--- title: About the firewalld Resource --- # firewalld Use the `firewalld` InSpec audit resource to test that firewalld is configured to allow and deny access to specific hosts, services and ports on a system. A firewalld has a number of zones that can be configured to allow and deny access to specific hosts, services, and ports.
## Syntax describe firewalld do it { should be_running } its('default_zone') { should eq 'public' } it { should have_service_enabled_in_zone('ssh', 'public') } it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') } end Use the where clause to test open interfaces, sources, and services in active zones. describe firewalld.where { zone == 'public' } do its('interfaces') { should cmp ['enp0s3', 'eno2'] } its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] } its('services') { should cmp ['ssh', 'icmp'] } end
## Supported Properties ### interfaces The `interfaces` property is used in conjunction with the where class to display open interfaces in an active zone. describe firewalld.where { zone == 'public' } do its('interfaces') { should cmp ['enp0s3', 'eno2'] } end ### sources The `sources` property is used in conjunction with the where class to display open sources in an active zone. describe firewalld.where { zone == 'public' } do its('sources') { should cmp ['192.168.1.0/24', '192.168.1.2'] } end ### services The `services` property is used in conjunction with the where class to display open services in an active zone. describe firewalld.where { zone == 'public' } do its('services') { should cmp ['ssh', 'icmp'] } end ### default_zone The `default_zone` property displays the default active zone to be used. its('default_zone') { should eq 'public' }
## Matchers For a full list of available matchers please visit our [matchers page](https://www.inspec.io/docs/reference/matchers/). ### `be_installed` The `be_installed` matcher tests if the firewalld service is installed: it { should be_installed } ### `be_running` The `be_running` matcher tests if the firewalld service is running: it { should be_running } ### have_zone `have_zone` returns true or false if the zone is set on firewalld. It does not mean the zone is active. it { should have_zone('public') } ### `have_service_enabled_in_zone` `have_service_enabled_in_zone` returns true or false if the service is allowed in the specified zone. it { should have_service_enabled_in_zone('ssh', 'public') } ### `have_port_enabled_in_zone` `have_port_enabled_in_zone` returns true or false if the port is allowed in the specified zone. it { should have_port_enabled_in_zone('22/tcp', 'public') } ### `have_rule_enabled` `have_rule_enabled` returns true or false if the rich-rule has been specified in the zone. it { should have_rule_enabled('family=ipv4 source address=192.168.0.14 accept', 'public') } It is not necessary to add the "rule" string, and you can start with the optional flags that are used in firewalld and end with the action