# 查看 rich-rules：列出防火墙当前已注册的所有富规则
[root@hcss-ecs-8b3c ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="xxx.xxx.xx.xx" accept
# 带 --permanent 的修改不会立即生效，每次设定完规则后都需要 reload 防火墙
[root@hcss-ecs-8b3c ~]# firewall-cmd --reload
success
# 删除已存在的防火墙规则（规则字符串需与 --list-rich-rules 的输出完全一致）
[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="xxx.xxx.xxx.xx" accept'
success
- 启动: systemctl start firewalld
- 关闭: systemctl stop firewalld
- 查看状态: systemctl status firewalld
- 开机禁用: systemctl disable firewalld
- 开机启用: systemctl enable firewalld
# 重启防火墙
[root@hcss-ecs-8b3c ~]# service firewalld restart
Redirecting to /bin/systemctl restart firewalld.service
# 查看已开放的端口
[root@hcss-ecs-8b3c ~]# firewall-cmd --list-ports
20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 30073/tcp 39000-40000/tcp 888/tcp
# 关闭已经开放的端口
[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --remove-port=20/tcp
success
# 批量开放80到90之间的所有端口
[root@hcss-ecs-8b3c ~]# firewall-cmd --zone=public --add-port=80-90/tcp --permanent
success
# 批量关闭80到90之间的所有端口
[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --remove-port=80-90/tcp
success
# 限制单个 IP：拒绝 192.168.1.1 访问 80 端口
[root@hcss-ecs-8b3c ~]# firewall-cmd --list-ports
20/tcp 21/tcp 22/tcp 80/tcp 443/tcp 30073/tcp 39000-40000/tcp 888/tcp
[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.1' port protocol='tcp' port='80' reject"
success
# 批量限制 IP：拒绝 192.168.1.0/24 网段内所有 IP 访问 80 端口
[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' port protocol='tcp' port='80' reject"
success
# 允许单个 IP 访问 80 端口（注意：若同一来源同时存在 reject 规则，reject 通常会优先匹配）
[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.1' port protocol='tcp' port='80' accept"
success
# 批量允许 192.168.1.0/24 网段内所有 IP 访问 80 端口
[root@hcss-ecs-8b3c ~]# firewall-cmd --permanent --add-rich-rule="rule family='ipv4' source address='192.168.1.0/24' port protocol='tcp' port='80' accept"
success