Rule setting and command of firewall (whitelist setting)


1、 Set firewall rules

Example 1: external exposure port 8080

firewall-cmd --permanent --add-port=8080/tcp

Example 2: make the 3306 port of MySQL service only accessible to the server of network segment

#Add rule
firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="" port protocol="tcp" port="3306" accept"

#Reload make effective
firewall-cmd --reload

Note: if the masquerade IP is not turned on, port forwarding will fail; secondly, make sure that the port (3306) on the source server and the port (13306) on the target server are turned on.

2、 Firewall command

1. Start, stop and restart firewalld
1. stop
systemctl stop firewalld.service 

2. boot
systemctl start firewalld.service 

3. restart
systemctl restart firewalld.service

4. View status: 
systemctl status firewalld 

5. Do not start the firewall
systemctl disable firewalld

6. Set the startup firewall:
systemctl enable firewalld.service
2. View firewall rules and status
1. View the default firewall status (not running after closing, running after opening)
firewall-cmd --state              

2. View firewall rules (only display firewall policies in / etc / firewalld / zones / public.xml)
firewall-cmd --list-all           

3. View all firewall policies (that is, display all policies under / etc / firewalld / zones /)
firewall-cmd --list-all-zones     

4. Reload the configuration file
firewall-cmd --reload

3. Configure firewalld CMD

View version: firewall CMD -- version

View help: firewall CMD -- help

Display status: firewall CMD -- state

View all open ports: firewall CMD -- zone = public -- List ports

Update firewall rule: firewall CMD -- reload

View area information: firewall CMD -- get active areas

View the region of the specified interface: firewall CMD -- get zone of interface = eth0

Reject all packages: firewall CMD -- panic on

Cancel rejection status: firewall CMD -- panic off

Check whether to reject: firewall CMD -- Query panic
4. How to open a port
1. Add (- - permanent takes effect permanently. If this parameter is not available, it will be invalid after restarting.)
firewall-cmd --zone=public --add-port=80/tcp --permanent

2. Reload (modify rules to make them effective)
firewall-cmd --reload

3. view
firewall-cmd --zone= public --query-port=80/tcp

4. delete
firewall-cmd --zone= public --remove-port=80/tcp --permanent
Because the corresponding rules of ssh.xml are defined in / usr / lib / firewalld / services /
5. Systemctl is the main tool in the service management tool of centos7. It integrates the functions of service and chkconfig before.
Start a service: systemctl start firewalld.service
Close a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Display the status of a service: systemctl status firewalld.service
Enable a service at startup: systemctl enable firewalld.service
Disable a service at startup: systemctl disable firewalld.service
Check whether the service is started: systemctl is enabled firewalld.service
View the list of started services: systemctl list unit files grep enabled
View the list of services failed to start: systemctl -- failed

Original link

Recommended Today

Lerna package management

background For students who want to maintain multiple NPM packages at the same time, package management is a headache. Whether these packages are placed in one warehouse or in separate warehouses, when the number of packages is small, there will not be too many problems in package maintenance. But when the number of packages is […]