I. The 9 firewalld zones
1. Start firewalld
Removed symlink /etc/systemd/system/basic.target.wants/iptables.service.
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
2. firewall-cmd --get-zones
Lists all zones. firewalld ships with 9 zones by default:
block dmz drop external home internal public trusted work
3. firewall-cmd --get-default-zone queries the default zone; the default is public
public
II. Zone operations in firewalld
1. firewall-cmd --set-default-zone= changes the default zone
2. firewall-cmd --get-zone-of-interface= shows which zone an interface belongs to
[root@host ~]# firewall-cmd --get-zone-of-interface=ens33
work
[root@host ~]# firewall-cmd --get-zone-of-interface=ens37   # "no zone" usually means the interface has no ifcfg configuration file
no zone
3. firewall-cmd --zone=dmz --add-interface= assigns an interface to a zone
The interface is under control of NetworkManager, setting zone to 'dmz'.
success
[root@host network-scripts]# firewall-cmd --get-zone-of-interface=ens37
dmz
4. firewall-cmd --zone=block --change-interface= moves an interface to a different zone
[root@host network-scripts]# firewall-cmd --zone=block --change-interface=ens37   # move ens37 to the block zone
The interface is under control of NetworkManager, setting zone to 'block'.
success
[root@host network-scripts]# firewall-cmd --get-zone-of-interface=ens37
block
5. firewall-cmd --zone=block --remove-interface= removes an interface from a zone
[root@host network-scripts]# firewall-cmd --zone=block --remove-interface=ens37   # remove ens37 from the block zone
The interface is under control of NetworkManager, setting zone to default.
success
[root@host network-scripts]# firewall-cmd --get-zone-of-interface=ens37   # ens37 falls back to work, because work is now the default zone
work
6. firewall-cmd --get-active-zones lists the zone of every interface on the system
III. Service operations in firewalld
1. firewall-cmd --get-services lists every service definition known to the system
[root@host network-scripts]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry
dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt
libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind
rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local
xmpp-server
2. firewall-cmd --list-service shows the services allowed in the current default zone
[root@host network-scripts]# firewall-cmd --list-service
ssh dhcpv6-client
3. firewall-cmd --zone= --list-service shows the services allowed in a given zone
[root@host network-scripts]# firewall-cmd --zone=public --list-service   # services in the public zone
ssh dhcpv6-client
4. firewall-cmd --zone=zonename --add-service=servicename adds a service to a zone
[root@host network-scripts]# firewall-cmd --zone=public --add-service=http   # allow http in the public zone
success
[root@host network-scripts]# firewall-cmd --zone=public --list-service   # the service was added
ssh dhcpv6-client http
5. --permanent writes the change to the configuration file /etc/firewalld/zones/public.xml; without it the change is kept only in memory (the runtime configuration) and is lost on the next reload or reboot. The reverse also holds: a --permanent change is not applied to the running firewall until firewall-cmd --reload.
[root@host network-scripts]# firewall-cmd --zone=public --add-service=http --permanent   # allow http in the public zone, persistently
success
Contents of /etc/firewalld/zones/public.xml afterwards:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<service name="http"/>
</zone>
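An added example that is not part of the original notes: because a change made without --permanent lives only in the runtime configuration, and a --permanent change is not enforced until firewall-cmd --reload, the two views of a zone can silently disagree. The script below lists the services that exist in only one of them. FWCMD is an assumed variable that names the command to run, so the logic can be exercised with a stand-in instead of the real firewall-cmd; the exit status is 0 only when runtime and permanent configurations match.

```sh
#!/bin/sh
# Added example, not from the original notes: report services that are present
# in only one of a zone's runtime or permanent configurations.
#   runtime-only   -> lost at the next "firewall-cmd --reload" or reboot
#   permanent-only -> written to /etc/firewalld/zones/<zone>.xml but not
#                     enforced until "firewall-cmd --reload"
# FWCMD is an assumed hook: it names the command to run, so the logic can be
# exercised with a stand-in instead of the real firewall-cmd.
FWCMD="${FWCMD:-firewall-cmd}"

# Services in the zone's runtime configuration, one per line, sorted.
runtime_services() {
    "$FWCMD" --zone="$1" --list-services | tr ' ' '\n' | sed '/^$/d' | sort
}

# Services in the zone's permanent configuration, one per line, sorted.
permanent_services() {
    "$FWCMD" --permanent --zone="$1" --list-services | tr ' ' '\n' | sed '/^$/d' | sort
}

# Print one line per mismatched service. Exit status 0 means runtime and
# permanent agree for the zone, 1 means drift was found.
zone_service_drift() {
    zone="$1"
    rt=$(runtime_services "$zone")
    pm=$(permanent_services "$zone")
    drift=0
    for s in $rt; do
        if ! printf '%s\n' "$pm" | grep -qx -- "$s"; then
            echo "runtime-only: $s (zone $zone; not saved, re-add with --permanent if intended)"
            drift=1
        fi
    done
    for s in $pm; do
        if ! printf '%s\n' "$rt" | grep -qx -- "$s"; then
            echo "permanent-only: $s (zone $zone; not active until firewall-cmd --reload)"
            drift=1
        fi
    done
    return $drift
}

# Usage on a real host (needs root), e.g. for the default zone:
#   zone_service_drift "$(firewall-cmd --get-default-zone)"
```

Run it for each zone reported by firewall-cmd --get-active-zones after maintenance work; a non-zero exit status is the signal that someone opened a service only in memory (it will vanish on reload) or only on disk (it is not yet enforced).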
6. Where the configuration and template files live
Zone configuration files are kept in /etc/firewalld/zones.
Service configuration files are kept in /etc/firewalld/services.
Zone templates are kept in /usr/lib/firewalld/zones.
Service templates are kept in /usr/lib/firewalld/services.
A file in /etc/firewalld overrides the template of the same name in /usr/lib/firewalld, so customize a copy in /etc rather than editing the template, which a package update would overwrite.
7. Requirement: FTP runs on the custom port 1121, and it must be allowed in the work zone
1. [root@host ~]# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/ftp.xml
# copy the ftp service template
2. Edit /etc/firewalld/services/ftp.xml and change the port to 1121, so that the port line reads:
<port protocol="tcp" port="1121"/>
3. [root@host ~]# cp /usr/lib/firewalld/zones/home.xml /etc/firewalld/zones/home.xml
# copy the home zone template
4. [root@host ~]# vim /etc/firewalld/zones/home.xml
# edit the home zone file and add this line:
<service name="ftp"/>
The zone's service list afterwards:
ssh mdns samba-client dhcpv6-client ftp
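An added example, not the original author's commands, that performs steps 1 to 4 above as reusable functions: it copies the service template into the /etc override directory with the port rewritten, copies the zone template if no override exists yet, and inserts the service line exactly once (a second call is a no-op). FWROOT is an assumed variable that prefixes every path; when it is unset the script works in a scratch directory filled with constructed stand-in templates (not the real files shipped by firewalld), so it never touches the live system. On a real host you would set FWROOT=/ and call the functions yourself, then run firewall-cmd --reload.

```sh
#!/bin/sh
# Added example, not the original author's commands: steps 1-4 of the notes as
# reusable functions. Every path is prefixed with FWROOT (an assumed variable);
# when FWROOT is unset the script works in a scratch directory filled with
# constructed stand-in templates, so it never touches the live system.

make_sample_templates() {
    # Constructed stand-ins for the shipped templates, reduced to the elements
    # the functions below read. These are NOT the real files from the firewalld package.
    mkdir -p "$FWROOT/usr/lib/firewalld/services" "$FWROOT/usr/lib/firewalld/zones"
    cat > "$FWROOT/usr/lib/firewalld/services/ftp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>FTP</short>
  <description>Constructed stand-in for the ftp service template.</description>
  <port protocol="tcp" port="21"/>
</service>
EOF
    cat > "$FWROOT/usr/lib/firewalld/zones/home.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <description>Constructed stand-in for the home zone template.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
}

# Steps 1+2: copy a service template into the /etc override directory and rewrite
# the port of the given protocol. The template under /usr/lib is left untouched.
override_service_port() {
    svc="$1"; proto="$2"; port="$3"
    tmpl="$FWROOT/usr/lib/firewalld/services/$svc.xml"
    dest="$FWROOT/etc/firewalld/services/$svc.xml"
    [ -f "$tmpl" ] || { echo "no template for service $svc" >&2; return 1; }
    mkdir -p "$(dirname "$dest")"
    sed "s|<port protocol=\"$proto\" port=\"[0-9]*\"/>|<port protocol=\"$proto\" port=\"$port\"/>|" \
        "$tmpl" > "$dest"
    grep -q "port=\"$port\"" "$dest"   # fail if no port line was rewritten
}

# Steps 3+4: make sure the zone has an override file in /etc (copied from the
# template if needed) and add <service name="..."/> before </zone>, once.
add_service_to_zone() {
    zone="$1"; svc="$2"
    tmpl="$FWROOT/usr/lib/firewalld/zones/$zone.xml"
    dest="$FWROOT/etc/firewalld/zones/$zone.xml"
    if [ ! -f "$dest" ]; then
        [ -f "$tmpl" ] || { echo "no template for zone $zone" >&2; return 1; }
        mkdir -p "$(dirname "$dest")"
        cp "$tmpl" "$dest"
    fi
    grep -q "<service name=\"$svc\"/>" "$dest" && return 0   # already allowed: no-op
    awk -v line="  <service name=\"$svc\"/>" '/<\/zone>/ { print line } { print }' \
        "$dest" > "$dest.tmp" && mv "$dest.tmp" "$dest"
}

# Service names a zone file declares (override in /etc if present, else the template),
# space separated in the same shape as "firewall-cmd --zone=<zone> --list-services".
zone_services() {
    f="$FWROOT/etc/firewalld/zones/$1.xml"
    [ -f "$f" ] || f="$FWROOT/usr/lib/firewalld/zones/$1.xml"
    sed -n 's/.*<service name="\([^"]*\)"\/>.*/\1/p' "$f" | tr '\n' ' ' | sed 's/ $//'
}

# Worked run, only in scratch mode (FWROOT unset): ftp on tcp/1121, allowed in home.
if [ -z "${FWROOT:-}" ]; then
    FWROOT=$(mktemp -d)
    make_sample_templates
    override_service_port ftp tcp 1121
    add_service_to_zone home ftp
    echo "home zone services: $(zone_services home)"
    cat "$FWROOT/etc/firewalld/services/ftp.xml"
    rm -rf "$FWROOT"
fi
```

The override in /etc/firewalld/services/ftp.xml shadows the template by name for every zone that references ftp, not just the one edited here, which is why the functions only ever write under /etc and verify the port line actually changed.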