Bug 806511 - firewalld: There is no documented way to add persistent firewall rules
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: firewalld
Version: 17
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Assigned To: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
Reported: 2012-03-24 06:37 EDT by Pavel Šimerda (pavlix)
Modified: 2013-09-03 20:33 EDT (History)
Last Closed: 2013-01-18 15:39:20 EST
Description Pavel Šimerda (pavlix) 2012-03-24 06:37:34 EDT
firewalld-0.2.4-1.fc17.noarch

# rpm -ql firewalld | grep bin
/usr/bin/firewall-cmd
/usr/sbin/firewalld

# man firewalld
No manual entry for firewalld

# man firewall-cmd | grep -E 'persist|perm|save'
# 

From: https://fedoraproject.org/wiki/FirewallD/#Permanent_and_Temporary_Configuration


Phase 2: Fedora 17 (planned)

    D-BUS interface cleanup and extensions
    Finalize firewall-applet and firewall-config
    Permanent and temporary firewall rules
    Zone support
Comment 1 Pavel Šimerda (pavlix) 2012-04-01 12:35:00 EDT
This firewalld setting also prevents me from printing after every reboot.

I usually need to specify at least:

firewall-cmd --add --service=mdns

Multicast DNS is a critical feature for local network printing and thus for Linux office use.
Comment 2 Matthew Booth 2012-04-10 09:48:29 EDT
Experimentation suggests that XML configuration files under /usr/lib/firewalld can be overridden by equivalently named files under /etc/firewalld. I can't find the schema documented anywhere, although it doesn't appear to be too complicated.

firewall-cmd --reload didn't do the job picking these changes up: a service restart was required.
Comment 3 Jiri Popelka 2012-04-20 05:36:52 EDT
(In reply to comment #0)
> # man firewalld
> No manual entry for firewalld

Will be part of forthcoming firewalld release.

> # man firewall-cmd | grep -E 'persist|perm|save'

Updated firewall-cmd(1) will be part of forthcoming firewalld release.

> Phase 2: Fedora 17 (planned)
>     D-BUS interface cleanup and extensions

done

>     Finalize firewall-applet and firewall-config

firewall-config will not be finished before F-17 GOLD (see http://lists.fedoraproject.org/pipermail/devel/2012-April/166039.html)

>     Permanent and temporary firewall rules

Adding of permanent rules will be described in firewalld(1), firewalld.zone(5).
Meanwhile see also bug #811307, comment #11.
Adding of temporary rules will be described in updated firewall-cmd(1).

>     Zone support

Support itself is done.
However, we don't have a GUI to change the default zone; at the moment one can use 'firewall-cmd --set-default-zone=<zone>' (this is the only firewall-cmd command that makes a permanent change) or change it in /etc/firewalld/firewalld.conf.
Also, when one wants to change the zone for some connection/interface to something other than the default, (s)he needs to add e.g. 'ZONE=home' to /etc/sysconfig/network-scripts/ifcfg-<iface>, because we don't have a GUI for this. The original idea, a long time ago, was that this would be part of the NetworkManager GUI (the place where you set all the other properties of a network connection).

(In reply to comment #1)
> This firewalld settings also prevents me from printing after every reboot.
> I usually need to specify at least:
> firewall-cmd --add --service=mdns
> Multicast DNS is a critical feature for local network printing and thus for
> Linux office use.

You just need to set (see above) the default zone to 'home' or 'internal'.

(In reply to comment #2)
> Experimentation suggests that XML configuration files under /usr/lib/firewalld
> can be overridden by equivalently named files under /etc/firewalld. I can't
> find the schema documented anywhere, although it doesn't appear to be too
> complicated.

Man pages will be part of forthcoming firewalld release.
Meanwhile see also bug #811307, comment #11.

> firewall-cmd --reload didn't do the job picking these changes up: a service
> restart was required.

Seems like bug #804814.
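A small shell audit of the on-disk layout that comments 2 and 3 describe: the persistent default zone in firewalld.conf, per-zone service lists in zone XML files, and a file under /etc/firewalld overriding the same-named file under /usr/lib/firewalld. This is an added example, not code from firewalld or from anyone in this thread; FWROOT is a hypothetical prefix and the configuration tree it builds is constructed sample data.

```shell
#!/bin/sh
# Reads firewalld's persistent configuration directly from disk, so the result
# reflects what survives a reboot rather than the current runtime state.
# FWROOT is a hypothetical prefix; the tree below is constructed for this demo.
FWROOT="${FWROOT:-$(mktemp -d)}"
mkdir -p "$FWROOT/etc/firewalld/zones" "$FWROOT/usr/lib/firewalld/zones"
printf 'DefaultZone=home\n' > "$FWROOT/etc/firewalld/firewalld.conf"
cat > "$FWROOT/usr/lib/firewalld/zones/home.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <service name="ssh"/>
  <service name="mdns"/>
</zone>
EOF
# Constructed admin override: this public.xml must win over the /usr/lib copy
cat > "$FWROOT/etc/firewalld/zones/public.xml" <<'EOF'
<zone>
  <service name="ssh"/>
</zone>
EOF
printf '<zone><service name="dhcpv6-client"/></zone>\n' \
  > "$FWROOT/usr/lib/firewalld/zones/public.xml"

# Persistent default zone, taken from firewalld.conf
default_zone() {
  sed -n 's/^DefaultZone=\(.*\)$/\1/p' "$FWROOT/etc/firewalld/firewalld.conf"
}

# Which XML file defines a zone: /etc/firewalld first, then /usr/lib/firewalld
zone_file() {
  for d in etc/firewalld usr/lib/firewalld; do
    f="$FWROOT/$d/zones/$1.xml"
    [ -f "$f" ] && { echo "$f"; return 0; }
  done
  return 1
}

# Services permanently enabled in a zone, one per line
# (line-based match; assumes one <service name="..."/> element per line)
zone_services() {
  f=$(zone_file "$1") || return 1
  sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$f"
}

# Succeeds only if the service is enabled in the persistent default zone
service_persistent() {
  zone_services "$(default_zone)" | grep -qx "$1"
}
```

Run it against a real system by setting FWROOT=/ to see which services a host will actually expose after its next reboot.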
Comment 4 Thomas Woerner 2012-04-20 14:47:32 EDT
There is a new man page for firewalld, that explains how to do this.

Fixed upstream:
http://git.fedorahosted.org/git?p=firewalld.git;a=commit;h=0b6e8020d0c25152f868b77712698724e1324a70
Comment 5 Tom Horsley 2012-04-22 10:21:45 EDT
I assume the kernel iptables is the same under the hood. Why not just make firewalld apply any settings lying around in an /etc/sysconfig/iptables file at startup? (If such a file happens to exist, having been copied from a working setup from before the time of firewalld.) I know this just makes far too much sense, but could we for once make an exception to the rule that new and improved and totally undocumented features must never provide any backward compatibility?
Comment 6 Jiri Popelka 2012-05-23 11:46:40 EDT
(In reply to comment #4)
> There is a new man page for firewalld, that explains how to do this.

Shipped with firewalld-0.2.5-1.fc17.
https://admin.fedoraproject.org/updates/firewalld-0.2.5-1.fc17
Closing
Comment 7 Miloslav Trmač 2012-11-09 11:25:54 EST
(In reply to comment #3)
> (In reply to comment #0)
> > # man firewalld
> > No manual entry for firewalld
> 
> Will be part of forthcoming firewalld release.
> 
> > # man firewall-cmd | grep -E 'persist|perm|save'
> 
> Updated firewall-cmd(1) will be part of forthcoming firewalld release.

At least reading the code, firewall-cmd has some --permanent, but the man page doesn't mention this.
Comment 8 Jiri Popelka 2013-01-14 10:49:31 EST
(In reply to comment #7)
> At least reading the code, firewall-cmd has some --permanent, but the man
> page doesn't mention this.

Should be fixed with
http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=b9ab392809ca32009adf57abdf5cd4d3ebcb146c
Comment 9 Fedora Update System 2013-01-14 11:20:43 EST
firewalld-0.2.12-1.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/firewalld-0.2.12-1.fc18
Comment 10 Fedora Update System 2013-01-14 21:29:14 EST
Package firewalld-0.2.12-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.12-1.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0810/firewalld-0.2.12-1.fc18
then log in and leave karma (feedback).
Comment 11 Fedora Update System 2013-01-18 15:39:23 EST
firewalld-0.2.12-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.