

Enabling the firewall

  1. The firewall (firewalld) conflicts with the iptables, ip6tables and ebtables services, so disable (mask) those services.
    [root@kvm7 ~]# systemctl mask iptables.service 
    ln -s '/dev/null' '/etc/systemd/system/iptables.service'
    [root@kvm7 ~]# systemctl mask ip6tables.service 
    ln -s '/dev/null' '/etc/systemd/system/ip6tables.service'
    [root@kvm7 ~]# systemctl mask ebtables.service 
    ln -s '/dev/null' '/etc/systemd/system/ebtables.service'
    
  2. Check the status of the firewall service.
    [root@kvm7 ~]# systemctl status firewalld.service 
    firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
       Active: active (running) since Thu 2014-08-21 18:51:18 CST; 3min 18s ago
     Main PID: 569 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─569 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
    
    Aug 21 18:51:18 kvm7.deyu.wang systemd[1]: Started firewalld - dynamic firew....
    Hint: Some lines were ellipsized, use -l to show in full.
    
  3. If it is not running, start the firewall and enable it to start at boot.
    [root@kvm7 ~]# systemctl enable firewalld.service 
    [root@kvm7 ~]# systemctl start firewalld.service
    
  4. Check that the firewall's default zone is public.
    [root@kvm7 ~]# firewall-cmd --get-default-zone 
    public
    
  5. If the default zone is not public, set public as the default zone.
    [root@kvm7 ~]# firewall-cmd --set-default-zone public
    Warning: ZONE_ALREADY_SET: public
    
  6. Check the permanent settings of the public zone; the only open services are dhcpv6-client and ssh.
    [root@kvm7 ~]# firewall-cmd --permanent --zone=public --list-all 
    public (default)
      interfaces: 
      sources: 
      services: dhcpv6-client ssh
      ports: 
      masquerade: no
      forward-ports: 
      icmp-blocks: 
      rich rules:
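Added example, not from the original page: a POSIX sh check that parses the permanent public-zone listing shown in step 6 and reports any service beyond the expected dhcpv6-client and ssh. The firewall-cmd output inside it is a constructed sample (with an extra http entry) so the check runs offline; the commented line shows how to feed it the live output on a firewalld host.

```shell
#!/bin/sh
# Added example, not from the original page: audit the permanent public-zone
# services against the expected allow-list (dhcpv6-client and ssh).
# Assumes the text layout of `firewall-cmd --zone=public --list-all`;
# SAMPLE_LIST_ALL is constructed (note the extra http) so the check runs offline.
SAMPLE_LIST_ALL='public (default)
  interfaces:
  sources:
  services: dhcpv6-client ssh http
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:'

# extract_services: print the space-separated value of the "services:" line
extract_services() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*services:[[:space:]]*//p'
}

# unexpected_services: print the zone's services that are not in the allow-list
# $1 = list-all output, $2 = space-separated expected services
unexpected_services() {
    out=""
    for s in $(extract_services "$1"); do
        found=0
        for e in $2; do
            [ "$s" = "$e" ] && found=1
        done
        [ "$found" -eq 0 ] && out="$out $s"
    done
    printf '%s\n' "${out# }"
}

# audit_zone: exit status 0 when only the expected services are open, 1 otherwise
audit_zone() {
    extra=$(unexpected_services "$1" "$2")
    if [ -n "$extra" ]; then
        echo "unexpected services in zone: $extra"
        return 1
    fi
    return 0
}

# On a firewalld host, feed the live listing instead (assumes firewall-cmd is present):
#   audit_zone "$(firewall-cmd --permanent --zone=public --list-all)" "dhcpv6-client ssh"
if audit_zone "$SAMPLE_LIST_ALL" "dhcpv6-client ssh"; then
    echo "public zone matches the expected services"
fi
```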
    



2017-11-30