
firewalld

sunshout 2016. 8. 17. 22:27

Starting the firewalld service

[root@mnode ~]# systemctl restart firewalld.service


firewalld ships with a set of predefined zones.


[root@mnode ~]# firewall-cmd --get-zones

block dmz drop external home internal public trusted work

  • drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
  • block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
  • public: Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis.
  • external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
  • internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
  • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
  • work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
  • trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.

Checking the default zone

[root@mnode ~]# firewall-cmd --get-default-zone

public



Checking the currently active zones

[root@mnode ~]# firewall-cmd --get-active-zones

public

  interfaces: bond0.11 bond0.3 em1 p5p1 p5p2



Moving an interface from its current zone to another zone

[root@mnode ~]# firewall-cmd --zone=external --change-interface=bond0.11

success


Checking the rules applied to the current zone

[root@mnode ~]# firewall-cmd --list-all

public (default, active)

  interfaces: bond0.11 bond0.3 em1 p5p1 p5p2

  sources:

  services: dhcpv6-client nfs ssh

  ports:

  masquerade: no

  forward-ports:

  icmp-blocks:

  rich rules:




Listing the services (rules) that can be applied

[root@mnode ~]# firewall-cmd --get-services

amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https


To keep a change permanently, add --permanent to the command.


  • Set the default zone
    firewall-cmd --set-default-zone=<zone>
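Because runtime and --permanent configurations are separate, a zone can drift: a runtime-only rule disappears on the next reload or restart, and a permanent-only rule is not enforced until firewall-cmd --reload. The script below is an added example (not from the original post) that compares the two service lists for a zone and reports the drift; the zone_services wrapper and the sample lists are assumptions, and the sample data is used whenever firewall-cmd is not installed so the script runs offline.

```shell
#!/usr/bin/env sh
# Added example: report drift between firewalld runtime and permanent
# service lists for one zone. Not part of the original post.
set -u

# Print the services in $1 (space-separated) that are absent from $2.
diff_services() {
  local out="" s
  for s in $1; do
    case " $2 " in
      *" $s "*) ;;           # present in both lists
      *) out="$out $s" ;;    # only in the first list
    esac
  done
  echo "${out# }"
}

# Compare runtime ($1) and permanent ($2) service lists.
# Prints "ok" and returns 0 when they agree, otherwise prints the
# drift and returns 1.
report_drift() {
  local lost pending
  lost=$(diff_services "$1" "$2")        # will vanish on --reload
  pending=$(diff_services "$2" "$1")     # not enforced until --reload
  if [ -z "$lost" ] && [ -z "$pending" ]; then
    echo "ok"
    return 0
  fi
  [ -n "$lost" ] && echo "runtime-only (lost on reload): $lost"
  [ -n "$pending" ] && echo "permanent-only (not yet applied, run --reload): $pending"
  return 1
}

# Hypothetical wrapper: $1 = zone, $2 = "" or "--permanent".
# Uses firewall-cmd when available (needs root and a running firewalld);
# otherwise returns constructed sample lists so the script runs offline.
zone_services() {
  local perm=${2:-}
  if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --zone="$1" $perm --list-services
  elif [ -z "$perm" ]; then
    echo "dhcpv6-client nfs ssh"    # constructed: runtime list from the post
  else
    echo "dhcpv6-client ssh http"   # constructed: permanent list
  fi
}

main() {
  zone=${1:-public}
  report_drift "$(zone_services "$zone")" "$(zone_services "$zone" --permanent)"
}
main "$@"
```

On a real host, a non-zero exit from report_drift is a useful signal for configuration-drift monitoring, since it means the firewall in effect is not the one that will come back after a reload.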

References

https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-7

https://fedoraproject.org/wiki/FirewallD#Masquerading