10.21 firewalld关于zone的操做

时间 2020-01-20

标签 10.21 firewalld 关于 zone 繁體版

原文原文链接

Linux防火墙-firewalld

firewall-cmd --set-default-zone=work //设定默认zone
firewall-cmd --get-zone-of-interface=ens33 //查指定网卡
firewall-cmd --zone=public --add-interface=lo //给指定网卡设置zone
firewall-cmd --zone=dmz --change-interface=lo //针对网卡更改zone
firewall-cmd --zone=dmz --remove-interface=lo //针对网卡删除zone
firewall-cmd --get-active-zones //查看系统全部网卡所在的zone

firewall-cmd设定默认zone

firewall-cmd --set-default-zone=work //设定默认的zone

[root@hf-01 ~]# firewall-cmd --set-default-zone=work
success
[root@hf-01 ~]# firewall-cmd --get-default-zone
work
[root@hf-01 ~]#

firewall-cmd查看指定网卡

firewall-cmd --get-zone-of-interface=ens16777736 //查指定网卡

[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=eno16777736
work
[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=lo
no zone
[root@hf-01 ~]#

如果后续添加的网卡ens36，显示no zone，就须要把eno16777736的网卡配置环境复制一份，命令为ens36，并修改配置文件，最后重启网络服务，在从新加载firewalld服务（systemctl restart firewalld），在来查看ens36的zone
- 若仍是没有zone，咱们就去增长给ens36增长一个zone
  - firewall-cmd --zone=public --add-interface=ens36 //给指定网卡设置zone

[root@hf-01 ~]# firewall-cmd --get-zone-of-interface=ens36
no zone
[root@hf-01 ~]# cd /etc/sysconfig/network-scripts/
[root@hf-01 network-scripts]# ls
ifcfg-eno16777736    ifdown-post      ifup-bnep   ifup-routes
ifcfg-eno16777736:0  ifdown-ppp       ifup-eth    ifup-sit
ifcfg-lo             ifdown-routes    ifup-ippp   ifup-Team
ifdown               ifdown-sit       ifup-ipv6   ifup-TeamPort
ifdown-bnep          ifdown-Team      ifup-isdn   ifup-tunnel
ifdown-eth           ifdown-TeamPort  ifup-plip   ifup-wireless
ifdown-ippp          ifdown-tunnel    ifup-plusb  init.ipv6-global
ifdown-ipv6          ifup             ifup-post   network-functions
ifdown-isdn          ifup-aliases     ifup-ppp    network-functions-ipv6
[root@hf-01 network-scripts]# cp /etc/sysconfig/network-scripts/ifcfg-eno16777736 /etc/sysconfig/network-scripts/ens36
[root@hf-01 network-scripts]# vi !$        //编辑配置文件
vi /etc/sysconfig/network-scripts/ens36
[root@hf-01 network-scripts]# systemctl restart network.service    //重启网络服务
[root@hf-01 network-scripts]# systemctl restart firewalld    //从新加载firewalld服务
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36    //查看ens36网卡的zone
no zone
[root@hf-01 network-scripts]# firewall-cmd --zone=work --add-interface=ens36    //给ens36网卡设置zone
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36    //查看ens36网卡的zone
work
[root@hf-01 network-scripts]#

firewall-cmd给指定网卡设置zone

firewall-cmd --zone=public --add-interface=lo //给指定网卡设置zone

[root@hf-01 network-scripts]# firewall-cmd --zone=public --add-interface=lo    给lo网卡设置zone 
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
[root@hf-01 network-scripts]#

firewall-cmd给指定网卡设置zone

firewall-cmd --zone=dmz --change-interface=lo //针对网卡更改zone

[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
public
[root@hf-01 network-scripts]# firewall-cmd --zone=dmz --change-interface=lo    //针对网卡更改zone
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=lo
dmz
[root@hf-01 network-scripts]#

firewall-cmd针对网卡删除zone

firewall-cmd --zone=block --remove-interface=ens37 //针对网卡删除zone

[root@hf-01 network-scripts]# firewall-cmd --zone=block --change-interface=ens36    给ens36网卡设置zone 
success
[root@hf-01 network-scripts]# firewall-cmd --zone=block  --remove-interface=ens36    //针对ens36网卡删除zone 
success
[root@hf-01 network-scripts]# firewall-cmd --get-zone-of-interface=ens36
no zone
[root@hf-01 network-scripts]#

在remove删除zone后，恢复默认的zone——>本身在删除后，就显示no zone，而并非恢复默认的zone！！！

firewall-cmd查看系统全部网卡所在的zone

firewall-cmd --get-active-zones //查看系统全部网卡所在的zone

[root@hf-01 network-scripts]# firewall-cmd --get-active-zones        //查看系统全部网卡所在的zone
dmz
  interfaces: lo
work
  interfaces: eno16777736
[root@hf-01 network-scripts]#