Introduction

firewalld is firewall management software available for many Linux distributions, which acts as a frontend for Linux’s in-kernel nftables or iptables packet filtering systems.

In this guide, we will show you how to set up a firewalld firewall for your CentOS 8 server, and cover the basics of managing the firewall with the firewall-cmd administrative tool.

Prerequisites

To complete this tutorial, you will need a server running CentOS 8. We will assume you are logged into this server as a non-root, sudo-enabled user. To set this up, see our Initial Server Setup for CentOS 8 guide.

Basic Concepts in firewalld

Before we begin talking about how to actually use the firewall-cmd utility to manage your firewall configuration, we should get familiar with a few concepts that the tool introduces.

Zones

The firewalld daemon manages groups of rules using entities called zones. Zones are sets of rules that dictate what traffic should be allowed depending on the level of trust you have in the network. Network interfaces are assigned to a zone to dictate the behavior that the firewall should allow.

For computers that might move between networks frequently (like laptops), this kind of flexibility provides a good method of changing your rules depending on your environment. You may have strict rules in place prohibiting most traffic when operating on a public WiFi network, while allowing more relaxed restrictions when connected to your home network. For a server, these zones are often not as important because the network environment rarely, if ever, changes.

Regardless of how dynamic your network environment may be, it is still useful to be familiar with the general idea behind each of the predefined zones for firewalld. The predefined zones within firewalld are, in order from least trusted to most trusted:

  • drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.

  • block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.

  • public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.

  • external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.

  • internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.

  • dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.

  • work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.

  • home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.

  • trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.

To use the firewall, we can create rules and alter the properties of our zones and then assign our network interfaces to whichever zones are most appropriate.

Rule Permanence

In firewalld, rules can be applied to the current runtime ruleset, or be made permanent. When a rule is added or modified, by default, only the currently running firewall is modified. After the next reboot – or reload of the firewalld service – only the permanent rules will remain.

Most firewall-cmd operations can take a --permanent flag to indicate that the changes should be applied to the permanent configuration. Additionally, the currently running firewall can be saved to the permanent configuration with the firewall-cmd --runtime-to-permanent command.

This separation of runtime vs permanent configuration means that you can safely test rules in your active firewall, then reload to start over if there are problems.

Installing and Enabling firewalld

firewalld is installed by default on some Linux distributions, including many images of CentOS 8. However, it may be necessary for you to install firewalld yourself:

  • sudo dnf install firewalld

After you install firewalld, you can enable the service and reboot your server. Keep in mind that enabling firewalld will cause the service to start up at boot. It is best practice to create your firewall rules and take the opportunity to test them before configuring this behavior in order to avoid potential issues.

  • sudo systemctl enable firewalld
  • sudo systemctl start firewalld

When the server restarts, your firewall should be brought up, your network interfaces should be put into the zones you configured (or fall back to the configured default zone), and any rules associated with the zone(s) will be applied to the associated interfaces.

We can verify that the service is running and reachable by typing:

  • sudo firewall-cmd --state
Output
running

This indicates that our firewall is up and running with the default configuration.

Getting Familiar with the Current Firewall Rules

Before we begin to make modifications, we should familiarize ourselves with the default environment and rules provided by firewalld.

Exploring the Defaults

We can see which zone is currently selected as the default by typing:

  • firewall-cmd --get-default-zone
Output
public

Since we haven’t given firewalld any commands to deviate from the default zone, and none of our interfaces are configured to bind to another zone, that zone will also be the only active zone (the zone that is controlling the traffic for our interfaces). We can verify that by typing:

  • firewall-cmd --get-active-zones
Output
public
  interfaces: eth0 eth1

Here, we can see that our example server has two network interfaces being controlled by the firewall (eth0 and eth1). They are both currently being managed according to the rules defined for the public zone.

How do we know what rules are associated with the public zone though? We can print out the default zone’s configuration by typing:

  • sudo firewall-cmd --list-all
Output
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

We can tell from the output that this zone is both the default and active, and that the eth0 and eth1 interfaces are associated with this zone (we already knew all of this from our previous inquiries). However, we can also see that this zone allows traffic for a DHCP client (for IP address assignment), SSH (for remote administration), and Cockpit (a web-based console).

Exploring Alternative Zones

Now we have a good idea about the configuration for the default and active zone. We can find out information about other zones as well.

To get a list of the available zones, type:

  • firewall-cmd --get-zones
Output
block dmz drop external home internal public trusted work

We can see the specific configuration associated with a zone by including the --zone= parameter in our --list-all command:

  • sudo firewall-cmd --zone=home --list-all
Output
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

You can output all of the zone definitions by using the --list-all-zones option. You will probably want to pipe the output into a pager for easier viewing:

  • sudo firewall-cmd --list-all-zones | less

Next we will learn about assigning zones to network interfaces.

Selecting Zones for your Interfaces

Unless you have configured your network interfaces otherwise, each interface will be put in the default zone when the firewall is started.

Changing the Zone of an Interface

You can move an interface between zones during a session by using the --zone= parameter in combination with the --change-interface= parameter. As with all commands that modify the firewall, you will need to use sudo.

For instance, we can move our eth0 interface to the home zone by typing this:

  • sudo firewall-cmd --zone=home --change-interface=eth0
Output
success

Note: Whenever you are moving an interface to a new zone, be aware that you are probably modifying which services will be operational. For instance, here we are moving to the home zone, which has SSH available. This means that our connection shouldn’t drop. Some other zones do not have SSH enabled by default, and switching to one of these zones could cause your connection to drop, preventing you from logging back into your server.

We can verify that this was successful by asking for the active zones again:

  • firewall-cmd --get-active-zones
Output
home
  interfaces: eth0
public
  interfaces: eth1
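
The following Python is an added example, not part of the original tutorial: it parses --list-all output in the format shown above and runs two checks a defender wants before the steps in this section, namely whether a target zone still admits the SSH management session before an interface is moved into it (the lockout the note above warns about), and what differs between the runtime and permanent rule sets described under Rule Permanence. The sample outputs, the 22/tcp fallback port and the keys compared for drift are assumptions of this example.

```python
from __future__ import annotations

# Constructed samples in the format `firewall-cmd --zone=ZONE --list-all` prints;
# keys the checks do not need are left out of the shorter ones.
HOME_RUNTIME = """\
home
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: cockpit dhcpv6-client mdns samba-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

DROP_RUNTIME = """\
drop
  target: DROP
  interfaces:
  services:
  ports:
"""

# public zone after `--add-service=http` and `--add-port=5000/tcp` at runtime ...
PUBLIC_RUNTIME = """\
public (active)
  target: default
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client http ssh
  ports: 5000/tcp
"""

# ... and its permanent configuration (`--list-all --permanent`), not yet updated.
PUBLIC_PERMANENT = """\
public
  target: default
  interfaces: eth0 eth1
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
"""


def parse_list_all(text: str) -> dict:
    """Parse `--list-all` output into a dict: zone name, active flag, and one
    set of whitespace-separated tokens per 'key: value' line."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split()
    cfg = {"zone": header[0], "active": "(active)" in lines[0]}
    for line in lines[1:]:
        key, _, value = line.strip().partition(":")
        cfg[key.strip()] = set(value.split())
    return cfg


def admits_management(cfg: dict, service: str = "ssh", port: str = "22/tcp") -> bool:
    """True if the zone lets the management session through, via the named
    service or an explicitly opened port (assumed defaults: ssh and 22/tcp).
    Moving an interface into a zone for which this is False risks a lockout."""
    return service in cfg.get("services", set()) or port in cfg.get("ports", set())


def runtime_permanent_drift(runtime: dict, permanent: dict) -> dict:
    """Entries present only at runtime (lost on reload or reboot) or only in the
    permanent set (will come back on reload), reported per key."""
    drift = {}
    for key in ("interfaces", "sources", "services", "ports"):
        run, perm = runtime.get(key, set()), permanent.get(key, set())
        if run != perm:
            drift[key] = {"runtime_only": sorted(run - perm),
                          "permanent_only": sorted(perm - run)}
    return drift


if __name__ == "__main__":
    for name, sample in (("home", HOME_RUNTIME), ("drop", DROP_RUNTIME)):
        ok = admits_management(parse_list_all(sample))
        print(f"{name}: {'safe' if ok else 'UNSAFE'} to --change-interface into")
    drift = runtime_permanent_drift(parse_list_all(PUBLIC_RUNTIME),
                                    parse_list_all(PUBLIC_PERMANENT))
    for key, diff in drift.items():
        print(f"public/{key}: runtime-only {diff['runtime_only']}, "
              f"permanent-only {diff['permanent_only']}")
```

On a real server, feed the functions the captured output of the runtime and --permanent --list-all commands instead of the constructed samples.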

Adjusting the Default Zone

If all of your interfaces can be handled well by a single zone, it’s probably easiest to just designate the best zone as default and then use that for your configuration.

You can change the default zone with the --set-default-zone= parameter. This will immediately change any interface using the default zone:

  • sudo firewall-cmd --set-default-zone=home
Output
success

Setting Rules for your Applications

Let’s run through the basic way of defining firewall exceptions for the services you wish to make available.

Adding a Service to your Zones

The most straightforward method is to add the services or ports you need to the zones you are using. You can get a list of the available service definitions with the --get-services option:

  • firewall-cmd --get-services
Output
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

Note: You can get more details about each of these services by looking at their associated .xml file within the /usr/lib/firewalld/services directory. For instance, the SSH service is defined like this:

/usr/lib/firewalld/services/ssh.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

You can enable a service for a zone using the --add-service= parameter. The operation will target the default zone or whatever zone is specified by the --zone= parameter. By default, this will only adjust the current firewall session. You can adjust the permanent firewall configuration by including the --permanent flag.

For instance, if we are running a web server serving conventional HTTP traffic, we can temporarily allow this traffic for interfaces in our public zone by typing:

  • sudo firewall-cmd --zone=public --add-service=http

You can leave out the --zone= flag if you wish to modify the default zone. We can verify the operation was successful by using the --list-all or --list-services operations:

  • sudo firewall-cmd --zone=public --list-services
Output
cockpit dhcpv6-client http ssh

Once you have tested that everything is working as it should, you will probably want to modify the permanent firewall rules so that your service will still be available after a reboot. We can make our previous change permanent by retyping it and adding the --permanent flag:

  • sudo firewall-cmd --zone=public --add-service=http --permanent
Output
success

Alternately, you could use the --runtime-to-permanent flag to save the currently running firewall configuration to the permanent config:

  • sudo firewall-cmd --runtime-to-permanent

Be careful with this, as all changes made to the running firewall will be committed permanently.

Whichever method you chose, you can verify that it was successful by adding the --permanent flag to the --list-services operation. You need to use sudo for any --permanent operations:

  • sudo firewall-cmd --zone=public --list-services --permanent
Output
cockpit dhcpv6-client http ssh

Your public zone will now allow HTTP web traffic on port 80. If your web server is configured to use SSL/TLS, you’ll also want to add the https service. We can add that to the current session and the permanent rule-set by typing:

  • sudo firewall-cmd --zone=public --add-service=https
  • sudo firewall-cmd --zone=public --add-service=https --permanent

What If No Appropriate Service Is Available?

The services that are included with the firewalld installation represent many of the most common applications that you may wish to allow access to. However, there will likely be scenarios where these services do not fit your requirements.

In this situation, you have two options.

Opening a Port for your Zones

The easiest way to add support for your specific application is to open up the ports that it uses in the appropriate zone(s). This is done by specifying the port or port range, and the associated protocol (TCP or UDP) for the ports.

For instance, if our application runs on port 5000 and uses TCP, we could temporarily add this to the public zone using the --add-port= parameter. Protocols can be designated as either tcp or udp:

  • sudo firewall-cmd --zone=public --add-port=5000/tcp
Output
success

We can verify that this was successful using the --list-ports operation:

  • sudo firewall-cmd --zone=public --list-ports
Output
5000/tcp

It is also possible to specify a sequential range of ports by separating the beginning and ending port in the range with a dash. For instance, if our application uses UDP ports 4990 to 4999, we could open these up on public by typing:

  • sudo firewall-cmd --zone=public --add-port=4990-4999/udp

After testing, we would likely want to add these to the permanent firewall. Use sudo firewall-cmd --runtime-to-permanent to do that, or rerun the commands with the --permanent flag:

  • sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp
  • sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp
  • sudo firewall-cmd --zone=public --permanent --list-ports
Output
success
success
5000/tcp 4990-4999/udp

Defining a Service

Opening ports for your zones is a straightforward solution, but it can be difficult to keep track of what each one is for. If you ever decommission a service on your server, you may have a hard time remembering which ports that have been opened are still required. To avoid this situation, it is possible to define a new service.

Services are collections of ports with an associated name and description. Using services is easier to administer than ports, but requires a bit of up-front work. The easiest way to start is to copy an existing script (found in /usr/lib/firewalld/services) to the /etc/firewalld/services directory where the firewall looks for non-standard definitions.

For instance, we could copy the SSH service definition to use for our example service definition like this. The filename minus the .xml suffix will dictate the name of the service within the firewall services list:

  • sudo cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/example.xml

Now, you can adjust the definition found in the file you copied. First open it in your favorite text editor. We’ll use vi here:

  • sudo vi /etc/firewalld/services/example.xml

To start, the file will contain the SSH definition that you copied:

/etc/firewalld/services/example.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

The majority of this definition is actually metadata. You will want to change the short name for the service within the <short> tags. This is a human-readable name for your service. You should also add a description so that you have more information if you ever need to audit the service. The only configuration you need to make that actually affects the functionality of the service will likely be the port definition where you identify the port number and protocol you wish to open. Multiple <port/> tags can be specified.

For our example service, imagine that we need to open up port 7777 for TCP and 8888 for UDP. We can modify the existing definition with something like this:

/etc/firewalld/services/example.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Example Service</short>
  <description>This is just an example service. It probably shouldn't be used on a real system.</description>
  <port protocol="tcp" port="7777"/>
  <port protocol="udp" port="8888"/>
</service>

Save and close the file.
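
As an added example (not code from the tutorial or from firewalld itself), the following Python validates the PORT/PROTO and START-END/PROTO specs used with --add-port= in the previous section, and builds and reads back a service definition with the same layout as example.xml, so an audit can list what each custom service in /etc/firewalld/services actually opens. The range and protocol checks (tcp or udp only, ports 1 to 65535) are this example's assumptions.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Port specs as used with --add-port= in the tutorial: PORT/PROTO or
# START-END/PROTO with tcp or udp (assumption: other protocols are rejected).
PORT_SPEC = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp)$")


def parse_port_spec(spec: str) -> tuple[int, int, str]:
    """Validate a port spec and return (start, end, protocol)."""
    match = PORT_SPEC.match(spec)
    if not match:
        raise ValueError(f"malformed port spec: {spec!r}")
    start = int(match.group(1))
    end = int(match.group(2)) if match.group(2) else start
    if not 1 <= start <= 65535 or not 1 <= end <= 65535:
        raise ValueError(f"port out of range: {spec!r}")
    if end < start:
        raise ValueError(f"range end before start: {spec!r}")
    return start, end, match.group(3)


def is_valid_port_spec(spec: str) -> bool:
    """Boolean form of parse_port_spec for quick checks."""
    try:
        parse_port_spec(spec)
    except ValueError:
        return False
    return True


def build_service_xml(short: str, description: str, ports: list[str]) -> str:
    """Render a service definition with the same layout as ssh.xml."""
    service = ET.Element("service")
    ET.SubElement(service, "short").text = short
    ET.SubElement(service, "description").text = description
    for spec in ports:
        start, end, proto = parse_port_spec(spec)  # refuse bad specs early
        port = str(start) if start == end else f"{start}-{end}"
        ET.SubElement(service, "port", protocol=proto, port=port)
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(service, space="  ")
    body = ET.tostring(service, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def load_service_xml(text: str) -> dict:
    """Parse a definition (for example one read from /etc/firewalld/services/)
    and return its short name, description and re-validated port specs."""
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    ports = []
    for elem in root.findall("port"):
        spec = f"{elem.get('port')}/{elem.get('protocol')}"
        parse_port_spec(spec)  # a bad port in a file on disk is an audit finding
        ports.append(spec)
    return {"short": root.findtext("short", ""),
            "description": root.findtext("description", ""),
            "ports": ports}


# The tutorial's example service: 7777/tcp and 8888/udp.
EXAMPLE_XML = build_service_xml(
    "Example Service",
    "This is just an example service. It probably shouldn't be used on a real system.",
    ["7777/tcp", "8888/udp"],
)

if __name__ == "__main__":
    print(EXAMPLE_XML)
    print(load_service_xml(EXAMPLE_XML))
```

Writing the returned string to /etc/firewalld/services/example.xml and running sudo firewall-cmd --reload is what makes the service visible to firewall-cmd, as the next steps describe.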

Reload your firewall to get access to your new service:

  • sudo firewall-cmd --reload

You can see that it is now among the list of available services:

  • firewall-cmd --get-services
Output
RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server example finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server

You can now use this service in your zones as you normally would.

Creating Your Own Zones

While the predefined zones will probably be more than enough for most users, it can be helpful to define your own zones that are more descriptive of their function.

For instance, you might want to create a zone for your web server, called publicweb. However, you might want to have another zone configured for the DNS service you provide on your private network. You might want a zone called “privateDNS” for that.

When adding a zone, you must add it to the permanent firewall configuration. You can then reload to bring the configuration into your running session. For instance, we could create the two zones we discussed above by typing:

  • sudo firewall-cmd --permanent --new-zone=publicweb
  • sudo firewall-cmd --permanent --new-zone=privateDNS

You can verify that these are present in your permanent configuration by typing:

  • sudo firewall-cmd --permanent --get-zones
Output
block dmz drop external home internal privateDNS public publicweb trusted work

As stated before, these won’t be available in the runtime firewall yet:

  • firewall-cmd --get-zones
Output
block dmz drop external home internal public trusted work

Reload the firewall to bring these new zones into the active runtime configuration:

  • sudo firewall-cmd --reload
  • firewall-cmd --get-zones
Output
block dmz drop external home internal privateDNS public publicweb trusted work

Now, you can begin assigning the appropriate services and ports to your zones. It’s usually a good idea to adjust the runtime firewall and then save those changes to the permanent configuration after testing. For instance, for the publicweb zone, you might want to add the SSH, HTTP, and HTTPS services:

  • sudo firewall-cmd --zone=publicweb --add-service=ssh
  • sudo firewall-cmd --zone=publicweb --add-service=http
  • sudo firewall-cmd --zone=publicweb --add-service=https
  • sudo firewall-cmd --zone=publicweb --list-all
Output
publicweb
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Likewise, we can add the DNS service to our privateDNS zone:

  • sudo firewall-cmd --zone=privateDNS --add-service=dns
  • sudo firewall-cmd --zone=privateDNS --list-all
Output
privateDNS
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dns
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

We could then change our interfaces over to these new zones to test them out:

  • sudo firewall-cmd --zone=publicweb --change-interface=eth0
  • sudo firewall-cmd --zone=privateDNS --change-interface=eth1

At this point, you have the opportunity to test your configuration. If these values work for you, you will want to add these rules to the permanent configuration. You could do that by running all the commands again with the --permanent flag appended, but in this case we’ll use the --runtime-to-permanent flag to save our entire runtime configuration permanently:

  • sudo firewall-cmd --runtime-to-permanent

After permanently applying these rules, reload the firewall to test that the changes remain:

  • sudo firewall-cmd --reload

Validate that the correct zones were assigned:

  • firewall-cmd --get-active-zones
Output
privateDNS
  interfaces: eth1
publicweb
  interfaces: eth0

And validate that the appropriate services are available for both of the zones:

  • sudo firewall-cmd --zone=publicweb --list-services
Output
http https ssh
  • sudo firewall-cmd --zone=privateDNS --list-services
Output
dns

You have successfully set up your own zones! If you want to make one of these zones the default for other interfaces, remember to configure that behavior with the --set-default-zone= parameter:

  • sudo firewall-cmd --set-default-zone=publicweb

Conclusion

You should now have a fairly thorough understanding of how to administer the firewalld service on your CentOS system for day-to-day use.

The firewalld service allows you to configure maintainable rules and rule-sets that take into consideration your network environment. It allows you to seamlessly transition between different firewall policies through the use of zones and gives administrators the ability to abstract the port management into more friendly service definitions. Acquiring a working knowledge of this system will allow you to take advantage of the flexibility and power that this tool provides.

For more information on firewalld, please see the official firewalld documentation.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-set-up-a-firewall-using-firewalld-on-centos-8
