Most articles online only cover the firewall-cmd command-line approach and rarely explain how to change firewalld's configuration files directly, so I am recording it here.
The idea is to run each command and then look at what changed in the configuration file.
Opening ports
Permanently open two ports:
firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --reload
In public.xml under /etc/firewalld/zones this shows up as:
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="8080"/>
</zone>
Restricting source IPs
Accept connections only from the 10.10.x.x range, and open ports 8000 through 9000 to it:
firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.0.0/16" port protocol="tcp" port="8000-9000" accept'
firewall-cmd --reload
Look at public.xml again:
# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
<short>Public</short>
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="ssh"/>
<service name="dhcpv6-client"/>
<port protocol="tcp" port="80"/>
<port protocol="tcp" port="8080"/>
<rule family="ipv4">
<source address="10.10.0.0/16"/>
<port protocol="tcp" port="8000-9000"/>
<accept/>
</rule>
</zone>
So now we can see how each command maps onto the zone file: the same result is obtained by editing /etc/firewalld/zones/public.xml directly and then running firewall-cmd --reload so firewalld picks up the change.
# firewall-cmd --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports: 80/tcp 22/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.10.0.0/16" port port="8000-9000" protocol="tcp" accept
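To make the mapping between the zone file and the firewall-cmd commands concrete, here is an added Python example (not part of the original post, and not firewalld's own code) that parses a zone XML like the public.xml shown above, adds a plain port and a source-restricted rich rule the way --add-port and --add-rich-rule do, and emits the equivalent firewall-cmd --permanent commands. The zone file content is embedded inline so it runs without a firewalld installation; the 192.0.2.0/24 network used in the usage line is a constructed sample value.

```python
import xml.etree.ElementTree as ET

# Zone file as shown in the post, reproduced inline so the example runs offline.
# On a real host, read /etc/firewalld/zones/public.xml instead.
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="10.10.0.0/16"/>
    <port protocol="tcp" port="8000-9000"/>
    <accept/>
  </rule>
</zone>
"""

XML_DECL = '<?xml version="1.0" encoding="utf-8"?>\n'


def parse_zone(xml_text):
    """Summarise what a zone file lets in: services, unrestricted ports, rich rules."""
    root = ET.fromstring(xml_text)
    summary = {
        "services": [s.get("name") for s in root.findall("service")],
        # Plain <port> entries are accepted from ANY source address; these are the
        # ones to review when auditing a zone.
        "open_ports": [(p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "rich_rules": [],
    }
    for rule in root.findall("rule"):
        src = rule.find("source")
        port = rule.find("port")
        action = next((a for a in ("accept", "drop", "reject") if rule.find(a) is not None), "unknown")
        summary["rich_rules"].append({
            "family": rule.get("family"),
            "source": src.get("address") if src is not None else None,
            "port": port.get("port") if port is not None else None,
            "protocol": port.get("protocol") if port is not None else None,
            "action": action,
        })
    return summary


def add_port(xml_text, port, protocol="tcp"):
    """Add a <port> element (what --add-port writes) unless it is already present."""
    root = ET.fromstring(xml_text)
    for p in root.findall("port"):
        if p.get("port") == str(port) and p.get("protocol") == protocol:
            return xml_text  # already open: leave the file untouched
    el = ET.SubElement(root, "port", {"protocol": protocol, "port": str(port)})
    el.tail = "\n"
    return XML_DECL + ET.tostring(root, encoding="unicode")


def add_source_rule(xml_text, cidr, port_range, protocol="tcp", family="ipv4"):
    """Add a rich rule accepting port_range only from cidr (what --add-rich-rule writes)."""
    root = ET.fromstring(xml_text)
    rule = ET.SubElement(root, "rule", {"family": family})
    ET.SubElement(rule, "source", {"address": cidr})
    ET.SubElement(rule, "port", {"protocol": protocol, "port": port_range})
    ET.SubElement(rule, "accept")
    rule.tail = "\n"
    return XML_DECL + ET.tostring(root, encoding="unicode")


def to_firewall_cmd(summary, zone="public"):
    """Emit the firewall-cmd --permanent commands equivalent to a parsed zone file."""
    cmds = []
    for name in summary["services"]:
        cmds.append(f"firewall-cmd --permanent --zone={zone} --add-service={name}")
    for port, proto in summary["open_ports"]:
        cmds.append(f"firewall-cmd --permanent --zone={zone} --add-port={port}/{proto}")
    for r in summary["rich_rules"]:
        rule = (f'rule family="{r["family"]}" source address="{r["source"]}" '
                f'port protocol="{r["protocol"]}" port="{r["port"]}" {r["action"]}')
        # Single quotes keep the rule's inner double quotes intact for the shell.
        cmds.append(f"firewall-cmd --permanent --zone={zone} --add-rich-rule='{rule}'")
    return cmds


if __name__ == "__main__":
    updated = add_source_rule(add_port(PUBLIC_XML, 443), "192.0.2.0/24", "9100")
    for cmd in to_firewall_cmd(parse_zone(updated)):
        print(cmd)
```

After writing the returned XML to /etc/firewalld/zones/public.xml, run firewall-cmd --reload and compare firewall-cmd --list-all with the parse_zone summary; any entry under "open_ports" is reachable from every source, which is the usual thing to tighten into a source-restricted rich rule as the post does for 8000-9000.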