wmakowski 01-23-2013 09:33 PM

Permanent Configuration for firewalld
I have two separate issues that I have not been able to figure out with the change from iptables to firewalld. Since firewalld is lightly documented the solutions are avoiding me.

1) I use openvpn to access my server from the internet. In iptables tun0 was a trusted interface to allow access to services and data. The command

firewall-cmd --zone=trusted --add-interface=tun0
allows me to open it up temporarily, but after a restart I would have to enter this command again. I tried

firewall-cmd --permanent --zone=trusted --add-interface=tun0
but it exited the program and showed the man page. I have opened a bug on this, but was hoping someone may have run into it already.

2) I need to set up the nf_conntrack_netbios_ns and ip_nat_ftp helper modules in firewalld to allow ftp connections to external systems from other computers on my LAN. It looks like this is done using a firewalld service configuration file (see man firewalld.service). I will be working through this, but would like to hear from anyone that has set this up. Thanks!


wmakowski 01-24-2013 09:01 AM

One of the developers of firewalld replied back to the Bug I opened for not being able to make a permanent entry for tun0. He thought it might be configurable from within NetworkManager or /etc/sysconfig/network-scripts, but since this interface is created dynamically by openvpn it does not show up. He also suggested that I could make my default zone trusted and assign other zones to the other interfaces. I felt this could unintentionally open a hole further down the road.

I did come up with a workaround of my own. By making an ExecStartPost entry in /lib/systemd/system/openvpn@xxxxxx.service for the first firewall-cmd above, I don't have to worry about executing the command manually after a restart.
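A drop-in version of the ExecStartPost workaround described in the post above, added here as an example and not the poster's own unit edit; it assumes firewall-cmd is installed at /usr/bin/firewall-cmd and that the tunnel device is named tun0 as in the posts.

```ini
# /etc/systemd/system/openvpn@.service.d/firewalld-tun0.conf
# Drop-in applied to every openvpn@<instance>.service. The packaged unit
# under /lib/systemd/system stays untouched, so a package update will not
# overwrite the change. Activate with: systemctl daemon-reload
[Service]
# Runtime-only zone assignment for the tunnel device openvpn creates.
# The leading "-" tells systemd to treat a non-zero exit (for example,
# the interface is already in the zone) as success, so the openvpn
# unit itself is not marked failed by this step.
ExecStartPost=-/usr/bin/firewall-cmd --zone=trusted --add-interface=tun0
# Remove the assignment again when the tunnel is torn down.
ExecStopPost=-/usr/bin/firewall-cmd --zone=trusted --remove-interface=tun0
```

Because the assignment is made to the runtime configuration only, a firewalld reload or restart discards it until the openvpn unit is restarted.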

