firewalld配置文件修改_firewalld public.xml

网上大多数文章都是直接讲命令方式，很少讲直接通过配置文件修改，所以这里记录一下。

从命令执行结果查看配置文件变化。

开放端口

永久开放2个端口

firewall-cmd --permanent --zone=public --add-port=8080/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp

firewall-cmd --reload
1
2
3
4

在 /etc/firewalld/zones 下的 public.xml里：

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="8080"/>
</zone>
1
2
3
4
5
6
7
8
9

限制来源IP

限制只能接收来自 10.10.x.x段的IP，开放8000到9000之间的端口。

firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="10.10.0.0/16" port protocol="tcp" port="8000-9000" accept" 

firewall-cmd --reload
1
2
3

再看 public.xml

# cat public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="8080"/>
  <rule family="ipv4">
    <source address="10.10.0.0/16"/>
    <port protocol="tcp" port="8000-9000"/>
    <accept/>
  </rule>
</zone>
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

所以，我们明白了直接修改配置文件的方式。

# firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: ssh dhcpv6-client
  ports: 80/tcp 22/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
	rule family="ipv4" source address="10.10.0.0/16" port port="8000-9000" protocol="tcp" accept
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

参考官方文档：https://firewalld.org/documentation/