2025-03-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Essential firewalld commands
Stop firewalld
systemctl stop firewalld.service
Start firewalld
systemctl start firewalld.service
Enable firewalld as a system service
systemctl enable firewalld.service
Remove firewalld from the system services
systemctl disable firewalld.service
To check the firewalld status, use either of these two commands.
firewall-cmd --state
systemctl status firewalld
Reload the firewall
Enter the following command as root to reload the firewall without interrupting user connections, that is, without losing state information:
firewall-cmd --reload
Enter the following command as root to reload the firewall and disconnect users, that is, discard state information:
firewall-cmd --complete-reload
Note: this command is usually used only when there is a serious problem with the firewall. For example, the firewall rules are correct, but there is a problem with the state information and connections cannot be established.
Firewalld zone operations
Get the list of supported zones
firewall-cmd --get-zones
Get all supported services
firewall-cmd --get-services
Get all supported ICMP types
firewall-cmd --get-icmptypes
List the properties of all enabled zones
firewall-cmd --list-all-zones
Get the default zone for network connections
firewall-cmd --get-default-zone
Set the default zone
firewall-cmd --set-default-zone=work
Note: new access requests that flow into the interfaces configured in the default zone will be placed in the new default zone. Currently active connections will not be affected.
Get the active zones
firewall-cmd --get-active-zones
Get the zone an interface belongs to
firewall-cmd --get-zone-of-interface=<interface>
firewall-cmd --get-zone-of-interface=eno16777736
Add an interface to a zone
firewall-cmd [--zone=<zone>] --add-interface=<interface>
If the interface does not belong to a zone, it will be added to the zone. If the zone is omitted, the default zone is used. The interface will be reapplied after reloading.
Change the zone an interface belongs to
firewall-cmd [--zone=<zone>] --change-interface=<interface>
This option is similar to the --add-interface option, but when the interface already exists in another zone, the interface will be added to the new zone.
Remove an interface from a zone
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
Query whether a zone contains an interface
firewall-cmd [--zone=<zone>] --query-interface=<interface>
List the services enabled in a zone
firewall-cmd [--zone=<zone>] --list-services
Enable ICMP blocking
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
Firewalld permanent settings
Permanent options do not directly affect the runtime state. They take effect only after the service is reloaded or restarted. To have a setting in both the runtime and the permanent configuration, you need to set both separately. The --permanent option must be the first parameter of a permanent setting.
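Because the two configurations are set separately, they can drift apart. The following added example (not part of the original article; `fw_drift` and `fw_audit_zone` are hypothetical helper names, and the sample lists are constructed) compares runtime and permanent services and ports for a zone, flagging entries that a reload would drop and entries that are not active yet.

```shell
#!/bin/sh
# Added example; fw_drift and fw_audit_zone are hypothetical helper names.

# fw_drift RUNTIME PERMANENT
# Each argument is a whitespace-separated list of services and/or ports.
# Prints one line per difference; returns 0 if the lists match, 1 otherwise.
fw_drift() {
    fwd_rt=" $(printf '%s ' $1)"   # normalise to " a b c "
    fwd_pm=" $(printf '%s ' $2)"
    fwd_status=0
    for fwd_item in $1; do
        case "$fwd_pm" in
            *" $fwd_item "*) ;;
            *) echo "runtime-only: $fwd_item"; fwd_status=1 ;;   # dropped by a reload
        esac
    done
    for fwd_item in $2; do
        case "$fwd_rt" in
            *" $fwd_item "*) ;;
            *) echo "permanent-only: $fwd_item"; fwd_status=1 ;; # not active yet
        esac
    done
    return $fwd_status
}

# fw_audit_zone ZONE: feed live firewalld data into fw_drift (run as root).
fw_audit_zone() {
    rt_s=$(firewall-cmd --zone="$1" --list-services) || return 2
    pm_s=$(firewall-cmd --permanent --zone="$1" --list-services) || return 2
    rt_p=$(firewall-cmd --zone="$1" --list-ports) || return 2
    pm_p=$(firewall-cmd --permanent --zone="$1" --list-ports) || return 2
    fw_drift "$rt_s $rt_p" "$pm_s $pm_p"
}

# Constructed sample lists (not captured from a real host).
fw_drift "ssh http 8080/tcp" "ssh ipp-client" || true
```

On a host running firewalld, `fw_audit_zone public` performs the same comparison against live data.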
Get the services supported by the permanent option
firewall-cmd --permanent --get-services
Get the list of ICMP types supported by the permanent option
firewall-cmd --permanent --get-icmptypes
Get the supported permanent zones
firewall-cmd --permanent --get-zones
Enable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --add-service=<service>
This permanently enables the service in the zone. If no zone is specified, the default zone is used.
Disable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
Query whether a service is enabled in a zone
firewall-cmd --permanent [--zone=<zone>] --query-service=<service>
If the service is enabled, this command will have a return value. This command does not output information.
Permanently enable the ipp-client service in the home zone
firewall-cmd --permanent --zone=home --add-service=ipp-client
Permanently enable a port-protocol combination in a zone
firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
Permanently disable a port-protocol combination in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
Query whether a port-protocol combination is permanently enabled in a zone
firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
If the service is enabled, this command will have a return value. This command does not output information.
Permanently enable the https (tcp 443) port in the home zone
firewall-cmd --permanent --zone=home --add-port=443/tcp
Permanently enable masquerading in a zone
firewall-cmd --permanent [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. The addresses of the private network are hidden and mapped to a public IP. This is a form of address translation and is often used for routing. Due to kernel limitations, masquerading is only available for IPv4.
Permanently disable masquerading in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
Query the permanent state of masquerading in a zone
firewall-cmd --permanent [--zone=<zone>] --query-masquerade
If the service is enabled, this command will have a return value. This command does not output information.
Permanently enable ICMP blocking in a zone
firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>
This enables blocking of the selected Internet Control Message Protocol (ICMP) messages. An ICMP message can be a request message, a created reply message, or an error reply message.
Permanently disable ICMP blocking in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
Query the permanent state of ICMP blocking in a zone
firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>
If the service is enabled, this command will have a return value. This command does not output information.
Block echo reply messages in the public zone:
firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
Permanently enable port forwarding or mapping in a zone
firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
The port can be mapped to the same port on another host, or to a different port on the same host or another host. The port number can be a single port or a port range. The protocol can be tcp or udp. The destination port can be a port number or a port range. The destination address can be an IPv4 address. Due to kernel limitations, port forwarding is only available for IPv4.
Permanently disable port forwarding or port mapping in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Query the port forwarding or port mapping status of a zone
firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
If the service is enabled, this command will have a return value. This command does not output information.
Get all the rules added to a chain in a table, separated by line breaks.
firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>