<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">Chris,<br>
<br>
My understanding is that firewalld "services" are where we're
heading but I'm not entirely<br>
sure how much or how little of these are fully supported/available
yet. <br>
<br>
I've copied Thomas - he'll know :-)<br>
<br>
-m<br>
<br>
<br>
<br>
On 08/26/2014 10:26 AM, Chris Whittle wrote:<br>
</div>
<blockquote
cite="mid:CANyEwjRCtuTCYxpyFkVrpG-0KE3uz5vLgkJ7fYHM03maq81z9w@mail.gmail.com"
type="cite">
<div dir="ltr">Here is what I found that seems to work from <a
moz-do-not-send="true"
href="http://adam.younglogic.com/2013/04/firewall-d-for-freeipa/">http://adam.younglogic.com/2013/04/firewall-d-for-freeipa/</a>
<div>
<div><br>
</div>
<div>It only has to be run once...
<div>
<br>
</div>
<div>
<pre>cat >/etc/firewalld/services/kerberos.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kerberos</short>
  <description>Kerberos</description>
  <port protocol="tcp" port="88"/>
  <port protocol="udp" port="88"/>
</service>
EOD

cat >/etc/firewalld/services/kpasswd.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>kpasswd</short>
  <description>kpasswd</description>
  <port protocol="tcp" port="464"/>
  <port protocol="udp" port="464"/>
</service>
EOD

cat >/etc/firewalld/services/ldap.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldap</short>
  <description>Lightweight Directory Access Protocol</description>
  <port protocol="tcp" port="389"/>
</service>
EOD

cat >/etc/firewalld/services/ldaps.xml <<EOD
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>ldaps</short>
  <description>Lightweight Directory Access Protocol over SSL</description>
  <port protocol="tcp" port="636"/>
</service>
EOD

firewall-cmd --permanent --zone=public --add-service=dns
firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --add-service=https
firewall-cmd --permanent --zone=public --add-service=kerberos
firewall-cmd --permanent --zone=public --add-service=kpasswd
firewall-cmd --permanent --zone=public --add-service=ldap
firewall-cmd --permanent --zone=public --add-service=ldaps
firewall-cmd --permanent --zone=public --add-service=ntp
firewall-cmd --reload
</pre>
</div>
<div><br>
</div>
</div>
</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Tue, Aug 26, 2014 at 9:22 AM, Mark
Heslin <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mheslin@redhat.com" target="_blank">mheslin@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi Chris,<br>
<br>
Take a look at the attached snippet - it will walk you
through configuring firewalld<br>
with named chains on RHEL 7. You don't have to use named
chains, but it makes managing <br>
multiple chains cleaner. Do make sure you 'mask'
iptables - only using 'disable' can still cause <br>
conflicts in some circumstances.<br>
<br>
This is extracted from the recently published reference
architecture "Integrating OpenShift Enterprise<br>
with IdM in RHEL 7":<br>
<br>
<a moz-do-not-send="true"
href="https://access.redhat.com/articles/1155603"
target="_blank">https://access.redhat.com/articles/1155603</a>
(The <a moz-do-not-send="true" href="http://redhat.com"
target="_blank">redhat.com</a> links are not yet in
place).<br>
<br>
The context here was for an IdM server but I also used
the same approach for the IdM replica<br>
and RHEL 7 clients.<br>
<br>
hth,<br>
<br>
-m
<div class=""><br>
<br>
<br>
On 08/25/2014 10:22 PM, Chris Whittle wrote:<br>
</div>
</div>
<div class="">
<blockquote type="cite">
<div dir="ltr">I've got my server up and running great
with one exception: every time I reboot I have to
log in and flush the iptables or nothing can connect.
<div><br>
</div>
<div>I've found a ton of fixes and none seem to
work. I'm on FC20; does anyone have experience with
it and wouldn't mind helping?</div>
</div>
<br>
<br>
</blockquote>
<br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
<br>
<pre class="moz-signature" cols="72">--
Red Hat Reference Architectures
Follow Us: <a class="moz-txt-link-freetext" href="https://twitter.com/RedHatRefArch">https://twitter.com/RedHatRefArch</a>
Plus Us: <a class="moz-txt-link-freetext" href="https://plus.google.com/u/0/b/114152126783830728030/">https://plus.google.com/u/0/b/114152126783830728030/</a>
Like Us: <a class="moz-txt-link-freetext" href="https://www.facebook.com/rhrefarch">https://www.facebook.com/rhrefarch</a>
</pre>
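<br>
<p>Added example, not from the thread, from Adam Young's post, or from the firewalld or FreeIPA projects: a POSIX sh script that generates the four custom firewalld service definitions in Chris' snippet from a port list instead of pasting XML by hand, plus a small audit helper that reads back exactly which ports a definition opens before it is enabled. The <code>FIREWALLD_SERVICE_DIR</code> variable, the function names and the hypothetical file name <code>ipa-firewalld.sh</code> are this example's own; the default target directory <code>/etc/firewalld/services</code> and the <code>firewall-cmd</code> options are the ones the thread uses.</p>

```sh
#!/bin/sh
# Added example (not code from the thread, firewalld or FreeIPA): build the
# firewalld service definitions for a FreeIPA server from a port list, then
# audit what each file opens before enabling it.
# Assumptions: POSIX sh; FIREWALLD_SERVICE_DIR (this script's own variable)
# overrides the target directory. The default, /etc/firewalld/services,
# needs root to write and takes precedence over /usr/lib/firewalld/services.

FIREWALLD_SERVICE_DIR="${FIREWALLD_SERVICE_DIR:-/etc/firewalld/services}"

# write_service NAME DESCRIPTION PORT/PROTO... -> writes NAME.xml, prints its path
write_service() {
    name=$1; desc=$2; shift 2
    file="$FIREWALLD_SERVICE_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n'
        printf '<service>\n'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for spec in "$@"; do
            # "88/tcp" -> protocol="tcp" port="88"
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    printf '%s\n' "$file"
}

# service_ports FILE -> one "proto/port" per line; use it to confirm a
# definition opens exactly what the service needs and nothing more
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9]*\)".*/\1\/\2/p' "$1"
}

# ipa_service_files -> the four custom definitions from the thread
ipa_service_files() {
    write_service kerberos "Kerberos" 88/tcp 88/udp
    write_service kpasswd  "kpasswd"  464/tcp 464/udp
    write_service ldap     "Lightweight Directory Access Protocol" 389/tcp
    write_service ldaps    "Lightweight Directory Access Protocol over SSL" 636/tcp
}

# enable_commands [ZONE] -> the firewall-cmd lines that make the rules
# permanent in ZONE (default public); dns, http, https and ntp ship with firewalld
enable_commands() {
    zone=${1:-public}
    for svc in dns http https kerberos kpasswd ldap ldaps ntp; do
        printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$zone" "$svc"
    done
    printf 'firewall-cmd --reload\n'
}

# Only act when asked, so sourcing the file just defines the functions.
if [ "${1-}" = "generate" ]; then
    ipa_service_files
    enable_commands "${2:-public}"
fi
```

<p>Run <code>sh ipa-firewalld.sh generate</code> as root to write the files and print the <code>firewall-cmd</code> lines to run next; point <code>FIREWALLD_SERVICE_DIR</code> at a scratch directory first to inspect the output. Because a file under <code>/etc/firewalld/services</code> shadows a packaged definition of the same name, <code>service_ports</code> is worth running on anything you drop there, and <code>firewall-cmd --get-services</code> confirms the names firewalld now knows. As Mark's reply notes, mask <code>iptables</code> (<code>systemctl mask iptables</code>) rather than only disabling it so the two services do not fight over the same rules after a reboot.</p>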
</body>
</html>