+   - Name: Setting a key shortcut to run an application in GNOME

+     File: proc_setting-key-shortcut

+   - Name: Creating disk partitions

+     File: creating-a-disk-partition-in-linux

+ #  - Name: (FIX ME!) Identifying Wayland problems

+ #    File: debug-wayland-problems

+ include::en-US/modules/proc_revoking-gpg-keys.adoc[leveloffset=+1]

+ :experimental:

+ 

+ :parent-context: {context}

+ 

+ [id='disk-partition-in-linux-{context}']

+ = Creating a disk partition in Linux

+ :context: using-parted

+ 

+ include::en-US/modules/con_disk-partition-linux.adoc[leveloffset=+1]

+ include::en-US/modules/proc_creating-a-disk-partition-in-linux.adoc[leveloffset=+1]

+ include::en-US/modules/ref_help-mkpart.adoc[leveloffset=+1]

+ 

+ :context: {parent-context}

+ :experimental:

+ :imagesdir: ./images

+ [[using-firewalld]]

+ = Using firewalld

+ :leveloffset: +1

+ include::en-US/modules/con_firewalld.adoc[]

+ include::en-US/modules/proc_checking_firewalld.adoc[]

+ include::en-US/modules/proc_installing_firewalld.adoc[]

+ include::en-US/modules/proc_starting_firewalld.adoc[]

+ include::en-US/modules/proc_stopping_firewalld.adoc[]

+ include::en-US/modules/con_runtime_and_permanent_firewalld.adoc[]

+ include::en-US/modules/proc_changing_runtime_firewalld.adoc[]

+ include::en-US/modules/con_controlling_ports_firewalld.adoc[]

+ include::en-US/modules/proc_opening_ports_firewalld.adoc[]

+ include::en-US/modules/proc_closing_ports_firewalld.adoc[]

+ :leveloffset: 0

+ // Module included in the following assemblies:

+ //

+ // firewalld.adoc

+ 

+ 

+ [id='controlling-ports-firewalld-fedora']

+ 

+ = Controlling ports using firewalld

+ 

+ == What are ports?

+ Ports are logical devices that enable an operating system to receive and distinguish network traffic and forward it accordingly to system services. These are usually represented by a daemon that listens on the port, that is it waits for any traffic coming to this port.

+ 

+ Normally, system services listen on standard ports that are reserved for them. The httpd daemon, for example, listens on port 80. However, system administrators may configure daemons to listen on different ports to enhance security.

+ // Module included in the following assemblies:

+ //

+ // creating-a-disk-partition-in-linux-using-the-parted-command.adoc

+ :experimental:

+ 

+ [#{context}-disk-partition-linux]

+ = Disk Partitioning in Linux

+ 

+ Creating and deleting partitions in Linux is a regular practice because storage devices (such as hard drives and USB drives) must be structured in some way before they can be used. In most cases, large storage devices are divided into separate sections called partitions. Partitioning also allows you to divide your hard drive into isolated sections, where each section behaves as its own hard drive. Partitioning is particularly useful if you run multiple operating systems.

+ // Module included in the following assemblies:

+ //

+ // firewalld.adoc

+ 

+ [id='concept-firewalld-fedora']

+ = Using firewalld

+ 

+ == What is firewalld?

+ 

+ A _firewall_ is a way to protect machines from any unwanted traffic from outside. It enables users to control incoming network traffic on host machines by defining a set of _firewall rules_. These rules are used to sort the incoming traffic and either block it or allow through.

+ 

+ `firewalld` is a firewall service daemon that provides a dynamic customizable host-based firewall with a `D-Bus` interface. Being dynamic, it enables creating, changing, and deleting the rules without the necessity to restart the firewall daemon each time the rules are changed.

+ 

+ `firewalld` uses the concepts of _zones_ and _services_, that simplify the traffic management.

+ 

+ `_Zones_` are predefined sets of rules. Network interfaces and sources can be assigned to a zone. The traffic allowed depends on the network your computer is connected to and the security level this network is assigned. Firewall services are predefined rules that cover all necessary settings to allow incoming traffic for a specific service and they apply within a zone.

+ 

+ `_Services_` use one or more ports or addresses for network communication. Firewalls filter communication based on ports. To allow network traffic for a service, its ports must be open. `firewalld` blocks all traffic on ports that are not explicitly set as open. Some zones, such as trusted, allow all traffic by default.

+ 

+ .Additional resources

+ 

+ For more information about using firewalld and configuring zones and services, see link:https://firewalld.org/documentation/[firewalld documentation] or link:https://fedoraproject.org/wiki/Firewalld[Fedora wiki:firewalld]

+ // Module included in the following assemblies:

+ //

+ // firewalld.adoc

+ 

+ [id='concept-runtime-and-permanent-firewalld-fedora']

+ 

+ = Runtime and permanent settings

+ 

+ Any changes made while firewalld is running will be lost when firewalld is restarted. When firewalld is restarted, the settings revert to their permanent values.

+ 

+ These changes are said to be made in _runtime mode_.

+ 

+ To make the changes persistent across reboots, apply them again using the `--permanent` option. Alternatively, to make changes persistent while firewalld is running, use the `--runtime-to-permanent _firewall-cmd_` option.

+ 

+ If you make changes while firewalld is running using only the `--permanent` option, they do not become effective until firewalld is restarted. However, restarting firewalld briefly stops the networking traffic, causing disruption to your system.

+ // Module included in the following assemblies:

+ //

+ // firewalld.adoc

+ 

+ [id='changing_runtime_firewalld_fedora']

+ 

+ = Changing settings in runtime and permanent configuration using CLI

+ 

+ Using the CLI, you can only modify either runtime or permanent mode. To modify the firewall settings in permanent mode, use the `--permanent` option with the `firewall-cmd` command.

+ 

+ ----

+ $ sudo firewall-cmd --permanent <other options>

+ ----

+ 

+ Without this option, the command modifies runtime mode.

+ To change settings in both modes, you can use two methods:

+ 

+ * Change runtime settings and then make them permanent as follows:

+ 

+ . Change the runtime settings:

+ +

+ `firewall-cmd <other options>`

+ +

+ . Use `--runtime-to-permanent` to make the changes permanent.

+ +

+ `firewall-cmd --runtime-to-permanent`

+ 

+ * Set permanent settings and reload the settings into runtime mode:

+ 

+ . Make the changes in permanent mode:

+ +

+ `firewall-cmd --permanent <other options>`

+ +

+ . Reload the settings:

+ +

+ `firewall-cmd --reload`

+ 

+ The first method allows you to test the settings before you apply them to permanent mode.

+ 

+ [NOTE]

+ ====

+ It is possible that an incorrect setting will result in a user locking themselves out of a machine. To prevent this, use the `--timeout` option. Using this option means that after a specified amount of time, any change reverts to its previous state.

+ You can not use the `--permanent` option with the `--timeout` option.

+ 

+ For example, to add the SSH service for 15 minutes use this command:

+ ----

+ $ sudo firewall-cmd --add-service=ssh --timeout 15m

+ ----

+ The SSH service will be available until access is removed after 15 minutes.

+ ====

+ // Module included in the following assemblies:

+ //

+ // firewalld.adoc

+ 

+ // Base the file name and the ID on the module title. For example:

+ // * file name: doing-procedure-a.adoc

+ // * ID: [id='doing-procedure-a']

+ // * Title: = Doing procedure A

+ 

+ // The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken.

+ [id=checking-firewalld-fedora]

+ // The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide.

+ = Checking the firewalld status

+ 

+ == Viewing the current status of `firewalld`

+ 

+ The firewall service, `firewalld`, is installed on the system by default. Use the `firewalld` CLI interface to check that the service is running.

+ 

+ To see the status of the service:

+ 

+ ----

+ $ sudo firewall-cmd --state

+ ----

+ 

+ For more information about the service status, use the [command]`systemctl status` sub-command:

+ 

+ ----

+ $ sudo systemctl status firewalld

+ firewalld.service - firewalld - dynamic firewall daemon

+    Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor pr

+    Active: active (running) since Mon 2017-12-18 16:05:15 CET; 50min ago

+      Docs: man:firewalld(1)

+  Main PID: 705 (firewalld)

+     Tasks: 2 (limit: 4915)

+    CGroup: /system.slice/firewalld.service

+            └─705 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid

+ ----

+ 

+ Furthermore, it is important to know how `firewalld` is set up and which rules are in force before you try to edit the settings. To display the firewall settings, see <<sec-Viewing_Current_firewalld_Settings>>

+ 

+ [[sec-Viewing_Current_firewalld_Settings]]

+ == Viewing current firewalld settings

+ 

+ [[sec-Viewing_Allowed_Services_Using_GUI]]

+ === Viewing allowed services using GUI

+ 

+ To view the list of services using the graphical [application]*firewall-config* tool, press the kbd:[Super] key to enter the Activities Overview, type [command]`firewall`, and press kbd:[Enter]. The [application]*firewall-config* tool appears. You can now view the list of services under the `Services` tab.

+ 

+ Alternatively, to start the graphical firewall configuration tool using the command-line, enter the following command:

+ 

+ [subs="quotes, macros"]

+ ----

+ $ [command]`firewall-config`

+ ----

+ 

+ The `Firewall Configuration` window opens. Note that this command can be run as a normal user, but you are prompted for an administrator password occasionally.

+ ////

+ [[exam-firewall_config_services]]

+ .The Services tab in firewall-config

+ 

+ image::images/firewall-config-services.png[A screenshot of the firewall configuration tool - the Services tab]

+ ////

+ [[sec-Viewing_firewalld_Settings_Using_CLI]]

+ === Viewing firewalld settings using CLI

+ 

+ With the CLI client, it is possible to get different views of the current firewall settings. The [option]`--list-all` option shows a complete overview of the `firewalld` settings.

+ 

+ `firewalld` uses zones to manage the traffic. If a zone is not specified by the [option]`--zone` option, the command is effective in the default zone assigned to the active network interface and connection.

+ 

+ To list all the relevant information for the default zone:

+ 

+ ----

+ $ firewall-cmd --list-all

+ public

+   target: default

+   icmp-block-inversion: no

+   interfaces:

+   sources:

+   services: ssh dhcpv6-client

+   ports:

+   protocols:

+   masquerade: no

+   forward-ports:

+   source-ports:

+   icmp-blocks:

+   rich rules:

+ ----

+ 

+ [NOTE]

+ ====

+ To specify the zone for which to display the settings, add the [option]`--zone=pass:attributes[{blank}]_zone-name_pass:attributes[{blank}]` argument to the [command]`firewall-cmd --list-all` command, for example:

+ ----

+ ~]# firewall-cmd --list-all --zone=home

+ home

+   target: default

+   icmp-block-inversion: no

+   interfaces:

+   sources:

+   services: ssh mdns samba-client dhcpv6-client

+ ... [output truncated]

+ 

+ ----

+ ====

+ 

+ To see the settings for particular information, such as services or ports, use a specific option. See the `firewalld` manual pages or get a list of the options using the command help:

+ 

+ ----

+ $ firewall-cmd --help

+ 

+ Usage: firewall-cmd [OPTIONS...]

+ 

+ General Options

+   -h, --help           Prints a short help text and exists

+   -V, --version        Print the version string of firewalld

+   -q, --quiet          Do not print status messages

+ 

+ Status Options

+   --state              Return and print firewalld state

+   --reload             Reload firewall and keep state information

+ ... [output truncated]

+ ----

+ 

+ For example, to see which services are allowed in the current zone:

+ 

+ ----

+ $ firewall-cmd --list-services

+ samba-client ssh dhcpv6-client

+ ----

+ 

+ Listing the settings for a certain subpart using the CLI tool can sometimes be difficult to interpret. For example, you allow the `SSH` service and `firewalld` opens the necessary port (22) for the service. Later, if you list the allowed services, the list shows the `SSH` service, but if you list open ports, it does not show any. Therefore, it is recommended to use the [option]`--list-all` option to make sure you receive a complete information.

+ // Module included in the following assemblies:

+ //

+ // firewalld.adoc

+ 

+ // Base the file name and the ID on the module title. For example:

+ // * file name: doing-procedure-a.adoc

+ // * ID: [id='doing-procedure-a']

+ // * Title: = Doing procedure A

+ 

+ // The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken.

+ [id=closing-ports-firewalld-fedora]

+ // The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide.

+ = Closing a port

+ 

+ When an open port is no longer needed, close that port in firewalld. It is highly recommended to close all unnecessary ports as soon as they are not used because leaving a port open represents a security risk.

+ 

+ .Closing a port using the command line

+ 

+ To close a port, remove it from the list of allowed ports:

+ 

+ . List all allowed ports:

+ +

+ ----

+ $ firewall-cmd --list-ports

+ ----

+ +

+ [WARNING]

+ ====

+ This command will only give you a list of ports that have been opened as ports. You will not be able to see any open ports that have been opened as a service. Therefore, you should consider using the --list-all option instead of --list-ports.

+ ====

+ +

+ . Remove the port from the allowed ports to close it for the incoming traffic:

+ +

+ ----

+ $ sudo firewall-cmd --remove-port=port-number/port-type

+ ----

+ +

+ . Make the new settings persistent:

+ +

+ ----

+ $ sudo firewall-cmd --runtime-to-permanent

+ ----

+ [id='configuring-xorg-as-default-gnome-session']

+ = Configuring Xorg as the default GNOME session

+ 

+ To run GNOME in X11, click the gear icon on the Fedora log in screen and select *GNOME on Xorg*, or complete the following steps:

+ 

+ [discrete]

+ == Procedure

+ 

+ . Open `/etc/gdm/custom.conf` and uncomment `WaylandEnable=false`.

+ 

+ . Add the following line to the `[daemon]` section:

+ 

+   DefaultSession=gnome-xorg.desktop

+ 

+ . Save the `custom.conf` file.

+ // Module included in the following assemblies:

+ //

+ // firewalld.adoc

+ 

+ [id='configuring_firewalld_fedora']

+ 

+ = Modifying Settings in runtime and permanent configuration using CLI

+ 

+ Using the CLI, you do not modify the firewall settings in both modes at the same time. You only modify either runtime or permanent mode. To modify the firewall settings in the permanent mode, use the --permanent option with the firewall-cmd command.

+ 

+ ----

+ $ sudo firewall-cmd --permanent <other options>

+ ----

+ 

+ Without this option, the command modifies runtime mode.

+ To change settings in both modes, you can use two methods:

+ 

+ Change runtime settings and then make them permanent as follows:

+ ----

+ $ sudo firewall-cmd <other options>

+ $ sudo firewall-cmd --runtime-to-permanent

+ ----

+ 

+ Set permanent settings and reload the settings into runtime mode:

+ 

+ ----

+ $ sudo firewall-cmd --permanent <other options>

+ $ sudo firewall-cmd --reload

+ ----

+ 

+ The first method allows you to test the settings before you apply them to the permanent mode.

+ 

+ [Note]

+ ====

+ 

+ It is possible, especially on remote systems, that an incorrect setting results in a user locking themselves out of a machine. To prevent such situations, use the `--timeout` option. After a specified amount of time, any change reverts to its previous state. Using this options excludes the --permanent option.

+ For example, to add the SSH service for 15 minutes:

+ 

+ ----

+ $ sudo firewall-cmd --add-service=ssh --timeout 15m

+ ----

+ 

+ ====

+ // Module included in the following assemblies:

+ //

+ // <List assemblies here, each on a new line>

+ 

+ // Base the file name and the ID on the module title. For example:

+ // * file name: proc_creating-a-disk-partition-in-linux.adoc

+ // * ID: [id='creating-a-disk-partition-in-linux']

+ 

+ // The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken.

+ [id='creating-a-disk-partition-in-linux_{context}']

+ // The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide.

+ = Creating a Disk Partition in Linux

+ // Start the title of a procedure module with a verb, such as Creating or Create. See also _Wording of headings_ in _The IBM Style Guide_.

+ 

+ This procedure describes how to partition a storage disk in Linux using the `parted` command.

+ 

+ .Procedure

+ 

+ . List the partitions using the `parted -l` command to identify the storage device you want to partition. Typically, the first hard disk (`/dev/sda` or `/dev/vda`) will contain the operating system, so look for another disk to find the one you want. For example:

+ +

+ ----

+ $ sudo parted -l

+ [sudo] password for user:

+ Model: ATA RevuAhn_850X1TU5 (scsi)

+ Disk /dev/vdc: 512GB

+ Sector size (logical/physical): 512B/512B

+ Partition Table: msdos

+ Disk Flags:

+ 

+ Number  Start   End    Size   Type     File system  Flags

+  1      1049kB  525MB  524MB  primary  ext4         boot

+  2      525MB   512GB  512GB  primary               lvm

+ ----

+ +

+ . Open the storage device. Use the `parted` command to begin working with the selected storage device. For example:

+ +

+ ----

+ $ sudo parted /dev/vdc

+ GNU Parted 3.2

+ Using /dev/vdc

+ Welcome to GNU Parted! Type 'help' to view a list of commands.

+ (parted)

+ ----

+ +

+ [IMPORTANT]

+ ====

+ Be sure to indicate the specific device you want to partition. If you just enter `parted` without a device name, it will randomly select a storage device to modify.

+ ====

+ +

+ . Set the partition table type to `gpt`, then enter `Yes` to accept it.

+ +

+ ----

+ (parted) mklabel gpt

+ Warning: the existing disk label on /dev/vdc will be destroyed

+ and all data on this disk will be lost. Do you want to continue?

+ Yes/No? Yes

+ ----

+ +

+ [NOTE]

+ ====

+ The `mklabel` and `mktable` commands are both used for making a partition table on a storage device. At time of writing, the supported partition tables are: `aix`, `amiga`, `bsd`, `dvh`, `gpt`, `mac`, `ms-dos`, `pc98`, `sun`, and `loop`. Remember `mklabel` will not make a partition, rather it will make a partition table.

+ ====

+ . Review the partition table of the storage device.

+ +

+ ----

+ (parted) print

+ Model: Virtio Block Device (virtblk)

+ Disk /dev/vdc: 1396MB

+ Sector size (logical/physical): 512B/512B

+ Partition Table: gpt

+ Disk Flags:

+ Number Start End Size File system Name Flags

+ ----

+ +

+ . Create a new partition using the following command. For example, 1396 MB on partition 0:

+ +

+ ----

+ (parted) mkpart primary 0 1396MB

+ 

+ Warning: The resulting partition is not properly aligned for best performance

+ Ignore/Cancel? I

+ 

+ (parted) print

+ Model: Virtio Block Device (virtblk)

+ Disk /dev/vdc: 1396MB

+ Sector size (logical/physical): 512B/512B

+ Partition Table: gpt

+ Disk Flags:

+ Number Start   End     Size    File system Name Flags

+ 1      17.4kB  1396MB  1396MB  primary

+ ----

+ +

+ [NOTE]

+ ====

+ Providing a partition name under GPT is a must; in the above example, primary is the name, not the partition type. In a GPT partition table, the partition type is used as partition name. 

+ ====

+ +

+ . Quit using the `quit` command. Changes are automatically saved when you quit `parted`.

+ +

+ ----

+ (parted) quit

+ Information: You may need to update /etc/fstab. 

+ $

+ ----

+ +

+ 

+ See the `xorg.conf(5)` man page for more information.

+ = Enabling Third party repositories

+ `$ su`

+ `# dnf --enablerepo=<reponame>`

+ // Module included in the following assemblies:

+ //

+ // <List assemblies here, each on a new line>

+ 

+ // Base the file name and the ID on the module title. For example:

+ // * file name: doing-procedure-a.adoc

+ // * ID: [id='doing-procedure-a']

+ // * Title: = Doing procedure A

+ 

+ // The ID is used as an anchor for linking to the module. Avoid changing it after the module has been published to ensure existing links are not broken.

+ [id='doing-one-procedure_{context}']

+ // The `context` attribute enables module reuse. Every module's ID includes {context}, which ensures that the module has a unique ID even if it is reused multiple times in a guide.

+ = Doing one procedure

+ // Start the title of a procedure module with a verb, such as Creating or Create. See also _Wording of headings_ in _The IBM Style Guide_.

+ 

+ This paragraph is the procedure module introduction: a short description of the procedure.

+ 

+ .Prerequisites

+ 

+ * A bulleted list of conditions that must be satisfied before the user starts following this assembly.

+ * You can also link to other modules or assemblies the user must follow before starting this assembly.

+ * Delete the section title and bullets if the assembly has no prerequisites.

+ 

+ .Procedure

+ 

+ . Start each step with an active verb.

+ 

+ . Include one command or action per step.

+ 

+ . Use an unnumbered bullet (*) if the procedure includes only one step.

+ 

+ .Additional resources

+ 

+ * A bulleted list of links to other material closely related to the contents of the procedure module.

+ * For more details on writing procedure modules, see the link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide].

+ * Use a consistent system for file names, IDs, and titles. For tips, see _Anchor Names and File Names_ in link:https://github.com/redhat-documentation/modular-docs#modular-documentation-reference-guide[Modular Documentation Reference Guide].

+ 

+ 

+ == Do I have FirewallD on my system?

+ 

+ FirewallD is the default firewall service for current releases of Fedora and is enabled by default.

+ If you are not sure whether FirewallD is on your Fedora installation use the following commands to check.