Tag Archive for 'rules'

Add permanent rules to FirewallD

Someone at work wanted to know how to add rules permanently to FirewallD, Fedora’s dynamic firewall (iptables), so I’m posting it in case it’s useful to someone else.

Get the default zone, this is usually “public”:
firewall-cmd --get-active-zones

List services on that zone:
firewall-cmd --zone=public --list-all

Add required TCP ports (let’s do port 80):
firewall-cmd --permanent --zone=public --add-port=80/tcp

If you need a UDP port:
firewall-cmd --permanent --zone=public --add-port=123/udp

You could restart the firewall for them to take affect, or set the rules again without the –permanent option to add them dynamically.

Restart firewall:
systemctl restart firewalld.service

You can also specify services, rather than ports if you like.

sudo firewall-cmd --permanent --zone=public --add-service=http

You’re done!

PolicyKit Javascript rules with catchall

So the desktop is ruled by PolicyKit which is awesome. It includes sets of rules about who can run certain actions (such as mounting an internal drive).

The rules are read in lexical order from the /etc/polkit-1/rules.d and /usr/share/polkit-1/rules.d directories.

You can get a list of available actions with the command:
$ pkaction

There may come a time when you want to tweak those rules though, to make management of your system easier. For example, managing virt-manager without a password if you’re in the wheel group (the rule is org.libvirt.unix.manage). If so, you can create one with a name like “10-my-policy.rules” in either directory above.

polkit.addRule(function(action, subject) {
if (action.id == "org.libvirt.unix.manage" &&
subject.isInGroup("wheel") && subject.active) {
return polkit.Result.YES;

Some related tasks have several actions, like configuring cups:
$ pkaction |grep cups

Previously, before the new javascript format, one could match all those actions with:

That doesn’t work with js though, so this is how you can do it:
polkit.addRule(function(action, subject) {
if (action.id.indexOf("org.opensuse.cupspkhelper.mechanism") == 0 &&
subject.isInGroup("wheel") && subject.active) {
return polkit.Result.YES;

Changes are picked up straight away, so just save the file and test!