<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I've got something like this:<br>
<br>
$ sudo firewall-cmd --permanent --list-all<br>
[sudo] password for afayzullin: <br>
public (default)<br>
interfaces: <br>
sources: <br>
services: dhcpv6-client dns http https kerberos kpasswd ldap ldaps
ntp ssh<br>
ports: 7389/tcp<br>
masquerade: no<br>
forward-ports: <br>
icmp-blocks: <br>
rich rules:<br>
<br>
<div class="moz-cite-prefix">26.08.2014 20:37, Mark Heslin wrote:<br>
</div>
<blockquote cite="mid:53FC9BAF.8060108@redhat.com" type="cite">
<div class="moz-cite-prefix">Chris,<br>
<br>
My understanding is that firewalld "services" are where we're
heading but I'm not entirely<br>
sure how much or how little of these are fully
supported/available yet. <br>
<br>
I've copied Thomas - he'll know :-)<br>
<br>
-m<br>
<br>
<br>
<br>
On 08/26/2014 10:26 AM, Chris Whittle wrote:<br>
</div>
<blockquote
cite="mid:CANyEwjRCtuTCYxpyFkVrpG-0KE3uz5vLgkJ7fYHM03maq81z9w@mail.gmail.com"
type="cite">
<div dir="ltr">Here is what I found that seems to work from <a
moz-do-not-send="true"
href="http://adam.younglogic.com/2013/04/firewall-d-for-freeipa/">http://adam.younglogic.com/2013/04/firewall-d-for-freeipa/</a>
<div>
<div><br>
</div>
<div>It only has to be run once...
<div> <br>
</div>
<pre># Service definitions for the IdM ports firewalld does not ship by default.
cat >/etc/firewalld/services/kerberos.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>kerberos</short>
 <description>Kerberos</description>
 <port protocol="tcp" port="88"/>
 <port protocol="udp" port="88"/>
</service>
EOD

cat >/etc/firewalld/services/kpasswd.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>kpasswd</short>
 <description>kpasswd</description>
 <port protocol="tcp" port="464"/>
 <port protocol="udp" port="464"/>
</service>
EOD

cat >/etc/firewalld/services/ldap.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>ldap</short>
 <description>Lightweight Directory Access Protocol</description>
 <port protocol="tcp" port="389"/>
</service>
EOD

cat >/etc/firewalld/services/ldaps.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
 <short>ldaps</short>
 <description>Lightweight Directory Access Protocol over SSL</description>
 <port protocol="tcp" port="636"/>
</service>
EOD

# Enable the services in the permanent configuration, then reload so the
# running firewall picks them up.
firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=kerberos
firewall-cmd --permanent --zone=public --add-service=kpasswd
firewall-cmd --permanent --zone=public --add-service=ldap
firewall-cmd --permanent --zone=public --add-service=ldaps
firewall-cmd --permanent --zone=public --add-service=ntp
firewall-cmd --reload
</pre>
<div><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Aug 26, 2014 at 9:22 AM, Mark
Heslin <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mheslin@redhat.com" target="_blank">mheslin@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi Chris,<br>
<br>
Take a look at the attached snippet - it will walk you
through configuring firewalld<br>
with named chains on RHEL 7. You don't have to use
named chains but makes managing <br>
multiple chains cleaner. Do make sure you 'mask'
iptables - only using 'disable' can still cause <br>
conflicts in some circumstances.<br>
<br>
This is extracted from the recently published
reference architecture "Integrating OpenShift
Enterprise<br>
with IdM in RHEL 7":<br>
<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/articles/1155603"
target="_blank">https://access.redhat.com/articles/1155603</a>
(The <a moz-do-not-send="true"
href="http://redhat.com" target="_blank">redhat.com</a>
links are not yet in place).<br>
<br>
The context here was for an IdM server but I also used
the same approach for the IdM replica<br>
and RHEL 7 clients.<br>
<br>
hth,<br>
<br>
-m
<div class=""><br>
<br>
<br>
On 08/25/2014 10:22 PM, Chris Whittle wrote:<br>
</div>
</div>
<div class="">
<blockquote type="cite">
<div dir="ltr">I've got my server up and running
great, with one exception: every time I reboot I
have to log in and flush the iptables or nothing
can connect.
<div><br>
</div>
<div>I've found a ton of fixes and none seem to
work. I'm on FC20; does anyone have experience
with it and wouldn't mind helping?</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
<span class="HOEnZb"><font color="#888888">
<pre cols="72">--
Red Hat Reference Architectures
Follow Us: <a moz-do-not-send="true" href="https://twitter.com/RedHatRefArch" target="_blank">https://twitter.com/RedHatRefArch</a>
Plus Us: <a moz-do-not-send="true" href="https://plus.google.com/u/0/b/114152126783830728030/" target="_blank">https://plus.google.com/u/0/b/114152126783830728030/</a>
Like Us: <a moz-do-not-send="true" href="https://www.facebook.com/rhrefarch" target="_blank">https://www.facebook.com/rhrefarch</a>
</pre>
</font></span></div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<br>
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
Best regards, Артур Файзуллин</pre>
</body>
</html>