1、firewalld 從名稱上看，模仿的是硬件防火墻的概念，zone. 所有的接口都必須屬于某個zone . 在zone內配置規則。

2. 常用的方法是 增加對一個tcp或者udp端口號的允許通過的規則。

創新互聯公司主營彭山網站建設的網絡公司,主營網站建設方案,成都App定制開發,彭山h5微信小程序定制開發搭建,彭山網站營銷推廣歡迎彭山等地區企業咨詢

  firewall-cmd --add-service icmp --permanent

  firewall-cmd --reload

3. firewalld進程有時候可能沒有啟動。需要啟動一下對應的進程。

[root@localhost zhou]# firewall-cmd --reload
FirewallD is not running
[root@localhost zhou]# ps -ef | grep firewall
root 2970 2757 0 07:57 pts/0 00:00:00 grep --color=auto firewall
[root@localhost zhou]# systemctl start firewalld
[root@localhost zhou]#
[root@localhost zhou]# ps -ef | grep firewall
root 2983 1 14 07:58 ? 00:00:00 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
root 3207 2757 0 07:58 pts/0 00:00:00 grep --color=auto firewall
[root@localhost zhou]#
[root@localhost zhou]#

4. 查看系統所有的zone

[root@localhost zhou]# firewall-cmd --get-zones      ---> 顯示所有zone
work drop internal external trusted home dmz public block
[root@localhost zhou]# firewall-cmd --get-default-zone  ---> 顯示默認zone
public
[root@localhost zhou]#
[root@localhost zhou]# firewall-cmd --list-all-zones  ---> 顯示所有zone的所有規則
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
sourceports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

public (active)
target: default
icmp-block-inversion: no
interfaces: ens33 ens37
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[root@localhost zhou]#

[root@localhost zhou]# firewall-cmd --list-all --zone=public  ---> 顯示public zone的所有規則
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[root@localhost zhou]#

5. 獲取接口默認所屬的zone

[root@localhost zhou]# firewall-cmd --get-zone-of-interface ens33
public
[root@localhost zhou]#
[root@localhost zhou]# ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:f2:c7:50 brd ff:ff:ff:ff:ff:ff
3: ens37: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT qlen 1000
link/ether 00:0c:29:f2:c7:5a brd ff:ff:ff:ff:ff:ff
4: virbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT qlen 1000
link/ether 52:54:00:15:47:59 brd ff:ff:ff:ff:ff:ff
5: virbr0-nic: <BROADCAST,MULTICAST> mtu 1500 qdisc pfifo_fast master virbr0 state DOWN mode DEFAULT qlen 1000
link/ether 52:54:00:15:47:59 brd ff:ff:ff:ff:ff:ff
[root@localhost zhou]#
[root@localhost zhou]# firewall-cmd --get-zone-of-interface lo
no zone
[root@localhost zhou]#
[root@localhost zhou]# firewall-cmd --get-zone-of-interface ens37
no zone
[root@localhost zhou]#
[root@localhost zhou]#

6. 增加某個服務或者端口號

[root@localhost zhou]# firewall-cmd --permanent --remove-service=dhcpv6-client --zone=public
success
[root@localhost zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[root@localhost zhou]# firewall-cmd --reload
success
[root@localhost zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[root@localhost zhou]#

[root@localhost zhou]# firewall-cmd --remove-service=ssh --zone=public
success
[root@localhost zhou]#
[root@localhost zhou]#

關閉ssh服務，下面的命令輸入后，ssh連接就不能再建立，對已有的ssh連接無影響。
[root@localhost zhou]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
sourceports:
icmp-blocks:
rich rules:

[root@localhost zhou]#

[root@localhost zhou]# firewall-cmd --permanent --add-port=3306/tcp  ----> 增加tcp端口號3306, 就是mySQL服務器的端口號。
success
[root@localhost zhou]# firewall-cmd --reload
success
[root@localhost zhou]#

參考：

Firewalld詳解

https://zhuanlan.zhihu.com/p/23519454

本文名稱：firewalld操作實踐-創新互聯
文章路徑：http://www.yijiale78.com/article6/phcog.html

成都網站建設公司_創新互聯，為您提供軟件開發、網站改版、虛擬主機、靜態網站、做網站、手機網站建設

廣告

聲明：本網站發布的內容（圖片、視頻和文字）以用戶投稿、用戶轉載內容為主，如果涉及侵權請盡快告知，我們將會在第一時間刪除。文章觀點不代表本網站立場，如需處理請聯系客服。電話：028-86922220；郵箱：631063699@qq.com。內容未經允許不得轉載，或轉載時需注明來源： 創新互聯