firewalld is the default firewall software on RHEL 7. It comes with a graphical configuration tool (firewall-config) and a command-line configuration tool (firewall-cmd).
firewalld zones: by default the following zones are available.
zone      ## default configuration
trusted   ## trusted: accepts all incoming network connections
home      ## home: accepts only ssh, mdns, ipp-client, samba-client and dhcpv6-client connections
internal  ## internal: accepts only ssh, mdns, ipp-client, samba-client and dhcpv6-client connections
work      ## work: accepts only ssh, ipp-client and dhcpv6-client connections
public    ## public: accepts only ssh and dhcpv6-client connections; this is the firewalld default zone
external  ## external: outgoing connections through this zone are masqueraded (NAT) and forwarded; accepts only ssh connections
dmz       ## demilitarized zone: accepts only ssh connections
block     ## block: rejects all incoming packets, with an ICMP error reply to the sender
drop      ## drop: discards all incoming packets, with no reply
In every zone outgoing connections are allowed; the lists above only describe which incoming connections are accepted.
Start the firewalld service, and enable it so that it starts at system boot
[root@desktop ~]# systemctl start firewalld
[root@desktop ~]# systemctl enable firewalld
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
ln -s '/usr/lib/systemd/system/firewalld.service' '/etc/systemd/system/basic.target.wants/firewalld.service'
Stop the firewalld service, and disable it
[root@desktop ~]# systemctl stop firewalld
[root@desktop ~]# systemctl disable firewalld
rm '/etc/systemd/system/basic.target.wants/firewalld.service'
rm '/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service'
Check the status of the firewalld process
[root@desktop ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
Active: active (running) since Thu 2018-06-07 08:48:22 EDT; 12s ago
Main PID: 1984 (firewalld)
CGroup: /system.slice/firewalld.service
└─1984 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Jun 07 08:48:22 desktop.jinx.com systemd[1]: Starting firewalld - dynamic fi....
Jun 07 08:48:22 desktop.jinx.com systemd[1]: Started firewalld - dynamic fir....
Hint: Some lines were ellipsized, use -l to show in full.
The following lists some basic commands of the command-line configuration tool (firewall-cmd).
Check the state of the firewalld service
[root@desktop ~]# firewall-cmd --state
running
Show the default zone
[root@desktop ~]# firewall-cmd --get-default-zone
public
List the available zones (the ROL entry in the output below is a zone defined on this particular system; the other nine are the defaults listed above)
[root@desktop ~]# firewall-cmd --get-zones
ROL block dmz drop external home internal public trusted work
Change the default zone
[root@desktop ~]# firewall-cmd --set-default-zone=work
success
[root@desktop ~]# firewall-cmd --get-default-zone
work
List all available predefined services
[root@desktop services]# firewall-cmd --get-services
amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability
http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls
mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql
proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client
transmission-client vnc-server wbem-https
Permanently add the http (80/tcp) and https (443/tcp) services to the work zone
[root@desktop services]# firewall-cmd --zone=work --add-service=http --permanent
success
[root@desktop services]# firewall-cmd --zone=work --add-service=https --permanent
success
### --remove-service= removes a service from the zone
### --permanent writes the change to the permanent configuration (/etc/firewalld/zones/work.xml); without it the change is runtime-only and is lost on firewall-cmd --reload or a service restart. Note the converse as well: a --permanent change is not active until firewall-cmd --reload is run.
Add a specific port to the work zone
[root@desktop services]# firewall-cmd --zone=work --add-port=1234/tcp --permanent
success
### --remove-port= removes a port
Add a trusted source network to the work zone
[root@desktop services]# firewall-cmd --zone=work --add-source=172.25.254.0/24
success
### --remove-source= removes a source
### This command was run without --permanent, so the source is runtime-only and is dropped by the --reload below; that is why "sources:" is empty in the final listing. Add --permanent to keep it.
Bind a network interface to the work zone
[root@desktop services]# firewall-cmd --permanent --add-interface=eth0 --zone=work
success
### --change-interface= moves an interface into this zone from whichever zone it is currently in
### --remove-interface= removes an interface from the zone
Reload the firewall (activates the permanent configuration and discards runtime-only changes)
[root@desktop services]# firewall-cmd --reload
success
Check the resulting configuration
[root@desktop services]# firewall-cmd --list-all
work (default, active)
interfaces: eth0
sources:
services: dhcpv6-client http https ipp-client ssh
ports: 1234/tcp
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
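A practical check for the runtime-versus-permanent split that the procedure above runs into (the --permanent services and port were inactive until --reload, while the runtime-only source disappeared after it). This is an added example, not code from the original page: a bash script that compares `firewall-cmd --list-all` with `firewall-cmd --permanent --list-all` for one zone and reports every interface, source, service or port present on only one side. The embedded sample outputs are constructed to match the work zone after the commands above but before --reload; the function names zone_field, zone_drift and check_live are my own.

```shell
#!/bin/bash
# Added example (not from the original page): detect drift between a zone's
# runtime settings (firewall-cmd --list-all) and its permanent settings
# (firewall-cmd --permanent --list-all). Items added without --permanent are
# lost on --reload; items added with --permanent are inactive until --reload.

# Print the items of one field ("interfaces", "sources", "services", "ports")
# from list-all output read on stdin, one item per line.
zone_field() {
    awk -v f="$1:" '$1 == f { for (i = 2; i <= NF; i++) print $i }'
}

# Compare two list-all outputs. Prints one line per item present on only one
# side; returns 1 if any drift was found, 0 if runtime and permanent agree.
zone_drift() {
    local runtime="$1" permanent="$2" field item found=0
    for field in interfaces sources services ports; do
        for item in $(printf '%s\n' "$runtime" | zone_field "$field"); do
            printf '%s\n' "$permanent" | zone_field "$field" | grep -qxF -- "$item" ||
                { echo "runtime-only: $field $item (lost on --reload; re-add with --permanent)"; found=1; }
        done
        for item in $(printf '%s\n' "$permanent" | zone_field "$field"); do
            printf '%s\n' "$runtime" | zone_field "$field" | grep -qxF -- "$item" ||
                { echo "permanent-only: $field $item (inactive until firewall-cmd --reload)"; found=1; }
        done
    done
    return "$found"
}

# Run the comparison against the live daemon (needs firewalld running and root).
# Usage: check_live [zone]   (defaults to the current default zone)
check_live() {
    local zone="${1:-$(firewall-cmd --get-default-zone)}"
    zone_drift "$(firewall-cmd --zone="$zone" --list-all)" \
               "$(firewall-cmd --permanent --zone="$zone" --list-all)"
}

# Constructed sample (not captured from a real host): the work zone after the
# commands on this page but BEFORE --reload. The source was added without
# --permanent (runtime only); http, https and 1234/tcp were added with
# --permanent (not yet active).
RUNTIME_SAMPLE='work (default, active)
  interfaces: eth0
  sources: 172.25.254.0/24
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

PERMANENT_SAMPLE='work
  interfaces: eth0
  sources:
  services: dhcpv6-client http https ipp-client ssh
  ports: 1234/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# Demo on the samples; on a real RHEL 7 host run `check_live work` instead.
zone_drift "$RUNTIME_SAMPLE" "$PERMANENT_SAMPLE" && echo "zone in sync" || echo "zone has drift"
```

On the samples the script reports the source as runtime-only and http, https and 1234/tcp as permanent-only, which is exactly the situation a `firewall-cmd --reload` resolves in favour of the permanent side. Running it before a reload on a production host tells you which runtime-only rules you are about to lose.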