This document by 风哥 covers the basic configuration of the firewalld firewall on RHEL LINUX 10 and hands-on port opening: the concept of a firewall, an introduction to firewalld, firewall zones, firewall planning points, security policy design principles, port-opening planning, installing and starting firewalld, basic firewall configuration, port-opening configuration, firewall configuration for web services, firewall configuration for database services, and firewall troubleshooting. It draws on the Security section of the official Red Hat Enterprise Linux 10 documentation and is intended for operations staff to use in study and testing; anyone applying it in production must verify it themselves. More video tutorials: www.fgedu.net.cn
Part01-Basic concepts and theory
1.1 The concept and role of a firewall
A firewall is a network security system that monitors and controls the traffic entering and leaving a network. Based on predefined security rules it allows or blocks traffic, protecting systems from unauthorized access and attack. A firewall can be a hardware appliance, a software program, or a combination of the two.
- Access control: controls the traffic entering and leaving the network
- Protection: blocks malicious traffic and attacks
- Network segmentation: isolates different network zones from each other
- Audit logging: records traffic and access logs
- Policy enforcement: implements the network security policy
1.2 Introduction to firewalld
firewalld is the default firewall management tool on RHEL LINUX 10. It provides a dynamically managed firewall with support for network zones, so rules can be updated without interrupting existing connections. firewalld is built on an iptables/nftables backend and offers a higher-level abstraction and an easier management interface.
- Dynamic management: rules are updated without a restart
- Zones: multiple network zones are supported
- Service definitions: rules for common services are predefined
- Rich rules: complex rule expressions are supported
- D-Bus interface: programmatic management is supported
- Graphical interface: the firewall-config GUI tool is provided
1.3 The firewall zone concept
A zone is the core concept of firewalld: it defines a set of predefined firewall rules. Each zone can be bound to one or more network interfaces, and different zones carry different trust levels and rule sets. firewalld ships several predefined zones, such as public, trusted, home, work, internal, dmz, block and drop.
- public: public zone; all incoming connections are rejected by default except SSH and DHCPv6-client
- trusted: trusted zone; all incoming connections are accepted
- home: home zone; SSH, mDNS, Samba-client and DHCPv6-client are allowed
- work: work zone; SSH and DHCPv6-client are allowed
- internal: internal zone; SSH, mDNS, Samba-client and DHCPv6-client are allowed
- dmz: demilitarized zone; only SSH is allowed
- block: block zone; all incoming connections are rejected and an ICMP reject message is returned
- drop: drop zone; all incoming packets are dropped without any reply
Part02-Production environment planning and recommendations
2.1 Firewall planning points
Firewall planning points:
- Least privilege: open only the ports and services that are needed
- Default deny: reject all incoming connections by default
- Layered defense: protection at the network, host and application layers
- Regular review: review and update firewall rules regularly
- Log auditing: enable firewall logging and audit the logs regularly
- Configuration backup: back up the firewall configuration regularly
- Test and verify: test every rule change after applying it
- Documentation: record the firewall rules and their change history
2.2 Security policy design principles
Security policy design principles:
- Least privilege: grant only the minimum permissions required
- Default deny: deny any access that is not explicitly allowed
- Separation of duties: different roles hold different permissions
- Defense in depth: multiple layers of protection, no single point of failure
- Regular review: review and update the security policy regularly
2.3 Port-opening planning
Port-opening planning:
- SSH: 22/TCP (remote administration)
- HTTP: 80/TCP (web service)
- HTTPS: 443/TCP (secure web service)
- MySQL: 3306/TCP (database)
- PostgreSQL: 5432/TCP (database)
- Redis: 6379/TCP (cache)
- NFS: 2049/TCP (file sharing)
- NTP: 123/UDP (time synchronization)
- DNS: 53/TCP and 53/UDP (name resolution)
Port-opening recommendations:
- Open only the ports that are needed
- Restrict the source IP addresses that may connect
- Use rich rules for fine-grained control
- Review the open ports regularly
- Record why and when each port was opened
Part03-Production environment implementation
3.1 Installing and starting firewalld
3.1.1 Install the firewalld service
# 1. Check whether firewalld is already installed
# rpm -qa | grep firewalld
# 2. Install the firewalld service
# dnf install -y firewalld
Updating Subscription Management repositories.
Last metadata expiration check: 0:30:00 ago on Fri 02 Apr 2026 10:00:00 AM CST.
Dependencies resolved.
================================================================================
Package Architecture Version Repository Size
================================================================================
Installing:
firewalld noarch 1.3.0-1.el10 baseos 450 k
Installing dependencies:
firewalld-filesystem
noarch 1.3.0-1.el10 baseos 12 k
python3-firewall
noarch 1.3.0-1.el10 baseos 850 k
Transaction Summary
================================================================================
Install 3 Packages
Total download size: 1.3 M
Installed size: 4.5 M
Downloading Packages:
(1/3): firewalld-filesystem-1.3.0-1.el10.noarch.rpm 12 kB/s | 12 kB 00:01
(2/3): python3-firewall-1.3.0-1.el10.noarch.rpm 850 kB/s | 850 kB 00:01
(3/3): firewalld-1.3.0-1.el10.noarch.rpm 450 kB/s | 450 kB 00:01
--------------------------------------------------------------------------------
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/3
Installing : firewalld-filesystem-1.3.0-1.el10.noarch 1/3
Installing : python3-firewall-1.3.0-1.el10.noarch 2/3
Installing : firewalld-1.3.0-1.el10.noarch 3/3
Running scriptlet: firewalld-1.3.0-1.el10.noarch 3/3
Verifying : firewalld-filesystem-1.3.0-1.el10.noarch 1/3
Verifying : python3-firewall-1.3.0-1.el10.noarch 2/3
Verifying : firewalld-1.3.0-1.el10.noarch 3/3
Installed:
firewalld-1.3.0-1.el10.noarch
firewalld-filesystem-1.3.0-1.el10.noarch
python3-firewall-1.3.0-1.el10.noarch
Complete!
# 3. Start the firewalld service
# systemctl start firewalld
# 4. Enable firewalld at boot
# systemctl enable firewalld
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
# 5. Check the firewalld service status
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2026-04-02 10:00:00 CST; 5s ago
Docs: man:firewalld(1)
Main PID: 1234 (firewalld)
Tasks: 2 (limit: 4915)
Memory: 15.2M
CGroup: /system.slice/firewalld.service
├─1234 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid
└─1235 /usr/sbin/firewalld --nofork --nopid
Apr 02 10:00:00 server1 systemd[1]: Starting firewalld - dynamic firewall daemon…
Apr 02 10:00:00 server1 systemd[1]: Started firewalld - dynamic firewall daemon.
3.1.2 Check the firewall state
# 1. Check the firewall state
# firewall-cmd --state
running
# 2. List the active zones
# firewall-cmd --get-active-zones
public
interfaces: eth0
# 3. Show the default zone
# firewall-cmd --get-default-zone
public
# 4. List all zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# 5. Show the details of one zone
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
3.2 Basic firewall configuration
3.2.1 Change the default zone
# 1. Show the current default zone
# firewall-cmd --get-default-zone
public
# 2. Change the default zone to trusted (temporary)
# firewall-cmd --set-default-zone=trusted
success
# 3. Verify the default zone has changed
# firewall-cmd --get-default-zone
trusted
# 4. Change the default zone back to public (permanent)
# firewall-cmd --permanent --set-default-zone=public
success
# 5. Reload the firewall configuration
# firewall-cmd --reload
success
# 6. Verify the default zone
# firewall-cmd --get-default-zone
public
3.2.2 Add an interface to a zone
# 1. Check the network interfaces
# ip addr show
1: lo:
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0:
link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.100/24 brd 192.168.1.255 scope global eth0
valid_lft forever preferred_lft forever
# 2. Add interface eth0 to the public zone (temporary)
# firewall-cmd --zone=public --change-interface=eth0
success
# 3. Add interface eth0 to the public zone (permanent)
# firewall-cmd --permanent --zone=public --change-interface=eth0
success
# 4. Reload the firewall configuration
# firewall-cmd --reload
success
# 5. Verify the interface is bound to the zone
# firewall-cmd --get-active-zones
public
interfaces: eth0
3.3 Port-opening configuration
3.3.1 Open a single port
# 1. Open TCP port 80 (temporary)
# firewall-cmd --zone=public --add-port=80/tcp
success
# 2. Verify the port is open
# firewall-cmd --zone=public --list-ports
80/tcp
# 3. Open TCP port 80 (permanent)
# firewall-cmd --permanent --zone=public --add-port=80/tcp
success
# 4. Reload the firewall configuration
# firewall-cmd --reload
success
# 5. Verify the port is permanently open
# firewall-cmd --zone=public --list-ports
80/tcp
# 6. Check that a service is listening on the port (ss shows the listener, not the firewall rule)
# ss -tuln | grep :80
tcp LISTEN 0 128 *:80 *:*
3.3.2 Open multiple ports
# 1. Open several TCP ports (temporary)
# firewall-cmd --zone=public --add-port={80/tcp,443/tcp,3306/tcp}
success
# 2. Verify the ports are open
# firewall-cmd --zone=public --list-ports
80/tcp 443/tcp 3306/tcp
# 3. Open several TCP ports (permanent)
# firewall-cmd --permanent --zone=public --add-port={80/tcp,443/tcp,3306/tcp}
success
# 4. Reload the firewall configuration
# firewall-cmd --reload
success
# 5. Verify the ports are permanently open
# firewall-cmd --zone=public --list-ports
80/tcp 443/tcp 3306/tcp
3.3.3 Open a port range
# 1. Open TCP ports 10000-10050 (temporary)
# firewall-cmd --zone=public --add-port=10000-10050/tcp
success
# 2. Verify the port range is open
# firewall-cmd --zone=public --list-ports
80/tcp 443/tcp 3306/tcp 10000-10050/tcp
# 3. Open port range 10000-10050 (permanent)
# firewall-cmd --permanent --zone=public --add-port=10000-10050/tcp
success
# 4. Reload the firewall configuration
# firewall-cmd --reload
success
# 5. Verify the port range is permanently open
# firewall-cmd --zone=public --list-ports
80/tcp 443/tcp 3306/tcp 10000-10050/tcp
3.3.4 Remove an open port
# 1. Remove TCP port 80 (temporary)
# firewall-cmd --zone=public --remove-port=80/tcp
success
# 2. Verify the port has been removed
# firewall-cmd --zone=public --list-ports
443/tcp 3306/tcp 10000-10050/tcp
# 3. Remove the open port (permanent)
# firewall-cmd --permanent --zone=public --remove-port=80/tcp
success
# 4. Reload the firewall configuration
# firewall-cmd --reload
success
# 5. Verify the port is permanently removed
# firewall-cmd --zone=public --list-ports
443/tcp 3306/tcp 10000-10050/tcp
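The steps above always pair a temporary change with a permanent one and a reload. When the two views drift apart, a port opened only at runtime silently closes at the next reload, while a permanent-only change is not enforced until then. The following script, added here as an example and not part of the original tutorial, compares the runtime and permanent configuration of one zone; set_diff, drift_report and check_zone_drift are names chosen for this example, and the live check assumes root and a running firewalld.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: compare one zone's
# runtime configuration with its permanent configuration and report entries
# that exist on only one side. Runtime-only entries disappear at the next
# --reload or reboot; permanent-only entries are not enforced until --reload.

# set_diff "a b c" "b c" -> prints the items of the first list missing from the second
set_diff() {
    for item in $1; do
        present=0
        for other in $2; do
            if [ "$item" = "$other" ]; then present=1; fi
        done
        if [ "$present" -eq 0 ]; then printf '%s\n' "$item"; fi
    done
    return 0
}

# drift_report RUNTIME PERMANENT LABEL
# Prints "runtime-only LABEL: x" / "permanent-only LABEL: x" lines;
# returns 1 when any drift was found, 0 when both sides match.
drift_report() {
    drift=0
    for x in $(set_diff "$1" "$2"); do
        printf 'runtime-only %s: %s\n' "$3" "$x"; drift=1
    done
    for x in $(set_diff "$2" "$1"); do
        printf 'permanent-only %s: %s\n' "$3" "$x"; drift=1
    done
    return $drift
}

# Live check for one zone (default public); needs root and a running firewalld.
# Ports and services are whitespace-separated lists, so they can be compared
# word by word; rich rules are one per line and would need a line-based diff.
check_zone_drift() {
    zone=${1:-public}; status=0
    for kind in ports services; do
        rt=$(firewall-cmd --zone="$zone" --list-"$kind")
        pm=$(firewall-cmd --permanent --zone="$zone" --list-"$kind")
        drift_report "$rt" "$pm" "$kind" || status=1
    done
    return $status
}

if command -v firewall-cmd >/dev/null 2>&1; then
    check_zone_drift "$@" && echo "runtime and permanent configuration match"
fi
```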
Part04-Production cases and hands-on walkthrough
4.1 Firewall configuration for web services
4.1.1 Open the web service ports
# 1. Open the HTTP service (port 80)
# firewall-cmd --permanent --zone=public --add-service=http
success
# 2. Open the HTTPS service (port 443)
# firewall-cmd --permanent --zone=public --add-service=https
success
# 3. Reload the firewall configuration
# firewall-cmd --reload
success
# 4. Verify the services are open
# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http https
# 5. Test the HTTP service
# curl -I http://localhost
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Thu, 02 Apr 2026 02:00:00 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Thu, 02 Apr 2026 01:00:00 GMT
Connection: keep-alive
ETag: "624c3a1e-267"
Accept-Ranges: bytes
# 6. Test the HTTPS service
# curl -I https://localhost
HTTP/2 200
server: nginx/1.24.0
date: Thu, 02 Apr 2026 02:00:00 GMT
content-type: text/html
content-length: 615
last-modified: Thu, 02 Apr 2026 01:00:00 GMT
etag: "624c3a1e-267"
accept-ranges: bytes
4.1.2 Restrict web service access by source IP
# 1. Use a rich rule to allow HTTP only from the 192.168.1.0/24 network
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="http" accept'
success
# 2. Use a rich rule to allow HTTPS only from the 192.168.1.0/24 network
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="https" accept'
success
# 3. Remove the zone-wide HTTP and HTTPS service rules (while they remain, every source is still accepted)
# firewall-cmd --permanent --zone=public --remove-service=http
success
# firewall-cmd --permanent --zone=public --remove-service=https
success
# 4. Reload the firewall configuration
# firewall-cmd --reload
success
# 5. Verify the rich rules
# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.1.0/24" service name="http" accept
rule family="ipv4" source address="192.168.1.0/24" service name="https" accept
# 6. Test access from an allowed address (a request to localhost arrives over the loopback interface, so run the test from a host in 192.168.1.0/24 to exercise the rule)
# curl -I http://localhost
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Thu, 02 Apr 2026 02:00:00 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Thu, 02 Apr 2026 01:00:00 GMT
Connection: keep-alive
ETag: "624c3a1e-267"
Accept-Ranges: bytes
4.2 Firewall configuration for database services
4.2.1 Open the MySQL service port
# 1. Open TCP port 3306 (permanent)
# firewall-cmd --permanent --zone=public --add-port=3306/tcp
success
# 2. Reload the firewall configuration
# firewall-cmd --reload
success
# 3. Verify the port is open
# firewall-cmd --zone=public --list-ports
3306/tcp
# 4. Test the MySQL connection
# mysql -h 192.168.1.100 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.35 MySQL Community Server - GPL
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit
Bye
4.2.2 Restrict MySQL access by source IP
# 1. Use a rich rule to allow port 3306 only from the host 192.168.1.10
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.10/32" port port="3306" protocol="tcp" accept'
success
# 2. Remove the zone-wide port rule for 3306
# firewall-cmd --permanent --zone=public --remove-port=3306/tcp
success
# 3. Reload the firewall configuration
# firewall-cmd --reload
success
# 4. Verify the rich rule
# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.1.10/32" port port="3306" protocol="tcp" accept
# 5. Test the MySQL connection from the allowed host
# mysql -h 192.168.1.100 -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 9
Server version: 8.0.35 MySQL Community Server - GPL
Copyright (c) 2000, 2024, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> exit
Bye
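The source-restriction procedure of 4.1.2 and 4.2.2 is the same four moves each time: add a rich rule for the allowed source, remove the zone-wide allow, reload, verify. The following script, added here as an example and not the tutorial's own code, wraps those moves: it validates the IPv4 source before anything is applied, builds the exact rich rule strings used above, adds a rule only when it is not already present, removes the zone-wide allow, and reloads. valid_ipv4_cidr, rich_rule_for and restrict_to_source are names chosen for this example; the live part assumes root and a running firewalld.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: build the source-restricted
# rich rules from 4.1.2 and 4.2.2 from validated parameters and apply them
# idempotently, also removing the zone-wide allow that would otherwise accept
# every source regardless of the rule. Needs root and a running firewalld.

# valid_ipv4_cidr 192.168.1.0/24 -> 0 if the address and prefix are well formed
valid_ipv4_cidr() {
    addr=${1%/*}; prefix=${1#*/}
    case "$1" in */*) ;; *) prefix=32 ;; esac      # bare address means /32
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for oct in "$@"; do
        case "$oct" in ''|*[!0-9]*) return 1 ;; esac
        [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# rich_rule_for SOURCE service NAME  |  rich_rule_for SOURCE port NUMBER PROTO
# Prints the rule string in the exact form firewall-cmd expects.
rich_rule_for() {
    case "$2" in
        service) printf 'rule family="ipv4" source address="%s" service name="%s" accept\n' "$1" "$3" ;;
        port)    printf 'rule family="ipv4" source address="%s" port port="%s" protocol="%s" accept\n' "$1" "$3" "$4" ;;
        *)       return 1 ;;
    esac
}

# restrict_to_source ZONE SOURCE service http   (or: ZONE SOURCE port 3306 tcp)
restrict_to_source() {
    zone=$1; src=$2; shift 2
    valid_ipv4_cidr "$src" || { echo "rejecting malformed source: $src" >&2; return 1; }
    rule=$(rich_rule_for "$src" "$@") || return 1
    # add only when absent, so repeated runs do not duplicate the rule
    firewall-cmd --permanent --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1 ||
        firewall-cmd --permanent --zone="$zone" --add-rich-rule="$rule"
    # remove the zone-wide allow; with it in place any source still matches
    if [ "$1" = service ]; then
        firewall-cmd --permanent --zone="$zone" --remove-service="$2" >/dev/null 2>&1 || :
    else
        firewall-cmd --permanent --zone="$zone" --remove-port="$2/$3" >/dev/null 2>&1 || :
    fi
    firewall-cmd --reload
}

if command -v firewall-cmd >/dev/null 2>&1; then
    restrict_to_source public 192.168.1.0/24 service http
    restrict_to_source public 192.168.1.10/32 port 3306 tcp
fi
```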
4.3 Firewall troubleshooting
4.3.1 Troubleshooting a port that cannot be reached
# Analysis steps:
# 1. Check the firewall state
# firewall-cmd --state
running
# 2. Check the active zone
# firewall-cmd --get-active-zones
public
interfaces: eth0
# 3. Check the open ports
# firewall-cmd --zone=public --list-ports
# 4. Check the open services
# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
# 5. Check the rich rules
# firewall-cmd --zone=public --list-rich-rules
# 6. Check whether the service itself is running
# systemctl status nginx
● nginx.service - The nginx HTTP and reverse proxy server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Thu 2026-04-02 10:00:00 CST; 5min ago
Docs: man:nginx(8)
Main PID: 2345 (nginx)
Tasks: 3 (limit: 4915)
Memory: 3.2M
CGroup: /system.slice/nginx.service
├─2345 nginx: master process /usr/sbin/nginx
├─2346 nginx: worker process
└─2347 nginx: worker process
Apr 02 10:00:00 server1 systemd[1]: Starting The nginx HTTP and reverse proxy server…
Apr 02 10:00:00 server1 nginx[2345]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Apr 02 10:00:00 server1 systemd[1]: Started The nginx HTTP and reverse proxy server.
# 7. Check that the port is being listened on
# ss -tuln | grep :80
tcp LISTEN 0 128 *:80 *:*
# 8. Fix: open the HTTP service
# firewall-cmd --permanent --zone=public --add-service=http
success
# 9. Reload the firewall configuration
# firewall-cmd --reload
success
# 10. Verify the service is open
# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http
# 11. Test the web service
# curl -I http://localhost
HTTP/1.1 200 OK
Server: nginx/1.24.0
Date: Thu, 02 Apr 2026 02:00:00 GMT
Content-Type: text/html
Content-Length: 615
Last-Modified: Thu, 02 Apr 2026 01:00:00 GMT
Connection: keep-alive
ETag: "624c3a1e-267"
Accept-Ranges: bytes
4.3.2 Troubleshooting rule conflicts
# Analysis steps:
# 1. List all rules
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http
ports: 3306/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" service name="http" accept
rule family="ipv4" source address="192.168.1.10/32" port port="3306" protocol="tcp" accept
# 2. Check rule precedence
# Rich rules take precedence over the zone's service rules
# Rules are matched in order, and the first matching rule applies
# Here the zone-wide http service accepts every source, so the rich rule restricted to 192.168.1.0/24 never limits who can reach HTTP
# 3. Fix: remove the conflicting rule
# firewall-cmd --permanent --zone=public --remove-service=http
success
# 4. Reload the firewall configuration
# firewall-cmd --reload
success
# 5. Verify the rules
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports: 3306/tcp
protocols:
forward: yes
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.0/24" service name="http" accept
rule family="ipv4" source address="192.168.1.10/32" port port="3306" protocol="tcp" accept
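The conflict above, a source-restricted rich rule shadowed by a zone-wide service or port that accepts every source, can be detected mechanically rather than by reading the listing. This script, added here as an example and not part of the original tutorial, parses the text of firewall-cmd --list-all and reports every rich rule whose service or port is also allowed for the whole zone; shadowed_rules and report are names chosen for this example, and the live check assumes root and a running firewalld.

```sh
#!/bin/sh
# Added example, not part of the original tutorial: read the output of
# "firewall-cmd --zone=ZONE --list-all" and flag source-restricted rich rules
# whose service or port is also allowed for the whole zone. The zone-wide
# entry accepts any source, so the restriction in the rich rule never decides
# anything; this is the situation fixed in 4.3.2.

report() {
    printf 'shadowed: %s %s is limited to %s by a rich rule but allowed zone-wide\n' "$1" "$2" "$3"
}

# shadowed_rules < list-all-output
# Prints one line per shadowed rich rule; returns 1 if any was found, else 0.
shadowed_rules() {
    services=""; ports=""; found=0
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$line" in
            services:*) services=${line#services:} ;;
            ports:*)    ports=${line#ports:} ;;
            "rule "*"source address="*)
                src=$(printf '%s' "$line" | sed 's/.*source address="\([^"]*\)".*/\1/')
                case "$line" in
                    *'service name="'*)
                        svc=$(printf '%s' "$line" | sed 's/.*service name="\([^"]*\)".*/\1/')
                        for s in $services; do
                            if [ "$s" = "$svc" ]; then report service "$svc" "$src"; found=1; fi
                        done ;;
                    *'port port="'*)
                        p=$(printf '%s' "$line" |
                            sed 's|.*port port="\([^"]*\)" protocol="\([^"]*\)".*|\1/\2|')
                        for q in $ports; do
                            if [ "$q" = "$p" ]; then report port "$p" "$src"; found=1; fi
                        done ;;
                esac ;;
        esac
    done
    return $found
}

# Live check; needs a running firewalld and root.
if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --zone="${1:-public}" --list-all | shadowed_rules && echo "no shadowed rich rules"
fi
```

Saved output can be audited offline with shadowed_rules < list-all.txt, which makes the check usable in a periodic review job.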
Part05-风哥's experience summary and notes
5.1 Firewall management best practices
Firewall management best practices:
- Least privilege: open only the ports and services that are needed
- Default deny: reject all incoming connections by default
- Regular rule review: review and update firewall rules regularly
- Back up configuration files: back up the firewall configuration regularly
- Test rule changes: verify every rule change after applying it
- Record change history: keep a record of firewall rules and their changes
- Use rich rules: use rich rules for fine-grained control
- Restrict sources: restrict the source IP addresses that may connect
- Enable logging: enable firewall logging
- Monitor the firewall: monitor the firewall's running state
5.2 Firewall configuration checklist
Firewall configuration checklist:
- [ ] firewalld is installed and running
- [ ] firewalld is enabled at boot
- [ ] The default zone is set to public
- [ ] Network interfaces are bound to the correct zone
- [ ] Only the necessary ports and services are open
- [ ] Rich rules are used for fine-grained control
- [ ] Source IP addresses are restricted
- [ ] Logging is enabled
- [ ] The firewall configuration is backed up
- [ ] Rule changes have been tested
- [ ] The change history is recorded
- [ ] Rules are reviewed regularly
5.3 Recommended firewall management tools
Recommended firewall management tools:
- firewall-cmd: command-line firewall management tool
- firewall-config: graphical firewall management tool
- nftables: the next-generation firewall framework
- iptables: the legacy firewall tool
- tcpdump: packet capture tool
- wireshark: network protocol analyzer
This article was compiled and published by 风哥教程 for study and testing only; when reposting, credit the source: http://www.fgedu.net.cn/10327.html
