[daily][centos][iptables][firewalld] firewalld的初步了解

CentOS7中默认使用firewalld代替了iptables . 接下来将对firewalld, 做一些初步的了解.

首先读一下, redhat的文档:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-using_firewalls

重要内容摘录如下:

1.  firewalld与iptables的区别:

. The iptables service stores configuration in /etc/sysconfig/iptables and /etc/sysconfig/ip6tables, 
while firewalld stores it in various XML files in /usr/lib/firewalld/ and /etc/firewalld/. 
Note that the /etc/sysconfig/iptables file does not exist as firewalld is installed by default 
on Red Hat Enterprise Linux.
. With the iptables service, every single change means flushing all the old rules and reading all 
the new rules from /etc/sysconfig/iptables, while with firewalld there is no recreating of all the rules. 
Only the differences are applied. Consequently, firewalld can change the settings 
during runtime without existing connections being lost.

2. service

[root@S205 ~]# man firewalld.service

配置文件:

[root@S205 ~]# ls /usr/lib/firewalld/services/
amanda-client.xml     dns.xml                  http.xml          kpasswd.xml      mysql.xml      pop3.xml            rpc-bind.xml      squid.xml        tor-socks.xml
amanda-k5-client.xml  docker-registry.xml      imaps.xml         ldaps.xml        nfs.xml        postgresql.xml      rsyncd.xml        ssh.xml          transmission-client.xml
bacula-client.xml     dropbox-lansync.xml      imap.xml          ldap.xml         ntp.xml        privoxy.xml         samba-client.xml  synergy.xml      vdsm.xml
bacula.xml            freeipa-ldaps.xml        ipp-client.xml    libvirt-tls.xml  openvpn.xml    proxy-dhcp.xml      samba.xml         syslog-tls.xml   vnc-server.xml
ceph-mon.xml          freeipa-ldap.xml         ipp.xml           libvirt.xml      pmcd.xml       ptp.xml             sane.xml          syslog.xml       wbem-https.xml
ceph.xml              freeipa-replication.xml  ipsec.xml         mdns.xml         pmproxy.xml    pulseaudio.xml      smtps.xml         telnet.xml       xmpp-bosh.xml
dhcpv6-client.xml     ftp.xml                  iscsi-target.xml  mosh.xml         pmwebapis.xml  puppetmaster.xml    smtp.xml          tftp-client.xml  xmpp-client.xml
dhcpv6.xml            high-availability.xml    kadmin.xml        mountd.xml       pmwebapi.xml   radius.xml          snmptrap.xml      tftp.xml         xmpp-local.xml
dhcp.xml              https.xml                kerberos.xml      ms-wbt.xml       pop3s.xml      RH-Satellite-.xml  snmp.xml          tinc.xml         xmpp-server.xml
[root@S205 ~]# 

查看当前系统里预置的(可以设置的)所有服务:

[root@S205 ~]# firewall-cmd --get-services

查看生效的服务:

[root@S205 ~]# firewall-cmd --list-services
dhcpv6-client ssh
[root@S205 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules: 

查看服务详情:

[root@S205 ~]# firewall-cmd --info-service=http
http
  ports: /tcp
  protocols:
  source-ports:
  modules:
  destination:

/usr/lib/firewalld/services/ 下的服务是默认自带, 用户不应该对他们进行编辑, 用户定义的应该放在目录/etc/firewalld/services/,  这一点和systemd是一样的.

可以是有几个方法新增服务:

方法A:

cp /usr/lib/firewalld/services/service-name.xml /etc/firewalld/services/service-name.xml

方法B:

firewall-cmd --permanent --new-service-from-file=service-name.xml

[root@S205 zones]# firewall-cmd --add-service=http
success
[root@S205 zones]# firewall-cmd --list-services
dhcpv6-client ssh http
[root@S205 zones]# 

方法C:

修改如下配置文件:

[root@S205 ~]# vim /etc/firewalld/zones/public.xml