firewalld firewall-cmd

原文地址：http://www.oracle-base.com/articles/linux/linux-firewall-firewalld.php

Reverting to the iptables Service

# systemctl stop firewalld# systemctl disable firewalld# iptables-service# touch /etc/sysconfig/iptables# systemctl start iptables# systemctl enable iptables# touch /etc/sysconfig/ip6tables# systemctl start ip6tables# systemctl enable ip6table

Installation

# yum install firewalld firewall-config# systemctl start firewalld.service# systemctl enable firewalld.service# systemctl status firewalldfirewalld.service - firewalld - dynamic firewall daemon   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)   Active: active (running) since Sun 2014-04-20 14:06:46 BST; 30s ago Main PID: 13246 (firewalld)   CGroup: /system.slice/firewalld.service           └─13246 /usr/bin/python /usr/sbin/firewalld --nofork --nopidApr 20 14:06:44 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...Apr 20 14:06:46 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.# systemctl stop firewalld.service# systemctl disable firewalld.service

firewall-cmd

# firewall-cmd --help# Check firewall state.firewall-cmd --state# Check active zones.firewall-cmd --get-active-zones# Check current active services.firewall-cmd --get-service# Check services that will be active after next reload.firewall-cmd --get-service --permanent

Lock down and unlock the firewall using the following commands.

# firewall-cmd --panic-onsuccess# firewall-cmd --query-panicyes# firewall-cmd --panic-offsuccess# firewall-cmd --query-panicno

Reload the runtime configuration from the permanent files using the following command.

# firewall-cmd --reload

The firewall comes with predefined services, which are XML files is the "/usr/lib/firewalld/services/" directory.

# ls /usr/lib/firewalld/services/amanda-client.xml      http.xml         libvirt.xml  pmwebapis.xml     ssh.xmlbacula-client.xml      imaps.xml        mdns.xml     pmwebapi.xml      telnet.xmlbacula.xml             ipp-client.xml   mountd.xml   pop3s.xml         tftp-client.xmldhcpv6-client.xml      ipp.xml          ms-wbt.xml   postgresql.xml    tftp.xmldhcpv6.xml             ipsec.xml        mysql.xml    proxy-dhcp.xml    transmission-client.xmldhcp.xml               kerberos.xml     nfs.xml      radius.xml        vnc-server.xmldns.xml                kpasswd.xml      ntp.xml      rpc-bind.xml      wbem-https.xmlftp.xml                ldaps.xml        openvpn.xml  samba-client.xmlhigh-availability.xml  ldap.xml         pmcd.xml     samba.xmlhttps.xml              libvirt-tls.xml  pmproxy.xml  smtp.xml

You shouldn't edit these. Instead, copy a specific service file to the "/etc/firewalld/services/" directory and editing it there. The firewalld service always uses files in "/etc/firewalld/services/" directory in preference to those in the "/usr/lib/firewalld/services/" directory. Remember to reload the config after making any changes.

Add an existing service to a zone.

# # Set runtime and permanent independently.# firewall-cmd --zone=public --add-service=https# firewall-cmd --permanent --zone=public --add-service=httpsor# # Set permanent and reload the runtime config.# firewall-cmd --permanent --zone=public --add-service=https# firewall-cmd --reload

All subsequent examples will assume you want to amend both the runtime and permanent configuration and will only set the permanent configuration and then reload the runtime configuration.

Once you've amended the default configuration, the "/etc/firewalld/zones/public.xml" file will be created. You can manually amend this file, but you will need to issue a reload for the changes to take effect.

Check the services in a zone.

# firewall-cmd --zone=public --list-servicesdhcpv6-client https ss# firewall-cmd --permanent --zone=public --list-servicesdhcpv6-client https ss

Remove a service from a zone.

# firewall-cmd --permanent --zone=public --remove-service=https# firewall-cmd --reload

Open a specific port or range in a zone, check its runtime and permanent configuration, then remove it.

# firewall-cmd --permanent --zone=public --add-port=8080-8081/tcp# firewall-cmd --reload# firewall-cmd --zone=public --list-ports8080-8081/tcp# firewall-cmd --permanent --zone=public --list-ports8080-8081/tcp# firewall-cmd --permanent --zone=public --remove-port=8080-8081/tcp# firewall-cmd --reload

Rich rules allow you to create more complex configurations. The following command allows you to open HTTP access to a specific IP address.

# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" \    source address="192.168.0.4/24" service name="http" accept"

The "/etc/firewalld/zones/public.xml" file now contains the rich rule.

<?xml version="1.0" encoding="utf-8"?><zone>  <short>Public</short>  <description>For use in public areas. You do not trust the other computers on networks               to not harm your computer. Only selected incoming connections are accepted.</description>  <service name="dhcpv6-client"/>  <service name="ssh"/>  <rule family="ipv4">    <source address="192.168.0.4/24"/>    <service name="http"/>    <accept/>  </rule></zone>

The rule can be removed directly from the XML file, or removed using the "--remove-rich-rule" option.

# firewall-cmd --permanent --zone=public --remove-rich-rule="rule family="ipv4" \    source address="192.168.0.4/24" service name="http" accept"

The following example opens and closes port 8080 for a specific source IP address using a rich rule.

# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" \     source address="192.168.0.4/24" \     port protocol="tcp" port="8080" accept"# cat /etc/firewalld/zones/public.xml<?xml version="1.0" encoding="utf-8"?><zone>  <short>Public</short>  <description>For use in public areas. You do not trust the other computers on networks               to not harm your computer. Only selected incoming connections are accepted.</description>  <service name="dhcpv6-client"/>  <service name="ssh"/>  <rule family="ipv4">    <source address="192.168.0.4/24"/>    <port protocol="tcp" port="8080"/>    <accept/>  </rule></zone>## firewall-cmd --permanent --zone=public --remove-rich-rule="rule family="ipv4" \     source address="192.168.0.4/24" \     port protocol="tcp" port="8080" accept"

Backups and Transfers of Firewall Configuration

As all non-default configuration is placed under the "/etc/firewalld/" directory, taking a copy of the contents of this directory and its sub-directories constitutes a backup of the firewall configuration.

Not surprisingly, transferring the contents of this directory will allow you to duplicate the firewall configuration in other servers.