Firewall - firewalld

How to use the firewall (firewall-cmd)

Viewing

  1. Check the running state

    ]# firewall-cmd --state
    running
    
  2. Show the active zones

    ]# firewall-cmd --get-active-zones
    public
      interfaces: ens33
    
  3. Show the zone of a given interface

    ]# firewall-cmd --get-zone-of-interface=ens33
    public
    
  4. Show all information for a given zone

    ]# firewall-cmd --zone=public --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens33
      sources: 
      services: dhcpv6-client ssh
      ports: 20022/tcp
      protocols: 
      masquerade: no
      forward-ports: 
      source-ports: 
      icmp-blocks: 
      rich rules: 
    
  5. List the open ports

    ]# firewall-cmd --list-ports
    
  6. List all services that can be allowed in any zone

    ]# firewall-cmd --get-services
    RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
    
  7. List the services allowed in all zones after a restart, i.e. the permanently allowed services

    ]# firewall-cmd --get-services --permanent
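
The `--list-all` output in step 4 is what you audit to answer "what is this host exposing?". The script below is an added example and not part of the original post: it parses that output format and reports any open port or service that is not on an allowlist. The sample text is constructed, modelled on the step 4 output above with one extra port and one extra service so there is something to flag; the function names `zone_field`, `zone_has` and `audit_zone` are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): parse `firewall-cmd --zone=<zone> --list-all`
# output and flag anything exposed beyond an allowlist.

# Constructed sample, modelled on the --list-all output above, with 8080/tcp and the
# http service added so the audit has something to report.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client ssh http
  ports: 20022/tcp 8080/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# zone_field FIELD: read --list-all text on stdin and print the values of FIELD
# ("ports", "services", "rich rules", ...) one per line; an empty field prints nothing.
# The match is anchored at the start of the line so "ports" does not match "forward-ports".
zone_field() {
    awk -v field="$1:" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (index(line, field) != 1) next
            rest = substr(line, length(field) + 1)
            n = split(rest, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
        }'
}

# zone_has ENTRY FIELD: exit 0 when ENTRY is listed in FIELD of the --list-all text on stdin.
zone_has() {
    zone_field "$2" | grep -qxF -- "$1"
}

# audit_zone "ALLOWED_PORTS" "ALLOWED_SERVICES": read --list-all text on stdin and print
# every open port or service missing from the space-separated allowlists.
# Returns 1 if anything unexpected was found, 0 otherwise. (Variables are global: POSIX sh.)
audit_zone() {
    allowed_ports=" $1 "
    allowed_services=" $2 "
    text=$(cat)
    found=0
    for p in $(printf '%s\n' "$text" | zone_field ports); do
        case "$allowed_ports" in
            *" $p "*) ;;
            *) echo "unexpected port: $p"; found=1 ;;
        esac
    done
    for s in $(printf '%s\n' "$text" | zone_field services); do
        case "$allowed_services" in
            *" $s "*) ;;
            *) echo "unexpected service: $s"; found=1 ;;
        esac
    done
    return $found
}

# Stand-alone demo: `sh this_script.sh --demo` audits the constructed sample against
# what the host in this post exposes (20022/tcp, dhcpv6-client and ssh). On a real host,
# pipe `firewall-cmd --zone=public --list-all` into audit_zone instead of the sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LIST_ALL" | audit_zone "20022/tcp" "dhcpv6-client ssh"
fi
```

Running the demo prints `unexpected port: 8080/tcp` and `unexpected service: http` and exits 1, which makes the function usable as a cron or CI check against drift in the zone.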
    

Management

  1. Remove an interface from public

    ]# firewall-cmd --zone=public --remove-interface=ens33
    
  2. Query whether a port is open to the outside

    [root@wanwz ~]# firewall-cmd --permanent --query-port=80/tcp
    no
    [root@wanwz ~]# firewall-cmd --permanent --query-port=22/tcp
    no
    [root@wanwz ~]# firewall-cmd --permanent --query-port=20022/tcp
    yes
    
  3. Remove a given port

    ]# firewall-cmd --permanent --remove-port=80/tcp
    
  4. Add a given port

    ]# firewall-cmd --permanent --add-port=80/tcp
    
  5. Forward requests arriving at one port to another port

    ]# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080
    
  6. Reload the configuration

    ]# firewall-cmd --reload
    
  7. Start the firewall

    ]# systemctl start firewalld
    
  8. Stop the firewall

    ]# systemctl stop firewalld
    
  9. Enable start at boot

    ]# systemctl enable firewalld
    
  10. Disable start at boot

    ]# systemctl disable firewalld
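
The commands in steps 2 to 6 depend on a distinction the post does not spell out: firewalld keeps a runtime configuration (enforced now) and a permanent one (loaded on reload or restart). `--add-port` without `--permanent` changes only the runtime set and is lost on `--reload`; `--permanent --add-port` changes only the saved set and does nothing until `--reload`; and `--reload` discards every runtime-only change, including the `--add-forward-port` rule from step 5, which was added without `--permanent`. The script below is an added example, not from the original post: `ensure_port` opens a port in both sets idempotently, so the new rule is active immediately and survives a reboot without a reload that would drop other runtime-only rules. `ensure_port`, `port_present`, `FWCMD`, `ZONE`, `FAKE_DIR` and `fake_firewall_cmd` are this example's own names; the fake is a constructed stand-in that models only the query/add/reload behaviour of `firewall-cmd` so the workflow can be exercised on a machine without root or firewalld.

```shell
#!/bin/sh
# Added example, not part of the original post: open a port in both the runtime and the
# permanent firewalld configuration, idempotently and without a reload.

FWCMD=${FWCMD:-firewall-cmd}   # override point (this example's own): set to fake_firewall_cmd to run without root
ZONE=${ZONE:-public}

# port_present SET PORT: exit 0 if PORT (e.g. 80/tcp) is open in $ZONE.
# SET is "--permanent" for the saved configuration or "" for the runtime one.
port_present() {
    "$FWCMD" $1 --zone="$ZONE" --query-port="$2" >/dev/null 2>&1
}

# ensure_port PORT: make PORT open now and after reboot, adding only what is missing.
# Prints one line per set saying what was done; returns 1 if a firewall-cmd call failed.
ensure_port() {
    port=$1
    if port_present --permanent "$port"; then
        echo "permanent: $port already present"
    else
        "$FWCMD" --permanent --zone="$ZONE" --add-port="$port" >/dev/null || return 1
        echo "permanent: added $port"
    fi
    if port_present "" "$port"; then
        echo "runtime: $port already present"
    else
        "$FWCMD" --zone="$ZONE" --add-port="$port" >/dev/null || return 1
        echo "runtime: added $port"
    fi
}

# Constructed stand-in for firewall-cmd (this example's own, not firewalld's code): keeps
# each set as a file under $FAKE_DIR and models only --query-port, --add-port and --reload,
# with the real tool's yes/no output and 0/1 exit status for queries.
fake_firewall_cmd() {
    fake_set="$FAKE_DIR/runtime"; fake_port=""; fake_action=""
    for fake_arg in "$@"; do
        case "$fake_arg" in
            --permanent)    fake_set="$FAKE_DIR/permanent" ;;
            --zone=*)       ;;
            --query-port=*) fake_action=query; fake_port=${fake_arg#--query-port=} ;;
            --add-port=*)   fake_action=add;   fake_port=${fake_arg#--add-port=} ;;
            --reload)       fake_action=reload ;;
            *) echo "fake_firewall_cmd: unsupported argument $fake_arg" >&2; return 2 ;;
        esac
    done
    touch "$FAKE_DIR/runtime" "$FAKE_DIR/permanent"
    case "$fake_action" in
        query)  if grep -qxF -- "$fake_port" "$fake_set"; then echo yes; else echo no; return 1; fi ;;
        add)    grep -qxF -- "$fake_port" "$fake_set" || echo "$fake_port" >> "$fake_set"; echo success ;;
        reload) cp "$FAKE_DIR/permanent" "$FAKE_DIR/runtime"; echo success ;;  # runtime-only entries vanish here
        *)      echo "fake_firewall_cmd: no action given" >&2; return 2 ;;
    esac
}

# Stand-alone demo against the fake: `sh this_script.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    FAKE_DIR=$(mktemp -d); FWCMD=fake_firewall_cmd
    ensure_port 80/tcp                                # adds to both sets
    ensure_port 80/tcp                                # second run changes nothing
    fake_firewall_cmd --add-port=8080/tcp >/dev/null  # runtime only, like the step 5 forward-port
    fake_firewall_cmd --reload >/dev/null
    port_present "" 8080/tcp || echo "8080/tcp is gone after reload: it was never made permanent"
    rm -rf "$FAKE_DIR"
fi
```

On a real host, leave `FWCMD` unset and run `ensure_port 80/tcp` as root; afterwards `firewall-cmd --query-port=80/tcp` and `firewall-cmd --permanent --query-port=80/tcp` (step 2) both answer `yes`. Note also that step 8, `systemctl stop firewalld`, leaves the host with no packet filtering at all until the service is started again.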
    
posted @ 2020-05-25 10:50  wanwz  views(195)  comments(0)