Heesung Yang
[명령어] firewalld
- zone 개념 추가됨
- service 와 port 개념 추가됨
- 여러 개의 eth가 있을 경우, 각 eth별로 zone을 다르게 설정 가능
- zone 별로 service/port 설정 가능
Zone
~$ sudo firewall-cmd --get-default-zone
public
~$ sudo firewall-cmd --set-default-zone=home
success
~$ sudo firewall-cmd --get-active-zones
public
interfaces: eno1
# --new-zone / --set-description / --set-short 는 --permanent 전용 옵션이며, --reload 후에 runtime에 반영됨
~$ sudo firewall-cmd --permanent --new-zone=myzone
~$ sudo firewall-cmd --permanent --zone=myzone --set-description="My Zone"
~$ sudo firewall-cmd --permanent --zone=myzone --set-short="myzone"
~$ sudo firewall-cmd --permanent --zone=myzone --add-service="ssh"
~$ sudo firewall-cmd --reload
# show zone list
~$ sudo firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# show default zone's configuration
~$ sudo firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eno1
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# show specific zone's configuration
~$ sudo firewall-cmd --zone=home --list-all
home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client mdns samba-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# show all zone's configuration
~$ sudo firewall-cmd --list-all-zones
# attach eth to specific zone
~$ sudo firewall-cmd --zone=home --change-interface=eth0
success
~$ sudo firewall-cmd --get-active-zones
home
interfaces: eth0
public
interfaces: eno1
Service
# service list
# /usr/lib/firewalld/services/ 의 파일 이름이 나옴 (xml extension 제외)
~$ sudo firewall-cmd --get-services
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
~$ sudo firewall-cmd --zone=public --add-service=http
~$ sudo firewall-cmd --add-service=http # default zone
~$ sudo firewall-cmd --zone=public --add-service=http --permanent # permanent 설정에만 반영됨 (runtime 은 --reload 전까지 그대로)
~$ sudo firewall-cmd --zone=public --list-services
dhcpv6-client ssh http
- Defining service
# /usr/lib/firewalld/services/ 는 패키지가 관리하는 디렉터리라 업데이트 시 덮어써질 수 있음; 사용자 정의 service 는 /etc/firewalld/services/ 에 두는 것이 안전 (같은 이름이면 /etc 쪽이 우선)
~$ sudo vim /usr/lib/firewalld/services/myservice.xml
<?xml version="1.0" encoding="utf-8"?>
<!-- firewalld service definition "myservice": the file name (without .xml) becomes
     the name used with --add-service; this one opens port 8000 on both tcp and udp -->
<service>
<short>My Service</short>
<description>This is my service</description>
<!-- one <port> entry per protocol/port pair; drop the udp line if only tcp is actually needed -->
<port protocol="tcp" port="8000"/>
<port protocol="udp" port="8000"/>
</service>
~$ sudo firewall-cmd --reload
~$ sudo firewall-cmd --get-services
... myservice ...
Port
~$ sudo firewall-cmd --add-port=5000/tcp
~$ sudo firewall-cmd --zone=public --add-port=4990-4999/udp
~$ sudo firewall-cmd --list-ports
5000/tcp 4990-4999/udp
Apply permanently
~$ sudo firewall-cmd --runtime-to-permanent
Reference