  • firewalld 操作实践

    1、firewalld 从名称上看,模仿的是硬件防火墙中 zone(区域)的概念。所有的接口都必须属于某个 zone,规则在 zone 内配置。

    2.  常用的操作是增加一条允许某个 tcp 或 udp 端口通过的规则。

        firewall-cmd --add-service icmp --permanent

        firewall-cmd --reload

    3.  firewalld进程有时候可能没有启动。需要启动一下对应的进程。

    [root@localhost zhou]# firewall-cmd --reload
    FirewallD is not running
    [root@localhost zhou]# ps -ef | grep firewall
    root 2970 2757 0 07:57 pts/0 00:00:00 grep --color=auto firewall
    [root@localhost zhou]# systemctl start firewalld
    [root@localhost zhou]#
    [root@localhost zhou]# ps -ef | grep firewall
    root 2983 1 14 07:58 ? 00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
    root 3207 2757 0 07:58 pts/0 00:00:00 grep --color=auto firewall
    [root@localhost zhou]#
    [root@localhost zhou]#

    4. 查看系统所有的zone

    [root@localhost zhou]# firewall-cmd --get-zones          ---> 显示所有zone
    work drop internal external trusted home dmz public block
    [root@localhost zhou]# firewall-cmd --get-default-zone   ---> 显示默认zone
    public
    [root@localhost zhou]#
    [root@localhost zhou]# firewall-cmd --list-all-zones    ---> 显示所有zone的所有规则
    work
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    drop
    target: DROP
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    internal
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client mdns samba-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    external
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh
    ports:
    protocols:
    masquerade: yes
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    trusted
    target: ACCEPT
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    home
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: dhcpv6-client mdns samba-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    dmz
    target: default
    icmp-block-inversion: no
    interfaces:
    sources:
    services: ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens33 ens37
    sources:
    services: dhcpv6-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    block
    target: %%REJECT%%
    icmp-block-inversion: no
    interfaces:
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    [root@localhost zhou]#

    [root@localhost zhou]# firewall-cmd --list-all --zone=public   ---> 显示public zone的所有规则
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens33
    sources:
    services: dhcpv6-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    [root@localhost zhou]#

    5. 获取接口默认所属的zone

    [root@localhost zhou]# firewall-cmd --get-zone-of-interface ens33
    public
    [root@localhost zhou]#
    [root@localhost zhou]# ip link
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:f2:c7:50 brd ff:ff:ff:ff:ff:ff
    3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
    link/ether 00:0c:29:f2:c7:5a brd ff:ff:ff:ff:ff:ff
    4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT qlen 1000
    link/ether 52:54:00:15:47:59 brd ff:ff:ff:ff:ff:ff
    5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT qlen 1000
    link/ether 52:54:00:15:47:59 brd ff:ff:ff:ff:ff:ff
    [root@localhost zhou]#
    [root@localhost zhou]# firewall-cmd --get-zone-of-interface lo
    no zone
    [root@localhost zhou]#
    [root@localhost zhou]# firewall-cmd --get-zone-of-interface ens37
    no zone
    [root@localhost zhou]#
    [root@localhost zhou]#

    6. 增加或移除某个服务或端口号

    [root@localhost zhou]# firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public
    success
    [root@localhost zhou]# firewall-cmd --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens33
    sources:
    services: dhcpv6-client ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    [root@localhost zhou]# firewall-cmd --reload
    success
    [root@localhost zhou]# firewall-cmd --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens33
    sources:
    services: ssh
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    [root@localhost zhou]#

    [root@localhost zhou]# firewall-cmd --remove-service=ssh --zone=public
    success
    [root@localhost zhou]#
    [root@localhost zhou]#

    从 public zone 移除 ssh 服务:上面的命令执行后,新的 ssh 连接就不能再建立,对已有的 ssh 连接无影响。注意该命令没有加 --permanent,只修改运行时配置;执行 --reload 后运行时配置会从永久配置重新加载,这条移除就会被撤销(与第 6 步中加了 --permanent 的修改要 --reload 才生效是同一机制的两面)。
    [root@localhost zhou]# firewall-cmd --list-all
    public (active)
    target: default
    icmp-block-inversion: no
    interfaces: ens33
    sources:
    services:
    ports:
    protocols:
    masquerade: no
    forward-ports:
    sourceports:
    icmp-blocks:
    rich rules:

    [root@localhost zhou]#

    [root@localhost zhou]# firewall-cmd --permanent --add-port=3306/tcp   ----> 增加 tcp 端口号 3306,即 MySQL 服务器的端口号。未指定 --zone 时作用于默认 zone(本机为 public),且同样要 --reload 后才生效。
    success
    [root@localhost zhou]# firewall-cmd --reload
    success
    [root@localhost zhou]#

    参考:

    Firewalld详解

    https://zhuanlan.zhihu.com/p/23519454

  • 原文地址:https://www.cnblogs.com/zhouhaibing/p/7636208.html