firewall-cmd notes

Check whether firewalld is running

# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Thu 2015-01-22 20:51:48 EST; 2h 15min ago
 Main PID: 564 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─564 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jan 22 20:51:48 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.

or

# firewall-cmd --state
running

View the current configuration

# firewall-cmd --get-default-zone
internal
# firewall-cmd --get-active-zones
internal
  interfaces: enp0s3

Here enp0s3 is the network interface bound to the zone.

List the available zones

# firewall-cmd --get-zones
block dmz drop external home internal public trusted work

Change the default zone. This change is only temporary and is lost after a reboot.

# firewall-cmd --set-default-zone=home
success

Get the details of the public zone

# firewall-cmd --zone=public --list-all
public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

Note: --list-all only shows the permanent configuration (the one that is not lost after a reboot).

Service management

Permanently add the http service to the internal zone

# firewall-cmd --permanent --zone=internal --add-service=http
success
# firewall-cmd --reload

 note: use --remove-service=http to disable the http service
 note: firewall-cmd --reload must be run to activate the previous changes

Source: https://www.cnblogs.com/jHenry/p/4243846.html