On Tue, Oct 3, 2017 at 11:36 AM, Yedidyah Bar David <didi@redhat.com> wrote:


> I think it should be safe to manually edit /etc/sysconfig/iptables
> in that case.
>
> Of course, verify on a test system.
>
> Also, you might be happy to know that in 4.2 we'll support firewalld,
> which is much nicer to work with than patching/generating
> /etc/sysconfig/iptables.
> See also:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=995362



OK, thanks. It worked.

Nice to see the news about firewalld.

And if I want to do the same for the engine, that indeed is configured with firewalld?

Currently on it I see this kind of configuration:

[root@ovmgr1 ~]# firewall-cmd --get-default-zone
public
[root@ovmgr1 ~]# 

[root@ovmgr1 ~]# firewall-cmd --get-active-zones
public
  interfaces: ens192
[root@ovmgr1 ~]# 

It seems nrpe is already a usable predefined service:
[root@ovmgr1 ~]# firewall-cmd --get-services | tr -s ' ' '\n' | grep nrpe
nrpe
[root@ovmgr1 ~]# 


So, based on current config, I can add it this way:

firewall-cmd --permanent --add-service=nrpe
firewall-cmd --reload

This way it should survive an engine reboot, but will it survive an engine-setup command run when updating configuration or when upgrading between minor/major updates?
Or should I also manage some oVirt-managed files on the engine?

Thanks,
Gianluca
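
An added example, not part of the original messages: a check that can be run after engine-setup or an upgrade to confirm the nrpe service is still enabled in both the permanent and the runtime firewalld configuration of a zone. The function names and the FIREWALL_CMD override variable are assumptions of this example; only the firewall-cmd options are real.

```shell
#!/bin/sh
# Added example: report whether a firewalld service is enabled in the
# permanent configuration, the runtime configuration, or both.
# FIREWALL_CMD is an assumption of this example so the command can be
# swapped out for testing; it defaults to the real firewall-cmd.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# service_state ZONE SERVICE
# Prints one of: ok, runtime-only, permanent-only, missing
service_state() {
    zone=$1
    service=$2
    perm=no
    run=no
    # --query-service exits 0 when the service is enabled in the zone
    if "$FIREWALL_CMD" --permanent --zone="$zone" \
        --query-service="$service" >/dev/null 2>&1; then
        perm=yes
    fi
    if "$FIREWALL_CMD" --zone="$zone" \
        --query-service="$service" >/dev/null 2>&1; then
        run=yes
    fi
    case "$perm/$run" in
        yes/yes) echo ok ;;
        no/yes)  echo runtime-only ;;    # lost on reload or reboot
        yes/no)  echo permanent-only ;;  # needs firewall-cmd --reload
        *)       echo missing ;;
    esac
}

# check_after_setup ZONE SERVICE
# Returns 0 only when the rule is both saved and active.
check_after_setup() {
    state=$(service_state "$1" "$2")
    echo "$2 in zone $1: $state"
    [ "$state" = ok ]
}

# Run only when arguments are given, e.g.: sh check.sh public nrpe
if [ "$#" -eq 2 ]; then
    check_after_setup "$1" "$2"
fi
```

A non-zero exit status means the rule has to be added again or a reload is pending, which makes the script usable from a post-upgrade checklist or a monitoring job.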