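# firewall-cmd quick reference (firewalld)
# A list of commands meant to be copied one at a time, not a script to run end
# to end: some steps are interactive (yum install) and others only print state.

# ------------------------------ rich rules ------------------------------
# List the rich rules of the default zone (runtime configuration).
# Add --permanent to list the saved configuration instead; the two differ until
# a reload, which is the usual reason a rule that "was added" is not active.
firewall-cmd --list-rich-rules
# Rich rules of a specific zone, then the full view of that zone (services,
# ports, rich rules, ...).
firewall-cmd --zone=public --list-rich-rules
firewall-cmd --zone=public --list-all
# Reject (or accept) all traffic from a source network.
# The rule text is kept in a variable: it is quoted once as a whole so the inner
# double quotes reach firewalld unchanged (double quotes nested inside double
# quotes only worked because the shell happened to glue the fragments into one
# word), and exactly the same text is needed later to remove the rule.
# Every --permanent change below takes effect only after "firewall-cmd --reload".
rule='rule family="ipv4" source address="123.123.123.0/24" reject'
firewall-cmd --permanent --add-rich-rule="$rule"
# Same, limited to one TCP port.
rule='rule family="ipv4" source address="123.123.123.0/24" port port="8443" protocol="tcp" reject'
firewall-cmd --permanent --add-rich-rule="$rule"
# Same, limited to a named service (known names: firewall-cmd --get-services).
rule='rule family="ipv4" source address="123.123.123.0/24" service name="https" reject'
firewall-cmd --permanent --add-rich-rule="$rule"
# Removing a rich rule: same command with --remove-rich-rule and the rule text
# that was used when adding it. The port element is written in the documented
# order "port port=... protocol=...", matching the add example above.
rule='rule family="ipv4" source address="123.123.123.0/24" port port="13782" protocol="tcp" accept'
firewall-cmd --permanent --remove-rich-rule="$rule"

# ------------------------------ plain zone settings ------------------------------
# Allow the ssh, http and https services in the default zone. Brace expansion
# turns this into three --add-service= options (bash only). --permanent is
# given once; the original had it twice, which is harmless but redundant.
sudo firewall-cmd --permanent --add-service={ssh,http,https}
# Open TCP port 5000 in the public zone.
sudo firewall-cmd --zone=public --add-port=5000/tcp --permanent
# --permanent only edits the saved configuration; reload to activate it.
# A reload replaces the runtime configuration with the saved one, so anything
# added earlier without --permanent is dropped at this point.
sudo firewall-cmd --reload
# Show what is currently open (runtime view of the default zone).
sudo firewall-cmd --list-all

# ------------------------------ install and start ------------------------------
# Install firewalld on the VM.
sudo yum install firewalld
# Start the firewall now.
sudo systemctl start firewalld
# Start the firewall automatically at boot.
sudo systemctl enable firewalld
# Check that the firewall is running.
sudo systemctl status firewalld
# Connect with openssl to inspect the server certificate (-debug is optional and
# very verbose). For a name-based host add "-servername <hostname>" so the server
# presents the matching certificate; "-showcerts" prints the whole chain; the
# "Verify return code" line at the end says whether the chain validated.
openssl s_client -debug -connect 123.123.123.123:443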