020d0c25152f868b77712698724e1324a70

Comment 5 Tom Horsley 2012-04-22 14:21:45 UTC
I assume the kernel iptables is the same under the hood. Why not just make firewalld apply any settings lying around in an /etc/sysconfig/iptables file at startup? (If such a file happens to exist, having been copied from a working setup from before the time of firewalld.) I know this just makes far too much sense, but could we for once make an exception to the rule that new and improved and totally undocumented features must never provide any backward compatibility?

Comment 6 Jiri Popelka 2012-05-23 15:46:40 UTC
(In reply to comment #4)
> There is a new man page for firewalld, that explains how to do this.

Shipped with firewalld-0.2.5-1.fc17.
https://admin.fedoraproject.org/updates/firewalld-0.2.5-1.fc17
Closing.

Comment 7 Miloslav Trmač 2012-11-09 16:25:54 UTC
(In reply to comment #3)
> (In reply to comment #0)
> > # man firewalld
> > No manual entry for firewalld
> 
> Will be part of forthcoming firewalld release.
> 
> > # man firewall-cmd | grep -E 'persist|perm|save'
> 
> Updated firewall-cmd(1) will be part of forthcoming firewalld release.

At least reading the code, firewall-cmd has some --permanent, but the man page doesn't mention this.

Comment 8 Jiri Popelka 2013-01-14 15:49:31 UTC
(In reply to comment #7)
> At least reading the code, firewall-cmd has some --permanent, but the man
> page doesn't mention this.

Should be fixed with
http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=b9ab392809ca32009adf57abdf5cd4d3ebcb146c

Comment 9 Fedora Update System 2013-01-14 16:20:43 UTC
firewalld-0.2.12-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/firewalld-0.2.12-1.fc18

Comment 10 Fedora Update System 2013-01-15 02:29:14 UTC
Package firewalld-0.2.12-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.12-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0810/firewalld-0.2.12-1.fc18
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2013-01-18 20:39:23 UTC
firewalld-0.2.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

