重新打开 firewall
[root@linux-01 ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@linux-01 ~]# systemctl stop iptables
[root@linux-01 ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@linux-01 ~]# systemctl start firewalld
firewalld 自带的 9 个 zone（规则集）
# 查看firewalld 9个规则集
[root@linux-01 ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
#查看默认规则集
[root@linux-01 ~]# firewall-cmd --get-default-zone
public
各个zones 的区别
怎么查看zone 的规则?
设置更改zone
[root@linux-01 network-scripts]# firewall-cmd --set-default-zone=work
success
[root@linux-01 network-scripts]# firewall-cmd --get-default-zone
work
查看网卡使用的是哪个zone
[root@linux-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens33
work
[root@linux-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens37
work
[root@linux-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
no zone
如果新添加的网卡显示 no zone，可以复制 ens33 网卡的配置文件，重启网络服务，然后重新加载 firewalld。
给指定的网卡设置 zone
[root@linux-01 network-scripts]# firewall-cmd --zone=public --add-interface=lo
success
[root@linux-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
针对网卡更改zone
[root@linux-01 network-scripts]# firewall-cmd --zone=block --change-interface=ens37
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@linux-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block
[root@linux-01 network-scripts]#
针对网卡删除zone
[root@linux-01 network-scripts]# firewall-cmd --zone=block --remove-interface=ens37
The interface is under control of NetworkManager, setting zone to default.
success
[root@linux-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens37
work # 变回默认zone
[root@linux-01 network-scripts]#
查看系统网卡所在的zone
[root@linux-01 network-scripts]# firewall-cmd --get-active-zones
work
interfaces: ens33 ens37
public
interfaces: lo
[root@linux-01 network-scripts]#
service
service 就是 zone 下面的子单元，可以理解成指定的一个端口，因为防火墙不外乎就是针对某个端口做一些限制。比如 http 对应的是 80 端口、https 对应的是 443 端口、ssh 对应的是 22 端口。
列出系统所有 service
#当前所有得service
[root@linux-01 ~]# firewall-cmd --get-service
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nfs3 nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
#现在使用的zone有哪些service
[root@linux-01 network-scripts]# firewall-cmd --list-service
ssh dhcpv6-client
#查看指定zone 有哪些service
[root@linux-01 ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client
[root@linux-01 ~]#
[root@linux-01 ~]# firewall-cmd --zone=trusted --list-service
[root@linux-01 ~]#
# trusted 没有service
把http 加到public
[root@linux-01 ~]# firewall-cmd --zone=public --add-service=http
success
[root@linux-01 ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client http # 已经添加
[root@linux-01 ~]#
[root@linux-01 ~]# firewall-cmd --zone=public --add-service=ftp
success
[root@linux-01 ~]# firewall-cmd --zone=public --list-service
ssh dhcpv6-client http ftp
[root@linux-01 ~]#
把规则保存到配置文件里
添加 service 并保存到配置文件（永久保存）。注意：加 --permanent 只写入配置文件，不会立即改变运行时规则，需要执行 firewall-cmd --reload 才生效；而不加 --permanent 的改动只在运行时有效，reload 或重启后会丢失。
[root@linux-01 ~]# firewall-cmd --zone=public --add-service=http --permanent
success
#存放位置
[root@linux-01 ~]# ls /etc/firewalld/zones #zone 的配置文件模板
public.xml public.xml.old
[root@linux-01 ~]#
[root@linux-01 ~]# cat /etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="http"/>
<service name="ftp"/>
</zone>
[root@linux-01 ~]#
更改 zone 并永久保存时，会把旧的配置文件备份为 .old（如上面的 public.xml.old）。
# zones 模板
[root@linux-01 ~]# ls /usr/lib/firewalld/zones
block.xml dmz.xml drop.xml external.xml home.xml internal.xml public.xml trusted.xml work.xml
#service模板
[root@linux-01 ~]# ls /usr/lib/firewalld/services/
amanda-client.xml freeipa-replication.xml libvirt-tls.xml pop3.xml snmp.xml
amanda-k5-client.xml freeipa-trust.xml libvirt.xml postgresql.xml spideroak-lansync.xml
bacula-client.xml ftp.xml managesieve.xml privoxy.xml squid.xml
bacula.xml ganglia-client.xml mdns.xml proxy-dhcp.xml ssh.xml
bitcoin-rpc.xml ganglia-master.xml mosh.xml ptp.xml synergy.xml
bitcoin-testnet-rpc.xml high-availability.xml mountd.xml pulseaudio.xml syslog-tls.xml
bitcoin-testnet.xml https.xml mssql.xml puppetmaster.xml syslog.xml
bitcoin.xml http.xml ms-wbt.xml quassel.xml telnet.xml
ceph-mon.xml imaps.xml mysql.xml radius.xml tftp-client.xml
ceph.xml imap.xml nfs3.xml RH-Satellite-6.xml tftp.xml
cfengine.xml ipp-client.xml nfs.xml rpc-bind.xml tinc.xml
condor-collector.xml ipp.xml nrpe.xml rsh.xml tor-socks.xml
ctdb.xml ipsec.xml ntp.xml rsyncd.xml transmission-client.xml
dhcpv6-client.xml iscsi-target.xml openvpn.xml samba-client.xml vdsm.xml
dhcpv6.xml kadmin.xml ovirt-imageio.xml samba.xml vnc-server.xml
dhcp.xml kerberos.xml ovirt-storageconsole.xml sane.xml wbem-https.xml
dns.xml kibana.xml ovirt-vmconsole.xml sips.xml xmpp-bosh.xml
docker-registry.xml klogin.xml pmcd.xml sip.xml xmpp-client.xml
dropbox-lansync.xml kpasswd.xml pmproxy.xml smtp-submission.xml xmpp-local.xml
elasticsearch.xml kshell.xml pmwebapis.xml smtps.xml xmpp-server.xml
freeipa-ldaps.xml ldaps.xml pmwebapi.xml smtp.xml
freeipa-ldap.xml ldap.xml pop3s.xml snmptrap.xml
[root@linux-01 ~]#
需求:ftp服务自定义端口1121,需要在work zone 下面放行ftp
以配置文件方式操作（/etc/firewalld 下的同名文件会覆盖 /usr/lib/firewalld 下的模板，所以先复制到 /etc/firewalld 再修改，不要直接改 /usr/lib 下的模板）
第一步
[root@linux-01 ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@linux-01 ~]# vi /etc/firewalld/services/ftp.xml
[root@linux-01 ~]#
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>FTP</short>
<description>FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly available, enable this option. You need the vsftpd package installed for this option to be useful.</description>
<port protocol="tcp" port="1121"/> # 21改成1121
<module name="nf_conntrack_ftp"/>
</service>
第二步
[root@linux-01 ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@linux-01 ~]# vi /etc/firewalld/zones/work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Work</short>
<description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="ftp"/> #增加一行ftp
</zone>
第三步、重新加载服务
[root@linux-01 ~]# firewall-cmd --reload
success
[root@linux-01 ~]# firewall-cmd --zone=work --list-service
ssh dhcpv6-client ftp
[root@linux-01 ~]#