I wanted know if there is any existing information on how to manage
dynamically changing services using firewalld. If there are none
existing, could you please let us know if the approach we're following
below is correct.
We want to provide firewalld service configuration for GlusterFS. One
of the properties of GlusterFS is that it has a set of fixed ports,
and a set of dynamic ports, which need to be opened.
We propose to ship 2 firewalld services with GlusterFS.
- glusterfs-static - This contains the list of static ports that
should be opened up. This is placed in /usr/lib/firewalld/services
- glusterfs-dynamic - This will contain the list of dynamic ports.
This will be shipped empty, and be placed in /etc/firewalld/services .
The ports in this service will be kept updated by a couple of scripts,
which hook into the glusterfs start/stop events.
The scripts, add or remove ports from the glusterfs-dyanmic.xml file,
and call `firewall-cmd --reload` to have firewalld reload
configuration. We do it this way, instead of using a dbus call because
we want the configuration to be persisted, and also applied live.
We've tested this, and this works. But we'd like to validate this
solution with you guys.
Do you see any issues with our approach? Is there anything we could do
to improve the solution.
For reference, the glusterfs bug and proposed solution are available
at  and .
PS: Apologies if I should have posted this to the users list instead.
here is a new branch that adds MAC source address support to firewalld:
MAC sources can be used in rich rules and also as source bindings in
zones. There is a limitation though with MAC source bindings in zones:
Port forwarding and masquerading rules in the zones do not have an
effect for the MAC sources.
Please give it a try and report the issues you are running into.