firewalld

Basics

systemctl stop firewalld
systemctl disable firewalld

firewall-cmd --reload       # rules added with --permanent also need a reload before they take effect

show

firewall-cmd --state                # check whether firewalld is running

firewall-cmd --get-zone-of-interface=eth0               # show the zone an interface belongs to
firewall-cmd --get-default-zone                         # get the default zone
firewall-cmd --get-active-zones                         # get the active zones
firewall-cmd --permanent --zone=public --get-target     # get the zone's default target (its default action)

firewall-cmd --zone=public --list-all   # list all rules of the zone

Management

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=100-500/tcp           # temporarily add a port range (runtime only, not --permanent)

firewall-cmd --zone=work --add-source=10.2.1.200

# change the zone an interface is assigned to
firewall-cmd --zone=drop --change-interface=eth0

firewall-cmd --set-default-zone=drop

Rich rules

# list rich rules
firewall-cmd --list-rich-rules

# add a fine-grained rule
firewall-cmd --zone=public --permanent --add-rich-rule 'rule family="ipv4" source address=10.27.10.181 port port=26379 protocol=tcp accept'

firewall-cmd --zone=public --permanent --remove-rich-rule='rule family="ipv4" source address="10.27.10.0/24" port port="22" protocol="tcp" accept'

# add an access policy for a whole subnet
firewall-cmd --zone=drop --permanent --add-rich-rule 'rule family="ipv4" source address=10.27.10.0/24 port port=9001 protocol=tcp accept'

Example: typical initialization

firewall-cmd --zone=public  --remove-service=ssh
firewall-cmd --zone=public  --remove-service=ssh --permanent
firewall-cmd --zone=public  --remove-service=dhcpv6-client --permanent
firewall-cmd --zone=public  --remove-service=cockpit --permanent

firewall-cmd --zone=public  --add-icmp-block=echo-request
firewall-cmd --zone=public  --add-icmp-block=echo-reply

firewall-cmd --permanent --zone=trusted --add-source=10.2.2.0/24
firewall-cmd --permanent --zone=trusted --add-source=10.3.0.1/32
firewall-cmd --permanent --zone=trusted --add-source=192.168.0.175/32

firewall-cmd --permanent --zone=trusted --remove-source=192.168.0.175/24
firewall-cmd --permanent --zone=trusted --remove-source=10.2.1.5/32

firewall-cmd --permanent --zone=trusted --remove-source=192.168.0.175/32

firewall-cmd --zone=trusted --list-all
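The initialization above repeats every command once for runtime and once with --permanent; as an added example (not from the original note) here is a small POSIX sh helper that applies both in one call, builds rich rules with every value quoted, and validates an IPv4 source before it goes into a rule. FIREWALL_CMD, fw_apply, rich_rule, is_ipv4_cidr, fw_allow_from and fw_baseline are names assumed here; with FIREWALL_CMD=echo the helpers dry-run on a host without firewalld.

```shell
# Added example (not from the original note). FIREWALL_CMD is an assumed variable;
# FIREWALL_CMD=echo dry-runs the helpers on a host without firewalld.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_apply ZONE ARGS...: same change for the runtime and the permanent config.
fw_apply() {
    zone="$1"; shift
    "$FIREWALL_CMD" --zone="$zone" "$@" &&
        "$FIREWALL_CMD" --permanent --zone="$zone" "$@"
}

# rich_rule FAMILY SOURCE PORT PROTO ACTION: one rule string with every value quoted.
rich_rule() {
    printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" %s' \
        "$1" "$2" "$3" "$4" "$5"
}

# is_ipv4_cidr ADDR[/PREFIX]: four octets 0-255 and an optional prefix 0-32.
is_ipv4_cidr() {
    case "$1" in
        */*) ip="${1%/*}"; prefix="${1##*/}" ;;
        *)   ip="$1"; prefix=32 ;;
    esac
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    n=0; old_ifs="$IFS"; IFS=.
    for octet in $ip; do
        case "$octet" in ''|*[!0-9]*) IFS="$old_ifs"; return 1 ;; esac
        [ "$octet" -le 255 ] || { IFS="$old_ifs"; return 1; }
        n=$((n + 1))
    done
    IFS="$old_ifs"
    [ "$n" -eq 4 ]
}

# fw_allow_from ZONE SOURCE PORT: allow TCP PORT from SOURCE through a rich rule.
fw_allow_from() {
    is_ipv4_cidr "$2" || { echo "rejected source: $2" >&2; return 1; }
    fw_apply "$1" --add-rich-rule "$(rich_rule ipv4 "$2" "$3" tcp accept)"
}

# fw_baseline: the note's initialization; trusted access is opened before ssh leaves public.
fw_baseline() {
    fw_apply trusted --add-source=10.2.2.0/24
    fw_allow_from public 10.27.10.0/24 22
    fw_apply public --remove-service=ssh
    fw_apply public --add-icmp-block=echo-request
    "$FIREWALL_CMD" --zone=public --list-all
}
```

Because fw_apply chains the two calls with &&, a failed runtime change is not written to the permanent configuration, which keeps the two views consistent.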
Licensed under CC BY-NC-SA 4.0
When reposting or quoting this article, follow the license terms, notify the author and credit the source.
No commercial use!
Last updated 2023-02-10 00:00 UTC