Firewalld Firewall Configuration and Usage

Kevin · Tutorials · 2,093 views · 42 comments

Strictly speaking, calling Firewalld a firewall is not quite accurate. Firewalld is a front-end management tool for the Linux kernel's Netfilter/iptables packet-filtering system; it lets you manage firewall rules and policies from user space.

Compared with managing iptables directly, Firewalld is much easier to use: you do not need to understand the "four tables and five chains" to manage rules, only a handful of common parameters. Firewalld also supports dynamic updates, so changing a rule does not require reloading the firewall service. It adds the concepts of "zones" and "services", which let you switch policies between scenarios and set up rules for a service quickly.

Installing and Managing Firewalld

Firewalld ships by default with some Linux distributions, such as CentOS 7+ and Fedora 18+. Use the following command to check whether the service is installed.

firewall-cmd --state

If the service exists it prints running or not running; if it returns -bash: firewall-cmd: command not found, it is not installed. Install it as follows.

yum install firewalld

On a desktop, you can also install the graphical front end and the tray applet.

yum install firewall-config
yum install firewall-applet

Start the service and enable it at boot (some systems ship Firewalld but do not activate it by default).

systemctl start firewalld
systemctl enable firewalld

Check the status of the Firewalld daemon.

systemctl status firewalld

List the ports allowed in the default zone.

firewall-cmd --list-ports

List the services allowed in the default zone.

firewall-cmd --list-services

firewall-cmd parameter reference (examples for some of the options follow below)

Option                                         Function
--version                                      Show version information
--help                                         Show help
--permanent                                    Make the rule permanent; a reload is needed for it to take effect
--reload                                       Reload the firewall configuration so permanent rules take effect immediately
--get-default-zone                             Show the name of the current default zone
--set-default-zone=<zone>                      Change the default zone (the firewall configuration must be reloaded for it to take effect)
--get-zones                                    List all zone names, separated by spaces
--get-services                                 Show all available service names
--get-active-zones                             Show the zones currently in use and their interfaces
--list-all                                     Show full details of the current zone: interfaces, allowed services/ports, etc.
--list-all-zones                               Show full details of all zones: interfaces, allowed services/ports, etc.
--add-service=<service>                        Allow traffic for this service in the default zone
--remove-service=<service>                     Stop allowing traffic for this service in the default zone
--add-port=<port/protocol>                     Allow traffic to this port in the default zone
--remove-port=<port/protocol>                  Stop allowing traffic to this port in the default zone
--add-source=<IP address>                      Route traffic from this IP or subnet to the specified zone
--remove-source=<IP address>                   Stop routing traffic from this IP or subnet to the specified zone
--add-interface=<interface>                    Route all traffic arriving on this interface to the specified zone
--change-interface=<interface>                 Associate an interface with a zone
--direct                                       Pass commands straight through to the iptables interface
--direct --get-all-chains                      Show the iptables chains that have been added
--direct --get-all-rules                       Show the iptables rules that have been added
--list-lockdown-whitelist-commands             List all commands in the lockdown whitelist
--add-lockdown-whitelist-command=<command>     Add a command to the lockdown whitelist
--remove-lockdown-whitelist-command=<command>  Remove a command from the lockdown whitelist
--list-lockdown-whitelist-users                List all users in the lockdown whitelist
--add-lockdown-whitelist-user=<user>           Add a user to the lockdown whitelist
--remove-lockdown-whitelist-user=<user>        Remove a user from the lockdown whitelist
--lockdown-on                                  Lock the firewall configuration; once locked, firewall-cmd can no longer change it
--lockdown-off                                 Lift the lockdown; firewall-cmd must be in the lockdown whitelist for this to work
--runtime-to-permanent                         Save the runtime configuration, overwriting the permanent configuration
--panic-on                                     Enable panic mode, dropping all incoming and outgoing packets
--panic-off                                    Disable panic mode
--complete-reload                              Completely reload the firewall service, including the netfilter kernel modules; active connections are terminated

Firewalld Zones

Firewalld has the concept of firewall "zones": access-control policies that correspond to different trust levels for different usage scenarios. By dividing the network into zones, you define which network services and kinds of traffic are allowed in each zone.

Firewalld provides several zone policy templates by default (see the table below; the configuration files live in /usr/lib/firewalld/zones/). public is the default zone; most services must be explicitly allowed before they can be reached.

Zone      Policy
public    Public areas. Other computers on the network are not trusted; only selected incoming connections are accepted
drop      Lowest trust level. All incoming connections are dropped without any reply; only outgoing connections are possible
block     Similar to drop, but instead of silently dropping, connections are rejected with an icmp-host-prohibited message
external  External networks, typically with NAT masquerading enabled. Other computers on the network are not trusted; only selected incoming connections are accepted
internal  Internal networks. Other computers on the network are trusted; only selected incoming connections are accepted
home      Home networks. Other computers on the network are trusted; only selected incoming connections are accepted
work      Work networks. Other computers on the network are trusted; only selected incoming connections are accepted
dmz       Computers in a demilitarized zone that are publicly accessible with limited access to the internal network. Only selected incoming connections are accepted
trusted   Highest trust level. All network connections are accepted; other computers on the network are trusted

To view a zone's configuration, including its description, interfaces, allowed ports and services (using the public zone as an example):

firewall-cmd --info-zone=public -v

To add a custom zone, follow these steps.

# Create the new zone
firewall-cmd --permanent --new-zone=ZoneName
# Add the allowed services (as needed)
firewall-cmd --permanent --zone=ZoneName --add-service=ssh
firewall-cmd --permanent --zone=ZoneName --add-service=dns
# Bind an interface (optional; if not set, the default interface is used)
firewall-cmd --zone=ZoneName --change-interface=eth1
# Restart the network and reload the firewall so the configuration takes effect
systemctl restart network
systemctl reload firewalld
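After a zone is set up, what matters is what it actually exposes. As an added example (not part of the original post), the following script parses the output of firewall-cmd --zone=public --list-all and reports any service or port that falls outside an approved baseline; the listing and the baseline are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `firewall-cmd --zone=public --list-all` output (not from a real host).
SAMPLE_LISTING='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh http telnet
  ports: 80/tcp 8080/tcp 111/tcp
  protocols:
  masquerade: no
  forward-ports:
  rich rules:'
# Approved baseline for the public zone (constructed for this example; adjust to your host).
BASELINE_SERVICES="dhcpv6-client ssh http"
BASELINE_PORTS="80/tcp"

# fw_field FIELD: read a zone listing on stdin and print the values of FIELD
# ("services", "ports", "interfaces", ...) separated by single spaces.
fw_field() {
    awk -v f="$1:" '$1 == f { for (i = 2; i <= NF; i++) printf "%s%s", (i > 2 ? " " : ""), $i }'
}

# fw_unexpected FIELD ALLOWED...: read a zone listing on stdin and print, one per line,
# every value of FIELD that is not in the ALLOWED baseline. Returns 1 if anything was found.
fw_unexpected() {
    field=$1; shift
    allowed=" $* "; found=0
    for v in $(fw_field "$field"); do
        case "$allowed" in
            *" $v "*) ;;
            *) echo "$v"; found=1 ;;
        esac
    done
    return $found
}

# fw_audit_zone ZONE: check a zone against the baseline. Set FW_LISTING to a saved listing
# (such as the sample above) to audit offline; otherwise firewall-cmd is queried.
# Returns 1 when the zone exposes anything outside the baseline.
fw_audit_zone() {
    listing=${FW_LISTING:-$(firewall-cmd --zone="$1" --list-all)}
    rc=0
    bad=$(printf '%s\n' "$listing" | fw_unexpected services $BASELINE_SERVICES) || rc=1
    [ -z "$bad" ] || printf '%s: unexpected services: %s\n' "$1" "$(printf '%s' "$bad" | tr '\n' ' ')"
    bad=$(printf '%s\n' "$listing" | fw_unexpected ports $BASELINE_PORTS) || rc=1
    [ -z "$bad" ] || printf '%s: unexpected ports: %s\n' "$1" "$(printf '%s' "$bad" | tr '\n' ' ')"
    return $rc
}
```

Run it against both the runtime listing and firewall-cmd --permanent --list-all, since the two can drift apart until the next reload.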

Setting Access Rules per Service

In Firewalld's default public zone policy, everything except a few critical services such as SSH is blocked by default (a "service" here refers broadly to a port/protocol or an application). To allow another service to communicate, you must add an exception manually.

For example, to enable or disable the HTTP service in the public zone:

firewall-cmd --permanent --zone=public --add-service=http
firewall-cmd --permanent --zone=public --remove-service=http

After running these, execute firewall-cmd --reload to make the configuration take effect.

To see the list of available service names, use firewall-cmd --get-services. To look at a service's description and the ports it uses, go to /usr/lib/firewalld/services and read the XML service definition files there.

To add a custom service, create a corresponding XML service file in /etc/firewalld/services. You can copy an existing service file and edit it; the fields to change are the service name, description, and the allowed ports/protocols.

cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/service-name.xml

The example below creates a custom service that uses TCP port 111 and UDP port 222.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>example-service</short>
  <description>This is just an example service. It uses TCP port 111 and UDP port 222.</description>
  <port protocol="tcp" port="111"/>
  <port protocol="udp" port="222"/>
</service>

Managing access by service is more convenient than setting specific ports for each service, and is the recommended approach: you do not need to remember the port/protocol parameters of each service, only its name.

Setting Access Rules per Port/Protocol

To allow or deny access to specific ports of a particular protocol individually:

firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --remove-port=80/tcp --permanent

To add or remove ports in bulk, use a hyphen to specify a port range.

firewall-cmd --zone=public --add-port=80-90/tcp --permanent
firewall-cmd --zone=public --remove-port=80-90/tcp --permanent

To set up port forwarding; this example forwards port 80 traffic to port 8080.

# Enable NAT (masquerading)
firewall-cmd --zone=public --add-masquerade
# Set up the port forward
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080

Temporarily Opening a Port/Service

For testing, you sometimes only need to open something for a limited time. For example, allow port 25 or the smtp service for 600 seconds.

firewall-cmd --add-port=25/tcp --timeout=600
firewall-cmd --add-service=smtp --timeout=600

Allowing/Denying Access from Specific IPs

A rich rule can block access from a specific IP, as shown below (the trailing reject can also be drop; the difference is that drop silently discards the traffic, while reject sends back a rejection message).

firewall-cmd --add-rich-rule 'rule family="ipv4" source address=1.1.1.1 reject'

Allow a specific IP.

firewall-cmd --add-rich-rule 'rule family="ipv4" source address=1.1.1.1 accept'

Conditions can be refined further, for example by specifying a port and protocol.

# Block 1.1.1.1 from reaching TCP port 22
firewall-cmd --add-rich-rule 'rule family="ipv4" source address=1.1.1.1 port port=22 protocol=tcp reject'
# Allow 1.1.1.1 to reach TCP port 22
firewall-cmd --add-rich-rule 'rule family="ipv4" source address=1.1.1.1 port port=22 protocol=tcp accept'

That concludes this introduction to Firewalld. For more on using Firewalld, refer to the Fedora documentation.
