This document by Fengge (风哥) introduces basic firewalld configuration, covering: what firewalld is, the differences between firewalld and iptables, the firewalld zone concept, planning firewalld for production environments, firewalld best practices, firewalld security configuration recommendations, firewalld basic operations in detail, advanced firewalld usage, firewalld rich rules in detail, a hands-on web server firewall configuration case, a hands-on database server firewall configuration case, and firewalld troubleshooting. It is based on the official Red Hat Enterprise Linux 10 documentation and is intended for Linux operations staff to use for study and testing; anyone applying it to a production environment must verify it themselves first.
Part01-Basic Concepts and Theory
1.1 What firewalld is
firewalld is the default firewall management tool in Red Hat Enterprise Linux 7 and later and provides dynamically managed firewall functionality. It supports the network zone concept, so different security policies can be applied according to how trusted a network connection is. firewalld exposes a D-Bus interface and keeps separate runtime and permanent configurations; changes take effect without restarting the service.
- Dynamic firewall management
- Network zone support
- Runtime and permanent configuration
- D-Bus interface
- IPv4 and IPv6 support
1.2 Differences between firewalld and iptables
Differences between firewalld and iptables:
- Configuration model: firewalld works with zones and services, iptables with chains and rules
- Dynamic updates: firewalld applies changes dynamically, whereas iptables requires the service to be restarted
- Ease of use: firewalld is easier to use, iptables is more flexible
- Compatibility: firewalld uses nftables/iptables as its backend
- Management tool: firewalld is managed with firewall-cmd, iptables with the iptables command
1.3 The firewalld zone concept
A firewalld zone is a predefined set of security policies used to apply a different security level according to how trusted a network connection is:
- drop: drop all incoming connections without any response
- block: reject all incoming connections with a response
- public: public zone, only selected incoming connections are allowed
- external: external zone, for external networks
- internal: internal zone, for internal networks
- dmz: demilitarized zone, for publicly reachable servers
- work: work zone, for work networks
- home: home zone, for home networks
- trusted: trusted zone, all connections are accepted
Part02-Production Environment Planning and Recommendations
2.1 Planning firewalld for production
Key points when planning firewalld for a production environment:
- Choose an appropriate default zone
- Configure the required services and ports
- Configure source IP restrictions
- Configure rich rules
- Review the firewall rules regularly
# firewalld points to note
- Understand the zone concept
- Configure the rules correctly
- Test the firewall rules
- Document the firewall configuration
- Back up the firewall configuration
2.2 firewalld best practices
firewalld best practices:
- Deny by default: reject all incoming connections by default
- Least privilege: open only the ports that are needed
- Source IP restriction: restrict by source IP address
- Regular review: review the firewall rules regularly
- Configuration backup: back up the firewall configuration
2.3 firewalld security configuration recommendations
firewalld security configuration recommendations:
- Default zone: use public or a stricter zone
- Service restriction: open only the services that are needed
- Port restriction: open only the ports that are needed
- Source IP restriction: restrict the source IPs allowed for management access
- Logging: enable logging
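A quick way to check a zone against the recommendations in this section, added here as an example and not part of the original document: the function below reads a saved `firewall-cmd --zone=<zone> --list-all` dump and reports unrestricted ssh, zone-wide ports, accept rich rules that carry no source, an ACCEPT target, and the absence of any logging rule. The two zone dumps are constructed samples modelled on the outputs shown later in this document.

```shell
# Added example: audit a saved `firewall-cmd --zone=<zone> --list-all` dump.
# POSIX sh plus grep/sed only, so it runs without firewalld installed.
# On a live host: audit_zone "$(firewall-cmd --zone=public --list-all)"
audit_zone() {
    dump=$1
    if printf '%s\n' "$dump" | grep -q '^[[:space:]]*target: ACCEPT'; then
        echo "FINDING: zone target is ACCEPT, unmatched traffic is allowed"
    fi
    # ssh listed under services means management access is open to every source
    if printf '%s\n' "$dump" | grep '^[[:space:]]*services:' | grep -qw ssh; then
        echo "FINDING: ssh open to all sources, use a source-limited rich rule"
    fi
    # ports opened zone-wide carry no source restriction at all
    ports=$(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*ports: *//p')
    if [ -n "$ports" ]; then
        echo "FINDING: ports open to all sources: $ports"
    fi
    # accept rich rules without a source: fine for a public web service, wrong for admin ports
    printf '%s\n' "$dump" | grep '^[[:space:]]*rule ' | grep ' accept$' | grep -v 'source address=' |
        sed 's/^[[:space:]]*/FINDING: accept rule without source, confirm it is intended: /'
    # the recommendations call for logging; expect at least one log rich rule
    if ! printf '%s\n' "$dump" | grep '^[[:space:]]*rule ' | grep -q ' log '; then
        echo "FINDING: no rich rule logs traffic"
    fi
    return 0
}

# Constructed sample: a public zone at its defaults plus a port opened to everyone
WEAK_ZONE='public (active)
  target: default
  interfaces: eth0
  services: ssh dhcpv6-client
  ports: 8080/tcp
  rich rules:
  rule family="ipv4" service name="http" accept'

# Constructed sample: the same zone after applying the recommendations above
HARD_ZONE='public (active)
  target: default
  interfaces: eth0
  services: http https dhcpv6-client
  ports:
  rich rules:
  rule family="ipv4" source address="192.168.1.100" service name="ssh" log prefix="SSH-ACCESS: " level="info" accept'

audit_zone "$WEAK_ZONE"   # prints four findings; audit_zone "$HARD_ZONE" prints none
```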
Part03-Production Environment Implementation
3.1 firewalld basic operations in detail
3.1.1 Checking the firewalld status
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2026-03-31 09:00:00 CST; 1h 30min ago
Docs: man:firewalld(1)
Main PID: 1234 (firewalld)
Tasks: 2 (limit: 4915)
Memory: 35.2M
CGroup: /system.slice/firewalld.service
└─1234 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
Mar 31 09:00:00 localhost systemd[1]: Starting firewalld - dynamic firewall daemon...
Mar 31 09:00:00 localhost systemd[1]: Started firewalld - dynamic firewall daemon.
# Check whether firewalld is running
# firewall-cmd --state
running
# Show the default zone
# firewall-cmd --get-default-zone
public
# Show the active zones
# firewall-cmd --get-active-zones
public
interfaces: eth0
# List all zones
# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
# Show the details of a zone
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
3.1.2 Managing services
# List all predefined services
# firewall-cmd --get-services
RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server
# List the enabled services
# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
# Add a service (runtime)
# firewall-cmd --zone=public --add-service=http
success
# Add a service (permanent)
# firewall-cmd --zone=public --add-service=http --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
# Verify that the service was added
# firewall-cmd --zone=public --list-services
ssh dhcpv6-client http
# Remove a service (runtime)
# firewall-cmd --zone=public --remove-service=http
success
# Remove a service (permanent)
# firewall-cmd --zone=public --remove-service=http --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
# Verify that the service was removed
# firewall-cmd --zone=public --list-services
ssh dhcpv6-client
3.1.3 Managing ports
# List the open ports
# firewall-cmd --zone=public --list-ports
# Add a port (runtime)
# firewall-cmd --zone=public --add-port=8080/tcp
success
# Add a port (permanent)
# firewall-cmd --zone=public --add-port=8080/tcp --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
# Verify that the port was added
# firewall-cmd --zone=public --list-ports
8080/tcp
# Add a port range
# firewall-cmd --zone=public --add-port=10000-10010/tcp --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
# Verify that the port range was added
# firewall-cmd --zone=public --list-ports
8080/tcp 10000-10010/tcp
# Remove a port (runtime)
# firewall-cmd --zone=public --remove-port=8080/tcp
success
# Remove a port (permanent)
# firewall-cmd --zone=public --remove-port=8080/tcp --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
# Verify that the port was removed
# firewall-cmd --zone=public --list-ports
10000-10010/tcp
3.2 Advanced firewalld usage
3.2.1 Configuring source addresses
# Add a source (runtime)
# firewall-cmd --zone=trusted --add-source=192.168.1.0/24
success
# Add a source (permanent)
# firewall-cmd --zone=trusted --add-source=192.168.1.0/24 --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
# Verify that the source was added
# firewall-cmd --zone=trusted --list-sources
192.168.1.0/24
# Show the active zones
# firewall-cmd --get-active-zones
trusted
sources: 192.168.1.0/24
public
interfaces: eth0
# Remove a source (runtime)
# firewall-cmd --zone=trusted --remove-source=192.168.1.0/24
success
# Remove a source (permanent)
# firewall-cmd --zone=trusted --remove-source=192.168.1.0/24 --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
3.2.2 Configuring interfaces
# Show which zone an interface belongs to
# firewall-cmd --get-zone-of-interface=eth0
public
# Move an interface to another zone (runtime)
# firewall-cmd --zone=internal --change-interface=eth0
success
# Move an interface to another zone (permanent)
# firewall-cmd --zone=internal --change-interface=eth0 --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
# Verify that the interface was moved
# firewall-cmd --get-zone-of-interface=eth0
internal
# Show the active zones
# firewall-cmd --get-active-zones
internal
interfaces: eth0
# Restore the interface to the default zone
# firewall-cmd --zone=public --change-interface=eth0 --permanent
success
# firewall-cmd --reload
success
3.3 firewalld rich rules in detail
3.3.1 Rich rule basics
# List the rich rules
# firewall-cmd --zone=public --list-rich-rules
# Add a rich rule (allow a specific IP to reach SSH)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept'
success
# Add a rich rule (reject a specific IP)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.200" reject'
success
# Add a rich rule (rate-limit connections)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" service name="http" limit value="100/m" accept'
success
# Add a rich rule (port forwarding)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" forward-port port="8080" protocol="tcp" to-port="80" to-addr="192.168.1.10"'
success
# List all rich rules
# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.1.100" service name="ssh" accept
rule family="ipv4" source address="192.168.1.200" reject
rule family="ipv4" service name="http" limit value="100/m" accept
rule family="ipv4" forward-port port="8080" protocol="tcp" to-port="80" to-addr="192.168.1.10"
# Remove a rich rule
# firewall-cmd --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.1.200" reject'
success
# Reload the firewall configuration
# firewall-cmd --reload
success
3.3.2 Advanced rich rule configuration
# Add a rich rule (allow a specific port from a specific network)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" port port="3306" protocol="tcp" accept' --permanent
success
# Add a rich rule (with logging)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="SSH-ACCESS: " level="info" limit value="10/m" accept' --permanent
success
# Add a rich rule (allow ftp only from the internal subnet)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" service name="ftp" source address="192.168.1.0/24" accept' --permanent
success
# Reload the firewall configuration
# firewall-cmd --reload
success
# List all rich rules
# firewall-cmd --zone=public --list-rich-rules
rule family="ipv4" source address="10.0.0.0/8" port port="3306" protocol="tcp" accept
rule family="ipv4" source address="192.168.1.0/24" service name="ssh" log prefix="SSH-ACCESS: " level="info" limit value="10/m" accept
rule family="ipv4" service name="ftp" source address="192.168.1.0/24" accept
# View the firewall log
# journalctl -u firewalld | grep "SSH-ACCESS"
Mar 31 10:00:00 localhost firewalld[1234]: SSH-ACCESS: IN=eth0 OUT= MAC=00:50:56:c0:00:08:00:50:56:c0:00:01:08:00 SRC=192.168.1.100 DST=192.168.1.10 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=12345 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
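To turn the SSH-ACCESS: log lines into something reviewable, the following added example (not from the original document) counts hits per source and destination port and lists the sources above a threshold. The log lines are constructed samples in the format shown above; these messages are produced by the kernel's netfilter logging, so on a live host `journalctl -k | grep SSH-ACCESS` is where to look if the firewalld unit's journal does not contain them.

```shell
# Added example: summarise netfilter log lines carrying the SSH-ACCESS: prefix.
# Reads log text on stdin; prints "<hits> <src> -> <dst>:<dport>/<proto>", busiest first.
summarise_fw_log() {
    awk '
    {
        src = dst = dpt = proto = ""
        for (i = 1; i <= NF; i++) {          # netfilter fields look like KEY=VALUE
            split($i, kv, "=")
            if (kv[1] == "SRC")   src   = kv[2]
            if (kv[1] == "DST")   dst   = kv[2]
            if (kv[1] == "DPT")   dpt   = kv[2]
            if (kv[1] == "PROTO") proto = kv[2]
        }
        if (src == "") next                  # not a netfilter log line, skip it
        hits[src " -> " dst ":" dpt "/" tolower(proto)]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}
# sources_over N: sources that appear N or more times in the log on stdin
sources_over() {
    summarise_fw_log | awk -v n="$1" '$1 >= n { print $2 }'
}

# Constructed sample journal lines in the format produced by the logging rule above
SAMPLE_LOG='Mar 31 10:00:00 localhost kernel: SSH-ACCESS: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=54321 DPT=22 SYN
Mar 31 10:00:05 localhost kernel: SSH-ACCESS: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=54322 DPT=22 SYN
Mar 31 10:00:09 localhost kernel: SSH-ACCESS: IN=eth0 OUT= SRC=192.168.1.100 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=54323 DPT=22 SYN
Mar 31 10:01:00 localhost kernel: SSH-ACCESS: IN=eth0 OUT= SRC=192.168.1.55 DST=192.168.1.10 LEN=60 PROTO=TCP SPT=40000 DPT=22 SYN
Mar 31 10:02:00 localhost systemd[1]: Started some unrelated unit.'

printf '%s\n' "$SAMPLE_LOG" | summarise_fw_log
printf '%s\n' "$SAMPLE_LOG" | sources_over 3   # prints 192.168.1.100
```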
Part04-Production Cases and Hands-on Walkthroughs
4.1 Hands-on case: web server firewall configuration
4.1.1 Full configuration procedure
# 1. Check the current configuration
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# 2. Add the web services
# firewall-cmd --zone=public --add-service=http --permanent
success
# firewall-cmd --zone=public --add-service=https --permanent
success
# 3. Restrict management access (only a specific IP may reach SSH)
# firewall-cmd --zone=public --remove-service=ssh --permanent
success
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.1.100" service name="ssh" accept' --permanent
success
# 4. Add the MySQL port (internal network only)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" port port="3306" protocol="tcp" accept' --permanent
success
# 5. Add the Redis port (local host only)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="127.0.0.1" port port="6379" protocol="tcp" accept' --permanent
success
# 6. Reload the firewall configuration
# firewall-cmd --reload
success
# 7. Verify the configuration
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: http https dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="192.168.1.100" service name="ssh" accept
rule family="ipv4" source address="192.168.0.0/16" port port="3306" protocol="tcp" accept
rule family="ipv4" source address="127.0.0.1" port port="6379" protocol="tcp" accept
# 8. Test the firewall rules
# SSH from 192.168.1.100 (should succeed)
# ssh root@192.168.1.10
# SSH from any other IP (should fail)
# ssh root@192.168.1.10
ssh: connect to host 192.168.1.10 port 22: Connection refused
# HTTP access (should succeed)
# curl http://192.168.1.10
# MySQL access from the internal network (should succeed)
# mysql -h 192.168.1.10 -u root -p
# MySQL access from outside (should fail)
# mysql -h 192.168.1.10 -u root -p
ERROR 2003 (HY000): Can't connect to MySQL server on '192.168.1.10' (111)
# 9. Save the configuration
# firewall-cmd --runtime-to-permanent
success
4.2 Hands-on case: database server firewall configuration
4.2.1 Full configuration procedure
# 1. Check the current configuration
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# 2. Allow SSH only from the management network
# firewall-cmd --zone=public --remove-service=ssh --permanent
success
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept' --permanent
success
# 3. Configure MySQL access (application servers only)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" port port="3306" protocol="tcp" accept' --permanent
success
# 4. Configure PostgreSQL access (application servers only)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" port port="5432" protocol="tcp" accept' --permanent
success
# 5. Configure MongoDB access (application servers only)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" port port="27017" protocol="tcp" accept' --permanent
success
# 6. Configure Redis access (application servers only)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.1.0/24" port port="6379" protocol="tcp" accept' --permanent
success
# 7. Configure monitoring access (monitoring servers only)
# firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.0.2.0/24" port port="9100" protocol="tcp" accept' --permanent
success
# 8. Reload the firewall configuration
# firewall-cmd --reload
success
# 9. Verify the configuration
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
rule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
rule family="ipv4" source address="10.0.1.0/24" port port="3306" protocol="tcp" accept
rule family="ipv4" source address="10.0.1.0/24" port port="5432" protocol="tcp" accept
rule family="ipv4" source address="10.0.1.0/24" port port="27017" protocol="tcp" accept
rule family="ipv4" source address="10.0.1.0/24" port port="6379" protocol="tcp" accept
rule family="ipv4" source address="10.0.2.0/24" port port="9100" protocol="tcp" accept
# 10. Test the firewall rules
# SSH from 10.0.0.100 (should succeed)
# ssh root@10.0.0.10
# SSH from any other network (should fail)
# ssh root@10.0.0.10
ssh: connect to host 10.0.0.10 port 22: Connection refused
# MySQL access from 10.0.1.100 (should succeed)
# mysql -h 10.0.0.10 -u appuser -p
# MySQL access from any other network (should fail)
# mysql -h 10.0.0.10 -u appuser -p
ERROR 2003 (HY000): Can't connect to MySQL server on '10.0.0.10' (111)
# 11. Save the configuration
# firewall-cmd --runtime-to-permanent
success
4.3 firewalld troubleshooting
4.3.1 A service cannot be reached
# Analysis steps:
# 1. Check the firewalld status
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2026-03-31 09:00:00 CST; 1h 30min ago
# 2. Check the firewall rules
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# 3. Problem found: the http service has not been added
# 4. Add the http service
# firewall-cmd --zone=public --add-service=http --permanent
success
# 5. Reload the firewall configuration
# firewall-cmd --reload
success
# 6. Verify the configuration
# firewall-cmd --zone=public --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client http
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# 7. Test access
# curl http://192.168.1.10
It works!
# 8. Preventive measures
# - Check the firewalld status
# - Check the firewall rules
# - Add the required services and ports
# - Test the firewall rules
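As an added example (not part of the original document), the following script predicts what the public zone will do with a connection from a given source IP to a given port, working from a saved `--list-all` dump, so the "http not added" fault above can be caught before anyone reports it. It follows firewalld's classic chain order: deny rich rules first, then allow rich rules and zone-wide services/ports, then the zone target (public's default target rejects). It maps only the services used on this page to ports, handles IPv4 only, and ignores port ranges and ICMP; the zone dumps are constructed samples modelled on sections 4.1 and 4.3.

```shell
ip4_to_int() { echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }; }
in_cidr() {      # in_cidr IP CIDR (a bare IP means /32): true when IP lies inside CIDR
    net=${2%/*}; bits=${2#*/}
    if [ "$bits" = "$2" ]; then bits=32; fi
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}
service_port() { # only the services used on this page are mapped (assumption of this example)
    case $1 in ssh) echo 22/tcp;; http) echo 80/tcp;; https) echo 443/tcp;;
        mysql) echo 3306/tcp;; postgresql) echo 5432/tcp;; *) echo unknown;; esac
}
rule_matches() { # rule_matches RICH_RULE SRC_IP PORT/PROTO
    rsrc=$(printf '%s\n' "$1" | sed -n 's/.*source address="\([^"]*\)".*/\1/p')
    rport=$(printf '%s\n' "$1" | sed -n 's/.*port port="\([0-9]*\)" protocol="\([a-z]*\)".*/\1\/\2/p')
    rsvc=$(printf '%s\n' "$1" | sed -n 's/.*service name="\([^"]*\)".*/\1/p')
    if [ -n "$rsvc" ]; then rport=$(service_port "$rsvc"); fi
    if [ -n "$rsrc" ] && ! in_cidr "$2" "$rsrc"; then return 1; fi
    [ -z "$rport" ] || [ "$rport" = "$3" ]    # a rule with no port/service matches any port
}
zone_verdict() { # zone_verdict DUMP SRC_IP PORT/PROTO -> accept | reject | drop
    dump=$1; src=$2; want=$3
    for action in reject drop accept; do   # deny rich rules are checked before allow rules
        hit=$(printf '%s\n' "$dump" | grep "^[[:space:]]*rule .* $action\$" |
            while IFS= read -r r; do
                if rule_matches "$r" "$src" "$want"; then echo "$action"; break; fi
            done)
        if [ -n "$hit" ]; then echo "$hit"; return 0; fi
    done
    for s in $(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*services: *//p'); do
        if [ "$(service_port "$s")" = "$want" ]; then echo accept; return 0; fi
    done
    for p in $(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*ports: *//p'); do
        if [ "$p" = "$want" ]; then echo accept; return 0; fi
    done
    case $(printf '%s\n' "$dump" | sed -n 's/^[[:space:]]*target: *//p') in   # public: default = reject
        ACCEPT) echo accept;; DROP) echo drop;; *) echo reject;; esac
}
# Constructed sample modelled on the step 2 dump above: http not yet added
BEFORE='public (active)
  target: default
  services: ssh dhcpv6-client'
# Constructed sample modelled on the hardened web server zone in section 4.1
WEB='public (active)
  target: default
  services: http https dhcpv6-client
  rich rules:
  rule family="ipv4" source address="192.168.1.100" service name="ssh" accept
  rule family="ipv4" source address="192.168.0.0/16" port port="3306" protocol="tcp" accept'
zone_verdict "$BEFORE" 203.0.113.5 80/tcp   # reject: the missing http service found above
zone_verdict "$WEB" 192.168.1.200 22/tcp    # reject: ssh is limited to 192.168.1.100
```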
Part05-Fengge's Experience Summary
5.1 firewalld experience summary
firewalld experience summary:
- Deny by default: reject all incoming connections by default
- Least privilege: open only the ports that are needed
- Source IP restriction: restrict by source IP address
- Regular review: review the firewall rules regularly
- Configuration backup: back up the firewall configuration
5.2 firewalld checklist
firewalld checklist:
- Before configuring: plan the firewall rules
- While configuring: check the configuration syntax
- After configuring: verify the firewall rules
- In operation: check the firewall status regularly
- During maintenance: update the firewall rules regularly
- When troubleshooting: check the firewall rules and review the logs
5.3 Recommended firewalld-related tools
Recommended firewalld-related tools:
- firewall-cmd: the firewalld command-line tool
- firewall-config: the firewalld graphical tool
- iptables: low-level firewall tool
- nftables: next-generation firewall tool
- tcpdump: network packet capture tool
This article was compiled and published by Fengge Tutorials (风哥教程) for study and testing only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
