1. The /usr/lib/udev/rules.d/60-net.rules file defines that the /lib/udev/rename_device helper utility searches for the HWADDR parameter in /etc/sysconfig/network-scripts/ifcfg-* files. If the value set in the variable matches the MAC address of an interface, the helper utility renames the interface to the name set in the DEVICE parameter of the file.
2. The /usr/lib/udev/rules.d/71-biosdevname.rules file defines that the biosdevname utility renames the interface according to its naming policy, provided that it was not renamed in the previous step.
3. The /usr/lib/udev/rules.d/75-net-description.rules file defines that udev examines the network interface device and sets the properties in udev-internal variables, that will be processed in the next step. Note that some of these properties might be undefined.

4. The /usr/lib/udev/rules.d/80-net-setup-link.rules file calls the net_setup_link udev built-in which then applies the policy. The following is the default policy that is stored in the /usr/lib/systemd/network/99-default.link file:

   [Link]
   NamePolicy=kernel database onboard slot path
   MACAddressPolicy=persistent

   With this policy, if the kernel uses a persistent name, udev does not rename the interface. If the kernel does not use a persistent name, udev renames the interface to the name provided by the hardware database of udev. If this database is not available, Red Hat Enterprise Linux falls back to the mechanisms described above.

   Alternatively, set the NamePolicy parameter in this file to mac for media access control (MAC) address-based interface names.

5. The /usr/lib/udev/rules.d/80-net-setup-link.rules file defines that udev renames the interface based on the udev-internal parameters in the following order:

   1. ID_NET_NAME_ONBOARD
   2. ID_NET_NAME_SLOT
   3. ID_NET_NAME_PATH

   If one parameter is not set, udev uses the next one. If none of the parameters are set, the interface is not renamed.

Procedure

1. Boot the Red Hat Enterprise Linux 8 installation media.
2. In the boot manager, select Install Red Hat Enterprise Linux 8, and press the Tab key to edit the entry.

3. Append the net.ifnames=0 parameter to the kernel command line:

   vmlinuz... net.ifnames=0

4. Press Enter to start the installation.

Procedure

1. Edit the /etc/default/grub file and append the net.ifnames=0 parameter to the GRUB_CMDLINE_LINUX variable:

   GRUB_CMDLINE_LINUX="... *net.ifnames=0

2. Rebuild the grub.cfg file:

   • On a system with UEFI boot mode:

     # grub2-mkconfig -o /boot/efi/EFI/redhat/grub.cfg

   • On a system with legacy boot mode:

     # grub2-mkconfig -o /boot/grub2/grub.cfg

3. If you use interface names in configuration files or scripts, you must manually update them.

4. Reboot the host:

   # reboot

Procedure

1. Set the SYSLOGADDR to the IP address of the syslogd server in the /etc/sysconfig/netconsole file to match the IP address of the syslogd server. For example:

   SYSLOGADDR=192.168.0.1

2. Restart the netconsole.service.

    ~]# systemctl restart netconsole.service

3. Enable netconsole.service to run after rebooting the system.

    ~]# systemctl enable netconsole.service

4. View the netconsole messages from the client in the /var/log/messages file (default) or in the file specified in rsyslog.conf.

    ~]# cat /var/log/messages

Procedure

1. Start the nmtui tool:

   ~]$ nmtui

   The text user interface appears.

   Figure 6.1. The NetworkManager text user interface starting menu

   
2. To navigate, use the arrow keys or press Tab to step forwards and press Shift+Tab to step back through the options. Press Enter to select an option. The Space bar toggles the status of a check box.

1. managed - under the NetworkManager control. A managed device may be connected, meaning that it is activated and configured, or disconnected, meaning that it is not configured but ready to be activated again.
2. unmanaged - NetworkManager does not control it.

Procedure

1. To list the currently available network connections:

   ~]$ nmcli con show
   NAME              UUID                                  TYPE            DEVICE
   Auto Ethernet     9b7f2511-5432-40ae-b091-af2457dfd988  802-3-ethernet  --
   ens3              fb157a65-ad32-47ed-858c-102a48e064a2  802-3-ethernet  ens3
   MyWiFi            91451385-4eb8-4080-8b82-720aab8328dd  802-11-wireless wlan0

   Note that the NAME field in the output always denotes the connection ID (name). It is not the interface name even though it might look the same. In the second connection shown above, ens3 in the NAME field is the connection ID given by the user to the profile applied to the interface ens3. In the last connection shown, the user has assigned the connection ID MyWiFi to the interface wlan0.

   Adding an Ethernet connection means creating a configuration profile which is then assigned to a device. Before creating a new profile, review the available devices as follows:

   ~]$ nmcli device status
   DEVICE  TYPE      STATE         CONNECTION
   ens3    ethernet  disconnected  --
   ens9    ethernet  disconnected  --
   lo      loopback  unmanaged     --

2. To set the device unmanaged by the NetworkManager:

   ~]$ nmcli device set ifname managed no

1. where {COMMON_OPTIONS} are the aliases or property names, see Aliases and Property names.

2. where [IP_OPTIONS] are the IP addresses:

   • For IPv4 addresses: ip4
   • For IPv6 addresses: ip6
3. where [NETMASK] is the network mask width. For example, 255.255.255.0 is the network mask for the prefix 198.51.100.0/24.

4. where [GATEWAY] is the gateway information:

   • For IPv4 addresses: gw4
   • For IPv6 addresses: gw6

1. To create a connection profile with an IPv4 address:

   ~]$ nmcli c add type ethernet ifname eth0 con-name "My Connection" ip4 192.168.2.100/24 gw4 192.168.2.1
   Connection 'new-ens33' (f0c23472-1aec-4e84-8f1b-be8a2ecbeade) successfully added.

2. To activate the created connection:

   ~]$ nmcli c up _"My Connection"

3. To view the created connection:

   ~]$ nmcli c show "My Connection"

Procedure

1. To modify one or more properties of a connection profile, use the following command:

   ~]$ nmcli c modify

   For example, to change the connection.id from "My Connection" to "My favorite connection" and the connection.interface-name to eth1:

   ~]$ nmcli c modify "My Connection" connection.id "My favorite connection" connection.interface-name eth1

2. To apply changes after a modified connection using nmcli, activate again the connection by entering:

   ~]$ nmcli con up "My favorite connection"
   Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/16)

3. To view the modified connection, enter the nmcli con show con-name command.

Procedure

1. Press the Super key to enter the Activities Overview, type Settings, and press Enter. Then, select the Network tab on the left-hand side, and the Network settings tool appears:

   Figure 8.2. Opening the network settings window

   

2. Click the plus button to add a new connection:

   • For Wired connections, click the plus button next to Wired entry and configure the connection.
   • For VPN connections, click the plus button next to VPN entry. If you want to add an IPsec VPN, click on IPsec based VPN and configure the connection.
   • For Wi-Fi connections, click the Wi-Fi entry on the left-hand side in the Settings menu and configure the connection.

Procedure

1. Setting two IPv4 DNS server addresses:

   ~]$ nmcli con mod test-lab ipv4.dns "8.8.8.8 8.8.4.4"

   Note that this will replace any previously set DNS servers.

   Alternatively, to set two IPv6 DNS server addresses:

   ~]$ nmcli con mod test-lab ipv6.dns "2001:4860:4860::8888 2001:4860:4860::8844"

   Note that this will replace any previously set DNS servers.

2. To add additional DNS servers to any previously set, use the + prefix:

   ~]$ nmcli con mod test-lab +ipv4.dns "8.8.8.8 8.8.4.4"

   ~]$ nmcli con mod test-lab +ipv6.dns "2001:4860:4860::8888 2001:4860:4860::8844"

3. To activate the new Ethernet connection:

   ~]$ nmcli con up test-lab ifname ens9
   Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)

4. To review the status of the devices and connections:

   ~]$ nmcli device status
   DEVICE  TYPE      STATE      CONNECTION
   ens3    ethernet  connected  my-office
   ens9    ethernet  connected  test-lab
   lo      loopback  unmanaged  --

5. To view detailed information about the newly configured connection:

Procedure

1. To change the host name sent by a host to a DHCP server, modify the dhcp-hostname property:

   ~]$ nmcli con modify my-office my-office ipv4.dhcp-hostname host-name ipv6.dhcp-hostname host-name

2. To change the IPv4 client ID sent by a host to a DHCP server, modify the dhcp-client-id property:

   ~]$ nmcli con modify my-office my-office ipv4.dhcp-client-id client-ID-string

   There is no dhcp-client-id property for IPv6, dhclient to create an identifier for IPv6. See the dhclient(8) man page for details.

3. To ignore the DNS servers sent to a host by a DHCP server, modify the ignore-auto-dns property:

   ~]$ nmcli con modify my-office my-office ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes

Procedure

1. Press the Super key to enter the Activities Overview, type Settings and press Enter. Then, select the Network menu entry on the left-hand side, and the Network settings tool appears, see Opening the Network Settings Window

2. Select the Wired network interface

   The system creates and configures a single wired connection profile called Wired by default. More than one profile can be created for an interface and applied as needed. The default profile cannot be deleted but its settings can be changed.

3. Edit the default Wired profile by clicking the gear wheel icon to edit an existing connection or click the plus button and then set the configuration options for a new connection.

Procedure

1. Open a terminal, and enter:

   $ nm-connection-editor

2. Click the + button to add a new connection.
3. Select the Ethernet connection type, and click Create.
4. On the Ethernet tab, select a device and, optionally, further Ethernet-related settings.
5. On the IPv4 Settings tab, configure the IPv4 settings. For example, set a static IPv4 address, network mask, default gateway, and DNS server:
6. On the IPv6 Settings tab, configure the IPv6 settings. For example, set a static IPv6 address, network mask, default gateway, and DNS server:
7. Save the connection.
8. Close nm-connection-editor.

Procedure

1. To create a Wi-Fi connection profile with static IP configuration:

   ~]$ nmcli con add con-name MyCafe ifname wlan0 type wifi ssid MyCafe ` `ip4 192.168.100.101/24 gw4 192.168.100.1

2. To check a specific property, for example mtu:

   ~]$ nmcli connection show id MyCafe | grep mtu
   802-11-wireless.mtu:                     auto

3. To change the property of a setting:

   ~]$ nmcli connection modify id MyCafe 802-11-wireless.mtu 1350

4. To verify the change:

   ~]$ nmcli connection show id MyCafe | grep mtu
   802-11-wireless.mtu:                     1350

Procedure

1. Press the Super key to enter the Activities Overview, type Wi-Fi and press Enter. In the left-hand-side menu entry you see the list of available networks.

2. Select the gear wheel icon to the right of the Wi-Fi connection name that you want to edit, and the editing connection dialog appears. The Details menu window shows the connection details where you can make further configuration.

   Options

   1. If you select Connect automatically, NetworkManager auto-connects to this connection whenever NetworkManager detects that it is available. If you do not want NetworkManager to connect automatically, clear the check box. Note that when the check box is clear, you have to select that connection manually in the network connection icon’s menu to cause it to connect.
   2. To make a connection available to other users, select the Make available to other users check box.

   3. You can also control the background data usage. If you leave Restrict background data usage unspecified (default), then NetworkManager tries to download data that you are actively using. Otherwise, select the check box and NetworkManager sets the connection as metered, and applies restriction on the background data usage.

      Note

      To delete a Wi-Fi connection, click the Forget Connection red box.

3. Select the Identity menu entry to see the basic configuration options.

   SSID — The Service Set Identifier (SSID) of the access point (AP).

   BSSID — The Basic Service Set Identifier (BSSID) is the MAC address, also known as a hardware address, of the specific wireless access point you are connecting to when in Infrastructure mode. This field is blank by default, and you are able to connect to a wireless access point by SSID without having to specify its BSSID. If the BSSID is specified, it will force the system to associate to a specific access point only. For ad-hoc networks, the BSSID is generated randomly by the mac80211 subsystem when the ad-hoc network is created. It is not displayed by NetworkManager.

   MAC address — The MAC address allows you to associate a specific wireless adapter with a specific connection (or connections).

   Cloned Address — A cloned MAC address to use in place of the real hardware address. Leave blank unless required.

4. For further IP address configuration , select the IPv4 and IPv6 menu entries.

   By default, both IPv4 and IPv6 are set to automatic configuration depending on current network settings. This means that addresses such as the local IP address, DNS address, and other settings will be detected automatically when the interface connects to a network. If a DHCP server assigns the IP configuration in this network, this is sufficient, but you can also provide static configuration in the IPv4 and IPv6 Settings. In the IPv4 and IPv6 menu entries, you can see the following settings:

   • IPv4 Method

     • Automatic (DHCP) — Choose this option if the network you are connecting to uses Router Advertisements (RA) or a DHCP server to assign dynamic IP addresses. You can see the assigned IP address in the Details menu entry.
     • Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 3927 with prefix 169.254/16.
     • Manual — Choose this option if you want to assign IP addresses manually.
     • Disable — IPv4 is disabled for this connection.

   • DNS

     If Automatic is ON, and no DHCP server is available that assigns DNS servers to this connection, switch it to OFF to enter the IP address of a DNS server separating the IPs by comma.

   • Routes

     Note that in the Routes section, when Automatic is ON, routes from Router Advertisements (RA) or DHCP are used, but you can also add additional static routes. When OFF, only static routes are used.

     • Address — Enter the IP address of a remote network, sub-net, or host.
     • Netmask — The netmask or prefix length of the IP address entered above.
     • Gateway — The IP address of the gateway leading to the remote network, sub-net, or host entered above.
     • Metric — A network cost, a preference value to give to this route. Lower values will be preferred over higher values.

   • Use this connection only for resources on its network

     Select this check box to prevent the connection from becoming the default route.

     Alternatively, to configure IPv6 settings in a Wi-Fi connection, select the IPv6 menu entry:

   • IPv6 Method

     • Automatic — Choose this option to use IPv6 Stateless Address AutoConfiguration (SLAAC) to create an automatic, stateless configuration based on the hardware address and Router Advertisements (RA).
     • Automatic, DHCP only — Choose this option to not use RA, but request information from DHCPv6 directly to create a stateful configuration.
     • Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 4862 with prefix FE80::0.
     • Manual — Choose this option if you want to assign IP addresses manually.
     • Disable — IPv6 is disabled for this connection.
   • The DNS, Routes, Use this connection only for resources on its network fields are common to IPv4 settings.

5. To configure Security settings in a Wi-Fi connection, select the Security menu entry. The following configuration options are available:

   • Security

     • None — Do not encrypt the Wi-Fi connection.
     • WEP 40/128-bit Key — Wired Equivalent Privacy (WEP), from the IEEE 802.11 standard. Uses a single pre-shared key (PSK).

     • WEP 128-bit Passphrase — An MD5 hash of the passphrase to derive a WEP key.

       Warning

       If the Wi-Fi use no encryption, WEP, or WPA, do not use the network because it is insecure and everyone can read the data you send over this network.

     • LEAP — Lightweight Extensible Authentication Protocol, from Cisco Systems.
     • Dynamic WEP (802.1X) — WEP keys are changed dynamically.
     • WPA & WPA2 Personal — Wi-Fi Protected Access (WPA), from the draft IEEE 802.11i standard. A replacement for WEP. Wi-Fi Protected Access II (WPA2), from the 802.11i-2004 standard. Personal mode uses a pre-shared key (WPA-PSK).
     • WPA & WPA2 Enterprise — WPA for use with a RADIUS authentication server to provide IEEE 802.1X network access control.
   • Password — Enter the password to be used in the authentication process.
6. Once you have finished the configuration, click the Apply button to save it.

Procedure

1. To refresh the available Wi-Fi connection list:

   ~]$ nmcli device wifi rescan

2. To view the available Wi-Fi access points:

   ~]$ nmcli dev wifi list
   
   IN-USE  SSID      MODE   CHAN  RATE        SIGNAL  BARS  SECURITY
   ...
           MyCafe    Infra  3     405 Mbit/s  85      ▂▄▆█  WPA1 WPA2

3. To connect to a Wi-Fi connection using nmcli:

   ~]$ nmcli dev wifi connect SSID-Name password wireless-password

   For example:

   ~]$ nmcli dev wifi connect MyCafe password wireless-password

   Note that if you want to disable the Wi-Fi state:

   ~]$ nmcli radio wifi off

Procedure

1. Open the GNOME Shell network connection icon menu from the top right-hand corner of the screen.
2. Select Wi-Fi Not Connected.
3. Click the Select Network option.

4. Click the name of the network to which you want to connect, and then click Connect.

   Note that if you do not see the network, the network might be hidden.

5. If the network is protected by a password or encryption keys are required, enter the password and click Connect.

   Note that if you do not know the password, contact the administrator of the Wi-Fi network.

6. If the connection is successful, the name of the network is visible in the connection icon menu and the wireless indicator is on the top right-hand corner of the screen.

Procedure

1. For a wireless connection, set the authenticated key-mgmt (key management) protocol. It configures the keying mechanism for a secure wifi connection.
2. Configure the 802-1x authentication settings.

Procedure

1. Set the IP address of the default gateway.

   For example, to set the IPv4 address of the default gateway on the example connection to 192.0.2.1:

   $ sudo nmcli connection modify example ipv4.gateway "192.0.2.1"

   For example, to set the IPv6 address of the default gateway on the example connection to 2001:db8::1:

   $ sudo nmcli connection modify example ipv6.gateway "2001:db8::1"

2. Restart the network connection for changes to take effect. For example, to restart the example connection using the command line:

   $ sudo nmcli connection up example

   Warning

   All connections currently using this network connection are temporarily interrupted during the restart.

3. Optionally, verify that the route is active.

   To display the IPv4 default gateway:

   $ ip -4 route
   default via 192.0.2.1 dev example proto static metric 100

   To display the IPv6 default gateway:

   $ ip -6 route
   default via 2001:db8::1 dev example proto static metric 100 pref medium

Procedure

1. Open the nmcli interactive mode for the required connection. For example, to open the nmcli interactive mode for the example connection:

   $ sudo nmcli connection edit example

2. Set the default gateway.

   For example, to set the IPv4 address of the default gateway on the example connection to 192.0.2.1:

   nmcli> set ipv4.gateway 192.0.2.1

   For example, to set the IPv6 address of the default gateway on the example connection to 2001:db8::1:

   nmcli> set ipv6.gateway 2001:db8::1

3. Optionally, verify that the default gateway was set correctly:

   nmcli> print
   ...
   ipv4.gateway:                           192.0.2.1
   ...
   ipv6.gateway:                           2001:db8::1
   ...

4. Save the configuration:

   nmcli> save persistent

5. Restart the network connection for changes to take effect:

   nmcli> activate example

   Warning

   All connections currently using this network connection are temporarily interrupted during the restart.

6. Leave the nmcli interactive mode:

   nmcli> quit

7. Optionally, verify that the route is active.

   To display the IPv4 default gateway:

   $ ip -4 route
   default via 192.0.2.1 dev example proto static metric 100

   To display the IPv6 default gateway:

   $ ip -6 route
   default via 2001:db8::1 dev example proto static metric 100 pref medium

Procedure

1. Open a terminal, and enter nm-connection-editor:

   $ nm-connection-editor

2. Select the connection to modify, and click the gear wheel icon to edit the existing connection.

3. Set the IPv4 default gateway. For example, to set the IPv4 address of the default gateway on the connection to 192.0.2.1:

   1. Open the IPv4 Settings tab.

   2. Enter the address in the gateway field next to the IP range the gateway’s address is within:

      

4. Set the IPv6 default gateway. For example, to set the IPv6 address of the default gateway on the connection to 2001:db8::1:

   1. Open the IPv6 tab.

   2. Enter the address in the gateway field next to the IP range the gateway’s address is within:

      

5. Click OK.
6. Click Save.

7. Restart the network connection for changes to take effect. For example, to restart the example connection using the command line:

   $ sudo nmcli connection up example

   Warning

   All connections currently using this network connection are temporarily interrupted during the restart.

8. Optionally, verify that the route is active.

   To display the IPv4 default gateway:

   $ ip -4 route
   default via 192.0.2.1 dev example proto static metric 100

   To display the IPv6 default gateway:

   $ ip -6 route
   default via 2001:db8::1 dev example proto static metric 100 pref medium

Procedure

1. Set the IPv4 default gateway. For example, to set the IPv4 address of the default gateway on the connection to 192.0.2.1:

   1. Open the IPv4 tab.

   2. Enter the address in the gateway field next to the IP range the gateway’s address is within:

      

2. Set the IPv6 default gateway. For example, to set the IPv6 address of the default gateway on the connection to 2001:db8::1:

   1. Open the IPv6 tab.

   2. Enter the address in the gateway field next to the IP range the gateway’s address is within:

      

3. Click Apply.

4. Back in the Network window, disable and re-enable the connection by switching the button for the connection to Off and back to On for changes to take effect.

   Warning

   All connections currently using this network connection are temporarily interrupted during the restart.

5. Optionally, verify that the route is active.

   To display the IPv4 default gateway:

   $ ip -4 route
   default via 192.0.2.1 dev example proto static metric 100

   To display the IPv6 default gateway:

   $ ip -6 route
   default via 2001:db8::1 dev example proto static metric 100 pref medium

Procedure

1. Add the static route to the example connection:

   $ sudo nmcli connection modify example +ipv4.routes "192.0.2.0/24 198.51.100.1"

   To set multiple routes in one step, pass the individual routes comma-separated to the command. For example, to add a route to the 192.0.2.0/24 and 203.0.113.0/24 networks, both routed through the 198.51.100.1 gateway, enter:

   $ sudo nmcli connection modify example +ipv4.routes "192.0.2.0/24 198.51.100.1, 203.0.113.0/24 198.51.100.1"

2. Optionally, verify that the routes were added correctly to the configuration:

   $ nmcli connection show example
   ...
   ipv4.routes:        { ip = 192.0.2.1/24, nh = 198.51.100.1 }
   ...

3. Restart the network connection:

   $ sudo nmcli connection up example

   Warning

   Restarting the connection briefly disrupts connectivity on that interface.

4. Optionally, verify that the route is active:

   $ ip route
   ...
   192.0.2.0/24 via 198.51.100.1 dev example proto static metric 100

Procedure

1. Open the IPv4 tab.
2. Optionally, disable automatic routes by clicking the On button in the Routes section of the IPv4 tab to use only static routes. If automatic routes are enabled, Red Hat Enterprise Linux uses static routes and routes received from a DHCP server.

3. Enter the address, netmask, gateway, and optionally a metric value:

   

4. Click Apply.

5. Back in the Network window, disable and re-enable the connection by switching the button for the connection to Off and back to On for changes to take effect.

   Warning

   Restarting the connection briefly disrupts connectivity on that interface.

6. Optionally, verify that the route is active:

   $ ip route
   ...
   192.0.2.0/24 via 198.51.100.1 dev example proto static metric 100

Procedure

1. Open a terminal and enter nm-connection-editor:

   $ nm-connection-editor

2. Select the example connection and click the gear wheel icon to edit the existing connection.
3. Open the IPv4 tab.
4. Click the Routes button.

5. Click the Add button and enter the address, netmask, gateway, and optionally a metric value.

   

6. Click OK.
7. Click Save.

8. Restart the network connection for changes to take effect. For example, to restart the example connection using the command line:

   $ sudo nmcli connection up example

9. Optionally, verify that the route is active:

   $ ip route
   ...
   192.0.2.0/24 via 198.51.100.1 dev example proto static metric 100

Procedure

1. Open the nmcli interactive mode for the example connection:

   $ sudo nmcli connection edit example

2. Add the static route:

   nmcli> set ipv4.routes 192.0.2.0/24 198.51.100.1

3. Optionally, verify that the routes were added correctly to the configuration:

   nmcli> print
   ...
   ipv4.routes:        { ip = 192.0.2.1/24, nh = 198.51.100.1 }
   ...

   The ip attribute displays the network to route and the nh attribute the gateway (next hop).

4. Save the configuration:

   nmcli> save persistent

5. Restart the network connection:

   nmcli> activate example

   Warning

   When you restart the connection, all connections currently using this connection will be temporarily interrupted.

6. Leave the nmcli interactive mode:

   nmcli> quit

7. Optionally, verify that the route is active:

   $ ip route
   ...
   192.0.2.0/24 via 198.51.100.1 dev example proto static metric 100

Procedure

1. Open a terminal, and enter nm-connection-editor:

   $ nm-connection-editor

2. Click the + button to add a new connection.
3. Select the VLAN connection type, and click Create.

4. On the VLAN tab:

   1. Select the parent interface.
   2. Select the VLAN id. Note that the VLAN must be within the range from 0 to 4094.
   3. By default, the VLAN connection inherits the maximum transmission unit (MTU) from the parent interface. Optionally, set a different MTU value.

   4. Optionally, set the name of the VLAN interface and further VLAN-specific options.

      

5. On the IPv4 Settings tab, configure the IPv4 settings. For example, set a static IPv4 address, network mask, default gateway, and DNS server:
6. On the IPv6 Settings tab, configure the IPv6 settings. For example, set a static IPv6 address, network mask, default gateway, and DNS server:
7. Click Save to save the VLAN connection.
8. Close nm-connection-editor.

9. Optionally, verify the settings:

   # ip -d addr show vlan10
   4: vlan10@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
       link/ether 52:54:00:d5:e0:fb brd ff:ff:ff:ff:ff:ff promiscuity 0
       vlan protocol 802.1Q id 10 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
       inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute vlan10
          valid_lft forever preferred_lft forever
       inet6 fe80::8dd7:9030:6f8e:89e6/64 scope link noprefixroute
          valid_lft forever preferred_lft forever

Procedure

1. Optionally, display the available network interfaces:

   # ip address show
   1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
       link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
       inet 127.0.0.1/8 scope host lo
          valid_lft forever preferred_lft forever
       inet6 ::1/128 scope host
          valid_lft forever preferred_lft forever
   2: enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
       link/ether 52:54:00:d5:e0:fb brd ff:ff:ff:ff:ff:ff

2. Create the VLAN interface. For example, to create a VLAN interface named vlan10 that uses enp1s0 as its parent interface and that tags packets with VLAN ID 10, enter:

   # nmcli connection add type vlan con-name vlan10 ifname vlan10 vlan.parent enp1s0 vlan.id 10

   Note that the VLAN must be within the range from 0 to 4094.

3. By default, the VLAN connection inherits the maximum transmission unit (MTU) from the parent interface. Optionally, set a different MTU value:

   # nmcli connection modify vlan10 802-3-ethernet.mtu 2000

4. Configure the IPv4 settings. For example, to set a static IPv4 address, network mask, default gateway, and DNS server to the vlan10 connection, enter:

   # nmcli connection modify vlan10 ipv4.addresses '192.0.2.1/24'
   # nmcli connection modify vlan10 ipv4.gateway '192.0.2.254'
   # nmcli connection modify vlan10 ipv4.dns '192.0.2.253'
   # nmcli connection modify vlan10 ipv4.method manual

5. Configure the IPv6 settings. For example, to set a static IPv6 address, network mask, default gateway, and DNS server to the vlan10 connection, enter:

   # nmcli connection modify vlan10 ipv6.addresses '2001:db8::1/32'
   # nmcli connection modify vlan10 ipv6.gateway '2001:db8::fffe'
   # nmcli connection modify vlan10 ipv6.dns '2001:db8::fffd'
   # nmcli connection modify vlan10 ipv6.method manual

6. Optionally, verify the settings:

   # ip -d addr show vlan10
   4: vlan10@enp1s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
       link/ether 52:54:00:d5:e0:fb brd ff:ff:ff:ff:ff:ff promiscuity 0
       vlan protocol 802.1Q id 10 <REORDER_HDR> numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
       inet 192.0.2.1/24 brd 192.0.2.255 scope global noprefixroute vlan10
          valid_lft forever preferred_lft forever
       inet6 fe80::8dd7:9030:6f8e:89e6/64 scope link noprefixroute
          valid_lft forever preferred_lft forever

Procedure

1. Create a bridge interface. For example, to create the bridge interface named bridge0, enter:

   # nmcli connection add type bridge con-name bridge0 ifname bridge0

2. Configure the IPv4 settings. For example, to set a static IPv4 address, network mask, default gateway, and DNS server of the bridge0 connection, enter:

   # nmcli connection modify bridge0 ipv4.addresses '192.0.2.1/24'
   # nmcli connection modify bridge0 ipv4.gateway '192.0.2.254'
   # nmcli connection modify bridge0 ipv4.dns '192.0.2.253'
   # nmcli connection modify bridge0 ipv4.method manual

3. Configure the IPv6 settings. For example, to set a static IPv6 address, network mask, default gateway, and DNS server of the bridge0 connection, enter:

   # nmcli connection modify bridge0 ipv6.addresses '2001:db8::1/32'
   # nmcli connection modify bridge0 ipv6.gateway '2001:db8::fffe'
   # nmcli connection modify bridge0 ipv6.dns '2001:db8::fffd'
   # nmcli connection modify bridge0 ipv6.method manual

4. Optionally, configure further properties of the bridge. For example, to set the Spanning Tree Protocol (STP) priority of bridge0 to 16384, enter:

   # nmcli connection modify bridge0 bridge.priority '16384'

   By default, STP is enabled.

5. Optionally, display the network interfaces, and note the names of the interfaces you want to add to the bridge as a slave in the next step:

   # nmcli device
   DEVICE  TYPE      STATE         CONNECTION
   enp1s0  ethernet  connected     enp1s0
   enp7s0  ethernet  disconnected  --
   enp8s0  ethernet  disconnected  --
   lo      loopback  unmanaged     --

6. Assign the port interfaces to the bridge’s connection. For example, to add the interfaces named enp7s0 and enp8s0 to the bridge0 connection, enter:

   # nmcli connection add type ethernet slave-type bridge con-name bridge0-port1 ifname enp7s0 master bridge0
   # nmcli connection add type ethernet slave-type bridge con-name bridge0-port2 ifname enp8s0 master bridge0

7. Activate the connection. For example, to activate the bridge0 connection, enter:

   # nmcli connection up bridge0

8. Verify that the slave devices are connected, and the CONNECTION column displays the slave’s connection name:

   # nmcli  device
   DEVICE   TYPE      STATE      CONNECTION
   ...
   enp7s0   ethernet  connected  bridge0-port1
   enp8s0   ethernet  connected  bridge0-port2

   Red Hat Enterprise Linux activates master and slave devices when the system boots. By activating any slave connection, the master is also activated. However, in this case, only one slave connection is activated. By default, activating the master does not automatically activate the slaves. However, you can enable this behavior by setting:

   1. Enable the connection.autoconnect-slaves parameter of the bridge connection:

      # nmcli connection modify bridge0 connection.autoconnect-slaves 1

   2. Reactivate the bridge:

      # nmcli connection up bridge0

9. Optionally, use the following command to display the status of the bridge:

   # bridge link show bridge0
   3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state forwarding priority 32 cost 100
   4: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state listening priority 32 cost 100

Procedure

1. Open a terminal, and enter nm-connection-editor:

   $ nm-connection-editor

2. Click the + button to add a new connection.

3. Select the Bridge connection type, and click Create.

   1. Optionally, set the name of the bridge interface in the Interface name field.

   2. Click the Add button to add a network interface as a slave to the bridge.

      1. Select the connection type of the interface. For example, select Ethernet for a wired connection.
      2. Optionally, set a connection name for the slave device.
      3. In the Device field on the Ethernet tab, select the network interface you want to add as a slave to the bridge.
      4. Click Save.

   3. Repeat the previous step for each interface you want to add to the bridge.

      

      1. Optionally, configure further bridge settings, such as Spanning Tree Protocol (STP) options.
4. On the IPv4 Settings tab, configure the IPv4 settings. For example, set a static IPv4 address, network mask, default gateway, and DNS server:
5. On the IPv6 Settings tab, configure the IPv6 settings. For example, set a static IPv6 address, network mask, default gateway, and DNS server:
6. Save the bridge connection.
7. Close nm-connection-editor.

8. Optionally, use the following command to display the status of the bridge:

   # bridge link show bridge0
   3: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state forwarding priority 32 cost 100
   4: enp8s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master bridge0 state listening priority 32 cost 100

Procedure

1. Install the teamd and NetworkManager-team packages:

   # yum install teamd NetworkManager-team

Procedure

1. Create the team interface. For example, to create a team interface that uses the activebackup runner and both the interface and connection named team0, enter:

   # nmcli connection add type team con-name team0 ifname team0 team.runner activebackup

2. Optionally, set a link watcher. For example, to set the ethtool link watcher, modify the team0 connection:

   # nmcli connection modify team0 team.link-watchers "name=ethtool"

   Link watchers support different parameters. To set parameters for a link watcher, specify them space-separated in the name property. Note that the name property must be surrounded by quotes. For example, to use the ethtool link watcher and set its delay-up parameter to 2500 milliseconds (2.5 seconds):

   # nmcli connection modify team0 team.link-watchers "name=ethtool delay-up=2500"

   To set multiple link watchers and each of them with specific parameters, the link watchers must be separated by a comma. The following example sets the ethtool link watcher with the delay-up parameter and the arp_ping link watcher with the source-host and target-host parameter:

   # nmcli connection modify team0 team.link-watchers "name=ethtool delay-up=2, name=arp_ping source-host=192.0.2.1 target-host=192.0.2.2"

3. Configure the IPv4 settings. For example, to set a static IPv4 address, network mask, default gateway, and DNS server of the team0 connection, enter:

   # nmcli connection modify team0 ipv4.addresses '192.0.2.1/24'
   # nmcli connection modify team0 ipv4.gateway '192.0.2.254'
   # nmcli connection modify team0 ipv4.dns '192.0.2.253'
   # nmcli connection modify team0 ipv4.method manual

4. Configure the IPv6 settings. For example, to set a static IPv6 address, network mask, default gateway, and DNS server of the team0 connection, enter:

   # nmcli connection modify team0 ipv6.addresses '2001:db8::1/32'
   # nmcli connection modify team0 ipv6.gateway '2001:db8::fffe'
   # nmcli connection modify team0 ipv6.dns '2001:db8::fffd'
   # nmcli connection modify team0 ipv6.method manual

5. Optionally, display the network interfaces, and note the names of the interfaces you want to add to the team in the next step:

   # nmcli device
   DEVICE  TYPE      STATE         CONNECTION
   enp1s0  ethernet  connected     enp1s0
   enp7s0  ethernet  disconnected  --
   enp8s0  ethernet  disconnected  --
   lo      loopback  unmanaged     --

   Important

   You can only use network interfaces in a team that are not assigned to any connection. In the above example, you can only use the enp7s0 and enp8s0 interfaces.

6. Assign the port interfaces to the team’s connection. For example, to add the interfaces named enp7s0 and enp8s0 to the team0 connection:

   # nmcli connection add type ethernet slave-type team con-name team0-port1 ifname enp7s0 master team0
   # nmcli connection add type ethernet slave-type team con-name team0-port2 ifname enp8s0 master team0

7. Activate the connection. For example, to activate the team0 connection:

   # nmcli connection up team0

8. Optionally, display the status of the team:

   # teamdctl team0 state
   setup:
     runner: activebackup
   ports:
     enp7s0
       link watches:
         link summary: up
         instance[link_watch_0]:
           name: ethtool
           link: up
           down count: 0
     enp8s0
       link watches:
         link summary: up
         instance[link_watch_0]:
           name: ethtool
           link: up
           down count: 0
   runner:
     active port: enp7s0

   In the example, both ports are up.

Procedure

1. Open a terminal, and enter nm-connection-editor:

   $ nm-connection-editor

2. Click the + button to add a new connection.
3. Select the Team connection type, and click Create.

4. On the Team tab:

   1. Optionally, set the name of the team interface in the Interface name field.

   2. Click the Add button to add a network interface as a slave to the team.

      1. Select the connection type of the interface. For example, select Ethernet for a wired connection.
      2. Optionally, set a connection name for the slave device.

      3. In the Device field on the Ethernet tab, select the network interface you want to add as a slave to the team.

         Important

         You can only use network interfaces in a team that are not configured.

      4. Click Save.

   3. Repeat the previous step for each interface you want to add to the team.

      

   4. Click the Advanced button to set advanced options to the team connection.

      1. On the Runner tab, select the runner.
      2. On the Link Watcher tab, set the link link watcher and its optional settings.
      3. Click OK.
5. On the IPv4 Settings tab, configure the IPv4 settings. For example, set a static IPv4 address, network mask, default gateway, and DNS server:
6. On the IPv6 Settings tab, configure the IPv6 settings. For example, set a static IPv6 address, network mask, default gateway, and DNS server:
7. Click Save to save the team connection.
8. Close nm-connection-editor.

9. Optionally, display the status of the team:

   # teamdctl team0 state
   setup:
     runner: activebackup
   ports:
     enp7s0
       link watches:
         link summary: up
         instance[link_watch_0]:
           name: ethtool
           link: up
           down count: 0
     enp8s0
       link watches:
         link summary: up
         instance[link_watch_0]:
           name: ethtool
           link: up
           down count: 0
   runner:
     active port: enp7s0

Procedure

1. Create a bond interface. For example, to create a bond interface that uses the active-backup mode and both the interface and the connection are named bond0, enter:

   # nmcli connection add type bond con-name bond0 ifname bond0 bond.options "mode=active-backup"

   To additionally set a Media Independent Interface (MII) monitoring interval, add the miimon=interval option to the bond.options property. For example, to use the same command but, additionally, set the MII monitoring interval to 1000 milliseconds (1 second), enter:

   # nmcli connection add type bond con-name bond0 ifname bond0 bond.options "mode=active-backup,miimon=1000"

2. Configure the IPv4 settings. For example, to set a static IPv4 address, network mask, default gateway, and DNS server to the bond0 connection, enter:

   # nmcli connection modify bond0 ipv4.addresses '192.0.2.1/24'
   # nmcli connection modify bond0 ipv4.gateway '192.0.2.254'
   # nmcli connection modify bond0 ipv4.dns '192.0.2.253'
   # nmcli connection modify bond0 ipv4.method manual

3. Configure the IPv6 settings. For example, to set a static IPv6 address, network mask, default gateway, and DNS server of the bond0 connection, enter:

   # nmcli connection modify bond0 ipv6.addresses '2001:db8::1/32
   # nmcli connection modify bond0 ipv6.gateway '2001:db8::fffe'
   # nmcli connection modify bond0 ipv6.dns '2001:db8::fffd'
   # nmcli connection modify bond0 ipv6.method manual

4. Optionally, display the network interfaces, and note names of interfaces you plan to add to the bond:

   # # nmcli device
   DEVICE  TYPE      STATE         CONNECTION
   enp1s0  ethernet  connected     enp1s0
   enp7s0  ethernet  disconnected  --
   enp8s0  ethernet  disconnected  --
   lo      loopback  unmanaged     --

5. Assign port interfaces to the bond’s connection. For example, to add the interfaces named enp7s0 and enp8s0 to the bond0 connection:

   # nmcli connection add type ethernet slave-type bond con-name bond0-port1 ifname enp7s0 master bond0
   # nmcli connection add type ethernet slave-type bond con-name bond0-port2 ifname enp8s0 master bond0

6. Activate the connection. For example, to activate the bond0 connection:

   # nmcli connection up bond0

7. Verify that the slave devices are connected, and the CONNECTION column displays the slave’s connection name:

   # nmcli device
   DEVICE   TYPE      STATE      CONNECTION
   ...
   enp7s0   ethernet  connected  bond0-port1
   enp8s0   ethernet  connected  bond0-port2

   Red Hat Enterprise Linux activates master and slave devices when the system boots. By activating any slave connection, the master is also activated. However, in this case, only one slave connection is activated. By default, activating the master does not automatically activate the slaves. However, you can enable this behavior by setting:

   1. Enable the connection.autoconnect-slaves parameter of the bond’s connection:

      # nmcli connection modify bond0 connection.autoconnect-slaves 1

   2. Reactivate the bridge:

      # nmcli connection up bond0

8. Optionally, display the status of the bond:

   # cat /proc/net/bonding/bond0
   Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
   
   Bonding Mode: fault-tolerance (active-backup)
   Primary Slave: None
   Currently Active Slave: enp7s0
   MII Status: up
   MII Polling Interval (ms): 100
   Up Delay (ms): 0
   Down Delay (ms): 0
   
   Slave Interface: enp7s0
   MII Status: up
   Speed: Unknown
   Duplex: Unknown
   Link Failure Count: 0
   Permanent HW addr: 52:54:00:d5:e0:fb
   Slave queue ID: 0
   
   Slave Interface: enp8s0
   MII Status: up
   Speed: Unknown
   Duplex: Unknown
   Link Failure Count: 0
   Permanent HW addr: 52:54:00:b2:e2:63
   Slave queue ID: 0

   In the example, both ports are up.

Procedure

1. Open a terminal, and enter nm-connection-editor:

   $ nm-connection-editor

2. Click the + button to add a new connection.
3. Select the Bond connection type, and click Create.

4. On the Bond tab:

   1. Optionally, set the name of the bond interface in the Interface name field.

   2. Click the Add button to add a network interface as a slave to the bond.

      1. Select the connection type of the interface. For example, select Ethernet for a wired connection.
      2. Optionally, set a connection name for the slave device.

      3. In the Device field on the Ethernet tab, select the network interface you want to add as a slave to the bond.

         Important

         You can only use network interfaces in a bond that are not configured.

      4. Click Save.

   3. Repeat the previous step for each interface you want to add to the bond:

      

   4. Optionally, set other options, such as the Media Independent Interface (MII) monitoring interval.

5. On the IPv4 Settings tab, configure the IPv4 settings. For example, set a static IPv4 address, network mask, default gateway, and DNS server:

   

6. On the IPv6 Settings tab, configure the IPv6 settings. For example, set a static IPv6 address, network mask, default gateway, and DNS server:

   

7. Click Save to save the bond connection.
8. Close nm-connection-editor.

9. Optionally, display the status of the bond:

   $ cat /proc/net/bonding/_bond0_
   Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)
   
   Bonding Mode: fault-tolerance (active-backup)
   Primary Slave: None
   Currently Active Slave: enp7s0
   MII Status: up
   MII Polling Interval (ms): 100
   Up Delay (ms): 0
   Down Delay (ms): 0
   
   Slave Interface: enp7s0
   MII Status: up
   Speed: Unknown
   Duplex: Unknown
   Link Failure Count: 0
   Permanent HW addr: 52:54:00:d5:e0:fb
   Slave queue ID: 0
   
   Slave Interface: enp8s0
   MII Status: up
   Speed: Unknown
   Duplex: Unknown
   Link Failure Count: 0
   Permanent HW addr: 52:54:00:b2:e2:63
   Slave queue ID: 0

   In the example, both ports are up.

Procedure

1. Select the Identity menu entry to see the basic configuration options:

   General

   Gateway — The name or IP address of the remote VPN gateway.

   Authentication

   Type

   • IKEv2 (Certificate)- client is authenticated by certificate. It is more secure (default).

   • IKEv1 (XAUTH) - client is authenticated by username and password, or secret (PSK).

     The following configuration settings are available under the Advanced section:

     Figure 17.1. Advanced options of a VPN connection

     
     Warning

     When configuring an IPsec based VPN connection using the gnome-control-center application, the Advanced dialog will only display the configuration, but will not allow doing any change. As a consequence, users cannot change any advanced IPsec options. Use the nm-connection-editor or nmcli tools instead to perform configuration of the advanced properties.

     Identification

     Domain — If required, enter the Domain Name.

     Security

   • Phase1 Algorithms — corresponds to the ike Libreswan parameter — enter the algorithms to be used to authenticate and set up an encrypted channel.

   • Phase2 Algorithms — corresponds to the esp Libreswan parameter — enter the algorithms to be used for the IPsec negotiations.

     • Check the Disable PFS field to turn off Perfect Forward Secrecy (PFS)to ensure compatibility with old servers that do not support PFS.
   • Phase1 Lifetime — corresponds to the ikelifetime Libreswan parameter — how long the key used to encrypt the traffic will be valid.

   • Phase2 Lifetime — corresponds to the salifetime Libreswan parameter — how long how long a particular instance of a connection should last before expiring.

     Note that the encryption key should be changed from time to time for security reasons.

   • Remote network — corresponds to the rightsubnet Libreswan parameter — the destination private remote network that should be reached throught the VPN.

     • Check the narrowing field to enable narrowing. Note that it is only effective in IKEv2 negotiation.
   • Enable fragmentation — corresponds to the fragmentation Libreswan parameter — whether or not to allow IKE fragmentation. Valid values are yes (default), or no.
   • Enable Mobike — corresponds to the mobike Libreswan parameter — whether to allow MOBIKE (RFC 4555) to enable a connection to migrate its endpoint without needing to restart the connection from scratch. This is used on mobile devices that switch between wired, wireless or mobile data connections. The values are no (default) or yes.

2. For further configuration, select the IPv4 menu entry:

   • IPv4 Method

     • Automatic (DHCP) — Choose this option if the network you are connecting to uses Router Advertisements (RA) or a DHCP server to assign dynamic IP addresses.
     • Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 3927 with prefix 169.254/16.
     • Manual — Choose this option if you want to assign IP addresses manually.
     • Disable — IPv4 is disabled for this connection.

   • DNS

     In the DNS section, when Automatic is ON, switch it to OFF to enter the IP address of a DNS server you want to use separating the IPs by comma.

   • Routes

     Note that in the Routes section, when Automatic is ON, routes from Router Advertisements (RA) or DHCP are used, but you can also add additional static routes. When OFF, only static routes are used.

     • Address — Enter the IP address of a remote network, sub-net, or host.
     • Netmask — The netmask or prefix length of the IP address entered above.
     • Gateway — The IP address of the gateway leading to the remote network, sub-net, or host entered above.
     • Metric — A network cost, a preference value to give to this route. Lower values will be preferred over higher values.

   • Use this connection only for resources on its network

     Select this check box to prevent the connection from becoming the default route. Selecting this option means that only traffic specifically destined for routes learned automatically over the connection or entered here manually will be routed over the connection.

3. Alternatively, to configure IPv6 settings in a VPN connection, select the IPv6 menu entry:

   • IPv6 Method

     • Automatic — Choose this option to use IPv6 Stateless Address AutoConfiguration (SLAAC) to create an automatic, stateless configuration based on the hardware address and Router Advertisements (RA).
     • Automatic, DHCP only — Choose this option to not use RA, but request information from DHCPv6 directly to create a stateful configuration.
     • Link-Local Only — Choose this option if the network you are connecting to does not have a DHCP server and you do not want to assign IP addresses manually. Random addresses will be assigned as per RFC 4862 with prefix FE80::0.
     • Manual — Choose this option if you want to assign IP addresses manually.

     • Disable — IPv6 is disabled for this connection.

       Note that DNS, Routes, Use this connection only for resources on its network are common to IPv4 settings.

4. Once you have finished editing the VPN connection, click the Add button to customize the configuration or the Apply button to save it for the existing one.
5. Switch the profile to ON to active the VPN connection.

Procedure

1. Open a terminal, and enter:

   $ nm-connection-editor

2. Click the + button to add a new connection.
3. Select the IPsec based VPN connection type, and click Create.

4. On the VPN tab:

   1. Enter the host name or IP address of the VPN gateway into the Gateway field, and select an authentication type. Based on the authentication type, you must enter different additional information:

      • IKEv2 (Certifiate) authenticates the client by using a certificate, which is more secure. This setting requires:

        • The nickname of the certificate in the IPsec NSS database

      • IKEv1 (XAUTH) authenticates the user by using a user name and password (pre-shared key). This setting requires that you enter the following values:

        • User name
        • Password
        • Group name
        • Secret

   2. If the remote server specifies a local identifier for the IKE exchange, enter the exact string in the Remote ID field. In the remote server runs Libreswan, this value is set in the server’s leftid parameter.

      

   3. Optionally, configure additional settings by clicking the Advanced button. You can configure the following settings:

      • Identification

        • Domain — If required, enter the domain name.

      • Security

        • Phase1 Algorithms corresponds to the ike Libreswan parameter. Enter the algorithms to be used to authenticate and set up an encrypted channel.

        • Phase2 Algorithms corresponds to the esp Libreswan parameter. Enter the algorithms to be used for the IPsec negotiations.

          • Check the Disable PFS field to turn off Perfect Forward Secrecy (PFS) to ensure compatibility with old servers that do not support PFS.
        • Phase1 Lifetime corresponds to the ikelifetime Libreswan parameter. This parameter defines how long the key used to encrypt the traffic is valid.
        • Phase2 Lifetime corresponds to the salifetime Libreswan parameter. This parameter defines how long a security association is valid.

      • Connectivity

        • Remote network corresponds to the rightsubnet Libreswan parameter and defines the destination private remote network that should be reached through the VPN.

          • Check the narrowing field to enable narrowing. Note that it is only effective in the IKEv2 negotiation.
        • Enable fragmentation corresponds to the fragmentation Libreswan parameter and defines whether or not to allow IKE fragmentation. Valid values are yes (default), or no.
        • Enable Mobike corresponds to the mobike Libreswan parameter. The parameter defines whether to allow Mobility and Multihoming Protocol (MOBIKE) (RFC 4555) to enable a connection to migrate its endpoint without needing to restart the connection from scratch. This is used on mobile devices that switch between wired, wireless or mobile data connections. The values are no (default) or yes.

5. On the IPv4 Settings tab, select the IP assignment method and, optionally, set additional static addresses, DNS servers, search domains, and routes.

   

6. Save the connection.
7. Close nm-connection-editor.

Procedure

1. To configure an interface named em1 with dynamic network settings using ifcfg files, create a file with the name ifcfg-em1 in the /etc/sysconfig/network-scripts/ directory that contains:

   DEVICE=em1
   BOOTPROTO=dhcp
   ONBOOT=yes

2. To configure an interface to send a different host name to the DHCP server, add the following line to the ifcfg file:

   DHCP_HOSTNAME=hostname

3. To configure an interface to send a different fully qualified domain name (FQDN) to the DHCP server, add the following line to the ifcfg file:

   DHCP_FQDN=fully.qualified.domain.name

   Note

   Only one directive, either DHCP_HOSTNAME or DHCP_FQDN, should be used in a given ifcfg file. In case both DHCP_HOSTNAME and DHCP_FQDN are specified, only the latter is used.

4. To configure an interface to use particular DNS servers, add the following lines to the ifcfg file:

     PEERDNS=no
     DNS1=ip-address
     DNS2=ip-address

   where ip-address is the address of a DNS server. This will cause the network service to update /etc/resolv.conf with the specified DNS servers specified. Only one DNS server address is necessary, the other is optional.

1. As an example, modify the ifcfg file with the following row, which will make the connection available only to the users listed:

   USERS="joe bob alice"

Procedure

1. To ignore link negotiation, set the following parameters:

   ~]# nmcli connection modify connection_name 802-3-ethernet.auto-negotiate no 802-3-ethernet.speed 0 802-3-ethernet.duplex ""

   Note, that the auto-negotiation parameter is not disabled even if the speed and duplex parameters are not set and the auto-negotiation parameter is set to no.

2. To enforce the auto-negotiation activation, enter the following command:

   ~]# nmcli connection modify connection_name 802-3-ethernet.auto-negotiate yes 802-3-ethernet.speed 0 802-3-ethernet.duplex ""

   That allows to negotiate all the available speed and duplex modes supported by the NIC.

   You can also enable auto-negotiation while advertising and allowing only one speed/duplex mode. This can be useful if you want to enforce 1000BASE-T and 10GBASE-T Ethernet link configuration, as these standards mandate auto-negotiation enabled. To enforce 1000BASE-T standard:

   ~]# nmcli connection modify connection_name 802-3-ethernet.auto-negotiate yes 802-3-ethernet.speed 1000 802-3-ethernet.duplex full

3. To manually set the speed and duplex link settings, enter the following command:

   ~]# nmcli connection modify connection_name 802-3-ethernet.auto-negotiate no 802-3-ethernet.speed [speed in Mbit/s] 802-3-ethernet.duplex [full|half]

Procedure

1. Create a CAK/CKN pair. For example, the following command generates a 16-byte key in hexadecimal notation:

   ~]$ dd if=/dev/urandom count=16 bs=1 2> /dev/null | hexdump -e '1/2 "%02x"'

2. Create the wpa_supplicant.conf configuration file and add the following lines to it:

   ctrl_interface=/var/run/wpa_supplicant
   eapol_version=3
   ap_scan=0
   fast_reauth=1
   
   network={
       key_mgmt=NONE
       eapol_flags=0
       macsec_policy=1
   
       mka_cak=0011... # 16 bytes hexadecimal
       mka_ckn=2233... # 32 bytes hexadecimal
   }

   Use the values from the previous step to complete the mka_cak and mka_ckn lines in the wpa_supplicant.conf configuration file.

   For more information, see the wpa_supplicant.conf(5) man page.

3. Assuming you are using eth0 to connect to your network, start wpa_supplicant using the following command:

   ~]# wpa_supplicant -i eth0 -Dmacsec_linux -c wpa_supplicant.conf

Procedure

1. Create and configure the first VRF device:

   1. Create the VRF device and assign it to a routing table. For example, to create a VRF device named blue that is assigned to the 1001 routing table:

      # ip link add dev blue type vrf table 1001

   2. Enable the blue device:

      # ip link set dev blue up

   3. Assign a network device to the VRF device. For example, to add the eth0 Ethernet device to the blue VRF device:

      # ip link set dev eth0 master blue

   4. Enable the eth0 device:

      # ip link set dev eth0 up

   5. Assign an IP address and subnet mask to the eth0 device. For example, to set it to 192.0.2.1/24:

      # ip addr add dev eth0  192.0.2.1/24

2. Create and configure the next VRF device:

   1. Create the VRF device and assign it to a routing table. For example, to create a VRF device named red that is assigned to the 1002 routing table:

      # ip link add dev red type vrf table 1002

   2. Enable the red device:

      # ip link set dev red up

   3. Assign a network device to the VRF device. For example, to add the eth1 Ethernet device to the red VRF device:

      # ip link set dev eth1 master red

   4. Enable the eth1 device:

      # ip link set dev eth1 up

   5. Assign the same IP address and subnet mask to the eth1 device as you used for eth0 in the blue VRF domain:

      # ip addr add dev eth1  192.0.2.1/24

3. Optionally, create further VRF devices as described above.

Procedure

1. Create the /etc/NetworkManager/dispatcher.d/pre-up.d/01-vrf file with the following content:

   #!/bin/sh
   
   interface=$1
   
   if [ $interface = eth0 ]; then
       # If the interface is "eth0", set the variable for the VRF
       # device name to "blue" and the variable for the routing
       # table to "1001"
       vrf=blue
       id=1001
   elif [ $interface = eth1 ]; then
       # If the interface is "eth1", set the variable for the VRF
       # device name to "red" and the variable for the routing
       # table to "1002"
       vrf=red
       id=1002
   else
       # For all other devices stop executing the script here
       exit 0
   fi
   
   # Create the VRF device if it does not exist, and assign
   # the VRF device to its routing table
   ip link show dev $vrf || ip link add dev $vrf type vrf table $id
   
   # Enable the VRF device
   ip link set dev $vrf up
   
   # Assign the Ethernet interface to the VRF device
   ip link set dev $interface master $vrf

2. Set the x bits to the /etc/NetworkManager/dispatcher.d/pre-up.d/01-vrf file to make it executable:

   # chmod 0755 /etc/NetworkManager/dispatcher.d/pre-up.d/01-vrf

Procedure

1. Edit the /etc/frr/daemons configuration file, and enable the required daemons for your system.

   For example, to enable the ripd daemon, include the following line:

   ripd=yes

   Warning

   The zebra daemon must always be enabled, so that you must set zebra=yes to be able to use FRR.

   Important

   By default, /etc/frr/daemons contains [daemon_name]=no entries for all daemons. Therefore, all daemons are disabled, and starting FRR after a new installation of the system has no effect.

2. Start the frr service:

   # systemctl start frr

3. Optionally, you can also set FRR to start automatically on boot:

   # systemctl enable frr

1. Edit the /etc/frr/daemons configuration file, and modify the line for the required daemons to state yes instead of no.

   For example, to enable the ripd daemon:

   ripd=yes

2. Reload the frr service:

   # systemctl reload frr

1. Edit the /etc/frr/daemons configuration file, and modify the line for the required daemons to state no instead of yes.

   For example, to disable the ripd daemon:

   ripd=no

2. Reload the frr service:

   # systemctl reload frr

Procedure

1. Within the /etc/frr/ directory, create a configuration file for the required daemon, and name the file as follows:

   [daemon_name].conf

   For example, to further configure the eigrpd daemon, create the eigrpd.conf file in the mentioned directory.

2. Populate the new file with the required content.

   For configuration examples of particular FRR daemons, see the /usr/share/doc/frr/ directory.

3. Reload the frr service:

   # systemctl reload frr

1. The service renames the existing files:

   • /var/lib/dhcpd/dhcpd.leases to /var/lib/dhcpd/dhcpd.leases~
   • /var/lib/dhcpd/dhcpd6.leases to /var/lib/dhcpd/dhcpd6.leases~
2. The service writes all known leases to the newly created /var/lib/dhcpd/dhcpd.leases and /var/lib/dhcpd/dhcpd6.leases files.

1. Copy the /usr/lib/systemd/system/dhcpd.service file to the /etc/systemd/system/ directory:

   # cp /usr/lib/systemd/system/dhcpd.service /etc/systemd/system/

   Do not edit the /usr/lib/systemd/system/dhcpd.service file. Future updates of the dhcp-server package can override the changes.

2. Edit the /etc/systemd/system/dhcpd.service file, and append the names of the interface, that dhcpd should listen on to the command in the ExecStart parameter:

   ExecStart=/usr/sbin/dhcpd -f -cf /etc/dhcp/dhcpd.conf -user dhcpd -group dhcpd --no-pid $DHCPDARGS enp0s1 enp7s0

   This example configures that dhcpd listens only on the enp0s1 and enp7s0 interfaces.

3. Reload the systemd manager configuration:

   # systemctl daemon-reload

4. Restart the dhcpd service:

   # systemctl restart dhcpd.service

1. Copy the /usr/lib/systemd/system/dhcpd6.service file to the /etc/systemd/system/ directory:

   # cp /usr/lib/systemd/system/dhcpd6.service /etc/systemd/system/

   Do not edit the /usr/lib/systemd/system/dhcpd6.service file. Future updates of the dhcp-server package can override the changes.

2. Edit the /etc/systemd/system/dhcpd6.service file, and append the names of the interface, that dhcpd should listen on to the command in the ExecStart parameter:

   ExecStart=/usr/sbin/dhcpd -f -6 -cf /etc/dhcp/dhcpd6.conf -user dhcpd -group dhcpd --no-pid $DHCPDARGS enp0s1 enp7s0

   This example configures that dhcpd listens only on the enp0s1 and enp7s0 interfaces.

3. Reload the systemd manager configuration:

   # systemctl daemon-reload

4. Restart the dhcpd service:

   # systemctl restart dhcpd.service

1. Edit the /etc/dhcp/dhcpd.conf file:

   1. Optionally, add global parameters that dhcpd uses as default if no other directives contain these settings:

      option domain-name "example.com";
      default-lease-time 86400;

      This example sets the default domain name for the connection to example.com, and the default lease time to 86400 seconds (1 day).

   2. Add the authoritative statement on a new line:

      authoritative;

      Important

      Without the authoritative statement, the dhcpd service does not answer DHCPREQUEST messages with DHCPNAK if a client asks for an address that is outside of the pool.

   3. For each IPv4 subnet directly connected to an interface of the server, add a subnet declaration:

      subnet 192.0.2.0 netmask 255.255.255.0 {
        range 192.0.2.20 192.0.2.100;
        option domain-name-servers 192.0.2.1;
        option routers 192.0.2.1;
        option broadcast-address 192.0.2.255;
        max-lease-time 172800;
      }

      This example adds a subnet declaration for the 192.0.2.0/24 network. With this configuration, the DHCP server assigns the following settings to a client that sends a DHCP request from this subnet:

      • A free IPv4 address from the range defined in the range parameter
      • IP of the DNS server for this subnet: 192.0.2.1
      • Default gateway for this subnet: 192.0.2.1
      • Broadcast address for this subnet: 192.0.2.255
      • The maximum lease time, after which clients in this subnet release the IP and send a new request to the server: 172800 seconds (2 days)

2. Optionally, configure that dhcpd starts automatically when the system boots:

   # systemctl enable dhcpd

3. Start the dhcpd service:

   # systemctl start dhcpd

1. Edit the /etc/dhcp/dhcpd6.conf file:

   1. Optionally, add global parameters that dhcpd uses as default if no other directives contain these settings:

      option dhcp6.domain-search "example.com";
      default-lease-time 86400;

      This example sets the default domain name for the connection to example.com, and the default lease time to 86400 seconds (1 day).

   2. Add the authoritative statement on a new line:

      authoritative;

      Important

      Without the authoritative statement, the dhcpd service does not answer DHCPREQUEST messages with DHCPNAK if a client asks for an address that is outside of the pool.

   3. For each IPv6 subnet directly connected to an interface of the server, add a subnet declaration:

      subnet6 2001:db8:0:1::/64 {
        range6 2001:db8:0:1::20 2001:db8:0:1::100;
        option dhcp6.name-servers 2001:db8:0:1::1;
        max-lease-time 172800;
      }

      This example adds a subnet declaration for the 2001:db8:0:1::/64 network. With this configuration, the DHCP server assigns the following settings to a client that sends a DHCP request from this subnet:

      • A free IPv6 address from the range defined in the range6 parameter.
      • The IP of the DNS server for this subnet is 2001:db8:0:1::1.

      • The maximum lease time, after which clients in this subnet release the IP and send a new request to the server is 172800 seconds (2 days).

        Note that IPv6 requires uses router advertisement messages to identify the default gateway.

2. Optionally, configure that dhcpd6 starts automatically when the system boots:

   # systemctl enable dhcpd6

3. Start the dhcpd6 service:

   # systemctl start dhcpd6

1. Edit the /etc/dhcp/dhcpd.conf file:

   1. Optionally, add global parameters that dhcpd uses as default if no other directives contain these settings:

      option domain-name "example.com";
      default-lease-time 86400;

      This example sets the default domain name for the connection to example.com, and the default lease time to 86400 seconds (1 day).

   2. Add the authoritative statement on a new line:

      authoritative;

      Important

      Without the authoritative statement, the dhcpd service does not answer DHCPREQUEST messages with DHCPNAK if a client asks for an address that is outside of the pool.

   3. Add a shared-network declaration, such as the following, for IPv4 subnets that are not directly connected to an interface of the server:

      shared-network example {
        option domain-name-servers 192.0.2.1;
        ...
      
        subnet 192.0.2.0 netmask 255.255.255.0 {
          range 192.0.2.20 192.0.2.100;
          option routers 192.0.2.1;
        }
      
        subnet 198.51.100.0 netmask 255.255.255.0 {
          range 198.51.100.20 198.51.100.100;
          option routers 198.51.100.1;
        }
        ...
      }

      This example adds a shared network declaration, that contains a subnet declaration for both the 192.0.2.0/24 and 198.51.100.0/24 networks. With this configuration, the DHCP server assigns the following settings to a client that sends a DHCP request from one of these subnets:

      • The IP of the DNS server for clients from both subnets is: 192.0.2.1.
      • A free IPv4 address from the range defined in the range parameter, depending on from which subnet the client sent the request.
      • The default gateway is either 192.0.2.1 or 198.51.100.1 depending on from which subnet the client sent the request.

   4. Add a subnet declaration for the subnet the server is directly connected to and that is used to reach the remote subnets specified in shared-network above:

      subnet 203.0.113.0 netmask 255.255.255.0 {
      }

      Note

      If the server does not provide DHCP service to this subnet, the subnet declaration must be empty as shown in the example. Without a declaration for the directly connected subnet, dhcpd does not start.

2. Optionally, configure that dhcpd starts automatically when the system boots:

   # systemctl enable dhcpd

3. Start the dhcpd service:

   # systemctl start dhcpd

1. Edit the /etc/dhcp/dhcpd6.conf file:

   1. Optionally, add global parameters that dhcpd uses as default if no other directives contain these settings:

      option dhcp6.domain-search "example.com";
      default-lease-time 86400;

      This example sets the default domain name for the connection to example.com, and the default lease time to 86400 seconds (1 day).

   2. Add the authoritative statement on a new line:

      authoritative;

      Important

      Without the authoritative statement, the dhcpd service does not answer DHCPREQUEST messages with DHCPNAK if a client asks for an address that is outside of the pool.

   3. Add a shared-network declaration, such as the following, for IPv6 subnets that are not directly connected to an interface of the server:

      shared-network example {
        option domain-name-servers 2001:db8:0:1::1:1
        ...
      
        subnet6 2001:db8:0:1::1:0/120 {
          range6 2001:db8:0:1::1:20 2001:db8:0:1::1:100
        }
      
        subnet6 2001:db8:0:1::2:0/120 {
          range6 2001:db8:0:1::2:20 2001:db8:0:1::2:100
        }
        ...
      }

      This example adds a shared network declaration that contains a subnet6 declaration for both the 2001:db8:0:1::1:0/120 and 2001:db8:0:1::2:0/120 networks. With this configuration, the DHCP server assigns the following settings to a client that sends a DHCP request from one of these subnets:

      • The IP of the DNS server for clients from both subnets is 2001:db8:0:1::1:1.

      • A free IPv6 address from the range defined in the range6 parameter, depending on from which subnet the client sent the request.

        Note that IPv6 requires uses router advertisement messages to identify the default gateway.

   4. Add a subnet6 declaration for the subnet the server is directly connected to and that is used to reach the remote subnets specified in shared-network above:

      subnet6 2001:db8:0:1::50:0/120 {
      }

      Note

      If the server does not provide DHCP service to this subnet, the subnet6 declaration must be empty as shown in the example. Without a declaration for the directly connected subnet, dhcpd does not start.

2. Optionally, configure that dhcpd6 starts automatically when the system boots:

   # systemctl enable dhcpd6

3. Start the dhcpd6 service:

   # systemctl start dhcpd6

1. Edit the /etc/dhcp/dhcpd.conf file:

   1. Add a host declaration:

      host server.example.com {
      	hardware ethernet 52:54:00:72:2f:6e;
      	fixed-address 192.0.2.130;
      }

      This example configures the DHCP server to always assigns the 192.0.2.130 IP address to the host with the 52:54:00:72:2f:6e MAC address.

      The dhcpd service identifies systems by the MAC address specified in the fixed-address parameter, and not by the name in the host declaration. As a consequence, you can set this name to any string that does not match other host declarations. To configure the same system for multiple networks, use a different name, otherwise, dhcpd fails to start.

   2. Optionally, add further settings to the host declaration that are specific for this host.

2. Restart the dhcpd service:

   # systemctl start dhcpd

1. Edit the /etc/dhcp/dhcpd6.conf file:

   1. Add a host declaration:

      host server.example.com {
      	hardware ethernet 52:54:00:72:2f:6e;
      	fixed-address6 2001:db8:0:1::200;
      }

      This example configures the DHCP server to always assign the 2001:db8:0:1::20 IP address to the host with the 52:54:00:72:2f:6e MAC address.

      The dhcpd service identifies systems by the MAC address specified in the fixed-address6 parameter, and not by the name in the host declaration. As a consequence, you can set this name to any string, as long as it is unique to other host declarations. To configure the same system for multiple networks, use a different name because, otherwise, dhcpd fails to start.

   2. Optionally, add further settings to the host declaration that are specific for this host.

2. Restart the dhcpd6 service:

   # systemctl start dhcpd6

1. Edit the /etc/dhcp/dhcpd.conf file:

   1. Add a group declaration:

      group {
        option domain-name-servers 192.0.2.1;
      
        host server1.example.com {
          hardware ethernet 52:54:00:72:2f:6e;
          fixed-address 192.0.2.130;
        }
      
        host server2.example.com {
          hardware ethernet 52:54:00:1b:f3:cf;
          fixed-address 192.0.2.140;
        }
      }

      This group definition groups two host entries. The dhcpd service applies the value set in the option domain-name-servers parameter to both hosts in the group.

   2. Optionally, add further settings to the group declaration that are specific for these hosts.

2. Restart the dhcpd service:

   # systemctl start dhcpd

1. Edit the /etc/dhcp/dhcpd6.conf file:

   1. Add a group declaration:

      group {
        option dhcp6.domain-search "example.com";
      
        host server1.example.com {
          hardware ethernet 52:54:00:72:2f:6e;
          fixed-address 2001:db8:0:1::200;
        }
      
        host server2.example.com {
          hardware ethernet 52:54:00:1b:f3:cf;
          fixed-address 2001:db8:0:1::ba3;
        }
      }

      This group definition groups two host entries. The dhcpd service applies the value set in the option dhcp6.domain-search parameter to both hosts in the group.

   2. Optionally, add further settings to the group declaration that are specific for these hosts.

2. Restart the dhcpd6 service:

   # systemctl start dhcpd6

1. Stop the dhcpd service:

   # systemctl stop dhcpd

2. Rename the corrupt lease database:

   # mv /var/lib/dhcpd/dhcpd.leases /var/lib/dhcpd/dhcpd.leases.corrupt

3. Restore the copy of the lease database that the dhcp service created when it refreshed the lease database:

   # cp -p /var/lib/dhcpd/dhcpd.leases~ /var/lib/dhcpd/dhcpd.leases

   Important

   If you have a more recent backup of the lease database, restore this backup instead.

4. Start the dhcpd service:

   # systemctl start dhcpd

1. Stop the dhcpd6 service:

   # systemctl stop dhcpd6

2. Rename the corrupt lease database:

   # mv /var/lib/dhcpd/dhcpd6.leases /var/lib/dhcpd/dhcpd6.leases.corrupt

3. Restore the copy of the lease database that the dhcp service created when it refreshed the lease database:

   # cp -p /var/lib/dhcpd/dhcpd6.leases~ /var/lib/dhcpd/dhcpd6.leases

   Important

   If you have a more recent backup of the lease database, restore this backup instead.

4. Start the dhcpd6 service:

   # systemctl start dhcpd6

1. Install the dhcp-relay package:

   # yum install dhcp-relay

2. Copy the /lib/systemd/system/dhcrelay.service file to the /etc/systemd/system/ directory:

   # cp /lib/systemd/system/dhcrelay.service /etc/systemd/system/

   Do not edit the /usr/lib/systemd/system/dhcrelay.service file. Future updates of the dhcp-relay package can override the changes.

3. Edit the /etc/systemd/system/dhcrelay.service file, and append the -i interface parameter, together with a list of IP addresses of DHCPv4 servers that are responsible for the subnet:

   ExecStart=/usr/sbin/dhcrelay -d --no-pid -i enp1s0 192.0.2.1

   With these additional parameters, dhcrelay listens for DHCPv4 requests on the enp1s0 interface and forwards them to the DHCP server with the IP 192.0.2.1.

4. Reload the systemd manager configuration:

   # systemctl daemon-reload

5. Optionally, configure that the dhcrelay service starts when the system boots:

   # systemctl enable dhcrelay.service

6. Start the dhcrelay service:

   # systemctl start dhcrelay.service

1. Install the dhcp-relay package:

   # yum install dhcp-relay

2. Copy the /lib/systemd/system/dhcrelay.service file to the /etc/systemd/system/ directory and name the file dhcrelay6.service:

   # cp /lib/systemd/system/dhcrelay.service /etc/systemd/system/dhcrelay6.service

   Do not edit the /usr/lib/systemd/system/dhcrelay.service file. Future updates of the dhcp-relay package can override the changes.

3. Edit the /etc/systemd/system/dhcrelay6.service file, and append the -l receiving_interface and -u outgoing_interface parameters:

   ExecStart=/usr/sbin/dhcrelay -d --no-pid -l enp1s0 -u enp7s0

   With these additional parameters, dhcrelay listens for DHCPv6 requests on the enp1s0 interface and forwards them to the network connected to the enp7s0 interface.

4. Reload the systemd manager configuration:

   # systemctl daemon-reload

5. Optionally, configure that the dhcrelay6 service starts when the system boots:

   # systemctl enable dhcrelay6.service

6. Start the dhcrelay6 service:

   # systemctl start dhcrelay6.service

Procedure

1. Enter the following command as root:

   # yum install firewall-config

   Alternatively, in GNOME, use the Super key and type `Software to launch the Software Sources application. Type firewall to the search box, which appears after selecting the search button in the top-right corner. Select the Firewall item from the search results, and click on the Install button.

2. To run firewall-config, use either the firewall-config command or press the Super key to enter the Activities Overview, type firewall, and press Enter.

Procedure

1. To start firewalld, enter the following command as root:

   # systemctl unmask firewalld
   # systemctl start firewalld

2. To ensure firewalld starts automatically at system start, enter the following command as root:

   # systemctl enable firewalld

Procedure

1. To stop firewalld, enter the following command as root:

   # systemctl stop firewalld

2. To prevent firewalld from starting automatically at system start:

   # systemctl disable firewalld

3. To make sure firewalld is not started by accessing the firewalld D-Bus interface and also if other services require firewalld:

   # systemctl mask firewalld

1. Change runtime settings and then make them permanent as follows:

   # firewall-cmd <other options>
   # firewall-cmd --runtime-to-permanent

2. Set permanent settings and reload the settings into runtime mode:

   # firewall-cmd --permanent <other options>
   # firewall-cmd --reload

Procedure

1. Verify the permanent configuration of the firewalld service:

   # firewall-cmd --check-config
   success

   If the permanent configuration is valid, the command returns success. In other cases, the command returns an error with further details, such as the following:

   # firewall-cmd --check-config
   Error: INVALID_PROTOCOL: 'public.xml': 'tcpx' not from {'tcp'|'udp'|'sctp'|'dccp'}