Bringing up the firewall normally takes three steps:
systemctl enable firewalld
systemctl start firewalld
firewall-cmd <...> (add ports, sources, services etc.)
On a server that already has services deployed, however, step two is the moment most of those services get blocked by the firewall, which disrupts production traffic. Instead, edit firewalld's configuration files before starting it, so the rules you need are already in place when the daemon comes up.
Adding ports
- Add ports to the public zone:
/etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <!-- open port 8080 -->
  <port protocol="tcp" port="8080"/>
  <!-- allow the 172.17.0.0/24 range to reach port 80 -->
  <rule family="ipv4">
    <source address="172.17.0.0/24"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
</zone>
Adding services
- Define the service:
/etc/firewalld/services/tenmao.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Tenmao</short>
  <description>Tenmao Service</description>
  <port protocol="tcp" port="8019"/>
  <port protocol="udp" port="5405"/>
</service>
- Add the service to the zone:
/etc/firewalld/zones/public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <!-- add the tenmao service -->
  <service name="tenmao"/>
  <!-- open port 8080 -->
  <port protocol="tcp" port="8080"/>
  <!-- allow the 172.17.0.0/24 range to reach port 80 -->
  <rule family="ipv4">
    <source address="172.17.0.0/24"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
</zone>
Starting firewalld
systemctl start firewalld
To guard against mistakes in the configuration files, try them out on another test machine first, such as a virtual machine.
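A pre-start check that complements the test-machine advice, written as an added example rather than code from the original post: it parses a staged zone file and the service definitions it references, works out which (protocol, port) pairs the zone will accept, and compares that with a list of the server's listening sockets so that anything the firewall would block shows up before `systemctl start firewalld` is run. The zone XML, the service definitions (the stock `ssh` and `dhcpv6-client` entries are approximated, only their ports matter here) and the listener list are all constructed inline for the example; on a real host you would read them from `/etc/firewalld/zones/`, `/usr/lib/firewalld/services/` and the output of `ss -ltnu`. The check also refuses a zone that references a service with no definition file, since that is the easiest way to break a hand-edited `public.xml`.

```python
"""Offline check of a staged firewalld zone against listening sockets (added example)."""
import xml.etree.ElementTree as ET

# Constructed: the zone file from the post, annotations as XML comments.
ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>Public zone, only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <!-- add the tenmao service -->
  <service name="tenmao"/>
  <!-- open port 8080 -->
  <port protocol="tcp" port="8080"/>
  <!-- allow the 172.17.0.0/24 range to reach port 80 -->
  <rule family="ipv4">
    <source address="172.17.0.0/24"/>
    <port protocol="tcp" port="80"/>
    <accept/>
  </rule>
</zone>
"""

# Constructed: service definitions keyed by name. 'tenmao' is the custom file from
# the post; the other two approximate the stock firewalld files (assumption).
SERVICE_XML = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "dhcpv6-client": '<service><short>DHCPv6 Client</short><port protocol="udp" port="546"/></service>',
    "tenmao": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Tenmao</short>
  <description>Tenmao Service</description>
  <port protocol="tcp" port="8019"/>
  <port protocol="udp" port="5405"/>
</service>""",
}

# Constructed: (protocol, port) of sockets the live server is listening on,
# the kind of list you would build from `ss -ltnu` before enabling the firewall.
LISTENERS = [("tcp", 22), ("tcp", 80), ("tcp", 3306), ("tcp", 8080), ("udp", 5405)]


def expand_ports(spec):
    """firewalld accepts a single port or a range written as 'low-high'."""
    lo, _, hi = spec.partition("-")
    hi = hi or lo
    return set(range(int(lo), int(hi) + 1))


def ports_of(elem):
    """All (protocol, port) pairs declared by <port> children of elem."""
    out = set()
    for p in elem.findall("port"):
        for number in expand_ports(p.get("port")):
            out.add((p.get("protocol"), number))
    return out


def service_ports(xml_text):
    return ports_of(ET.fromstring(xml_text))


def zone_allows(zone_xml, services):
    """Return (open_to_all, open_from): ports accepted from anywhere, and ports
    accepted only from the source ranges named in accepting rich rules."""
    root = ET.fromstring(zone_xml)
    open_all = set()
    for svc in root.findall("service"):
        name = svc.get("name")
        if name not in services:
            raise KeyError(f"zone references service {name!r} but no definition exists")
        open_all |= service_ports(services[name])
    open_all |= ports_of(root)
    open_from = {}
    for rule in root.findall("rule"):  # address family is ignored for this check
        if rule.find("accept") is None:
            continue  # drop/reject rules never open anything
        sources = [s.get("address") for s in rule.findall("source")]
        for key in ports_of(rule):
            open_from.setdefault(key, []).extend(sources)
    return open_all, open_from


def blocked_listeners(listeners, zone_xml, services):
    """Map each listening socket to 'open', 'open from <ranges>' or 'BLOCKED'."""
    open_all, open_from = zone_allows(zone_xml, services)
    report = {}
    for key in listeners:
        if key in open_all:
            report[key] = "open"
        elif key in open_from:
            report[key] = "open from " + ",".join(open_from[key])
        else:
            report[key] = "BLOCKED"
    return report


if __name__ == "__main__":
    for (proto, port), status in sorted(blocked_listeners(LISTENERS, ZONE_XML, SERVICE_XML).items()):
        print(f"{proto}/{port:<5} {status}")
```

With the constructed input the report flags tcp/3306 as BLOCKED, shows tcp/80 as reachable only from 172.17.0.0/24, and marks 22, 8080 and udp/5405 as open, which is exactly the kind of gap (a database port nobody wrote into the zone) that would otherwise appear as an outage the moment the service starts. The check deliberately reads only the XML, so it runs anywhere; on the test VM you can follow it with firewalld's own validation (`firewall-cmd --check-config`, where your version supports it) before copying the files to the production host.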