Check the firewall status
[[email protected] ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Tue 2017-04-25 13:27:30 CST; 10min ago
Main PID: 584 (firewalld)
CGroup: /system.slice/firewalld.service
└─584 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Apr 25 13:27:30 MyCloudServer systemd[1]: Started firewalld - dynamic firewall daemon.
Or:
[[email protected] ~]# firewall-cmd --state
running
Check the version
[[email protected] ~]# firewall-cmd --version
0.3.9
Stop the firewall
[[email protected] ~]# systemctl stop firewalld
Add a port
[[email protected] ~]# firewall-cmd --zone=public --add-port=65422/tcp --permanent
success
--permanent makes the change persistent across reloads and reboots; --zone=public selects the zone; --add-port adds the port.
After adding the port, reload so the permanent configuration takes effect:
[[email protected] ~]# firewall-cmd --reload
Then check:
[[email protected] ~]# firewall-cmd --zone=public --list-ports
65422/tcp
Remove a port
[[email protected] ~]# firewall-cmd --permanent --remove-port=80/tcp
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 80/tcp 65422/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[[email protected] ~]# firewall-cmd --reload
success
[[email protected] ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0
sources:
services: dhcpv6-client ssh
ports: 65422/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
View zone information
1. Set the default zone
firewall-cmd --set-default-zone=public
2. List the supported zones
[[email protected] ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
firewalld has 8 zones by default:
- drop: drops all incoming packets by default
- block: rejects all external connections; allows connections initiated from inside
- public: only the specified incoming connections are allowed in
- external: same as above, but for masqueraded incoming connections; typically used for routing and forwarding
- dmz: like the DMZ of a hardware firewall; restricted public connections may enter
- work: work zone, similar in concept to a workgroup; the specified external connections are allowed
- home: similar to a home group
- internal: trusts all connections
3. Get the active zones
[[email protected] ~]# firewall-cmd --get-active-zones
public
interfaces: eth0
Filter rules
- source: filter by source address
- interface: filter by network interface
- service: filter by service name
- port: filter by port
- icmp-block: filter ICMP packets, configured by ICMP type
- masquerade: IP address masquerading
- forward-port: port forwarding
- rule: custom (rich) rules
The filter rules are evaluated in the following order of precedence:
- source
- interface
- firewalld.conf (the default zone)
List the supported services
[[email protected] ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
The system configuration files all live under /usr/lib/firewalld/:
[[email protected] ~]# cd /usr/lib/firewalld/
[[email protected] firewalld]# ls
icmptypes services zones
[[email protected] firewalld]# cd zones/
[[email protected] zones]# ls
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
[[email protected] zones]# cd ..
[[email protected] firewalld]# ls
icmptypes services zones
[[email protected] firewalld]# cd services/
[[email protected] services]# ls
amanda-client.xml http.xml libvirt.xml pmwebapis.xml smtp.xml
bacula-client.xml imaps.xml mdns.xml pmwebapi.xml ssh.xml
bacula.xml ipp-client.xml mountd.xml pop3s.xml telnet.xml
dhcpv6-client.xml ipp.xml ms-wbt.xml postgresql.xml tftp-client.xml
dhcpv6.xml ipsec.xml mysql.xml proxy-dhcp.xml tftp.xml
dhcp.xml kerberos.xml nfs.xml radius.xml transmission-client.xml
dns.xml kpasswd.xml ntp.xml RH-Satellite-6.xml vnc-server.xml
ftp.xml ldaps.xml openvpn.xml rpc-bind.xml wbem-https.xml
high-availability.xml ldap.xml pmcd.xml samba-client.xml
https.xml libvirt-tls.xml pmproxy.xml samba.xml
[[email protected] services]# cd ..
[[email protected] firewalld]# ls
icmptypes services zones
[[email protected] firewalld]# cd icmptypes/
[[email protected] icmptypes]# ls
destination-unreachable.xml parameter-problem.xml router-solicitation.xml
echo-reply.xml redirect.xml source-quench.xml
echo-request.xml router-advertisement.xml time-exceeded.xml
The user configuration files all live under:
[[email protected] zones]# cd /etc/firewalld/
[[email protected] firewalld]# ls
firewalld.conf icmptypes lockdown-whitelist.xml services zones
Ports can also be added or removed by editing the zone configuration file directly:
[[email protected] firewalld]# cd zones/
[[email protected] zones]# ls
public.xml public.xml.old
[[email protected] zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<port protocol="tcp" port="65422"/>
</zone>
[[email protected] zones]# cat public.xml.old
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="65422"/>
</zone>
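As an added example (not code from the original post), a small Python script that parses the zone XML format shown above and reports what a reload would open or close, using constructed copies of public.xml and public.xml.old. It validates each port entry the way a practitioner would want before trusting a hand-edited zone file.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the two zone files shown above (old = before port 80 was removed).
PUBLIC_XML_OLD = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="65422"/>
</zone>"""

PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="65422"/>
</zone>"""


def _check_port_range(spec):
    """Accept '80' or '8080-8090'; every number must be within 1..65535."""
    parts = spec.split("-")
    if len(parts) > 2 or not all(p.isdigit() and 1 <= int(p) <= 65535 for p in parts):
        raise ValueError(f"invalid port spec: {spec!r}")
    if len(parts) == 2 and int(parts[0]) > int(parts[1]):
        raise ValueError(f"inverted port range: {spec!r}")


def parse_zone(xml_text):
    """Return (services, ports) declared in a firewalld zone file, e.g. {'ssh'}, {'65422/tcp'}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    services = {s.get("name") for s in root.findall("service")}
    ports = set()
    for p in root.findall("port"):
        proto, spec = p.get("protocol"), p.get("port")
        if proto not in ("tcp", "udp") or spec is None:
            raise ValueError(f"bad <port> element: protocol={proto!r} port={spec!r}")
        _check_port_range(spec)
        ports.add(f"{spec}/{proto}")
    return services, ports


def zone_diff(old_xml, new_xml):
    """Describe what firewall-cmd --reload would change when moving from old to new."""
    old_s, old_p = parse_zone(old_xml)
    new_s, new_p = parse_zone(new_xml)
    return {"services_added": new_s - old_s, "services_removed": old_s - new_s,
            "ports_added": new_p - old_p, "ports_removed": old_p - new_p}
```

Run zone_diff on the two files to see that only 80/tcp is closed and nothing else changes, which matches the two --list-all outputs earlier on the page.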
Please credit when reposting: LAOV Blog » Using firewalld on CentOS 7