CentOS firewalld 设置常用命令

CentOS firewalld usage

Author: Haijian.Zeng   Date: 2017-07-18
  • Reference: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html

Starting and stopping firewalld

$ systemctl start firewalld
$ systemctl stop firewalld

Enabling and disabling firewalld at boot

$ systemctl enable firewalld
$ systemctl disable firewalld

Listing the firewalld zones

$ firewall-cmd --list-all-zones
...
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: dhcpv6-client http https ssh
ports: 80/tcp 5000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
...

Get the default zone, i.e. the zone that commands act on when no --zone option is given

$ firewall-cmd --get-default-zone
public

Get the currently active zones

$ firewall-cmd --get-active-zones
public
interfaces: ens160

Permanently add the http service to the public zone

$ firewall-cmd --permanent --zone=public --add-service=http

Permanently remove the http service from the public zone

$ firewall-cmd --permanent --zone=public --remove-service=http

Permanently add port 8080 to the public zone

$ firewall-cmd --permanent --zone=public --add-port=8080/tcp

Permanently remove port 8080 from the public zone

$ firewall-cmd --permanent --zone=public --remove-port=8080/tcp

Remember to reload after adding or removing rules: changes made with --permanent are written to the on-disk configuration and only reach the running firewall after a reload (conversely, changes made without --permanent apply immediately but are lost on reload)

$ firewall-cmd --reload

Check the resulting configuration

$ firewall-cmd --list-all --zone=public
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: dhcpv6-client http https ssh
ports: 80/tcp 5000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:
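The listing above is also the natural input for a configuration check. The script below is an added example (not from the original post): it parses the text that `firewall-cmd --zone=<zone> --list-all` prints and reports every service or port that is open but not in an expected baseline, so drift from the intended zone configuration (such as a forgotten --add-port) is caught. The baselines and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Audit a firewalld zone against an expected baseline by parsing the
# "name: value" lines of `firewall-cmd --list-all`. Baselines and the
# sample listing are constructed for this example, not from a real host.
set -eu

# Print the value of one "name: value" field from a listing read on stdin.
# Anchored at line start so "ports" does not match "sourceports" or "forward-ports".
zone_field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p"
}

# Return 0 if word $1 appears in the space-separated list $2.
in_list() {
  case " $2 " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# Usage: audit_listing "<allowed services>" "<allowed ports>" < listing
# Prints one line per unexpected item and returns 1 if any were found.
audit_listing() {
  local allowed_services="$1" allowed_ports="$2" listing item bad=0
  listing="$(cat)"
  for item in $(printf '%s\n' "$listing" | zone_field services); do
    in_list "$item" "$allowed_services" || { echo "unexpected service: $item"; bad=1; }
  done
  for item in $(printf '%s\n' "$listing" | zone_field ports); do
    in_list "$item" "$allowed_ports" || { echo "unexpected port: $item"; bad=1; }
  done
  return "$bad"
}

# Live use (needs firewalld running and sufficient privileges), e.g.:
#   audit_zone public "dhcpv6-client https ssh" "80/tcp"
audit_zone() {
  firewall-cmd --zone="$1" --list-all | audit_listing "$2" "$3"
}

# Constructed sample, matching the public zone listing shown in the post.
SAMPLE_LISTING='public (active)
  target: default
  interfaces: ens160
  services: dhcpv6-client http https ssh
  ports: 80/tcp 5000/tcp
  masquerade: no
  rich rules:'

# Demo: 5000/tcp is open but not in the baseline, so this prints it and returns 1.
printf '%s\n' "$SAMPLE_LISTING" | audit_listing "dhcpv6-client http https ssh" "80/tcp" || true
```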

List the services and ports firewalld has opened (in the default zone, since no --zone is given)

$ firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens160
sources:
services: dhcpv6-client http https ssh
ports: 80/tcp 5000/tcp
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

List all available zones

$ firewall-cmd --get-zones
work drop internal external trusted home dmz public block

Inspect the state of a specific zone

$ firewall-cmd --zone=home --list-all
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

List the services firewalld supports by default

  • The service definitions are located in /usr/lib/firewalld/services

$ firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

View the definition file of a specific service

$ cat /usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>SSH</short>
<description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
<port protocol="tcp" port="22"/>
</service>