查看防火墙状态

1
2
3
4
firewall-cmd --state
#or
systemctl status firewalld

查看默认区域的设置

1
firewall-cmd --list-all

允许(禁止)开机启动防火墙

1
2
systemctl enable firewalld   # 允许启动
systemctl disable firewalld  # 禁止

开启(关闭)防火墙

1
2
systemctl start firewalld  #开启
systemctl stop firewalld   #关闭

开启(关闭)某端口

1
2
3
4
5
6
firewall-cmd --add-port=<port>/<protocol> #添加端口/协议(TCP/UDP)
firewall-cmd --remove-port=<port>/<protocol> #移除端口/协议(TCP/UDP)
firewall-cmd --list-ports #查看开放的端口

#例
firewall-cmd --add-port=1521/tcp  #开放1521端口

允许(禁止)某协议

1
2
3
firewall-cmd --add-protocol=<protocol> # 允许协议 (例:icmp,即允许ping)
firewall-cmd --remove-protocol=<protocol> # 取消协议
firewall-cmd --list-protocols # 查看允许的协议

允许(禁止)某 ip 某端口访问(白名单 accept)(黑名单 reject)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
#允许某ip的所有流量
firewall-cmd --add-rich-rule="rule family="ipv4" source address="<ip>" accept"
#拒绝某ip的所有流量
firewall-cmd --add-rich-rule="rule family="ipv4" source address="<ip>" reject"

#允许某ip访问某端口
firewall-cmd --add-rich-rule="rule family="ipv4" source address="<ip>" port protocol="<port protocol>" port="<port>" accept"
#禁止某ip访问某端口
firewall-cmd --add-rich-rule="rule family="ipv4" source address="<ip>" port protocol="<port protocol>" port="<port>" reject"

#允许某ip访问某服务
firewall-cmd --add-rich-rule="rule family="ipv4" source address="<ip>" service name="<service name>" accept"
#禁止某ip访问某服务
firewall-cmd --add-rich-rule="rule family="ipv4" source address="<ip>" service name="<service name>" reject"