Firewall configuration in CentOS 7
I. Basic firewall usage
1. Start the firewall
[root@localhost ~]# systemctl start firewalld.service
2. Stop the firewall
[root@localhost ~]# systemctl stop firewalld.service
3. Restart the firewall
[root@localhost ~]# systemctl restart firewalld.service
4. Reload the firewall
[root@localhost ~]# systemctl reload firewalld.service
5. Check the firewalld service status
[root@localhost ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2020-08-07 04:48:14 EDT; 1min 19s ago
Docs: man:firewalld(1)
Process: 1860 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
Main PID: 1764 (firewalld)
CGroup: /system.slice/firewalld.service
└─1764 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Aug 07 04:48:13 localhost.localdomain systemd[1]: Starting firewalld - dynamic firewall daemon...
Aug 07 04:48:14 localhost.localdomain systemd[1]: Started firewalld - dynamic firewall daemon.
Aug 07 04:48:14 localhost.localdomain firewalld[1764]: WARNING: AllowZoneDrifting is enabled. This is considered an inse... now.
Aug 07 04:48:48 localhost.localdomain systemd[1]: Reloading firewalld - dynamic firewall daemon.
Aug 07 04:48:48 localhost.localdomain systemd[1]: Reloaded firewalld - dynamic firewall daemon.
Aug 07 04:48:48 localhost.localdomain firewalld[1764]: WARNING: AllowZoneDrifting is enabled. This is considered an inse... now.
Hint: Some lines were ellipsized, use -l to show in full.
6. Disable the firewall at boot
[root@localhost ~]# systemctl disable firewalld.service
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
Removed symlink /etc/systemd/system/basic.target.wants/firewalld.service.
7. Enable the firewall at boot
[root@localhost ~]# systemctl enable firewalld.service
Created symlink from /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service to /usr/lib/systemd/system/firewalld.service.
Created symlink from /etc/systemd/system/multi-user.target.wants/firewalld.service to /usr/lib/systemd/system/firewalld.service.
II. Configuring firewall-cmd
1. Show the help text
[root@localhost ~]# firewall-cmd --help
Usage: firewall-cmd [OPTIONS...]
General Options
-h, --help Prints a short help text and exists
-V, --version Print the version string of firewalld
-q, --quiet Do not print status messages
Status Options
--state Return and print firewalld state
--reload Reload firewall and keep state information
--complete-reload Reload firewall and lose state information
--runtime-to-permanent
Create permanent from runtime configuration
--check-config Check permanent configuration for errors
............
2. Show the version
[root@localhost ~]# firewall-cmd --version
0.6.3
3. Show the state
[root@localhost ~]# firewall-cmd --state
running
4. List all open ports
[root@localhost ~]# firewall-cmd --list-port
3306/tcp
5. Reload the firewall rules
[root@localhost ~]# firewall-cmd --reload
success
6. Show the firewall rules
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
7. Open port 3306
[root@localhost ~]# firewall-cmd --permanent --add-port=3306/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 8080/tcp 3306/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Notes:
(1) --permanent: saves the rule to the permanent configuration so it survives a reload or reboot; it does not change the running rules by itself.
(2) --reload: reloads the firewall so that the permanent configuration takes effect.
8. Remove port 3306
[root@localhost ~]# firewall-cmd --permanent --remove-port 3306/tcp
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh
ports: 8080/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
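Note that the `--list-all` output above reports 8080/tcp open even though the post only ever adds 3306/tcp. As an added example (not code from the original post), the script below audits the ports firewalld reports against an allowlist so that such unexpected exposure is flagged; `SAMPLE_LIST_ALL`, `list_open_ports` and `audit_ports` are names chosen here, and the sample output is constructed in the shape of `firewall-cmd --list-all`.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): audit the ports that firewalld
# reports open against an allowlist, so unexpected exposure (like the 8080/tcp
# that shows up in the post's own --list-all output) is flagged.

# Constructed sample in the shape of `firewall-cmd --list-all` output.
SAMPLE_LIST_ALL='public (active)
  target: default
  interfaces: ens33
  services: dhcpv6-client ssh
  ports: 8080/tcp 3306/tcp
  source-ports:
  forward-ports:
  rich rules:'

# Read --list-all output on stdin and print one open port/protocol per line.
# Anchoring on "ports:" keeps "source-ports:" and "forward-ports:" out.
list_open_ports() {
  sed -n 's/^[[:space:]]*ports:[[:space:]]*//p' | tr ' ' '\n' | sed '/^$/d'
}

# Usage: audit_ports "<list-all output>" allowed1 allowed2 ...
# Prints each open port missing from the allowlist; returns 0 if none, 1 otherwise.
audit_ports() {
  local output="$1"; shift
  local allowed=" $* "
  local port rc=0
  while IFS= read -r port; do
    [ -n "$port" ] || continue
    case "$allowed" in
      *" $port "*) ;;                                   # expected, skip
      *) printf 'unexpected open port: %s\n' "$port"; rc=1 ;;
    esac
  done <<EOF
$(printf '%s\n' "$output" | list_open_ports)
EOF
  return "$rc"
}

# Stand-alone run against the constructed sample. On a real host use:
#   audit_ports "$(firewall-cmd --list-all)" 3306/tcp
if audit_ports "$SAMPLE_LIST_ALL" 3306/tcp; then
  echo "open ports match the allowlist"
else
  echo "open ports drift from the allowlist"
fi
```

Run it from cron or a configuration check after every `firewall-cmd --reload` to catch ports that were opened outside the documented change.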