Blue Breeze


Security

centos7 firewalld

푸른바람 C/H 2017.02.23 08:30

Configuration

systemctl start firewalld.service
systemctl stop firewalld.service
systemctl status firewalld.service
systemctl restart firewalld.service

# --permanent: apply permanently (persists across --reload and reboot; without it the change is runtime-only)
firewall-cmd --state
firewall-cmd --reload
firewall-cmd --get-services # list of available service definitions
firewall-cmd --zone=public --list-services # services enabled in the public zone
firewall-cmd --zone=public --permanent --add-service=http
firewall-cmd --zone=public --permanent --add-service=https
firewall-cmd --zone=public --permanent --add-service=mysql

firewall-cmd --list-ports
firewall-cmd --zone=public --permanent --add-port=3306/tcp
firewall-cmd --zone=public --permanent --add-port=4990-4999/udp

# rule remove
firewall-cmd --zone=public --permanent  --remove-port=3306/tcp
firewall-cmd --zone=public --permanent  --remove-port=4990-4999/udp
firewall-cmd --remove-port=21/tcp

# ip allow
firewall-cmd --add-source=192.168.3.100
firewall-cmd --remove-source=192.168.3.100

# ip range (CIDR) allow
firewall-cmd --add-source=192.168.0.0/24
firewall-cmd --remove-source=192.168.0.0/24

# reject (block, sender gets an ICMP/TCP reject)
firewall-cmd --add-rich-rule='rule family="ipv4" source address=192.168.5.100 reject'
firewall-cmd --remove-rich-rule='rule family="ipv4" source address=192.168.5.100 reject'

# drop (block silently)
firewall-cmd --add-rich-rule='rule family="ipv4" source address=192.168.5.100 drop'
firewall-cmd --remove-rich-rule='rule family="ipv4" source address=192.168.5.100 drop'

# allow ip:port
firewall-cmd --add-rich-rule='rule family="ipv4" source address=192.168.10.170 port port="80" protocol="tcp" accept'
firewall-cmd --remove-rich-rule='rule family="ipv4" source address=192.168.10.170 port port="80" protocol="tcp" accept'

/etc/firewalld/zones/public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="http"/>
  <service name="https"/>
  <service name="mysql"/>
</zone>

Managing by service name

sudo cp /usr/lib/firewalld/services/service.xml /etc/firewalld/services/example.xml

Configuration

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Example Service</short>
  <description>This is just an example service.  It probably shouldn't be used on a real system.</description>
  <port protocol="tcp" port="7777"/>
  <port protocol="udp" port="8888"/>
</service>
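As an added example (not part of the original post), a small POSIX sh script that generates a service definition in the format of the example.xml above from a short name, a description and "port/proto" specs, refusing malformed port or protocol entries before anything is written under /etc/firewalld/services; the function names are this example's own.

```sh
#!/bin/sh
# Added example, not from the original post: build a firewalld service
# definition (the format of /etc/firewalld/services/example.xml above) from a
# short name, a description and "port/proto" or "lo-hi/proto" specs.
# Function names (valid_port_spec, xml_escape, firewalld_service_xml) are
# this example's own, not firewalld commands.

# Escape the three characters that would break the XML if they appear in text.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Accept "PORT/tcp", "PORT/udp" or "LO-HI/tcp|udp" with ports in 1..65535.
valid_port_spec() {
  port=${1%/*}; proto=${1#*/}
  [ "$proto" = tcp ] || [ "$proto" = udp ] || return 1
  lo=${port%-*}; hi=${port#*-}
  case "$lo" in ''|*[!0-9]*) return 1 ;; esac
  case "$hi" in ''|*[!0-9]*) return 1 ;; esac
  [ "$lo" -ge 1 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

# Print the <service> XML, or print nothing and fail if any spec is invalid,
# so a typo never produces a half-written definition.
firewalld_service_xml() {
  short=$1; desc=$2; shift 2
  [ $# -ge 1 ] || { echo 'no ports given' >&2; return 1; }
  for spec in "$@"; do
    valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
  done
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>%s</short>\n' "$(xml_escape "$short")"
  printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
  for spec in "$@"; do
    printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
  done
  printf '</service>\n'
}

# Reproduce the example service from the post; the file name (without .xml)
# becomes the service name used by firewall-cmd --add-service.
firewalld_service_xml 'Example Service' 'This is just an example service.' \
  7777/tcp 8888/udp
# Install (needs root and a running firewalld):
#   firewalld_service_xml ... > /etc/firewalld/services/example.xml
#   firewall-cmd --reload
#   firewall-cmd --zone=public --permanent --add-service=example
```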

