Newly deployed Fedora 20 systems now use firewalld. This seems to work, except that the CF3 policy hub is unable to reach its clients.
On each client, I have a service definition such as:
root@myhost:/etc/firewalld/services/# cat cfengine3.xml
<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
<short>CFEngine3</short>
<description>CFEngine 3</description>
<port protocol="tcp" port="5308"/>
<destination ipv4="<my policy hub IP>"/>
</service>
This service is in turn declared in the "work" zone file.
cat work.xml
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="bru"/>
<service name="cfengine3"/>
<service name="ipp"/>
<service name="ipp-client"/>
<service name="mdns"/>
<service name="mountd"/>
<service name="nfs"/>
<service name="rpc-bind"/>
<service name="samba-client"/>
<service name="ssh"/>
</zone>
From the CF3 policy hub, nmap reports 5308/tcp as "filtered":
[root@policyhub ~]$ nmap -p 5308 myhost
Starting Nmap 5.51 ( http://nmap.org ) at 2014-07-24 15:49 CDT
Nmap scan report for myhost (XXX.XXX.XXX.XXX)
Host is up (0.00043s latency).
rDNS record for XXX.XXX.XXX.XXX: myhost.mydomain.com
PORT STATE SERVICE
5308/tcp filtered cfengine
MAC Address: B8:AC:6F:31:XX:XX (Dell)
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Is there any misconception in my approach? How do I get CF3 traffic through? As I understand it, there is no syntax component such as <source ipv4="xxx.xxx.xxx.yyy"/>, and that seems to be missing... So my access attempts always fail, and therefore CF3 fails to run... Only by fully stopping firewalld will CF3 work.
Thanks
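The following is an added example, not part of the original post and not CFEngine's or firewalld's own code. In a firewalld service file the <destination> element matches the destination address of the packet, i.e. the address of the client itself, so a service whose <destination> is the policy hub's address never matches hub-to-client connections and the port stays filtered. To admit 5308/tcp only from the hub, keep the service definition to the port alone and add a rich rule keyed on the source address. The hub address 192.0.2.10, the zone name "work", the service file path and the local address used by the lint are assumptions for the example.

```shell
#!/bin/sh
# Added example: open CFEngine's 5308/tcp to the policy hub only, by source address.
# Assumptions (not from the original post): HUB_IP, ZONE, SERVICE_XML.
set -eu

HUB_IP="${HUB_IP:-192.0.2.10}"                 # assumed policy hub address (documentation range)
ZONE="${ZONE:-work}"                           # zone the clients' interfaces are bound to
SERVICE_XML="${SERVICE_XML:-/etc/firewalld/services/cfengine3.xml}"

# Corrected service file: port only. A <destination> element here would be
# matched against the packet's destination (the client's own address), not its source.
cfengine_service_xml() {
  cat <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service version="1.0">
  <short>CFEngine3</short>
  <description>CFEngine 3</description>
  <port protocol="tcp" port="5308"/>
</service>
EOF
}

# Rich rule that accepts the cfengine3 service only when the source is the hub.
# firewalld rich language: rule [family=...] source address=... service name=... accept
cfengine_rich_rule() {
  printf 'rule family="ipv4" source address="%s" service name="cfengine3" accept' "$1"
}

# Lint: flag a <destination ipv4="..."> whose address is not one of this host's
# own addresses (passed as extra arguments). Such an entry can never match
# inbound traffic. Returns 0 if fine, 1 if the element is misused. IPv4 only.
lint_service_destination() {
  file="$1"; shift
  dest=$(sed -n 's/.*<destination[^>]*ipv4="\([^"]*\)".*/\1/p' "$file")
  [ -z "$dest" ] && return 0
  for a in "$@"; do
    [ "$a" = "$dest" ] && return 0
  done
  echo "warning: <destination ipv4=\"$dest\"> in $file is not a local address;" \
       "it restricts the packet destination, not the source" >&2
  return 1
}

# Apply on a client: install the corrected service, drop the zone-wide service
# entry (which would open 5308 to every host in the zone) and add the rich rule.
apply_firewall() {
  command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found; nothing applied" >&2; return 0; }
  cfengine_service_xml > "$SERVICE_XML"
  firewall-cmd --reload                                   # load the new service definition
  firewall-cmd --permanent --zone="$ZONE" --remove-service=cfengine3
  firewall-cmd --permanent --zone="$ZONE" --add-rich-rule="$(cfengine_rich_rule "$HUB_IP")"
  firewall-cmd --reload
  firewall-cmd --zone="$ZONE" --list-rich-rules           # check: the rule should be listed
}

if [ "${1:-}" = "apply" ]; then
  apply_firewall
fi
```

Run with `sh cfengine-fw.sh apply` as root on a client; afterwards `nmap -p 5308 myhost` from the hub should report the port as open while any other host still sees it filtered. Binding the hub to the zone instead (`firewall-cmd --permanent --zone=work --add-source=HUB_IP`) would only decide which zone the hub's packets are evaluated in; it would not stop other hosts in that zone from reaching 5308, so the rich rule is the tighter choice.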