firewalld:管理firewalld防火墙服务

一，服务启动与停止

1,启动:

[root@blog ~]# systemctl start firewalld.service 

查看状态:

[root@blog ~]# systemctl status firewalld.service
● firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (;;file://blog/usr/lib/systemd/system/firewalld.service/usr/lib/systemd/system/firewalld.service;;; enabled; preset: enabled)
     Active: active (running) since Tue 2024-07-16 10:41:15 CST; 2s ago
       Docs: ;;man:firewalld(1)man:firewalld(1);;
   Main PID: 287872 (firewalld)
      Tasks: 2 (limit: 97127)
     Memory: 25.3M
        CPU: 300ms
     CGroup: /system.slice/firewalld.service
             └─287872 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

Jul 16 10:41:15 blog systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 16 10:41:15 blog systemd[1]: Started firewalld - dynamic firewall daemon.

2，停止:

[root@blog ~]# systemctl stop firewalld.service

停止后查看状态:

[root@blog ~]# systemctl status firewalld.service
○ firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (;;file://blog/usr/lib/systemd/system/firewalld.service/usr/lib/systemd/system/firewalld.service;;; enabled; preset: enabled)
     Active: inactive (dead) since Tue 2024-07-16 10:43:34 CST; 1s ago
   Duration: 2min 19.327s
       Docs: ;;man:firewalld(1)man:firewalld(1);;
    Process: 287872 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
   Main PID: 287872 (code=exited, status=0/SUCCESS)
        CPU: 331ms

Jul 16 10:41:15 blog systemd[1]: Starting firewalld - dynamic firewall daemon...
Jul 16 10:41:15 blog systemd[1]: Started firewalld - dynamic firewall daemon.
Jul 16 10:43:34 blog systemd[1]: Stopping firewalld - dynamic firewall daemon...
Jul 16 10:43:34 blog systemd[1]: firewalld.service: Deactivated successfully.
Jul 16 10:43:34 blog systemd[1]: Stopped firewalld - dynamic firewall daemon.

二，配置自启动

1,配置自动启动

[root@blog ~]# systemctl is-enabled firewalld.service
disabled
[root@blog ~]# systemctl enable firewalld.service
Created symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service → /usr/lib/systemd/system/firewalld.service.
Created symlink /etc/systemd/system/multi-user.target.wants/firewalld.service → /usr/lib/systemd/system/firewalld.service.
[root@blog ~]# systemctl is-enabled firewalld.service
enabled

2,配置不自动启动

[root@blog ~]# systemctl disable firewalld.service
Removed "/etc/systemd/system/multi-user.target.wants/firewalld.service".
Removed "/etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service".
[root@blog ~]# systemctl is-enabled firewalld.service
disabled

 三，mask/umask

1,mask:锁定或禁用

[root@blog ~]# systemctl mask firewalld.service
Created symlink /etc/systemd/system/firewalld.service → /dev/null. 

查看状态:

[root@blog ~]# systemctl status firewalld.service
● firewalld.service
   Loaded: masked (Reason: Unit firewalld.service is masked.)
   Active: active (running) since Fri 2023-10-06 18:39:59 CST; 9 months 9 days ago
 Main PID: 30486 (firewalld)
    Tasks: 3 (limit: 26213)
   Memory: 27.5M
   CGroup: /system.slice/firewalld.service
           └─30486 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

Jul 16 10:57:17 blog systemd[1]: firewalld.service: Current command vanished from the unit file, execution of the command list won't be resumed.
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable. 

从命令行查看firewalld的运行状态:

[root@blog ~]# firewall-cmd --state
running 

可以看到，锁定时是把service文件指向了/dev/null,
也就是不能再通过systemctl管理firewalld服务了,
而防火墙本身的运行并未受影响，

2,umask:解锁或启用:

[root@blog ~]# systemctl unmask firewalld.service
Removed /etc/systemd/system/firewalld.service.

四，重新加载防火墙

firewall-cmd --reload  # 更新防火墙规则
firewall-cmd --complete-reload   # 断开连接后更新防火墙规则
两者的区别就是:
第一个无需断开连接，就是firewalld特性之一动态添加规则，所以它不会将正在运行的服务打断
第二个需要断开连接，类似重启服务,会把正在运行的服务打断,会把已建立的连接关闭，
所以如果需要重新加载所有规则，禁止一些连接和服务时，使用第二个

例子:

[root@blog ~]# firewall-cmd --reload
success

[root@blog ~]# firewall-cmd  --complete-reload
success

五，恐慌模式/切断网络:

#关闭网络通信并且切断攻击者，而不用像之前那样通过物理拔除网线来进行断网操作
firewall-cmd --panic-on
#需要恢复网络通信时,关闭恐慌模式
firewall-cmd --panic-off
# 查询防火墙当前恐慌模式的状态
firewall-cmd --query-panic

例子:

[root@blog ~]# firewall-cmd --query-panic
no

六，锁定防火墙规则的修改:

1,红帽官方的文档:

https://docs.redhat.com/zh_hans/documentation/red_hat_enterprise_linux/8/html/securing_networks/configuring-firewall-lockdown_using-and-configuring-firewalld

2,启用锁定

# firewall-cmd --lockdown-on

3,关闭锁定:

# firewall-cmd --lockdown-off

4,查询锁定状态:

# firewall-cmd --query-lockdown

例子:

[root@blog ~]# firewall-cmd --query-lockdown
no

5, 为什么要锁定？

如果本地应用或服务以 root 身份运行（如 libvirt），则可以更改防火墙配置。
为了防止规则被应用或服务修改，管理员可以用--lockdown-on锁定防火墙配置