Linux常用命令-firewall-cmd

发表于 2022-02-18 分类于 command

命令

firewall-cmd

描述

firewalld command line client
防火墙配置工具

用法

1	firewall-cmd [OPTIONS...]

选项

firewalld的两种配置说明
runtime configuration    运行配置,当前正在运行的配置
permanent configuration  永久配置,已保存的配置,配置命令后加--permanent选项

Common Options
  --permanent  其他有[P]标识的选项均支持添加该选项
  --zone=<zone>  其他有[Z]标识的选项均支持添加该选项
  --timeout=<timeval>  其他有[T]标识的选项均支持添加该选项

Status Options
  --state              查看firewalld运行状态
  --reload             加载永久配置为运行配置
  --complete-reload    完全重新加载配置,此选项会终止活动连接,仅用于解决firewall运行故障
  --runtime-to-permanent  保存运行配置为永久配置
  --check-config       检查永久配置文件

Log Denied Options
  --get-log-denied     显示日志记录选项
  --set-log-denied=<value>  设置日志记录选项,在REJECT之前记录日志,可选参数all,unicast,broadcast,multicast,off(默认),即默认禁用日志记录
                            设置为all参数后会自动添加一条记录日志的规则 -A INPUT -j LOG --log-prefix "FINAL_REJECT: "
Automatic Helpers Options
  --get-automatic-helpers  Print the automatic helpers value
  --set-automatic-helpers=<value>  Set automatic helpers value

Permanent Options
  --permanent          添加为永久配置,当配置规则添加该选项后则保存到永久配置而不影响运行配置,即reload之前不生效
                       其他有[P]标识的选项均支持添加该选项

Zone Options
  --get-default-zone   显示默认区域zone
  --set-default-zone=<zone>  设置默认区域zone,这将同时更改运行配置和永久配置
                             即修改系统配置文件firewalld.conf中的DefaultZone参数
  --get-active-zones   显示当前活动区域的接口信息
  --get-zones          显示区域列表,以空格为分隔符 [P]
  --get-services       显示服务列表 [P]
  --get-icmptypes      显示icmp类型 [P]
  --get-zone-of-interface=<interface>  显示指定接口所绑定的区域名称 [P]
  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>  显示指定源地址所绑定的区域名称 [P]
  --list-all-zones     显示所有区域信息 [P]
  --new-zone=<zone>    添加一个区域 [P only]
  --new-zone-from-file=<filename> [--name=<zone>]
                       添加一个区域,并从文件中读取区域名称列表,并指定一个区域名称 [P only]
  --delete-zone=<zone> 删除一个区域 [P only]
  --load-zone-defaults=<zone>  加载区域默认设置 [P only] [Z]
  --zone=<zone>        指定区域 [Z], 其他有[Z]标识的选项均支持添加该选项
  --get-target         显示区域目标 [P only] [Z]
  --set-target=<target>  设置区域目标,可选参数default, ACCEPT, DROP, REJECT [P only] [Z]
  --info-zone=<zone>   显示指定区域信息
  --path-zone=<zone>   显示区域配置文件路径 [P only]

设置区域目标中的参数default和REJECT类似,但是default有以下不同:
1.明确允许ICMP流量
2.根据出口区域的目标设置进行处理
  如果入口区域设置为非default参数,则分别以对应的ACCEPT, DROP, REJECT目标设置直接进行处理
  如果入口区域设置为default参数,则根据出口区域的目标设置进行处理
  如果入口区域和出口区域均设置为default参数,则执行REJECT
3.Zone drifting from source-based zone to interface-based zone (支持区域漂移)
  This only applies if AllowZoneDrifting is enabled.See firewalld.conf(5)
  后续firewalld将不再支持AllowZoneDrifting选项,所以第3条可以忽略

IPSet Options
  --get-ipset-types    显示支持的ipset类型
  --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
                       Add a new ipset [P only]
  --new-ipset-from-file=<filename> [--name=<ipset>]
                       Add a new ipset from file with optional name [P only]
  --delete-ipset=<ipset>
                       Delete an existing ipset [P only]
  --load-ipset-defaults=<ipset>
                       Load ipset default settings [P only]
  --info-ipset=<ipset> Print information about an ipset
  --path-ipset=<ipset> Print file path of an ipset [P only]
  --get-ipsets         Print predefined ipsets
  --ipset=<ipset> --set-description=<description>
                       Set new description to ipset [P only]
  --ipset=<ipset> --get-description
                       Print description for ipset [P only]
  --ipset=<ipset> --set-short=<description>
                       Set new short description to ipset [P only]
  --ipset=<ipset> --get-short
                       Print short description for ipset [P only]
  --ipset=<ipset> --add-entry=<entry>
                       Add a new entry to an ipset [P]
  --ipset=<ipset> --remove-entry=<entry>
                       Remove an entry from an ipset [P]
  --ipset=<ipset> --query-entry=<entry>
                       Return whether ipset has an entry [P]
  --ipset=<ipset> --get-entries
                       List entries of an ipset [P]
  --ipset=<ipset> --add-entries-from-file=<entry>
                       Add a new entries to an ipset [P]
  --ipset=<ipset> --remove-entries-from-file=<entry>
                       Remove entries from an ipset [P]

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
  --new-icmptype-from-file=<filename> [--name=<icmptype>]
                       Add a new icmptype from file with optional name [P only]
  --delete-icmptype=<icmptype>
                       Delete an existing icmptype [P only]
  --load-icmptype-defaults=<icmptype>
                       Load icmptype default settings [P only]
  --info-icmptype=<icmptype>
                       Print information about an icmptype
  --path-icmptype=<icmptype>
                       Print file path of an icmptype [P only]
  --icmptype=<icmptype> --set-description=<description>
                       Set new description to icmptype [P only]
  --icmptype=<icmptype> --get-description
                       Print description for icmptype [P only]
  --icmptype=<icmptype> --set-short=<description>
                       Set new short description to icmptype [P only]
  --icmptype=<icmptype> --get-short
                       Print short description for icmptype [P only]
  --icmptype=<icmptype> --add-destination=<ipv>
                       Enable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --remove-destination=<ipv>
                       Disable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --query-destination=<ipv>
                       Return whether destination ipv is enabled in icmptype [P only]
  --icmptype=<icmptype> --get-destinations
                       List destinations in icmptype [P only]

Service Options
  --new-service=<service>
                       Add a new service [P only]
  --new-service-from-file=<filename> [--name=<service>]
                       Add a new service from file with optional name [P only]
  --delete-service=<service>
                       Delete an existing service [P only]
  --load-service-defaults=<service>
                       Load icmptype default settings [P only]
  --info-service=<service>
                       Print information about a service
  --path-service=<service>
                       Print file path of a service [P only]
  --service=<service> --set-description=<description>
                       Set new description to service [P only]
  --service=<service> --get-description
                       Print description for service [P only]
  --service=<service> --set-short=<description>
                       Set new short description to service [P only]
  --service=<service> --get-short
                       Print short description for service [P only]
  --service=<service> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to service [P only]
  --service=<service> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from service [P only]
  --service=<service> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for service [P only]
  --service=<service> --get-ports
                       List ports of service [P only]
  --service=<service> --add-protocol=<protocol>
                       Add a new protocol to service [P only]
  --service=<service> --remove-protocol=<protocol>
                       Remove a protocol from service [P only]
  --service=<service> --query-protocol=<protocol>
                       Return whether the protocol has been added for service [P only]
  --service=<service> --get-protocols
                       List protocols of service [P only]
  --service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
                       Add a new source port to service [P only]
  --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove a source port from service [P only]
  --service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for service [P only]
  --service=<service> --get-source-ports
                       List source ports of service [P only]
  --service=<service> --add-module=<module>
                       Add a new module to service [P only]
  --service=<service> --remove-module=<module>
                       Remove a module from service [P only]
  --service=<service> --query-module=<module>
                       Return whether the module has been added for service [P only]
  --service=<service> --get-modules
                       List modules of service [P only]
  --service=<service> --set-destination=<ipv>:<address>[/<mask>]
                       Set destination for ipv to address in service [P only]
  --service=<service> --remove-destination=<ipv>
                       Disable destination for ipv i service [P only]
  --service=<service> --query-destination=<ipv>:<address>[/<mask>]
                       Return whether destination ipv is set for service [P only]
  --service=<service> --get-destinations
                       List destinations in service [P only]

Options to Adapt and Query Zones
  --list-all           显示指定区域的所有信息,如果没有指定区域则显示默认区域信息 [P] [Z]
  --timeout=<timeval>  指定超时时间,可用于临时允许,可选单位s,m,h. 其他有[T]标识的选项均支持添加该选项
  --set-description=<description>  Set new description to zone [P only] [Z]
  --get-description    Print description for zone [P only] [Z]
  --set-short=<description>  Set new short description to zone [P only] [Z]
  --get-short          Print short description for zone [P only] [Z]

  # zone的所有信息均可以通过如下命令格式进行操作
  显示  --list-xxx, --get-xxx
  添加  --add-xxx
  删除  --remove-xxx
  查询  --query-xxx

  # service相关命令
  --list-services  显示指定区域的服务信息 [P] [Z]
  --add-service=<service>  添加服务到指定区域 [P] [Z] [T]
  --remove-service=<service>  从区域中删除指定服务 [P] [Z]
  --query-service=<service>  查询区域中是否存在指定服务 [P] [Z]

  # port相关命令
  --list-ports         显示区域的端口信息 [P] [Z]
  --add-port=<portid>[-<portid>]/<protocol>  添加端口到指定区域 [P] [Z] [T]
  --remove-port=<portid>[-<portid>]/<protocol>  从区域中删除指定端口 [P] [Z]
  --query-port=<portid>[-<portid>]/<protocol>  查询区域中是否存在指定端口 [P] [Z]

  --list-protocols     显示区域的协议信息 [P] [Z]
  --add-protocol=<protocol>
                       Add the protocol for a zone [P] [Z] [T]
  --remove-protocol=<protocol>
                       Remove the protocol from a zone [P] [Z]
  --query-protocol=<protocol>
                       Return whether the protocol has been added for zone [P] [Z]

  --list-source-ports  显示区域的源端口信息 [P] [Z]
  --add-source-port=<portid>[-<portid>]/<protocol>
                       Add the source port for a zone [P] [Z] [T]
  --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove the source port from a zone [P] [Z]
  --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for zone [P] [Z]

  --list-icmp-blocks   显示区域的icmp类型块信息 [P] [Z]
  --add-icmp-block=<icmptype>
                       Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added for a zone [P] [Z]
  --add-icmp-block-inversion
                       Enable inversion of icmp blocks for a zone [P] [Z]
  --remove-icmp-block-inversion
                       Disable inversion of icmp blocks for a zone [P] [Z]
  --query-icmp-block-inversion
                       Return whether inversion of icmp blocks has been enabled for a zone [P] [Z]

  --list-forward-ports 显示区域的IPv4转发端口信息 [P] [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added for a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a zone [P] [Z]

  --list-rich-rules    显示区域的复杂规则rich-rules [P] [Z]
  --add-rich-rule=<rule>
                       Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=<rule>
                       Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=<rule>
                       Return whether a rich language rule 'rule' has been added for a zone [P] [Z]

  --list-interfaces    显示区域的接口信息 [P] [Z]
  --add-interface=<interface>
                       Bind the <interface> to a zone [P] [Z]
  --change-interface=<interface>
                       Change zone the <interface> is bound to [P] [Z]
  --query-interface=<interface>
                       Query whether <interface> is bound to a zone [P] [Z]
  --remove-interface=<interface>
                       Remove binding of <interface> from a zone [P] [Z]

  --list-sources       显示区域绑定的源地址信息 [P] [Z]
  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Bind the source to a zone [P] [Z]
  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Change zone the source is bound to [Z]
  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Query whether the source is bound to a zone [P] [Z]
  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Remove binding of the source from a zone [P] [Z]

Helper Options
  --new-helper=<helper> --module=<module> [--family=<family>]
                       Add a new helper [P only]
  --new-helper-from-file=<filename> [--name=<helper>]
                       Add a new helper from file with optional name [P only]
  --delete-helper=<helper>
                       Delete an existing helper [P only]
  --load-helper-defaults=<helper>
                       Load helper default settings [P only]
  --info-helper=<helper> Print information about an helper
  --path-helper=<helper> Print file path of an helper [P only]
  --get-helpers         Print predefined helpers
  --helper=<helper> --set-description=<description>
                       Set new description to helper [P only]
  --helper=<helper> --get-description
                       Print description for helper [P only]
  --helper=<helper> --set-short=<description>
                       Set new short description to helper [P only]
  --helper=<helper> --get-short
                       Print short description for helper [P only]
  --helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to helper [P only]
  --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from helper [P only]
  --helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for helper [P only]
  --helper=<helper> --get-ports
                       List ports of helper [P only]
  --helper=<helper> --set-module=<module>
                       Set module to helper [P only]
  --helper=<helper> --get-module
                       Get module from helper [P only]
  --helper=<helper> --set-family={ipv4|ipv6|}
                       Set family for helper [P only]
  --helper=<helper> --get-family
                       Get module from helper [P only]

Direct Options
  --direct             First option for all direct options
  --get-all-chains
                       Get all chains [P]
  --get-chains {ipv4|ipv6|eb} <table>
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb} <table> <chain>
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb} <table> <chain>
                       Return whether the chain has been added to the table [P]
  --get-all-rules
                       Get all rules [P]
  --get-rules {ipv4|ipv6|eb} <table> <chain>
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Return whether a rule with priority has been added to chain in table [P]
  --passthrough {ipv4|ipv6|eb} <arg>...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} <arg>...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} <arg>...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} <arg>...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} <arg>...
                       Return whether the tracked passthrough rule has been added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=<command>
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=<command>
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=<command>
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=<context>
                       Add the context context to the whitelist [P]
  --remove-lockdown-whitelist-context=<context>
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=<context>
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=<uid>
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=<uid>
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=<uid>
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=<user>
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=<user>
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=<user>
                       Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled

注意

firewalld的配置文件格式为xml,系统配置文件目录为/etc/firewalld/,同时也是用户自定义配置文件目录,会优先加载.
默认配置文件目录为/usr/lib/firewalld/,预定义的配置文件保存在此目录中,也可作为用户自定义配置的模板.
复制/usr/lib/firewalld/中的xml文件到/etc/firewalld/中,然后再进行编辑,reload后生效.
如果两个目录中存在同名配置文件,则以/etc/firewalld/目录中的文件为准.
CentOS系统中的网络接口默认属于public区域.
rich-rule规则用单引号,规则里的值用双引号

参考
https://firewalld.org
https://fedoraproject.org/wiki/Firewalld
https://fedoraproject.org/wiki/Features/FirewalldRichLanguage
https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls
https://www.cnblogs.com/wn1m/p/10920018.html

示例

$ firewall-cmd --version
FirewallD is not running
# offline的命令和常规命令的选项基本通用
$ firewall-offline-cmd --version
0.6.3
$ systemctl start firewalld
$ firewall-cmd --version
0.6.3

# firewalld和firewall-cmd均为python2脚本文件
$ ll /usr/bin/firewall-cmd
-rwxr-xr-x. 1 root root 116200 Apr 28  2021 /usr/bin/firewall-cmd
$ file /usr/bin/firewall-cmd
/usr/bin/firewall-cmd: Python script, ASCII text executable
$ ll /usr/sbin/firewalld
-rwxr-xr-x. 1 root root 7032 Apr 28  2021 /usr/sbin/firewalld
$ file /usr/sbin/firewalld
/usr/sbin/firewalld: Python script, ASCII text executable
$ head /usr/sbin/firewalld
#!/usr/bin/python2 -Es
# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.

# 需要修改默认配置文件,否则会有一条警告日志
$ sed -i 's/AllowZoneDrifting=.*/AllowZoneDrifting=no/' /etc/firewalld/firewalld.conf
# 启动firewalld
$ systemctl start firewalld
$ systemctl enable firewalld
# 查看firewalld运行状态
$ firewall-cmd --state
running
# 开启firewall日志记录,默认保存在messages日志中
$ firewall-cmd --set-log-denied=all
$ firewall-cmd --get-log-denied
all
# 显示默认区域zone,默认为public
$ firewall-cmd --get-default-zone
public
# 显示默认区域zone的详细信息
$ firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# 更改默认区域为work
$ firewall-cmd --set-default-zone=work
# 显示所有区域
$ firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# 显示所有服务
$ firewall-cmd --get-services
dhcp dhcpv6 dhcpv6-client dns docker-registry http https mysql zabbix-agent zabbix-server ...
# 显示所有icmp类型
$ firewall-cmd --get-icmptypes
address-unreachable echo-reply echo-request host-unknown host-unreachable ...
# 显示支持的ipset类型
$ firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
# 显示所有区域信息
$ firewall-cmd --list-all-zones
block
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
...
# 显示运行配置中的zone信息,未指定zone则显示为默认zone信息
$ firewall-cmd --list-all
$ firewall-cmd --list-services
dhcpv6-client ssh
# 加--permanent显示永久配置中的信息
$ firewall-cmd --list-all --permanent
$ firewall-cmd --list-services --permanent
dhcpv6-client ssh
$ firewall-cmd --get-short --permanent
Public
$ firewall-cmd --list-ports --permanent
$ firewall-cmd --list-interfaces --permanent
# 显示永久配置中默认区域的target
# target为default和REJECT类似,表示默认拒绝,具体参考上面 选项 中的说明
$ firewall-cmd --get-target --permanent
default
$ firewall-cmd --get-target --permanent --zone=work
default
$ firewall-cmd --get-target --permanent --zone=trusted
ACCEPT
# 显示指定zone信息
$ firewall-cmd --path-zone=public --permanent
/etc/firewalld/zones/public.xml
$ firewall-cmd --info-zone=public
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# 显示指定service信息
$ firewall-cmd --path-service=mysql --permanent
/usr/lib/firewalld/services/mysql.xml
$ firewall-cmd --info-service=mysql --permanent
mysql
  ports: 3306/tcp
  protocols:
  source-ports:
  modules:
  destination:
$ firewall-cmd --service=mysql --get-short --permanent
MySQL
$ firewall-cmd --service=mysql --get-description --permanent
MySQL Database Server
$ firewall-cmd --service=mysql --get-ports --permanent
3306/tcp
$ firewall-cmd --service=mysql --get-protocols --permanent

# 添加端口到运行配置,即时生效,reload后失效
$ firewall-cmd --add-port=80/tcp
success
$ firewall-cmd --list-all
$ firewall-cmd --list-all --permanent
# 添加端口到永久配置,reload后生效
$ firewall-cmd --add-port=80/tcp --permanent
success
$ firewall-cmd --list-all
$ firewall-cmd --reload
success

# 默认服务http的配置文件内容
$ cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
# 默认区域public的配置文件内容
$ cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

# 添加用户自定义服务nginx,通过配置文件方式
$ cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/nginx.xml
$ firewall-cmd --path-service=nginx --permanent
/etc/firewalld/services/nginx.xml
$ firewall-cmd --info-service=nginx --permanent
nginx
  ports: 8080/tcp
  protocols:
  source-ports:
  modules:
  destination:
$ firewall-cmd --info-service=http --permanent
http
  ports: 80/tcp
  protocols:
  source-ports:
  modules:
  destination:

# 添加用户自定义服务tomcat,通过命令方式
$ firewall-cmd --new-service=tomcat --permanent
success
# 默认配置文件为空,需要添加端口或协议等配置,也可以直接修改配置文件
$ firewall-cmd --info-service=tomcat --permanent
tomcat
  ports:
  protocols:
  source-ports:
  modules:
  destination:
$ firewall-cmd --service=tomcat --add-port=8080/tcp --permanent
success
$ firewall-cmd --service=tomcat --add-port=8081/tcp --permanent
success
$ firewall-cmd --service=tomcat --add-port=8006/tcp --permanent
success
$ firewall-cmd --info-service=tomcat --permanent
tomcat
  ports: 8080/tcp 8081/tcp 8006/tcp
  protocols:
  source-ports:
  modules:
  destination:

# 添加自定义服务到默认zone
$ firewall-cmd --add-service=nginx
success
$ firewall-cmd --add-service=tomcat
success
$ firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client nginx ssh tomcat

# 同名配置文件以/etc/firewalld/services/目录中的配置文件为准
$ cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/
$ sed -i 's/80/8080/' /etc/firewalld/services/http.xml
# 默认加载/usr/lib/firewalld/目录下的配置
$ firewall-cmd --path-service=http --permanent
/usr/lib/firewalld/services/http.xml
# 修改自定义配置文件后需要reload生效
$ firewall-cmd --reload
success
$ firewall-cmd --path-service=http --permanent
/etc/firewalld/services/http.xml
$ firewall-cmd --info-service=http --permanent
http
  ports: 8080/tcp
  protocols:
  source-ports:
  modules:
  destination:

# 临时开放80端口,指定1分钟后自动关闭
$ firewall-cmd --add-port=80/tcp --timeout=1m
# 通过查看配置可以看到添加的80端口到时间后自动删除
$ firewall-cmd --list-all


# zone,service,ipset,icmptype,部分命令格式通用,可以参考如下的zone配置命令
# 创建zone
$ firewall-cmd --permanent --new-zone=myzone
$ firewall-cmd --get-zones
$ firewall-cmd --permanent --zone=myzone --list-all
myzone
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
# 配置zone
$ firewall-cmd --permanent --zone=myzone --set-target=DROP
$ firewall-cmd --permanent --zone=myzone --set-description="myzone,default target is DROP"
$ firewall-cmd --permanent --path-zone=myzone
/etc/firewalld/zones/myzone.xml
$ firewall-cmd --permanent --info-zone=myzone
# 修改zone
$ firewall-cmd --permanent --zone=myzone --add-service=ssh --add-service=http --add-service=https
$ firewall-cmd --permanent --zone=myzone --add-port=8080/tcp --add-port=8081/tcp
$ firewall-cmd --permanent --zone=myzone --add-rich-rule='rule family="ipv4" source address="192.168.31.12" service name="ssh" reject'
$ firewall-cmd --reload
# 查看zone
$ firewall-cmd --permanent --info-zone=myzone
$ firewall-cmd --permanent --zone=myzone --list-all
myzone
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https ssh
  ports: 8080/tcp 8081/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
	rule family="ipv4" source address="192.168.31.12" service name="ssh" reject
# 删除zone
$ firewall-cmd --permanent --zone=myzone --remove-port=8081/tcp
$ firewall-cmd --permanent --delete-zone=myzone
$ firewall-cmd --permanent --info-zone=myzone
Error: INVALID_ZONE: myzone
$ firewall-cmd --reload


# 复杂规则-rich-rule,支持精细化定义匹配
# 允许指定IP的所有流量
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.12" accept' --permanent
# 拒绝指定网段的流量
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.0/24" reject'
# 允许指定IP访问指定端口
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.12" port protocol="tcp" port="22" accept"'
# 允许指定IP访问ssh服务,10m后自动关闭
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.12" service name="ssh" accept' --timeout=10m
# 限制连接数,限制ftp服务每分钟最多1个连接
$ firewall-cmd --add-rich-rule='rule service name="ftp" audit limit value="1/m" accept'
# 记录日志,指定ssh服务,日志前缀为"[SSH_LOGIN] ",日志级别为info,每分钟最多记录3条日志
$ firewall-cmd --add-rich-rule='rule service name="ssh" log prefix="[SSH_LOGIN] " level="notice" limit value="3/m" accept'
# 允许源地址为"192.168.0.0/24"访问tftp服务,每分钟记录1条日志
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="[TFTP_LOGIN] " level="info" limit value="1/m" accept'
# 转发源地址为"192.168.31.0/24"端口为80的流量到"192.168.31.11"的80端口
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.0/24" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.31.11"'
# masquerade伪装,将源地址为"192.168.31.0/24"的源IP地址映射为出口IP
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.0/24" masquerade'
# 拒绝指定IPv6地址访问radius服务
$ firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="[RADIUS_IPv6] " level="info" limit value="3/m" reject'
# 转发IPv6地址"1::6"的4011端口的tcp流量到"1::7"的4012端口
$ firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"'

# 查看rich-rule
$ firewall-cmd --list-all
# 删除指定规则
$ firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.31.12" accept'