所謂的 zone 就表示主機位於何種環境,需要設定哪些規則,在 firewalld 裡共有 7 個zones
> 先決定主機要設定在那個區域 zone >> 再往該 zone 設定規則 >>> 重新讀取設定檔 sudo firewall-cmd --reload
public: 公開的場所,不信任網域內所有連線,只有被允許的連線才能進入,一般只要設定這裡就可以了
For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted. external: 公開的場所,應用在IP是NAT的網路
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted. dmz: (Demilitarized Zone) 非軍事區,允許對外連線,內部網路只有允許的才可以連線進來
For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted. work: 公司、工作的環境
For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. home: 家庭環境
For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted. internal: 內部網路,應用在NAT設定時的對內網路
For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted. trusted: 接受所有的連線
All network connections are accepted. drop: 任何進入的封包全部丟棄,只有往外的連線是允許的
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible. block: 任何進入的封包全部拒絕,並以 icmp 回覆對方 ,只有往外的連線是允許的
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
<description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
<service name="dhcpv6-client"/>
<service name="ssh"/>
<service name="dns"/>
<port protocol="tcp" port="8080"/>
</zone>
複製代碼
★★★ 從 /etc/sysconfig/iptables 轉為 firewalld 的 direct ★★★
假設你原有的 /etc/sysconfig/iptables 有規則
-A INPUT -s 140.113.12.9 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp -s 140.113.0.0/16 --dport 123 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp -s 140.114.88.0/24 --dport 161 -j ACCEPT