Hi,
I want to allow traffic of the ospf protocol in the work zone. But I found no way to do this, besides custom iptables commands and firewall-cmd --direct rules which are not persistent. There are more than 100 protocols listed in /etc/protocols, so there should be a way to allow a custom protocol.
My best try: firewall-cmd --direct --add-rule ipv4 filter INPUT 99 -d 224.0.0.5 -p ospf -j ACCEPT
How can I get this use case to work with firewalld? Or will this never be supported? I'm trying all this on a freshly installed Fedora 18. What chain should I use? INPUT works for me, but there are others which look more correct, like IN_ZONE_work_allow, IN_ZONE_work or IN_ZONE_work_direct.
Regards, Stefan Hellermann
Hello,
On 12/20/2012 02:58 PM, Stefan Hellermann wrote:
> Hi,
> I want to allow traffic of the ospf protocol in the work zone. But I found no way to do this, besides custom iptables commands and firewall-cmd --direct rules which are not persistent. There are more than 100 protocols listed in /etc/protocols, so there should be a way to allow a custom protocol.
> My best try: firewall-cmd --direct --add-rule ipv4 filter INPUT 99 -d 224.0.0.5 -p ospf -j ACCEPT

the best way to do this for now is to define a new service. There you can use protocols besides tcp and udp. Please have a look at the firewalld.service man page.
I have created a test service entry (/etc/firewalld/services/ospf.xml) for the line above:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OSPF</short>
  <description></description>
  <port protocol="ospf" port=""/>
  <destination ipv4="224.0.0.5"/>
</service>

> How can I get this use case to work with firewalld? Or will this never be supported? I'm trying all this on a freshly installed Fedora 18. What chain should I use? INPUT works for me, but there are others which look more correct, like IN_ZONE_work_allow, IN_ZONE_work or IN_ZONE_work_direct.

Just add the file and (permanently) enable the OSPF service in the work zone.

> Regards, Stefan Hellermann
>
> _______________________________________________
> firewalld-users mailing list
> firewalld-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/firewalld-users
Thanks, Thomas
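The procedure Thomas describes (drop a service definition into /etc/firewalld/services, then enable that service permanently in a zone), written out as an added example that is not part of the thread. The script takes a directory argument that stands in for /etc/firewalld/services so the file-writing part can be exercised without root; the service name "ospf", the zone "work" and the 224.0.0.5 destination are taken from the thread, and the description text is my own.

```shell
#!/bin/sh
# Added example (not from the firewalld-users thread): create a firewalld
# service file for OSPF and show the firewall-cmd calls that enable it.
# Assumption: DIR stands in for /etc/firewalld/services; the service is
# restricted to the AllSPFRouters multicast group 224.0.0.5 as in the thread.

# write_ospf_service DIR : writes DIR/ospf.xml and prints its path
write_ospf_service() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ospf.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>OSPF</short>
  <description>OSPF routing (IP protocol 89), limited to the 224.0.0.5 AllSPFRouters group.</description>
  <port protocol="ospf" port=""/>
  <destination ipv4="224.0.0.5"/>
</service>
EOF
    printf '%s\n' "$dir/ospf.xml"
}

# service_protocol FILE : prints the protocol attribute of the <port> element
service_protocol() {
    sed -n 's/.*<port protocol="\([^"]*\)".*/\1/p' "$1"
}

# service_destination FILE : prints the ipv4 attribute of <destination>
service_destination() {
    sed -n 's/.*<destination ipv4="\([^"]*\)".*/\1/p' "$1"
}

# enable_in_zone ZONE : make the service permanent and active in ZONE.
# Needs root and a running firewalld; not called by the demo below.
enable_in_zone() {
    zone="$1"
    firewall-cmd --reload                                  # load the new service file
    firewall-cmd --permanent --zone="$zone" --add-service=ospf
    firewall-cmd --reload                                  # apply the permanent config
    firewall-cmd --zone="$zone" --list-services            # 'ospf' should be listed
}

# Demonstration in a scratch directory (real use: write_ospf_service /etc/firewalld/services && enable_in_zone work)
demo_dir=$(mktemp -d)
demo_file=$(write_ospf_service "$demo_dir")
echo "wrote $demo_file: protocol=$(service_protocol "$demo_file") destination=$(service_destination "$demo_file")"
```

Because the service file lives in /etc/firewalld/services and the zone assignment is made with --permanent, the rule survives reloads and reboots, which is what the --direct rule in the original question lacked. Note that current firewalld versions accept only tcp, udp, sctp and dccp in the port element's protocol attribute; for other IP protocols they use a separate `<protocol value="ospf"/>` element, so check the firewalld.service man page of the installed version before copying the port line verbatim.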
Hi!
> the best way to do this for now is to define a new service. There you can use protocols besides tcp and udp. Please have a look at the firewalld.service man page.
> I have created a test service entry (/etc/firewalld/services/ospf.xml) for the line above:
>
> <?xml version="1.0" encoding="utf-8"?>
> <service>
>   <short>OSPF</short>
>   <description></description>
>   <port protocol="ospf" port=""/>
>   <destination ipv4="224.0.0.5"/>
> </service>
Thanks! Nice solution!
Is there a plan to add more service.xml files to the firewalld package? Should packages install their own service.xml files? In this case there are at least two routing daemons in Fedora which can use the OSPF protocol (quagga and bird).
Regards, Stefan Hellermann