CentOS 7 basic document
1. Working with zones at runtime
Changes made to a zone in runtime mode are not permanent and are lost after a reload.
1 Enable a service in a zone, that is, open a service in the zone
firewall-cmd --zone=<zone name> --add-service=<service name>
2 Disable a service in a zone, that is, close a service in the zone
firewall-cmd --zone=<zone name> --remove-service=<service name>
3 Query whether a specific service is enabled in a zone
firewall-cmd --zone=<zone name> --query-service=<service name>
4 Enable a port and protocol combination in a zone
firewall-cmd --zone=<zone name> --add-port=<port number>/<protocol>
5 Disable a port and protocol combination in a zone
firewall-cmd --zone=<zone name> --remove-port=<port number>/<protocol>
6 Query whether a port and protocol combination is enabled in a zone
firewall-cmd --zone=<zone name> --query-port=<port number>/<protocol>
7 Enable IP address masquerading in a zone
firewall-cmd --zone=<zone name> --add-masquerade
This operation is only valid for IPv4.
8 Disable IP address masquerading in a zone
firewall-cmd --zone=<zone name> --remove-masquerade
9 Enable ICMP blocking in a zone
firewall-cmd --zone=<zone name> --add-icmp-block=<icmp type>
The ICMP type is, for example, echo-request or echo-reply.
10 Disable ICMP blocking in a zone
firewall-cmd --zone=<zone name> --remove-icmp-block=<icmp type>
11 Enable port forwarding in a zone
firewall-cmd --zone=<zone name> --add-forward-port=port=<port number>:proto=<protocol>:toaddr=<destination address>
The port can be a single port or a port range, and the destination address can be the same host or a different host, but port forwarding is limited to IPv4 addresses.
2. Working with permanent zones
Permanent options do not directly affect the runtime state. They take effect only when the service is reloaded or restarted. To have a setting in both the runtime and the permanent configuration, you need to set it in both. When used, --permanent must be the first parameter of a permanent setting.
1 Get the services supported by the permanent option
firewall-cmd --permanent --get-services
2 Get the list of ICMP types supported by the permanent option
firewall-cmd --permanent --get-icmptypes
3 Get the supported permanent zones
firewall-cmd --permanent --get-zones
4 Configure the firewall to open the http service in the public zone and save it permanently
firewall-cmd --permanent --zone=public --add-service=http
5 Open port 8000 in the public zone
firewall-cmd --permanent --zone=public --add-port=8000/tcp
6 Configure rich rules from the command line
List the rich rules: firewall-cmd --list-rich-rules
Create a rich rule: firewall-cmd --add-rich-rule 'rule family=ipv4 source address=<source address> service name=<service name> log prefix="fpt" level=info accept' --permanent
7 Allow an administrator on host 172.31.1.2 to remotely manage intranet host 192.168.31.83 over ssh (port 23456)
firewall-cmd --add-rich-rule 'rule family=ipv4 source address=172.31.1.2 forward-port port=23456 protocol=tcp to-port=10211 to-addr=192.168.31.83' --permanent --zone=external
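Because runtime and permanent settings are stored separately, a zone can end up with services or ports that are open now but vanish on reload, or that are saved but not yet active. The following script is an added example, not part of the original article, that lists such differences for one zone; the function names fw_list and fw_drift and the FWCMD variable are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare runtime and permanent firewalld settings of a zone.
# FWCMD is a hypothetical override so the command can be replaced or wrapped
# (for example FWCMD="sudo firewall-cmd").
FWCMD="${FWCMD:-firewall-cmd}"

# fw_list <zone> <item> [--permanent]
# Prints the entries of --list-<item>, one per line, sorted.
fw_list() {
    z=$1; what=$2; shift 2
    $FWCMD "$@" --zone="$z" "--list-$what" | tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# fw_drift <zone>
# Prints "runtime-only <item> <entry>" for settings lost on reload and
# "permanent-only <item> <entry>" for settings not active until reload.
# Returns 1 if any difference was found, 0 otherwise.
fw_drift() {
    zone=$1; rc=0
    rt=$(mktemp); pm=$(mktemp)
    for item in services ports forward-ports; do
        fw_list "$zone" "$item" > "$rt"
        fw_list "$zone" "$item" --permanent > "$pm"
        # comm -23: lines only in the runtime list
        for e in $(comm -23 "$rt" "$pm"); do
            echo "runtime-only $item $e"; rc=1
        done
        # comm -13: lines only in the permanent list
        for e in $(comm -13 "$rt" "$pm"); do
            echo "permanent-only $item $e"; rc=1
        done
    done
    rm -f "$rt" "$pm"
    return $rc
}

# Usage on a host running firewalld: fw_drift public
```

Rich rules are not compared here because each rule contains spaces; compare the output of --list-rich-rules with and without --permanent line by line instead.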