linux:commands:network:firewall-cmd

差分

このページの2つのバージョン間の差分を表示します。

この比較画面へのリンク

両方とも前のリビジョン 前のリビジョン
次のリビジョン		 前のリビジョン
linux:commands:network:firewall-cmd [2021/11/25 23:35] – [デフォルトゾーンの確認] ともやんlinux:commands:network:firewall-cmd [2025/02/21 12:16] (現在) – [サービスで許可されるポートを調べる] ともやん
行 1: 行 1:
-====== firewalld(Fedora) ====== +====== firewalld (Linux) ======
 firewall-cmd は firewalld パッケージに含まれている。 firewall-cmd は firewalld パッケージに含まれている。
-<code+<WRAP color_term
-$ sudo dnf install firewalld +<WRAP color_command><html><pre> 
-</code>+<font color="#0087FF"><b>$</b></font> <font color="#26A269"><u style="text-decoration-style:solid">sudo</u></font> <font color="#26A269">dnf</font> install firewalld 
 +</pre></html></WRAP> 
 +</WRAP>
  
-===== 定義済みゾーンの確認 ===== +===== 定義済みゾーンの確認 [--get-zones, --list-all-zones] ===== 
-<WRAP prewrap 100%+Fedora 36\\ 
-<code+<WRAP color_term
-$ firewall-cmd --get-zones +<WRAP color_command><html><pre
-FedoraServer FedoraWorkstation block dmz drop external home internal public trusted work +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-zones</font> 
-</code>+</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +FedoraServer FedoraWorkstation block dmz drop external home internal libvirt nm-shared public trusted work 
 +</pre></html></WRAP>
 </WRAP> </WRAP>
  
-===== デフォルトゾーンの確認 ===== +<WRAP color_term> 
-<code+<WRAP color_command><html><pre> 
-$ firewall-cmd --get-default-zone+<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--list-all-zones</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result_long><html><pre> 
 +FedoraServer 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: cockpit dhcpv6-client ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +FedoraWorkstation (active) 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces: wlp2s0 
 +  sources:  
 +  services: dhcpv6-client mdns samba-client ssh vnc-server 
 +  ports: 1025-65535/udp 1025-65535/tcp 
 +  protocols:  
 +  forward: no 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +block 
 +  target: %%REJECT%% 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services:  
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +dmz 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +drop 
 +  target: DROP 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services:  
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +external 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: yes 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +home 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcpv6-client mdns samba-client ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +internal 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcpv6-client mdns samba-client ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +libvirt 
 +  target: ACCEPT 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcp dhcpv6 dns ssh tftp 
 +  ports:  
 +  protocols: icmp ipv6-icmp 
 +  forward: no 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + rule priority="32767" reject 
 + 
 +nm-shared 
 +  target: ACCEPT 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcp dns ssh 
 +  ports:  
 +  protocols: icmp ipv6-icmp 
 +  forward: no 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + rule priority="32767" reject 
 + 
 +public 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcpv6-client mdns ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +trusted 
 +  target: ACCEPT 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services:  
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +work 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcpv6-client mdns ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +</pre></html></WRAP> 
 +</WRAP> 
 + 
 +Ubuntu 22.04.1 LTS\\ 
 +<WRAP color_term> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-zones</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +block dmz drop external home internal nm-shared public trusted work 
 +</pre></html></WRAP> 
 +</WRAP> 
 + 
 +<WRAP color_term> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--list-all-zones</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result_long><html><pre> 
 +block 
 +  target: %%REJECT%% 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services:  
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +dmz 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +drop 
 +  target: DROP 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services:  
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +external 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: yes 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +home 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcpv6-client mdns samba-client ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +internal 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcpv6-client mdns samba-client ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +nm-shared 
 +  target: ACCEPT 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcp dns ssh 
 +  ports:  
 +  protocols: icmp ipv6-icmp 
 +  forward: no 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + rule priority="32767" reject 
 + 
 +public (active) 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces: enp1s0 
 +  sources:  
 +  services: dhcpv6-client ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +trusted 
 +  target: ACCEPT 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services:  
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +work 
 +  target: default 
 +  icmp-block-inversion: no 
 +  interfaces:  
 +  sources:  
 +  services: dhcpv6-client ssh 
 +  ports:  
 +  protocols:  
 +  forward: yes 
 +  masquerade: no 
 +  forward-ports:  
 +  source-ports:  
 +  icmp-blocks:  
 +  rich rules:  
 + 
 +</pre></html></WRAP> 
 +</WRAP> 
 + 
 +===== デフォルトゾーンとアクティブゾーンの確認 ===== 
 +<WRAP color_term
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-default-zone</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 FedoraWorkstation FedoraWorkstation
-</code>+</pre></html></WRAP> 
 +</WRAP> 
 + 
 +<WRAP color_term> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-active-zones</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +FedoraWorkstation 
 +  interfaces: wlp2s0 
 +</pre></html></WRAP> 
 +</WRAP>
  
-<WRAP center round tip 95%+<WRAP left round tip 95% minfont_12>
-<html><div style="font-size: 80%"></html>+
 はじめに__デフォルトゾーンの確認を行っておくことは重要__です。\\ はじめに__デフォルトゾーンの確認を行っておくことは重要__です。\\
-<html><code class="minfont">firewall-cmd</code></html> コマンドを <html><code class="minfont">--zone</code></html> オプションを省略して実行すると、すべての操作はデフォルトゾーンに対して行われます。\\ +<html><code>firewall-cmd</code></html> コマンドを <html><code>--zone</code></html> オプションを省略して実行すると、すべての操作はデフォルトゾーンに対して行われます。\\ 
-<html><code class="minfont">--zone</code></html> オプションを省略して作業の手間を少なくするには、以降の手順のように**__デフォルトゾーンの変更__**__と__**__アクティブゾーンの変更__**__をセットで行う__ことをオススメします。 +<html><code>--zone</code></html> オプションを省略して作業の手間を少なくするには、以降の手順のように**__デフォルトゾーンの変更__**__と__**__アクティブゾーンの変更__**__をセットで行う__ことをオススメします。 
-<WRAP prewrap 100% mincode> + 
-<html><code class="minfont">--zone</code></html> オプションを省略した場合の実行例:\\ +<html><code>--zone</code></html> オプションを省略した場合の実行例:\\ 
-<code+<WRAP color_term
-$ firewall-cmd --get-default-zone+<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-default-zone</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 FedoraWorkstation FedoraWorkstation
-$ firewall-cmd --list-services+</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--list-services</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 dhcpv6-client mdns samba-client ssh dhcpv6-client mdns samba-client ssh
-$ firewall-cmd --zone=FedoraWorkstation --list-services+</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--zone=FedoraWorkstation --list-services</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 dhcpv6-client mdns samba-client ssh dhcpv6-client mdns samba-client ssh
-$ firewall-cmd --zone=FedoraServer --list-services+</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--zone=FedoraServer --list-services</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 cockpit dhcpv6-client ssh cockpit dhcpv6-client ssh
-</code></WRAP>+</pre></html></WRAP> 
 +</WRAP>
  
-例えば、デフォルトゾーンが **FedoraWorkstation** の状態でインタフェース **enp8s0** のアクティブゾーンを **FedoraWorkstation** から **FedoraServer** へ変更した場合、<html><code class="minfont">--zone</code></html> オプションを省略して操作を行うとアクティブゾーンに未使用な **FedoraWorkstation** を操作し続けることになるので、<html><code class="minfont">firewall-cmd</code></html> コマンドは__メッセージ__を表示するようになります。\\ +例えば、デフォルトゾーンが **FedoraWorkstation** の状態でインタフェース **enp8s0** のアクティブゾーンを **FedoraWorkstation** から **FedoraServer** へ変更した場合、<html><code>--zone</code></html> オプションを省略して操作を行うとアクティブゾーンに未使用な **FedoraWorkstation** を操作し続けることになるので、<html><code>firewall-cmd</code></html> コマンドは__メッセージ__を表示するようになります。\\ 
-<WRAP prewrap 100%+<WRAP color_term
-<WRAP mincode><code+<WRAP color_command><html><pre
-$ firewall-cmd --get-default-zone+<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-default-zone</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 FedoraWorkstation FedoraWorkstation
-$ firewall-cmd --get-active-zones+</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-active-zones</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 FedoraWorkstation FedoraWorkstation
   interfaces: enp8s0   interfaces: enp8s0
 libvirt libvirt
   interfaces: virbr0   interfaces: virbr0
-$ sudo firewall-cmd --zone=FedoraServer --change-interface=enp8s0+</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--zone=FedoraServer --change-interface=enp8s0</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 success success
-$ firewall-cmd --get-active-zones+</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-active-zones</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 FedoraServer FedoraServer
   interfaces: enp8s0   interfaces: enp8s0
行 56: 行 477:
   interfaces: virbr0   interfaces: virbr0
  
-$ firewall-cmd --list-services+</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--list-services</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 You're performing an operation over default zone ('FedoraWorkstation'), You're performing an operation over default zone ('FedoraWorkstation'),
 but your connections/interfaces are in zone 'FedoraServer,libvirt' (see --get-active-zones) but your connections/interfaces are in zone 'FedoraServer,libvirt' (see --get-active-zones)
行 62: 行 487:
  
 dhcpv6-client mdns samba-client ssh dhcpv6-client mdns samba-client ssh
-</code></WRAP>+</pre></html></WRAP>
 </WRAP> </WRAP>
  
-<WRAP prewrap 100% mincode>+<WRAP mincode>
 メッセージ (翻訳):\\ メッセージ (翻訳):\\
 <code> <code>
行 72: 行 497:
 ほとんどの場合、--zone=FedoraServer オプションを使用する必要があります。 ほとんどの場合、--zone=FedoraServer オプションを使用する必要があります。
 </code></WRAP> </code></WRAP>
-<html></div></html> 
 </WRAP> </WRAP>
  
-===== デフォルトゾーンの変更 ===== +===== デフォルトゾーンとアクティブゾーンの変更 ===== 
-workゾーンへ変更 +デフォルトゾーンを FedoraServer へ変更\\ 
-<code+<WRAP color_term
-$ sudo firewall-cmd --set-default-zone=work +<WRAP color_command><html><pre> 
-</code+<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--set-default-zone=FedoraServer</font> 
- +</pre></html></WRAP
-すべてのアクセスを許可するtrustedゾーンへ変更 +<WRAP color_result><html><pre> 
-<code+success 
-sudo firewall-cmd --set-default-zone=trusted +</pre></html></WRAP
-</code> +<WRAP color_command><html><pre> 
-※これらの変更はすぐに反映される。 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-default-zone</font
- +</pre></html></WRAP
-===== アクティブゾーンの確認 ===== +<WRAP color_result><html><pre>
-<code+
-$ firewall-cmd --get-active-zones+
 FedoraServer FedoraServer
-  interfaces: br0 ens33 +</pre></html></WRAP> 
-</code>+<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--get-active-zones</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +FedoraWorkstation 
 +  interfaces: wlp2s0 
 +</pre></html></WRAP> 
 +</WRAP> 
 +※デフォルトゾーンを変更してもアクティブゾーンが変更される訳ではない🤔\\ 
 + これらの変更はすぐに反映される🤔\\ 
 +\\ 
 +アクティブゾーンを FedoraServer へ変更\\ 
 +<WRAP color_term> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd </font> <font color="#A347BA">--zone=FedoraServer --change-interface=wlp2s0</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd </font> <font color="#A347BA">--get-active-zones</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +FedoraServer 
 +  interfaces: wlp2s0 
 +</pre></html></WRAP> 
 +</WRAP>
  
-===== アクティブゾーンの変更 ===== 
-<code> 
-$ sudo firewall-cmd --zone=work --change-interface=ens33 
-</code> 
 ===== 許可されているサービスの確認 ===== ===== 許可されているサービスの確認 =====
-<code+<WRAP color_term
-$ firewall-cmd --list-services+<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--list-services</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 dhcpv6-client mdns samba-client ssh dhcpv6-client mdns samba-client ssh
-</code>+</pre></html></WRAP> 
 +</WRAP>
  
 ===== 許可されているポートの確認 ===== ===== 許可されているポートの確認 =====
-<code+<WRAP color_term
-$ firewall-cmd --list-ports+<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd </font> <font color="#A347BA">--list-ports</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre>
 22022/tcp 3389/tcp 5901/tcp 22022/tcp 3389/tcp 5901/tcp
-</code>+</pre></html></WRAP> 
 +</WRAP>
  
 ===== 登録可能なサービスの確認 ===== ===== 登録可能なサービスの確認 =====
-<code+<WRAP color_term
-$ firewall-cmd --get-services +<WRAP color_command><html><pre> 
-</code+<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd </font> <font color="#A347BA">--get-services</font
-<WRAP prewrap 100%+</pre></html></WRAP> 
-<code+<WRAP color_result><html><pre
-RH-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server +H-Satellite-6 amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine cockpit condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kerberos kibana klogin kpasswd kprop kshell ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius redis rpc-bind rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server 
-</code>+</pre></html></WRAP>
 </WRAP> </WRAP>
  
 ===== サービスを永続的に許可 ===== ===== サービスを永続的に許可 =====
-<code+<WRAP color_term
-$ sudo firewall-cmd --permanent --add-service=ssh +<WRAP color_command><html><pre> 
-</code>+<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--permanent --add-service=ssh</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +</WRAP>
  
 ===== サービスの許可を永続的に削除 ===== ===== サービスの許可を永続的に削除 =====
-<code+<WRAP color_term
-$ sudo firewall-cmd --permanent --remove-service=ssh +<WRAP color_command><html><pre> 
-</code>+<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--permanent --remove-service=ssh</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +</WRAP> 
 + 
 +複数サービスの許可を一括で永続的に削除🤤\\ 
 +<WRAP color_term> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269"><u style="text-decoration-style:solid">sudo</u></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--permanent</font> <font color="#A347BA">--remove-service=</font><font color="#12488B"><b>{</b></font><font color="#A347BA">ssh,cockpit</font><font color="#12488B"><b>}</b></font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +</WRAP>
  
 ===== 特定ポートを永続的に許可 ===== ===== 特定ポートを永続的に許可 =====
-<code+<WRAP color_term
-$ sudo firewall-cmd --permanent --add-port=22022/tcp +<WRAP color_command><html><pre> 
-</code>+<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--permanent --add-port=22022/tcp</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +</WRAP>
  
 ==== 特定ポートの許可を永続的に削除 ==== ==== 特定ポートの許可を永続的に削除 ====
-<code+<WRAP color_term
-$ sudo firewall-cmd --permanent --remove-port=22022/tcp +<WRAP color_command><html><pre> 
-</code>+<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--permanent --remove-port=22022/tcp</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +</WRAP>
  
 ===== アクセス許可 ===== ===== アクセス許可 =====
-<code+<WRAP color_term
-$ sudo firewall-cmd --permanent --add-source=192.168.1.0/24 +<WRAP color_command><html><pre> 
-</code>+<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA"> --permanent --add-source=192.168.1.0/24</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +</WRAP>
  
 ===== アクセス拒否 ===== ===== アクセス拒否 =====
 drop ゾーンにIPアドレスを登録する。 drop ゾーンにIPアドレスを登録する。
-<code+<WRAP color_term
-$ sudo firewall-cmd --permanent --add-source=192.168.1.0/24 --zone=drop +<WRAP color_command><html><pre> 
-$ sudo firewall-cmd --permanent --add-source=192.168.1.1 --zone=drop +<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--permanent --add-source=192.168.1.0/24 --zone=drop</font> 
-</code>+</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--permanent --add-source=192.168.1.1 --zone=drop</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +</WRAP> 
 拒否リストの表示 拒否リストの表示
-<code+<WRAP color_term
-$ sudo firewall-cmd --list-sources --zone=drop+<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--list-sources --zone=drop</font>
 192.168.1.0/24 192.168.1.1 192.168.1.0/24 192.168.1.1
-</code>+</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +</pre></html></WRAP> 
 +</WRAP> 
 拒否リストの削除 拒否リストの削除
-<code+<WRAP color_term
-$ sudo firewall-cmd --permanent --remove-source=192.168.1.0/24 --zone=drop +<WRAP color_command><html><pre> 
-$ sudo firewall-cmd --permanent --remove-source=192.168.1.1 --zone=drop +<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--permanent --remove-source=192.168.1.0/24 --zone=drop</font> 
-</code>+<font color="#0087FF"><b>$</b></font> <font color="#26A269">sudo firewall-cmd</font> <font color="#A347BA">--permanent --remove-source=192.168.1.1 --zone=drop</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +</pre></html></WRAP> 
 +</WRAP>
  
 ===== firewalld の状態を失わずにリロード ===== ===== firewalld の状態を失わずにリロード =====
-<code+<WRAP color_term
-$ sudo firewall-cmd --reload +<WRAP color_command><html><pre> 
-</code>+<font color="#0087FF"><b>$</b></font> <font color="#26A269"><u style="text-decoration-style:solid">sudo</u></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--reload</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result><html><pre> 
 +success 
 +</pre></html></WRAP> 
 +</WRAP>
  
 ===== サービスで許可されるポートを調べる ===== ===== サービスで許可されるポートを調べる =====
- 各サービスの定義ファイルを調べることにより許可されるポートがわかる。 +各サービスの定義ファイルを調べることにより許可されるポートがわかる。 
-<code+<WRAP color_term
-cat /usr/lib/firewalld/services/ldap.xml +<WRAP color_command><html><pre> 
-</code+<font color="#0087FF"><b>$</b></font> <font color="#26A269">bat</font> <u style="text-decoration-style:solid">/usr/lib/firewalld/services/ldap.xml</u> 
-<code xml+</pre></html></WRAP
-<?xml version="1.0" encoding="utf-8"?> +<WRAP color_result><html><pre
-<service> +<font color="#444444">   1</font> <font color="#FFFFFF">&lt;?</font><font color="#F92672">xml</font><font color="#F8F8F2"> </font><font color="#A6E22E">version</font><font color="#F8F8F2">=</font><font color="#E6DB74">&quot;1.0&quot;</font><font color="#F8F8F2"> </font><font color="#A6E22E">encoding</font><font color="#F8F8F2">=</font><font color="#E6DB74">&quot;utf-8&quot;</font><font color="#FFFFFF">?&gt;</font
-  <short>LDAP</short> +<font color="#444444">   2</font> <font color="#FFFFFF">&lt;</font><font color="#F92672">service</font><font color="#FFFFFF">&gt;</font
-  <description>Lightweight Directory Access Protocol (LDAP) server</description> +<font color="#444444">   3</font> <font color="#F8F8F2">  </font><font color="#FFFFFF">&lt;</font><font color="#F92672">short</font><font color="#FFFFFF">&gt;</font><font color="#F8F8F2">LDAP</font><font color="#FFFFFF">&lt;/</font><font color="#F92672">short</font><font color="#FFFFFF">&gt;</font
-  <port protocol="tcp" port="389"/> +<font color="#444444">   4</font> <font color="#F8F8F2">  </font><font color="#FFFFFF">&lt;</font><font color="#F92672">description</font><font color="#FFFFFF">&gt;</font><font color="#F8F8F2">Lightweight Directory Access Protocol (LDAP) server</font><font color="#FFFFFF">&lt;/</font><font color="#F92672">description</font><font color="#FFFFFF">&gt;</font
-</service> +<font color="#444444">   5</font> <font color="#F8F8F2">  </font><font color="#FFFFFF">&lt;</font><font color="#F92672">port</font><font color="#F8F8F2"> </font><font color="#A6E22E">protocol</font><font color="#F8F8F2">=</font><font color="#E6DB74">&quot;tcp&quot;</font><font color="#F8F8F2"> </font><font color="#A6E22E">port</font><font color="#F8F8F2">=</font><font color="#E6DB74">&quot;389&quot;</font><font color="#FFFFFF">/&gt;</font
-</code>+<font color="#444444">   6</font> <font color="#FFFFFF">&lt;/</font><font color="#F92672">service</font><font color="#FFFFFF">&gt;</font
 +</pre></html></WRAP> 
 +</WRAP> 
 + 
 +===== ヘルプ [--help] ===== 
 +<WRAP color_term> 
 +<WRAP color_command><html><pre> 
 +<font color="#0087FF"><b>$</b></font> <font color="#26A269">firewall-cmd</font> <font color="#A347BA">--help</font> 
 +</pre></html></WRAP> 
 +<WRAP color_result_long><html><pre> 
 + 
 +Usage: firewall-cmd [OPTIONS...] 
 + 
 +General Options 
 +  -h, --help           Prints a short help text and exists 
 +  -V, --version        Print the version string of firewalld 
 +  -q, --quiet          Do not print status messages 
 + 
 +Status Options 
 +  --state              Return and print firewalld state 
 +  --reload             Reload firewall and keep state information 
 +  --complete-reload    Reload firewall and lose state information 
 +  --runtime-to-permanent 
 +                       Create permanent from runtime configuration 
 +  --check-config       Check permanent configuration for errors 
 + 
 +Log Denied Options 
 +  --get-log-denied     Print the log denied value 
 +  --set-log-denied=&lt;value> 
 +                       Set log denied value 
 + 
 +Permanent Options 
 +  --permanent          Set an option permanently 
 +                       Usable for options marked with [P] 
 + 
 +Zone Options 
 +  --get-default-zone   Print default zone for connections and interfaces 
 +  --set-default-zone=&lt;zone> 
 +                       Set default zone 
 +  --get-active-zones   Print currently active zones 
 +  --get-zones          Print predefined zones [P] 
 +  --get-services       Print predefined services [P] 
 +  --get-icmptypes      Print predefined icmptypes [P] 
 +  --get-zone-of-interface=&lt;interface> 
 +                       Print name of the zone the interface is bound to [P] 
 +  --get-zone-of-source=&lt;source>[/&lt;mask>]|&lt;MAC>|ipset:&lt;ipset> 
 +                       Print name of the zone the source is bound to [P] 
 +  --list-all-zones     List everything added for or enabled in all zones [P] 
 +  --new-zone=&lt;zone>    Add a new zone [P only] 
 +  --new-zone-from-file=&lt;filename> [--name=&lt;zone>
 +                       Add a new zone from file with optional name [P only] 
 +  --delete-zone=&lt;zone> Delete an existing zone [P only] 
 +  --load-zone-defaults=&lt;zone> 
 +                       Load zone default settings [P only] 
 +  --zone=&lt;zone>        Use this zone to set or query options, else default zone 
 +                       Usable for options marked with [Z] 
 +  --info-zone=&lt;zone>   Print information about a zone 
 +  --path-zone=&lt;zone>   Print file path of a zone [P only] 
 + 
 +Policy Options 
 +  --get-policies       Print predefined policies 
 +  --get-active-policies  
 +                       Print currently active policies 
 +  --list-all-policies  List everything added for or enabled in all policies 
 +  --new-policy=&lt;policy>  
 +                       Add a new empty policy 
 +  --new-policy-from-file=&lt;filename> [--name=&lt;policy>
 +                       Add a new policy from file with optional name override [P only] 
 +  --delete-policy=&lt;policy> 
 +                       Delete an existing policy 
 +  --load-policy-defaults=&lt;policy> 
 +                       Load policy default settings 
 +  --policy=&lt;policy>    Use this policy to set or query options 
 +                       Usable for options marked with [O] 
 +  --info-policy=&lt;policy> 
 +                       Print information about a policy 
 +  --path-policy=&lt;policy> 
 +                       Print file path of a policy 
 + 
 +IPSet Options 
 +  --get-ipset-types    Print the supported ipset types 
 +  --new-ipset=&lt;ipset> --type=&lt;ipset type> [--option=&lt;key>[=&lt;value>]].. 
 +                       Add a new ipset [P only] 
 +  --new-ipset-from-file=&lt;filename> [--name=&lt;ipset>
 +                       Add a new ipset from file with optional name [P only] 
 +  --delete-ipset=&lt;ipset> 
 +                       Delete an existing ipset [P only] 
 +  --load-ipset-defaults=&lt;ipset> 
 +                       Load ipset default settings [P only] 
 +  --info-ipset=&lt;ipset> Print information about an ipset 
 +  --path-ipset=&lt;ipset> Print file path of an ipset [P only] 
 +  --get-ipsets         Print predefined ipsets 
 +  --ipset=&lt;ipset> --set-description=&lt;description> 
 +                       Set new description to ipset [P only] 
 +  --ipset=&lt;ipset> --get-description 
 +                       Print description for ipset [P only] 
 +  --ipset=&lt;ipset> --set-short=&lt;description> 
 +                       Set new short description to ipset [P only] 
 +  --ipset=&lt;ipset> --get-short 
 +                       Print short description for ipset [P only] 
 +  --ipset=&lt;ipset> --add-entry=&lt;entry> 
 +                       Add a new entry to an ipset [P] 
 +  --ipset=&lt;ipset> --remove-entry=&lt;entry> 
 +                       Remove an entry from an ipset [P] 
 +  --ipset=&lt;ipset> --query-entry=&lt;entry> 
 +                       Return whether ipset has an entry [P] 
 +  --ipset=&lt;ipset> --get-entries 
 +                       List entries of an ipset [P] 
 +  --ipset=&lt;ipset> --add-entries-from-file=&lt;entry> 
 +                       Add a new entries to an ipset [P] 
 +  --ipset=&lt;ipset> --remove-entries-from-file=&lt;entry> 
 +                       Remove entries from an ipset [P] 
 + 
 +IcmpType Options 
 +  --new-icmptype=&lt;icmptype> 
 +                       Add a new icmptype [P only] 
 +  --new-icmptype-from-file=&lt;filename> [--name=&lt;icmptype>
 +                       Add a new icmptype from file with optional name [P only] 
 +  --delete-icmptype=&lt;icmptype> 
 +                       Delete an existing icmptype [P only] 
 +  --load-icmptype-defaults=&lt;icmptype> 
 +                       Load icmptype default settings [P only] 
 +  --info-icmptype=&lt;icmptype> 
 +                       Print information about an icmptype 
 +  --path-icmptype=&lt;icmptype> 
 +                       Print file path of an icmptype [P only] 
 +  --icmptype=&lt;icmptype> --set-description=&lt;description> 
 +                       Set new description to icmptype [P only] 
 +  --icmptype=&lt;icmptype> --get-description 
 +                       Print description for icmptype [P only] 
 +  --icmptype=&lt;icmptype> --set-short=&lt;description> 
 +                       Set new short description to icmptype [P only] 
 +  --icmptype=&lt;icmptype> --get-short 
 +                       Print short description for icmptype [P only] 
 +  --icmptype=&lt;icmptype> --add-destination=&lt;ipv> 
 +                       Enable destination for ipv in icmptype [P only] 
 +  --icmptype=&lt;icmptype> --remove-destination=&lt;ipv> 
 +                       Disable destination for ipv in icmptype [P only] 
 +  --icmptype=&lt;icmptype> --query-destination=&lt;ipv> 
 +                       Return whether destination ipv is enabled in icmptype [P only] 
 +  --icmptype=&lt;icmptype> --get-destinations 
 +                       List destinations in icmptype [P only] 
 + 
 +Service Options 
 +  --new-service=&lt;service> 
 +                       Add a new service [P only] 
 +  --new-service-from-file=&lt;filename> [--name=&lt;service>
 +                       Add a new service from file with optional name [P only] 
 +  --delete-service=&lt;service> 
 +                       Delete an existing service [P only] 
 +  --load-service-defaults=&lt;service> 
 +                       Load icmptype default settings [P only] 
 +  --info-service=&lt;service> 
 +                       Print information about a service 
 +  --path-service=&lt;service> 
 +                       Print file path of a service [P only] 
 +  --service=&lt;service> --set-description=&lt;description> 
 +                       Set new description to service [P only] 
 +  --service=&lt;service> --get-description 
 +                       Print description for service [P only] 
 +  --service=&lt;service> --set-short=&lt;description> 
 +                       Set new short description to service [P only] 
 +  --service=&lt;service> --get-short 
 +                       Print short description for service [P only] 
 +  --service=&lt;service> --add-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Add a new port to service [P only] 
 +  --service=&lt;service> --remove-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Remove a port from service [P only] 
 +  --service=&lt;service> --query-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Return whether the port has been added for service [P only] 
 +  --service=&lt;service> --get-ports 
 +                       List ports of service [P only] 
 +  --service=&lt;service> --add-protocol=&lt;protocol> 
 +                       Add a new protocol to service [P only] 
 +  --service=&lt;service> --remove-protocol=&lt;protocol> 
 +                       Remove a protocol from service [P only] 
 +  --service=&lt;service> --query-protocol=&lt;protocol> 
 +                       Return whether the protocol has been added for service [P only] 
 +  --service=&lt;service> --get-protocols 
 +                       List protocols of service [P only] 
 +  --service=&lt;service> --add-source-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Add a new source port to service [P only] 
 +  --service=&lt;service> --remove-source-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Remove a source port from service [P only] 
 +  --service=&lt;service> --query-source-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Return whether the source port has been added for service [P only] 
 +  --service=&lt;service> --get-source-ports 
 +                       List source ports of service [P only] 
 +  --service=&lt;service> --add-helper=&lt;helper> 
 +                       Add a new helper to service [P only] 
 +  --service=&lt;service> --remove-helper=&lt;helper> 
 +                       Remove a helper from service [P only] 
 +  --service=&lt;service> --query-helper=&lt;helper> 
 +                       Return whether the helper has been added for service [P only] 
 +  --service=&lt;service> --get-service-helpers 
 +                       List helpers of service [P only] 
 +  --service=&lt;service> --set-destination=&lt;ipv>:&lt;address>[/&lt;mask>
 +                       Set destination for ipv to address in service [P only] 
 +  --service=&lt;service> --remove-destination=&lt;ipv> 
 +                       Disable destination for ipv i service [P only] 
 +  --service=&lt;service> --query-destination=&lt;ipv>:&lt;address>[/&lt;mask>
 +                       Return whether destination ipv is set for service [P only] 
 +  --service=&lt;service> --get-destinations 
 +                       List destinations in service [P only] 
 +  --service=&lt;service> --add-include=&lt;service> 
 +                       Add a new include to service [P only] 
 +  --service=&lt;service> --remove-include=&lt;service> 
 +                       Remove a include from service [P only] 
 +  --service=&lt;service> --query-include=&lt;service> 
 +                       Return whether the include has been added for service [P only] 
 +  --service=&lt;service> --get-includes 
 +                       List includes of service [P only] 
 + 
 +Options to Adapt and Query Zones and Policies 
 +  --list-all           List everything added for or enabled [P] [Z] [O] 
 +  --timeout=&lt;timeval>  Enable an option for timeval time, where timeval is 
 +                       a number followed by one of letters 's' or 'm' or 'h' 
 +                       Usable for options marked with [T] 
 +  --set-description=&lt;description> 
 +                       Set new description [P only] [Z] [O] 
 +  --get-description    Print description [P only] [Z] [O] 
 +  --get-target         Get the target [P only] [Z] [O] 
 +  --set-target=&lt;target> 
 +                       Set the target [P only] [Z] [O] 
 +  --set-short=&lt;description> 
 +                       Set new short description [Z] [O] 
 +  --get-short          Print short description [P only] [Z] [O] 
 +  --list-services      List services added [P] [Z] 
 +  --add-service=&lt;service> 
 +                       Add a service [P] [Z] [O] [T] 
 +  --remove-service=&lt;service> 
 +                       Remove a service [P] [Z] [O] 
 +  --query-service=&lt;service> 
 +                       Return whether service has been added [P] [Z] [O] 
 +  --list-ports         List ports added [P] [Z] [O] 
 +  --add-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Add the port [P] [Z] [O] [T] 
 +  --remove-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Remove the port [P] [Z] [O] 
 +  --query-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Return whether the port has been added [P] [Z] [O] 
 +  --list-protocols     List protocols added [P] [Z] [O] 
 +  --add-protocol=&lt;protocol> 
 +                       Add the protocol [P] [Z] [O] [T] 
 +  --remove-protocol=&lt;protocol> 
 +                       Remove the protocol [P] [Z] [O] 
 +  --query-protocol=&lt;protocol> 
 +                       Return whether the protocol has been added [P] [Z] [O] 
 +  --list-source-ports  List source ports added [P] [Z] [O] 
 +  --add-source-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Add the source port [P] [Z] [O] [T] 
 +  --remove-source-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Remove the source port [P] [Z] [O] 
 +  --query-source-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Return whether the source port has been added [P] [Z] [O] 
 +  --list-icmp-blocks   List Internet ICMP type blocks added [P] [Z] [O] 
 +  --add-icmp-block=&lt;icmptype> 
 +                       Add an ICMP block [P] [Z] [O] [T] 
 +  --remove-icmp-block=&lt;icmptype> 
 +                       Remove the ICMP block [P] [Z] [O] 
 +  --query-icmp-block=&lt;icmptype> 
 +                       Return whether an ICMP block has been added [P] [Z] [O] 
 +  --list-forward-ports List IPv4 forward ports added [P] [Z] [O] 
 +  --add-forward-port=port=&lt;portid>[-&lt;portid>]:proto=&lt;protocol>[:toport=&lt;portid>[-&lt;portid>]][:toaddr=&lt;address>[/&lt;mask>]] 
 +                       Add the IPv4 forward port [P] [Z] [O] [T] 
 +  --remove-forward-port=port=&lt;portid>[-&lt;portid>]:proto=&lt;protocol>[:toport=&lt;portid>[-&lt;portid>]][:toaddr=&lt;address>[/&lt;mask>]] 
 +                       Remove the IPv4 forward port [P] [Z] [O] 
 +  --query-forward-port=port=&lt;portid>[-&lt;portid>]:proto=&lt;protocol>[:toport=&lt;portid>[-&lt;portid>]][:toaddr=&lt;address>[/&lt;mask>]] 
 +                       Return whether the IPv4 forward port has been added [P] [Z] [O] 
 +  --add-masquerade     Enable IPv4 masquerade [P] [Z] [O] [T] 
 +  --remove-masquerade  Disable IPv4 masquerade [P] [Z] [O] 
 +  --query-masquerade   Return whether IPv4 masquerading has been enabled [P] [Z] [O] 
 +  --list-rich-rules    List rich language rules added [P] [Z] [O] 
 +  --add-rich-rule=&lt;rule> 
 +                       Add rich language rule 'rule' [P] [Z] [O] [T] 
 +  --remove-rich-rule=&lt;rule> 
 +                       Remove rich language rule 'rule' [P] [Z] [O] 
 +  --query-rich-rule=&lt;rule> 
 +                       Return whether a rich language rule 'rule' has been 
 +                       added [P] [Z] [O] 
 + 
 +Options to Adapt and Query Zones 
 +  --add-icmp-block-inversion 
 +                       Enable inversion of icmp blocks for a zone [P] [Z] 
 +  --remove-icmp-block-inversion 
 +                       Disable inversion of icmp blocks for a zone [P] [Z] 
 +  --query-icmp-block-inversion 
 +                       Return whether inversion of icmp blocks has been enabled 
 +                       for a zone [P] [Z] 
 +  --add-forward        Enable forwarding of packets between interfaces and 
 +                       sources in a zone [P] [Z] [T] 
 +  --remove-forward     Disable forwarding of packets between interfaces and 
 +                       sources in a zone [P] [Z] 
 +  --query-forward      Return whether forwarding of packets between interfaces 
 +                       and sources has been enabled for a zone [P] [Z] 
 + 
 +Options to Adapt and Query Policies 
 +  --get-priority       Get the priority [P only] [O] 
 +  --set-priority=&lt;priority> 
 +                       Set the priority [P only] [O] 
 +  --list-ingress-zones 
 +                       List ingress zones that are bound to a policy [P] [O] 
 +  --add-ingress-zone=&lt;zone> 
 +                       Add the ingress zone to a policy [P] [O] 
 +  --remove-ingress-zone=&lt;zone> 
 +                       Remove the ingress zone from a policy [P] [O] 
 +  --query-ingress-zone=&lt;zone> 
 +                       Query whether the ingress zone has been adedd to a 
 +                       policy [P] [O] 
 +  --list-egress-zones 
 +                       List egress zones that are bound to a policy [P] [O] 
 +  --add-egress-zone=&lt;zone> 
 +                       Add the egress zone to a policy [P] [O] 
 +  --remove-egress-zone=&lt;zone> 
 +                       Remove the egress zone from a policy [P] [O] 
 +  --query-egress-zone=&lt;zone> 
 +                       Query whether the egress zone has been adedd to a 
 +                       policy [P] [O] 
 + 
 +Options to Handle Bindings of Interfaces 
 +  --list-interfaces    List interfaces that are bound to a zone [P] [Z] 
 +  --add-interface=&lt;interface> 
 +                       Bind the &lt;interface> to a zone [P] [Z] 
 +  --change-interface=&lt;interface> 
 +                       Change zone the &lt;interface> is bound to [P] [Z] 
 +  --query-interface=&lt;interface> 
 +                       Query whether &lt;interface> is bound to a zone [P] [Z] 
 +  --remove-interface=&lt;interface> 
 +                       Remove binding of &lt;interface> from a zone [P] [Z] 
 + 
 +Options to Handle Bindings of Sources 
 +  --list-sources       List sources that are bound to a zone [P] [Z] 
 +  --add-source=&lt;source>[/&lt;mask>]|&lt;MAC>|ipset:&lt;ipset> 
 +                       Bind the source to a zone [P] [Z] 
 +  --change-source=&lt;source>[/&lt;mask>]|&lt;MAC>|ipset:&lt;ipset> 
 +                       Change zone the source is bound to [Z] 
 +  --query-source=&lt;source>[/&lt;mask>]|&lt;MAC>|ipset:&lt;ipset> 
 +                       Query whether the source is bound to a zone [P] [Z] 
 +  --remove-source=&lt;source>[/&lt;mask>]|&lt;MAC>|ipset:&lt;ipset> 
 +                       Remove binding of the source from a zone [P] [Z] 
 + 
 +Helper Options 
 +  --new-helper=&lt;helper> --module=&lt;module> [--family=&lt;family>
 +                       Add a new helper [P only] 
 +  --new-helper-from-file=&lt;filename> [--name=&lt;helper>
 +                       Add a new helper from file with optional name [P only] 
 +  --delete-helper=&lt;helper> 
 +                       Delete an existing helper [P only] 
 +  --load-helper-defaults=&lt;helper> 
 +                       Load helper default settings [P only] 
 +  --info-helper=&lt;helper> Print information about an helper 
 +  --path-helper=&lt;helper> Print file path of an helper [P only] 
 +  --get-helpers         Print predefined helpers 
 +  --helper=&lt;helper> --set-description=&lt;description> 
 +                       Set new description to helper [P only] 
 +  --helper=&lt;helper> --get-description 
 +                       Print description for helper [P only] 
 +  --helper=&lt;helper> --set-short=&lt;description> 
 +                       Set new short description to helper [P only] 
 +  --helper=&lt;helper> --get-short 
 +                       Print short description for helper [P only] 
 +  --helper=&lt;helper> --add-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Add a new port to helper [P only] 
 +  --helper=&lt;helper> --remove-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Remove a port from helper [P only] 
 +  --helper=&lt;helper> --query-port=&lt;portid>[-&lt;portid>]/&lt;protocol> 
 +                       Return whether the port has been added for helper [P only] 
 +  --helper=&lt;helper> --get-ports 
 +                       List ports of helper [P only] 
 +  --helper=&lt;helper> --set-module=&lt;module> 
 +                       Set module to helper [P only] 
 +  --helper=&lt;helper> --get-module 
 +                       Get module from helper [P only] 
 +  --helper=&lt;helper> --set-family={ipv4|ipv6|} 
 +                       Set family for helper [P only] 
 +  --helper=&lt;helper> --get-family 
 +                       Get module from helper [P only] 
 + 
 +Direct Options 
 +  --direct             First option for all direct options 
 +  --get-all-chains 
 +                       Get all chains [P] 
 +  --get-chains {ipv4|ipv6|eb} &lt;table> 
 +                       Get all chains added to the table [P] 
 +  --add-chain {ipv4|ipv6|eb} &lt;table> &lt;chain> 
 +                       Add a new chain to the table [P] 
 +  --remove-chain {ipv4|ipv6|eb} &lt;table> &lt;chain> 
 +                       Remove the chain from the table [P] 
 +  --query-chain {ipv4|ipv6|eb} &lt;table> &lt;chain> 
 +                       Return whether the chain has been added to the table [P] 
 +  --get-all-rules 
 +                       Get all rules [P] 
 +  --get-rules {ipv4|ipv6|eb} &lt;table> &lt;chain> 
 +                       Get all rules added to chain in table [P] 
 +  --add-rule {ipv4|ipv6|eb} &lt;table> &lt;chain> &lt;priority> &lt;arg>... 
 +                       Add rule to chain in table [P] 
 +  --remove-rule {ipv4|ipv6|eb} &lt;table> &lt;chain> &lt;priority> &lt;arg>... 
 +                       Remove rule with priority from chain in table [P] 
 +  --remove-rules {ipv4|ipv6|eb} &lt;table> &lt;chain> 
 +                       Remove rules from chain in table [P] 
 +  --query-rule {ipv4|ipv6|eb} &lt;table> &lt;chain> &lt;priority> &lt;arg>... 
 +                       Return whether a rule with priority has been added to 
 +                       chain in table [P] 
 +  --passthrough {ipv4|ipv6|eb} &lt;arg>... 
 +                       Pass a command through (untracked by firewalld) 
 +  --get-all-passthroughs 
 +                       Get all tracked passthrough rules [P] 
 +  --get-passthroughs {ipv4|ipv6|eb} &lt;arg>... 
 +                       Get tracked passthrough rules [P] 
 +  --add-passthrough {ipv4|ipv6|eb} &lt;arg>... 
 +                       Add a new tracked passthrough rule [P] 
 +  --remove-passthrough {ipv4|ipv6|eb} &lt;arg>... 
 +                       Remove a tracked passthrough rule [P] 
 +  --query-passthrough {ipv4|ipv6|eb} &lt;arg>... 
 +                       Return whether the tracked passthrough rule has been 
 +                       added [P] 
 + 
 +Lockdown Options 
 +  --lockdown-on        Enable lockdown. 
 +  --lockdown-off       Disable lockdown. 
 +  --query-lockdown     Query whether lockdown is enabled 
 + 
 +Lockdown Whitelist Options 
 +  --list-lockdown-whitelist-commands 
 +                       List all command lines that are on the whitelist [P] 
 +  --add-lockdown-whitelist-command=&lt;command> 
 +                       Add the command to the whitelist [P] 
 +  --remove-lockdown-whitelist-command=&lt;command> 
 +                       Remove the command from the whitelist [P] 
 +  --query-lockdown-whitelist-command=&lt;command> 
 +                       Query whether the command is on the whitelist [P] 
 +  --list-lockdown-whitelist-contexts 
 +                       List all contexts that are on the whitelist [P] 
 +  --add-lockdown-whitelist-context=&lt;context> 
 +                       Add the context context to the whitelist [P] 
 +  --remove-lockdown-whitelist-context=&lt;context> 
 +                       Remove the context from the whitelist [P] 
 +  --query-lockdown-whitelist-context=&lt;context> 
 +                       Query whether the context is on the whitelist [P] 
 +  --list-lockdown-whitelist-uids 
 +                       List all user ids that are on the whitelist [P] 
 +  --add-lockdown-whitelist-uid=&lt;uid> 
 +                       Add the user id uid to the whitelist [P] 
 +  --remove-lockdown-whitelist-uid=&lt;uid> 
 +                       Remove the user id uid from the whitelist [P] 
 +  --query-lockdown-whitelist-uid=&lt;uid> 
 +                       Query whether the user id uid is on the whitelist [P] 
 +  --list-lockdown-whitelist-users 
 +                       List all user names that are on the whitelist [P] 
 +  --add-lockdown-whitelist-user=&lt;user> 
 +                       Add the user name user to the whitelist [P] 
 +  --remove-lockdown-whitelist-user=&lt;user> 
 +                       Remove the user name user from the whitelist [P] 
 +  --query-lockdown-whitelist-user=&lt;user> 
 +                       Query whether the user name user is on the whitelist [P] 
 + 
 +Panic Options 
 +  --panic-on           Enable panic mode 
 +  --panic-off          Disable panic mode 
 +  --query-panic        Query whether panic mode is enabled 
 + 
 +</pre></html></WRAP> 
 +</WRAP> 
 + 
 +===== 参考文献 ===== 
 + 
 +==== 付録 ==== 
 +[[tw>tomoyan596/status/1463880721571872781|firewall-cmdこんないいヤツでした?😅You're performing an operation over default zone ('FedoraWorkstation'),but your connections/interfaces are in zone 'FedoraServer,libvirt' (see --get-active-zones)You most likely need to use --zone=FedoraServer option. / Twitter]]\\
  
  • linux/commands/network/firewall-cmd.1637850956.txt.gz
  • 最終更新: 2021/11/25 23:35
  • by ともやん