Until firewalld is running, the firewall-cmd command cannot be used. To open a port or a service before the firewall starts, edit firewalld's configuration files directly instead.
Adding a port
- Go to firewalld's zones directory and edit the file for the zone concerned.
# cd /etc/firewalld/zones/
# vim public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<!-- open port 8080 -->
<port protocol="tcp" port="8080"/>
<!-- allow the 172.17.0.0/24 network to reach port 80 -->
<rule family="ipv4">
<source address="172.17.0.0/24"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
</zone>
Adding a service
- Go to firewalld's services directory and create or edit the service definition file.
# cd /etc/firewalld/services/
# vim test_service.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>test_service</short>
<description>test service</description>
<port protocol="tcp" port="5555"/>
<port protocol="udp" port="5556"/>
</service>
- Add the service to the zone it should apply to.
# cd /etc/firewalld/zones/
# vim public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<!-- add the service test_service -->
<service name="test_service" />
<!-- open port 8080 -->
<port protocol="tcp" port="8080"/>
<!-- allow the 172.17.0.0/24 network to reach port 80 -->
<rule family="ipv4">
<source address="172.17.0.0/24"/>
<port protocol="tcp" port="80"/>
<accept/>
</rule>
</zone>
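Before starting firewalld it is worth checking what the edited zone will actually accept, and that every service name it references has a definition file. The following added example (not part of the original post) parses constructed copies of the zone and service XML from this page with the standard library; the ssh and dhcpv6-client entries are trimmed stand-ins for the stock definitions that firewalld would read from its service directories.

```python
import xml.etree.ElementTree as ET
# Constructed stand-in for /etc/firewalld/zones/public.xml as edited on this page.
ZONE_XML = """<zone>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="test_service"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="172.17.0.0/24"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
</zone>"""
# Service definitions keyed by name, as read from /usr/lib/firewalld/services and
# /etc/firewalld/services; ssh and dhcpv6-client are trimmed stand-ins for the stock files.
SERVICES = {
    "ssh": '<service><port protocol="tcp" port="22"/></service>',
    "dhcpv6-client": '<service><port protocol="udp" port="546"/></service>',
    "test_service": """<service>
  <port protocol="tcp" port="5555"/>
  <port protocol="udp" port="5556"/>
</service>""",
}

def service_ports(xml_text):
    """(protocol, port) pairs declared by one service definition."""
    return [(p.get("protocol"), p.get("port")) for p in ET.fromstring(xml_text).findall("port")]

def summarize_zone(zone_text, services):
    """Return (opened, unknown): opened = (protocol, port, source, origin) tuples the zone
    will accept; unknown = service names referenced without a definition (fix before starting)."""
    root = ET.fromstring(zone_text)
    opened, unknown = [], []
    for s in root.findall("service"):
        name = s.get("name")
        if name not in services:
            unknown.append(name)
            continue
        for proto, port in service_ports(services[name]):
            opened.append((proto, port, "any", "service " + name))
    for p in root.findall("port"):  # direct children only; rich-rule ports are handled below
        opened.append((p.get("protocol"), p.get("port"), "any", "port"))
    for r in root.findall("rule"):
        if r.find("accept") is None:  # only accept rules open anything
            continue
        src = r.find("source")
        source = src.get("address") if src is not None else "any"
        for p in r.findall("port"):
            opened.append((p.get("protocol"), p.get("port"), source, "rich rule"))
    return opened, unknown
```

Run `summarize_zone(ZONE_XML, SERVICES)` to list each accepted protocol/port with its source restriction and origin; a non-empty `unknown` list means a `<service name=.../>` entry has no matching definition file.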
Start firewalld
systemctl start firewalld