永久的开放需要的端口
# Open TCP/3000 in the public zone and keep it across reloads and reboots.
# --permanent writes only the saved configuration; the running rule set is
# untouched until the reload on the next line, so both commands are needed.
sudo firewall-cmd --zone=public --add-port=3000/tcp --permanent
# Load the saved configuration into the runtime rules.
sudo firewall-cmd --reload
永久的关闭某端口
# Remove TCP/3000 from the *saved* configuration of the default zone (no
# --zone given, unlike the open-port example). The port stays open at runtime
# until `firewall-cmd --reload` is run, so a reload belongs after this line too.
sudo firewall-cmd --remove-port=3000/tcp --permanent
检查防火墙规则
关闭防火墙
# Stop the firewalld service for the current boot only; its rules are flushed,
# so until it is started again every listening service on the host is reachable
# unless something else filters traffic. Opening only the ports needed is the
# narrower change. `systemctl disable` (further down) is what stops firewalld
# from starting at the next boot; stop alone does not.
sudo systemctl stop firewalld
其他
source: 根据源地址过滤(优先级最高)
interface: 根据网卡过滤(优先级次高)
service: 根据服务名过滤
port: 根据端口过滤
icmp-block: icmp 报文过滤,按照 icmp 类型配置
masquerade: ip 地址伪装
forward-port: 端口转发
rule: 自定义规则
# Service lifecycle. start/stop act on the running service only; enable/disable
# change whether it starts at boot. The enable/disable lines are alternatives,
# not a sequence to run top to bottom (disable is listed twice).
systemctl status firewalld.service
systemctl start firewalld.service
systemctl disable firewalld
systemctl stop firewalld.service
systemctl enable firewalld
systemctl disable firewalld
# Runtime state, then the active rules of the default zone (add --zone=NAME
# to inspect another zone).
firewall-cmd --state
firewall-cmd --list-all
# --reload re-reads the saved configuration and keeps established connections;
# --complete-reload also resets the kernel netfilter state, so existing
# connections are cut. Use it only when the plain reload is not enough.
firewall-cmd --reload
firewall-cmd --complete-reload
firewall-cmd --help
# Common options that combine with the commands below:
#   --zone=NAME        act on zone NAME instead of the default zone
#   --permanent        change the saved configuration only (needs --reload)
#   --timeout=seconds  runtime-only change that is reverted after N seconds;
#                      useful for trying a rule without locking yourself out;
#                      not combinable with --permanent
--zone=NAME
--permanent
--timeout=seconds
# Open a single port in the saved configuration (still needs --reload to apply).
firewall-cmd --add-port=8181/tcp --permanent
# Open a port range. Without --permanent this is runtime-only and is lost on
# the next reload or restart. 6000-6600 is a wide opening (601 ports); confirm
# every port in it is meant to be reachable before using this.
firewall-cmd --add-port=6000-6600/tcp
# Allow by predefined service name instead of port number. FTP is unencrypted
# and its service definition may pull in the conntrack ftp helper - confirm.
firewall-cmd --add-service=ftp
# Bind eth0 to the public zone permanently (zone assignment is per interface).
firewall-cmd --zone=public --add-interface=eth0 --permanent
# Enable source NAT for traffic leaving through this zone; firewalld enables
# IPv4 forwarding for this, so the host starts routing. Runtime-only here.
firewall-cmd --zone=public --add-masquerade
# Port forwarding. All three variants are runtime-only (no --permanent).
# 1) local redirect: incoming 22/tcp -> local port 9527
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=9527
# 2) incoming 22/tcp -> port 22 on 192.168.1.123; forwarding to another host
#    needs masquerade enabled in the zone (the --add-masquerade line above)
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.123
# 3) incoming 22/tcp -> 192.168.1.100:9527 (same masquerade requirement)
firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=9527:toaddr=192.168.1.100
# Rich rule rejecting one source address. reject answers the sender with an
# error; drop (used with the ipset below) is silent. Saved only: reload needed.
firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.123' reject"
# Block list via ipset. The two --new-ipset lines are alternatives, not a
# sequence: an ipset name can only be created once, so the second
# --new-ipset=blacklist fails with a name conflict if the first one exists.
# Use hash:ip for single addresses and hash:net when entries are CIDR blocks
# (as the /24 entry below is).
# NOTE(review): ipsets are not zone-scoped, so --zone=public on these ipset
# commands looks unnecessary - confirm firewall-cmd accepts or ignores it.
firewall-cmd --permanent --zone=public --new-ipset=blacklist --type=hash:ip
firewall-cmd --permanent --zone=public --ipset=blacklist --add-entry=192.168.1.123
firewall-cmd --permanent --zone=public --new-ipset=blacklist --type=hash:net
firewall-cmd --permanent --zone=public --ipset=blacklist --add-entry=192.168.1.0/24
# Create a set from a firewalld ipset XML file (the path is a placeholder).
firewall-cmd --permanent --zone=public --new-ipset-from-file=/path/blacklist.xml
# Silently drop everything from addresses in the set. Both the set and this
# rule are --permanent, so run `firewall-cmd --reload` afterwards to activate.
firewall-cmd --permanent --zone=public --add-rich-rule='rule source ipset=blacklist drop'