Firewalld

Written by James McDonald

June 29, 2014

Just trying to enable nginx on Fedora 20

yum install nginx

systemctl enable nginx.service

service nginx start
# or the new way
systemctl start nginx

At this point I still can’t connect with a remote computer, so I need to figure out how to enable the firewall to allow port 80 (http).

Before firewalld you could just add rules with iptables, but firewalld controls the firewall now.

You need to identify the zone that your physical network adaptor is in

firewall-cmd --list-all-zones | more

home
  interfaces: 
  sources: 
  services: dhcpv6-client http ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

internal
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

public (default, active)
  interfaces: p4p1
  sources: 
  services: dhcpv6-client ipp ipp-client mdns samba ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules: 

My ethernet connection is in the public zone and its name is p4p1

So once I know this I can add a service to that zone.

To get a list of all available services

firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql privoxy proxy-dhcp puppetmaster radius rpc-bind samba samba-client sane smtp ssh synergy telnet tftp tftp-client tor-socks transmission-client vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

To get my enabled services

firewall-cmd --list-services
dhcpv6-client ipp ipp-client mdns samba ssh

Now we need to add the correct service to the zone associated with our physical network adaptor

firewall-cmd --zone=public --add-service=http
success

I believe a reboot will remove the rule so you need to specify that it’s permanent too

firewall-cmd --zone=public --add-service=http --permanent
success

While you are at it, you probably want to enable https too.

# enable it now
firewall-cmd --zone=public --add-service=https
success
# make it persist across reboots
firewall-cmd --zone=public --add-service=https --permanent
success

Then you can check if it added ok

[root@bb01 ~]# firewall-cmd --list-services
dhcpv6-client http ipp ipp-client mdns samba ssh

# you can specify the zone if it's other than the default
[root@bb01 ~]# firewall-cmd --list-services --zone=public
dhcpv6-client http ipp ipp-client mdns samba ssh

Make sure you have added the service permanently. Check with the --permanent flag

firewall-cmd --list-services --permanent
dhcpv6-client http https ipp ipp-client mdns samba ssh

Removing a service if you don’t want it enabled for that zone

firewall-cmd --zone=public --remove-service=http
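An added example (not part of the original post): shell helpers that find the zone holding an interface from `--list-all-zones` output and compare the runtime and permanent service lists, so a service opened without `--permanent`, or only with it, shows up. The function names are hypothetical, and the sample text is copied and trimmed from the listings above.

```shell
#!/bin/sh
# Added example: audit helpers for firewall-cmd output (hypothetical names).

# zone_of_iface IFACE
# Reads `firewall-cmd --list-all-zones` text on stdin and prints the zone
# whose "interfaces:" line lists IFACE. Prints nothing if no zone has it.
zone_of_iface() {
    awk -v want="$1" '
        /^[^ \t]/ { zone = $1 }          # unindented line starts a zone block
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print zone; exit }
        }'
}

# service_drift RUNTIME PERMANENT
# Compares two space-separated service lists (--list-services without and
# with --permanent). "runtime-only" services are gone after a reload or
# reboot; "permanent-only" services are not open until `firewall-cmd --reload`.
service_drift() (
    for s in $1; do
        case " $2 " in *" $s "*) ;; *) echo "runtime-only $s" ;; esac
    done
    for s in $2; do
        case " $1 " in *" $s "*) ;; *) echo "permanent-only $s" ;; esac
    done
)

# Sample input, trimmed from the zone listing in this post.
sample_zones='home
  interfaces: 
  services: dhcpv6-client http ipp-client mdns samba-client ssh

public (default, active)
  interfaces: p4p1
  services: dhcpv6-client ipp ipp-client mdns samba ssh'

# Offline demonstration on the sample text:
printf '%s\n' "$sample_zones" | zone_of_iface p4p1

# On a live system (needs firewalld, run as root):
#   zone=$(firewall-cmd --list-all-zones | zone_of_iface p4p1)
#   service_drift "$(firewall-cmd --zone="$zone" --list-services)" \
#                 "$(firewall-cmd --zone="$zone" --list-services --permanent)"
```

No output from `service_drift` means the running firewall and the saved configuration expose the same services.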

 

 

 

 
