I. Firewalld overview
The dynamic firewall daemon firewalld provides a dynamically managed firewall with support for network "zones", which assign a level of trust to a network and its associated connections and interfaces. It supports both IPv4 and IPv6 firewall settings. It supports Ethernet bridges and keeps runtime and permanent configuration separate. It also provides an interface through which services or applications can add firewall rules directly.
The system provides the graphical configuration tools firewall-config and system-config-firewall, and the command-line client firewall-cmd, which is used to make permanent or runtime (non-permanent) changes to firewalld. firewalld in turn uses the iptables tool to talk to Netfilter, the packet-filtering code in the kernel.
The most fundamental difference between firewalld and the iptables service is:
the iptables service stores its configuration in /etc/sysconfig/iptables;
firewalld stores its configuration in XML files under /usr/lib/firewalld/ and /etc/firewalld/.
The zones of firewalld
II. Installing and configuring firewalld
Note: firewalld conflicts with the iptables service. When you enable firewalld, stop iptables; likewise, if iptables is enabled, stop firewalld.
Managing the firewall graphically
III. Basic firewall commands
firewall-cmd --state >>>>>show the state of the firewall
firewall-cmd --get-active-zones >>>>>list the active zones (shows the zones in use and the interfaces in them)
firewall-cmd --get-default-zone >>>>>show the default zone
firewall-cmd --get-zones >>>>>list all zones
firewall-cmd --zone=public --list-all >>>>>show the details of the public zone
firewall-cmd --get-services >>>>>list the predefined services
firewall-cmd --list-all-zones >>>>>show the details of all zones
firewall-cmd --list-all --zone=trusted >>>>>show the details of the specified zone, trusted
firewall-cmd --list-all >>>>>show the details of the default zone
firewall-cmd --set-default-zone=dmz >>>>>set the default zone to dmz
IV. Common firewall commands
1. How different zones affect a service
[root@client Desktop]# firewall-cmd --set-default-zone=public
success
Now browsing to this host's IP fails, because the public zone does not allow httpd connections.
[root@client Desktop]# firewall-cmd --set-default-zone=trusted
success
Now the browser can reach the host, because the trusted zone accepts all network connections.
2. Add a second network card and configure an IP address
[root@client network-scripts]# firewall-cmd --list-all >>>>>>in the public zone, host 156 cannot reach this machine from a browser by default
public (default, active)
interfaces: eth0 eth1
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --add-source=172.25.254.156 --zone=trusted >>>>>>add 156 to the trusted zone; now it can access the host
success
[root@client ~]# firewall-cmd --list-all --zone=trusted
trusted
interfaces:
sources: 172.25.254.156 >>>>>156 now appears in the trusted zone
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: >>>>>156 is not in the public zone, but host 156 can still get in through the trusted zone
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --remove-source=172.25.254.156 --zone=trusted >>>>>>remove 156 from the trusted zone
success
[root@client ~]# firewall-cmd --list-all --zone=trusted
trusted
interfaces:
sources: >>>>>>>now 156 can no longer reach this host from a browser
services:
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --list-interfaces >>>>>>>list all interfaces
eth0 eth1
[root@client ~]# firewall-cmd --get-zone-of-interface=eth1 >>>>>>>show which zone the eth1 interface is in
public
[root@client ~]# firewall-cmd --get-zone-of-interface=eth0 >>>>>>>show which zone the eth0 interface is in
public
[root@client ~]# firewall-cmd --change-interface=eth0 --zone=trusted >>>>>>>move eth0 into the trusted zone
success
[root@client ~]# firewall-cmd --remove-interface=eth0 --zone=trusted >>>>>>>remove eth0 from the trusted zone
success
[root@client ~]# firewall-cmd --get-zone-of-interface=eth0 >>>>>>>now eth0 is not in any zone
no zone
[root@client ~]# firewall-cmd --add-interface=eth0 --zone=public >>>>>>>add eth0 to the public zone
success
3. Permanent additions
[root@client Desktop]# firewall-cmd --add-source=172.25.254.156 >>>>>>>note: when no zone is named, the default zone is used
success
[root@client Desktop]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156 >>>>>>>>added successfully, but only for the current runtime
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client Desktop]# systemctl restart firewalld >>>>>>>>>after a restart it is gone
[root@client Desktop]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: >>>>>>>>>the IP added earlier has disappeared
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client Desktop]# firewall-cmd --permanent --add-source=172.25.254.156 >>>>>>>>with the --permanent option the source is added permanently
success
[root@client Desktop]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: >>>>>>>>a permanent addition does not take effect immediately
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client Desktop]# firewall-cmd --reload >>>>>>>>a reload is needed
success
[root@client Desktop]# firewall-cmd --list-all >>>>>>>>list again; 156 now shows up
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
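The point of section 3 is that the runtime and the permanent configuration are two different things: a plain firewall-cmd change lives only until the next reload or restart, and a --permanent change is invisible until one. A quick way to catch drift between the two is to compare the output of firewall-cmd --zone=public --list-all with firewall-cmd --zone=public --permanent --list-all. The script below is an added example, not from the original post; the two listings are constructed sample output modelled on the post's session (the source added permanently, ssh removed and port 8080 added at runtime only), so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): report differences between the
# runtime and the permanent configuration of a zone, using the text format
# printed by firewall-cmd --list-all. Both listings are CONSTRUCTED samples;
# on a real host replace them with
#   RUNTIME_LISTING=$(firewall-cmd --zone=public --list-all)
#   PERMANENT_LISTING=$(firewall-cmd --zone=public --permanent --list-all)

RUNTIME_LISTING='public (default, active)
  interfaces: eth0 eth1
  sources: 172.25.254.156
  services: dhcpv6-client http
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_LISTING='public
  interfaces: eth0 eth1
  sources: 172.25.254.156
  services: dhcpv6-client http ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# field_values LISTING FIELD -> the space-separated values on the "FIELD:" line
field_values() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# only_in A B -> words of A that do not appear in B, one per line
only_in() {
    for w in $1; do
        case " $2 " in
            *" $w "*) ;;
            *) printf '%s\n' "$w" ;;
        esac
    done
}

# drift FIELD -> "runtime-only: x" / "permanent-only: y" lines for that field
drift() {
    rt=$(field_values "$RUNTIME_LISTING" "$1")
    pm=$(field_values "$PERMANENT_LISTING" "$1")
    for w in $(only_in "$rt" "$pm"); do printf 'runtime-only: %s\n' "$w"; done
    for w in $(only_in "$pm" "$rt"); do printf 'permanent-only: %s\n' "$w"; done
}

# zone_drift_report -> one finding per line; empty output means the two agree
zone_drift_report() {
    for f in services ports sources; do
        drift "$f" | sed "s/^/$f /"
    done
}

zone_drift_report
```

A "runtime-only" entry is something that will silently vanish at the next firewall-cmd --reload or service restart (the 8080/tcp port here); a "permanent-only" entry is something configured but not yet enforced (ssh is still permitted at runtime in this sample even though it was removed permanently). Either kind is worth knowing about before relying on the firewall's state.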
4. Managing the firewall by editing its configuration files
[root@client ~]# cd /usr/lib/firewalld/
[root@client firewalld]# ls
icmptypes services zones >>>>>>firewalld's data files
[root@client ~]# grep 172.25.254.156 -r /etc/ >>>>>>!!!!!search /etc for content containing 172.25.254.156; -r searches recursively
/etc/yum.repos.d/rhel_dvd.repo:baseurl = http://172.25.254.156/source7.0
/etc/firewalld/zones/public.xml: <source address="172.25.254.156"/>
[root@client ~]# cd /etc/firewalld/zones/ >>>>>>the firewall's configuration files
[root@client zones]# ls
public.xml public.xml.old ROL.xml
[root@client zones]# vim public.xml >>>>>>edit the configuration file
[root@client zones]# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<source address="172.25.254.156"/>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="http"/> >>>>>>add the http service
</zone>
[root@client zones]# systemctl restart firewalld.service >>>>>>restart the service; this change is permanent
[root@client zones]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http ssh >>>>>>the http service was added successfully
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client firewalld]# cd /usr/lib/firewalld/
[root@client firewalld]# ls
icmptypes services zones
[root@client firewalld]# cd services/ >>>>>>the data files of the services
[root@client services]# cat http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
<port protocol="tcp" port="80"/> >>>>>>here you can see the port and protocol of the http service
</service>
[root@client services]# firewall-cmd --add-port=8080/tcp --zone=public >>>>>>temporarily add a port to the public zone
success
[root@client services]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http ssh
ports: 8080/tcp >>>>>>added successfully
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client services]# firewall-cmd --remove-service=ssh >>>>>>>temporarily remove the ssh service; other hosts can no longer connect
success
[root@client services]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http
ports: 8080/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client services]# firewall-cmd --reload >>>>>>>reload; this reverts everything that was added or removed temporarily
success
[root@client services]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http ssh >>>>>>>the ssh service is back
ports: >>>>>>>the added port is gone
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
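Editing /etc/firewalld/zones/public.xml by hand, as this section does, applies whatever the file says at the next restart, so a stray <service> or <source> element opens the host just as surely as a firewall-cmd call would. The script below is an added example, not from the original post, that audits a zone file of the format shown above against an allow-list of the services and sources the zone is supposed to contain. The ZONE_XML string is a constructed copy of the post's public.xml with one extra service, one extra source and one raw port added for illustration; EXPECTED_SERVICES and EXPECTED_SOURCES are the assumed policy.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone file
# against an expected allow-list before "systemctl restart firewalld" applies it.
# ZONE_XML is a CONSTRUCTED sample based on the post's public.xml, with one
# extra <service>, one extra <source> and one <port> added to be caught.

ZONE_XML='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <source address="172.25.254.156"/>
  <source address="10.0.0.0/8"/>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
  <service name="telnet"/>
  <port protocol="tcp" port="8080"/>
</zone>'

# The intended state of the zone (assumed policy, matching the post's session).
EXPECTED_SERVICES="dhcpv6-client ssh http"
EXPECTED_SOURCES="172.25.254.156"

# xml_attr ELEMENT ATTR -> one value per line for every <ELEMENT ... ATTR="..."/>
xml_attr() {
    printf '%s\n' "$ZONE_XML" \
      | grep -o "<$1 [^>]*$2=\"[^\"]*\"" \
      | sed "s/.*$2=\"\([^\"]*\)\".*/\1/"
}

zone_services() { xml_attr service name; }
zone_sources()  { xml_attr source address; }

# zone_ports -> raw port entries as "8080/tcp", firewall-cmd's own notation
zone_ports() {
    printf '%s\n' "$ZONE_XML" \
      | grep -o '<port [^>]*/>' \
      | sed 's/.*protocol="\([^"]*\)".*port="\([^"]*\)".*/\2\/\1/'
}

# not_expected ACTUAL EXPECTED -> items of ACTUAL that are not in EXPECTED
not_expected() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# audit_zone -> one finding per line; empty output means the file matches policy
audit_zone() {
    not_expected "$(zone_services)" "$EXPECTED_SERVICES" | sed 's/^/unexpected service: /'
    not_expected "$(zone_sources)"  "$EXPECTED_SOURCES"  | sed 's/^/unexpected source: /'
    zone_ports | sed 's/^/open port not defined by a service: /'
}

audit_zone
```

Raw <port> entries are reported unconditionally because, unlike a <service>, they carry no name that says what they are for; if one is intentional, the cleaner fix is to describe it as a service file under /etc/firewalld/services/ in the same format as the http.xml shown above and add that service to the allow-list.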
5. The firewall and the ssh service: complete reload
Host 156 is already logged in to this machine over ssh.
[root@client ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --remove-service=ssh >>>>>temporarily remove ssh; host 156 can still run commands
success
[root@client ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --reload
success
[root@client ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http ssh >>>>>>after the reload ssh is back, and host 156 can still run commands
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --permanent --remove-service=ssh >>>>>>>remove ssh permanently
success
[root@client ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http ssh >>>>>>>ssh is still there, and host 156 can still operate
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --reload
success
[root@client ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http >>>>>>>after the reload ssh is gone, but host 156 can still operate because its established connection survives a normal reload
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
[root@client ~]# firewall-cmd --complete-reload !!!!!!!to really cut it off, remove ssh permanently and then do a complete reload
success
[root@client ~]# firewall-cmd --list-all
public (default, active)
interfaces: eth0 eth1
sources: 172.25.254.156
services: dhcpv6-client http >>>>>>>ssh is gone and host 156's ssh session hangs, since the complete reload also discards connection state; it can no longer run commands
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules: