1、开启firewalld服务[root@juispan ~]# systemctl disable iptables
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
[root@juispan ~]# systemctl stop iptables
[root@juispan ~]# systemctl enable firewalld
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/basic.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
[root@juispan ~]# systemctl start firewalld
[root@juispan ~]# firewall-cmd --get-zones ##查看所有zone
work drop internal external trusted home dmz public block
[root@juispan ~]# firewall-cmd --get-default-zone ##查看默认zone
public
▎man firewalld.zonesWhich zones are available?
Here are the zones provided by firewalld sorted according to the default trust level of the zones from untrusted to trusted:
drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public
For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
2、firewall-cmd[root@juispan ~]# firewall-cmd --set-default-zone=work ##设置默认zone
success
[root@juispan ~]# firewall-cmd --get-default-zone ##查看默认zone
work
[root@juispan ~]# firewall-cmd --get-zone-of-interface=ens33 ##查看接口所在的zone
work
[root@juispan ~]# firewall-cmd --zone=public --add-interface=lo ##针对网卡设置zone
success
[root@juispan ~]# firewall-cmd --get-zone-of-interface=lo
public
[root@juispan ~]# firewall-cmd --zone=dmz --change-interface=lo ##针对网卡更改zone
success
[root@juispan ~]# firewall-cmd --get-zone-of-interface=lo
dmz
[root@juispan ~]# firewall-cmd --zone=dmz --remove-interface=lo ##针对网卡删除zone
success
[root@juispan ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@juispan ~]# firewall-cmd --get-active-zones ##查看系统所有网卡所在的zone
work
interfaces: ens37
public
interfaces: ens33
[root@juispan ~]# firewall-cmd --get-services ##查看所有的services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap free ipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp open*** pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@juispan ~]# firewall-cmd --list-services ##查看当前zone下有哪些service
ssh dhcpv6-client
[root@juispan ~]# firewall-cmd --zone=public --add-service=http
success ##把http增加到public zone
[root@juispan ~]# firewall-cmd --list-services --zone=public
dhcpv6-client ssh http
[root@juispan ~]# firewall-cmd --zone=public --remove-service=http
success ##删除public zone中的http service
[root@juispan ~]# firewall-cmd --list-services --zone=public
dhcpv6-client ssh
[root@juispan ~]# firewall-cmd --zone=public --add-service=http --permanent
success ##永久操作,在/etc/firewalld/zones目录下生成配置文件
3、小案例:ftp服务自定义端口1121,需要在work zone下面放行ftp[root@juispan ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/
[root@juispan ~]# vi /etc/firewalld/services/ftp.xml
FTP
FTP is a protocol used for remote file transfer. If you plan to make your FTP server publicly avail able, enable this option. You need the vsftpd package installed for this option to be useful.
##把21端口更改为1121端口
[root@juispan ~]# cp /usr/lib/firewalld/zones/work.xml /etc/firewalld/zones/
[root@juispan ~]# vi /etc/firewalld/zones/work.xml
Work
For use in work areas.You mostly trust the other computers on networks to not harm your computer.Only selected incoming connections are accepted.
##增加该行
[root@juispan ~]# firewall-cmd --reload ##重新加载
success
[root@juispan ~]# firewall-cmd --zone=work --list-services
ssh dhcpv6-client ftp