Linux command – firewall-cmd

Test environment: CentOS 8 x64 (virtual machine)

The firewall-cmd command can now be used to change the firewall settings. Reference article – https://blog.gtwang.org/linux/centos-7-firewalld-command-setup-tutorial/2/

Start the firewall.

[root@localhost ~]# systemctl enable firewalld
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
[root@localhost ~]# systemctl start firewalld

firewall-cmd uses service names to define which TCP ports the firewall opens; the advantage is that you do not have to remember port numbers (for example, http is port 80 and https is port 443). The following command lists the service names that are currently defined.

[root@localhost ~]# firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

To define a custom service name, add an XML definition file in the /etc/firewalld/services directory. For the file format, refer to the files in the /usr/lib/firewalld/services/ directory, e.g. http.xml (the definition of the http service).

[root@localhost ~]# cat /usr/lib/firewalld/services/http.xml 
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages. If you plan to make your Web server publicly available, enable this option. This option is not required for viewing pages locally or developing Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>

Check which service ports are currently open.

[root@localhost ~]# firewall-cmd --list-services
cockpit dhcpv6-client ssh

Settings are applied per zone, so first let's look at which zones are defined in the current environment.

[root@localhost ~]# firewall-cmd --get-active-zones
libvirt
  interfaces: virbr0
public
  interfaces: ens33

The default zone is public (interfaces: ens33).

[root@localhost ~]# firewall-cmd --get-default-zone
public

A port can be opened either temporarily (the setting is lost when the firewalld service restarts or the machine reboots) or permanently.

  • Temporary
    Add the http (port 80) service to the public zone.

    [root@localhost ~]# firewall-cmd --zone=public --add-service=http
    success
    

You can see that http is currently open only in the runtime (temporary) configuration.

    [root@localhost ~]# firewall-cmd --list-services
    cockpit dhcpv6-client http ssh
    [root@localhost ~]# firewall-cmd --zone=public --permanent --list-services
    cockpit dhcpv6-client ssh
    
  • Permanent
    Add the --permanent parameter to make the setting permanent.

    [root@localhost ~]# firewall-cmd --zone=public --permanent --add-service=http
    success
    [root@localhost ~]# firewall-cmd --zone=public --permanent --list-services
    cockpit dhcpv6-client http ssh
    

Closing a port likewise comes in a temporary form (lost when the firewalld service restarts or the machine reboots) and a permanent form.

  • Temporary
    Temporarily remove the http service.

    [root@localhost ~]# firewall-cmd --zone=public --remove-service=http
    success
    

You can observe that http is removed only from the runtime (temporary) configuration.

    [root@localhost ~]# firewall-cmd --list-services
    cockpit dhcpv6-client ssh
    [root@localhost ~]# firewall-cmd --zone=public --permanent --list-services
    cockpit dhcpv6-client http ssh
    
  • Permanent
    Add the --permanent parameter to make the setting permanent.

    [root@localhost ~]# firewall-cmd --zone=public --permanent --remove-service=http
    success
    

You can see that http is now definitely closed.

    [root@localhost ~]# firewall-cmd --zone=public --permanent --list-services
    cockpit dhcpv6-client ssh
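
The two things this page relies on, the service XML layout from /usr/lib/firewalld/services and the runtime-versus-permanent split shown by the paired --list-services calls above, as an added Python example (not code from the original post or from the firewalld project): it parses a service file, builds a validated custom one for /etc/firewalld/services, and reports the drift between the runtime and permanent service lists. The sample XML and the service name myapp are constructed; firewall-cmd --reload is the real firewalld command that applies permanent changes to the runtime.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the same layout as the http.xml shown above.
SAMPLE_HTTP_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
"""

def parse_service_xml(text):
    """Return {'short': ..., 'ports': [(protocol, port), ...]} from a service file."""
    root = ET.fromstring(text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    ports = [(p.get("protocol"), p.get("port")) for p in root.findall("port")]
    return {"short": root.findtext("short", default=""), "ports": ports}

def build_service_xml(short, description, ports):
    """Build a custom service file for /etc/firewalld/services/<name>.xml.
    Only tcp/udp and ports (or ranges 'a-b') within 1-65535 are accepted, so a
    typo cannot silently define a service that opens the wrong port."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for proto, port in ports:
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}")
        lo, _, hi = str(port).partition("-")
        for n in (lo, hi or lo):
            if not n.isdigit() or not 1 <= int(n) <= 65535:
                raise ValueError(f"invalid port {port!r}")
        ET.SubElement(root, "port", protocol=proto, port=str(port))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode") + "\n"

def service_drift(runtime_output, permanent_output):
    """Compare the outputs of `firewall-cmd --list-services` (runtime) and
    `firewall-cmd --permanent --list-services`. Returns (runtime_only,
    permanent_only): runtime-only services vanish on the next reload or reboot;
    permanent-only services are not enforced until `firewall-cmd --reload`."""
    runtime, permanent = set(runtime_output.split()), set(permanent_output.split())
    return sorted(runtime - permanent), sorted(permanent - runtime)

if __name__ == "__main__":
    print(parse_service_xml(SAMPLE_HTTP_XML))
    print(build_service_xml("myapp", "Constructed example service", [("tcp", "8443")]))
    print(service_drift("cockpit dhcpv6-client http ssh", "cockpit dhcpv6-client ssh"))
```

Run the drift check against the two list outputs from the temporary steps above to confirm that the runtime-only http entry is exactly what disappears after a reload.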
    