Common Linux commands: firewall-cmd

Command

firewall-cmd

Description

firewalld command line client
Firewall configuration tool

Usage

firewall-cmd [OPTIONS...]

Options

firewalld has two kinds of configuration:
runtime configuration: the configuration currently in effect
permanent configuration: the saved configuration; append the --permanent option to a configuration command to change it
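The runtime/permanent split described above is where a host silently ends up in a state nobody intended: a port opened without --permanent vanishes on the next --reload, and a --permanent change is not enforced until one. The following added example (not from the original page) compares the two configurations from the text that `firewall-cmd --list-all` and `firewall-cmd --list-all --permanent` print; the sample outputs are constructed here in the format shown in the Examples section, and fw_field and fw_drift are names made up for this example.

```shell
#!/bin/sh
# Added example, not from the original page: detect drift between a zone's
# runtime and permanent configuration from the text that
# `firewall-cmd --list-all` and `firewall-cmd --list-all --permanent` print.
# Anything only in the runtime column disappears on --reload; anything only in
# the permanent column is not enforced until --reload.

# Constructed sample outputs (format copied from the page; on a real host
# redirect the two firewall-cmd calls above into files instead).
RUNTIME_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 80/tcp 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="192.168.31.12" service name="ssh" reject'
PERMANENT_SAMPLE='public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client https ssh
  ports: 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# fw_field FILE KEY: value of KEY with its tokens sorted (rich rules are joined
# with ';'); exit status 1 when the key is absent from the file.
fw_field() {
    awk -v key="$2" '
    function sortjoin(t, n, sep,    i, j, tmp, s) {   # POSIX awk has no asort()
        for (i = 2; i <= n; i++) {
            tmp = t[i]
            for (j = i - 1; j >= 1 && t[j] > tmp; j--) t[j + 1] = t[j]
            t[j + 1] = tmp
        }
        for (i = 1; i <= n; i++) s = s (i > 1 ? sep : "") t[i]
        return s
    }
    /^[ \t]*rule / {                       # continuation line under "rich rules:"
        if (inrules) { r = $0; sub(/^[ \t]+/, "", r); rules[++nr] = r }
        next
    }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        inrules = (line == "rich rules:")
        if (index(line, key ":") == 1) {
            found = 1
            val = substr(line, length(key) + 2); sub(/^ +/, "", val)
            n = split(val, tok, " ")
        }
    }
    END {
        if (!found) exit 1
        if (key == "rich rules") print sortjoin(rules, nr, ";")
        else print sortjoin(tok, n, " ")
    }' "$1"
}

# fw_drift RUNTIME_FILE PERMANENT_FILE: print "field|runtime|permanent" for each
# differing field; return 0 when both agree, 1 otherwise.
fw_drift() {
    _rc=0
    for _k in target icmp-block-inversion interfaces sources services ports \
              protocols masquerade forward-ports source-ports icmp-blocks 'rich rules'; do
        _r=$(fw_field "$1" "$_k") || _r='<missing>'
        _p=$(fw_field "$2" "$_k") || _p='<missing>'
        if [ "$_r" != "$_p" ]; then
            printf '%s|%s|%s\n' "$_k" "$_r" "$_p"
            _rc=1
        fi
    done
    return $_rc
}

# Demo on the constructed samples.
rt=$(mktemp) && pm=$(mktemp)
printf '%s\n' "$RUNTIME_SAMPLE" > "$rt"
printf '%s\n' "$PERMANENT_SAMPLE" > "$pm"
if fw_drift "$rt" "$pm"; then
    echo "runtime and permanent configuration agree"
else
    echo "drift found (field|runtime|permanent): runtime-only entries vanish on --reload, permanent-only ones are not active yet"
fi
rm -f "$rt" "$pm"
```

Run it once per zone (add --zone=<zone> to both firewall-cmd calls) before a --reload or a reboot, and again after --runtime-to-permanent to confirm the two sides now agree.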

Common Options
--permanent Any option marked [P] accepts this option
--zone=<zone> Any option marked [Z] accepts this option
--timeout=<timeval> Any option marked [T] accepts this option

Status Options
--state Show whether firewalld is running
--reload Reload the permanent configuration as the runtime configuration
--complete-reload Reload the configuration completely; this terminates active connections and is only meant for recovering from firewalld faults
--runtime-to-permanent Save the runtime configuration as the permanent configuration
--check-config Check the permanent configuration files

Log Denied Options
--get-log-denied Show the log-denied setting
--set-log-denied=<value> Set the log-denied setting: packets are logged before they are REJECTed. Values: all, unicast, broadcast, multicast, off (default), i.e. logging is disabled by default
Setting it to all automatically adds a logging rule: -A INPUT -j LOG --log-prefix "FINAL_REJECT: "

Automatic Helpers Options
--get-automatic-helpers Print the automatic helpers value
--set-automatic-helpers=<value> Set automatic helpers value

Permanent Options
--permanent Write to the permanent configuration. A rule added with this option is saved to the permanent configuration without touching the runtime configuration, so it does not take effect until a reload
Any option marked [P] accepts this option

Zone Options
--get-default-zone Show the default zone
--set-default-zone=<zone> Set the default zone; this changes both the runtime and the permanent configuration,
i.e. it changes the DefaultZone setting in the system configuration file firewalld.conf
--get-active-zones Show the active zones and the interfaces bound to them
--get-zones Show the list of zones, space-separated [P]
--get-services Show the list of services [P]
--get-icmptypes Show the ICMP types [P]
--get-zone-of-interface=<interface> Show the name of the zone the interface is bound to [P]
--get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Show the name of the zone the source is bound to [P]
--list-all-zones Show information about all zones [P]
--new-zone=<zone> Add a new zone [P only]
--new-zone-from-file=<filename> [--name=<zone>]
Add a new zone from a file, optionally giving it a name [P only]
--delete-zone=<zone> Delete a zone [P only]
--load-zone-defaults=<zone> Load the zone default settings [P only] [Z]
--zone=<zone> Select a zone [Z]; any option marked [Z] accepts this option
--get-target Show the zone target [P only] [Z]
--set-target=<target> Set the zone target: default, ACCEPT, DROP or REJECT [P only] [Z]
--info-zone=<zone> Show information about the zone
--path-zone=<zone> Show the path of the zone configuration file [P only]

The target default behaves like REJECT, but differs in the following ways:
1. ICMP traffic is explicitly allowed
2. Handling follows the target of the egress zone:
if the ingress zone target is not default, traffic is handled directly by that zone's ACCEPT, DROP or REJECT target
if the ingress zone target is default, traffic is handled according to the egress zone target
if both the ingress and egress zone targets are default, the traffic is REJECTed
3. Zone drifting from a source-based zone to an interface-based zone is supported
This only applies if AllowZoneDrifting is enabled. See firewalld.conf(5)
firewalld will drop the AllowZoneDrifting option in a future release, so point 3 can be ignored

IPSet Options
--get-ipset-types 显示支持的ipset类型
--new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
Add a new ipset [P only]
--new-ipset-from-file=<filename> [--name=<ipset>]
Add a new ipset from file with optional name [P only]
--delete-ipset=<ipset>
Delete an existing ipset [P only]
--load-ipset-defaults=<ipset>
Load ipset default settings [P only]
--info-ipset=<ipset> Print information about an ipset
--path-ipset=<ipset> Print file path of an ipset [P only]
--get-ipsets Print predefined ipsets
--ipset=<ipset> --set-description=<description>
Set new description to ipset [P only]
--ipset=<ipset> --get-description
Print description for ipset [P only]
--ipset=<ipset> --set-short=<description>
Set new short description to ipset [P only]
--ipset=<ipset> --get-short
Print short description for ipset [P only]
--ipset=<ipset> --add-entry=<entry>
Add a new entry to an ipset [P]
--ipset=<ipset> --remove-entry=<entry>
Remove an entry from an ipset [P]
--ipset=<ipset> --query-entry=<entry>
Return whether ipset has an entry [P]
--ipset=<ipset> --get-entries
List entries of an ipset [P]
--ipset=<ipset> --add-entries-from-file=<filename>
Add new entries to an ipset from a file [P]
--ipset=<ipset> --remove-entries-from-file=<filename>
Remove entries from an ipset using a file [P]

IcmpType Options
--new-icmptype=<icmptype>
Add a new icmptype [P only]
--new-icmptype-from-file=<filename> [--name=<icmptype>]
Add a new icmptype from file with optional name [P only]
--delete-icmptype=<icmptype>
Delete an existing icmptype [P only]
--load-icmptype-defaults=<icmptype>
Load icmptype default settings [P only]
--info-icmptype=<icmptype>
Print information about an icmptype
--path-icmptype=<icmptype>
Print file path of an icmptype [P only]
--icmptype=<icmptype> --set-description=<description>
Set new description to icmptype [P only]
--icmptype=<icmptype> --get-description
Print description for icmptype [P only]
--icmptype=<icmptype> --set-short=<description>
Set new short description to icmptype [P only]
--icmptype=<icmptype> --get-short
Print short description for icmptype [P only]
--icmptype=<icmptype> --add-destination=<ipv>
Enable destination for ipv in icmptype [P only]
--icmptype=<icmptype> --remove-destination=<ipv>
Disable destination for ipv in icmptype [P only]
--icmptype=<icmptype> --query-destination=<ipv>
Return whether destination ipv is enabled in icmptype [P only]
--icmptype=<icmptype> --get-destinations
List destinations in icmptype [P only]

Service Options
--new-service=<service>
Add a new service [P only]
--new-service-from-file=<filename> [--name=<service>]
Add a new service from file with optional name [P only]
--delete-service=<service>
Delete an existing service [P only]
--load-service-defaults=<service>
Load service default settings [P only]
--info-service=<service>
Print information about a service
--path-service=<service>
Print file path of a service [P only]
--service=<service> --set-description=<description>
Set new description to service [P only]
--service=<service> --get-description
Print description for service [P only]
--service=<service> --set-short=<description>
Set new short description to service [P only]
--service=<service> --get-short
Print short description for service [P only]
--service=<service> --add-port=<portid>[-<portid>]/<protocol>
Add a new port to service [P only]
--service=<service> --remove-port=<portid>[-<portid>]/<protocol>
Remove a port from service [P only]
--service=<service> --query-port=<portid>[-<portid>]/<protocol>
Return whether the port has been added for service [P only]
--service=<service> --get-ports
List ports of service [P only]
--service=<service> --add-protocol=<protocol>
Add a new protocol to service [P only]
--service=<service> --remove-protocol=<protocol>
Remove a protocol from service [P only]
--service=<service> --query-protocol=<protocol>
Return whether the protocol has been added for service [P only]
--service=<service> --get-protocols
List protocols of service [P only]
--service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
Add a new source port to service [P only]
--service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
Remove a source port from service [P only]
--service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
Return whether the source port has been added for service [P only]
--service=<service> --get-source-ports
List source ports of service [P only]
--service=<service> --add-module=<module>
Add a new module to service [P only]
--service=<service> --remove-module=<module>
Remove a module from service [P only]
--service=<service> --query-module=<module>
Return whether the module has been added for service [P only]
--service=<service> --get-modules
List modules of service [P only]
--service=<service> --set-destination=<ipv>:<address>[/<mask>]
Set destination for ipv to address in service [P only]
--service=<service> --remove-destination=<ipv>
Disable destination for ipv in service [P only]
--service=<service> --query-destination=<ipv>:<address>[/<mask>]
Return whether destination ipv is set for service [P only]
--service=<service> --get-destinations
List destinations in service [P only]

Options to Adapt and Query Zones
--list-all Show all information about the zone; without a zone, the default zone [P] [Z]
--timeout=<timeval> Set a timeout, useful for temporarily allowing something; units s, m, h. Any option marked [T] accepts this option
--set-description=<description> Set new description to zone [P only] [Z]
--get-description Print description for zone [P only] [Z]
--set-short=<description> Set new short description to zone [P only] [Z]
--get-short Print short description for zone [P only] [Z]

# Every part of a zone can be handled with commands of the following form
show --list-xxx, --get-xxx
add --add-xxx
remove --remove-xxx
query --query-xxx

# service commands
--list-services Show the services of the zone [P] [Z]
--add-service=<service> Add a service to the zone [P] [Z] [T]
--remove-service=<service> Remove a service from the zone [P] [Z]
--query-service=<service> Query whether the service has been added to the zone [P] [Z]

# port commands
--list-ports Show the ports of the zone [P] [Z]
--add-port=<portid>[-<portid>]/<protocol> Add a port to the zone [P] [Z] [T]
--remove-port=<portid>[-<portid>]/<protocol> Remove a port from the zone [P] [Z]
--query-port=<portid>[-<portid>]/<protocol> Query whether the port has been added to the zone [P] [Z]

--list-protocols Show the protocols of the zone [P] [Z]
--add-protocol=<protocol>
Add the protocol for a zone [P] [Z] [T]
--remove-protocol=<protocol>
Remove the protocol from a zone [P] [Z]
--query-protocol=<protocol>
Return whether the protocol has been added for zone [P] [Z]

--list-source-ports Show the source ports of the zone [P] [Z]
--add-source-port=<portid>[-<portid>]/<protocol>
Add the source port for a zone [P] [Z] [T]
--remove-source-port=<portid>[-<portid>]/<protocol>
Remove the source port from a zone [P] [Z]
--query-source-port=<portid>[-<portid>]/<protocol>
Return whether the source port has been added for zone [P] [Z]

--list-icmp-blocks Show the ICMP blocks of the zone [P] [Z]
--add-icmp-block=<icmptype>
Add an ICMP block for a zone [P] [Z] [T]
--remove-icmp-block=<icmptype>
Remove the ICMP block from a zone [P] [Z]
--query-icmp-block=<icmptype>
Return whether an ICMP block has been added for a zone [P] [Z]
--add-icmp-block-inversion
Enable inversion of icmp blocks for a zone [P] [Z]
--remove-icmp-block-inversion
Disable inversion of icmp blocks for a zone [P] [Z]
--query-icmp-block-inversion
Return whether inversion of icmp blocks has been enabled for a zone [P] [Z]

--list-forward-ports Show the IPv4 forward ports of the zone [P] [Z]
--add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Add the IPv4 forward port for a zone [P] [Z] [T]
--remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Remove the IPv4 forward port from a zone [P] [Z]
--query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
Return whether the IPv4 forward port has been added for a zone [P] [Z]
--add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T]
--remove-masquerade Disable IPv4 masquerade for a zone [P] [Z]
--query-masquerade Return whether IPv4 masquerading has been enabled for a zone [P] [Z]

--list-rich-rules Show the rich rules of the zone [P] [Z]
--add-rich-rule=<rule>
Add rich language rule 'rule' for a zone [P] [Z] [T]
--remove-rich-rule=<rule>
Remove rich language rule 'rule' from a zone [P] [Z]
--query-rich-rule=<rule>
Return whether a rich language rule 'rule' has been added for a zone [P] [Z]

--list-interfaces Show the interfaces bound to the zone [P] [Z]
--add-interface=<interface>
Bind the <interface> to a zone [P] [Z]
--change-interface=<interface>
Change zone the <interface> is bound to [P] [Z]
--query-interface=<interface>
Query whether <interface> is bound to a zone [P] [Z]
--remove-interface=<interface>
Remove binding of <interface> from a zone [P] [Z]

--list-sources Show the sources bound to the zone [P] [Z]
--add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
Bind the source to a zone [P] [Z]
--change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
Change zone the source is bound to [Z]
--query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
Query whether the source is bound to a zone [P] [Z]
--remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
Remove binding of the source from a zone [P] [Z]

Helper Options
--new-helper=<helper> --module=<module> [--family=<family>]
Add a new helper [P only]
--new-helper-from-file=<filename> [--name=<helper>]
Add a new helper from file with optional name [P only]
--delete-helper=<helper>
Delete an existing helper [P only]
--load-helper-defaults=<helper>
Load helper default settings [P only]
--info-helper=<helper> Print information about a helper
--path-helper=<helper> Print file path of a helper [P only]
--get-helpers Print predefined helpers
--helper=<helper> --set-description=<description>
Set new description to helper [P only]
--helper=<helper> --get-description
Print description for helper [P only]
--helper=<helper> --set-short=<description>
Set new short description to helper [P only]
--helper=<helper> --get-short
Print short description for helper [P only]
--helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
Add a new port to helper [P only]
--helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
Remove a port from helper [P only]
--helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
Return whether the port has been added for helper [P only]
--helper=<helper> --get-ports
List ports of helper [P only]
--helper=<helper> --set-module=<module>
Set module to helper [P only]
--helper=<helper> --get-module
Get module from helper [P only]
--helper=<helper> --set-family={ipv4|ipv6|}
Set family for helper [P only]
--helper=<helper> --get-family
Get family from helper [P only]

Direct Options
--direct First option for all direct options
--get-all-chains
Get all chains [P]
--get-chains {ipv4|ipv6|eb} <table>
Get all chains added to the table [P]
--add-chain {ipv4|ipv6|eb} <table> <chain>
Add a new chain to the table [P]
--remove-chain {ipv4|ipv6|eb} <table> <chain>
Remove the chain from the table [P]
--query-chain {ipv4|ipv6|eb} <table> <chain>
Return whether the chain has been added to the table [P]
--get-all-rules
Get all rules [P]
--get-rules {ipv4|ipv6|eb} <table> <chain>
Get all rules added to chain in table [P]
--add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
Add rule to chain in table [P]
--remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
Remove rule with priority from chain in table [P]
--remove-rules {ipv4|ipv6|eb} <table> <chain>
Remove rules from chain in table [P]
--query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
Return whether a rule with priority has been added to chain in table [P]
--passthrough {ipv4|ipv6|eb} <arg>...
Pass a command through (untracked by firewalld)
--get-all-passthroughs
Get all tracked passthrough rules [P]
--get-passthroughs {ipv4|ipv6|eb} <arg>...
Get tracked passthrough rules [P]
--add-passthrough {ipv4|ipv6|eb} <arg>...
Add a new tracked passthrough rule [P]
--remove-passthrough {ipv4|ipv6|eb} <arg>...
Remove a tracked passthrough rule [P]
--query-passthrough {ipv4|ipv6|eb} <arg>...
Return whether the tracked passthrough rule has been added [P]

Lockdown Options
--lockdown-on Enable lockdown.
--lockdown-off Disable lockdown.
--query-lockdown Query whether lockdown is enabled

Lockdown Whitelist Options
--list-lockdown-whitelist-commands
List all command lines that are on the whitelist [P]
--add-lockdown-whitelist-command=<command>
Add the command to the whitelist [P]
--remove-lockdown-whitelist-command=<command>
Remove the command from the whitelist [P]
--query-lockdown-whitelist-command=<command>
Query whether the command is on the whitelist [P]
--list-lockdown-whitelist-contexts
List all contexts that are on the whitelist [P]
--add-lockdown-whitelist-context=<context>
Add the context to the whitelist [P]
--remove-lockdown-whitelist-context=<context>
Remove the context from the whitelist [P]
--query-lockdown-whitelist-context=<context>
Query whether the context is on the whitelist [P]
--list-lockdown-whitelist-uids
List all user ids that are on the whitelist [P]
--add-lockdown-whitelist-uid=<uid>
Add the user id uid to the whitelist [P]
--remove-lockdown-whitelist-uid=<uid>
Remove the user id uid from the whitelist [P]
--query-lockdown-whitelist-uid=<uid>
Query whether the user id uid is on the whitelist [P]
--list-lockdown-whitelist-users
List all user names that are on the whitelist [P]
--add-lockdown-whitelist-user=<user>
Add the user name user to the whitelist [P]
--remove-lockdown-whitelist-user=<user>
Remove the user name user from the whitelist [P]
--query-lockdown-whitelist-user=<user>
Query whether the user name user is on the whitelist [P]

Panic Options
--panic-on Enable panic mode
--panic-off Disable panic mode
--query-panic Query whether panic mode is enabled

Notes

firewalld configuration files are XML. The system configuration directory is /etc/firewalld/, which is also where user-defined configuration goes; it is loaded with priority.
The default configuration directory is /usr/lib/firewalld/; the predefined configuration files live there and can also serve as templates for user-defined configuration.
Copy an XML file from /usr/lib/firewalld/ to /etc/firewalld/, edit it there, and reload for it to take effect.
If both directories contain a file of the same name, the one in /etc/firewalld/ wins.
On CentOS, network interfaces belong to the public zone by default.
Enclose a rich rule in single quotes and the values inside the rule in double quotes.
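The precedence rule above means a copied and edited file can change what a built-in name such as http actually opens. The following added example (not from the original page) walks /etc/firewalld, reports every definition that shadows a same-named built-in under /usr/lib/firewalld, and shows how their port elements differ; it builds a constructed tree from the http.xml and public.xml listings in the Examples section so it runs offline, and fw_ports, fw_shadowed and fw_make_demo are names made up here.

```shell
#!/bin/sh
# Added example, not from the original page: list user definitions under
# /etc/firewalld that shadow a same-named built-in under /usr/lib/firewalld,
# and show how their <port .../> elements differ. Directory arguments keep it
# testable on a constructed tree; on a real host pass the two real directories.

# fw_ports FILE: print "<port>/<protocol>" for every <port .../> element of a
# service or zone XML file, one per line, sorted, whatever the attribute order.
fw_ports() {
    grep -o '<port[^>]*/>' "$1" 2>/dev/null | while IFS= read -r _el; do
        _port=$(printf '%s' "$_el" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
        _proto=$(printf '%s' "$_el" | sed -n 's/.* protocol="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$_port" "$_proto"
    done | sort
}

# fw_shadowed ETC_DIR LIB_DIR: for each XML under ETC_DIR with a same-named file
# under LIB_DIR print "<kind>/<name> shadowed: ..." and, when the port sets
# differ, both sets. Returns 0 when nothing is shadowed, 1 otherwise.
fw_shadowed() {
    _rc=0
    for _kind in services zones ipsets icmptypes helpers; do
        for _f in "$1/$_kind"/*.xml; do
            [ -f "$_f" ] || continue              # the glob matched nothing
            _name=$(basename "$_f" .xml)
            _lib="$2/$_kind/$_name.xml"
            [ -f "$_lib" ] || continue            # user-only definition, not a shadow
            _rc=1
            printf '%s/%s shadowed: %s overrides %s\n' "$_kind" "$_name" "$_f" "$_lib"
            _pe=$(fw_ports "$_f")
            _pl=$(fw_ports "$_lib")
            if [ "$_pe" != "$_pl" ]; then
                printf '  ports in %s: %s\n' "$_f" "$(printf '%s' "$_pe" | tr '\n' ' ')"
                printf '  ports in %s: %s\n' "$_lib" "$(printf '%s' "$_pl" | tr '\n' ' ')"
            fi
        done
    done
    return $_rc
}

# fw_make_demo ROOT: constructed tree mirroring the page's http.xml and
# public.xml, with a user copy of http.xml edited to open 8080 instead of 80.
fw_make_demo() {
    mkdir -p "$1/usr/lib/firewalld/services" "$1/etc/firewalld/services" \
             "$1/usr/lib/firewalld/zones" "$1/etc/firewalld/zones"
    cat > "$1/usr/lib/firewalld/services/http.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WWW (HTTP)</short>
  <description>HTTP is the protocol used to serve Web pages.</description>
  <port protocol="tcp" port="80"/>
</service>
EOF
    # user copy that wins after --reload: the "http" service now means 8080/tcp
    sed 's/port="80"/port="8080"/' "$1/usr/lib/firewalld/services/http.xml" \
        > "$1/etc/firewalld/services/http.xml"
    # user-only service with no built-in counterpart: must not be reported
    sed 's/port="80"/port="8443"/' "$1/usr/lib/firewalld/services/http.xml" \
        > "$1/etc/firewalld/services/nginx.xml"
    cat > "$1/usr/lib/firewalld/zones/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
EOF
    # unmodified user copy of the zone: reported as shadowing, but no port diff
    cp "$1/usr/lib/firewalld/zones/public.xml" "$1/etc/firewalld/zones/public.xml"
}

# Demo on the constructed tree.
root=$(mktemp -d)
fw_make_demo "$root"
if fw_shadowed "$root/etc/firewalld" "$root/usr/lib/firewalld"; then
    echo "no built-in definition is shadowed"
fi
rm -rf "$root"
```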

References
https://firewalld.org
https://fedoraproject.org/wiki/Firewalld
https://fedoraproject.org/wiki/Features/FirewalldRichLanguage
https://access.redhat.com/documentation/zh-cn/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls
https://www.cnblogs.com/wn1m/p/10920018.html

Examples

$ firewall-cmd --version
FirewallD is not running
# The offline command takes mostly the same options as the regular one
$ firewall-offline-cmd --version
0.6.3
$ systemctl start firewalld
$ firewall-cmd --version
0.6.3

# firewalld and firewall-cmd are both Python 2 scripts
$ ll /usr/bin/firewall-cmd
-rwxr-xr-x. 1 root root 116200 Apr 28 2021 /usr/bin/firewall-cmd
$ file /usr/bin/firewall-cmd
/usr/bin/firewall-cmd: Python script, ASCII text executable
$ ll /usr/sbin/firewalld
-rwxr-xr-x. 1 root root 7032 Apr 28 2021 /usr/sbin/firewalld
$ file /usr/sbin/firewalld
/usr/sbin/firewalld: Python script, ASCII text executable
$ head /usr/sbin/firewalld
#!/usr/bin/python2 -Es
# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.

# Change the default configuration file, otherwise a warning is logged
$ sed -i 's/AllowZoneDrifting=.*/AllowZoneDrifting=no/' /etc/firewalld/firewalld.conf
# Start firewalld
$ systemctl start firewalld
$ systemctl enable firewalld
# Check whether firewalld is running
$ firewall-cmd --state
running
# Enable logging of denied packets; by default they land in the messages log
$ firewall-cmd --set-log-denied=all
$ firewall-cmd --get-log-denied
all
# Show the default zone, public by default
$ firewall-cmd --get-default-zone
public
# Show details of the default zone
$ firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Change the default zone to work
$ firewall-cmd --set-default-zone=work
# Show all zones
$ firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# Show all services
$ firewall-cmd --get-services
dhcp dhcpv6 dhcpv6-client dns docker-registry http https mysql zabbix-agent zabbix-server ...
# Show all ICMP types
$ firewall-cmd --get-icmptypes
address-unreachable echo-reply echo-request host-unknown host-unreachable ...
# Show the supported ipset types
$ firewall-cmd --get-ipset-types
hash:ip hash:ip,mark hash:ip,port hash:ip,port,ip hash:ip,port,net hash:mac hash:net hash:net,iface hash:net,net hash:net,port hash:net,port,net
# Show information about all zones
$ firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
...
# Show zone information from the runtime configuration; without a zone, the default zone is shown
$ firewall-cmd --list-all
$ firewall-cmd --list-services
dhcpv6-client ssh
# Add --permanent to show the permanent configuration instead
$ firewall-cmd --list-all --permanent
$ firewall-cmd --list-services --permanent
dhcpv6-client ssh
$ firewall-cmd --get-short --permanent
Public
$ firewall-cmd --list-ports --permanent
$ firewall-cmd --list-interfaces --permanent
# Show the target of the default zone in the permanent configuration
# The target default is similar to REJECT, i.e. deny by default; see the explanation under Options above
$ firewall-cmd --get-target --permanent
default
$ firewall-cmd --get-target --permanent --zone=work
default
$ firewall-cmd --get-target --permanent --zone=trusted
ACCEPT
# Show information about a given zone
$ firewall-cmd --path-zone=public --permanent
/etc/firewalld/zones/public.xml
$ firewall-cmd --info-zone=public
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Show information about a given service
$ firewall-cmd --path-service=mysql --permanent
/usr/lib/firewalld/services/mysql.xml
$ firewall-cmd --info-service=mysql --permanent
mysql
ports: 3306/tcp
protocols:
source-ports:
modules:
destination:
$ firewall-cmd --service=mysql --get-short --permanent
MySQL
$ firewall-cmd --service=mysql --get-description --permanent
MySQL Database Server
$ firewall-cmd --service=mysql --get-ports --permanent
3306/tcp
$ firewall-cmd --service=mysql --get-protocols --permanent

# Add a port to the runtime configuration: takes effect immediately, lost on reload
$ firewall-cmd --add-port=80/tcp
success
$ firewall-cmd --list-all
$ firewall-cmd --list-all --permanent
# Add a port to the permanent configuration: takes effect after reload
$ firewall-cmd --add-port=80/tcp --permanent
success
$ firewall-cmd --list-all
$ firewall-cmd --reload
success

# Contents of the configuration file of the built-in service http
$ cat /usr/lib/firewalld/services/http.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>WWW (HTTP)</short>
<description>HTTP is the protocol used to serve Web pages.</description>
<port protocol="tcp" port="80"/>
</service>
# Contents of the configuration file of the default zone public
$ cat /usr/lib/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
</zone>

# Add a user-defined service nginx via a configuration file
$ cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/nginx.xml
$ firewall-cmd --path-service=nginx --permanent
/etc/firewalld/services/nginx.xml
$ firewall-cmd --info-service=nginx --permanent
nginx
ports: 8080/tcp
protocols:
source-ports:
modules:
destination:
$ firewall-cmd --info-service=http --permanent
http
ports: 80/tcp
protocols:
source-ports:
modules:
destination:

# Add a user-defined service tomcat via commands
$ firewall-cmd --new-service=tomcat --permanent
success
# The new configuration file is empty: ports, protocols etc. must be added, or the file edited directly
$ firewall-cmd --info-service=tomcat --permanent
tomcat
ports:
protocols:
source-ports:
modules:
destination:
$ firewall-cmd --service=tomcat --add-port=8080/tcp --permanent
success
$ firewall-cmd --service=tomcat --add-port=8081/tcp --permanent
success
$ firewall-cmd --service=tomcat --add-port=8006/tcp --permanent
success
$ firewall-cmd --info-service=tomcat --permanent
tomcat
ports: 8080/tcp 8081/tcp 8006/tcp
protocols:
source-ports:
modules:
destination:

# Add the user-defined services to the default zone
$ firewall-cmd --add-service=nginx
success
$ firewall-cmd --add-service=tomcat
success
$ firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client nginx ssh tomcat

# With same-named files, the one in /etc/firewalld/services/ wins
$ cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/
$ sed -i 's/80/8080/' /etc/firewalld/services/http.xml
# The configuration under /usr/lib/firewalld/ is still loaded until a reload
$ firewall-cmd --path-service=http --permanent
/usr/lib/firewalld/services/http.xml
# After editing a user configuration file, reload for it to take effect
$ firewall-cmd --reload
success
$ firewall-cmd --path-service=http --permanent
/etc/firewalld/services/http.xml
$ firewall-cmd --info-service=http --permanent
http
ports: 8080/tcp
protocols:
source-ports:
modules:
destination:

# Open port 80 temporarily, closing automatically after 1 minute
$ firewall-cmd --add-port=80/tcp --timeout=1m
# Checking the configuration shows that the added port 80 is removed once the time is up
$ firewall-cmd --list-all


# zone, service, ipset and icmptype share most of the command format; the zone commands below serve as a reference
# Create a zone
$ firewall-cmd --permanent --new-zone=myzone
$ firewall-cmd --get-zones
$ firewall-cmd --permanent --zone=myzone --list-all
myzone
target: default
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Configure the zone
$ firewall-cmd --permanent --zone=myzone --set-target=DROP
$ firewall-cmd --permanent --zone=myzone --set-description="myzone,default target is DROP"
$ firewall-cmd --permanent --path-zone=myzone
/etc/firewalld/zones/myzone.xml
$ firewall-cmd --permanent --info-zone=myzone
# Modify the zone
$ firewall-cmd --permanent --zone=myzone --add-service=ssh --add-service=http --add-service=https
$ firewall-cmd --permanent --zone=myzone --add-port=8080/tcp --add-port=8081/tcp
$ firewall-cmd --permanent --zone=myzone --add-rich-rule='rule family="ipv4" source address="192.168.31.12" service name="ssh" reject'
$ firewall-cmd --reload
# Inspect the zone
$ firewall-cmd --permanent --info-zone=myzone
$ firewall-cmd --permanent --zone=myzone --list-all
myzone
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services: http https ssh
ports: 8080/tcp 8081/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.31.12" service name="ssh" reject
# Delete the zone
$ firewall-cmd --permanent --zone=myzone --remove-port=8081/tcp
$ firewall-cmd --permanent --delete-zone=myzone
$ firewall-cmd --permanent --info-zone=myzone
Error: INVALID_ZONE: myzone
$ firewall-cmd --reload


# Rich rules support fine-grained matching
# Allow all traffic from a given IP
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.12" accept' --permanent
# Reject traffic from a given subnet
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.0/24" reject'
# Allow a given IP to reach a given port
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.12" port protocol="tcp" port="22" accept'
# Allow a given IP to reach the ssh service, removed automatically after 10m
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.12" service name="ssh" accept' --timeout=10m
# Accept ftp and audit-log it, at most 1 audit record per minute
$ firewall-cmd --add-rich-rule='rule service name="ftp" audit limit value="1/m" accept'
# Log the ssh service with prefix "[SSH_LOGIN] " at level notice, at most 3 log entries per minute, then accept
$ firewall-cmd --add-rich-rule='rule service name="ssh" log prefix="[SSH_LOGIN] " level="notice" limit value="3/m" accept'
# Allow source "192.168.0.0/24" to reach the tftp service, logging 1 entry per minute
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="[TFTP_LOGIN] " level="info" limit value="1/m" accept'
# Forward tcp port 80 from source "192.168.31.0/24" to port 80 on "192.168.31.11"
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.0/24" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.31.11"'
# masquerade: map the source IP of "192.168.31.0/24" to the egress IP
$ firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.31.0/24" masquerade'
# Reject a given IPv6 address for the radius service, with logging
$ firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="[RADIUS_IPv6] " level="info" limit value="3/m" reject'
# Forward tcp port 4011 from IPv6 source "1:2:3:4:6::" to port 4012 on "1::2:3:4:7"
$ firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"'

# Show the rich rules
$ firewall-cmd --list-all
# Remove a given rule
$ firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.31.12" accept'