A zone describes the environment the host sits in and therefore which rules it needs; firewalld ships with 7 zones.
> First decide which zone the host belongs in >> then add rules to that zone >>> then reload the configuration: sudo firewall-cmd --reload
public: a public place; no connection on the network is trusted and only explicitly allowed connections get in. Normally configuring this zone alone is enough.
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
external: a public place, used on a network whose addresses are NAT'd (masqueraded)
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.
dmz (Demilitarized Zone): outbound connections are allowed; from the internal network only permitted connections may come in
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
work: a company or workplace environment
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
home: a home environment
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
internal: the internal network; used for the inward-facing side of a NAT setup
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
trusted: accepts all connections
All network connections are accepted.
drop: every incoming packet is silently dropped; only outbound connections are allowed
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
block: every incoming packet is rejected and the peer is told so with an ICMP reply; only outbound connections are allowed
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
By default the host is placed in the public zone with two services enabled: dhcpv6-client and ssh.
> With this configuration any source can reach this host over the ssh service, while every other service/port is closed.
★★★ Show the current configuration ★★★
# firewall-cmd --list-all
public (default, active)
interfaces: ens160
sources:
services: dhcpv6-client ssh
ports:
masquerade: no
forward-ports:
icmp-blocks:
rich rules:
If your environment does not use DHCP, you can close the DHCP service port.
★★★ Close the DHCP service port ★★★
# sudo firewall-cmd --zone=public --remove-service dhcpv6-client
Temporarily allow external access to the local DNS service
★★★ Temporarily open DNS port 53 ★★★
# sudo systemctl start named
# sudo systemctl enable named
# sudo firewall-cmd --add-service=dns
Without --permanent the change applies to the running configuration only. Do not run --reload at this point: a reload discards runtime-only changes and would close port 53 again.
# firewall-cmd --list-all
public (default, active)
interfaces: ens160
sources:
services: dhcpv6-client dns ssh
ports: (omitted)
★★★ Permanently open DNS port 53 ★★★
# sudo firewall-cmd --add-service=dns --permanent
# sudo firewall-cmd --reload
Q: Why can the service be added simply by the name dns?
A: firewall-cmd looks up the service definitions under /usr/lib/firewalld/services/, e.g. dns.xml; enabling this service opens TCP and UDP port 53 together.
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DNS</short>
  <description>The Domain Name System (DNS) is used to provide and request host and domain names. Enable this option, if you plan to provide a domain name service (e.g. with bind).</description>
  <port protocol="tcp" port="53"/>
  <port protocol="udp" port="53"/>
</service>
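The dns.xml above is one of the stock definitions shipped under /usr/lib/firewalld/services/. A service of your own belongs in /etc/firewalld/services/ instead (the /usr/lib tree is owned by the package and replaced on upgrade). The shell function below is an added example, not part of the original notes or of firewalld itself: it writes a service definition in the same format from a name, a description and a list of PORT/PROTO pairs, and refuses anything that is not a valid port or one of the protocols firewalld accepts in a <port> element. The service name, description and ports in the demo call are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): generate a firewalld service
# definition in the same format as /usr/lib/firewalld/services/dns.xml.
# Usage: make_service_xml NAME "DESCRIPTION" PORT/PROTO [PORT/PROTO ...]
# The XML goes to stdout; redirect it to /etc/firewalld/services/NAME.xml
# (custom definitions belong there, the /usr/lib tree is owned by the package).

# Escape the XML special characters so a description cannot break the file.
xml_escape() {
    printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g' \
                           -e 's/"/\&quot;/g' -e "s/'/\&apos;/g"
}

# Accept only ports 1-65535 and the protocols firewalld allows in <port>.
valid_port_proto() {
    port=${1%/*}; proto=${1#*/}
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $proto in tcp|udp|sctp|dccp) return 0 ;; *) return 1 ;; esac
}

make_service_xml() {
    name=$1; desc=$2; shift 2
    [ $# -ge 1 ] || { echo "need at least one PORT/PROTO" >&2; return 1; }
    for spec in "$@"; do
        valid_port_proto "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n' "$(xml_escape "$name")"
    printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
    done
    printf '</service>\n'
}

# Demo with constructed values: a service "myapp" on TCP 8443 and UDP 5000.
make_service_xml myapp "Constructed example service" 8443/tcp 5000/udp
```

After saving the output as /etc/firewalld/services/myapp.xml, run `sudo firewall-cmd --reload` so firewalld picks up the new definition, then add it to the zone exactly like the dns example: `sudo firewall-cmd --permanent --add-service=myapp` followed by another `--reload`.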
★★★ Inspect the rules loaded by default ★★★
All zone configuration files live in /etc/firewalld/zones and /usr/lib/firewalld/zones/.
Anything you add with the --permanent option is written to the matching zone file under /etc/firewalld/zones (e.g. public.xml), so when you run
# sudo firewall-cmd --add-service=dns --permanent
/etc/firewalld/zones/public.xml gains the line <service name="dns"/>:
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="dns"/>
  <port protocol="tcp" port="8080"/>
</zone>
★★★ Converting /etc/sysconfig/iptables rules to firewalld direct rules ★★★
Suppose your existing /etc/sysconfig/iptables contains the rules
-A INPUT -s 140.113.12.9 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s 140.113.0.0/16 --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 140.114.88.0/24 --dport 161 -j ACCEPT
To convert them to firewalld direct rules,
create /etc/firewalld/direct.xml; if you have previously run #sudo firewall-cmd --permanent --direct .... the file is generated automatically.
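The notes stop short of showing what the three rules look like on the firewalld side. The script below is an added example, not from the original notes or from firewalld: it reads `-A CHAIN ...` lines in the /etc/sysconfig/iptables format and renders each one twice, first as the `firewall-cmd --permanent --direct --add-rule ipv4 filter CHAIN PRIORITY ARGS` command that registers it, then as the `<rule>` element that command writes into /etc/firewalld/direct.xml. The embedded input is the three rules quoted above; priorities follow file order so the original ordering is kept, and table headers, policy lines and COMMIT are skipped.

```shell
#!/bin/sh
# Added example (not from the original notes): turn "-A CHAIN ..." rules from
# /etc/sysconfig/iptables into firewalld direct rules, rendered both as the
# firewall-cmd invocations and as the equivalent /etc/firewalld/direct.xml.
# Only filter-table rules are handled; other lines are reported and skipped.

# Constructed input: the three rules quoted in the notes.
IPTABLES_RULES='-A INPUT -s 140.113.12.9 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s 140.113.0.0/16 --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 140.114.88.0/24 --dport 161 -j ACCEPT'

tab=$(printf '\t')

# Read iptables-save style lines on stdin; emit "CHAIN<TAB>RULE BODY" per rule.
split_rules() {
    set -f                                  # no globbing while word-splitting rule text
    while IFS= read -r line; do
        case $line in
            "-A "*)
                set -- $line                # $2 is the chain, the rest is the rule body
                if [ $# -lt 3 ]; then echo "skipping rule without body: $line" >&2; continue; fi
                chain=$2; shift 2
                printf '%s\t%s\n' "$chain" "$*" ;;
            ''|'#'*|'*'*|:*|COMMIT) ;;      # blank, comment, table header, policy, COMMIT
            *) echo "skipping unsupported line: $line" >&2 ;;
        esac
    done
    set +f
}

# Rendering 1: the commands to run. --direct --add-rule takes
# <ipv> <table> <chain> <priority> <rule args>; priorities follow file order
# so the original rule ordering is preserved.
to_firewall_cmd() {
    n=0
    split_rules | while IFS=$tab read -r chain args; do
        printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter %s %d %s\n' \
            "$chain" "$n" "$args"
        n=$((n + 1))
    done
}

# Rendering 2: what --permanent --direct writes to /etc/firewalld/direct.xml.
# The rule body is placed verbatim; iptables arguments contain no XML specials.
to_direct_xml() {
    printf '<?xml version="1.0" encoding="utf-8"?>\n<direct>\n'
    n=0
    split_rules | while IFS=$tab read -r chain args; do
        printf '  <rule ipv="ipv4" table="filter" chain="%s" priority="%d">%s</rule>\n' \
            "$chain" "$n" "$args"
        n=$((n + 1))
    done
    printf '</direct>\n'
}

printf '%s\n' "$IPTABLES_RULES" | to_firewall_cmd
printf '%s\n' "$IPTABLES_RULES" | to_direct_xml
```

Direct rules are evaluated outside the zone model, so `firewall-cmd --list-all` will not show them; use `firewall-cmd --direct --get-all-rules` to review what is loaded. For allow rules of this simple shape (a source address or network, optionally a destination port) firewalld's rich rules are the zone-aware native form, and direct rules are best kept for what rich rules cannot express.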
★★★ Port forwarding: redirect packets arriving on one port to another port or to another host ★★★
# forward port 80 to port 8080
# sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080
# forward port 80 to port 8080 on another host
# sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=140.113.1.1
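Two things the two commands above leave out: neither carries --permanent, so both forwards vanish on the next --reload or reboot, and forwarding to another host (toaddr=) only works when the zone also has masquerading enabled, because the replies have to be rewritten on their way back through this host. The functions below are an added example, not part of the original notes or of firewalld: they build the forward-port specification with basic validation and emit the permanent command sequence, adding --add-masquerade only when a toaddr is given. The zone name and addresses in the demo calls are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): build a firewalld forward-port
# specification and the commands that make it permanent. When the target is
# another host (toaddr=...), the zone also needs masquerading, otherwise return
# traffic never comes back through this host.

# Print "port=P:proto=PR:toport=TP[:toaddr=A]" after validating each part.
forward_spec() {
    port=$1; proto=$2; toport=$3; toaddr=${4:-}
    for p in "$port" "$toport"; do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    if [ -n "$toaddr" ]; then
        # basic dotted-quad check: digits and exactly three single dots
        case $toaddr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
        [ "$(printf '%s' "$toaddr" | tr -cd . | wc -c)" -eq 3 ] || return 1
    fi
    spec="port=$port:proto=$proto:toport=$toport"
    [ -n "$toaddr" ] && spec="$spec:toaddr=$toaddr"
    printf '%s\n' "$spec"
}

# Print the commands for a permanent forward in ZONE.
# Usage: forward_commands ZONE PORT PROTO TOPORT [TOADDR]
forward_commands() {
    zone=$1; shift
    toaddr=${4:-}
    spec=$(forward_spec "$@") || { echo "invalid forward spec" >&2; return 1; }
    # Masquerading is only required when packets leave for another host.
    [ -n "$toaddr" ] && printf 'firewall-cmd --permanent --zone=%s --add-masquerade\n' "$zone"
    printf 'firewall-cmd --permanent --zone=%s --add-forward-port=%s\n' "$zone" "$spec"
    printf 'firewall-cmd --reload\n'
}

# Demo with constructed values: local redirect, then redirect to another host.
forward_commands public 80 tcp 8080
forward_commands public 80 tcp 8080 140.113.1.1
```

Run the printed commands as root, then confirm with `firewall-cmd --zone=public --list-forward-ports` and, for the remote case, `firewall-cmd --zone=public --query-masquerade`. Note that masquerading applies to the whole zone, not just the forwarded port, so enable it only on the zone that actually faces the network being NAT'd.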