一、firewalld的9个zone
1. 启动firewalld
1. [root@lx003 ~]#
systemctl disable iptables
停止iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
2. [root@lx003 ~]#
systemctl stop iptables
停止iptables
3. [root@lx003 ~]#
systemctl enable firewalld
#启用firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
4. [root@lx003 ~]#
systemctl start firewalld
#启动firewalld
2.
f
irewall-cmd --get-zones
查看所有的zone,firewalld默认有9个zone,
[root@lx003 ~]#
firewall-cmd --get-zones
block dmz drop external home internal public trusted work
3.
firewall-cmd --get-default-zone 查询默认的zone,
默认zone为public
[root@lx003 ~]#
firewall-cmd --get-default-zone
public
二、
firewalld关于zone的操作
1.
firewall-cmd --set-default-zone= 更改默认的zone
[root@localhost ~]#
firewall-cmd --set-default-zone=work
#
更改默认的zone为work
success
[root@localhost ~]# firewall-cmd --get-default-zone #可以查询到默认的zone已经变更为work
work
2.
firewall-cmd --get-zone-of-interface= 查看网卡设置的zone
[root@localhost ~]#
firewall-cmd --get-zone-of-interface=ens33
work
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens37 #如果显示no zone,那么可能就是网卡没有配置文件
no zone
3.
firewall-cmd --zone=dmz --add-interface= 设置网卡的zone
[root@localhost network-scripts]#
firewall-cmd --zone=dmz --add-interface=ens37
#设置网卡ens37的zone
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz
4.
firewall-cmd --zone=block --change-interface= 更改网卡的zone
[root@localhost network-scripts]#
firewall-cmd --zone=block --change-interface=ens37
#更改网卡ens37的zone
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block
5.
firewall-cmd --zone=block --remove-interface= 针对网卡删除zone
[root@localhost network-scripts]#
firewall-cmd --zone=block --remove-interface=ens37
#删除block zone里面的ens37
The interface is under control of NetworkManager, setting zone to default.
success
[root@localhost network-scripts]# firewall-cmd --get-zone-of-interface=ens37 #ens37的zone变为work,因为work是默认的zone
work
6.
firewall-cmd --get-active-zones
查看系统所有网卡所在的zone
root@localhost network-scripts]#
firewall-cmd --get-active-zones
work
interfaces: ens33 ens37
三、
firewalld关于service的操作
1.
firewall-cmd --get-services
查看系统所有的services
[root@localhost network-scripts]#
firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
2.
firewall-cmd --list-service 查看当前默认的zone下有哪些service
[root@localhost network-scripts]#
firewall-cmd --list-service
ssh dhcpv6-client
3.
firewall-cmd --zone= --list-service 查看指定zone的service
[root@localhost network-scripts]#
firewall-cmd --zone=public --list-service
#查看public zone里面的service
ssh dhcpv6-client
4.
firewall-cmd --zone=zonename --add-service= 服务名
将一个服务添加到一个zone里面
[root@localhost network-scripts]#
firewall-cmd --zone=public --add-service=http
#将http服务添加到public zone里面
success
[root@localhost network-scripts]# firewall-cmd --zone=public --list-service #可以看到添加成功
ssh dhcpv6-client http
#将http服务添加到public zone里面
5.
--permanent 将更改写入配置文件,不加这个参数只保存在内存中,没有写配置文件
/etc/firewalld/zones/public.xml
[root@localhost network-scripts]#
firewall-cmd --zone=public --add-service=http --permanent
#在public zone里面添加http服务
success
[root@localhost network-scripts]#
cat /etc/firewalld/zones/public.xml
#查看配置文件
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="http"/>
</zone>
6.模板文件的放置地址
zone的配置文件放置在/etc/firewalld/zones这个目录下。
service的配置文件放置在 /etc/firewalld/service目录下。
zone的模板文件放置在 /usr/lib/firewalld/zones 下
service 的模板文件放置在/usr/lib/firewalld/service下
7. 需求:ftp服务自定义端口1121,需要在work zone下面放行ftp
1. [root@lx003 ~]#
cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/ftp.xml
# 拷贝ftp service的配置模板
2. [root@lx003 ~]#
vim /etc/firewalld/services/ftp.xml
# 编辑配置文件,自定义端口1121
<port protocol="tcp" port="1121"/>
3. [root@lx003 ~]#
cp /usr/lib/firewalld/zones/home.xml /etc/firewalld/zones/home.xml
# 拷贝home zone的配置模板
4. [root@lx003 ~]#
vim /etc/firewalld/zones/home.xml
# 编辑home的配置文件,将
<service name="ftp"/>这一行添加上去
<service name="ftp"/>
5. [root@lx003 ~]#
firewalld --reload
# 重新加载firewald服务
6. [root@lx003 ~]#
firewall-cmd --zone=home --list-service
# 查看ftp service在home zone里是否添加成功
ssh mdns samba-client dhcpv6-client ftp
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
