--- loncom/configuration/Firewall.pm 2024/06/13 17:18:38 1.27
+++ loncom/configuration/Firewall.pm 2024/09/13 03:52:03 1.28
@@ -1,7 +1,7 @@
 # The LearningOnline Network with CAPA
 # Firewall configuration to allow internal LON-CAPA communication between servers
 #
-# $Id: Firewall.pm,v 1.27 2024/06/13 17:18:38 raeburn Exp $
+# $Id: Firewall.pm,v 1.28 2024/09/13 03:52:03 raeburn Exp $
 #
 # The LearningOnline Network with CAPA
 #
@@ -82,10 +82,11 @@ sub firewall_open_port {
 return 'inactive firewall' if (!&firewall_is_active());
 return 'port number unknown' if !$lond_port;
 return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
- my (@opened,@okchains,$zone);
+ my (@opened,@okchains,$zone,$firewalld_num_opened);
 if ($firewalld) {
 $zone = &get_default_zone();
 return 'invalid zone' if ($zone eq '');
+ $firewalld_num_opened = 0;
 } else {
 my @badchains;
 foreach my $chain (@{$fw_chains}) {
@@ -161,6 +162,7 @@ sub firewall_open_port {
 close(PIPE);
 if ($result eq 'success') {
 push(@lond_port_open,$ip);
+ $firewalld_num_opened ++;
 } else {
 push(@port_error,$ip);
 }
@@ -242,6 +244,7 @@ sub firewall_open_port {
 close(PIPE);
 if ($result eq 'success') {
 push(@opened,$port);
+ $firewalld_num_opened ++;
 } else {
 $port_error = $port;
 }
@@ -282,6 +285,9 @@ sub firewall_open_port {
 }
 }
 }
+ if ($firewalld && $firewalld_num_opened) {
+ system('firewall-cmd --runtime-to-permanent');
+ }
 foreach my $port (@{$ports}) {
 if (!grep(/^\Q$port\E$/,@opened)) {
 return 'Required port not open: '.$port."\n";
@@ -389,10 +395,11 @@ sub firewall_close_port {
 return 'inactive firewall' if (!&firewall_is_active());
 return 'port number unknown' if !$lond_port;
 return 'invalid firewall chain' unless (ref($fw_chains) eq 'ARRAY');
- my (@okchains,$zone);
+ my (@okchains,$zone,$firewalld_num_closed);
 if ($firewalld) {
 $zone = &get_default_zone();
 return 'no default zone' if ($zone eq '');
+ $firewalld_num_closed = 0;
 } else {
 my @badchains;
 foreach my $chain (@{$fw_chains}) {
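Review bot: The `system('firewall-cmd --runtime-to-permanent')` call added in the `@@ -282` hunk discards its exit status, so if persisting fails the ports remain open only in the runtime configuration (lost on the next reload or reboot) while firewall_open_port still reports success; the `@@ -577` and `@@ -614` hunks have the same gap. Checking the status, e.g. `if (system('firewall-cmd','--runtime-to-permanent') != 0) { print "Error saving runtime firewall changes as permanent (exit ".($? >> 8).")\n"; }`, would surface the failure in whichever way the surrounding sub reports errors (open_port returns strings, close_port prints). Note also that `--runtime-to-permanent` saves the entire runtime configuration of every zone, not only the ports this code just added, so any unrelated transient rule present at that moment becomes permanent as well; a call-site comment such as `# persists the whole runtime config, not just the ports opened above` would make that side effect visible. firewall_open_port begins before and ends after this hunk.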
@@ -449,6 +456,7 @@ sub firewall_close_port {
 close(PIPE);
 if ($result eq 'success') {
 push(@lond_port_close,$ip);
+ $firewalld_num_closed ++;
 } else {
 push(@port_error,$ip);
 }
@@ -537,6 +545,7 @@ sub firewall_close_port {
 close(PIPE);
 if ($result eq 'success') {
 print "Port: $port closed in zone: $zone.\n";
+ $firewalld_num_closed ++;
 } else {
 print "Error closing port: $port in zone: $zone.\n";
 }
@@ -577,6 +586,9 @@ sub firewall_close_port {
 }
 }
 }
+ if ($firewalld && $firewalld_num_closed) {
+ system('firewall-cmd --runtime-to-permanent');
+ }
 return;
 }
 
@@ -614,6 +626,7 @@ sub firewall_close_anywhere {
 close(PIPE);
 if ($result eq 'success') {
 print 'Port '.$port.' closed for source "anywhere"'."\n";
+ system('firewall-cmd --runtime-to-permanent');
 } else {
 print 'Error closing port '.$port.' for source "anywhere".'."\n";
 }
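Review bot: In the `@@ -614` hunk the `system('firewall-cmd --runtime-to-permanent')` call is placed inside the per-port success branch, so it appears to run once for every port closed rather than once after all closures as firewall_open_port and firewall_close_port now do; the enclosing loop and sub begin and end outside the hunk, so this is inferred from the surrounding `close(PIPE)` pattern. Counting successes in a `$firewalld_num_closed`-style variable and issuing a single checked call after the loop would keep the three subs consistent and avoid rewriting the permanent configuration repeatedly. The exit status is also unchecked here, as noted for the `@@ -282` hunk.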