I've got something like this:

$ sudo firewall-cmd --permanent --list-all
[sudo] password for afayzullin:
public (default)
  interfaces:
  sources:
  services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps ntp ssh
  ports: 7389/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

On 26.08.2014 20:37, Mark Heslin wrote:
> Chris,
>
> My understanding is that firewalld "services" are where we're heading,
> but I'm not entirely sure how much or how little of these are fully
> supported/available yet.
>
> I've copied Thomas - he'll know :-)
>
> -m
>
>
>
> On 08/26/2014 10:26 AM, Chris Whittle wrote:
>> Here is what I found that seems to work from
>> http://adam.younglogic.com/2013/04/firewall-d-for-freeipa/
>>
>> It only has to be run once...
>>
>> # custom firewalld service definitions (run as root)
>> cat >/etc/firewalld/services/kerberos.xml <<EOD
>> <?xml version="1.0" encoding="utf-8"?>
>> <service>
>>   <short>kerberos</short>
>>   <description>Kerberos</description>
>>   <port protocol="tcp" port="88"/>
>>   <port protocol="udp" port="88"/>
>> </service>
>> EOD
>>
>> cat >/etc/firewalld/services/kpasswd.xml <<EOD
>> <?xml version="1.0" encoding="utf-8"?>
>> <service>
>>   <short>kpasswd</short>
>>   <description>kpasswd</description>
>>   <port protocol="tcp" port="464"/>
>>   <port protocol="udp" port="464"/>
>> </service>
>> EOD
>>
>> cat >/etc/firewalld/services/ldap.xml <<EOD
>> <?xml version="1.0" encoding="utf-8"?>
>> <service>
>>   <short>ldap</short>
>>   <description>Lightweight Directory Access Protocol</description>
>>   <port protocol="tcp" port="389"/>
>> </service>
>> EOD
>>
>> cat >/etc/firewalld/services/ldaps.xml <<EOD
>> <?xml version="1.0" encoding="utf-8"?>
>> <service>
>>   <short>ldaps</short>
>>   <description>Lightweight Directory Access Protocol over SSL</description>
>>   <port protocol="tcp" port="636"/>
>> </service>
>> EOD
>>
>> # enable the services in the public zone and activate the permanent config
>> firewall-cmd --permanent --zone=public --add-service=dns
>> firewall-cmd --permanent --zone=public --add-service=http
>> firewall-cmd --permanent --zone=public --add-service=https
>> firewall-cmd --permanent --zone=public --add-service=kerberos
>> firewall-cmd --permanent --zone=public --add-service=kpasswd
>> firewall-cmd --permanent --zone=public --add-service=ldap
>> firewall-cmd --permanent --zone=public --add-service=ldaps
>> firewall-cmd --permanent --zone=public --add-service=ntp
>> firewall-cmd --reload
>>
>>
>>
>> On Tue, Aug 26, 2014 at 9:22 AM, Mark Heslin <mhes...@redhat.com
>> <mailto:mhes...@redhat.com>> wrote:
>>
>>     Hi Chris,
>>
>>     Take a look at the attached snippet - it will walk you through
>>     configuring firewalld with named chains on RHEL 7. You don't have
>>     to use named chains, but it makes managing multiple chains cleaner.
>>     Do make sure you 'mask' iptables - only using 'disable' can still
>>     cause conflicts in some circumstances.
>>
>>     This is extracted from the recently published reference
>>     architecture "Integrating OpenShift Enterprise
>>     with IdM in RHEL 7":
>>
>>        https://access.redhat.com/articles/1155603     (The redhat.com
>>     <http://redhat.com> links are not yet in place).
>>
>>     The context here was for an IdM server but I also used the same
>>     approach for the IdM replica
>>     and RHEL 7 clients.
>>
>>     hth,
>>
>>     -m
>>
>>
>>
>>     On 08/25/2014 10:22 PM, Chris Whittle wrote:
>>>     I've got my server up and running great, with one exception: every
>>>     time I reboot I have to log in and flush the iptables or nothing
>>>     can connect.
>>>
>>>     I've found a ton of fixes and none seem to work. I'm on FC20;
>>>     does anyone have experience with it and wouldn't mind helping?
>>>
>>>
>>
>>
>>     -- 
>>
>>     Red Hat Reference Architectures
>>
>>     Follow Us: https://twitter.com/RedHatRefArch
>>     Plus Us: https://plus.google.com/u/0/b/114152126783830728030/
>>     Like Us: https://www.facebook.com/rhrefarch
>>
>>

-- 
Regards, Артур Файзуллин

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
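The script Chris quoted writes four service XML files by hand and then adds each service to the public zone; the listing at the top of the thread is what a complete zone looks like afterwards. The following is an added example, not code from the thread or from FreeIPA/firewalld: it generates the same four service definitions from a small function (so the XML cannot drift between files) and checks the output of `firewall-cmd --permanent --list-all` for any of the FreeIPA services that are still missing. The target directory is a parameter so it can be exercised in a scratch directory; the port numbers and the service list are the ones from the thread's script.

```shell
#!/bin/sh
# Added example (not from the thread): write firewalld service XML files for the
# FreeIPA ports and check a zone listing for the services FreeIPA needs.
# Assumptions: port numbers as in the thread's script; the output directory is
# passed in (on a real host it would be /etc/firewalld/services).

# Write one service definition.
# Arguments: dir name description tcp_ports udp_ports
# (port lists are space separated; either list may be empty)
write_service_xml() {
    dir=$1; name=$2; desc=$3; tcp=$4; udp=$5
    out="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$name" "$desc"
        for p in $tcp; do printf '  <port protocol="tcp" port="%s"/>\n' "$p"; done
        for p in $udp; do printf '  <port protocol="udp" port="%s"/>\n' "$p"; done
        printf '</service>\n'
    } > "$out"
    # firewalld reads these as root; keep them readable but not world-writable
    chmod 0644 "$out"
}

# Write the four definitions from the thread into the directory given as $1.
write_ipa_services() {
    write_service_xml "$1" kerberos "Kerberos" "88" "88"
    write_service_xml "$1" kpasswd "kpasswd" "464" "464"
    write_service_xml "$1" ldap "Lightweight Directory Access Protocol" "389" ""
    write_service_xml "$1" ldaps "Lightweight Directory Access Protocol over SSL" "636" ""
}

# Services a FreeIPA server zone should allow (the set enabled by the thread's script).
IPA_SERVICES="dns http https kerberos kpasswd ldap ldaps ntp"

# Read the text of `firewall-cmd --permanent --list-all` on stdin and print the
# required services that do not appear on the zone's "services:" line, one per line.
# Prints nothing when the zone is complete.
missing_services() {
    enabled=$(sed -n 's/^ *services: *//p')
    for s in $IPA_SERVICES; do
        case " $enabled " in
            *" $s "*) ;;
            *) echo "$s" ;;
        esac
    done
}

# Usage on a real host (needs root):
#   write_ipa_services /etc/firewalld/services
#   for s in $IPA_SERVICES; do firewall-cmd --permanent --zone=public --add-service="$s"; done
#   firewall-cmd --reload
#   firewall-cmd --permanent --list-all | missing_services
```

Because `missing_services` only reads the `services:` line, a service that is open through a raw `ports:` entry (like the 7389/tcp in the listing above) is not counted; that is deliberate, since the point of Mark's suggestion is to express the policy as named services rather than loose port numbers.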
