firewalld firewall-cmd
Source: Internet  Published: reasons for the US-Soviet arms race, Zhihu  Editor: 程序博客网  Time: 2024/05/22 03:20
Original article: http://www.oracle-base.com/articles/linux/linux-firewall-firewalld.php
Reverting to the iptables Service
# systemctl stop firewalld
# systemctl disable firewalld
# yum install iptables-services
# touch /etc/sysconfig/iptables
# systemctl start iptables
# systemctl enable iptables
# touch /etc/sysconfig/ip6tables
# systemctl start ip6tables
# systemctl enable ip6tables
Installation
# yum install firewalld firewall-config
# systemctl start firewalld.service
# systemctl enable firewalld.service
# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago
 Main PID: 13246 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─13246 /usr/bin/python /usr/sbin/firewalld --nofork --nopid

Apr 20 14:06:44 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 20 14:06:46 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.

# systemctl stop firewalld.service
# systemctl disable firewalld.service
firewall-cmd
# firewall-cmd --help

# Check firewall state.
# firewall-cmd --state

# Check active zones.
# firewall-cmd --get-active-zones

# List the predefined service definitions firewalld knows about (runtime configuration).
# firewall-cmd --get-services

# List the service definitions in the permanent configuration (what will be known after the next reload).
# firewall-cmd --permanent --get-services
Lock down and unlock the firewall using the following commands.
# firewall-cmd --panic-on
success
# firewall-cmd --query-panic
yes
# firewall-cmd --panic-off
success
# firewall-cmd --query-panic
no
Reload the runtime configuration from the permanent files using the following command.
# firewall-cmd --reload
The firewall comes with predefined services, which are XML files in the "/usr/lib/firewalld/services/" directory.
# ls /usr/lib/firewalld/services/
amanda-client.xml      http.xml         libvirt.xml   pmwebapis.xml     ssh.xml
bacula-client.xml      imaps.xml        mdns.xml      pmwebapi.xml      telnet.xml
bacula.xml             ipp-client.xml   mountd.xml    pop3s.xml         tftp-client.xml
dhcpv6-client.xml      ipp.xml          ms-wbt.xml    postgresql.xml    tftp.xml
dhcpv6.xml             ipsec.xml        mysql.xml     proxy-dhcp.xml    transmission-client.xml
dhcp.xml               kerberos.xml     nfs.xml       radius.xml        vnc-server.xml
dns.xml                kpasswd.xml      ntp.xml       rpc-bind.xml      wbem-https.xml
ftp.xml                ldaps.xml        openvpn.xml   samba-client.xml
high-availability.xml  ldap.xml         pmcd.xml      samba.xml
https.xml              libvirt-tls.xml  pmproxy.xml   smtp.xml
You shouldn't edit these. Instead, copy a specific service file to the "/etc/firewalld/services/" directory and edit it there. The firewalld service always uses files in the "/etc/firewalld/services/" directory in preference to those in the "/usr/lib/firewalld/services/" directory. Remember to reload the config after making any changes.
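The override mechanism just described, worked through as an added example (this is not code from the page or from oracle-base): a small script that renders a service definition in the same `<service>`/`<short>`/`<description>`/`<port>` layout as the shipped files, writes it only into the local override directory (refusing to overwrite an existing local file), and shows which of the two copies firewalld will actually load. The service name "tomcat" and its ports are constructed for the example; `firewall-cmd --reload` still has to be run afterwards.

```python
import os
import xml.etree.ElementTree as ET

SYSTEM_SERVICES_DIR = "/usr/lib/firewalld/services"  # shipped definitions: do not edit
LOCAL_SERVICES_DIR = "/etc/firewalld/services"       # local overrides: edit here


def _check_port(spec):
    """Accept a single port ("8080") or a range ("8080-8081"), 1-65535, low <= high."""
    low, _, high = spec.partition("-")
    ends = [low, high] if high else [low]
    values = []
    for end in ends:
        if not end.isdigit() or not 1 <= int(end) <= 65535:
            raise ValueError(f"invalid port specification: {spec!r}")
        values.append(int(end))
    if len(values) == 2 and values[0] > values[1]:
        raise ValueError(f"inverted port range: {spec!r}")


def render_service_xml(short, description, ports):
    """Render a firewalld service definition; ports is a list of (port, protocol)."""
    service = ET.Element("service")
    ET.SubElement(service, "short").text = short
    ET.SubElement(service, "description").text = description
    for port, protocol in ports:
        if protocol not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {protocol!r}")
        _check_port(str(port))
        ET.SubElement(service, "port", protocol=protocol, port=str(port))
    body = ET.tostring(service, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def service_ports(xml_text):
    """Read the (port, protocol) pairs back out of a service definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError(f"not a service definition (root element is <{root.tag}>)")
    return [(p.get("port"), p.get("protocol")) for p in root.findall("port")]


def install_service(name, xml_text, local_dir=LOCAL_SERVICES_DIR):
    """Write the definition into the override directory, never the system directory.

    O_EXCL refuses to overwrite an existing local file, so a hand-edited copy
    is not silently replaced. Run `firewall-cmd --reload` afterwards.
    """
    os.makedirs(local_dir, exist_ok=True)
    path = os.path.join(local_dir, f"{name}.xml")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(xml_text)
    return path


def effective_service_file(name, local_dir=LOCAL_SERVICES_DIR,
                           system_dir=SYSTEM_SERVICES_DIR):
    """Path firewalld will load for a service name: the local override wins."""
    for directory in (local_dir, system_dir):
        candidate = os.path.join(directory, f"{name}.xml")
        if os.path.isfile(candidate):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed example: a service for a Tomcat instance on 8080-8081/tcp.
    definition = render_service_xml(
        "Tomcat", "Tomcat HTTP connectors", [("8080-8081", "tcp")])
    print(definition)
```

The `O_EXCL` open is deliberate: the local directory is where administrators keep hand-edited copies, and an automation script that silently replaces them is a common way to reopen a port that was closed on purpose.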
Add an existing service to a zone.
# # Set runtime and permanent independently.
# firewall-cmd --zone=public --add-service=https
# firewall-cmd --permanent --zone=public --add-service=https

or

# # Set permanent and reload the runtime config.
# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --reload
All subsequent examples will assume you want to amend both the runtime and permanent configuration and will only set the permanent configuration and then reload the runtime configuration.
Once you've amended the default configuration, the "/etc/firewalld/zones/public.xml" file will be created. You can manually amend this file, but you will need to issue a reload for the changes to take effect.
Check the services in a zone.
# firewall-cmd --zone=public --list-services
dhcpv6-client https ssh
# firewall-cmd --permanent --zone=public --list-services
dhcpv6-client https ssh
Remove a service from a zone.
# firewall-cmd --permanent --zone=public --remove-service=https# firewall-cmd --reload
Open a specific port or range in a zone, check its runtime and permanent configuration, then remove it.
# firewall-cmd --permanent --zone=public --add-port=8080-8081/tcp
# firewall-cmd --reload
# firewall-cmd --zone=public --list-ports
8080-8081/tcp
# firewall-cmd --permanent --zone=public --list-ports
8080-8081/tcp
# firewall-cmd --permanent --zone=public --remove-port=8080-8081/tcp
# firewall-cmd --reload
Rich rules allow you to create more complex configurations. The following command allows you to open HTTP access to a specific IP address.
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'
The "/etc/firewalld/zones/public.xml" file now contains the rich rule.
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>
The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option.
# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'
The following example opens and closes port 8080 for a specific source IP address using a rich rule.
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" port protocol="tcp" port="8080" accept'
# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>
#
# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" port protocol="tcp" port="8080" accept'
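Because the zone file is plain XML, the rich rules in it can be audited offline. The following script is an added example (not code from the page or from oracle-base): it parses a zone file with the same elements as the public.xml shown above, lists its services, ports and rich rules, and flags accept rules whose source is not a single host. It also shows the caveat behind the rich rules above: firewalld, like `ipaddress.ip_network(..., strict=False)`, treats "192.168.0.4/24" as the whole 192.168.0.0/24 network, so that rule admits 256 addresses rather than one "specific IP address". The sample zone text is constructed for the example; its second rule (a /32 host) is added here as the genuinely host-specific counterpart.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample modelled on /etc/firewalld/zones/public.xml as shown on the page.
SAMPLE_ZONE = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Constructed sample zone for the audit example.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="8080-8081"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <service name="http"/>
    <accept/>
  </rule>
  <rule family="ipv4">
    <source address="10.0.0.7"/>
    <port protocol="tcp" port="8080"/>
    <accept/>
  </rule>
</zone>
"""

ACTIONS = ("accept", "reject", "drop", "mark")


def parse_zone(xml_text):
    """Return the services, ports and rich rules of a firewalld zone file."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError(f"not a zone file (root element is <{root.tag}>)")
    zone = {
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [(p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "rules": [],
    }
    for rule in root.findall("rule"):
        src, svc, prt = rule.find("source"), rule.find("service"), rule.find("port")
        zone["rules"].append({
            "family": rule.get("family"),
            "source": src.get("address") if src is not None else None,
            "service": svc.get("name") if svc is not None else None,
            "port": (prt.get("port"), prt.get("protocol")) if prt is not None else None,
            "action": next((c.tag for c in rule if c.tag in ACTIONS), None),
        })
    return zone


def describe(rule):
    """One-line summary such as 'accept http from 192.168.0.4/24'."""
    target = rule["service"] or (rule["port"] and "/".join(rule["port"])) or "all traffic"
    return f"{rule['action']} {target} from {rule['source'] or 'any source'}"


def audit_rules(zone):
    """Flag accept rules that are broader than a single source host."""
    findings = []
    for rule in zone["rules"]:
        if rule["action"] != "accept":
            continue
        if rule["source"] is None:
            findings.append((describe(rule), "no source restriction"))
            continue
        # strict=False mirrors firewalld, which keeps host bits under the mask:
        # 192.168.0.4/24 is really the whole 192.168.0.0/24 network.
        net = ipaddress.ip_network(rule["source"], strict=False)
        if rule["family"] and net.version != int(rule["family"][-1]):
            findings.append((describe(rule),
                             f"family {rule['family']} does not match source {rule['source']}"))
        if net.num_addresses > 1:
            findings.append((describe(rule),
                             f"source {rule['source']} admits {net.num_addresses} addresses "
                             f"({net.with_prefixlen}), not a single host"))
    return findings


if __name__ == "__main__":
    for summary, problem in audit_rules(parse_zone(SAMPLE_ZONE)):
        print(f"{summary}: {problem}")
```

Running it against a real file is `audit_rules(parse_zone(open("/etc/firewalld/zones/public.xml").read()))`; remember that this reads the permanent configuration, so a pending runtime-only change made without `--permanent` is not visible to it.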
Backups and Transfers of Firewall Configuration
As all non-default configuration is placed under the "/etc/firewalld/" directory, taking a copy of the contents of this directory and its sub-directories constitutes a backup of the firewall configuration.
Not surprisingly, transferring the contents of this directory will allow you to duplicate the firewall configuration in other servers.
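A copy of "/etc/firewalld/" is only a trustworthy backup or transfer if you can show afterwards that nothing in it was lost or altered on the way. The following is an added example (not code from the page or from oracle-base): it walks the configuration tree, records a SHA-256 per file in the `sha256sum`-compatible `<hex>  <relative path>` format, copies the tree, and diffs the two manifests so a silently changed zone file on the destination server stands out. The directory paths in the test are constructed temporary directories; on a real host the source is `/etc/firewalld`.

```python
import hashlib
import os
import shutil

FIREWALLD_CONF_DIR = "/etc/firewalld"  # root of all non-default configuration


def _sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map every regular file below root (path relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic order; symlinked directories are not followed
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            manifest[os.path.relpath(full, root)] = _sha256_file(full)
    return manifest


def write_manifest(manifest, path):
    """sha256sum-compatible format: '<hex>  <relative path>' per line."""
    with open(path, "w", encoding="utf-8") as fh:
        for rel in sorted(manifest):
            fh.write(f"{manifest[rel]}  {rel}\n")


def read_manifest(path):
    manifest = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line:
                continue
            digest, rel = line.split("  ", 1)
            manifest[rel] = digest
    return manifest


def copy_config(src, dest):
    """Copy the configuration tree (dest must not exist yet) and return its manifest."""
    shutil.copytree(src, dest, symlinks=True)
    return build_manifest(dest)


def compare_manifests(expected, actual):
    """Files missing from, added to, or changed in the copy relative to the original."""
    return {
        "missing": sorted(set(expected) - set(actual)),
        "extra": sorted(set(actual) - set(expected)),
        "changed": sorted(p for p in expected.keys() & actual.keys()
                          if expected[p] != actual[p]),
    }


if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else FIREWALLD_CONF_DIR
    for rel, digest in build_manifest(src).items():
        print(digest, rel)
```

Ship the manifest separately from the archive (or sign it) and run the comparison on the receiving server before `firewall-cmd --reload`; a manifest that travels inside the same archive cannot detect tampering with that archive.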