1: The firewall-cmd command
(1) Start, stop and check the firewalld service
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# systemctl enable firewalld
[root@localhost ~]# systemctl status firewalld ## shows detailed status information
or
[root@localhost ~]# firewall-cmd --state ## shows only "running" or "not running"
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl disable firewalld
(2) Get predefined information
[root@localhost ~]# firewall-cmd --get-zones
[root@localhost ~]# firewall-cmd --get-services
[root@localhost ~]# firewall-cmd --get-icmptypes
(3) Zone management
Show the current default zone
[root@localhost ~]# firewall-cmd --get-default-zone
public
Show all rules of the default zone
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Show the zone that interface eth0 belongs to
[root@localhost ~]# firewall-cmd --get-zone-of-interface=eth0
public
Move interface eth0 into the internal zone (the NetworkManager message below means the zone is stored in the connection profile)
[root@localhost ~]# firewall-cmd --zone=internal --change-interface=eth0
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@localhost ~]# firewall-cmd --zone=internal --list-interfaces
eth0
[root@localhost ~]# firewall-cmd --get-zone-of-interface=eth0
internal
Show all active zones
[root@localhost ~]# firewall-cmd --get-active-zones
internal
interfaces: eth0
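Moving an interface into a zone that does not allow the service you are administering through (normally ssh) cuts off the very session running the command. The following is an added example, not code from the original page: a pre-flight check that parses the `--list-all` layout shown above and only emits the `--change-interface` command when the target zone keeps the management service reachable. The two listings are constructed samples (the `webonly` zone does not exist by default), not captures from a real host.

```shell
#!/bin/bash
# Added example: pre-flight check before
# `firewall-cmd --zone=ZONE --change-interface=IFACE`.
# Assumes the `firewall-cmd --zone=ZONE --list-all` layout shown above.

# Constructed sample of `firewall-cmd --zone=internal --list-all`
# (not captured from a real host; internal ships with ssh allowed).
SAMPLE_INTERNAL_LIST_ALL='internal
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Constructed sample of a hypothetical custom zone that only allows web traffic.
SAMPLE_WEBONLY_LIST_ALL='webonly
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https
  ports: 8443/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# Print the value of one "key:" line of a --list-all listing read from stdin.
# Works for single-word keys (target, services, ports, ...).
list_all_field() {
    awk -v k="$1:" '$1 == k { $1 = ""; sub(/^ +/, ""); print; exit }'
}

# Exit 0 if the listing allows $2, given as a service name ("ssh") or a
# port spec ("22/tcp"). A zone whose target is ACCEPT allows everything.
zone_allows() {
    local listing=$1 want=$2 target services ports
    target=$(printf '%s\n' "$listing" | list_all_field target)
    [ "$target" = "ACCEPT" ] && return 0
    services=$(printf '%s\n' "$listing" | list_all_field services)
    ports=$(printf '%s\n' "$listing" | list_all_field ports)
    case " $services $ports " in
        *" $want "*) return 0 ;;
    esac
    return 1
}

# Print the --change-interface command only if the target zone keeps the
# management service reachable. $1 zone, $2 interface, $3 the zone's
# --list-all output, $4 management service or port (default ssh).
safe_change_interface() {
    local zone=$1 iface=$2 listing=$3 mgmt=${4:-ssh}
    if ! zone_allows "$listing" "$mgmt"; then
        echo "refusing: zone '$zone' does not allow '$mgmt'; moving $iface would cut you off" >&2
        return 1
    fi
    printf 'firewall-cmd --zone=%s --change-interface=%s\n' "$zone" "$iface"
}

# Demo on the constructed sample. On a live host pass the real listing:
#   safe_change_interface internal eth0 "$(firewall-cmd --zone=internal --list-all)"
safe_change_interface internal eth0 "$SAMPLE_INTERNAL_LIST_ALL"
```

The check deliberately reads only the `services:` and `ports:` lines plus the zone target; a zone that admits ssh only through a rich rule or a source-address match would be reported as blocking, which errs on the safe side.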
(4) Service management
Set the services allowed in the default zone (first move eth0 back to the public zone). Note that without --permanent every change in this section applies to the runtime configuration only and is lost on reload or restart; add --permanent and then run firewall-cmd --reload to persist it.
[root@localhost ~]# firewall-cmd --zone=public --change-interface=eth0 ## move eth0 back to public
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh
[root@localhost ~]# firewall-cmd --add-service=http
success
[root@localhost ~]# firewall-cmd --add-service=https
success
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh http https
Set the services allowed in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --add-service=mysql
success
[root@localhost ~]# firewall-cmd --zone=internal --remove-service=samba-client
success
[root@localhost ~]# firewall-cmd --zone=internal --list-services
ssh mdns dhcpv6-client mysql
Port management
[root@localhost ~]# firewall-cmd --zone=internal --add-port=443/tcp
success
[root@localhost ~]# firewall-cmd --zone=internal --remove-port=443/tcp
success
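The add/remove commands above are issued one at a time against the runtime configuration. The following is an added example, not code from the original page: a small planner that compares the current service and port lists of a zone with a desired state, prints only the `--permanent` add/remove calls needed, and a wrapper that applies them and runs `--reload`. It assumes `--list-services` and `--list-ports` print space-separated names on one line, as in the output above; the lists fed to the demo are constructed, not read from a live host.

```shell
#!/bin/bash
# Added example: declarative, idempotent management of a zone's services and
# ports. Writes the permanent configuration and reloads, so the result
# survives restarts, unlike the runtime-only commands shown above.

# Print the firewall-cmd calls that turn `current` into `desired`, both given
# as space-separated lists. Prints nothing when the two already match.
# $1 zone, $2 item kind (service|port), $3 current list, $4 desired list
plan_zone_items() {
    local zone=$1 kind=$2 current=$3 desired=$4 item
    for item in $desired; do
        case " $current " in
            *" $item "*) ;;   # already allowed
            *) printf 'firewall-cmd --permanent --zone=%s --add-%s=%s\n' "$zone" "$kind" "$item" ;;
        esac
    done
    for item in $current; do
        case " $desired " in
            *" $item "*) ;;   # still wanted
            *) printf 'firewall-cmd --permanent --zone=%s --remove-%s=%s\n' "$zone" "$kind" "$item" ;;
        esac
    done
}

# Reconcile one zone against the desired service and port lists, then reload
# so the permanent configuration becomes the runtime one. DRY_RUN=1 only
# prints the plan. Needs a live firewalld; the planner above is pure.
reconcile_zone() {
    local zone=$1 want_services=$2 want_ports=$3 cur_services cur_ports plan
    cur_services=$(firewall-cmd --permanent --zone="$zone" --list-services)
    cur_ports=$(firewall-cmd --permanent --zone="$zone" --list-ports)
    plan=$(
        plan_zone_items "$zone" service "$cur_services" "$want_services"
        plan_zone_items "$zone" port "$cur_ports" "$want_ports"
    )
    if [ -z "$plan" ]; then
        echo "zone $zone already matches the desired state"
        return 0
    fi
    printf '%s\n' "$plan"
    [ "${DRY_RUN:-0}" = 1 ] && return 0
    printf '%s\n' "$plan" | sh -e && firewall-cmd --reload
}

# Demo on constructed lists (not read from a live host): internal zone defaults
# on the left, the state reached above (mysql added, samba-client removed) plus
# dropping mdns on the right. Prints one add and two removes.
plan_zone_items internal service "ssh mdns samba-client dhcpv6-client" "ssh dhcpv6-client mysql"
# Usage on a live host, e.g.:
#   DRY_RUN=1 reconcile_zone internal "ssh dhcpv6-client mysql" ""
```

Because the planner only emits the difference, running `reconcile_zone` repeatedly is safe, and reviewing its output with `DRY_RUN=1` before applying shows exactly which exposure changes, which is what you want to see before touching a zone that carries the management interface.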