<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Tue, Oct 3, 2017 at 11:36 AM, Yedidyah Bar David <span dir="ltr">&lt;<a href="mailto:didi@redhat.com" target="_blank">didi@redhat.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-"><br>
<br>
</span>I think it should be safe to manually edit /etc/sysconfig/iptables<br>
in that case.<br>
<br>
Of course, verify on a test system.<br>
<br>
Also, you might be happy to know that in 4.2 we&#39;ll support firewalld,<br>
which is much nicer to work with than patching/generating<br>
/etc/sysconfig/iptables.<br>
See also:<br>
<br>
<a href="https://bugzilla.redhat.com/show_bug.cgi?id=995362" rel="noreferrer" target="_blank">https://bugzilla.redhat.com/<wbr>show_bug.cgi?id=995362</a><br>
<span class="gmail-"><br></span><span class="gmail-HOEnZb"><font color="#888888"><br>
</font></span></blockquote></div><br></div><div class="gmail_extra">OK, thanks. It worked.</div><div class="gmail_extra"><br></div><div class="gmail_extra">Nice to see the news about firewalld.</div><div class="gmail_extra"><br></div><div class="gmail_extra">And if I want to do the same for the engine, that indeed is configured with firewalld?</div><div class="gmail_extra"><br></div><div class="gmail_extra">Currently on it I see this kind of configuration:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">[root@ovmgr1 ~]# firewall-cmd --get-default-zone</div><div class="gmail_extra">public</div><div class="gmail_extra">[root@ovmgr1 ~]# </div><div class="gmail_extra"><br></div><div class="gmail_extra">[root@ovmgr1 ~]# firewall-cmd --get-active-zones<br></div><div class="gmail_extra">public</div><div class="gmail_extra">  interfaces: ens192</div><div class="gmail_extra">[root@ovmgr1 ~]# </div><div class="gmail_extra"><br></div><div class="gmail_extra">It seems nrpe is already an usable predefined service:</div><div class="gmail_extra"><div class="gmail_extra">[root@ovmgr1 ~]# firewall-cmd --get-services | tr -s &#39; &#39; &#39;\n&#39; | grep nrpe</div><div class="gmail_extra">nrpe</div><div class="gmail_extra">[root@ovmgr1 ~]# </div></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">So, based on current config,  I can add it this way:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_extra">firewall-cmd --permanent --add-service=nrpe</div><div class="gmail_extra">firewall-cmd --reload<br></div></div></div><div class="gmail_extra"><br></div><div class="gmail_extra">This way it should survive an engine reboot, but will it survive an engine-setup command run when updating configuration or when upgrading between minor/major updates?</div><div class="gmail_extra">Or should I manage also some oVirt managed files on engine?</div><div class="gmail_extra"><br></div><div class="gmail_extra">Thanks,</div><div class="gmail_extra">Gianluca</div></div>