Operations on SUSE 12:
Stop the firewall service:
systemctl stop SuSEfirewall2.service
Disable the firewall service at boot:
systemctl disable SuSEfirewall2.service
Enable the firewall service at boot:
systemctl enable SuSEfirewall2.service
Start the firewall service:
systemctl start SuSEfirewall2.service
Check the firewall service status:
systemctl status SuSEfirewall2.service
See the built-in help for the available subcommands:
SUSE-12:~ # /sbin/SuSEfirewall2 -h
SuSEfirewall2 3.6, Copyright (C) 2005 SUSE LINUX Products GmbH
stateful packet filter rules generator for iptables.
/sbin/SuSEfirewall2 start|test|debug [file FILENAME]
/sbin/SuSEfirewall2 basic|stop|close|status|help
/sbin/SuSEfirewall2 open ZONE TYPE services...
/sbin/SuSEfirewall2 on|off
/sbin/SuSEfirewall2 [-s <service>] update-rpc
Options:
start generate and load the firewall filter rules from
/etc/sysconfig/SuSEfirewall2
stop unload all filter rules
close no incoming network traffic except bootp+ping (for boot security)
basic set basic filter rules that drop all incoming access
test generate and load the filter rules but do not drop any packet but log
to syslog anything which *would* be denied
status print the output of "iptables -nvL"
3. Difference between FW_SERVICES_EXT_TCP and FW_SERVICES_ACCEPT_EXT in the SuSEfirewall2 configuration file:
FW_SERVICES_EXT_TCP cannot be configured in detail: it only has "allowed" and "not allowed", it filters by port only and cannot filter by IP;
FW_SERVICES_ACCEPT_EXT allows finer-grained configuration and restrictions, limiting by IP and port at the same time;
However, if the same port is configured both in FW_SERVICES_EXT_TCP and in FW_SERVICES_ACCEPT_EXT, the system gives precedence to the
FW_SERVICES_EXT_TCP setting.
4. For a scenario where only specified IPs may access port 22 while all IPs may access port 80, configure it like this:
FW_SERVICES_EXT_TCP="80"  # multiple ports are separated by spaces
FW_SERVICES_EXT_TCP="ftp 22 telnet 512:514"  # alternative example: opens ftp, ssh, telnet and ports 512-514
FW_SERVICES_ACCEPT_EXT="192.168.1.100,tcp,22"
# Format: space separated list of net,protocol[,dport[,sport[,flags]]]
# Example: "0/0,tcp,22"
#
# Supported flags are
# hitcount=NUMBER : ipt_recent --hitcount parameter
# blockseconds=NUMBER : ipt_recent --seconds parameter
# recentname=NAME : ipt_recent --name parameter
# Example:
# Allow max three ssh connects per minute from the same IP address:
# "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Syntax for allowing at most three ssh connections per minute from the same IP.
To open multiple ports for the same source IP, write the same IP twice, separated by a space:
FW_SERVICES_ACCEPT_EXT="192.168.1.100 192.168.1.100,tcp,22 8080 80"
To open the ssh port to multiple source IPs, configure as follows; it cannot be split across several lines:
FW_SERVICES_ACCEPT_EXT="10.1.1.1 20.1.1.1 30.1.1.1,tcp,22"
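As an added check (not part of SuSEfirewall2 or of the original notes), the POSIX shell helper below splits a FW_SERVICES_ACCEPT_EXT value into the documented net,protocol[,dport[,sport[,flags]]] fields and reports entries that lack a protocol or carry a flag other than the three documented ipt_recent flags; the function name and output format are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with SuSEfirewall2):
# print the fields of each FW_SERVICES_ACCEPT_EXT entry and flag entries
# that do not match the documented format
#   net,protocol[,dport[,sport[,flags]]]   (space separated list)
# Output: one line per entry, "net proto dport sport flags" ("-" = empty),
# or "INVALID <entry> (<reason>)". Run it on the value before restarting.

# Pop the text before the first comma from $rest into $field.
next_field() {
    case $rest in
        *,*) field=${rest%%,*}; rest=${rest#*,} ;;
        *)   field=$rest;        rest= ;;
    esac
}

parse_accept_ext() {
    for entry in $1; do            # entries are whitespace separated
        rest=$entry
        next_field; net=$field
        next_field; proto=$field
        next_field; dport=$field
        next_field; sport=$field
        flags=$rest                # everything after the fourth comma
        if [ -z "$net" ] || [ -z "$proto" ]; then
            printf 'INVALID %s (need at least net,protocol)\n' "$entry"
            continue
        fi
        # Only the three ipt_recent flags are documented for this variable.
        rest=$flags; bad=
        while [ -n "$rest" ]; do
            next_field
            case $field in
                hitcount=[0-9]*|blockseconds=[0-9]*|recentname=?*) ;;
                *) bad=$field ;;
            esac
        done
        if [ -n "$bad" ]; then
            printf 'INVALID %s (unknown flag %s)\n' "$entry" "$bad"
            continue
        fi
        printf '%s %s %s %s %s\n' "$net" "$proto" "${dport:--}" "${sport:--}" "${flags:--}"
    done
}

# Stand-alone run: check the values given on the command line, or the
# documented ssh rate-limit example when none are given.
if [ $# -gt 0 ]; then parse_accept_ext "$*"; else
    parse_accept_ext "0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
fi
```

Pipe the output through `grep ^INVALID` to get a non-empty result only when something needs fixing.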
5. The configuration file /etc/sysconfig/SuSEfirewall2 also contains corresponding detailed explanations.
After changing the firewall configuration, restart the firewall service:
systemctl restart SuSEfirewall2
After the configuration change, check the firewall port status with the command /sbin/SuSEfirewall2 status.