1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398
| firewalld的两种配置说明 runtime configuration 运行配置,当前正在运行的配置 permanent configuration 永久配置,已保存的配置,配置命令后加--permanent选项
Common Options --permanent 其他有[P]标识的选项均支持添加该选项 --zone=<zone> 其他有[Z]标识的选项均支持添加该选项 --timeout=<timeval> 其他有[T]标识的选项均支持添加该选项
Status Options --state 查看firewalld运行状态 --reload 加载永久配置为运行配置 --complete-reload 完全重新加载配置,此选项会终止活动连接,仅用于解决firewall运行故障 --runtime-to-permanent 保存运行配置为永久配置 --check-config 检查永久配置文件
Log Denied Options --get-log-denied 显示日志记录选项 --set-log-denied=<value> 设置日志记录选项,在REJECT之前记录日志,可选参数all,unicast,broadcast,multicast,off(默认),即默认禁用日志记录 设置为all参数后会自动添加一条记录日志的规则 -A INPUT -j LOG --log-prefix "FINAL_REJECT: " Automatic Helpers Options --get-automatic-helpers Print the automatic helpers value --set-automatic-helpers=<value> Set automatic helpers value
Permanent Options --permanent 添加为永久配置,当配置规则添加该选项后则保存到永久配置而不影响运行配置,即reload之前不生效 其他有[P]标识的选项均支持添加该选项
Zone Options --get-default-zone 显示默认区域zone --set-default-zone=<zone> 设置默认区域zone,这将同时更改运行配置和永久配置 即修改系统配置文件firewalld.conf中的DefaultZone参数 --get-active-zones 显示当前活动区域的接口信息 --get-zones 显示区域列表,以空格为分隔符 [P] --get-services 显示服务列表 [P] --get-icmptypes 显示icmp类型 [P] --get-zone-of-interface=<interface> 显示指定接口所绑定的区域名称 [P] --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset> 显示指定源地址所绑定的区域名称 [P] --list-all-zones 显示所有区域信息 [P] --new-zone=<zone> 添加一个区域 [P only] --new-zone-from-file=<filename> [--name=<zone>] 添加一个区域,并从文件中读取区域名称列表,并指定一个区域名称 [P only] --delete-zone=<zone> 删除一个区域 [P only] --load-zone-defaults=<zone> 加载区域默认设置 [P only] [Z] --zone=<zone> 指定区域 [Z], 其他有[Z]标识的选项均支持添加该选项 --get-target 显示区域目标 [P only] [Z] --set-target=<target> 设置区域目标,可选参数default, ACCEPT, DROP, REJECT [P only] [Z] --info-zone=<zone> 显示指定区域信息 --path-zone=<zone> 显示区域配置文件路径 [P only]
设置区域目标中的参数default和REJECT类似,但是default有以下不同: 1.明确允许ICMP流量 2.根据出口区域的目标设置进行处理 如果入口区域设置为非default参数,则分别以对应的ACCEPT, DROP, REJECT目标设置直接进行处理 如果入口区域设置为default参数,则根据出口区域的目标设置进行处理 如果入口区域和出口区域均设置为default参数,则执行REJECT 3.Zone drifting from source-based zone to interface-based zone (支持区域漂移) This only applies if AllowZoneDrifting is enabled.See firewalld.conf(5) 后续firewalld将不再支持AllowZoneDrifting选项,所以第3条可以忽略
IPSet Options --get-ipset-types 显示支持的ipset类型 --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]].. Add a new ipset [P only] --new-ipset-from-file=<filename> [--name=<ipset>] Add a new ipset from file with optional name [P only] --delete-ipset=<ipset> Delete an existing ipset [P only] --load-ipset-defaults=<ipset> Load ipset default settings [P only] --info-ipset=<ipset> Print information about an ipset --path-ipset=<ipset> Print file path of an ipset [P only] --get-ipsets Print predefined ipsets --ipset=<ipset> --set-description=<description> Set new description to ipset [P only] --ipset=<ipset> --get-description Print description for ipset [P only] --ipset=<ipset> --set-short=<description> Set new short description to ipset [P only] --ipset=<ipset> --get-short Print short description for ipset [P only] --ipset=<ipset> --add-entry=<entry> Add a new entry to an ipset [P] --ipset=<ipset> --remove-entry=<entry> Remove an entry from an ipset [P] --ipset=<ipset> --query-entry=<entry> Return whether ipset has an entry [P] --ipset=<ipset> --get-entries List entries of an ipset [P] --ipset=<ipset> --add-entries-from-file=<entry> Add a new entries to an ipset [P] --ipset=<ipset> --remove-entries-from-file=<entry> Remove entries from an ipset [P]
IcmpType Options --new-icmptype=<icmptype> Add a new icmptype [P only] --new-icmptype-from-file=<filename> [--name=<icmptype>] Add a new icmptype from file with optional name [P only] --delete-icmptype=<icmptype> Delete an existing icmptype [P only] --load-icmptype-defaults=<icmptype> Load icmptype default settings [P only] --info-icmptype=<icmptype> Print information about an icmptype --path-icmptype=<icmptype> Print file path of an icmptype [P only] --icmptype=<icmptype> --set-description=<description> Set new description to icmptype [P only] --icmptype=<icmptype> --get-description Print description for icmptype [P only] --icmptype=<icmptype> --set-short=<description> Set new short description to icmptype [P only] --icmptype=<icmptype> --get-short Print short description for icmptype [P only] --icmptype=<icmptype> --add-destination=<ipv> Enable destination for ipv in icmptype [P only] --icmptype=<icmptype> --remove-destination=<ipv> Disable destination for ipv in icmptype [P only] --icmptype=<icmptype> --query-destination=<ipv> Return whether destination ipv is enabled in icmptype [P only] --icmptype=<icmptype> --get-destinations List destinations in icmptype [P only]
Service Options --new-service=<service> Add a new service [P only] --new-service-from-file=<filename> [--name=<service>] Add a new service from file with optional name [P only] --delete-service=<service> Delete an existing service [P only] --load-service-defaults=<service> Load icmptype default settings [P only] --info-service=<service> Print information about a service --path-service=<service> Print file path of a service [P only] --service=<service> --set-description=<description> Set new description to service [P only] --service=<service> --get-description Print description for service [P only] --service=<service> --set-short=<description> Set new short description to service [P only] --service=<service> --get-short Print short description for service [P only] --service=<service> --add-port=<portid>[-<portid>]/<protocol> Add a new port to service [P only] --service=<service> --remove-port=<portid>[-<portid>]/<protocol> Remove a port from service [P only] --service=<service> --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for service [P only] --service=<service> --get-ports List ports of service [P only] --service=<service> --add-protocol=<protocol> Add a new protocol to service [P only] --service=<service> --remove-protocol=<protocol> Remove a protocol from service [P only] --service=<service> --query-protocol=<protocol> Return whether the protocol has been added for service [P only] --service=<service> --get-protocols List protocols of service [P only] --service=<service> --add-source-port=<portid>[-<portid>]/<protocol> Add a new source port to service [P only] --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol> Remove a source port from service [P only] --service=<service> --query-source-port=<portid>[-<portid>]/<protocol> Return whether the source port has been added for service [P only] --service=<service> --get-source-ports List source ports of service [P only] --service=<service> --add-module=<module> Add a new module to service [P only] --service=<service> --remove-module=<module> Remove a module from service [P only] --service=<service> --query-module=<module> Return whether the module has been added for service [P only] --service=<service> --get-modules List modules of service [P only] --service=<service> --set-destination=<ipv>:<address>[/<mask>] Set destination for ipv to address in service [P only] --service=<service> --remove-destination=<ipv> Disable destination for ipv i service [P only] --service=<service> --query-destination=<ipv>:<address>[/<mask>] Return whether destination ipv is set for service [P only] --service=<service> --get-destinations List destinations in service [P only]
Options to Adapt and Query Zones --list-all 显示指定区域的所有信息,如果没有指定区域则显示默认区域信息 [P] [Z] --timeout=<timeval> 指定超时时间,可用于临时允许,可选单位s,m,h. 其他有[T]标识的选项均支持添加该选项 --set-description=<description> Set new description to zone [P only] [Z] --get-description Print description for zone [P only] [Z] --set-short=<description> Set new short description to zone [P only] [Z] --get-short Print short description for zone [P only] [Z]
# zone的所有信息均可以通过如下命令格式进行操作 显示 --list-xxx, --get-xxx 添加 --add-xxx 删除 --remove-xxx 查询 --query-xxx
# service相关命令 --list-services 显示指定区域的服务信息 [P] [Z] --add-service=<service> 添加服务到指定区域 [P] [Z] [T] --remove-service=<service> 从区域中删除指定服务 [P] [Z] --query-service=<service> 查询区域中是否存在指定服务 [P] [Z]
# port相关命令 --list-ports 显示区域的端口信息 [P] [Z] --add-port=<portid>[-<portid>]/<protocol> 添加端口到指定区域 [P] [Z] [T] --remove-port=<portid>[-<portid>]/<protocol> 从区域中删除指定端口 [P] [Z] --query-port=<portid>[-<portid>]/<protocol> 查询区域中是否存在指定端口 [P] [Z]
--list-protocols 显示区域的协议信息 [P] [Z] --add-protocol=<protocol> Add the protocol for a zone [P] [Z] [T] --remove-protocol=<protocol> Remove the protocol from a zone [P] [Z] --query-protocol=<protocol> Return whether the protocol has been added for zone [P] [Z]
--list-source-ports 显示区域的源端口信息 [P] [Z] --add-source-port=<portid>[-<portid>]/<protocol> Add the source port for a zone [P] [Z] [T] --remove-source-port=<portid>[-<portid>]/<protocol> Remove the source port from a zone [P] [Z] --query-source-port=<portid>[-<portid>]/<protocol> Return whether the source port has been added for zone [P] [Z]
--list-icmp-blocks 显示区域的icmp类型块信息 [P] [Z] --add-icmp-block=<icmptype> Add an ICMP block for a zone [P] [Z] [T] --remove-icmp-block=<icmptype> Remove the ICMP block from a zone [P] [Z] --query-icmp-block=<icmptype> Return whether an ICMP block has been added for a zone [P] [Z] --add-icmp-block-inversion Enable inversion of icmp blocks for a zone [P] [Z] --remove-icmp-block-inversion Disable inversion of icmp blocks for a zone [P] [Z] --query-icmp-block-inversion Return whether inversion of icmp blocks has been enabled for a zone [P] [Z]
--list-forward-ports 显示区域的IPv4转发端口信息 [P] [Z] --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Add the IPv4 forward port for a zone [P] [Z] [T] --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Remove the IPv4 forward port from a zone [P] [Z] --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Return whether the IPv4 forward port has been added for a zone [P] [Z] --add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T] --remove-masquerade Disable IPv4 masquerade for a zone [P] [Z] --query-masquerade Return whether IPv4 masquerading has been enabled for a zone [P] [Z]
--list-rich-rules 显示区域的复杂规则rich-rules [P] [Z] --add-rich-rule=<rule> Add rich language rule 'rule' for a zone [P] [Z] [T] --remove-rich-rule=<rule> Remove rich language rule 'rule' from a zone [P] [Z] --query-rich-rule=<rule> Return whether a rich language rule 'rule' has been added for a zone [P] [Z]
--list-interfaces 显示区域的接口信息 [P] [Z] --add-interface=<interface> Bind the <interface> to a zone [P] [Z] --change-interface=<interface> Change zone the <interface> is bound to [P] [Z] --query-interface=<interface> Query whether <interface> is bound to a zone [P] [Z] --remove-interface=<interface> Remove binding of <interface> from a zone [P] [Z]
--list-sources 显示区域绑定的源地址信息 [P] [Z] --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Bind the source to a zone [P] [Z] --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Change zone the source is bound to [Z] --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Query whether the source is bound to a zone [P] [Z] --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Remove binding of the source from a zone [P] [Z]
Helper Options --new-helper=<helper> --module=<module> [--family=<family>] Add a new helper [P only] --new-helper-from-file=<filename> [--name=<helper>] Add a new helper from file with optional name [P only] --delete-helper=<helper> Delete an existing helper [P only] --load-helper-defaults=<helper> Load helper default settings [P only] --info-helper=<helper> Print information about an helper --path-helper=<helper> Print file path of an helper [P only] --get-helpers Print predefined helpers --helper=<helper> --set-description=<description> Set new description to helper [P only] --helper=<helper> --get-description Print description for helper [P only] --helper=<helper> --set-short=<description> Set new short description to helper [P only] --helper=<helper> --get-short Print short description for helper [P only] --helper=<helper> --add-port=<portid>[-<portid>]/<protocol> Add a new port to helper [P only] --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol> Remove a port from helper [P only] --helper=<helper> --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for helper [P only] --helper=<helper> --get-ports List ports of helper [P only] --helper=<helper> --set-module=<module> Set module to helper [P only] --helper=<helper> --get-module Get module from helper [P only] --helper=<helper> --set-family={ipv4|ipv6|} Set family for helper [P only] --helper=<helper> --get-family Get module from helper [P only]
Direct Options --direct First option for all direct options --get-all-chains Get all chains [P] --get-chains {ipv4|ipv6|eb} <table> Get all chains added to the table [P] --add-chain {ipv4|ipv6|eb} <table> <chain> Add a new chain to the table [P] --remove-chain {ipv4|ipv6|eb} <table> <chain> Remove the chain from the table [P] --query-chain {ipv4|ipv6|eb} <table> <chain> Return whether the chain has been added to the table [P] --get-all-rules Get all rules [P] --get-rules {ipv4|ipv6|eb} <table> <chain> Get all rules added to chain in table [P] --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Add rule to chain in table [P] --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Remove rule with priority from chain in table [P] --remove-rules {ipv4|ipv6|eb} <table> <chain> Remove rules from chain in table [P] --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Return whether a rule with priority has been added to chain in table [P] --passthrough {ipv4|ipv6|eb} <arg>... Pass a command through (untracked by firewalld) --get-all-passthroughs Get all tracked passthrough rules [P] --get-passthroughs {ipv4|ipv6|eb} <arg>... Get tracked passthrough rules [P] --add-passthrough {ipv4|ipv6|eb} <arg>... Add a new tracked passthrough rule [P] --remove-passthrough {ipv4|ipv6|eb} <arg>... Remove a tracked passthrough rule [P] --query-passthrough {ipv4|ipv6|eb} <arg>... Return whether the tracked passthrough rule has been added [P]
Lockdown Options --lockdown-on Enable lockdown. --lockdown-off Disable lockdown. --query-lockdown Query whether lockdown is enabled
Lockdown Whitelist Options --list-lockdown-whitelist-commands List all command lines that are on the whitelist [P] --add-lockdown-whitelist-command=<command> Add the command to the whitelist [P] --remove-lockdown-whitelist-command=<command> Remove the command from the whitelist [P] --query-lockdown-whitelist-command=<command> Query whether the command is on the whitelist [P] --list-lockdown-whitelist-contexts List all contexts that are on the whitelist [P] --add-lockdown-whitelist-context=<context> Add the context context to the whitelist [P] --remove-lockdown-whitelist-context=<context> Remove the context from the whitelist [P] --query-lockdown-whitelist-context=<context> Query whether the context is on the whitelist [P] --list-lockdown-whitelist-uids List all user ids that are on the whitelist [P] --add-lockdown-whitelist-uid=<uid> Add the user id uid to the whitelist [P] --remove-lockdown-whitelist-uid=<uid> Remove the user id uid from the whitelist [P] --query-lockdown-whitelist-uid=<uid> Query whether the user id uid is on the whitelist [P] --list-lockdown-whitelist-users List all user names that are on the whitelist [P] --add-lockdown-whitelist-user=<user> Add the user name user to the whitelist [P] --remove-lockdown-whitelist-user=<user> Remove the user name user from the whitelist [P] --query-lockdown-whitelist-user=<user> Query whether the user name user is on the whitelist [P]
Panic Options --panic-on Enable panic mode --panic-off Disable panic mode --query-panic Query whether panic mode is enabled
|