firewall-cmd notes
Check whether firewalld is running
# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Thu 2015-01-22 20:51:48 EST; 2h 15min ago
 Main PID: 564 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─564 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jan 22 20:51:48 localhost.localdomain systemd[1]: Started firewalld - dynamic...
Hint: Some lines were ellipsized, use -l to show in full.
or
# firewall-cmd --state
running
View the current configuration
# firewall-cmd --get-default-zone
internal
# firewall-cmd --get-active-zones
internal
  interfaces: enp0s3
Here enp0s3 is the network interface that is bound to the zone.
List the available zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
Change the default zone. This change is only temporary and is lost after a reboot.
# firewall-cmd --set-default-zone=home
success
Get the details of the public zone
# firewall-cmd --zone=public --list-all
public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Note: --list-all only shows the permanent configuration (the configuration that is not lost after a reboot).
Managing services
Permanently add the http service to the internal zone
# firewall-cmd --permanent --zone=internal --add-service=http
success
# firewall-cmd --reload
note: use --remove-service=http to remove the http service again
note: you must run firewall-cmd --reload to activate the preceding changes
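The note above is easy to get wrong in practice: a service added with --permanent is not active until firewall-cmd --reload has run, and a service added without --permanent disappears at the next reload. The following POSIX sh script is an added example (it is not part of the original notes and not part of firewalld) that parses --list-all output of the shape shown above and reports, for one service in one zone, whether it is allowed in both the running and the saved (--permanent) configuration or only in one of them. The check_zone_service function assumes firewall-cmd is installed; the parsing functions work on captured text, and the two sample listings at the bottom are constructed here to mirror the format printed in the notes.

```shell
#!/bin/sh
# Added example, not from the original notes: audit whether a service is
# allowed in a firewalld zone and detect drift between the running
# configuration and the saved (--permanent) configuration.

# Extract the "services:" field from captured `firewall-cmd --zone=Z --list-all`
# output. Prints the space-separated service names (empty if none).
zone_services() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# Return 0 if SERVICE ($2) appears in the services field of listing $1.
zone_has_service() {
    for svc in $(zone_services "$1"); do
        [ "$svc" = "$2" ] && return 0
    done
    return 1
}

# Compare a runtime listing ($1) with a permanent listing ($2) for service $3.
# Prints one of:
#   ok             allowed in both (permanent change has been reloaded)
#   pending-reload allowed only in the permanent config (run firewall-cmd --reload)
#   runtime-only   allowed only right now (will vanish at the next reload)
#   missing        allowed in neither
service_state() {
    runtime_listing=$1; permanent_listing=$2; service=$3
    if zone_has_service "$runtime_listing" "$service"; then
        if zone_has_service "$permanent_listing" "$service"; then
            echo ok
        else
            echo runtime-only
        fi
    else
        if zone_has_service "$permanent_listing" "$service"; then
            echo pending-reload
        else
            echo missing
        fi
    fi
}

# Live check on a host with firewalld (assumes firewall-cmd is in PATH).
# Usage: check_zone_service internal http
check_zone_service() {
    zone=$1; service=$2
    rt=$(firewall-cmd --zone="$zone" --list-all)
    pm=$(firewall-cmd --permanent --zone="$zone" --list-all)
    service_state "$rt" "$pm" "$service"
}

# Constructed sample listings in the --list-all format shown in the notes:
# http has been added with --permanent but firewall-cmd --reload has not run yet.
SAMPLE_RUNTIME='internal
  interfaces: enp0s3
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'
SAMPLE_PERMANENT='internal
  interfaces: enp0s3
  sources:
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Offline demonstration on the constructed samples: `sh firewall-audit.sh demo`
if [ "${1:-}" = "demo" ]; then
    echo "ssh:  $(service_state "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" ssh)"
    echo "http: $(service_state "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" http)"
fi
```

On a real host, `check_zone_service internal http` run right after the --permanent --add-service command above prints pending-reload, and prints ok once firewall-cmd --reload has been executed; runtime-only is the case to watch for when auditing, because such an opening silently disappears at the next reload or reboot.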