firewall-cmd

发布时间 2023-03-22 21:14:13作者: wefjack

firewall-cmd

options

参数 参数说明
--state 显示防火墙的状态
--list-all 查看防火墙规则(只显示默认区域,即/etc/firewalld/zones/public.xml中的防火墙策略)
--list-all-zones 查看所有的防火墙策略(即显示/etc/firewalld/zones/下的所有策略),默认有block、dmz、drop、external、home、internal、libvirt (active)、public (active)、trusted、work区域。
--reload 重新加载配置文件
--zone=………… 针对某一区域调整policy
--add-port=……/--remove-port=…… 添加/删除端口
--add-rich-rule=…………/--remove-rich-rule=…… 添加/删除富规则;与--permanent一起使用时,添加或者修改完规则后必须重新加载才能生效:firewall-cmd --reload

example

firewall-cmd --state

[root@rhel ~]# firewall-cmd --state 
running		//说明防火墙正在运行

firewall-cmd --list-all

[root@rhel ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

firewall-cmd --list-all-zones

默认有

  1. block
  2. dmz
  3. drop
  4. external
  5. home
  6. internal
  7. libvirt (active)
  8. public (active)
  9. trusted
  10. work
[root@rhel ~]# firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

dmz
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

drop
  target: DROP
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

external
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh
  ports: 
  protocols: 
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

home
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

internal
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

libvirt (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: virbr0
  sources: 
  services: dhcp dhcpv6 dns ssh tftp
  ports: 
  protocols: icmp ipv6-icmp
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule priority="32767" reject

public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

work
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	

[root@rhel ~]#

firewall-cmd --reload

[root@rhel ~]# firewall-cmd --reload 
success

firewall-cmd --zone=trusted --add-port=8088/tcp

firewall-cmd --list-all --zone=trusted 查看某一区域的策略

[root@rhel ~]# firewall-cmd --zone=trusted --add-port=8088/tcp
success
[root@rhel ~]# firewall-cmd --list-all --zone=trusted  
trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 8088/tcp		//添加成功 tcp 8088端口的策略(未加--permanent,仅为运行时配置,reload后会丢失;且trusted区域target为ACCEPT,本已放行全部流量)
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="8080-8090" accept'

[root@rhel ~]# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="8080-8090" accept'
success


[root@rhel ~]# firewall-cmd --reload 		//--permanent规则一定要重新reload一下,不然策略不会生效。
success
[root@rhel ~]# firewall-cmd --list-all --zone=public 
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens160
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="192.168.1.0/24" port port="8080-8090" protocol="tcp" accept

drop禁止特定ip连接ssh/22服务

1.drop禁止特定ip连接ssh/22服务
firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='x.x.x.x/24' service name='ssh' drop"

firewall-cmd --reload ##重新加载防火墙配置,不然firewall-cmd --list-all-zones不会显示刚加上的规则

reject禁止特定ip连接ssh/22服务

2.reject禁止特定ip连接ssh/22服务
firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='x.x.x.x/24' service name='ssh' reject"
firewall-cmd --permanent --zone=public --add-rich-rule="rule family='ipv4' source address='x.x.x.x/24' port port='22' protocol='tcp' reject"

firewall-cmd --reload

防火墙内的策略动作有DROP和REJECT两种,区别如下:

1、DROP动作只是简单的直接丢弃数据,并不反馈任何回应。需要Client等待超时,Client容易发现自己被防火墙所阻挡。
2、REJECT动作则会更为礼貌地返回一个拒绝(终止)数据包(TCP RST或ICMP port-unreachable),明确地拒绝对方的连接动作。连接马上断开,Client会立即得知连接被拒绝。REJECT在IPTABLES里面有一些返回参数,参数如下:ICMP port-unreachable、ICMP echo-reply 或是 tcp-reset(这个封包会要求对方关闭连接),进行完此处理动作后,将不再比对其它规则,直接中断过滤程序。
 
    至于使用DROP还是REJECT更合适一直未有定论,因为的确二者都有适用的场合。REJECT是一种更符合规范的处理方式,并且在可控的网络环境中,更易于诊断和调试网络/防火墙所产生的问题;而DROP则提供了更高的防火墙安全性和稍许的效率提高,但是由于DROP不很规范(不很符合TCP连接规范)的处理方式,可能会对你的网络造成一些不可预期或难以诊断的问题。因为DROP虽然单方面地中断了连接,但是并不返回任何拒绝信息,因此连接客户端将被动地等到tcp session超时才能判断连接是否成功,这样在企业内部网络中会有一些问题,例如某些客户端程序或应用需要IDENT协议支持(TCP Port 113, RFC 1413),如果防火墙未经通知地应用了DROP规则的话,所有的同类连接都会失败,并且由于超时时间,将导致难以判断是由于防火墙引起的问题还是网络设备/线路故障。
 
    一点个人经验,在部署防火墙时,如果是面向企业内部(或部分可信任网络),那么最好使用更绅士的REJECT方法,对于需要经常变更或调试规则的网络也是如此;而对于面向危险的Internet/Extranet的防火墙,则有必要使用更为粗暴但是安全的DROP方法,可以在一定程度上延缓攻击者的进度(并增加难度,至少,DROP可以使他们进行TCP-Connect方式端口扫描的时间更长)。

https://www.cnblogs.com/faithH/p/11811286.html