I just installed Fedora 20 on my desktop and I'm playing with firewalld
for the first time. I read the docs and with the new rich-rules I think
I'm a happy camper so far. I have some questions & observations:
# firewall-config (GUI app)
I opened a bugzilla because every time you start the app it starts
# Target for a Zone
When using firewall-config and you switch to permanent configuration, in
order to edit one of the zone properties, there's a Target drop-down
list there. When I changed ACCEPT to DROP for the public zone (my
default) I noticed only the FORWARD chain was changed. I did an
"iptables -L -n -v" in order to confirm this. The actual chain
affected is FWDI_public (where the last REJECT rule is replaced by a
DROP). Shouldn't the IN_public (for public zone) have a DROP statement
as well? Since it doesn't have it, a REJECT from the default INPUT chain
is what gets applied. Is this a bug?
Also, when I do this I lose all my connections (can't browse the web,
anything...). I have dissected the resulting iptables rules and I only
see the change in the FWDI_public chain. Nothing else. I can't find the
culprit. I have to change the target back to ALLOW for things to get
In a nutshell, I would like all packets to be dropped for all services
that are not allowed. How can I do this via
firewall-cmd/firewall-config? I know there's a drop zone but still
would like to learn how to change the default target for a given zone.
What does it mean for a zone to be immutable? Is it that, once loaded,
you can't change it (add/remove rules)? When I change my default zone
to the drop zone, I still can add/remove services from it.
# Best Practices
If I'm going to add/remove services for a given zone, is it better to
just clone one zone and have one of my own? Should I leave all the stock
zones as they are?
Thanks in advance.
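The check the poster describes (reading the iptables rules to see which zone chain ends in DROP and which one falls back to the REJECT in the built-in chain) can be scripted. The following is an added example by the editor, not code from the post or from the firewalld project. It runs over a constructed, hand-written `iptables -S`-style rule listing modelled on the chain names mentioned above (IN_public, FWDI_public, the INPUT_ZONES and FORWARD_IN_ZONES dispatch chains are assumed names for the dispatch layer); on a live box you would replace the RULES variable with the real output of `iptables -S`. The helper names (terminal_target, caller_of, policy_of, effective_verdict) are this example's own.

```shell
#!/bin/sh
# Constructed sample of `iptables -S` output, modelled on the firewalld
# chain layout described in the post, after the public zone's target was
# set to DROP. Hand-written data, not captured from a live system.
RULES='-P INPUT ACCEPT
-P FORWARD ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A FORWARD_IN_ZONES -g FWDI_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -j DROP'

# Print the verdict of the last rule appended to CHAIN if it is terminal
# (ACCEPT/DROP/REJECT); print "fallthrough" when the chain ends in a jump,
# i.e. an unmatched packet returns to whatever called the chain.
terminal_target() {
    printf '%s\n' "$RULES" | awk -v c="$1" '
        $1 == "-A" && $2 == c {
            last = ""
            for (i = 3; i <= NF; i++)
                if ($i == "-j" || $i == "-g") last = $(i + 1)
        }
        END {
            print (last == "ACCEPT" || last == "DROP" || last == "REJECT") \
                  ? last : "fallthrough"
        }'
}

# Print "PARENT -j" or "PARENT -g" for the first rule that jumps to CHAIN,
# or nothing for a built-in chain that no rule jumps to.
caller_of() {
    printf '%s\n' "$RULES" | awk -v c="$1" '
        $1 == "-A" {
            for (i = 3; i <= NF; i++)
                if (($i == "-j" || $i == "-g") && $(i + 1) == c) {
                    print $2, $i; exit
                }
        }'
}

# Policy (-P line) of a built-in chain.
policy_of() {
    printf '%s\n' "$RULES" | awk -v c="$1" '$1 == "-P" && $2 == c { print $3 }'
}

# What finally happens to a packet that matches nothing inside CHAIN:
# the chain's own terminal rule if it has one, otherwise the verdict of the
# chain execution returns to, and ultimately the built-in chain's policy.
effective_verdict() {
    chain=$1
    verdict=$(terminal_target "$chain")
    if [ "$verdict" != "fallthrough" ]; then
        echo "$verdict"
        return
    fi
    set -- $(caller_of "$chain")
    if [ -z "$1" ]; then
        policy_of "$chain"      # built-in chain: nothing above it but the policy
        return
    fi
    parent=$1
    if [ "$2" = "-g" ]; then
        # -g (goto) does not return into $parent; execution resumes in the
        # chain that jumped to $parent, so look one level further up.
        set -- $(caller_of "$parent")
        parent=$1
    fi
    if [ -z "$parent" ]; then
        echo "unknown"
        return
    fi
    effective_verdict "$parent"
}

# Stand-alone run: report both zone chains for the public zone.
for c in IN_public FWDI_public; do
    echo "$c: ends in $(terminal_target "$c"), effective verdict $(effective_verdict "$c")"
done
```

With the sample data this prints that FWDI_public ends in DROP while IN_public falls through and is effectively REJECTed by the INPUT chain's final rule, which is exactly the asymmetry the post describes. Because firewalld reaches the zone chains with `-g` (goto) rather than `-j`, the script follows the goto semantics when walking back up: an unmatched packet resumes in INPUT, not in the INPUT_ZONES dispatch chain.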