firewalld-0.2.4-1.fc17.noarch

# rpm -ql firewalld | grep bin
/usr/bin/firewall-cmd
/usr/sbin/firewalld

# man firewalld
No manual entry for firewalld

# man firewall-cmd | grep -E 'persist|perm|save'

# From: https://fedoraproject.org/wiki/FirewallD/#Permanent_and_Temporary_Configuration

Phase 2: Fedora 17 (planned)
    D-BUS interface cleanup and extensions
    Finalize firewall-applet and firewall-config
    Permanent and temporary firewall rules
    Zone support
This firewalld setting also prevents me from printing after every reboot. I usually need to specify at least:

firewall-cmd --add --service=mdns

Multicast DNS is a critical feature for local network printing and thus for Linux office use.
Experimentation suggests that XML configuration files under /usr/lib/firewalld can be overridden by equivalently named files under /etc/firewalld. I can't find the schema documented anywhere, although it doesn't appear to be too complicated. firewall-cmd --reload didn't do the job picking these changes up: a service restart was required.
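An added example, not part of the original comment or of firewalld itself: a POSIX shell helper for auditing which local files shadow the packaged defaults, assuming the override behaviour reported in the comment above (an equivalently named file under /etc/firewalld takes precedence over the one under /usr/lib/firewalld). The function name list_overrides is hypothetical.

```shell
#!/bin/sh
# Added example: audit local firewalld overrides.
# Assumption (from the comment above): an XML file under the override
# directory replaces the equivalently named file under the default directory.

# list_overrides DEFAULT_DIR OVERRIDE_DIR
# Prints one line per XML file found under OVERRIDE_DIR:
#   modified   <path>  shadows a packaged file and differs from it
#   identical  <path>  shadows a packaged file but has the same content
#   local-only <path>  has no packaged counterpart
list_overrides() {
    default_dir=$1
    override_dir=$2

    # Nothing to report if there is no override directory at all.
    [ -d "$override_dir" ] || return 0

    ( cd "$override_dir" && find . -type f -name '*.xml' | sort ) |
    while IFS= read -r rel; do
        rel=${rel#./}
        if [ -f "$default_dir/$rel" ]; then
            if cmp -s "$default_dir/$rel" "$override_dir/$rel"; then
                printf 'identical %s\n' "$rel"
            else
                printf 'modified %s\n' "$rel"
            fi
        else
            printf 'local-only %s\n' "$rel"
        fi
    done
}

# Report on the two directories named in the comment above.
list_overrides /usr/lib/firewalld /etc/firewalld
```

Lines tagged "modified" are the ones to review after a package update, since the packaged default they replace may have changed underneath them.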
(In reply to comment #0)
> # man firewalld
> No manual entry for firewalld

Will be part of forthcoming firewalld release.

> # man firewall-cmd | grep -E 'persist|perm|save'

Updated firewall-cmd(1) will be part of forthcoming firewalld release.

> Phase 2: Fedora 17 (planned)
> D-BUS interface cleanup and extensions

done

> Finalize firewall-applet and firewall-config

firewall-config will not be finished before F-17 GOLD (see http://lists.fedoraproject.org/pipermail/devel/2012-April/166039.html)

> Permanent and temporary firewall rules

Adding of permanent rules will be described in firewalld(1), firewalld.zone(5). Meanwhile see also bug #811307, comment #11.
Adding of temporary rules will be described in updated firewall-cmd(1).

> Zone support

Support itself is done. However we don't have a GUI to change the default zone - atm one can use 'firewall-cmd --set-default-zone=<zone>' (this is the only firewall-cmd command that makes a permanent change) or change it in /etc/firewalld/firewalld.conf.
Also when one wants to change the zone for some connection/interface to other than default, (s)he needs to add e.g. 'ZONE=home' to /etc/sysconfig/network-scripts/ifcfg-<iface> because we don't have a GUI for this - the original idea a long time ago was that this would be part of the GUI to NetworkManager (the place where you set all the other properties of a network connection).

(In reply to comment #1)
> This firewalld setting also prevents me from printing after every reboot.
> I usually need to specify at least:
> firewall-cmd --add --service=mdns
> Multicast DNS is a critical feature for local network printing and thus for
> Linux office use.

You just need to set (see above) the default zone to 'home' or 'internal'.

(In reply to comment #2)
> Experimentation suggests that XML configuration files under /usr/lib/firewalld
> can be overridden by equivalently named files under /etc/firewalld. I can't
> find the schema documented anywhere, although it doesn't appear to be too
> complicated.

Man pages will be part of forthcoming firewalld release. Meanwhile see also bug #811307, comment #11.

> firewall-cmd --reload didn't do the job picking these changes up: a service
> restart was required.

Seems like bug #804814.
There is a new man page for firewalld, that explains how to do this. Fixed upstream: http://git.fedorahosted.org/git?p=firewalld.git;a=commit;h=0b6e8020d0c25152f868b77712698724e1324a70
I assume the kernel iptables is the same under the hood. Why not just make firewalld apply any setting lying around in an /etc/sysconfig/iptables file at startup? (If such a file happens to exist, having been copied from a working setup from before the time of firewalld.) I know this just makes far too much sense, but could we for once make an exception to the rule that new and improved and totally undocumented features must never provide any backward compatibility?
(In reply to comment #4)
> There is a new man page for firewalld, that explains how to do this.

Shipped with firewalld-0.2.5-1.fc17.
https://admin.fedoraproject.org/updates/firewalld-0.2.5-1.fc17

Closing
(In reply to comment #3)
> (In reply to comment #0)
> > # man firewalld
> > No manual entry for firewalld
>
> Will be part of forthcoming firewalld release.
>
> > # man firewall-cmd | grep -E 'persist|perm|save'
>
> Updated firewall-cmd(1) will be part of forthcoming firewalld release.

At least reading the code, firewall-cmd has some --permanent, but the man page doesn't mention this.
(In reply to comment #7)
> At least reading the code, firewall-cmd has some --permanent, but the man
> page doesn't mention this.

Should be fixed with http://git.fedorahosted.org/cgit/firewalld.git/commit/?id=b9ab392809ca32009adf57abdf5cd4d3ebcb146c
firewalld-0.2.12-1.fc18 has been submitted as an update for Fedora 18. https://admin.fedoraproject.org/updates/firewalld-0.2.12-1.fc18
Package firewalld-0.2.12-1.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.

Update it with:
# su -c 'yum update --enablerepo=updates-testing firewalld-0.2.12-1.fc18'
as soon as you are able to.

Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-0810/firewalld-0.2.12-1.fc18
then log in and leave karma (feedback).
firewalld-0.2.12-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.