
Configuring the firewalld firewall (CentOS, Fedora)

Useful links

Is the firewall running?

sudo systemctl status firewalld.service

or

firewall-cmd --state

Information about the current firewall settings

  • We can see which zone is currently selected as the default by typing:
firewall-cmd --get-default-zone
  • Since we haven't given firewalld any commands to deviate from the default zone, and none of our interfaces are configured to bind to another zone, that zone will also be the only "active" zone (the zone that is controlling the traffic for our interfaces). We can verify that by typing:
firewall-cmd --get-active-zones
  • How do we know what rules are associated with the public zone though? We can print out the default zone's configuration by typing:
firewall-cmd --list-all
  • To get a list of the available zones, type:
firewall-cmd --get-zones
  • Changing the Zone of an Interface for the Current Session

You can transition an interface between zones during a session by using the --zone= parameter in combination with the --change-interface= parameter. As with all commands that modify the firewall, you will need to use sudo.

For instance, we can transition our eth0 interface to the "home" zone by typing this:

sudo firewall-cmd --zone=home --change-interface=eth0
  • Change an interface's zone permanently

Interface configuration files live in the /etc/sysconfig/network-scripts directory and are named in the format ifcfg-interface.

Set the ZONE= variable in the interface's file to the zone you wish to associate with the interface.

Configuring rules for applications

  • Get a list of all services
firewall-cmd --get-services

You can get more details about each of these services by looking at their associated .xml file within the /usr/lib/firewalld/services directory. For instance, the SSH service is defined like this:

/usr/lib/firewalld/services/ssh.xml

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>
  • For instance, if we are running a web server serving conventional HTTP traffic, we can allow this traffic for interfaces in our "public" zone for this session by typing:
sudo firewall-cmd --zone=public --add-service=http

You can leave out the --zone= if you wish to modify the default zone. We can verify the operation was successful by using the --list-all or --list-services operations:

firewall-cmd --zone=public --list-services

We can make our "public" zone change permanent by typing:

sudo firewall-cmd --zone=public --permanent --add-service=http

You can verify that this was successful by adding the --permanent flag to the --list-services operation. You need to use sudo for any --permanent operations:

sudo firewall-cmd --zone=public --permanent --list-services
  • Open a port for an application

If our application runs on port 5000 and uses TCP, we can add it to the "public" zone for this session using the --add-port= parameter. The protocol can be either tcp or udp:

sudo firewall-cmd --zone=public --add-port=5000/tcp
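Before opening a bare port, it is worth checking whether a service definition already covers it, since a named service shows up in --list-services and is easier to audit later than a port number. The script below is an added example (not from the original page) that reads the service XML format shown above offline; the sample service files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: inspect firewalld service definitions without touching
# the running firewall, so you know what --add-service=NAME would open.

# Print the port/protocol pairs declared in one service XML file,
# e.g. "22/tcp" for /usr/lib/firewalld/services/ssh.xml.
# Both attribute orders (protocol first or port first) are handled.
service_ports() {
    sed -n \
        -e 's/.*<port[^>]*protocol="\([a-z]*\)"[^>]*port="\([0-9-]*\)".*/\2\/\1/p' \
        -e 's/.*<port[^>]*port="\([0-9-]*\)"[^>]*protocol="\([a-z]*\)".*/\1\/\2/p' \
        "$1"
}

# Reverse lookup: names of the service files in DIR that open PORT/PROTO.
# Run it before using --add-port; if a service exists, prefer --add-service.
services_for_port() {
    dir="$1"; want="$2"
    for f in "$dir"/*.xml; do
        [ -f "$f" ] || continue
        if service_ports "$f" | grep -qx "$want"; then
            basename "$f" .xml
        fi
    done
}

# Constructed sample directory standing in for /usr/lib/firewalld/services
# (assumption: a real install contains many more service files).
make_sample_dir() {
    d=$(mktemp -d)
    cat > "$d/ssh.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>
EOF
    cat > "$d/myapp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MyApp</short>
  <port port="5000" protocol="tcp"/>
  <port protocol="udp" port="5000"/>
</service>
EOF
    echo "$d"
}
```

On a real host point services_for_port at /usr/lib/firewalld/services (and /etc/firewalld/services for local overrides) instead of the sample directory.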
