Yes it was removed from F17 Final. I was lucky enough to have gotten it by default in the Beta release of F17.
[EDIT]
However you can install it still via yum or the software "Add/Remove" tool.
[/EDIT]
I know many are squeamish about command line tools and hand editing config files. I am a 20 year veteran of command line tools so I am not so quick to jump in to GUI based tools. I have seen one too many GUI tools foobar my configs in the past too.
With that said, IMHO the command line tool (firewall-cmd) is very straight forward:
Code:
firewall-cmd --add --service=ipp-client
firewall-cmd --list=all
This should temporarily add the needed ports in FirewallD for network printer protocols. If you also want to *share* printers you will need to add the service ipp.
Code:
firewall-cmd --add --service=ipp
firewall-cmd --list=all
Again this is a temporary change and will only remain until you restart FirewallD or reboot. You will need to edit the config files to make it permanent.
As to the config files, they are just xml which is very readable and if you follow the simple structure it can be easy to get a simplistic firewall up and running.
The default configs reside in:
/usr/lib/firewalld/
there are 3 directories under that one. The directories are "icmptypes", "services", and "zones".
You can easily understand what each folder holds if you are AT ALL familiar with firewalls.
The main configs that YOU (the admin user running as root) deal with live under:
/etc/firewalld/
It has the same folders (icmptypes, services, and zones), but they are all empty. The only file found in this directory tree is "firewalld.conf" and I bet you can guess what that's for. It tells firewalld what "zone" config to load (among other things). The reason the directories are empty is so that you can copy the default icmptype/service/zone config files from "/usr/lib/firewalld" into "/etc/firewalld" under the correct location and OVERRIDE the default.
When you first look at "/etc/firewalld/firewalld.conf" you see that it is set to use the "public" zone.
It is advisable to leave it as public until you are more comfortable with zones and you are sure the zone does not need this level of protection!
Since there is no public.xml file under "/etc/firewalld/zones" firewalld looks to "/usr/lib/firewalld/zones" and finds "public.xml" and loads that zone definition.
To change that default definition you simply copy public.xml from "/usr/lib/firewalld/zones" to "/etc/firewalld/zones".
Code:
sudo cp -v /usr/lib/firewalld/zones/public.xml /etc/firewalld/zones/
then edit it to add the ports or more simply the services you want to open.
The original:
Code:
<?xml version="1.0" encoding="utf-8"?>
<zone name="public">
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>
Now becomes:
Code:
<?xml version="1.0" encoding="utf-8"?>
<zone name="public">
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="ipp"/>
<service name="ipp-client"/>
</zone>
and voila! You now have opened the ports for cups (client and server) and ssh. You have also closed the dhcpd over ipv6 port as well!
Likewise, if you find that you need to modify the ssh service config, namely if you have told ssh to run on another port besides 22, you will need to edit the ssh.xml service config.
Again, we don't want to modify the default config, we want to copy the correct config to our firewalld config tree under "/etc".
Code:
cp -v /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/
Now edit that file as needed:
Assuming you change the original port (22) to (222) to obscure it from brute force attempts.
The original:
Code:
<?xml version="1.0" encoding="utf-8"?>
<service name="ssh">
<short>SSH</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="22"/>
</service>
Now becomes:
Code:
<?xml version="1.0" encoding="utf-8"?>
<service name="ssh">
<short>SSH</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="222"/>
</service>
and again it was that simple. You can use either of the commands below to load the changes.
Code:
firewall-cmd --reload
Code:
systemctl reload firewalld.service
Note there are also other commands for systemctl like "restart" and for firewall-cmd like "--complete-reload", but as previously stated in this thread, the documentation is a bit sparse currently so I am not sure exactly how "offline" these commands render the firewall, even if only for a fraction of a second. With that said, the point of firewalld is to be able to reload changes WITHOUT dropping existing connections or blocking new connections for any amount of time, so I recommend sticking with the simple "reload" for systemctl or firewall-cmd.
BTW, if you just want to TEST changes without editing the config, run the firewall-cmd to add a port or service to the running rules. This does not change the saved configs so a reload will revert your changes.
Example:
Code:
firewall-cmd --add --service=ssh
or:
Code:
firewall-cmd --add --port=8080/tcp
Hope that helps some of you out there!
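As an added example (not code from the post above or from the firewalld project): a small POSIX shell helper that resolves which zone file firewalld would pick up under the /etc-over-/usr/lib override rule the post describes, and reports which services an /etc override opens or closes compared with the shipped default, so you can see (as with dhcpv6-client above) what a copied-and-edited zone silently changes. FW_ETC, FW_LIB and the setup_demo tree are assumptions constructed so it runs offline; point the two variables at the real paths to check a live system.

```shell
#!/bin/sh
# Added example: check the firewalld override rule (zone under /etc wins over
# the default under /usr/lib) and show what an override changes.
# FW_ETC / FW_LIB default to the real paths; setup_demo swaps in a constructed
# temp tree so the functions can be exercised without touching the system.
FW_ETC="${FW_ETC:-/etc/firewalld}"
FW_LIB="${FW_LIB:-/usr/lib/firewalld}"

# Extract the <service name="..."/> entries of one zone file, one per line.
zone_file_services() {
    sed -n 's/.*<service name="\([^"]*\)".*/\1/p' "$1"
}

# Print the path of the zone file that actually takes effect for zone $1.
resolve_zone() {
    if [ -f "$FW_ETC/zones/$1.xml" ]; then printf '%s\n' "$FW_ETC/zones/$1.xml"
    elif [ -f "$FW_LIB/zones/$1.xml" ]; then printf '%s\n' "$FW_LIB/zones/$1.xml"
    else return 1
    fi
}

# Services the effective zone definition opens.
zone_services() {
    zone_file_services "$(resolve_zone "$1")"
}

# Compare the /etc override against the /usr/lib default for zone $1:
# "-svc" = closed by the override, "+svc" = opened by it.
zone_override_diff() {
    a=$(mktemp); b=$(mktemp)
    zone_file_services "$FW_LIB/zones/$1.xml" | sort > "$a"
    zone_file_services "$FW_ETC/zones/$1.xml" | sort > "$b"
    comm -23 "$a" "$b" | sed 's/^/-/'
    comm -13 "$a" "$b" | sed 's/^/+/'
    rm -f "$a" "$b"
}

# Constructed demo tree: the shipped public zone plus an /etc override that
# adds ipp/ipp-client and drops dhcpv6-client, mirroring the post's edit.
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/lib/zones" "$demo/etc/zones"
    printf '<zone name="public">\n<service name="ssh"/>\n<service name="dhcpv6-client"/>\n</zone>\n' \
        > "$demo/lib/zones/public.xml"
    printf '<zone name="public">\n<service name="ssh"/>\n<service name="ipp"/>\n<service name="ipp-client"/>\n</zone>\n' \
        > "$demo/etc/zones/public.xml"
    FW_LIB="$demo/lib"; FW_ETC="$demo/etc"
}
```

Run `setup_demo; zone_override_diff public` to see `-dhcpv6-client`, `+ipp`, `+ipp-client`; delete the override file and `resolve_zone public` falls back to the /usr/lib copy.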