-
Linux防火墙和firewall-cmd命令应用
记录:341
场景:在CentOS 7.9操作系统上,操作防火墙firewalld,主要是查看、开启、关闭以及禁用等。firewall-cmd命令查看防火墙和修改防火墙相关配置。
版本:
操作系统:CentOS 7.9
1.使用systemctl命令操作防火服务
(1)查看防火墙状态
查看状态:systemctl status firewalld
解析:查看防火墙状态,如果是Active: active (running),则已经开启防火墙。如果是Active: inactive (dead),则已关闭防火墙。
(2)开启防火墙
开启防火墙:systemctl start firewalld
解析:开启防火墙。
(3)关闭防火墙
关闭防火墙:systemctl stop firewalld
解析:关闭防火墙。
(4)重启防火墙
重启防火墙:systemctl restart firewalld
解析:重启防火墙。
(5)设置开机启用防火墙
开机启用防火墙:systemctl enable firewalld
解析:开机启用防火墙。
(6)设置开机禁用防火墙
设置开机禁用防火墙:systemctl disable firewalld
解析:设置开机禁用防火墙,主机启动时,就会关闭防火墙。
2.firewall-cmd命令应用
(1)查看防火墙已放行的端口号列表
命令:firewall-cmd --zone=public --list-ports
解析:查看防火墙已放行的端口号列表。
(2)查看指定端口防火墙放行状态
命令:firewall-cmd --permanent --query-port="18080"/tcp
解析:查看端口防火墙已放行。
(3)把端口18080添加到防火墙开放端口列表
添加端口:firewall-cmd --zone=public --add-port="18080"/tcp --permanent
解析:把18080端口持久化配置到开放端口列表中;--permanent,使用永久设置选项。
(4)重新加载防火墙
命令:firewall-cmd --reload
解析:加载防火墙,使最新配置生效。
(5)查看防火墙状态
命令:firewall-cmd --state
解析:查看防火墙状态。
(6)查看防火墙版本
命令:firewall-cmd --version
解析:查看防火墙版本。
(7)查看防火墙zone
命令:firewall-cmd --get-default-zone
解析:打印连接和接口的默认zone,本例打印:public,那么在给--zone添加参数时,可以是:--zone=public。
3.firewall-cmd命令帮助手册
命令:firewall-cmd --help
解析:查看firewall-cmd支持全部命令和选项,在实际工作中,查看这个手册应该是必备之选。
- Usage: firewall-cmd [OPTIONS...]
- General Options
- -h, --help Prints a short help text and exists
- -V, --version Print the version string of firewalld
- -q, --quiet Do not print status messages
- Status Options
- --state Return and print firewalld state
- --reload Reload firewall and keep state information
- --complete-reload Reload firewall and lose state information
- --runtime-to-permanent
- Create permanent from runtime configuration
- --check-config Check permanent configuration for errors
- Log Denied Options
- --get-log-denied Print the log denied value
- --set-log-denied=
- Set log denied value
- Automatic Helpers Options
- --get-automatic-helpers
- Print the automatic helpers value
- --set-automatic-helpers=
- Set automatic helpers value
- Permanent Options
- --permanent Set an option permanently
- Usable for options marked with [P]
- Zone Options
- --get-default-zone Print default zone for connections and interfaces
- --set-default-zone=
- Set default zone
- --get-active-zones Print currently active zones
- --get-zones Print predefined zones [P]
- --get-services Print predefined services [P]
- --get-icmptypes Print predefined icmptypes [P]
- --get-zone-of-interface=
- Print name of the zone the interface is bound to [P]
- --get-zone-of-source=<source>[/
]| |ipset: - Print name of the zone the source is bound to [P]
- --list-all-zones List everything added for or enabled in all zones [P]
- --new-zone=
Add a new zone [P only] - --new-zone-from-file=
[--name= ] - Add a new zone from file with optional name [P only]
- --delete-zone=
Delete an existing zone [P only] - --load-zone-defaults=
- Load zone default settings [P only] [Z]
- --zone=
Use this zone to set or query options, else default zone - Usable for options marked with [Z]
- --get-target Get the zone target [P only] [Z]
- --set-target=
- Set the zone target [P only] [Z]
- --info-zone=
Print information about a zone - --path-zone=
Print file path of a zone [P only] - IPSet Options
- --get-ipset-types Print the supported ipset types
- --new-ipset=
--type= type> [--option= [= ]].. - Add a new ipset [P only]
- --new-ipset-from-file=
[--name= ] - Add a new ipset from file with optional name [P only]
- --delete-ipset=
- Delete an existing ipset [P only]
- --load-ipset-defaults=
- Load ipset default settings [P only]
- --info-ipset=
Print information about an ipset - --path-ipset=
Print file path of an ipset [P only] - --get-ipsets Print predefined ipsets
- --ipset=
--set-description= - Set new description to ipset [P only]
- --ipset=
--get-description - Print description for ipset [P only]
- --ipset=
--set-short= - Set new short description to ipset [P only]
- --ipset=
--get-short - Print short description for ipset [P only]
- --ipset=
--add-entry= - Add a new entry to an ipset [P]
- --ipset=
--remove-entry= - Remove an entry from an ipset [P]
- --ipset=
--query-entry= - Return whether ipset has an entry [P]
- --ipset=
--get-entries - List entries of an ipset [P]
- --ipset=
--add-entries-from-file= - Add a new entries to an ipset [P]
- --ipset=
--remove-entries-from-file= - Remove entries from an ipset [P]
- IcmpType Options
- --new-icmptype=
- Add a new icmptype [P only]
- --new-icmptype-from-file=
[--name= ] - Add a new icmptype from file with optional name [P only]
- --delete-icmptype=
- Delete an existing icmptype [P only]
- --load-icmptype-defaults=
- Load icmptype default settings [P only]
- --info-icmptype=
- Print information about an icmptype
- --path-icmptype=
- Print file path of an icmptype [P only]
- --icmptype=
--set-description= - Set new description to icmptype [P only]
- --icmptype=
--get-description - Print description for icmptype [P only]
- --icmptype=
--set-short= - Set new short description to icmptype [P only]
- --icmptype=
--get-short - Print short description for icmptype [P only]
- --icmptype=
--add-destination= - Enable destination for ipv in icmptype [P only]
- --icmptype=
--remove-destination= - Disable destination for ipv in icmptype [P only]
- --icmptype=
--query-destination= - Return whether destination ipv is enabled in icmptype [P only]
- --icmptype=
--get-destinations - List destinations in icmptype [P only]
- Service Options
- --new-service=
- Add a new service [P only]
- --new-service-from-file=
[--name= ] - Add a new service from file with optional name [P only]
- --delete-service=
- Delete an existing service [P only]
- --load-service-defaults=
- Load icmptype default settings [P only]
- --info-service=
- Print information about a service
- --path-service=
- Print file path of a service [P only]
- --service=
--set-description= - Set new description to service [P only]
- --service=
--get-description - Print description for service [P only]
- --service=
--set-short= - Set new short description to service [P only]
- --service=
--get-short - Print short description for service [P only]
- --service=
--add-port= [- ]/ - Add a new port to service [P only]
- --service=
--remove-port= [- ]/ - Remove a port from service [P only]
- --service=
--query-port= [- ]/ - Return whether the port has been added for service [P only]
- --service=
--get-ports - List ports of service [P only]
- --service=
--add-protocol= - Add a new protocol to service [P only]
- --service=
--remove-protocol= - Remove a protocol from service [P only]
- --service=
--query-protocol= - Return whether the protocol has been added for service [P only]
- --service=
--get-protocols - List protocols of service [P only]
- --service=
--add-source-port= [- ]/ - Add a new source port to service [P only]
- --service=
--remove-source-port= [- ]/ - Remove a source port from service [P only]
- --service=
--query-source-port= [- ]/ - Return whether the source port has been added for service [P only]
- --service=
--get-source-ports - List source ports of service [P only]
- --service=
--add-module= - Add a new module to service [P only]
- --service=
--remove-module= - Remove a module from service [P only]
- --service=
--query-module= - Return whether the module has been added for service [P only]
- --service=
--get-modules - List modules of service [P only]
- --service=
--set-destination= :[/ ] - Set destination for ipv to address in service [P only]
- --service=
--remove-destination= - Disable destination for ipv i service [P only]
- --service=
--query-destination= :[/ ] - Return whether destination ipv is set for service [P only]
- --service=
--get-destinations - List destinations in service [P only]
- Options to Adapt and Query Zones
- --list-all List everything added for or enabled in a zone [P] [Z]
- --list-services List services added for a zone [P] [Z]
- --timeout=
Enable an option for timeval time, where timeval is - a number followed by one of letters 's' or 'm' or 'h'
- Usable for options marked with [T]
- --set-description=
- Set new description to zone [P only] [Z]
- --get-description Print description for zone [P only] [Z]
- --set-short=
- Set new short description to zone [P only] [Z]
- --get-short Print short description for zone [P only] [Z]
- --add-service=
- Add a service for a zone [P] [Z] [T]
- --remove-service=
- Remove a service from a zone [P] [Z]
- --query-service=
- Return whether service has been added for a zone [P] [Z]
- --list-ports List ports added for a zone [P] [Z]
- --add-port=
[- ]/ - Add the port for a zone [P] [Z] [T]
- --remove-port=
[- ]/ - Remove the port from a zone [P] [Z]
- --query-port=
[- ]/ - Return whether the port has been added for zone [P] [Z]
- --list-protocols List protocols added for a zone [P] [Z]
- --add-protocol=
- Add the protocol for a zone [P] [Z] [T]
- --remove-protocol=
- Remove the protocol from a zone [P] [Z]
- --query-protocol=
- Return whether the protocol has been added for zone [P] [Z]
- --list-source-ports List source ports added for a zone [P] [Z]
- --add-source-port=
[- ]/ - Add the source port for a zone [P] [Z] [T]
- --remove-source-port=
[- ]/ - Remove the source port from a zone [P] [Z]
- --query-source-port=
[- ]/ - Return whether the source port has been added for zone [P] [Z]
- --list-icmp-blocks List Internet ICMP type blocks added for a zone [P] [Z]
- --add-icmp-block=
- Add an ICMP block for a zone [P] [Z] [T]
- --remove-icmp-block=
- Remove the ICMP block from a zone [P] [Z]
- --query-icmp-block=
- Return whether an ICMP block has been added for a zone
- [P] [Z]
- --add-icmp-block-inversion
- Enable inversion of icmp blocks for a zone [P] [Z]
- --remove-icmp-block-inversion
- Disable inversion of icmp blocks for a zone [P] [Z]
- --query-icmp-block-inversion
- Return whether inversion of icmp blocks has been enabled
- for a zone [P] [Z]
- --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
- --add-forward-port=port=
[- ]:proto= [:toport= [- ]][:toaddr=[/ ]] - Add the IPv4 forward port for a zone [P] [Z] [T]
- --remove-forward-port=port=
[- ]:proto= [:toport= [- ]][:toaddr=[/ ]] - Remove the IPv4 forward port from a zone [P] [Z]
- --query-forward-port=port=
[- ]:proto= [:toport= [- ]][:toaddr=[/ ]] - Return whether the IPv4 forward port has been added for
- a zone [P] [Z]
- --add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T]
- --remove-masquerade Disable IPv4 masquerade for a zone [P] [Z]
- --query-masquerade Return whether IPv4 masquerading has been enabled for a
- zone [P] [Z]
- --list-rich-rules List rich language rules added for a zone [P] [Z]
- --add-rich-rule=
- Add rich language rule 'rule' for a zone [P] [Z] [T]
- --remove-rich-rule=
- Remove rich language rule 'rule' from a zone [P] [Z]
- --query-rich-rule=
- Return whether a rich language rule 'rule' has been
- added for a zone [P] [Z]
- Options to Handle Bindings of Interfaces
- --list-interfaces List interfaces that are bound to a zone [P] [Z]
- --add-interface=
- Bind the
to a zone [P] [Z] - --change-interface=
- Change zone the
is bound to [P] [Z] - --query-interface=
- Query whether
is bound to a zone [P] [Z] - --remove-interface=
- Remove binding of
from a zone [P] [Z] - Options to Handle Bindings of Sources
- --list-sources List sources that are bound to a zone [P] [Z]
- --add-source=<source>[/
]| |ipset: - Bind the source to a zone [P] [Z]
- --change-source=<source>[/
]| |ipset: - Change zone the source is bound to [Z]
- --query-source=<source>[/
]| |ipset: - Query whether the source is bound to a zone [P] [Z]
- --remove-source=<source>[/
]| |ipset: - Remove binding of the source from a zone [P] [Z]
- Helper Options
- --new-helper=
--module= [--family= ] - Add a new helper [P only]
- --new-helper-from-file=
[--name= ] - Add a new helper from file with optional name [P only]
- --delete-helper=
- Delete an existing helper [P only]
- --load-helper-defaults=
- Load helper default settings [P only]
- --info-helper=
Print information about an helper - --path-helper=
Print file path of an helper [P only] - --get-helpers Print predefined helpers
- --helper=
--set-description= - Set new description to helper [P only]
- --helper=
--get-description - Print description for helper [P only]
- --helper=
--set-short= - Set new short description to helper [P only]
- --helper=
--get-short - Print short description for helper [P only]
- --helper=
--add-port= [- ]/ - Add a new port to helper [P only]
- --helper=
--remove-port= [- ]/ - Remove a port from helper [P only]
- --helper=
--query-port= [- ]/ - Return whether the port has been added for helper [P only]
- --helper=
--get-ports - List ports of helper [P only]
- --helper=
--set-module= - Set module to helper [P only]
- --helper=
--get-module - Get module from helper [P only]
- --helper=
--set-family={ipv4|ipv6|} - Set family for helper [P only]
- --helper=
--get-family - Get module from helper [P only]
- Direct Options
- --direct First option for all direct options
- --get-all-chains
- Get all chains [P]
- --get-chains {ipv4|ipv6|eb}Get all chains added to the table [P]--add-chain {ipv4|ipv6|eb}Add a new chain to the table [P]--remove-chain {ipv4|ipv6|eb}Remove the chain from the table [P]--query-chain {ipv4|ipv6|eb}Return whether the chain has been added to the table [P]--get-all-rulesGet all rules [P]--get-rules {ipv4|ipv6|eb}Get all rules added to chain in table [P]--add-rule {ipv4|ipv6|eb}
... Add rule to chain in table [P]--remove-rule {ipv4|ipv6|eb}... Remove rule with priority from chain in table [P]--remove-rules {ipv4|ipv6|eb}Remove rules from chain in table [P]--query-rule {ipv4|ipv6|eb}... Return whether a rule with priority has been added tochain in table [P]--passthrough {ipv4|ipv6|eb}... Pass a command through (untracked by firewalld)--get-all-passthroughsGet all tracked passthrough rules [P]--get-passthroughs {ipv4|ipv6|eb}... Get tracked passthrough rules [P]--add-passthrough {ipv4|ipv6|eb}... Add a new tracked passthrough rule [P]--remove-passthrough {ipv4|ipv6|eb}... Remove a tracked passthrough rule [P]--query-passthrough {ipv4|ipv6|eb}... Return whether the tracked passthrough rule has beenadded [P]Lockdown Options--lockdown-on Enable lockdown.--lockdown-off Disable lockdown.--query-lockdown Query whether lockdown is enabledLockdown Whitelist Options--list-lockdown-whitelist-commandsList all command lines that are on the whitelist [P]--add-lockdown-whitelist-command=<command>Add the command to the whitelist [P]--remove-lockdown-whitelist-command=<command>Remove the command from the whitelist [P]--query-lockdown-whitelist-command=<command>Query whether the command is on the whitelist [P]--list-lockdown-whitelist-contextsList all contexts that are on the whitelist [P]--add-lockdown-whitelist-context=Add the context context to the whitelist [P]--remove-lockdown-whitelist-context=Remove the context from the whitelist [P]--query-lockdown-whitelist-context=Query whether the context is on the whitelist [P]--list-lockdown-whitelist-uidsList all user ids that are on the whitelist [P]--add-lockdown-whitelist-uid=Add the user id uid to the whitelist [P]--remove-lockdown-whitelist-uid=Remove the user id uid from the whitelist [P]--query-lockdown-whitelist-uid=Query whether the user id uid is on the whitelist [P]--list-lockdown-whitelist-usersList all user names that are on the whitelist [P]--add-lockdown-whitelist-user=Add the user name user to the whitelist [P]--remove-lockdown-whitelist-user=Remove the user name user from the whitelist [P]--query-lockdown-whitelist-user=Query whether the user name user is on the whitelist [P]Panic Options--panic-on Enable panic mode--panic-off Disable panic mode--query-panic Query whether panic mode is enabled以上,感谢。
2022年11月27日
- 相关阅读:
数据结构题型7-删除结点方式1
计算机毕业设计(附源码)python智慧门诊综合管理系统
Raw格式的图片理解、读取、转换、显示、对raw10应用和COLOR_BayerBG2RGB理解
Dubbo3.0新特性
C语言经典100例题(50)--#include 的应用练习
【CSS】笔记1-基础选择器、样式引入
以沙箱的方式运行容器:安全容器Kata Containers
Linux常用命令——帮助命令
为什么我抓不到baidu的数据包
解决vs code终端无法执行命令的问题
- 原文地址:https://blog.csdn.net/zhangbeizhen18/article/details/128062730
