I. systemd commands for managing firewalld
Start: systemctl start firewalld
Stop: systemctl stop firewalld
Check status: systemctl status firewalld
Disable at boot: systemctl disable firewalld
Enable at boot: systemctl enable firewalld
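Note: Liu Hongdi's Architecture Forest (劉宏締的架構森林) is a blog focused on architecture, at https://www.cnblogs.com/architectforest
The corresponding source code is available here: https://github.com/liuhongdi/
Note: Author: Liu Hongdi. Email: 371125307@qq.com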
II. General firewall-cmd commands:
1. Show the firewall-cmd version:
[root@localhost liuhongdi]# firewall-cmd --version
0.7.0
2. Show the firewall-cmd help:
[root@localhost liuhongdi]# firewall-cmd --help
3. Show the firewalld state:
[root@localhost liuhongdi]# firewall-cmd --state
running
4. Reload the firewall rules:
[root@localhost liuhongdi]# firewall-cmd --reload
success
Note: --reload makes the "permanent" configuration take effect immediately, replacing the rules currently in effect.
5. List all firewalld rules:
[root@localhost zones]# firewall-cmd --list-all
III. Zone commands:
1. Get the default zone:
[root@localhost liuhongdi]# firewall-cmd --get-default-zone
public
2. Get the zones currently in use and their network interfaces:
[root@localhost liuhongdi]# firewall-cmd --get-active-zones
libvirt
interfaces: virbr0
public
interfaces: ens33
3. Get all available zones:
[root@localhost liuhongdi]# firewall-cmd --get-zones
block dmz drop external home internal libvirt public trusted work
4. Set the default zone:
[root@localhost liuhongdi]# firewall-cmd --set-default-zone=drop
success
[root@localhost liuhongdi]# firewall-cmd --get-active-zones
drop
interfaces: ens33
libvirt
interfaces: virbr0
Note: the drop zone discards all incoming packets without replying, so on a host managed remotely this change cuts off new inbound connections, SSH included.
IV. Service commands:
1. List all available services:
[root@localhost liuhongdi]# firewall-cmd --get-services
2. List the services currently allowed:
[root@localhost liuhongdi]# firewall-cmd --list-services
3. Allow a service:
[root@localhost liuhongdi]# firewall-cmd --add-service=http
4. Remove a service:
[root@localhost liuhongdi]# firewall-cmd --remove-service=http --permanent
success
Note on the --permanent parameter: with --permanent, the change takes effect permanently after a restart or reload; without --permanent it takes effect only temporarily.
V. Port commands:
1. List all open ports:
[root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports
80/tcp 8080/tcp 22/tcp
2. Open a port:
[root@localhost liuhongdi]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
3. Close a port that was opened:
[root@localhost liuhongdi]# firewall-cmd --zone=public --remove-port=80/tcp --permanent
success
VI. Verifying the behaviour of the --permanent parameter:
1. A port added with --permanent does not take effect immediately; it takes effect after a reload:
[root@localhost liuhongdi]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports
8080/tcp 22/tcp
[root@localhost liuhongdi]# firewall-cmd --reload
success
[root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports
8080/tcp 22/tcp 80/tcp
2. A port removed with --permanent is likewise not removed immediately; it also needs a reload:
[root@localhost liuhongdi]# firewall-cmd --zone=public --remove-port=80/tcp --permanent
success
[root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports
8080/tcp 22/tcp 80/tcp
[root@localhost liuhongdi]# firewall-cmd --reload
success
[root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports
8080/tcp 22/tcp
3. Without --permanent, the change takes effect immediately:
[root@localhost liuhongdi]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@localhost liuhongdi]# firewall-cmd --zone=public --list-ports
8080/tcp 22/tcp 80/tcp
VII. Operations on IP addresses:
1. Allow access from one IP:
[root@localhost liuhongdi]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="43.229.53.61" accept'
2. Block access from one IP:
[root@localhost liuhongdi]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="43.229.53.61" drop'
Note: reject can be used in place of drop.
The difference is that drop gives the sender no indication that access was refused and simply discards the packet.
3. Allow one IP to reach a specific port:
[root@localhost liuhongdi]# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="22" accept'
success
4. Remove a rich rule:
[root@localhost liuhongdi]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.142.166" port protocol="tcp" port="22" accept'
success
VIII. Where are manually added firewall rules stored?
/etc/firewalld/zones/public.xml
Note: you can edit this XML rule file by hand
and then run a reload.
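IX. Points to watch in production:
If the http service has already been added, port 80 can still be added as well,
which means that closing the http service also requires closing port 80.
So prefer ports wherever possible, and do not mix services and ports.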
X. An example firewall zone file from a production environment:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <port port="80" protocol="tcp"/>
  <rule family="ipv4">
    <source address="10.0.10.1"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="43.229.53.61"/>
    <drop/>
  </rule>
</zone>
Notes:
1. In production the firewall must restrict access by IP address; it must not allow arbitrary access from the public internet.
2. The fewer open ports the better; ideally open only the one port that has a running business service behind it.
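The production advice above (do not mix services and ports, restrict by source IP, open as few ports as possible) can be checked mechanically against a zone file. The following is an added example, not code from the original post: the function name audit_zone, the small service-to-port table and the MIXED_ZONE sample are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed subset of firewalld's stock service-to-port mapping; the real
# definitions live in /usr/lib/firewalld/services/*.xml.
SERVICE_PORTS = {"http": {("80", "tcp")}, "https": {("443", "tcp")},
                 "ssh": {("22", "tcp")}}

# Constructed sample: mixes service and port, and has an unrestricted accept.
MIXED_ZONE = """<zone>
  <service name="http"/>
  <port port="80" protocol="tcp"/>
  <port port="22" protocol="tcp"/>
  <rule family="ipv4"><port port="3306" protocol="tcp"/><accept/></rule>
</zone>"""

# The production zone file shown on this page, reduced to its rule elements.
PAGE_ZONE = """<zone>
  <port port="80" protocol="tcp"/>
  <rule family="ipv4"><source address="10.0.10.1"/><accept/></rule>
  <rule family="ipv4"><source address="43.229.53.61"/><drop/></rule>
</zone>"""

def audit_zone(xml_text):
    """Return a list of findings for one firewalld zone definition."""
    zone = ET.fromstring(xml_text)
    findings = []
    # Zone-level <port> and <service> elements apply to every source address.
    ports = {(p.get("port"), p.get("protocol")) for p in zone.findall("port")}
    services = [s.get("name") for s in zone.findall("service")]
    for name in services:
        for port, proto in sorted(SERVICE_PORTS.get(name, set()) & ports):
            findings.append(f"overlap: {port}/{proto} opened by port list and service {name}")
    exposed = ports.union(*(SERVICE_PORTS.get(n, set()) for n in services))
    if len(exposed) > 1:
        listing = ", ".join(f"{p}/{q}" for p, q in sorted(exposed))
        findings.append(f"exposure: open to any source: {listing}")
    # A rich-rule accept with no <source> child is not restricted by IP.
    for rule in zone.findall("rule"):
        if rule.find("accept") is not None and rule.find("source") is None:
            findings.append("unrestricted: rich rule accepts without a source address")
    return findings

if __name__ == "__main__":
    for label, text in (("mixed", MIXED_ZONE), ("page", PAGE_ZONE)):
        print(label, audit_zone(text) or "no findings")
```

On a real host, pass the contents of /etc/firewalld/zones/public.xml to audit_zone after each manual edit and before running the reload.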