注意:firewalld服务有两份规则策略配置记录,配置永久生效的策略记录时,需要执行"reload"参数后才能立即生效:
- Permanent:永久生效的
- RunTime:现在正在生效的
1.查看当前区域
[root@ecs-7bec-0002 bin]# chkconfig iptables off public
2.查看防火墙状态,需要注意的是,设置端口规则时防火墙必须是启动状态
[root@ecs-7bec-0002 ~]# systemctl status firewalld //返回信息提示防火墙未启动 ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: inactive (dead) //dead代表关闭状态 Docs: man:firewalld(1) [root@ecs-7bec-0002 ~]# systemctl start firewalld //启动防火墙 [root@ecs-7bec-0002 ~]# systemctl status firewalld ● firewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled) Active: active (running) since Tue 2018-10-09 19:38:36 CST; 2s ago Docs: man:firewalld(1) Main PID: 9269 (firewalld) CGroup: /system.slice/firewalld.service └─9269 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid Oct 09 19:38:36 ecs-7bec-0002 systemd[1]: Starting firewalld - dynamic firewall daemon... Oct 09 19:38:36 ecs-7bec-0002 systemd[1]: Started firewalld - dynamic firewall daemon.
3.配置需要开发的端口
[root@ecs-7bec-0002 ~]# firewall-cmd --zone=public --add-port=端口号/tcp --permanent success
4.执行命令使端口生效
[root@ecs-7bec-0002 ~]# firewall-cmd --reload success
5.查看端口是否生效
[root@ecs-7bec-0002 ~]# firewall-cmd --zone=public --query-port=端口号/tcp yes
6.防火墙其他操作
[root@ecs-7bec-0002 ~]# firewall-cmd --list-port //查看所有开发端口 3306/tcp 80/tcp [root@ecs-7bec-0002 ~]# firewall-cmd --zone=public --remove-port=8080/tcp --permanent 删除一个端口 success [root@ecs-7bec-0002 ~]# firewall-cmd --reload //使新配置的端口规则生效 success [root@ecs-7bec-0002 ~]# firewall-cmd --version //查看版本 0.4.3.2 [root@ecs-7bec-0002 ~]# firewall-cmd --state running [root@ecs-7bec-0002 ~]# firewall-cmd --get-active-zones //查看所在区域 public interfaces: eth0