{"id":1550,"date":"2016-12-19T04:01:47","date_gmt":"2016-12-18T20:01:47","guid":{"rendered":"http:\/\/cn.hostease.com\/xueyuan\/?p=1550"},"modified":"2016-12-19T04:01:47","modified_gmt":"2016-12-18T20:01:47","slug":"centos7%e4%b8%8bfirewall%e9%98%b2%e7%81%ab%e5%a2%99%e9%85%8d%e7%bd%ae%e7%94%a8%e6%b3%95%e8%af%a6%e8%a7%a3","status":"publish","type":"post","link":"https:\/\/cn.hostease.com\/xueyuan\/jishu\/centos7%e4%b8%8bfirewall%e9%98%b2%e7%81%ab%e5%a2%99%e9%85%8d%e7%bd%ae%e7%94%a8%e6%b3%95%e8%af%a6%e8%a7%a3\/","title":{"rendered":"CentOS7\u4e0bFirewall\u9632\u706b\u5899\u914d\u7f6e\u7528\u6cd5\u8be6\u89e3"},"content":{"rendered":"
centos 7\u4e2d\u9632\u706b\u5899\u662f\u4e00\u4e2a\u975e\u5e38\u7684\u5f3a\u5927\u7684\u529f\u80fd\u4e86\uff0c\u4f46\u5bf9\u4e8ecentos 7\u4e2d\u5728\u9632\u706b\u5899\u4e2d\u8fdb\u884c\u4e86\u5347\u7ea7\u4e86\uff0c\u4e0b\u9762\u6211\u4eec\u4e00\u8d77\u6765\u8be6\u7ec6\u7684\u770b\u770b\u5173\u4e8ecentos 7\u4e2d\u9632\u706b\u5899\u4f7f\u7528\u65b9\u6cd5\u3002<\/div>\n
FirewallD \u63d0\u4f9b\u4e86\u652f\u6301\u7f51\u7edc\/\u9632\u706b\u5899\u533a\u57df(zone)\u5b9a\u4e49\u7f51\u7edc\u94fe\u63a5\u4ee5\u53ca\u63a5\u53e3\u5b89\u5168\u7b49\u7ea7\u7684\u52a8\u6001\u9632\u706b\u5899\u7ba1\u7406\u5de5\u5177\u3002\u5b83\u652f\u6301 IPv4, IPv6 \u9632\u706b\u5899\u8bbe\u7f6e\u4ee5\u53ca\u4ee5\u592a\u7f51\u6865\u63a5\uff0c\u5e76\u4e14\u62e5\u6709\u8fd0\u884c\u65f6\u914d\u7f6e\u548c\u6c38\u4e45\u914d\u7f6e\u9009\u9879\u3002\u5b83\u4e5f\u652f\u6301\u5141\u8bb8\u670d\u52a1\u6216\u8005\u5e94\u7528\u7a0b\u5e8f\u76f4\u63a5\u6dfb\u52a0\u9632\u706b\u5899\u89c4\u5219\u7684\u63a5\u53e3\u3002 \u4ee5\u524d\u7684 system-config-firewall\/lokkit \u9632\u706b\u5899\u6a21\u578b\u662f\u9759\u6001\u7684\uff0c\u6bcf\u6b21\u4fee\u6539\u90fd\u8981\u6c42\u9632\u706b\u5899\u5b8c\u5168\u91cd\u542f\u3002\u8fd9\u4e2a\u8fc7\u7a0b\u5305\u62ec\u5185\u6838 netfilter \u9632\u706b\u5899\u6a21\u5757\u7684\u5378\u8f7d\u548c\u65b0\u914d\u7f6e\u6240\u9700\u6a21\u5757\u7684\u88c5\u8f7d\u7b49\u3002\u800c\u6a21\u5757\u7684\u5378\u8f7d\u5c06\u4f1a\u7834\u574f\u72b6\u6001\u9632\u706b\u5899\u548c\u786e\u7acb\u7684\u8fde\u63a5\u3002<\/div>\n
\u76f8\u53cd\uff0cfirewall daemon \u52a8\u6001\u7ba1\u7406\u9632\u706b\u5899\uff0c\u4e0d\u9700\u8981\u91cd\u542f\u6574\u4e2a\u9632\u706b\u5899\u4fbf\u53ef\u5e94\u7528\u66f4\u6539\u3002\u56e0\u800c\u4e5f\u5c31\u6ca1\u6709\u5fc5\u8981\u91cd\u8f7d\u6240\u6709\u5185\u6838\u9632\u706b\u5899\u6a21\u5757\u4e86\u3002\u4e0d\u8fc7\uff0c\u8981\u4f7f\u7528 firewall daemon \u5c31\u8981\u6c42\u9632\u706b\u5899\u7684\u6240\u6709\u53d8\u66f4\u90fd\u8981\u901a\u8fc7\u8be5\u5b88\u62a4\u8fdb\u7a0b\u6765\u5b9e\u73b0\uff0c\u4ee5\u786e\u4fdd\u5b88\u62a4\u8fdb\u7a0b\u4e2d\u7684\u72b6\u6001\u548c\u5185\u6838\u91cc\u7684\u9632\u706b\u5899\u662f\u4e00\u81f4\u7684\u3002\u53e6\u5916\uff0cfirewall daemon \u65e0\u6cd5\u89e3\u6790\u7531 ip*tables \u548c ebtables \u547d\u4ee4\u884c\u5de5\u5177\u6dfb\u52a0\u7684\u9632\u706b\u5899\u89c4\u5219\u3002<\/div>\n
\u5b88\u62a4\u8fdb\u7a0b\u901a\u8fc7 D-BUS \u63d0\u4f9b\u5f53\u524d\u6fc0\u6d3b\u7684\u9632\u706b\u5899\u8bbe\u7f6e\u4fe1\u606f\uff0c\u4e5f\u901a\u8fc7 D-BUS \u63a5\u53d7\u4f7f\u7528 PolicyKit \u8ba4\u8bc1\u65b9\u5f0f\u505a\u7684\u66f4\u6539\u3002<\/div>\n
\n

\u201c\u5b88\u62a4\u8fdb\u7a0b\u201d<\/strong><\/p>\n

\u5e94\u7528\u7a0b\u5e8f\u3001\u5b88\u62a4\u8fdb\u7a0b\u548c\u7528\u6237\u53ef\u4ee5\u901a\u8fc7 D-BUS \u8bf7\u6c42\u542f\u7528\u4e00\u4e2a\u9632\u706b\u5899\u7279\u6027\u3002\u7279\u6027\u53ef\u4ee5\u662f\u9884\u5b9a\u4e49\u7684\u9632\u706b\u5899\u529f\u80fd\uff0c\u5982\uff1a\u670d\u52a1\u3001\u7aef\u53e3\u548c\u534f\u8bae\u7684\u7ec4\u5408\u3001\u7aef\u53e3\/\u6570\u636e\u62a5\u8f6c\u53d1\u3001\u4f2a\u88c5\u3001ICMP \u62e6\u622a\u6216\u81ea\u5b9a\u4e49\u89c4\u5219\u7b49\u3002\u8be5\u529f\u80fd\u53ef\u4ee5\u542f\u7528\u786e\u5b9a\u7684\u4e00\u6bb5\u65f6\u95f4\u4e5f\u53ef\u4ee5\u518d\u6b21\u505c\u7528\u3002<\/p>\n<\/div>\n

\u901a\u8fc7\u6240\u8c13\u7684\u76f4\u63a5\u63a5\u53e3\uff0c\u5176\u4ed6\u7684\u670d\u52a1(\u4f8b\u5982 libvirt )\u80fd\u591f\u901a\u8fc7 iptables \u53d8\u5143(arguments)\u548c\u53c2\u6570(parameters)\u589e\u52a0\u81ea\u5df1\u7684\u89c4\u5219\u3002<\/div>\n
amanda \u3001ftp \u3001samba \u548c tftp \u670d\u52a1\u7684 netfilter \u9632\u706b\u5899\u52a9\u624b\u4e5f\u88ab\u201c\u5b88\u62a4\u8fdb\u7a0b\u201d\u89e3\u51b3\u4e86,\u53ea\u8981\u5b83\u4eec\u8fd8\u4f5c\u4e3a\u9884\u5b9a\u4e49\u670d\u52a1\u7684\u4e00\u90e8\u5206\u3002\u9644\u52a0\u52a9\u624b\u7684\u88c5\u8f7d\u4e0d\u4f5c\u4e3a\u5f53\u524d\u63a5\u53e3\u7684\u4e00\u90e8\u5206\u3002\u7531\u4e8e\u4e00\u4e9b\u52a9\u624b\u53ea\u6709\u5728\u7531\u6a21\u5757\u63a7\u5236\u7684\u6240\u6709\u8fde\u63a5\u90fd\u5173\u95ed\u540e\u624d\u53ef\u88c5\u8f7d\u3002\u56e0\u800c\uff0c\u8ddf\u8e2a\u8fde\u63a5\u4fe1\u606f\u5f88\u91cd\u8981\uff0c\u9700\u8981\u5217\u5165\u8003\u8651\u8303\u56f4\u3002<\/div>\n
\n

\u9759\u6001\u9632\u706b\u5899(system-config-firewall\/lokkit)<\/strong><\/p>\n

\u4f7f\u7528 system-config-firewall \u548c lokkit \u7684\u9759\u6001\u9632\u706b\u5899\u6a21\u578b\u5b9e\u9645\u4e0a\u4ecd\u7136\u53ef\u7528\u5e76\u5c06\u7ee7\u7eed\u63d0\u4f9b\uff0c\u4f46\u5374\u4e0d\u80fd\u4e0e\u201c\u5b88\u62a4\u8fdb\u7a0b\u201d\u540c\u65f6\u4f7f\u7528\u3002\u7528\u6237\u6216\u8005\u7ba1\u7406\u5458\u53ef\u4ee5\u51b3\u5b9a\u4f7f\u7528\u54ea\u4e00\u79cd\u65b9\u6848\u3002<\/p>\n<\/div>\n

\u5728\u8f6f\u4ef6\u5b89\u88c5\uff0c\u521d\u6b21\u542f\u52a8\u6216\u8005\u662f\u9996\u6b21\u8054\u7f51\u65f6\uff0c\u5c06\u4f1a\u51fa\u73b0\u4e00\u4e2a\u9009\u62e9\u5668\u3002\u901a\u8fc7\u5b83\u4f60\u53ef\u4ee5\u9009\u62e9\u8981\u4f7f\u7528\u7684\u9632\u706b\u5899\u65b9\u6848\u3002\u5176\u4ed6\u7684\u89e3\u51b3\u65b9\u6848\u5c06\u4fdd\u6301\u5b8c\u6574\uff0c\u53ef\u4ee5\u901a\u8fc7\u66f4\u6362\u6a21\u5f0f\u542f\u7528\u3002<\/div>\n
firewall daemon \u72ec\u7acb\u4e8e system-config-firewall\uff0c\u4f46\u4e8c\u8005\u4e0d\u80fd\u540c\u65f6\u4f7f\u7528\u3002<\/div>\n
\n

\u4f7f\u7528iptables\u548cip6tables\u7684\u9759\u6001\u9632\u706b\u5899\u89c4\u5219<\/strong><\/p>\n

\u5982\u679c\u4f60\u60f3\u4f7f\u7528\u81ea\u5df1\u7684 iptables \u548c ip6tables \u9759\u6001\u9632\u706b\u5899\u89c4\u5219, \u90a3\u4e48\u8bf7\u5b89\u88c5 iptables-services \u5e76\u4e14\u7981\u7528 firewalld \uff0c\u542f\u7528 iptables \u548cip6tables:<\/p>\n<\/div>\n

yum install iptables-services\r\nsystemctl mask firewalld.service\r\nsystemctl enable iptables.service\r\nsystemctl enable ip6tables.service<\/pre>\n
\u9759\u6001\u9632\u706b\u5899\u89c4\u5219\u914d\u7f6e\u6587\u4ef6\u662f \/etc\/sysconfig\/iptables \u4ee5\u53ca \/etc\/sysconfig\/ip6tables .<\/div>\n
\u6ce8\uff1a iptables \u4e0e iptables-services \u8f6f\u4ef6\u5305\u4e0d\u63d0\u4f9b\u4e0e\u670d\u52a1\u914d\u5957\u4f7f\u7528\u7684\u9632\u706b\u5899\u89c4\u5219. \u8fd9\u4e9b\u670d\u52a1\u662f\u7528\u6765\u4fdd\u969c\u517c\u5bb9\u6027\u4ee5\u53ca\u4f9b\u60f3\u4f7f\u7528\u81ea\u5df1\u9632\u706b\u5899\u89c4\u5219\u7684\u4eba\u4f7f\u7528\u7684. \u4f60\u53ef\u4ee5\u5b89\u88c5\u5e76\u4f7f\u7528 system-config-firewall \u6765\u521b\u5efa\u4e0a\u8ff0\u670d\u52a1\u9700\u8981\u7684\u89c4\u5219. \u4e3a\u4e86\u80fd\u4f7f\u7528 system-config-firewall, \u4f60\u5fc5\u987b\u505c\u6b62 firewalld.<\/div>\n
\u4e3a\u670d\u52a1\u521b\u5efa\u89c4\u5219\u5e76\u505c\u7528 firewalld \u540e\uff0c\u5c31\u53ef\u4ee5\u542f\u7528 iptables \u4e0e ip6tables \u670d\u52a1\u4e86:<\/div>\n
systemctl stop firewalld.service\r\nsystemctl start iptables.service\r\nsystemctl start ip6tables.service<\/pre>\n
\n
\u4ec0\u4e48\u662f\u533a\u57df\uff1f<\/strong><\/p>\n
\u7f51\u7edc\u533a\u57df\u5b9a\u4e49\u4e86\u7f51\u7edc\u8fde\u63a5\u7684\u53ef\u4fe1\u7b49\u7ea7\u3002\u8fd9\u662f\u4e00\u4e2a\u4e00\u5bf9\u591a\u7684\u5173\u7cfb\uff0c\u8fd9\u610f\u5473\u7740\u4e00\u6b21\u8fde\u63a5\u53ef\u4ee5\u4ec5\u4ec5\u662f\u4e00\u4e2a\u533a\u57df\u7684\u4e00\u90e8\u5206\uff0c\u800c\u4e00\u4e2a\u533a\u57df\u53ef\u4ee5\u7528\u4e8e\u5f88\u591a\u8fde\u63a5\u3002<\/p>\n<\/div>\n
\n
\u9884\u5b9a\u4e49\u7684\u670d\u52a1<\/strong><\/p>\n
\u670d\u52a1\u662f\u7aef\u53e3\u548c\/\u6216\u534f\u8bae\u5165\u53e3\u7684\u7ec4\u5408\u3002\u5907\u9009\u5185\u5bb9\u5305\u62ec netfilter \u52a9\u624b\u6a21\u5757\u4ee5\u53ca IPv4\u3001IPv6\u5730\u5740\u3002<\/p>\n<\/div>\n
\n
\u7aef\u53e3\u548c\u534f\u8bae<\/strong><\/p>\n
\u5b9a\u4e49\u4e86 tcp \u6216 udp \u7aef\u53e3\uff0c\u7aef\u53e3\u53ef\u4ee5\u662f\u4e00\u4e2a\u7aef\u53e3\u6216\u8005\u7aef\u53e3\u8303\u56f4\u3002<\/p>\n<\/div>\n
\n
ICMP\u963b\u585e<\/strong><\/p>\n
\u53ef\u4ee5\u9009\u62e9 Internet \u63a7\u5236\u62a5\u6587\u534f\u8bae\u7684\u62a5\u6587\u3002\u8fd9\u4e9b\u62a5\u6587\u53ef\u4ee5\u662f\u4fe1\u606f\u8bf7\u6c42\u4ea6\u53ef\u662f\u5bf9\u4fe1\u606f\u8bf7\u6c42\u6216\u9519\u8bef\u6761\u4ef6\u521b\u5efa\u7684\u54cd\u5e94\u3002<\/p>\n<\/div>\n
\u4f2a\u88c5<\/strong>
\n\u79c1\u6709\u7f51\u7edc\u5730\u5740\u53ef\u4ee5\u88ab\u6620\u5c04\u5230\u516c\u5f00\u7684IP\u5730\u5740\u3002\u8fd9\u662f\u4e00\u6b21\u6b63\u89c4\u7684\u5730\u5740\u8f6c\u6362\u3002<\/div>\n
\n
\u7aef\u53e3\u8f6c\u53d1<\/strong><\/p>\n
\u7aef\u53e3\u53ef\u4ee5\u6620\u5c04\u5230\u53e6\u4e00\u4e2a\u7aef\u53e3\u4ee5\u53ca\/\u6216\u8005\u5176\u4ed6\u4e3b\u673a\u3002<\/p>\n<\/div>\n
\n
\u54ea\u4e2a\u533a\u57df\u53ef\u7528?<\/strong><\/p>\n
\u7531firewalld \u63d0\u4f9b\u7684\u533a\u57df\u6309\u7167\u4ece\u4e0d\u4fe1\u4efb\u5230\u4fe1\u4efb\u7684\u987a\u5e8f\u6392\u5e8f\u3002<\/p>\n<\/div>\n
\n
\u4e22\u5f03<\/strong><\/p>\n
\u4efb\u4f55\u6d41\u5165\u7f51\u7edc\u7684\u5305\u90fd\u88ab\u4e22\u5f03\uff0c\u4e0d\u4f5c\u51fa\u4efb\u4f55\u54cd\u5e94\u3002\u53ea\u5141\u8bb8\u6d41\u51fa\u7684\u7f51\u7edc\u8fde\u63a5\u3002<\/p>\n<\/div>\n
\n
\u963b\u585e<\/strong><\/p>\n
\u4efb\u4f55\u8fdb\u5165\u7684\u7f51\u7edc\u8fde\u63a5\u90fd\u88ab\u62d2\u7edd\uff0c\u5e76\u8fd4\u56de IPv4 \u7684 icmp-host-prohibited \u62a5\u6587\u6216\u8005 IPv6 \u7684 icmp6-adm-prohibited \u62a5\u6587\u3002\u53ea\u5141\u8bb8\u7531\u8be5\u7cfb\u7edf\u521d\u59cb\u5316\u7684\u7f51\u7edc\u8fde\u63a5\u3002<\/p>\n<\/div>\n
\n
\u516c\u5f00<\/strong><\/p>\n
\u7528\u4ee5\u53ef\u4ee5\u516c\u5f00\u7684\u90e8\u5206\u3002\u4f60\u8ba4\u4e3a\u7f51\u7edc\u4e2d\u5176\u4ed6\u7684\u8ba1\u7b97\u673a\u4e0d\u53ef\u4fe1\u5e76\u4e14\u53ef\u80fd\u4f24\u5bb3\u4f60\u7684\u8ba1\u7b97\u673a\u3002\u53ea\u5141\u8bb8\u9009\u4e2d\u7684\u8fde\u63a5\u63a5\u5165\u3002\uff08You do not trust the other computers on networks to not harm your computer. Only\u00a0selected incoming connections are accepted.\uff09<\/p>\n<\/div>\n
\n
\u5916\u90e8<\/strong><\/p>\n
\u7528\u5728\u8def\u7531\u5668\u7b49\u542f\u7528\u4f2a\u88c5\u7684\u5916\u90e8\u7f51\u7edc\u3002\u4f60\u8ba4\u4e3a\u7f51\u7edc\u4e2d\u5176\u4ed6\u7684\u8ba1\u7b97\u673a\u4e0d\u53ef\u4fe1\u5e76\u4e14\u53ef\u80fd\u4f24\u5bb3\u4f60\u7684\u8ba1\u7b97\u673a\u3002\u53ea\u5141\u8bb8\u9009\u4e2d\u7684\u8fde\u63a5\u63a5\u5165\u3002<\/p>\n<\/div>\n
\n
\u9694\u79bb\u533a\uff08dmz\uff09<\/strong><\/p>\n
\u7528\u4ee5\u5141\u8bb8\u9694\u79bb\u533a\uff08dmz\uff09\u4e2d\u7684\u7535\u8111\u6709\u9650\u5730\u88ab\u5916\u754c\u7f51\u7edc\u8bbf\u95ee\u3002\u53ea\u63a5\u53d7\u88ab\u9009\u4e2d\u7684\u8fde\u63a5\u3002<\/p>\n<\/div>\n
\n
\u5de5\u4f5c<\/strong><\/p>\n
\u7528\u5728\u5de5\u4f5c\u7f51\u7edc\u3002\u4f60\u4fe1\u4efb\u7f51\u7edc\u4e2d\u7684\u5927\u591a\u6570\u8ba1\u7b97\u673a\u4e0d\u4f1a\u5f71\u54cd\u4f60\u7684\u8ba1\u7b97\u673a\u3002\u53ea\u63a5\u53d7\u88ab\u9009\u4e2d\u7684\u8fde\u63a5\u3002<\/p>\n<\/div>\n
\n
\u5bb6\u5ead<\/strong><\/p>\n
\u7528\u5728\u5bb6\u5ead\u7f51\u7edc\u3002\u4f60\u4fe1\u4efb\u7f51\u7edc\u4e2d\u7684\u5927\u591a\u6570\u8ba1\u7b97\u673a\u4e0d\u4f1a\u5f71\u54cd\u4f60\u7684\u8ba1\u7b97\u673a\u3002\u53ea\u63a5\u53d7\u88ab\u9009\u4e2d\u7684\u8fde\u63a5\u3002<\/p>\n<\/div>\n
\n
\u5185\u90e8<\/strong><\/p>\n
\u7528\u5728\u5185\u90e8\u7f51\u7edc\u3002\u4f60\u4fe1\u4efb\u7f51\u7edc\u4e2d\u7684\u5927\u591a\u6570\u8ba1\u7b97\u673a\u4e0d\u4f1a\u5f71\u54cd\u4f60\u7684\u8ba1\u7b97\u673a\u3002\u53ea\u63a5\u53d7\u88ab\u9009\u4e2d\u7684\u8fde\u63a5\u3002<\/p>\n<\/div>\n
\n
\u53d7\u4fe1\u4efb\u7684<\/strong><\/p>\n
\u5141\u8bb8\u6240\u6709\u7f51\u7edc\u8fde\u63a5\u3002<\/p>\n<\/div>\n
\n
\u6211\u5e94\u8be5\u9009\u7528\u54ea\u4e2a\u533a\u57df?<\/strong><\/p>\n
\u4f8b\u5982\uff0c\u516c\u5171\u7684 WIFI \u8fde\u63a5\u5e94\u8be5\u4e3b\u8981\u4e3a\u4e0d\u53d7\u4fe1\u4efb\u7684\uff0c\u5bb6\u5ead\u7684\u6709\u7ebf\u7f51\u7edc\u5e94\u8be5\u662f\u76f8\u5f53\u53ef\u4fe1\u4efb\u7684\u3002\u6839\u636e\u4e0e\u4f60\u4f7f\u7528\u7684\u7f51\u7edc\u6700\u7b26\u5408\u7684\u533a\u57df\u8fdb\u884c\u9009\u62e9\u3002<\/p>\n<\/div>\n
\n
\u5982\u4f55\u914d\u7f6e\u6216\u8005\u589e\u52a0\u533a\u57df?<\/strong><\/p>\n
\u4f60\u53ef\u4ee5\u4f7f\u7528\u4efb\u4f55\u4e00\u79cd firewalld \u914d\u7f6e\u5de5\u5177\u6765\u914d\u7f6e\u6216\u8005\u589e\u52a0\u533a\u57df\uff0c\u4ee5\u53ca\u4fee\u6539\u914d\u7f6e\u3002\u5de5\u5177\u6709\u4f8b\u5982 firewall-config \u8fd9\u6837\u7684\u56fe\u5f62\u754c\u9762\u5de5\u5177\uff0c firewall-cmd \u8fd9\u6837\u7684\u547d\u4ee4\u884c\u5de5\u5177\uff0c\u4ee5\u53caD-BUS\u63a5\u53e3\u3002\u6216\u8005\u4f60\u4e5f\u53ef\u4ee5\u5728\u914d\u7f6e\u6587\u4ef6\u76ee\u5f55\u4e2d\u521b\u5efa\u6216\u8005\u62f7\u8d1d\u533a\u57df\u6587\u4ef6\u3002 @PREFIX@\/lib\/firewalld\/zones \u88ab\u7528\u4e8e\u9ed8\u8ba4\u548c\u5907\u7528\u914d\u7f6e\uff0c\/etc\/firewalld\/zones \u88ab\u7528\u4e8e\u7528\u6237\u521b\u5efa\u548c\u81ea\u5b9a\u4e49\u914d\u7f6e\u6587\u4ef6\u3002<\/p>\n<\/div>\n
\n
\u5982\u4f55\u4e3a\u7f51\u7edc\u8fde\u63a5\u8bbe\u7f6e\u6216\u8005\u4fee\u6539\u533a\u57df<\/strong><\/p>\n
\u533a\u57df\u8bbe\u7f6e\u4ee5 ZONE= \u9009\u9879 \u5b58\u50a8\u5728\u7f51\u7edc\u8fde\u63a5\u7684ifcfg\u6587\u4ef6\u4e2d\u3002\u5982\u679c\u8fd9\u4e2a\u9009\u9879\u7f3a\u5931\u6216\u8005\u4e3a\u7a7a\uff0cfirewalld \u5c06\u4f7f\u7528\u914d\u7f6e\u7684\u9ed8\u8ba4\u533a\u57df\u3002<\/p>\n<\/div>\n
\u5982\u679c\u8fd9\u4e2a\u8fde\u63a5\u53d7\u5230 NetworkManager \u63a7\u5236\uff0c\u4f60\u4e5f\u53ef\u4ee5\u4f7f\u7528 nm-connection-editor \u6765\u4fee\u6539\u533a\u57df\u3002<\/div>\n
\n
\u7531NetworkManager\u63a7\u5236\u7684\u7f51\u7edc\u8fde\u63a5<\/strong><\/p>\n
\u9632\u706b\u5899\u4e0d\u80fd\u591f\u901a\u8fc7 NetworkManager \u663e\u793a\u7684\u540d\u79f0\u6765\u914d\u7f6e\u7f51\u7edc\u8fde\u63a5\uff0c\u53ea\u80fd\u914d\u7f6e\u7f51\u7edc\u63a5\u53e3\u3002\u56e0\u6b64\u5728\u7f51\u7edc\u8fde\u63a5\u4e4b\u524d NetworkManager \u5c06\u914d\u7f6e\u6587\u4ef6\u6240\u8ff0\u8fde\u63a5\u5bf9\u5e94\u7684\u7f51\u7edc\u63a5\u53e3\u544a\u8bc9 firewalld \u3002\u5982\u679c\u5728\u914d\u7f6e\u6587\u4ef6\u4e2d\u6ca1\u6709\u914d\u7f6e\u533a\u57df\uff0c\u63a5\u53e3\u5c06\u914d\u7f6e\u5230 firewalld \u7684\u9ed8\u8ba4\u533a\u57df\u3002\u5982\u679c\u7f51\u7edc\u8fde\u63a5\u4f7f\u7528\u4e86\u4e0d\u6b62\u4e00\u4e2a\u63a5\u53e3\uff0c\u6240\u6709\u7684\u63a5\u53e3\u90fd\u4f1a\u5e94\u7528\u5230 fiwewalld\u3002\u63a5\u53e3\u540d\u79f0\u7684\u6539\u53d8\u4e5f\u5c06\u7531 NetworkManager \u63a7\u5236\u5e76\u5e94\u7528\u5230firewalld\u3002<\/p>\n<\/div>\n
\u4e3a\u4e86\u7b80\u5316\uff0c\u81ea\u6b64\uff0c\u7f51\u7edc\u8fde\u63a5\u5c06\u88ab\u7528\u4f5c\u4e0e\u533a\u57df\u7684\u5173\u7cfb\u3002<\/div>\n
\u5982\u679c\u4e00\u4e2a\u63a5\u53e3\u65ad\u5f00\u4e86\uff0cNetworkManager\u4e5f\u5c06\u544a\u8bc9firewalld\u4ece\u533a\u57df\u4e2d\u5220\u9664\u8be5\u63a5\u53e3\u3002<\/div>\n
\u5f53firewalld\u7531systemd\u6216\u8005init\u811a\u672c\u542f\u52a8\u6216\u8005\u91cd\u542f\u540e\uff0cfirewalld\u5c06\u901a\u77e5NetworkManager\u628a\u7f51\u7edc\u8fde\u63a5\u589e\u52a0\u5230\u533a\u57df\u3002<\/div>\n
\n
\u7531\u811a\u672c\u63a7\u5236\u7684\u7f51\u7edc<\/strong><\/p>\n
\u5bf9\u4e8e\u7531\u7f51\u7edc\u811a\u672c\u63a7\u5236\u7684\u8fde\u63a5\u6709\u4e00\u6761\u9650\u5236\uff1a\u6ca1\u6709\u5b88\u62a4\u8fdb\u7a0b\u901a\u77e5 firewalld \u5c06\u8fde\u63a5\u589e\u52a0\u5230\u533a\u57df\u3002\u8fd9\u9879\u5de5\u4f5c\u4ec5\u5728 ifcfg-post \u811a\u672c\u8fdb\u884c\u3002\u56e0\u6b64\uff0c\u6b64\u540e\u5bf9\u7f51\u7edc\u8fde\u63a5\u7684\u91cd\u547d\u540d\u5c06\u4e0d\u80fd\u88ab\u5e94\u7528\u5230firewalld\u3002\u540c\u6837\uff0c\u5728\u8fde\u63a5\u6d3b\u52a8\u65f6\u91cd\u542f firewalld \u5c06\u5bfc\u81f4\u4e0e\u5176\u5931\u53bb\u5173\u8054\u3002\u73b0\u5728\u6709\u610f\u4fee\u590d\u6b64\u60c5\u51b5\u3002\u6700\u7b80\u5355\u7684\u662f\u5c06\u5168\u90e8\u672a\u914d\u7f6e\u8fde\u63a5\u52a0\u5165\u9ed8\u8ba4\u533a\u57df\u3002<\/p>\n<\/div>\n
\u533a\u57df\u5b9a\u4e49\u4e86\u672c\u533a\u57df\u4e2d\u9632\u706b\u5899\u7684\u7279\u6027\uff1a<\/div>\n
\n
\u4f7f\u7528firewalld<\/strong><\/p>\n
\u4f60\u53ef\u4ee5\u901a\u8fc7\u56fe\u5f62\u754c\u9762\u5de5\u5177 firewall-config \u6216\u8005\u547d\u4ee4\u884c\u5ba2\u6237\u7aef firewall-cmd \u542f\u7528\u6216\u8005\u5173\u95ed\u9632\u706b\u5899\u7279\u6027\u3002<\/p>\n<\/div>\n
\n
\u4f7f\u7528firewall-cmd<\/strong><\/p>\n
\u547d\u4ee4\u884c\u5de5\u5177 firewall-cmd \u652f\u6301\u5168\u90e8\u9632\u706b\u5899\u7279\u6027\u3002\u5bf9\u4e8e\u72b6\u6001\u548c\u67e5\u8be2\u6a21\u5f0f\uff0c\u547d\u4ee4\u53ea\u8fd4\u56de\u72b6\u6001\uff0c\u6ca1\u6709\u5176\u4ed6\u8f93\u51fa\u3002<\/p>\n<\/div>\n
\n
\u4e00\u822c\u5e94\u7528<\/strong><\/p>\n
\u83b7\u53d6 firewalld \u72b6\u6001<\/p>\n<\/div>\n
firewall-cmd --state<\/pre>\n
\u6b64\u4e3e\u8fd4\u56de firewalld \u7684\u72b6\u6001\uff0c\u6ca1\u6709\u4efb\u4f55\u8f93\u51fa\u3002\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u65b9\u5f0f\u83b7\u5f97\u72b6\u6001\u8f93\u51fa\uff1a<\/div>\n
firewall-cmd --state && echo \"Running\" || echo \"Not running\"<\/pre>\n
\u5728 Fedora 19 \u4e2d, \u72b6\u6001\u8f93\u51fa\u6bd4\u6b64\u524d\u76f4\u89c2:<\/div>\n
# rpm -qf $( which firewall-cmd )\r\nfirewalld-0.3.3-2.fc19.noarch# firewall-cmd --state\r\nnot running<\/pre>\n
\u5728\u4e0d\u6539\u53d8\u72b6\u6001\u7684\u6761\u4ef6\u4e0b\u91cd\u65b0\u52a0\u8f7d\u9632\u706b\u5899\uff1a<\/div>\n
firewall-cmd --reload<\/pre>\n
\u5982\u679c\u4f60\u4f7f\u7528\u2013complete-reload\uff0c\u72b6\u6001\u4fe1\u606f\u5c06\u4f1a\u4e22\u5931\u3002\u8fd9\u4e2a\u9009\u9879\u5e94\u5f53\u4ec5\u7528\u4e8e\u5904\u7406\u9632\u706b\u5899\u95ee\u9898\u65f6\uff0c\u4f8b\u5982\uff0c\u72b6\u6001\u4fe1\u606f\u548c\u9632\u706b\u5899\u89c4\u5219\u90fd\u6b63\u5e38\uff0c\u4f46\u662f\u4e0d\u80fd\u5efa\u7acb\u4efb\u4f55\u8fde\u63a5\u7684\u60c5\u51b5\u3002<\/div>\n
\u83b7\u53d6\u652f\u6301\u7684\u533a\u57df\u5217\u8868<\/div>\n
firewall-cmd --get-zones<\/pre>\n
\u8fd9\u6761\u547d\u4ee4\u8f93\u51fa\u7528\u7a7a\u683c\u5206\u9694\u7684\u5217\u8868\u3002<\/div>\n
\u83b7\u53d6\u6240\u6709\u652f\u6301\u7684\u670d\u52a1<\/div>\n
firewall-cmd --get-services<\/pre>\n
\u8fd9\u6761\u547d\u4ee4\u8f93\u51fa\u7528\u7a7a\u683c\u5206\u9694\u7684\u5217\u8868\u3002<\/div>\n
\u83b7\u53d6\u6240\u6709\u652f\u6301\u7684ICMP\u7c7b\u578b<\/div>\n
firewall-cmd --get-icmptypes<\/pre>\n
\u8fd9\u6761\u547d\u4ee4\u8f93\u51fa\u7528\u7a7a\u683c\u5206\u9694\u7684\u5217\u8868\u3002<\/div>\n
\u5217\u51fa\u5168\u90e8\u542f\u7528\u7684\u533a\u57df\u7684\u7279\u6027<\/div>\n
firewall-cmd --list-all-zones<\/pre>\n
\u8f93\u51fa\u683c\u5f0f\u662f\uff1a<\/div>\n
<zone>\r\n  interfaces: <interface1> ..\r\n  services: <service1> ..\r\n  ports: <port1> ..\r\n  forward-ports: <forward port1> ..\r\n  icmp-blocks: <icmp type1> ....<\/pre>\n
\u8f93\u51fa\u533a\u57df <zone> \u5168\u90e8\u542f\u7528\u7684\u7279\u6027\u3002\u5982\u679c\u751f\u7565\u533a\u57df\uff0c\u5c06\u663e\u793a\u9ed8\u8ba4\u533a\u57df\u7684\u4fe1\u606f\u3002<\/div>\n
firewall-cmd [--zone=<zone>] --list-all<\/pre>\n
\u83b7\u53d6\u9ed8\u8ba4\u533a\u57df\u7684\u7f51\u7edc\u8bbe\u7f6e<\/div>\n
firewall-cmd --get-default-zone<\/pre>\n
\u8bbe\u7f6e\u9ed8\u8ba4\u533a\u57df<\/div>\n
firewall-cmd --set-default-zone=<zone><\/pre>\n
\u6d41\u5165\u9ed8\u8ba4\u533a\u57df\u4e2d\u914d\u7f6e\u7684\u63a5\u53e3\u7684\u65b0\u8bbf\u95ee\u8bf7\u6c42\u5c06\u88ab\u7f6e\u5165\u65b0\u7684\u9ed8\u8ba4\u533a\u57df\u3002\u5f53\u524d\u6d3b\u52a8\u7684\u8fde\u63a5\u5c06\u4e0d\u53d7\u5f71\u54cd\u3002<\/div>\n
\u83b7\u53d6\u6d3b\u52a8\u7684\u533a\u57df<\/div>\n
firewall-cmd --get-active-zones<\/pre>\n
\u8fd9\u6761\u547d\u4ee4\u5c06\u7528\u4ee5\u4e0b\u683c\u5f0f\u8f93\u51fa\u6bcf\u4e2a\u533a\u57df\u6240\u542b\u63a5\u53e3\uff1a<\/div>\n
<zone1>: <interface1> <interface2> ..<zone2>: <interface3> ..<\/pre>\n
\u6839\u636e\u63a5\u53e3\u83b7\u53d6\u533a\u57df<\/div>\n
firewall-cmd --get-zone-of-interface=<interface><\/pre>\n
\u8fd9\u6761\u547d\u4ee4\u5c06\u8f93\u51fa\u63a5\u53e3\u6240\u5c5e\u7684\u533a\u57df\u540d\u79f0\u3002<\/div>\n
\u5c06\u63a5\u53e3\u589e\u52a0\u5230\u533a\u57df<\/div>\n
firewall-cmd [--zone=<zone>] --add-interface=<interface><\/pre>\n
\u5982\u679c\u63a5\u53e3\u4e0d\u5c5e\u4e8e\u533a\u57df\uff0c\u63a5\u53e3\u5c06\u88ab\u589e\u52a0\u5230\u533a\u57df\u3002\u5982\u679c\u533a\u57df\u88ab\u7701\u7565\u4e86\uff0c\u5c06\u4f7f\u7528\u9ed8\u8ba4\u533a\u57df\u3002\u63a5\u53e3\u5728\u91cd\u65b0\u52a0\u8f7d\u540e\u5c06\u91cd\u65b0\u5e94\u7528\u3002<\/div>\n
\u4fee\u6539\u63a5\u53e3\u6240\u5c5e\u533a\u57df<\/div>\n
firewall-cmd [--zone=<zone>] --change-interface=<interface><\/pre>\n
\u8fd9\u4e2a\u9009\u9879\u4e0e \u2013add-interface \u9009\u9879\u76f8\u4f3c\uff0c\u4f46\u662f\u5f53\u63a5\u53e3\u5df2\u7ecf\u5b58\u5728\u4e8e\u53e6\u4e00\u4e2a\u533a\u57df\u7684\u65f6\u5019\uff0c\u8be5\u63a5\u53e3\u5c06\u88ab\u6dfb\u52a0\u5230\u65b0\u7684\u533a\u57df\u3002<\/div>\n
\u4ece\u533a\u57df\u4e2d\u5220\u9664\u4e00\u4e2a\u63a5\u53e3<\/div>\n
firewall-cmd [--zone=<zone>] --remove-interface=<interface><\/pre>\n
\u67e5\u8be2\u533a\u57df\u4e2d\u662f\u5426\u5305\u542b\u67d0\u63a5\u53e3<\/div>\n
firewall-cmd [--zone=<zone>] --query-interface=<interface><\/pre>\n
\u8fd4\u56de\u63a5\u53e3\u662f\u5426\u5b58\u5728\u4e8e\u8be5\u533a\u57df\u3002\u6ca1\u6709\u8f93\u51fa\u3002<\/div>\n
\u5217\u4e3e\u533a\u57df\u4e2d\u542f\u7528\u7684\u670d\u52a1<\/div>\n
firewall-cmd [ --zone=<zone> ] --list-services<\/pre>\n
\u542f\u7528\u5e94\u6025\u6a21\u5f0f\u963b\u65ad\u6240\u6709\u7f51\u7edc\u8fde\u63a5\uff0c\u4ee5\u9632\u51fa\u73b0\u7d27\u6025\u72b6\u51b5<\/div>\n
firewall-cmd --panic-on<\/pre>\n
\u7981\u7528\u5e94\u6025\u6a21\u5f0f<\/div>\n
firewall-cmd --panic-off<\/pre>\n\n\n\n\n
\u00a0\u4ee3\u7801\u5982\u4e0b<\/td>\n\u590d\u5236\u4ee3\u7801<\/td>\n<\/tr>\n
\n
\u5e94\u6025\u6a21\u5f0f\u5728 0.3.0 \u7248\u672c\u4e2d\u53d1\u751f\u4e86\u53d8\u5316
\n\u5728 0.3.0 \u4e4b\u524d\u7684 FirewallD\u7248\u672c\u4e2d, panic \u9009\u9879\u662f \u2013enable-panic \u4e0e \u2013disable-panic.<\/div>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
\u67e5\u8be2\u5e94\u6025\u6a21\u5f0f<\/div>\n
firewall-cmd --query-panic<\/pre>\n
\u6b64\u547d\u4ee4\u8fd4\u56de\u5e94\u6025\u6a21\u5f0f\u7684\u72b6\u6001\uff0c\u6ca1\u6709\u8f93\u51fa\u3002\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u65b9\u5f0f\u83b7\u5f97\u72b6\u6001\u8f93\u51fa\uff1a<\/div>\n
firewall-cmd --query-panic && echo \"On\" || echo \"Off\"<\/pre>\n
\n
\u5904\u7406\u8fd0\u884c\u65f6\u533a\u57df<\/strong><\/p>\n
\u8fd0\u884c\u65f6\u6a21\u5f0f\u4e0b\u5bf9\u533a\u57df\u8fdb\u884c\u7684\u4fee\u6539\u4e0d\u662f\u6c38\u4e45\u6709\u6548\u7684\u3002\u91cd\u65b0\u52a0\u8f7d\u6216\u8005\u91cd\u542f\u540e\u4fee\u6539\u5c06\u5931\u6548\u3002<\/p>\n<\/div>\n
\u542f\u7528\u533a\u57df\u4e2d\u7684\u4e00\u79cd\u670d\u52a1<\/div>\n
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]<\/pre>\n
\u6b64\u4e3e\u542f\u7528\u533a\u57df\u4e2d\u7684\u4e00\u79cd\u670d\u52a1\u3002\u5982\u679c\u672a\u6307\u5b9a\u533a\u57df\uff0c\u5c06\u4f7f\u7528\u9ed8\u8ba4\u533a\u57df\u3002\u5982\u679c\u8bbe\u5b9a\u4e86\u8d85\u65f6\u65f6\u95f4\uff0c\u670d\u52a1\u5c06\u53ea\u542f\u7528\u7279\u5b9a\u79d2\u6570\u3002\u5982\u679c\u670d\u52a1\u5df2\u7ecf\u6d3b\u8dc3\uff0c\u5c06\u4e0d\u4f1a\u6709\u4efb\u4f55\u8b66\u544a\u4fe1\u606f\u3002<\/div>\n
\u4f8b: \u4f7f\u533a\u57df\u4e2d\u7684ipp-client\u670d\u52a1\u751f\u654860\u79d2:<\/div>\n
firewall-cmd --zone=home --add-service=ipp-client --timeout=60<\/pre>\n
\u4f8b: \u542f\u7528\u9ed8\u8ba4\u533a\u57df\u4e2d\u7684http\u670d\u52a1:<\/div>\n
firewall-cmd --add-service=http<\/pre>\n
\u7981\u7528\u533a\u57df\u4e2d\u7684\u67d0\u79cd\u670d\u52a1<\/div>\n
firewall-cmd [--zone=<zone>] --remove-service=<service><\/pre>\n
\u6b64\u4e3e\u7981\u7528\u533a\u57df\u4e2d\u7684\u67d0\u79cd\u670d\u52a1\u3002\u5982\u679c\u672a\u6307\u5b9a\u533a\u57df\uff0c\u5c06\u4f7f\u7528\u9ed8\u8ba4\u533a\u57df\u3002<\/div>\n
\u4f8b: \u7981\u6b62home\u533a\u57df\u4e2d\u7684http\u670d\u52a1:<\/div>\n
firewall-cmd --zone=home --remove-service=http<\/pre>\n
\u533a\u57df\u79cd\u7684\u670d\u52a1\u5c06\u88ab\u7981\u7528\u3002\u5982\u679c\u670d\u52a1\u6ca1\u6709\u542f\u7528\uff0c\u5c06\u4e0d\u4f1a\u6709\u4efb\u4f55\u8b66\u544a\u4fe1\u606f\u3002<\/div>\n
\u67e5\u8be2\u533a\u57df\u4e2d\u662f\u5426\u542f\u7528\u4e86\u7279\u5b9a\u670d\u52a1<\/div>\n
firewall-cmd [--zone=<zone>] --query-service=<service><\/pre>\n
\u5982\u679c\u670d\u52a1\u542f\u7528\uff0c\u5c06\u8fd4\u56de1,\u5426\u5219\u8fd4\u56de0\u3002\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u542f\u7528\u533a\u57df\u7aef\u53e3\u548c\u534f\u8bae\u7ec4\u5408<\/div>\n
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]\/<protocol> [--timeout=<seconds>]<\/pre>\n
\u6b64\u4e3e\u5c06\u542f\u7528\u7aef\u53e3\u548c\u534f\u8bae\u7684\u7ec4\u5408\u3002\u7aef\u53e3\u53ef\u4ee5\u662f\u4e00\u4e2a\u5355\u72ec\u7684\u7aef\u53e3 <port> \u6216\u8005\u662f\u4e00\u4e2a\u7aef\u53e3\u8303\u56f4 <port>-<port> \u3002\u534f\u8bae\u53ef\u4ee5\u662f tcp \u6216 udp\u3002<\/div>\n
\u7981\u7528\u7aef\u53e3\u548c\u534f\u8bae\u7ec4\u5408<\/div>\n
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]\/<protocol><\/pre>\n
\u67e5\u8be2\u533a\u57df\u4e2d\u662f\u5426\u542f\u7528\u4e86\u7aef\u53e3\u548c\u534f\u8bae\u7ec4\u5408<\/div>\n
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]\/<protocol><\/pre>\n
\u5982\u679c\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u542f\u7528\u533a\u57df\u4e2d\u7684IP\u4f2a\u88c5\u529f\u80fd<\/div>\n
firewall-cmd [--zone=<zone>] --add-masquerade<\/pre>\n
\u6b64\u4e3e\u542f\u7528\u533a\u57df\u7684\u4f2a\u88c5\u529f\u80fd\u3002\u79c1\u6709\u7f51\u7edc\u7684\u5730\u5740\u5c06\u88ab\u9690\u85cf\u5e76\u6620\u5c04\u5230\u4e00\u4e2a\u516c\u6709IP\u3002\u8fd9\u662f\u5730\u5740\u8f6c\u6362\u7684\u4e00\u79cd\u5f62\u5f0f\uff0c\u5e38\u7528\u4e8e\u8def\u7531\u3002\u7531\u4e8e\u5185\u6838\u7684\u9650\u5236\uff0c\u4f2a\u88c5\u529f\u80fd\u4ec5\u53ef\u7528\u4e8eIPv4\u3002<\/div>\n
\u7981\u7528\u533a\u57df\u4e2d\u7684IP\u4f2a\u88c5<\/div>\n
firewall-cmd [--zone=<zone>] --remove-masquerade<\/pre>\n
\u67e5\u8be2\u533a\u57df\u7684\u4f2a\u88c5\u72b6\u6001<\/div>\n
firewall-cmd [--zone=<zone>] --query-masquerade<\/pre>\n
\u5982\u679c\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u542f\u7528\u533a\u57df\u7684ICMP\u963b\u585e\u529f\u80fd<\/div>\n
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype><\/pre>\n
\u6b64\u4e3e\u5c06\u542f\u7528\u9009\u4e2d\u7684Internet\u63a7\u5236\u62a5\u6587\u534f\u8bae\uff08ICMP\uff09\u62a5\u6587\u8fdb\u884c\u963b\u585e\u3002ICMP\u62a5\u6587\u53ef\u4ee5\u662f\u8bf7\u6c42\u4fe1\u606f\u6216\u8005\u521b\u5efa\u7684\u5e94\u7b54\u62a5\u6587\uff0c\u4ee5\u53ca\u9519\u8bef\u5e94\u7b54\u3002<\/div>\n
\u7981\u6b62\u533a\u57df\u7684ICMP\u963b\u585e\u529f\u80fd<\/div>\n
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype><\/pre>\n
\u67e5\u8be2\u533a\u57df\u7684ICMP\u963b\u585e\u529f\u80fd<\/div>\n
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype><\/pre>\n
\u5982\u679c\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u4f8b: \u963b\u585e\u533a\u57df\u7684\u54cd\u5e94\u5e94\u7b54\u62a5\u6587:<\/div>\n
firewall-cmd --zone=public --add-icmp-block=echo-reply<\/pre>\n
\u5728\u533a\u57df\u4e2d\u542f\u7528\u7aef\u53e3\u8f6c\u53d1\u6216\u6620\u5c04<\/div>\n
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }<\/pre>\n
\u7aef\u53e3\u53ef\u4ee5\u6620\u5c04\u5230\u53e6\u4e00\u53f0\u4e3b\u673a\u7684\u540c\u4e00\u7aef\u53e3\uff0c\u4e5f\u53ef\u4ee5\u662f\u540c\u4e00\u4e3b\u673a\u6216\u53e6\u4e00\u4e3b\u673a\u7684\u4e0d\u540c\u7aef\u53e3\u3002\u7aef\u53e3\u53f7\u53ef\u4ee5\u662f\u4e00\u4e2a\u5355\u72ec\u7684\u7aef\u53e3 <port> \u6216\u8005\u662f\u7aef\u53e3\u8303\u56f4 <port>-<port> \u3002\u534f\u8bae\u53ef\u4ee5\u4e3a tcp \u6216udp \u3002\u76ee\u6807\u7aef\u53e3\u53ef\u4ee5\u662f\u7aef\u53e3\u53f7 <port> \u6216\u8005\u662f\u7aef\u53e3\u8303\u56f4 <port>-<port> \u3002\u76ee\u6807\u5730\u5740\u53ef\u4ee5\u662f IPv4 \u5730\u5740\u3002\u53d7\u5185\u6838\u9650\u5236\uff0c\u7aef\u53e3\u8f6c\u53d1\u529f\u80fd\u4ec5\u53ef\u7528\u4e8eIPv4\u3002<\/div>\n
\u7981\u6b62\u533a\u57df\u7684\u7aef\u53e3\u8f6c\u53d1\u6216\u8005\u7aef\u53e3\u6620\u5c04<\/div>\n
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }<\/pre>\n
\u67e5\u8be2\u533a\u57df\u7684\u7aef\u53e3\u8f6c\u53d1\u6216\u8005\u7aef\u53e3\u6620\u5c04<\/div>\n
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }<\/pre>\n
\u5982\u679c\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u4f8b: \u5c06\u533a\u57dfhome\u7684ssh\u8f6c\u53d1\u5230127.0.0.2<\/div>\n
firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2<\/pre>\n
\n
\u5904\u7406\u6c38\u4e45\u533a\u57df<\/strong><\/p>\n
\u6c38\u4e45\u9009\u9879\u4e0d\u76f4\u63a5\u5f71\u54cd\u8fd0\u884c\u65f6\u7684\u72b6\u6001\u3002\u8fd9\u4e9b\u9009\u9879\u4ec5\u5728\u91cd\u8f7d\u6216\u8005\u91cd\u542f\u670d\u52a1\u65f6\u53ef\u7528\u3002\u4e3a\u4e86\u4f7f\u7528\u8fd0\u884c\u65f6\u548c\u6c38\u4e45\u8bbe\u7f6e\uff0c\u9700\u8981\u5206\u522b\u8bbe\u7f6e\u4e24\u8005\u3002 \u9009\u9879 \u2013permanent \u9700\u8981\u662f\u6c38\u4e45\u8bbe\u7f6e\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u3002<\/p>\n<\/div>\n
\u83b7\u53d6\u6c38\u4e45\u9009\u9879\u6240\u652f\u6301\u7684\u670d\u52a1<\/div>\n
firewall-cmd --permanent --get-services<\/pre>\n
\u83b7\u53d6\u6c38\u4e45\u9009\u9879\u6240\u652f\u6301\u7684ICMP\u7c7b\u578b\u5217\u8868<\/div>\n
firewall-cmd --permanent --get-icmptypes<\/pre>\n
\u83b7\u53d6\u652f\u6301\u7684\u6c38\u4e45\u533a\u57df<\/div>\n
firewall-cmd --permanent --get-zones<\/pre>\n
\u542f\u7528\u533a\u57df\u4e2d\u7684\u670d\u52a1<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --add-service=<service><\/pre>\n
\u6b64\u4e3e\u5c06\u6c38\u4e45\u542f\u7528\u533a\u57df\u4e2d\u7684\u670d\u52a1\u3002\u5982\u679c\u672a\u6307\u5b9a\u533a\u57df\uff0c\u5c06\u4f7f\u7528\u9ed8\u8ba4\u533a\u57df\u3002<\/div>\n
\u7981\u7528\u533a\u57df\u4e2d\u7684\u4e00\u79cd\u670d\u52a1<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --remove-service=<service><\/pre>\n
\u67e5\u8be2\u533a\u57df\u4e2d\u7684\u670d\u52a1\u662f\u5426\u542f\u7528<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --query-service=<service><\/pre>\n
\u5982\u679c\u670d\u52a1\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6b64\u547d\u4ee4\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u4f8b: \u6c38\u4e45\u542f\u7528 home \u533a\u57df\u4e2d\u7684 ipp-client \u670d\u52a1<\/div>\n
firewall-cmd --permanent --zone=home --add-service=ipp-client<\/pre>\n
\u6c38\u4e45\u542f\u7528\u533a\u57df\u4e2d\u7684\u4e00\u4e2a\u7aef\u53e3-\u534f\u8bae\u7ec4\u5408<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]\/<protocol><\/pre>\n
\u6c38\u4e45\u7981\u7528\u533a\u57df\u4e2d\u7684\u4e00\u4e2a\u7aef\u53e3-\u534f\u8bae\u7ec4\u5408<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]\/<protocol><\/pre>\n
\u67e5\u8be2\u533a\u57df\u4e2d\u7684\u7aef\u53e3-\u534f\u8bae\u7ec4\u5408\u662f\u5426\u6c38\u4e45\u542f\u7528<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]\/<protocol><\/pre>\n
\u5982\u679c\u670d\u52a1\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6b64\u547d\u4ee4\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u4f8b: \u6c38\u4e45\u542f\u7528 home \u533a\u57df\u4e2d\u7684 https\u00a0(tcp 443) \u7aef\u53e3<\/div>\n
firewall-cmd --permanent --zone=home --add-port=443\/tcp<\/pre>\n
\u6c38\u4e45\u542f\u7528\u533a\u57df\u4e2d\u7684\u4f2a\u88c5<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --add-masquerade<\/pre>\n
\u6b64\u4e3e\u542f\u7528\u533a\u57df\u7684\u4f2a\u88c5\u529f\u80fd\u3002\u79c1\u6709\u7f51\u7edc\u7684\u5730\u5740\u5c06\u88ab\u9690\u85cf\u5e76\u6620\u5c04\u5230\u4e00\u4e2a\u516c\u6709IP\u3002\u8fd9\u662f\u5730\u5740\u8f6c\u6362\u7684\u4e00\u79cd\u5f62\u5f0f\uff0c\u5e38\u7528\u4e8e\u8def\u7531\u3002\u7531\u4e8e\u5185\u6838\u7684\u9650\u5236\uff0c\u4f2a\u88c5\u529f\u80fd\u4ec5\u53ef\u7528\u4e8eIPv4\u3002<\/div>\n
\u6c38\u4e45\u7981\u7528\u533a\u57df\u4e2d\u7684\u4f2a\u88c5<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --remove-masquerade<\/pre>\n
\u67e5\u8be2\u533a\u57df\u4e2d\u7684\u4f2a\u88c5\u7684\u6c38\u4e45\u72b6\u6001<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --query-masquerade<\/pre>\n
\u5982\u679c\u670d\u52a1\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6b64\u547d\u4ee4\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u6c38\u4e45\u542f\u7528\u533a\u57df\u4e2d\u7684ICMP\u963b\u585e<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype><\/pre>\n
\u6b64\u4e3e\u5c06\u542f\u7528\u9009\u4e2d\u7684 Internet \u63a7\u5236\u62a5\u6587\u534f\u8bae \uff08ICMP\uff09 \u62a5\u6587\u8fdb\u884c\u963b\u585e\u3002 ICMP \u62a5\u6587\u53ef\u4ee5\u662f\u8bf7\u6c42\u4fe1\u606f\u6216\u8005\u521b\u5efa\u7684\u5e94\u7b54\u62a5\u6587\u6216\u9519\u8bef\u5e94\u7b54\u62a5\u6587\u3002<\/div>\n
\u6c38\u4e45\u7981\u7528\u533a\u57df\u4e2d\u7684ICMP\u963b\u585e<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype><\/pre>\n
\u67e5\u8be2\u533a\u57df\u4e2d\u7684ICMP\u6c38\u4e45\u72b6\u6001<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype><\/pre>\n
\u5982\u679c\u670d\u52a1\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6b64\u547d\u4ee4\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u4f8b: \u963b\u585e\u516c\u5171\u533a\u57df\u4e2d\u7684\u54cd\u5e94\u5e94\u7b54\u62a5\u6587:<\/div>\n
firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply<\/pre>\n
\u5728\u533a\u57df\u4e2d\u6c38\u4e45\u542f\u7528\u7aef\u53e3\u8f6c\u53d1\u6216\u6620\u5c04<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }<\/pre>\n
\u7aef\u53e3\u53ef\u4ee5\u6620\u5c04\u5230\u53e6\u4e00\u53f0\u4e3b\u673a\u7684\u540c\u4e00\u7aef\u53e3\uff0c\u4e5f\u53ef\u4ee5\u662f\u540c\u4e00\u4e3b\u673a\u6216\u53e6\u4e00\u4e3b\u673a\u7684\u4e0d\u540c\u7aef\u53e3\u3002\u7aef\u53e3\u53f7\u53ef\u4ee5\u662f\u4e00\u4e2a\u5355\u72ec\u7684\u7aef\u53e3 <port> \u6216\u8005\u662f\u7aef\u53e3\u8303\u56f4 <port>-<port> \u3002\u534f\u8bae\u53ef\u4ee5\u4e3a tcp \u6216udp \u3002\u76ee\u6807\u7aef\u53e3\u53ef\u4ee5\u662f\u7aef\u53e3\u53f7 <port> \u6216\u8005\u662f\u7aef\u53e3\u8303\u56f4 <port>-<port> \u3002\u76ee\u6807\u5730\u5740\u53ef\u4ee5\u662f IPv4 \u5730\u5740\u3002\u53d7\u5185\u6838\u9650\u5236\uff0c\u7aef\u53e3\u8f6c\u53d1\u529f\u80fd\u4ec5\u53ef\u7528\u4e8eIPv4\u3002<\/div>\n
\u6c38\u4e45\u7981\u6b62\u533a\u57df\u7684\u7aef\u53e3\u8f6c\u53d1\u6216\u8005\u7aef\u53e3\u6620\u5c04<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }<\/pre>\n
\u67e5\u8be2\u533a\u57df\u7684\u7aef\u53e3\u8f6c\u53d1\u6216\u8005\u7aef\u53e3\u6620\u5c04\u72b6\u6001<\/div>\n
firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }<\/pre>\n
\u5982\u679c\u670d\u52a1\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6b64\u547d\u4ee4\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u4f8b: \u5c06 home \u533a\u57df\u7684 ssh \u670d\u52a1\u8f6c\u53d1\u5230 127.0.0.2<\/div>\n
firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2<\/pre>\n
\n
\u76f4\u63a5\u9009\u9879<\/strong><\/p>\n
\u76f4\u63a5\u9009\u9879\u4e3b\u8981\u7528\u4e8e\u4f7f\u670d\u52a1\u548c\u5e94\u7528\u7a0b\u5e8f\u80fd\u591f\u589e\u52a0\u89c4\u5219\u3002 \u89c4\u5219\u4e0d\u4f1a\u88ab\u4fdd\u5b58\uff0c\u5728\u91cd\u65b0\u52a0\u8f7d\u6216\u8005\u91cd\u542f\u4e4b\u540e\u5fc5\u987b\u518d\u6b21\u63d0\u4ea4\u3002\u4f20\u9012\u7684\u53c2\u6570 <args> \u4e0e iptables, ip6tables \u4ee5\u53ca ebtables \u4e00\u81f4\u3002<\/p>\n<\/div>\n
\u9009\u9879\u2013direct\u9700\u8981\u662f\u76f4\u63a5\u9009\u9879\u7684\u7b2c\u4e00\u4e2a\u53c2\u6570\u3002<\/div>\n
\u5c06\u547d\u4ee4\u4f20\u9012\u7ed9\u9632\u706b\u5899\u3002\u53c2\u6570 <args> \u53ef\u4ee5\u662f iptables, ip6tables \u4ee5\u53ca ebtables \u547d\u4ee4\u884c\u53c2\u6570\u3002<\/div>\n
firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args><\/pre>\n
\u4e3a\u8868 <table> \u589e\u52a0\u4e00\u4e2a\u65b0\u94fe <chain> \u3002<\/div>\n
firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain><\/pre>\n
\u4ece\u8868 <table> \u4e2d\u5220\u9664\u94fe <chain> \u3002<\/div>\n
firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain><\/pre>\n
\u67e5\u8be2 <chain> \u94fe\u662f\u5426\u5b58\u5728\u4e0e\u8868 <table>. \u5982\u679c\u662f\uff0c\u8fd4\u56de0,\u5426\u5219\u8fd4\u56de1.<\/div>\n
firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain><\/pre>\n
\u5982\u679c\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6b64\u547d\u4ee4\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u83b7\u53d6\u7528\u7a7a\u683c\u5206\u9694\u7684\u8868 <table> \u4e2d\u94fe\u7684\u5217\u8868\u3002<\/div>\n
firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb } <table><\/pre>\n
\u4e3a\u8868 <table> \u589e\u52a0\u4e00\u6761\u53c2\u6570\u4e3a <args> \u7684\u94fe <chain> \uff0c\u4f18\u5148\u7ea7\u8bbe\u5b9a\u4e3a <priority>\u3002<\/div>\n
firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args><\/pre>\n
\u4ece\u8868 <table> \u4e2d\u5220\u9664\u5e26\u53c2\u6570 <args> \u7684\u94fe <chain>\u3002<\/div>\n
firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args><\/pre>\n
\u67e5\u8be2\u5e26\u53c2\u6570 <args> \u7684\u94fe <chain> \u662f\u5426\u5b58\u5728\u8868 <table> \u4e2d. \u5982\u679c\u662f\uff0c\u8fd4\u56de0,\u5426\u5219\u8fd4\u56de1.<\/div>\n
firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args><\/pre>\n
\u5982\u679c\u542f\u7528\uff0c\u6b64\u547d\u4ee4\u5c06\u6709\u8fd4\u56de\u503c\u3002\u6b64\u547d\u4ee4\u6ca1\u6709\u8f93\u51fa\u4fe1\u606f\u3002<\/div>\n
\u83b7\u53d6\u8868 <table> \u4e2d\u6240\u6709\u589e\u52a0\u5230\u94fe <chain> \u7684\u89c4\u5219\uff0c\u5e76\u7528\u6362\u884c\u5206\u9694\u3002<\/div>\n
firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain><\/pre>\n
\n
\u5f53\u524d\u7684firewalld\u7279\u6027\u00a0<\/strong><\/p>\n
D-BUS\u63a5\u53e3<\/strong><\/p>\n
D-BUS \u63a5\u53e3\u63d0\u4f9b\u9632\u706b\u5899\u72b6\u6001\u7684\u4fe1\u606f\uff0c\u4f7f\u9632\u706b\u5899\u7684\u542f\u7528\u3001\u505c\u7528\u6216\u67e5\u8be2\u8bbe\u7f6e\u6210\u4e3a\u53ef\u80fd\u3002<\/p>\n<\/div>\n
\n
\u533a\u57df<\/strong><\/p>\n
\u7f51\u7edc\u6216\u8005\u9632\u706b\u5899\u533a\u57df\u5b9a\u4e49\u4e86\u8fde\u63a5\u7684\u53ef\u4fe1\u7a0b\u5ea6\u3002firewalld \u63d0\u4f9b\u4e86\u51e0\u79cd\u9884\u5b9a\u4e49\u7684\u533a\u57df\u3002\u533a\u57df\u914d\u7f6e\u9009\u9879\u548c\u901a\u7528\u914d\u7f6e\u4fe1\u606f\u53ef\u4ee5\u5728firewall.zone(5)\u7684\u624b\u518c\u91cc\u67e5\u5230\u3002<\/p>\n<\/div>\n
\n
\u670d\u52a1<\/strong><\/p>\n
\u670d\u52a1\u53ef\u4ee5\u662f\u4e00\u7cfb\u5217\u672c\u8bfb\u7aef\u53e3\u3001\u76ee\u7684\u4ee5\u53ca\u9644\u52a0\u4fe1\u606f\uff0c\u4e5f\u53ef\u4ee5\u662f\u670d\u52a1\u542f\u52a8\u65f6\u81ea\u52a8\u589e\u52a0\u7684\u9632\u706b\u5899\u52a9\u624b\u6a21\u5757\u3002\u9884\u5b9a\u4e49\u670d\u52a1\u7684\u4f7f\u7528\u4f7f\u542f\u7528\u548c\u7981\u7528\u5bf9\u670d\u52a1\u7684\u8bbf\u95ee\u53d8\u5f97\u66f4\u52a0\u7b80\u5355\u3002\u670d\u52a1\u914d\u7f6e\u9009\u9879\u548c\u901a\u7528\u6587\u4ef6\u4fe1\u606f\u5728 firewalld.service(5) \u624b\u518c\u91cc\u6709\u63cf\u8ff0\u3002<\/p>\n<\/div>\n
\n
ICMP\u7c7b\u578b<\/strong><\/p>\n
Internet\u63a7\u5236\u62a5\u6587\u534f\u8bae (ICMP) \u88ab\u7528\u4ee5\u4ea4\u6362\u62a5\u6587\u548c\u4e92\u8054\u7f51\u534f\u8bae (IP) \u7684\u9519\u8bef\u62a5\u6587\u3002\u5728 firewalld \u4e2d\u53ef\u4ee5\u4f7f\u7528 ICMP \u7c7b\u578b\u6765\u9650\u5236\u62a5\u6587\u4ea4\u6362\u3002 ICMP \u7c7b\u578b\u914d\u7f6e\u9009\u9879\u548c\u901a\u7528\u6587\u4ef6\u4fe1\u606f\u53ef\u4ee5\u53c2\u9605 firewalld.icmptype(5) \u624b\u518c\u3002<\/p>\n<\/div>\n
\n
\u76f4\u63a5\u63a5\u53e3<\/strong><\/p>\n
\u76f4\u63a5\u63a5\u53e3\u4e3b\u8981\u7528\u4e8e\u670d\u52a1\u6216\u8005\u5e94\u7528\u7a0b\u5e8f\u589e\u52a0\u7279\u5b9a\u7684\u9632\u706b\u5899\u89c4\u5219\u3002\u8fd9\u4e9b\u89c4\u5219\u5e76\u975e\u6c38\u4e45\u6709\u6548\uff0c\u5e76\u4e14\u5728\u6536\u5230 firewalld \u901a\u8fc7 D-Bus \u4f20\u9012\u7684\u542f\u52a8\u3001\u91cd\u542f\u3001\u91cd\u8f7d\u4fe1\u53f7\u540e\u9700\u8981\u91cd\u65b0\u5e94\u7528\u3002<\/p>\n<\/div>\n
\n
\u8fd0\u884c\u65f6\u914d\u7f6e<\/strong><\/p>\n
\u8fd0\u884c\u65f6\u914d\u7f6e\u5e76\u975e\u6c38\u4e45\u6709\u6548\uff0c\u5728\u91cd\u65b0\u52a0\u8f7d\u65f6\u53ef\u4ee5\u88ab\u6062\u590d\uff0c\u800c\u7cfb\u7edf\u6216\u8005\u670d\u52a1\u91cd\u542f\u3001\u505c\u6b62\u65f6\uff0c\u8fd9\u4e9b\u9009\u9879\u5c06\u4f1a\u4e22\u5931\u3002<\/p>\n<\/div>\n
\n
\u6c38\u4e45\u914d\u7f6e<\/strong><\/p>\n
\u6c38\u4e45\u914d\u7f6e\u5b58\u50a8\u5728\u914d\u7f6e\u6587\u4ef6\u79cd\uff0c\u6bcf\u6b21\u673a\u5668\u91cd\u542f\u6216\u8005\u670d\u52a1\u91cd\u542f\u3001\u91cd\u65b0\u52a0\u8f7d\u65f6\u5c06\u81ea\u52a8\u6062\u590d\u3002<\/p>\n<\/div>\n
\n
\u6258\u76d8\u5c0f\u7a0b\u5e8f<\/strong><\/p>\n
\u6258\u76d8\u5c0f\u7a0b\u5e8f firewall-applet \u4e3a\u7528\u6237\u663e\u793a\u9632\u706b\u5899\u72b6\u6001\u548c\u5b58\u5728\u7684\u95ee\u9898\u3002\u5b83\u4e5f\u53ef\u4ee5\u7528\u6765\u914d\u7f6e\u7528\u6237\u5141\u8bb8\u4fee\u6539\u7684\u8bbe\u7f6e\u3002<\/p>\n<\/div>\n
\n
\u56fe\u5f62\u5316\u914d\u7f6e\u5de5\u5177<\/strong><\/p>\n
firewall daemon \u4e3b\u8981\u7684\u914d\u7f6e\u5de5\u5177\u662f firewall-config \u3002\u5b83\u652f\u6301\u9632\u706b\u5899\u7684\u6240\u6709\u7279\u6027\uff08\u9664\u4e86\u7531\u670d\u52a1\/\u5e94\u7528\u7a0b\u5e8f\u589e\u52a0\u89c4\u5219\u4f7f\u7528\u7684\u76f4\u63a5\u63a5\u53e3\uff09\u3002 \u7ba1\u7406\u5458\u4e5f\u53ef\u4ee5\u7528\u5b83\u6765\u6539\u53d8\u7cfb\u7edf\u6216\u7528\u6237\u7b56\u7565\u3002<\/p>\n<\/div>\n
\n
\u547d\u4ee4\u884c\u5ba2\u6237\u7aef<\/strong><\/p>\n
firewall-cmd\u662f\u547d\u4ee4\u884c\u4e0b\u63d0\u4f9b\u5927\u90e8\u5206\u56fe\u5f62\u5de5\u5177\u914d\u7f6e\u7279\u6027\u7684\u5de5\u5177\u3002<\/p>\n<\/div>\n
\n
\u5bf9\u4e8eebtables\u7684\u652f\u6301<\/strong><\/p>\n
\u8981\u6ee1\u8db3libvirt daemon\u7684\u5168\u90e8\u9700\u6c42\uff0c\u5728\u5185\u6838 netfilter \u7ea7\u4e0a\u9632\u6b62 ip*tables \u548c ebtables \u95f4\u8bbf\u95ee\u95ee\u9898\uff0cebtables \u652f\u6301\u662f\u9700\u8981\u7684\u3002\u7531\u4e8e\u8fd9\u4e9b\u547d\u4ee4\u662f\u8bbf\u95ee\u76f8\u540c\u7ed3\u6784\u7684\uff0c\u56e0\u800c\u4e0d\u80fd\u540c\u65f6\u4f7f\u7528\u3002<\/p>\n<\/div>\n
\n
\/usr\/lib\/firewalld\u4e2d\u7684\u9ed8\u8ba4\/\u5907\u7528\u914d\u7f6e<\/strong><\/p>\n
\u8be5\u76ee\u5f55\u5305\u542b\u4e86\u7531 firewalld \u63d0\u4f9b\u7684\u9ed8\u8ba4\u4ee5\u53ca\u5907\u7528\u7684 ICMP \u7c7b\u578b\u3001\u670d\u52a1\u3001\u533a\u57df\u914d\u7f6e\u3002\u7531 firewalld \u8f6f\u4ef6\u5305\u63d0\u4f9b\u7684\u8fd9\u4e9b\u6587\u4ef6\u4e0d\u80fd\u88ab\u4fee\u6539\uff0c\u5373\u4f7f\u4fee\u6539\u4e5f\u4f1a\u968f\u7740 firewalld \u8f6f\u4ef6\u5305\u7684\u66f4\u65b0\u88ab\u91cd\u7f6e\u3002 \u5176\u4ed6\u7684 ICMP \u7c7b\u578b\u3001\u670d\u52a1\u3001\u533a\u57df\u914d\u7f6e\u53ef\u4ee5\u901a\u8fc7\u8f6f\u4ef6\u5305\u6216\u8005\u521b\u5efa\u6587\u4ef6\u7684\u65b9\u5f0f\u63d0\u4f9b\u3002<\/p>\n<\/div>\n
\/etc\/firewalld\u4e2d\u7684\u7cfb\u7edf\u914d\u7f6e\u8bbe\u7f6e<\/strong>
\n\u5b58\u50a8\u5728\u6b64\u7684\u7cfb\u7edf\u6216\u8005\u7528\u6237\u914d\u7f6e\u6587\u4ef6\u53ef\u4ee5\u662f\u7cfb\u7edf\u7ba1\u7406\u5458\u901a\u8fc7\u914d\u7f6e\u63a5\u53e3\u5b9a\u5236\u7684\uff0c\u4e5f\u53ef\u4ee5\u662f\u624b\u52a8\u5b9a\u5236\u7684\u3002\u8fd9\u4e9b\u6587\u4ef6\u5c06\u91cd\u8f7d\u9ed8\u8ba4\u914d\u7f6e\u6587\u4ef6\u3002<\/div>\n
\u4e3a\u4e86\u624b\u52a8\u4fee\u6539\u9884\u5b9a\u4e49\u7684 icmp \u7c7b\u578b\uff0c\u533a\u57df\u6216\u8005\u670d\u52a1\uff0c\u4ece\u9ed8\u8ba4\u914d\u7f6e\u76ee\u5f55\u5c06\u914d\u7f6e\u62f7\u8d1d\u5230\u76f8\u5e94\u7684\u7cfb\u7edf\u914d\u7f6e\u76ee\u5f55\uff0c\u7136\u540e\u6839\u636e\u9700\u6c42\u8fdb\u884c\u4fee\u6539\u3002<\/div>\n
\u5982\u679c\u4f60\u52a0\u8f7d\u4e86\u6709\u9ed8\u8ba4\u548c\u5907\u7528\u914d\u7f6e\u7684\u533a\u57df\uff0c\u5728 \/etc\/firewalld\u4e0b\u7684\u5bf9\u5e94\u6587\u4ef6\u5c06\u88ab\u91cd\u547d\u540d\u4e3a <file>.old \u7136\u540e\u542f\u7528\u5907\u7528\u914d\u7f6e\u3002<\/div>\n
\n
\u6b63\u5728\u5f00\u53d1\u7684\u7279\u6027\u00a0<\/strong><\/p>\n
\u5bcc\u8bed\u8a00<\/strong><\/p>\n
\u5bcc\u8bed\u8a00\u7279\u6027\u63d0\u4f9b\u4e86\u4e00\u79cd\u4e0d\u9700\u8981\u4e86\u89e3iptables\u8bed\u6cd5\u7684\u901a\u8fc7\u9ad8\u7ea7\u8bed\u8a00\u914d\u7f6e\u590d\u6742 IPv4 \u548c IPv6 \u9632\u706b\u5899\u89c4\u5219\u7684\u673a\u5236\u3002<\/p>\n<\/div>\n
Fedora 19 \u63d0\u4f9b\u4e86\u5e26\u6709 D-Bus \u548c\u547d\u4ee4\u884c\u652f\u6301\u7684\u5bcc\u8bed\u8a00\u7279\u6027\u7b2c2\u4e2a\u91cc\u7a0b\u7891\u7248\u672c\u3002\u7b2c3\u4e2a\u91cc\u7a0b\u7891\u7248\u672c\u4e5f\u5c06\u63d0\u4f9b\u5bf9\u4e8e\u56fe\u5f62\u754c\u9762 firewall-config \u7684\u652f\u6301\u3002<\/div>\n
\u5bf9\u4e8e\u6b64\u7279\u6027\u7684\u66f4\u591a\u4fe1\u606f\uff0c\u8bf7\u53c2\u9605\uff1a\u00a0firewalld Rich Language<\/div>\n
\n
\u9501\u5b9a<\/strong><\/p>\n
\u9501\u5b9a\u7279\u6027\u4e3a firewalld \u589e\u52a0\u4e86\u9501\u5b9a\u672c\u5730\u5e94\u7528\u6216\u8005\u670d\u52a1\u914d\u7f6e\u7684\u7b80\u5355\u914d\u7f6e\u65b9\u5f0f\u3002\u5b83\u662f\u4e00\u79cd\u8f7b\u91cf\u7ea7\u7684\u5e94\u7528\u7a0b\u5e8f\u7b56\u7565\u3002<\/p>\n<\/div>\n
Fedora 19 \u63d0\u4f9b\u4e86\u9501\u5b9a\u7279\u6027\u7684\u7b2c\u4e8c\u4e2a\u91cc\u7a0b\u7891\u7248\u672c\uff0c\u5e26\u6709 D-Bus \u548c\u547d\u4ee4\u884c\u652f\u6301\u3002\u7b2c3\u4e2a\u91cc\u7a0b\u7891\u7248\u672c\u4e5f\u5c06\u63d0\u4f9b\u56fe\u5f62\u754c\u9762 firewall-config \u4e0b\u7684\u652f\u6301\u3002<\/div>\n
\u66f4\u591a\u4fe1\u606f\u8bf7\u53c2\u9605\uff1a\u00a0firewalld Lockdown<\/div>\n
\n
\u6c38\u4e45\u76f4\u63a5\u89c4\u5219<\/strong><\/p>\n
\u8fd9\u9879\u7279\u6027\u5904\u4e8e\u65e9\u671f\u72b6\u6001\u3002\u5b83\u5c06\u80fd\u591f\u63d0\u4f9b\u4fdd\u5b58\u76f4\u63a5\u89c4\u5219\u548c\u76f4\u63a5\u94fe\u7684\u529f\u80fd\u3002\u901a\u8fc7\u89c4\u5219\u4e0d\u5c5e\u4e8e\u8be5\u7279\u6027\u3002\u66f4\u591a\u5173\u4e8e\u76f4\u63a5\u89c4\u5219\u7684\u4fe1\u606f\u8bf7\u53c2\u9605Direct options\u3002<\/p>\n<\/div>\n
\u4eceip*tables\u548cebtables\u670d\u52a1\u8fc1\u79fb
\n\u8fd9\u9879\u7279\u6027\u5904\u4e8e\u65e9\u671f\u72b6\u6001\u3002\u5b83\u5c06\u5c3d\u53ef\u80fd\u63d0\u4f9b\u7531iptables,ip6tables \u548c ebtables \u670d\u52a1\u914d\u7f6e\u8f6c\u6362\u4e3a\u6c38\u4e45\u76f4\u63a5\u89c4\u5219\u7684\u811a\u672c\u3002\u6b64\u7279\u6027\u5728\u7531firewalld\u63d0\u4f9b\u7684\u76f4\u63a5\u94fe\u96c6\u6210\u65b9\u9762\u53ef\u80fd\u5b58\u5728\u5c40\u9650\u6027\u3002<\/div>\n
\u6b64\u7279\u6027\u5c06\u9700\u8981\u5927\u91cf\u590d\u6742\u9632\u706b\u5899\u914d\u7f6e\u7684\u8fc1\u79fb\u6d4b\u8bd5\u3002<\/div>\n
\n
\u8ba1\u5212\u548c\u63d0\u8bae\u529f\u80fd<\/strong>
\n\u9632\u706b\u5899\u62bd\u8c61\u6a21\u578b<\/strong><\/p>\n
\u5728 ip*tables \u548c ebtables \u9632\u706b\u5899\u89c4\u5219\u4e4b\u4e0a\u6dfb\u52a0\u62bd\u8c61\u5c42\u4f7f\u6dfb\u52a0\u89c4\u5219\u66f4\u7b80\u5355\u548c\u76f4\u89c2\u3002\u8981\u62bd\u8c61\u5c42\u529f\u80fd\u5f3a\u5927\uff0c\u4f46\u540c\u65f6\u53c8\u4e0d\u80fd\u590d\u6742\uff0c\u5e76\u4e0d\u662f\u4e00\u9879\u7b80\u5355\u7684\u4efb\u52a1\u3002\u4e3a\u6b64\uff0c\u4e0d\u5f97\u4e0d\u5f00\u53d1\u4e00\u79cd\u9632\u706b\u5899\u8bed\u8a00\u3002\u4f7f\u9632\u706b\u5899\u89c4\u5219\u62e5\u6709\u56fa\u5b9a\u7684\u4f4d\u7f6e\uff0c\u53ef\u4ee5\u67e5\u8be2\u7aef\u53e3\u7684\u8bbf\u95ee\u72b6\u6001\u3001\u8bbf\u95ee\u7b56\u7565\u7b49\u666e\u901a\u4fe1\u606f\u548c\u4e00\u4e9b\u5176\u4ed6\u53ef\u80fd\u7684\u9632\u706b\u5899\u7279\u6027\u3002<\/p>\n<\/div>\n
\n
\u5bf9\u4e8econntrack\u7684\u652f\u6301<\/strong><\/p>\n
\u8981\u7ec8\u6b62\u7981\u7528\u7279\u6027\u5df2\u786e\u7acb\u7684\u8fde\u63a5\u9700\u8981 conntrack \u3002\u4e0d\u8fc7\uff0c\u4e00\u4e9b\u60c5\u51b5\u4e0b\u7ec8\u6b62\u8fde\u63a5\u53ef\u80fd\u662f\u4e0d\u597d\u7684\uff0c\u5982\uff1a\u4e3a\u5efa\u7acb\u6709\u9650\u65f6\u95f4\u5185\u7684\u8fde\u7eed\u6027\u5916\u90e8\u8fde\u63a5\u800c\u542f\u7528\u7684\u9632\u706b\u5899\u670d\u52a1\u3002<\/p>\n<\/div>\n
\n
\u7528\u6237\u4ea4\u4e92\u6a21\u578b<\/strong><\/p>\n
\u8fd9\u662f\u9632\u706b\u5899\u4e2d\u7528\u6237\u6216\u8005\u7ba1\u7406\u5458\u53ef\u4ee5\u542f\u7528\u7684\u4e00\u79cd\u7279\u6b8a\u6a21\u5f0f\u3002\u5e94\u7528\u7a0b\u5e8f\u6240\u6709\u8981\u66f4\u6539\u9632\u706b\u5899\u7684\u8bf7\u6c42\u5c06\u5b9a\u5411\u7ed9\u7528\u6237\u77e5\u6653\uff0c\u4ee5\u4fbf\u786e\u8ba4\u548c\u5426\u8ba4\u3002\u4e3a\u4e00\u4e2a\u8fde\u63a5\u7684\u6388\u6743\u8bbe\u7f6e\u4e00\u4e2a\u65f6\u95f4\u9650\u5236\u5e76\u9650\u5236\u5176\u6240\u8fde\u4e3b\u673a\u3001\u7f51\u7edc\u6216\u8fde\u63a5\u662f\u53ef\u884c\u7684\u3002\u914d\u7f6e\u53ef\u4ee5\u4fdd\u5b58\u4ee5\u4fbf\u5c06\u6765\u4e0d\u9700\u901a\u77e5\u4fbf\u53ef\u5e94\u7528\u76f8\u540c\u884c\u4e3a\u3002 \u8be5\u6a21\u5f0f\u7684\u53e6\u4e00\u4e2a\u7279\u6027\u662f\u7ba1\u7406\u548c\u5e94\u7528\u7a0b\u5e8f\u53d1\u8d77\u7684\u8bf7\u6c42\u5177\u6709\u76f8\u540c\u529f\u80fd\u7684\u9884\u9009\u670d\u52a1\u548c\u7aef\u53e3\u7684\u5916\u90e8\u94fe\u63a5\u5c1d\u8bd5\u3002\u670d\u52a1\u548c\u7aef\u53e3\u7684\u9650\u5236\u4e5f\u4f1a\u9650\u5236\u53d1\u9001\u7ed9\u7528\u6237\u7684\u8bf7\u6c42\u6570\u91cf\u3002<\/p>\n<\/div>\n
\n
\u7528\u6237\u7b56\u7565\u652f\u6301<\/strong><\/p>\n
\u7ba1\u7406\u5458\u53ef\u4ee5\u89c4\u5b9a\u54ea\u4e9b\u7528\u6237\u53ef\u4ee5\u4f7f\u7528\u7528\u6237\u4ea4\u4e92\u6a21\u5f0f\u548c\u9650\u5236\u9632\u706b\u5899\u53ef\u7528\u7279\u6027\u3002<\/p>\n<\/div>\n
\n
\u7aef\u53e3\u5143\u6570\u636e\u4fe1\u606f(\u7531 Lennart Poettering \u63d0\u8bae)<\/strong><\/p>\n
\u62e5\u6709\u4e00\u4e2a\u7aef\u53e3\u72ec\u7acb\u7684\u5143\u6570\u636e\u4fe1\u606f\u662f\u5f88\u597d\u7684\u3002\u5f53\u524d\u5bf9 \/etc\/services \u7684\u7aef\u53e3\u548c\u534f\u8bae\u9759\u6001\u5206\u914d\u6a21\u578b\u4e0d\u662f\u4e2a\u597d\u7684\u89e3\u51b3\u65b9\u6848\uff0c\u4e5f\u6ca1\u6709\u53cd\u6620\u5f53\u524d\u4f7f\u7528\u60c5\u51b5\u3002\u5e94\u7528\u7a0b\u5e8f\u6216\u670d\u52a1\u7684\u7aef\u53e3\u662f\u52a8\u6001\u7684\uff0c\u56e0\u800c\u7aef\u53e3\u672c\u8eab\u5e76\u4e0d\u80fd\u63cf\u8ff0\u4f7f\u7528\u60c5\u51b5\u3002<\/p>\n<\/div>\n
\u5143\u6570\u636e\u4fe1\u606f\u53ef\u4ee5\u7528\u6765\u4e3a\u9632\u706b\u5899\u5236\u5b9a\u7b80\u5355\u7684\u89c4\u5219\u3002\u4e0b\u9762\u662f\u4e00\u4e9b\u4f8b\u5b50\uff1a<\/div>\n
    \n
  • \u5141\u8bb8\u5916\u90e8\u8bbf\u95ee\u6587\u4ef6\u5171\u4eab\u5e94\u7528\u7a0b\u5e8f\u6216\u670d\u52a1<\/li>\n
  • \u5141\u8bb8\u5916\u90e8\u8bbf\u95ee\u97f3\u4e50\u5171\u4eab\u5e94\u7528\u7a0b\u5e8f\u6216\u670d\u52a1<\/li>\n
  • \u5141\u8bb8\u5916\u90e8\u8bbf\u95ee\u5168\u90e8\u5171\u4eab\u5e94\u7528\u7a0b\u5e8f\u6216\u670d\u52a1<\/li>\n
  • \u5141\u8bb8\u5916\u90e8\u8bbf\u95ee torrent \u6587\u4ef6\u5171\u4eab\u5e94\u7528\u7a0b\u5e8f\u6216\u670d\u52a1<\/li>\n
  • \u5141\u8bb8\u5916\u90e8\u8bbf\u95ee http \u7f51\u7edc\u670d\u52a1<\/li>\n<\/ul>\n
    \u8fd9\u91cc\u7684\u5143\u6570\u636e\u4fe1\u606f\u4e0d\u53ea\u6709\u7279\u5b9a\u5e94\u7528\u7a0b\u5e8f\uff0c\u8fd8\u53ef\u4ee5\u662f\u4e00\u7ec4\u4f7f\u7528\u60c5\u51b5\u3002\u4f8b\u5982\uff1a\u7ec4\u201c\u5168\u90e8\u5171\u4eab\u201d\u6216\u8005\u7ec4\u201c\u6587\u4ef6\u5171\u4eab\u201d\u53ef\u4ee5\u5bf9\u5e94\u4e8e\u5168\u90e8\u5171\u4eab\u6216\u6587\u4ef6\u5171\u4eab\u7a0b\u5e8f(\u5982\uff1atorrent \u6587\u4ef6\u5171\u4eab)\u3002\u8fd9\u4e9b\u53ea\u662f\u4f8b\u5b50\uff0c\u56e0\u800c\uff0c\u53ef\u80fd\u5e76\u6ca1\u6709\u5b9e\u9645\u7528\u5904\u3002<\/div>\n
    \u8fd9\u91cc\u662f\u5728\u9632\u706b\u5899\u4e2d\u83b7\u53d6\u5143\u6570\u636e\u4fe1\u606f\u7684\u4e24\u79cd\u53ef\u80fd\u9014\u5f84\uff1a
    \n\u7b2c\u4e00\u79cd\u662f\u6dfb\u52a0\u5230 netfilter (\u5185\u6838\u7a7a\u95f4)\u3002\u597d\u5904\u662f\u6bcf\u4e2a\u4eba\u90fd\u53ef\u4ee5\u4f7f\u7528\u5b83\uff0c\u4f46\u4e5f\u6709\u4e00\u5b9a\u4f7f\u7528\u9650\u5236\u3002\u8fd8\u8981\u8003\u8651\u7528\u6237\u6216\u7cfb\u7edf\u7a7a\u95f4\u7684\u5177\u4f53\u4fe1\u606f\uff0c\u6240\u6709\u8fd9\u4e9b\u90fd\u9700\u8981\u5728\u5185\u6838\u5c42\u9762\u5b9e\u73b0\u3002
    \n\u7b2c\u4e8c\u79cd\u662f\u6dfb\u52a0\u5230 firewall daemon \u4e2d\u3002\u8fd9\u4e9b\u62bd\u8c61\u7684\u89c4\u5219\u53ef\u4ee5\u548c\u5177\u4f53\u4fe1\u606f(\u5982\uff1a\u7f51\u7edc\u8fde\u63a5\u53ef\u4fe1\u7ea7\u3001\u4f5c\u4e3a\u5177\u4f53\u4e2a\u4eba\/\u4e3b\u673a\u8981\u5206\u4eab\u7684\u7528\u6237\u63cf\u8ff0\u3001\u7ba1\u7406\u5458\u7981\u6b62\u5b8c\u5168\u5171\u4eab\u7684\u5e94\u5f52\u5219\u7b49)\u4e00\u8d77\u4f7f\u7528\u3002
    \n\u7b2c\u4e8c\u79cd\u89e3\u51b3\u65b9\u6848\u7684\u597d\u5904\u662f\u4e0d\u9700\u8981\u4e3a\u6709\u65b0\u7684\u5143\u6570\u636e\u7ec4\u548c\u7eb3\u5165\u6539\u53d8(\u53ef\u4fe1\u7ea7\u3001\u7528\u6237\u504f\u597d\u6216\u7ba1\u7406\u5458\u89c4\u5219\u7b49\u7b49)\u91cd\u65b0\u7f16\u8bd1\u5185\u6838\u3002\u8fd9\u4e9b\u62bd\u8c61\u89c4\u5219\u7684\u6dfb\u52a0\u4f7f\u5f97 firewall daemon \u66f4\u52a0\u81ea\u7531\u3002\u5373\u4f7f\u662f\u65b0\u7684\u5b89\u5168\u7ea7\u4e5f\u4e0d\u9700\u8981\u66f4\u65b0\u5185\u6838\u5373\u53ef\u8f7b\u677e\u6dfb\u52a0\u3002<\/div>\n
    sysctld<\/strong>
    \n\u73b0\u5728\u4ecd\u6709 sysctl \u8bbe\u7f6e\u6ca1\u6709\u6b63\u786e\u5e94\u7528\u3002\u4e00\u4e2a\u4f8b\u5b50\u662f\uff0c\u5728 rc.sysinit \u6b63\u8fd0\u884c\u65f6\uff0c\u800c\u63d0\u4f9b\u8bbe\u7f6e\u7684\u6a21\u5757\u5728\u542f\u52a8\u65f6\u6ca1\u6709\u88c5\u8f7d\u6216\u8005\u91cd\u65b0\u88c5\u8f7d\u8be5\u6a21\u5757\u65f6\u4f1a\u53d1\u751f\u95ee\u9898\u3002<\/div>\n
    \u53e6\u4e00\u4e2a\u4f8b\u5b50\u662f net.ipv4.ip_forward \uff0c\u9632\u706b\u5899\u8bbe\u7f6e\u3001libvirt \u548c\u7528\u6237\/\u7ba1\u7406\u5458\u66f4\u6539\u90fd\u9700\u8981\u5b83\u3002\u5982\u679c\u6709\u4e24\u4e2a\u5e94\u7528\u7a0b\u5e8f\u6216\u5b88\u62a4\u8fdb\u7a0b\u53ea\u5728\u9700\u8981\u65f6\u5f00\u542f ip_forwarding \uff0c\u4e4b\u540e\u53ef\u80fd\u5176\u4e2d\u4e00\u4e2a\u5728\u4e0d\u77e5\u9053\u7684\u60c5\u51b5\u4e0b\u5173\u6389\u670d\u52a1\uff0c\u800c\u53e6\u4e00\u4e2a\u6b63\u9700\u8981\u5b83\uff0c\u6b64\u65f6\u5c31\u4e0d\u5f97\u4e0d\u91cd\u542f\u5b83\u3002<\/div>\n
    sysctl daemon \u53ef\u4ee5\u901a\u8fc7\u5bf9\u8bbe\u7f6e\u4f7f\u7528\u5185\u90e8\u8ba1\u6570\u6765\u89e3\u51b3\u4e0a\u9762\u7684\u95ee\u9898\u3002\u6b64\u65f6\uff0c\u5f53\u4e4b\u524d\u8bf7\u6c42\u8005\u4e0d\u518d\u9700\u8981\u65f6\uff0c\u5b83\u5c31\u4f1a\u518d\u6b21\u56de\u5230\u4e4b\u524d\u7684\u8bbe\u7f6e\u72b6\u6001\u6216\u8005\u662f\u76f4\u63a5\u5173\u95ed\u5b83\u3002<\/div>\n
    \n
    \u9632\u706b\u5899\u89c4\u5219<\/strong><\/p>\n
    netfilter \u9632\u706b\u5899\u603b\u662f\u5bb9\u6613\u53d7\u5230\u89c4\u5219\u987a\u5e8f\u7684\u5f71\u54cd\uff0c\u56e0\u4e3a\u4e00\u6761\u89c4\u5219\u5728\u94fe\u4e2d\u6ca1\u6709\u56fa\u5b9a\u7684\u4f4d\u7f6e\u3002\u5728\u4e00\u6761\u89c4\u5219\u4e4b\u524d\u6dfb\u52a0\u6216\u8005\u5220\u9664\u89c4\u5219\u90fd\u4f1a\u6539\u53d8\u6b64\u89c4\u5219\u7684\u4f4d\u7f6e\u3002 \u5728\u9759\u6001\u9632\u706b\u5899\u6a21\u578b\u4e2d\uff0c\u6539\u53d8\u9632\u706b\u5899\u5c31\u662f\u91cd\u5efa\u4e00\u4e2a\u5e72\u51c0\u548c\u5b8c\u5584\u7684\u9632\u706b\u5899\u8bbe\u7f6e\uff0c\u4e14\u53d7\u9650\u4e8e system-config-firewall \/ lokkit \u76f4\u63a5\u652f\u6301\u7684\u529f\u80fd\u3002\u4e5f\u6ca1\u6709\u6574\u5408\u5176\u4ed6\u5e94\u7528\u7a0b\u5e8f\u521b\u5efa\u9632\u706b\u5899\u89c4\u5219\uff0c\u4e14\u5982\u679c\u81ea\u5b9a\u4e49\u89c4\u5219\u6587\u4ef6\u529f\u80fd\u6ca1\u5728\u4f7f\u7528 s-c-fw \/ lokkit \u5c31\u4e0d\u77e5\u9053\u5b83\u4eec\u3002\u9ed8\u8ba4\u94fe\u901a\u5e38\u4e5f\u6ca1\u6709\u5b89\u5168\u7684\u65b9\u5f0f\u6dfb\u52a0\u6216\u5220\u9664\u89c4\u5219\u800c\u4e0d\u5f71\u54cd\u5176\u4ed6\u89c4\u5219\u3002<\/p>\n<\/div>\n
    \u52a8\u6001\u9632\u706b\u5899\u6709\u9644\u52a0\u7684\u9632\u706b\u5899\u529f\u80fd\u94fe\u3002\u8fd9\u4e9b\u7279\u6b8a\u7684\u94fe\u6309\u7167\u5df2\u5b9a\u4e49\u7684\u987a\u5e8f\u8fdb\u884c\u8c03\u7528\uff0c\u56e0\u800c\u5411\u94fe\u4e2d\u6dfb\u52a0\u89c4\u5219\u5c06\u4e0d\u4f1a\u5e72\u6270\u5148\u524d\u8c03\u7528\u7684\u62d2\u7edd\u548c\u4e22\u5f03\u89c4\u5219\u3002\u4ece\u800c\u5229\u4e8e\u521b\u5efa\u66f4\u4e3a\u5408\u7406\u5b8c\u5584\u7684\u9632\u706b\u5899\u914d\u7f6e\u3002<\/div>\n
    \u4e0b\u9762\u662f\u4e00\u4e9b\u7531\u5b88\u62a4\u8fdb\u7a0b\u521b\u5efa\u7684\u89c4\u5219\uff0c\u8fc7\u6ee4\u5217\u8868\u4e2d\u542f\u7528\u4e86\u5728\u516c\u5171\u533a\u57df\u5bf9 ssh , mdns \u548c ipp-client \u7684\u652f\u6301\uff1a<\/div>\n
    *filter\r\n:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]:FORWARD_ZONES - [0:0]:FORWARD_direct - [0:0]:INPUT_ZONES - [0:0]:INPUT_direct - [0:0]:IN_ZONE_public - [0:0]:IN_ZONE_public_allow - [0:0]:IN_ZONE_public_deny - [0:0]:OUTPUT_direct - [0:0]-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\r\n-A INPUT -i lo -j ACCEPT\r\n-A INPUT -j INPUT_direct\r\n-A INPUT -j INPUT_ZONES\r\n-A INPUT -p icmp -j ACCEPT\r\n-A INPUT -j REJECT --reject-with icmp-host-prohibited\r\n-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT\r\n-A FORWARD -i lo -j ACCEPT\r\n-A FORWARD -j FORWARD_direct\r\n-A FORWARD -j FORWARD_ZONES\r\n-A FORWARD -p icmp -j ACCEPT\r\n-A FORWARD -j REJECT --reject-with icmp-host-prohibited\r\n-A OUTPUT -j OUTPUT_direct\r\n-A IN_ZONE_public -j IN_ZONE_public_deny\r\n-A IN_ZONE_public -j IN_ZONE_public_allow\r\n-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\r\n-A IN_ZONE_public_allow -d 224.0.0.251\/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT\r\n-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT<\/pre>\n
    \u4f7f\u7528 deny\/allow \u6a21\u578b\u6765\u6784\u5efa\u4e00\u4e2a\u6e05\u6670\u884c\u4e3a(\u6700\u597d\u6ca1\u6709\u51b2\u7a81\u89c4\u5219)\u3002\u4f8b\u5982\uff1a ICMP\u5757\u5c06\u8fdb\u5165 IN_ZONE_public_deny \u94fe(\u5982\u679c\u4e3a\u516c\u5171\u533a\u57df\u8bbe\u7f6e\u4e86\u7684\u8bdd)\uff0c\u5e76\u5c06\u5728 IN_ZONE_public_allow \u94fe\u4e4b\u524d\u5904\u7406\u3002<\/div>\n
    \u8be5\u6a21\u578b\u4f7f\u5f97\u5728\u4e0d\u5e72\u6270\u5176\u4ed6\u5757\u7684\u60c5\u51b5\u4e0b\u5411\u4e00\u4e2a\u5177\u4f53\u5757\u6dfb\u52a0\u6216\u5220\u9664\u89c4\u5219\u800c\u53d8\u5f97\u66f4\u52a0\u5bb9\u6613\u3002<\/div>\n
    <\/div>\n
    <\/div>\n
    <\/div>\n
    \u539f\u6587\u94fe\u63a5\uff1ahttps:\/\/www.centoscn.com\/CentOS\/Intermediate\/2015\/0313\/4879.html<\/div>\n","protected":false},"excerpt":{"rendered":"
    centos 7\u4e2d\u9632\u706b\u5899\u662f\u4e00\u4e2a\u975e\u5e38\u7684\u5f3a\u5927\u7684\u529f\u80fd\u4e86\uff0c\u4f46\u5bf9\u4e8ecentos 7\u4e2d\u5728\u9632\u706b\u5899\u4e2d\u8fdb\u884c\u4e86\u5347\u7ea7\u4e86\uff0c\u4e0b\u9762\u6211\u4eec\u4e00\u8d77 … \u9605\u8bfb\u66f4\u591a<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[49,5],"tags":[495,496],"class_list":["post-1550","post","type-post","status-publish","format-standard","hentry","category-linux","category-jishu","tag-centos7-x","tag-filewall"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/posts\/1550","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/comments?post=1550"}],"version-history":[{"count":1,"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/posts\/1550\/revisions"}],"predecessor-version":[{"id":1551,"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/posts\/1550\/revisions\/1551"}],"wp:attachment":[{"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/media?parent=1550"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/categories?post=1550"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cn.hostease.com\/xueyuan\/wp-json\/wp\/v2\/tags?post=1550"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}