10.21 firewalld zone operations

Linux firewall - firewalld

  • firewall-cmd --set-default-zone=work //set the default zone
  • firewall-cmd --get-zone-of-interface=ens33 //query the zone of a given interface
  • firewall-cmd --zone=public --add-interface=lo //assign a zone to a given interface
  • firewall-cmd --zone=dmz --change-interface=lo //change the zone of an interface
  • firewall-cmd --zone=dmz --remove-interface=lo //remove an interface from its zone
  • firewall-cmd --get-active-zones //show which zone every interface on the system is in

firewall-cmd: set the default zone

  • firewall-cmd --set-default-zone=work //set the default zone
[root@hf-01 ~]# firewall-cmd --set-default-zone=work
success
[root@hf-01 ~]# firewall-cmd --get-default-zone
work
[root@hf-01 ~]#

firewall-cmd: query the zone of a given interface

  • firewall-cmd --get-zone-of-interface=eno16777736 //query the zone of a given interface
[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=eno16777736
work
[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@hf-01 ~]#
  • If an interface added later, ens36, shows "no zone", copy the eno16777736 interface configuration, name the copy ens36, edit the config file, then restart the network service, reload the firewalld service (systemctl restart firewalld), and check the zone of ens36 again
    • If it still has no zone, assign a zone to ens36
      • firewall-cmd --zone=public --add-interface=ens36 //assign a zone to a given interface
[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=ens36
no zone
[root@hf-01 ~]# cd /etc/sysconfig/network-scripts/
[root@hf-01 network-scripts]# ls
ifcfg-eno16777736    ifdown-post      ifup-bnep   ifup-routes
ifcfg-eno16777736:0  ifdown-ppp       ifup-eth    ifup-sit
ifcfg-lo             ifdown-routes    ifup-ippp   ifup-Team
ifdown               ifdown-sit       ifup-ipv6   ifup-TeamPort
ifdown-bnep          ifdown-Team      ifup-isdn   ifup-tunnel
ifdown-eth           ifdown-TeamPort  ifup-plip   ifup-wireless
ifdown-ippp          ifdown-tunnel    ifup-plusb  init.ipv6-global
ifdown-ipv6          ifup             ifup-post   network-functions
ifdown-isdn          ifup-aliases     ifup-ppp    network-functions-ipv6
[root@hf-01 network-scripts]# cp /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/sysconfig/network-scripts/ens36
[root@hf-01 network-scripts]# vi !$        //edit the config file
vi /etc/sysconfig/network-scripts/ens36
[root@hf-01 network-scripts]# systemctl restart network.service    //restart the network service
[root@hf-01 network-scripts]# systemctl restart firewalld    //reload the firewalld service
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36    //check the zone of ens36
no zone
[root@hf-01 network-scripts]# firewall-cmd --zone=work --add-interface=ens36    //assign a zone to ens36
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36    //check the zone of ens36
work
[root@hf-01 network-scripts]#

firewall-cmd: assign a zone to a given interface

  • firewall-cmd --zone=public --add-interface=lo //assign a zone to a given interface
[root@hf-01 network-scripts]# firewall-cmd --zone=public --add-interface=lo    //assign a zone to the lo interface
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
[root@hf-01 network-scripts]#

firewall-cmd: change the zone of an interface

  • firewall-cmd --zone=dmz --change-interface=lo //change the zone of an interface
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
[root@hf-01 network-scripts]# firewall-cmd --zone=dmz --change-interface=lo    //change the zone of the interface
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
dmz
[root@hf-01 network-scripts]#

firewall-cmd: remove an interface from its zone

  • firewall-cmd --zone=block --remove-interface=ens36 //remove an interface from its zone
[root@hf-01 network-scripts]# firewall-cmd --zone=block --change-interface=ens36    //assign the block zone to ens36
success
[root@hf-01 network-scripts]# firewall-cmd --zone=block  --remove-interface=ens36    //remove ens36 from its zone
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36
no zone
[root@hf-01 network-scripts]#
  • Does removing an interface from its zone restore it to the default zone? No: after the remove, it shows "no zone", not the default zone!!!

firewall-cmd: show which zone every interface on the system is in

  • firewall-cmd --get-active-zones //show which zone every interface on the system is in
[root@hf-01 network-scripts]# firewall-cmd --get-active-zones        //show which zone every interface on the system is in
dmz
  interfaces: lo
work
  interfaces: eno16777736
[root@hf-01 network-scripts]#
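The `--get-active-zones` output above only lists interfaces that are bound to some zone, so an interface left with "no zone" (for example after `--remove-interface`) is simply absent from it. The following audit script, added here as an example and not part of the original notes, parses that output format and flags every interface you expect to see that has no zone; the sample output is constructed from the session above.

```shell
#!/bin/sh
# Parse the output format of `firewall-cmd --get-active-zones`:
#   <zone>
#     interfaces: if1 if2
#     sources: ...        (ignored here)
# and print one "<interface> <zone>" line per bound interface.
zone_of_interfaces() {
    awk '
        /^[^[:space:]]/ { zone = $1; next }          # unindented line: zone name
        /^[[:space:]]+interfaces:/ {                 # indented line: interfaces of that zone
            for (i = 2; i <= NF; i++) print $i, zone
        }
    '
}

# Read active-zone output on stdin; for each interface name given as an
# argument print "<iface> <zone>", or "<iface> no-zone" when the interface
# is not bound to any zone (the state the notes above warn about).
audit_interfaces() {
    map=$(zone_of_interfaces)
    for ifc in "$@"; do
        z=$(printf '%s\n' "$map" | awk -v i="$ifc" '$1 == i { print $2; exit }')
        printf '%s %s\n' "$ifc" "${z:-no-zone}"
    done
}

# Constructed sample: the --get-active-zones output from the session above,
# with ens36 (just removed from the block zone) no longer listed.
SAMPLE='dmz
  interfaces: lo
work
  interfaces: eno16777736
'

# Prints:  lo dmz / eno16777736 work / ens36 no-zone
printf '%s' "$SAMPLE" | audit_interfaces lo eno16777736 ens36

# On a live host (needs root), check every kernel interface instead:
#   firewall-cmd --get-active-zones | audit_interfaces $(ls /sys/class/net)
```

Note that the `firewall-cmd` zone changes shown in the notes are runtime-only unless `--permanent` is also given, so an audit like this is worth rerunning after a firewalld restart or reload.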