[root@CentOS rdc]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2017-01-26 21:42:05 MST; 3h 46min ago
Docs: man:firewalld(1)
Main PID: 712 (firewalld)
Memory: 34.7M
CGroup: /system.slice/firewalld.service
└─712 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
systemctl start firewalld && systemctl enable firewalld
[root@CentOS]# firewall-cmd --state
running
[root@CentOS]#
区域和描述 |
drop
信任度最低。所有传入的连接和数据包都被直接丢弃，不回复任何消息；只有由本机发起的传出连接（及其依靠连接状态跟踪识别出的回包）才能通过。
|
block
拒绝传入的连接，并用 icmp 消息回复发起者，让对方知道请求被禁止（与 drop 不同，block 会暴露主机的存在）。
|
public
所有网络都受到限制。但是,可以明确允许选定的传入连接
|
external
为 NAT 配置 firewalld。内部网络保持私密但可访问
|
dmz
只允许某些传入连接。用于 DMZ 隔离的系统
|
work
工作区域。默认假设系统处于相对安全的工作环境中，因此信任网络上更多的计算机
|
home
家庭区域。默认情况下放行更多服务。假设系统位于家庭网络上，其中会用到 NFS、SAMBA 和 SSDP 等服务
|
trusted
网络上的所有机器都是可信的。允许大多数传入连接不受限制。
这不适用于暴露在 Internet 上的接口
|
[root@CentOS]# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
[root@CentOS]# firewall-cmd --get-default-zone
public
[root@CentOS]#
bash-3.2# nmap -sS -p 1-1024 -T 5 10.211.55.1
Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:36 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00046s latency).
Not shown: 1023 filtered ports
PORT   STATE SERVICE
22/tcp open  ssh
Nmap done: 1 IP address (1 host up) scanned in 3.71 seconds
bash-3.2#
注意：-T 5（insane）的超时极短，在较慢的网络上可能漏掉端口；验证防火墙规则时建议用 -T 4 或默认时序复扫一次。另外，只对自己有权限测试的主机做端口扫描。
[root@CentOs]# firewall-cmd --get-default-zone
public
[root@CentOS]#
[root@CentOS]# firewall-cmd --zone=public --add-port=80/tcp
success
[root@CentOS]#
bash-3.2# nmap -sS -p 1-1024 -T 5 10.211.55.1
Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:42 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00053s latency).
Not shown: 1022 filtered ports
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp closed http
Nmap done: 1 IP address (1 host up) scanned in 3.67 seconds
bash-3.2#
注意：80/tcp 从 filtered 变成了 closed，说明防火墙已经放行该端口，只是主机上还没有服务在监听（内核直接回复 RST）；一旦有服务绑定 80 端口，它就会对外暴露。另外，上面的 --add-port 没有加 --permanent，只是运行时变更，firewalld 重启或 --reload 之后就会丢失。
[root@CentOS]# firewall-cmd --set-default-zone=drop
success
[root@CentOS]# firewall-cmd --get-default-zone
drop
[root@CentOs]#
bash-3.2# nmap -sS -p 1-1024 -T 5 10.211.55.1
Starting Nmap 7.30 ( https://nmap.org ) at 2017-01-27 23:50 MST
Nmap scan report for centos.shared (10.211.55.1)
Host is up (0.00094s latency).
All 1024 scanned ports on centos.shared (10.211.55.1) are filtered
Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds
bash-3.2#
bash-3.2# ping 10.211.55.1
PING 10.211.55.1 (10.211.55.1): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
注意：drop 区域连 ICMP 也一并丢弃，所以 ping 没有任何回应。上一次扫描中 22/tcp 也变成了 filtered——如果你是通过 SSH 远程操作，把默认区域切换为 drop 会把自己锁在外面。请在本地控制台（或带外管理通道）上做这类测试。
[root@CentOs]# firewall-cmd --set-default-zone=public
success
[root@CentOS]# firewall-cmd --get-default-zone
public
[root@CentOS]#
[root@CentOS]# firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s5
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
[root@CentOS rdc]#
[root@CentOS]# firewall-cmd --zone=public --add-port=80/tcp --permanent
success
[root@CentOS]# firewall-cmd --reload
success
[root@CentOS]#
注意：--permanent 只写入持久配置，不会立即改变运行中的规则；应使用 firewall-cmd --reload 加载持久配置，而不是 systemctl restart firewalld——重启守护进程会丢弃所有只在运行时添加的规则（例如前面没有加 --permanent 的 --add-port）。如果想把当前运行时配置整体保存下来，也可以用 firewall-cmd --runtime-to-permanent。
命令 | Action |
firewall-cmd--get-zones | 列出可以应用到一个接口的所有区域 |
firewall-cmd --state | 返回 firewalld 服务的当前状态 |
firewall-cmd--get-default-zone | 获取当前默认区域 |
firewall-cmd --set-default-zone=<zone> | 将默认区域设置为 <zone>（未明确绑定区域的接口都使用默认区域） |
firewall-cmd --get-active-zones | 列出当前处于活动状态的区域及其绑定的接口 |
firewall-cmd --zone=<zone> --list-all | 列出指定区域的完整配置 |
firewall-cmd --zone=<zone> --add-port=<port/transport protocol> | 在指定区域开放端口（默认只在运行时生效，需加 --permanent 才会持久化） |
--permanent | 对区域进行持久更改。该标志与修改命令一起使用；写入持久配置后需执行 --reload 才会生效 |