HQY 一个和谐有爱的空间
HQY
首页
留言本
关于我
会员注册
微信支付宝扫一扫,打赏作者吧~
20
2019
05
11:44:49
RHEL7: How to get started with Firewalld.
https://www.certdepot.net/rhel7-get-started-firewalld/
RHEL7: How to get started with Firewalld.
Last updated on
October 3, 2018
(768,677 views) -
CertDepot
—
79 Comments ↓
Share this link
mp
ortant;">
0
<span class="fsb-count" style="margin: 0px 0px 0px 70px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; width: 30px; text-align: center; display: inline-block;">0</span></a></div></div><div class="fsb-clear" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; clear: both;"></div><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: This is an <a href="https://www.certdepot.net/rhel7-rhcsa-exam-objectives/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">RHCSA 7 exam objective</a> and an <a href="https://www.certdepot.net/rhel7-rhce-exam-objectives/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">RHCE 7 exam objective</a>.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Presentation</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;"><span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> is the new userland interface in <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7</span>. It replaces the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">iptables</span> interface and connects to the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">netfilter</span> kernel code. It mainly improves the security rules management by allowing configuration changes without stopping the current connections.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To know if <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> is running, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># systemctl status firewalldfirewalld.service - firewalld - dynamic firewall daemon Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled) Active: active (running) since Tue 2014-06-17 11:14:49 CEST; 5 days ago ...</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">or alternatively:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --staterunning</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: If <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> is not running, the command displays <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">not running</span>.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">If you’ve got several network interfaces in <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">IPv4</span>, you will have to activate <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ip forwarding</span>.<br/>To do that, paste the following line into the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/sysctl.conf</span> file:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;">net.ipv4.ip_forward=1</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Then, activate the configuration:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># sysctl -p</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: If you interested in kernel parameter configuration, there is a <a href="https://www.certdepot.net/rhel7-use-sysctl/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;"><a href="https://hqyman.cn/tags-58.html">tutorial</a> about the sysctl command</a>.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Although <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> is the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7</span> way to deal with firewalls and provides many improvements, <a title="RHEL7: How to disable Firewalld and use Iptables instead." href="https://www.certdepot.net/rhel7-disable-firewalld-use-iptables/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">iptables can still be used</a> (but both shouldn’t run at the same time).</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">You can also look at the iptables rules created by <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> with the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">iptables-save</span> command.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Zone Management</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Also, a new concept of zone appears: all network interfaces can be located in the same default zone or divided into different ones according to the levels of trust defined. In the latter case, this allows to restrict traffic based on origin zone (read this <a href="https://lwn.net/Articles/484506/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">article</a> from <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">lwn.net</span> for more details).<br/>Note: Without any configuration, everything is done by default in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">public</span> zone. If you’ve got more than one network interface or use <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">sources</span> (see <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Source management</span> section below), you will be able to restrict traffic between zones.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To get the default zone, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --get-default-zonepublic</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To get the list of zones where you’ve got network interfaces or sources assigned to, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --get-active-zonespublic interfaces: eth0</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: You can have more than one active zone at a time.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To get the list of all the available zones, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --get-zonesblock dmz drop external home internal public trusted work</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To change the default zone to <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">home</span> permanently, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --set-default-zone=homesuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: This information is stored in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/firewalld/firewalld.conf</span> file.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Network interfaces can be assigned to a zone in a <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanent</span> way.<br/>To <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanently</span> assign the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">eth0</span> network interface to the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">internal</span> zone (a file called <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">internal.xml</span> is created in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/firewalld/zones</span> directory), type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --zone=internal --change-interface=eth0success # nmcli con show | grep eth0System eth0 4de55c95-2368-429b-be65-8f7b1a357e3f 802-3-ethernet eth0 # nmcli con mod "System eth0" connection.zone internal# nmcli con up "System eth0"Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: This operation can also be done by editing the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/sysconfig/network-scripts/ifcfg-eth0</span> file and add <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ZONE=internal</span> followed by # <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">nmcli con reload </span>. It seems that with <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.5</span>, the use of <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ZONE</span> in <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ifcfg-*</span> files no longer works (<a href="http://www.advancedclustering.com/act_kb/fixing-firewall-zones-centos-7-5/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">source</a>).<br/>Note2: More information about the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">nmcli</span> command is available at the <a href="https://www.certdepot.net/rhel7-get-started-nmcli/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">page dedicated to nmcli</a>or at the <a href="https://www.certdepot.net/rhel7-configure-ipv4-addresses/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">IPV4 configuration page</a>.<br/>Note3: The <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span> release improves the way <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> handles zones (v0.3.9 -> v0.4.3.2: BZ#<a href="https://bugzilla.redhat.com/show_bug.cgi?id=1302802" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">1302802</a>).</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To know which zone is associated with the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">eth0</span> interface, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --get-zone-of-interface=eth0internal</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To get the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanent </span>configuration of the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">public</span> zone, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --zone=public --list-allpublic (default, active) interfaces: eth0 sources: services: dhcpv6-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">It is also possible to create new zones. To create a new zone (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">test</span>), type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --new-zone=testsuccess # firewall-cmd --reloadsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: Only <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanent</span> zones can be created.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Source Management</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">A zone can be bound to a network interface (see above) and/or to a network addressing (called here a <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">source</span>).<br/>Any network packet entering in the network stack is associated with a zone.<br/>The association is done according to the following pattern:<br/>– is the packet coming from a source already bound to a zone? (if yes, it is associated with this zone),<br/>– if not, is the packet coming from a network interface already bound to a zone? (if yes, it is associated with this zone),<br/>– if not, the packet is associated with the default zone.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">This way, multiple zones can be defined even on a server with only one network interface!</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;"><span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Caution</span>: To get this feature, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> relies on <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">NetworkManager</span> (see <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">reference</a>). This means that if you plan to stop <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">NetworkManager</span> for any reason (for example when <a title="RHEL7: Configure lab network settings." href="https://www.certdepot.net/rhel7-configure-lab-network-settings/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">building a <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">KVM</span> host</a>), you will have to <a title="RHEL7: How to disable Firewalld and use Iptables instead." href="https://www.certdepot.net/rhel7-disable-firewalld-use-iptables/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">stop Firewalld and use Iptables instead</a>!<br/>Note: With the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span> release, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> robustness has been improved in regard to <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">NetworkManager</span> (see details <a href="http://www.firewalld.org/2016/05/firewalld-0-4-2-release" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">here</a>).</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To add a source (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">192.168.2.0/24</span>) to a zone (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">trusted</span>) <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanently</span>, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --zone=trusted --add-source=192.168.2.0/24success # firewall-cmd --reloadsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: Use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–remove-source</span> option to delete a previous assigned source.<br/>Note2: Use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–change-source</span> option to move the source to the new specified zone.<br/>Note3: If you want to <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">temporarily</span> add a source to a zone, don’t use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option and don’t <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">reload</span> the firewall configuration. If you <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">reload</span> the firewall configuration, this will <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">cancel</span> all the operation.<br/>Note4: You can also make some changes and when you like your new configuration, have it become your permanent configuration with the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">firewall-cmd –runtime-to-permanent</span>command.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">With the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span> release, you can add a source based on a <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">MAC</span> address (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">00:11:22:33:44:55</span>) to a zone (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">trusted</span>) <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanently</span>:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --zone=trusted --add-source=00:11:22:33:44:55success # firewall-cmd --reloadsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">With the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span> release, you can create an <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ipset</span> (a set of IP addresses or networks, see below) and add a source based on it:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --new-ipset=iplist --type=hash:ipsuccess # firewall-cmd --reloadsuccess # firewall-cmd --ipset=iplist --add-entry=192.168.1.11success # firewall-cmd --ipset=iplist --add-entry=192.168.1.12success # firewall-cmd --permanent--zone=trusted --add-source=ipset:iplistsuccess # firewall-cmd --reloadsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To get the list of the sources <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">currently</span> bound to a zone (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">trusted</span>), type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --zone=trusted --list-sources192.168.2.0/24 00:11:22:33:44:55 ipset:iplist</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: Remove the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option if you only want to display <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">temporary</span> settings.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To keep track of your configuration (<span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">active</span> zones are zones that have a binding to an interface or source), type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --get-active-zonespublic interfaces: eth0 trusted sources: 192.168.2.0/24</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">As an exemple of source management, let’s assume you want to only allow connections to your server from a specific IP address (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">1.2.3.4/32</span>).</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --zone=internal --add-service=ssh --permanentsuccess # firewall-cmd --zone=internal --add-source=1.2.3.4/32 --permanentsuccess # firewall-cmd --zone=public --remove-service=ssh --permanentsuccess # firewall-cmd --reloadsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Source: <a title="http://serverfault.com/questions/680780/block-all-but-a-few-ips-with-firewalld" href="http://serverfault.com/questions/680780/block-all-but-a-few-ips-with-firewalld" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Serverfault website</a>.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">With <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span>, a new option called <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–info-zone</span> is available.<br/>To get the detail of a zone called <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">public</span>, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --info-zone=publicpublic (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules:</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: You can also add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Service Management</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">After assigning each network interface to a zone, it is now possible to add services to each zone.<br/>To allow the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">http</span> service <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanently</span> in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">internal</span> zone, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --zone=internal --add-service=httpsuccess # firewall-cmd --reloadsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: Type <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–remove-service=http</span> to deny the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">http</span> service.<br/>Note2: The <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">firewall-cmd –reload</span> command is necessary to activate the change. Contrary to the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–complete-reload</span> option, current connections are not stopped.<br/>Note3: If you only want to <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">temporarily</span> add a service, don’t use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option and don’t <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">reload</span> the firewall configuration. If you <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">reload</span> the firewall configuration, you <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">cancel</span> all the operation.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">If you want to temporary add several services (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">http</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">https</span>, and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">dns</span>) at the same time in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">internal</span> zone, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --zone=internal --add-service={http,https,dns}success</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To get the list of services in the default zone, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --list-servicesdhcpv6-client ssh</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: To get the list of the services in a particular zone, add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–zone=</span> option.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">With <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span>, a new option called <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–info-service</span> is available.<br/>To get some information about the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ftp</span> service, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --info-service=ftpftp ports: 21/tcp protocols: source-ports: modules: nf_conntrack_ftp destination:</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: You can also add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Firewall Services Configuration</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">With the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> package, the firewall configuration of the main services (ftp, httpd, etc) comes in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/usr/lib/firewalld/services</span> directory. But it is still possible to add new ones in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/firewalld/services</span> directory. Also, if files exist at both locations for the same service, the file in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/firewalld/services</span> directory takes precedence.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">For example, it is the case of the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">HAProxy</span> service. There is no firewall configuration associated.<br/>Create the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/firewalld/services/haproxy.xml</span> and paste the following lines:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"><?xml version="1.0" encoding="utf-8"?> <service> <short>HAProxy</short> <description>HAProxy load-balancer</description> <port protocol="tcp" port="80"/> </service></pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: You can use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">firewall-cmd –permanent –new-service=haproxy</span> command to quickly create a configuration file skeleton.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Assign the correct <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">SELinux</span> context and file permissions to the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">haproxy.xml</span> file:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># cd /etc/firewalld/services# restorecon haproxy.xml# chmod 640 haproxy.xml</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">HAProxy</span> service to the default zone <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanently</span> and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">reload</span> the firewall configuration:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --add-service=haproxysuccess # firewall-cmd --reloadsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: According to <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Bert Van Vreckem</span>, it is possible to go quicker by using the command history (see details <a href="https://bertvv.github.io/presentation-el7-basics/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">here</a>):</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --add-service=haproxysuccess # firewall-cmd --add-service=haproxy --permanentsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">In <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.0 </span>(<span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">v0.3.9.7)</span>, there were <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">47</span> firewall services configured: <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">amanda-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">bacula</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">bacula-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">dhcp</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">dhcpv6</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">dhcpv6-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">dns</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ftp</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">high-availability</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">http</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">https</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">imaps</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ipp</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ipp-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ipsec</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">kerberos</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">kpasswd</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ldap</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ldaps</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">libvirt</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">libvirt-tls</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">mdns</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">mountd</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ms-wbt</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">mysql</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">nfs</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ntp</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">open<a href="https://hqyman.cn/tags-4.html">vpn</a></span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">pmcd</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">pmproxy</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">pmwebapi</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">pmwebapis</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">pop3s</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">postgresql</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">proxy-dhcp</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">radius</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">rpc-bind</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">samba</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">samba-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">smtp, </span><span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ssh</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">telnet</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">tftp</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">tftp-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">transmission-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">vnc-server</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">wbem-https</span>.<br/>In <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.1</span> (<span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld v0.3.9.11)</span>, the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RH-Satellite-6</span> service was added.<br/>In <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.2</span> (<span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">v0.3.9.14</span>), the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">freeipa-ldaps</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">freeipa-ldap</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">freeipa-replication</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">iscsi-target</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">rsyncd</span> and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">vdsm</span> services were added.<br/>In <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span> (<span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">v0.4.3.2</span>), the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">amanda-k5-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ceph</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ceph-mon</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">docker-registry</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">dropbox-lansync</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">imap</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">kadmin</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">mosh</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">pop3</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">privoxy</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ptp</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">pulseaudio</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">puppetmaster</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">sane</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">smtps</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">snmp</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">snmptrap</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">squid</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">synergy</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">syslog</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">syslog-tls</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">tinc</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">tor-socks</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">xmpp-bosh</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">xmpp-client</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">xmpp-local</span> and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">xmpp-server</span> services have been added for a total of <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">81</span>services.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Port Management</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Port management follows the same model as service management.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To allow the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">443/tcp</span> port <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">temporarily</span> in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">internal</span> zone, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --zone=internal --add-port=443/tcpsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: To make the configuration <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanent</span>, add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">reload</span> the firewall configuration.<br/>Note2: Type <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–remove-port=443/tcp</span> to deny the port.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To get the list of ports <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">currently</span> open in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">internal</span> zone, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --zone=internal --list-ports443/tcp</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: To only get the list of ports <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanently</span> open, add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option. Here, you will not get anything.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Rich Rules</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">As the syntax used by the rich rules are somehow difficult to remember, keep in mind the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">man firewalld.richlanguage</span> command and the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Example</span> section at the end.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Here is the format of a rich rule:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --add-rich-rule 'rule ...'</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To allow all connections from <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">192.168.2.2</span>, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.2.2" log accept'</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: The <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">log</span> option writes coming packets into the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/var/log/messages</span> file.<br/>Note2: Use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–remove-rich-rule</span> option instead of the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–add-rich-rule</span> option if you want to delete an already existing rule.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To list the rich rules set in the default zone, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --list-allpublic (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: dhcpv6-client ssh ports: protocols: masquerade: no forward-ports: sourceports: icmp-blocks: rich rules: rule family="ipv4" source address="192.168.2.2" log accept</pre><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Direct Rules</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">It is still possible to set specific rules by using the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">direct</span> mode (here to open the tcp port <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">9000</span>) that by-passes the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> interface:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPTsuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: This example has been borrowed from <a title="http://ktaraghi.blogspot.fr/2013/10/what-is-firewalld-and-how-it-works.html" href="http://ktaraghi.blogspot.fr/2013/10/what-is-firewalld-and-how-it-works.html" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Khosro Taraghi’s blog</a>.<br/>Note2: Use the same command with the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–remove-rule</span> instead of <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–add-rule</span> to delete the rule.<br/>Note3: The configuration is <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">temporary</span> except if you add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option just after the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–direct</span> option.<br/>Note4: It is not necessary to <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">reload</span> the firewall configuration, all commands are <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">directly</span>activated.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To display all the direct rules added, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --direct --get-all-rules</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: For information, the configuration is written into the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/firewalld/direct.xml</span> file.<br/>Note2: <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Direct rules</span> are not part of the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHCSA</span>/<span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHCE</span> exam objectives.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">IP Set Management</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">With the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span> comes the ability to create <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ipsets</span>. An <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ipset</span> is a set of IP addresses or networks. The different categories belong to <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">hash:ip </span>or <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">hash:net</span>.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To create a permanent IPv4 <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ipset</span> containing two IP addresses and drop packets coming from these addresses, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --new-ipset=blacklist --type=hash:ipsuccess # firewall-cmd --reloadsuccess # firewall-cmd --ipset=blacklist --add-entry=192.168.1.11success # firewall-cmd --ipset=blacklist --add-entry=192.168.1.12success # firewall-cmd --add-rich-rule='rule source ipset=blacklist drop'success</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: Add <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–option=family=inet6</span> to create an <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">IPv6</span> ipset.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To get the content of the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">blacklist</span> ipset, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --info-ipset=blacklistblacklist type: hash:ip options: entries: 192.168.1.11 192.168.1.12</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To remove the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">192.168.1.12</span> entry from the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">blacklist</span> ipset, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --ipset=blacklist --remove-entry=192.168.1.12success # firewall-cmd --ipset=blacklist --get-entries192.168.1.11</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To create a permanent IPv4 ipset containing two networks, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --new-ipset=netlistsuccess # firewall-cmd --reloadsuccess # firewall-cmd --ipset=netlist --add-entry=192.168.1.0/24success # firewall-cmd --ipset=netlist --add-entry=192.168.2.0/24success # firewall-cmd --info-ipset=netlistnetlist type: hash:net options: entries: 192.168.1.0/24 192.168.2.0/24 To remove the netlist ipset, type: # firewall-cmd --permanent --delete-ipset=netlistsuccess # firewall-cmd --reloadsuccess # firewall-cmd --get-ipsetsblacklist It is also possible to download the content of an ipset from a file (--add-entries-from-file=file option) or store it with the name ipset in the /etc/firewalld/ipsets/ipset.xmlor /usr/lib/firewalld/ipsets/ipset.xml files according to the following format:</pre><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"><?xml version="1.0" encoding="utf-8"?> <ipset type="hash:ip"> <short>My Ipset</short> <description>description</description> <entry>192.168.1.11</entry> <entry>192.168.1.12</entry> </ipset></pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To load this ipset, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --reload</pre><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Masquerading</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">If your firewall is your network gateway and you don’t want everybody to know your internal addresses, you can set up two zones, one called <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">internal</span>, the other <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">external</span>, and configure <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">masquerading</span> on the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">external</span> zone. This way, all packets will get your firewall ip address as source address.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To set up <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">masquerading</span> on the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">external</span> zone in a temporary way, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --zone=external --add-masqueradesuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: To remove <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">masquerading</span>, use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–remove-masquerade</span> option.<br/>Note2: To know if <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">masquerading</span> is active in a zone, use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–query-masquerade</span> option.<br/>Note3: To get the configuration <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanent</span>, add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">reload</span> the firewall configuration.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Port Forwarding</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;"><span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Port forwarding</span> is a way to forward inbound network traffic for a specific port to another internal address or an alternative port.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;"><span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Caution: Port forwarding requires masquerading</span> (<a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Configuring_firewalld" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">source</a>). This point is a classical mistake made during the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHCE</span> exam.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">So, you need to enable <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">masquerading</span> before anything else:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --zone=external --add-masqueradesuccess</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">If you want all packets intended for port <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">22</span> to be now forwarded to port <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">tcp</span> <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">3753 temporarily</span>, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --zone=external --add-forward-port=port=22:proto=tcp:toport=3753success</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note1: To remove <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">port forwarding</span>, use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–remove-forward-port</span> option.<br/>Note2: To know if <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">port forwarding</span> is active in a zone, use the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–query-forward-port</span> option.<br/>Note3: If you want to make the configuration <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanent</span>, add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">–permanent</span> option and reload the firewall configuration.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Also, if you want to define the destination ip address, this time in a <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">permanent</span> way, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --permanent --zone=external --add-forward-port=port=22:proto=tcp:toport=3753:toaddr=10.0.0.1success # firewall-cmd --reloadsuccess</pre><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Special Modules</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Sometimes it is required to download specific modules. Instead of <a href="https://www.certdepot.net/rhel7-rc-local-service/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">using a rc.local file</a>, it is better to notify <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> through the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/modules-load.d</span> directory.<br/>In this example we want to add the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ip_nat_ftp</span> and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ip_conntrack_ftp</span> modules to follow <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">ftp</span>connections.<br/>We only need to choose a filename (here <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">firewall_ftp.conf</span>) and type these instructions:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># echo ip_nat_ftp > /etc/modules-load.d/firewall_ftp.conf# echo ip_conntrack_ftp >> /etc/modules-load.d/firewall_ftp.conf</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Source: <a title="http://unix.stackexchange.com/questions/240044/on-centos7-firewalld-overwrite-iptables-modules" href="http://unix.stackexchange.com/questions/240044/on-centos7-firewalld-overwrite-iptables-modules" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">StackExchange website</a>.</p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Offline Configuration</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">In some cases (installations through <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Anaconda</span> or <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Kickstart </span>for example), you need to set up firewall rules when <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> is not running. The <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">firewall-offline-cmd</span> command has just been created for this purpose.<br/>For instance, to open the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">tcp port 22</span>, you would type in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/sysconfig/iptables</span> file:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;">-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Instead, you can now execute the following command:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-offline-cmd --direct --add-rule ipv4 filter INPUT 0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT</pre><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Configuration Backup</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To store the current configuration into files, type:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># iptables -S > firewalld_rules_ipv4# ip6tables -S > firewalld_rules_ipv6</pre><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Debugging Tips</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">To better understand how <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld</span> works, assign the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">‘–debug’</span> value to the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">FIREWALLD_ARGS</span> variable in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/sysconfig/firewalld</span> file:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewalld command line args # possile values: --debug FIREWALLD_ARGS='--debug'</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Restart the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld </span>daemon:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># systemctl restart firewalld</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: Messages will be written into the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/var/log/firewalld</span> file.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Also, with the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">RHEL 7.3</span> release comes the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">LogDenied</span> directive in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/firewalld/firewalld.conf</span> file.<br/>This directive adds logging rules right before reject and drop rules in the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">INPUT</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">FORWARD</span>and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">OUTPUT</span> chains for the default rules and also final reject and drop rules in zones.<br/>Possible values are: <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">all</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">unicast</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">broadcast</span>, <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">multicast</span> and <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">off</span> (value by default).</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Reload the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Firewalld </span>configuration:</p><pre style="margin-top: 0px; margin-bottom: 0px; padding: 6px 10px; border-width: 1px; border-style: solid; border-color: rgb(170, 170, 170) rgb(170, 170, 170) rgb(204, 204, 204); border-image: initial; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: monospace, serif; vertical-align: middle; box-sizing: border-box; width: 605.484px; height: auto; border-radius: 2px; outline: none; background-color: rgb(244, 244, 244); box-shadow: rgb(255, 255, 255) 0px 1px 0px, rgba(0, 0, 0, 0.2) 0px 1px 1px inset; overflow-wrap: normal; overflow-x: auto;"># firewall-cmd --reload</pre><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Note: Messages will be written into the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/var/log/messages</span> file. If you also want messages to be written in a file called <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/var/log/custom.log</span>, edit the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">/etc/rsyslog.conf</span> file, add the line <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">kern.warning /var/log/custom.log</span> and restart the <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">rsyslog</span> configuration with <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;"># systemctl restart rsyslog</span></p><h2 style="margin: 0.75em 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: 1em; font-family: inherit; font-size: 2.25em; vertical-align: baseline; overflow-wrap: break-word;">Additional Resources</h2><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">In addition, you can:</p><ul style="margin-right: 1.5em; margin-bottom: 1.5em; padding: 0px 0px 0px 2em; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; list-style-position: initial; list-style-image: initial;" class=" list-paddingleft-2"><li><p>read this <a title="http://searchdatacenter.techtarget.com/tip/A-few-ways-to-configure-Linux-firewalld" href="http://searchdatacenter.techtarget.com/tip/A-few-ways-to-configure-Linux-firewalld" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">article about Firewalld by Sander van Vugt,</a></p></li><li><p>watch <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Thomas Woerner</span>‘s video about <a title="https://www.youtube.com/watch?v=L8rwSqONmCY#t=4m45s" href="https://www.youtube.com/watch?v=L8rwSqONmCY#t=4m45s" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Firewalld, present and future (48min/2015)</a>,</p></li><li><p>read this <a href="https://fedoraproject.org/wiki/Fail2ban_with_FirewallD" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">FedoraProject page about Fail2ban with Firewalld</a>,</p></li><li><p>read this article about <a href="https://www.hogarthuk.com/?q=node/9" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Firewalld and zone deployment by James Hogarth</a>,</p></li><li><p>read the <a href="https://benchmarks.cisecurity.org/tools2/<a href="https://hqyman.cn/tags-62.html">linux</a>/CIS_Red_Hat_Enterprise_Linux_7_Benchmark_v1.1.0.pdf" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">CIS RHEL 7 Server Hardening Guide</a>,</p></li><li><p>watch <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Venkat Nagappan</span>‘s video about <a href="https://www.youtube.com/watch?v=TyMallqnWiw" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Firewalld Concepts and Examples (34min/2015)</a>,</p></li><li><p>watch <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Sander van Vugt</span>‘s video about <a href="https://www.youtube.com/watch?v=MKTDFkwgMRQ" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">port forwarding using firewall-cmd (8min/2015)</a>,</p></li><li><p>watch <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Ralph Nyberg</span>‘s video about <a href="https://www.youtube.com/watch?v=XF9sjjLM8_0" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Firewalld and Iptables (26min/2016)</a>,</p></li><li><p>read <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Thomas Woerner</span>‘s blog, the <a href="http://www.firewalld.org/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">blog of the author of Firewalld</a>,</p></li><li><p>read this presentation from the <a href="http://www.firewalld.org/uploads/2015/06/nfws2015-firewalld.pdf" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">11th Netfilter Workshop (2015)</a>,</p></li><li><p>read the <a href="https://github.com/t-woerner/firewalld/releases" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">changelog of the Firewalld versions</a>,</p></li><li><p>have a look at <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;"><span class="byline author vcard" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;"><span class="byline-name fn" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Daniel Aleksandersen</span></span></span>‘s blog about <a href="https://www.ctrl.blog/entry/how-to-firewalld-zone-by-ip" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Configuring zones bound by source IPs in Firewalld</a> or <a href="https://www.ctrl.blog/entry/ufw-vs-firewalld" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Comparing and contrasting Uncomplicated Firewall and Firewalld</a>,</p></li><li><p>read <span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: 700; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;">Alexander Molochko</span>‘s blog about <a href="https://crosp.net/blog/administration/drop-all-accept-few-zone-firewalld-centos-7/" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">Creating a new zone in Firewalld</a>.</p></li></ul><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Sources: <a title="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html" href="https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">RHEL7 Security Guide</a>, <a title="https://fedoraproject.org/wiki/FirewallD" href="https://fedoraproject.org/wiki/FirewallD" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; color: rgb(0, 102, 204); text-decoration-line: none;">wiki Fedora project</a>.</p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;"><span style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;"></span></p><div class="wpProQuiz_content" id="wpProQuiz_11" style="margin-right: 0px; margin-left: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; margin-top: 10px !important; margin-bottom: 10px !important;"><div class="wpProQuiz_text" style="margin: 0px; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline;"><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;"><br/></p><p style="margin-top: 1.6em; margin-bottom: 1.6em; padding: 0px; border: 0px; font-style: inherit; font-variant: inherit; font-weight: inherit; font-stretch: inherit; line-height: inherit; font-family: inherit; vertical-align: baseline; overflow-wrap: break-word;">Test yourself!</p></div></div></div><p><br/></p><br></br> <p style="font-size: 24px;">推荐本站淘宝优惠价购买喜欢的宝贝:</p> <p> <a href="https://hqyman.cn/taobao/" target="_blank" title="本站自助优惠购物"><img src="https://hqyman.cn/zb_users/upload/2023/03/202303281679965612475864.png" alt="image.png"/></a> </p> <p>本文链接:<a href="https://hqyman.cn/post/757.html" title="RHEL7: How to get started with Firewalld.">https://hqyman.cn/post/757.html</a> 非本站原创文章欢迎转载,原创文章需保留本站地址!</p> <div class="" id="ishare-1" style="margin-top:10px!important; margin-bottom:10px!important;"> <input type="text" id="ishare_copy" value="https://hqyman.cn/post/757.html"/>分享到:<a class="ishare-icon icon-link" href="javascript:void(0)" onclick="isharecopy()" title="点击复制文章链接"></a></div> <script> function isharecopy(){ var copyobject=document.getElementById("ishare_copy"); copyobject.select(); document.execCommand("Copy"); alert("成功复制本文链接"); }; $(document).ready(function() { $("#ishare-1").share({sites: ["qzone","qq","weibo","wechat","douban","linkedin","google","facebook","twitter", ]});}); </script> <div class="gave"><a href="javascript:;" id="gave">打赏</a><div class="code" id="wechatCode" style="display: none"><img src="https://hqyman.cn/zb_users/plugin/wxreward/src/alipaywechat.png" alt="微信扫一扫支付"><div id="ico-wechat"><img src="https://hqyman.cn/zb_users/plugin/wxreward/src/ico-wechat.jpg" alt="微信logo" class="ico-wechat">微信支付宝扫一扫,打赏作者吧~</div></div></div> <br> </br> <!-- baidu union --> <div class="_7d5v4u25x8m"></div> <script type="text/javascript"> (window.slotbydup = window.slotbydup || []).push({ id: "u6885890", container: "_7d5v4u25x8m", async: true }); </script> <!-- 多条广告如下脚本只需引入一次 --> <script type="text/javascript" src="//cpro.baidustatic.com/cpro/ui/cm.js" async="async" defer="defer" > </script> <br> </br> <br> <p style="font-size: 24px;">休息一下~~</p> </br> </div> <div class="post_tags"></div> <div class="post_info"> 作者:hqy | 分类:技术文章 | 浏览:2385 | 评论:0 </div> </div> <div class="post_nav"> <a class="l" href="https://hqyman.cn/post/756.html" title="采用windows下route命令设置静态路由实现跨网段访问">« 上一篇</a> <a class="r" href="https://hqyman.cn/post/758.html" title="Firewalld CentOS 7 Masquerading"> 下一篇 »</a> </div> <div class="commentlist" style="overflow:hidden;"> <label id="AjaxCommentBegin"></label> <!--评论输出--> <!--评论翻页条输出--> <div class="pagebar commentpagebar"> </div> <label id="AjaxCommentEnd"></label> </div> <!--评论框--> <div class="commentpost" id="comment"> <h4>发表评论:</h4><a rel="nofollow" id="cancel-reply" href="#comment" style="display:none;"><small>取消回复</small></a> <form id="frmSumbit" target="_self" method="post" action="https://hqyman.cn/zb_system/cmd.php?act=cmt&postid=757&key=5ff53407fadea154545de25df8b979fd" > <input type="hidden" name="inpId" id="inpId" value="757" /> <input type="hidden" name="inpRevID" id="inpRevID" value="0" /> <p><input type="text" name="inpName" id="inpName" class="text" value="访客" size="28" tabindex="1" /> <label for="name">名称(*)</label></p> <p><input type="text" name="inpEmail" id="inpEmail" class="text" value="" size="28" tabindex="2" /> <label for="email">邮箱</label></p> <p><input type="text" name="inpHomePage" id="inpHomePage" class="text" value="" size="28" tabindex="3" /> <label for="homepage">网址</label></p> <p><input type="text" name="inpVerify" id="inpVerify" class="text" value="" size="28" tabindex="4" /> <label for="inpVerify">验证码(*)</label><img style="width:90px;height:30px;cursor:pointer;" src="https://hqyman.cn/zb_system/script/c_validcode.php?id=cmt" alt="" title="" onclick="javascript:this.src='https://hqyman.cn/zb_system/script/c_validcode.php?id=cmt&tm='+Math.random();"/></p> <p><label for="content">正文(*)</label></p> <p><textarea name="txaArticle" id="txaArticle" class="text" cols="50" rows="4" tabindex="5" ></textarea></p> <p><input name="sumbit" type="submit" tabindex="6" value="提交" onclick="return zbp.comment.post()" class="button" /></p> </form> <p class="postbottom">◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。</p> </div> </div> <div class="clear"></div> </div> </div> <div id="sidebar"> <dl class="function" id="divCalendar"> <dt style="display:none;"></dt><dd class="function_c"> <div><table id="tbCalendar"> <caption><a title="上个月" href="https://hqyman.cn/date-2024-10.html">«</a> <a href="https://hqyman.cn/date-2024-11.html"> 2024年11月 </a> <a title="下个月" href="https://hqyman.cn/date-2024-12.html">»</a></caption> <thead><tr> <th title="星期一" scope="col"><small>一</small></th> <th title="星期二" scope="col"><small>二</small></th> <th title="星期三" scope="col"><small>三</small></th> <th title="星期四" scope="col"><small>四</small></th> <th title="星期五" scope="col"><small>五</small></th> <th title="星期六" scope="col"><small>六</small></th> <th title="星期日" scope="col"><small>日</small></th></tr></thead> <tbody> <tr><td></td><td></td><td></td><td></td><td><a href="https://hqyman.cn/date-2024-11-1.html" title="2024-11-1 (20)" target="_blank">1</a></td><td><a href="https://hqyman.cn/date-2024-11-2.html" title="2024-11-2 (1)" target="_blank">2</a></td><td><a href="https://hqyman.cn/date-2024-11-3.html" title="2024-11-3 (3)" target="_blank">3</a></td></tr> <tr><td><a href="https://hqyman.cn/date-2024-11-4.html" title="2024-11-4 (7)" target="_blank">4</a></td><td><a href="https://hqyman.cn/date-2024-11-5.html" title="2024-11-5 (8)" target="_blank">5</a></td><td><a href="https://hqyman.cn/date-2024-11-6.html" title="2024-11-6 (33)" target="_blank">6</a></td><td><a href="https://hqyman.cn/date-2024-11-7.html" title="2024-11-7 (27)" target="_blank">7</a></td><td><a href="https://hqyman.cn/date-2024-11-8.html" title="2024-11-8 (1)" target="_blank">8</a></td><td><a href="https://hqyman.cn/date-2024-11-9.html" title="2024-11-9 (1)" target="_blank">9</a></td><td>10</td></tr> <tr><td><a href="https://hqyman.cn/date-2024-11-11.html" title="2024-11-11 (5)" target="_blank">11</a></td><td><a href="https://hqyman.cn/date-2024-11-12.html" title="2024-11-12 (25)" target="_blank">12</a></td><td><a href="https://hqyman.cn/date-2024-11-13.html" title="2024-11-13 (18)" target="_blank">13</a></td><td><a href="https://hqyman.cn/date-2024-11-14.html" title="2024-11-14 (9)" target="_blank">14</a></td><td><a href="https://hqyman.cn/date-2024-11-15.html" title="2024-11-15 (5)" target="_blank">15</a></td><td>16</td><td><a href="https://hqyman.cn/date-2024-11-17.html" title="2024-11-17 (1)" target="_blank">17</a></td></tr> <tr><td><a href="https://hqyman.cn/date-2024-11-18.html" title="2024-11-18 (26)" target="_blank">18</a></td><td><a href="https://hqyman.cn/date-2024-11-19.html" title="2024-11-19 (8)" target="_blank">19</a></td><td><a href="https://hqyman.cn/date-2024-11-20.html" title="2024-11-20 (34)" target="_blank">20</a></td><td><a href="https://hqyman.cn/date-2024-11-21.html" title="2024-11-21 (48)" target="_blank">21</a></td><td><a href="https://hqyman.cn/date-2024-11-22.html" title="2024-11-22 (16)" target="_blank">22</a></td><td><a href="https://hqyman.cn/date-2024-11-23.html" title="2024-11-23 (1)" target="_blank">23</a></td><td><a href="https://hqyman.cn/date-2024-11-24.html" title="2024-11-24 (1)" target="_blank">24</a></td></tr> <tr><td>25</td><td>26</td><td>27</td><td>28</td><td>29</td><td>30</td><td></td></tr> </tbody> </table></div> </dd> </dl> <dl class="function" id="tools_module"> <dt class="function_t">本站推荐小工具</dt><dd class="function_c"> <div><li id="navbar-page-2292"><a href="https://hqyman.cn/2292.html">MSDN ISO 磁力地址 版本1</a></li> <li id="navbar-page-2294"><a href="https://hqyman.cn/2294.html">MSDN ISO 磁力地址 版本2</a></li> <li id="navbar-page-2294"><a href="https://hqyman.cn/post/8565.html">Windows kms激活</a></li> <li id="navbar-page-2294"><a href="https://hqyman.cn/post/8566.html">Office kms激活</a></li> <li id="navbar-page-3773"><a href="https://hqyman.cn/taobao/">领淘宝优惠券</a></li> <li id="navbar-page-5518"><a href="https://hqyman.cn/5518.html">在线小工具</a></li> <li id="navbar-page-5518"><a href="https://hqyman.cn/myip/">在线查IP |WhatIsMyIPAddress</a></li> <li id="navbar-page-5518"><a href="https://hqyman.cn/tools/speedtest/index.html">在线下载测速</a></li> <li id="navbar-page-5518"><a href="https://hqyman.cn/tools/bjx/index.html">百家姓暗号</a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/game/fc小游戏/index.html">在线fc小游戏</a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/game/cat/index.html">圈住猫的游戏</a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/game/2048/index.html">2048的游戏</a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/game/eat/index.html">今天吃什么呢</a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/tools/djt/index.php">毒鸡汤网页 </a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/game/qqvalue/index.html">在线查QQ价值</a></li> <li id="navbar-page-5519"><a href="https://it-tools.hqyman.cn/">在线it-tools工具箱</a></li> <li id="navbar-page-5519"><a href="https://it-tools.kinber.cn/">在线it-tools工具箱(备站)</a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/tools/checkkey/index_key.php">微软密钥在线检测</a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/tools/whois/">whois在线查询</a></li> <li id="navbar-page-5519"><a href="https://hqyman.cn/free-for-dev/ ">开发者资源的宝库</a></li> <li id="navbar-page-5519"><a href="https://www.ctfile.com/p/giftcard?uid=465521&type=1&key=206a60/">城通网盘</a></li> <li id="navbar-page-5519"><a href="https://www.bt.cn/?invite_code=M19laXF6b24=/">宝塔服务器面板</a></li> <li id="navbar-page-5519"><a href="https://www.aliyun.com/daily-act/ecs/activity_selection?userCode=cfberzd0">阿里云特价VPS服务器</a></li> <li id="navbar-page-5519"><a href="https://curl.qcloud.com/TFMUo6rG">腾讯云特价VPS服务器</a></li> <li id="navbar-page-5519"><a href="https://app.cloudcone.com/?ref=11811">cloudcone特价VPS服务器</a></li> <li id="navbar-page-5519"><a href="https://my.racknerd.com/aff.php?aff=12318">racknerd特价VPS服务器</a></li> <li id="navbar-page-5519"><a href="http://my.henghost.com/aff.php?aff=9792">恒创VPS特价服务器</a></li> <li id="navbar-page-5519"><a href="https://www.jianidc.com/aff/ZQEXMDXM">简云免费虚拟云主机</a></li> </div> </dd> </dl> <dl class="function" id="divContorPanel"> <dt class="function_t">控制面板</dt><dd class="function_c"> <div><span class="cp-hello">您好,欢迎到访网站!</span><br/><span class="cp-login"><a href="https://hqyman.cn/zb_system/cmd.php?act=login">登录后台</a></span> <span class="cp-vrs"><a href="https://hqyman.cn/zb_system/cmd.php?act=misc&type=vrs">查看权限</a></span> <br/> <a href="https://hqyman.cn/user/user.html">个人中心</a></span> <span><a href="https://hqyman.cn/user/editpass.html">修改密码</a></span> </div> </dd> </dl> <dl class="function" id="divmine_yiyan"> <dt class="function_t">随心随性</dt><dd class="function_c"> <div><p>明年此日青云去,却笑人间举子忙。</p></div> </dd> </dl> <dl class="function" id="divCatalog"> <dt class="function_t">网站分类</dt><dd class="function_c"> <ul><li><a title="技术文章" href="https://hqyman.cn/category-2.html">技术文章</a></li> <li><a title="心情随笔" href="https://hqyman.cn/category-3.html">心情随笔</a></li> <li><a title="福利" href="https://hqyman.cn/category-4.html">福利</a></li> <li><a title="play more" href="https://hqyman.cn/category-5.html">play more</a></li> <li><a title="Windows&office激活" href="https://hqyman.cn/category-6.html">Windows&office激活</a></li> <li><a title="虚拟化&超融合" href="https://hqyman.cn/category-7.html">虚拟化&超融合</a></li> <li><a title="Windows&windows server" href="https://hqyman.cn/category-8.html">Windows&windows server</a></li> <li><a title="Linux" href="https://hqyman.cn/category-9.html">Linux</a></li> <li><a title="Network" href="https://hqyman.cn/category-10.html">Network</a></li> <li><a title="金蝶" href="https://hqyman.cn/category-11.html">金蝶</a></li> <li><a title="VPS" href="https://hqyman.cn/category-12.html">VPS</a></li> <li><a title="网络实验室" href="https://hqyman.cn/category-13.html">网络实验室</a></li> <li><a title="青龙" href="https://hqyman.cn/category-14.html">青龙</a></li> <li><a title="docker" href="https://hqyman.cn/category-15.html">docker</a></li> <li><a title="Openwrt" href="https://hqyman.cn/category-16.html">Openwrt</a></li> <li><a title="vpn" href="https://hqyman.cn/category-17.html">vpn</a></li> <li><a title="群晖Synology" href="https://hqyman.cn/category-18.html">群晖Synology</a></li> <li><a title="android" href="https://hqyman.cn/category-19.html">android</a></li> <li><a title="编程" href="https://hqyman.cn/category-20.html">编程</a></li> <li><a title="SEO" href="https://hqyman.cn/category-21.html">SEO</a></li> <li><a title="Jumpserver" href="https://hqyman.cn/category-22.html">Jumpserver</a></li> <li><a title="怀旧" href="https://hqyman.cn/category-23.html">怀旧</a></li> <li><a title="MACOS" href="https://hqyman.cn/category-24.html">MACOS</a></li> <li><a title="SQL" href="https://hqyman.cn/category-25.html">SQL</a></li> <li><a title="未分类" href="https://hqyman.cn/category-1.html">未分类</a></li> </ul> </dd> </dl> <dl class="function" id="divSearchPanel"> <dt class="function_t">搜索</dt><dd class="function_c"> <div><form name="search" method="post" action="https://hqyman.cn/zb_system/cmd.php?act=search"><input type="text" name="q" size="11" /> <input type="submit" value="搜索" /></form></div> </dd> </dl> <dl class="function" id="divComments"> <dt class="function_t">最新留言</dt><dd class="function_c"> <ul><li><a href="https://hqyman.cn/post/867.html#cmt712" title="hqy @ 2024-09-03 09:39:47">赞助本站50元,就给你找密码</a></li> <li><a href="https://hqyman.cn/post/6213.html#cmt711" title="hqy @ 2024-09-02 22:49:09">还行,动动手,随意打个赏就完美了</a></li> <li><a href="https://hqyman.cn/post/7771.html#cmt710" title="hqy @ 2024-09-02 22:46:15">我更新了哟,不可能找不到的哇。。。</a></li> <li><a href="https://hqyman.cn/post/6213.html#cmt709" title="gt66666 @ 2024-09-02 14:18:23">好好好</a></li> <li><a href="https://hqyman.cn/post/7771.html#cmt706" title="访客 @ 2024-09-02 12:23:37">天翼云的控制台没找到,pc应用端和网页端都是直接登录进去</a></li> <li><a href="https://hqyman.cn/post/273.html#cmt705" title="hqy @ 2024-08-31 23:41:04">有,有空找找,赞助一下,直接立马找给你</a></li> <li><a href="https://hqyman.cn/post/6522.html#cmt704" title="hqy @ 2024-08-31 23:34:58">哦,好的</a></li> <li><a href="https://hqyman.cn/post/6522.html#cmt703" title="mei @ 2024-08-30 19:16:49">本文最先发表于 https://mmeiblog.cn/articles/2024/sakurapanel/使用 BY-NC-SA 协议分发, CSDN 上的文章使用 CC 4.0 BY-SA 协议分发,转载时请注明出处 </a></li> <li><a href="https://hqyman.cn/post/273.html#cmt702" title="访客 @ 2024-08-30 11:16:19">链接全部失效,有备用的吗?</a></li> <li><a href="https://hqyman.cn/post/868.html#cmt701" title="hqy @ 2024-08-30 10:15:12">赞助本站50元,直接发链接和解压密码,谢谢</a></li> </ul> </dd> </dl> <dl class="function" id="divArchives"> <dt class="function_t">文章归档</dt><dd class="function_c"> <ul><li><a title="2024年11月" href="https://hqyman.cn/date-2024-11.html">2024年11月 (298)</a></li> <li><a title="2024年10月" href="https://hqyman.cn/date-2024-10.html">2024年10月 (175)</a></li> <li><a title="2024年9月" href="https://hqyman.cn/date-2024-9.html">2024年9月 (200)</a></li> <li><a title="2024年8月" href="https://hqyman.cn/date-2024-8.html">2024年8月 (537)</a></li> <li><a title="2024年7月" href="https://hqyman.cn/date-2024-7.html">2024年7月 (437)</a></li> <li><a title="2024年6月" href="https://hqyman.cn/date-2024-6.html">2024年6月 (461)</a></li> <li><a title="2024年5月" href="https://hqyman.cn/date-2024-5.html">2024年5月 (460)</a></li> <li><a title="2024年4月" href="https://hqyman.cn/date-2024-4.html">2024年4月 (324)</a></li> <li><a title="2024年3月" href="https://hqyman.cn/date-2024-3.html">2024年3月 (334)</a></li> <li><a title="2024年2月" href="https://hqyman.cn/date-2024-2.html">2024年2月 (288)</a></li> <li><a title="2024年1月" href="https://hqyman.cn/date-2024-1.html">2024年1月 (202)</a></li> <li><a title="2023年12月" href="https://hqyman.cn/date-2023-12.html">2023年12月 (131)</a></li> <li><a title="2023年11月" href="https://hqyman.cn/date-2023-11.html">2023年11月 (140)</a></li> <li><a title="2023年10月" href="https://hqyman.cn/date-2023-10.html">2023年10月 (71)</a></li> <li><a title="2023年9月" href="https://hqyman.cn/date-2023-9.html">2023年9月 (50)</a></li> <li><a title="2023年8月" href="https://hqyman.cn/date-2023-8.html">2023年8月 (31)</a></li> <li><a title="2023年7月" href="https://hqyman.cn/date-2023-7.html">2023年7月 (82)</a></li> <li><a title="2023年6月" href="https://hqyman.cn/date-2023-6.html">2023年6月 (19)</a></li> <li><a title="2023年5月" href="https://hqyman.cn/date-2023-5.html">2023年5月 (192)</a></li> <li><a title="2023年4月" href="https://hqyman.cn/date-2023-4.html">2023年4月 (221)</a></li> <li><a title="2023年3月" href="https://hqyman.cn/date-2023-3.html">2023年3月 (84)</a></li> <li><a title="2023年2月" href="https://hqyman.cn/date-2023-2.html">2023年2月 (89)</a></li> <li><a title="2023年1月" href="https://hqyman.cn/date-2023-1.html">2023年1月 (207)</a></li> <li><a title="2022年12月" href="https://hqyman.cn/date-2022-12.html">2022年12月 (216)</a></li> <li><a title="2022年11月" href="https://hqyman.cn/date-2022-11.html">2022年11月 (343)</a></li> <li><a title="2022年10月" href="https://hqyman.cn/date-2022-10.html">2022年10月 (62)</a></li> <li><a title="2022年9月" href="https://hqyman.cn/date-2022-9.html">2022年9月 (73)</a></li> <li><a title="2022年8月" href="https://hqyman.cn/date-2022-8.html">2022年8月 (158)</a></li> <li><a title="2022年7月" href="https://hqyman.cn/date-2022-7.html">2022年7月 (119)</a></li> <li><a title="2022年6月" href="https://hqyman.cn/date-2022-6.html">2022年6月 (168)</a></li> <li><a title="2022年5月" href="https://hqyman.cn/date-2022-5.html">2022年5月 (33)</a></li> <li><a title="2022年4月" href="https://hqyman.cn/date-2022-4.html">2022年4月 (53)</a></li> <li><a title="2022年3月" href="https://hqyman.cn/date-2022-3.html">2022年3月 (60)</a></li> <li><a title="2022年2月" href="https://hqyman.cn/date-2022-2.html">2022年2月 (7)</a></li> <li><a title="2022年1月" href="https://hqyman.cn/date-2022-1.html">2022年1月 (31)</a></li> <li><a title="2021年12月" href="https://hqyman.cn/date-2021-12.html">2021年12月 (35)</a></li> <li><a title="2021年11月" href="https://hqyman.cn/date-2021-11.html">2021年11月 (27)</a></li> <li><a title="2021年10月" href="https://hqyman.cn/date-2021-10.html">2021年10月 (74)</a></li> <li><a title="2021年9月" href="https://hqyman.cn/date-2021-9.html">2021年9月 (61)</a></li> <li><a title="2021年8月" href="https://hqyman.cn/date-2021-8.html">2021年8月 (29)</a></li> <li><a title="2021年7月" href="https://hqyman.cn/date-2021-7.html">2021年7月 (17)</a></li> <li><a title="2021年6月" href="https://hqyman.cn/date-2021-6.html">2021年6月 (55)</a></li> <li><a title="2021年5月" href="https://hqyman.cn/date-2021-5.html">2021年5月 (57)</a></li> <li><a title="2021年4月" href="https://hqyman.cn/date-2021-4.html">2021年4月 (51)</a></li> <li><a title="2021年3月" href="https://hqyman.cn/date-2021-3.html">2021年3月 (16)</a></li> <li><a title="2021年2月" href="https://hqyman.cn/date-2021-2.html">2021年2月 (1)</a></li> <li><a title="2021年1月" href="https://hqyman.cn/date-2021-1.html">2021年1月 (27)</a></li> <li><a title="2020年12月" href="https://hqyman.cn/date-2020-12.html">2020年12月 (60)</a></li> <li><a title="2020年11月" href="https://hqyman.cn/date-2020-11.html">2020年11月 (28)</a></li> <li><a title="2020年10月" href="https://hqyman.cn/date-2020-10.html">2020年10月 (8)</a></li> <li><a title="2020年9月" href="https://hqyman.cn/date-2020-9.html">2020年9月 (1)</a></li> <li><a title="2020年8月" href="https://hqyman.cn/date-2020-8.html">2020年8月 (32)</a></li> <li><a title="2020年7月" href="https://hqyman.cn/date-2020-7.html">2020年7月 (50)</a></li> <li><a title="2020年6月" href="https://hqyman.cn/date-2020-6.html">2020年6月 (86)</a></li> <li><a title="2020年5月" href="https://hqyman.cn/date-2020-5.html">2020年5月 (87)</a></li> <li><a title="2020年4月" href="https://hqyman.cn/date-2020-4.html">2020年4月 (27)</a></li> <li><a title="2020年3月" href="https://hqyman.cn/date-2020-3.html">2020年3月 (26)</a></li> <li><a title="2020年2月" href="https://hqyman.cn/date-2020-2.html">2020年2月 (9)</a></li> <li><a title="2020年1月" href="https://hqyman.cn/date-2020-1.html">2020年1月 (35)</a></li> <li><a title="2019年12月" href="https://hqyman.cn/date-2019-12.html">2019年12月 (37)</a></li> <li><a title="2019年11月" href="https://hqyman.cn/date-2019-11.html">2019年11月 (99)</a></li> <li><a title="2019年10月" href="https://hqyman.cn/date-2019-10.html">2019年10月 (30)</a></li> <li><a title="2019年9月" href="https://hqyman.cn/date-2019-9.html">2019年9月 (24)</a></li> <li><a title="2019年8月" href="https://hqyman.cn/date-2019-8.html">2019年8月 (17)</a></li> <li><a title="2019年7月" href="https://hqyman.cn/date-2019-7.html">2019年7月 (92)</a></li> <li><a title="2019年6月" href="https://hqyman.cn/date-2019-6.html">2019年6月 (21)</a></li> <li><a title="2019年5月" href="https://hqyman.cn/date-2019-5.html">2019年5月 (120)</a></li> <li><a title="2019年4月" href="https://hqyman.cn/date-2019-4.html">2019年4月 (156)</a></li> <li><a title="2019年3月" href="https://hqyman.cn/date-2019-3.html">2019年3月 (163)</a></li> <li><a title="2019年2月" href="https://hqyman.cn/date-2019-2.html">2019年2月 (2)</a></li> <li><a title="2019年1月" href="https://hqyman.cn/date-2019-1.html">2019年1月 (272)</a></li> </ul> </dd> </dl> <dl class="function" id="divFavorites"> <dt class="function_t">网站收藏</dt><dd class="function_c"> <ul><li><a href="https://www.hqyman.cn" target="_blank">一个和谐有爱的空间</a></li> </ul> </dd> </dl> <dl class="function" id="divLinkage"> <dt class="function_t">友情链接</dt><dd class="function_c"> <ul><li><a href="http://www.ssiww.net" target="_blank">温柔如血</a></li> <li><a href="http://www.lainzy.net" target="_blank">阳光明媚 在没有疯的日子</a></li> <li><a href="https://hqyman.cn/taobao/" target="_blank">领淘宝优惠券</a></li> <li><a href="https://jingber.cn/" target="_blank">备站</a></li> <li><a href="https://www.kinber.cn/" target="_blank">分站</a></li> <li><a href="https://www.msl.wang/" target="_blank">收录</a></li> <li><a href="https://www.1953.me/" target="_blank">收录</a></li> <li><a href="https://guan.ma/hao/2024000195/" title="官码2024000195号"><img src="https://style.wmou.com/images/guanma.png" alt="官码" width="20">官码2024000195号</a></li> <li><a href="https://icp.gov.moe/?keyword=20248119" target="_blank"><img src="https://icp.gov.moe/images/ico64.png" alt="萌码" width="20">萌ICP备20248119号</a></li> </ul> </dd> </dl> <dl class="function" id="divMisc"> <dt style="display:none;"></dt><dd class="function_c"> <ul> <li><a href="https://hqyman.cn/feed.php" target="_blank"><img src="https://hqyman.cn/zb_system/image/logo/rss.png" height="31" width="88" alt="订阅本站的 RSS 2.0 新闻聚合" /></a></li> <li><a href="https://hqyman.cn/sitemaps.xml" target="_blank"><img src="https://hqyman.cn/zb_system/image/logo.png" height="110" width="110" alt="订阅本站的 sitemap" /></a></li> </ul> </dd> </dl> </div> <div class="clear"></div> </div> <div id="footer"> <div class="copyright"> <p>Powered By <a href="http://www.hqyman.cn/">HQY</p> <p>Copyright HQY Rights Reserved.</p> <p><a href="http://beian.miit.gov.cn" target="_blank">粤ICP备17029924号</p> </div> <div id="goTopBtn"> <a onclick="pageScroll()"><span>返回顶部</span></a> </div> <div class="clear"></div> </div> <script src="https://hqyman.cn/zb_users/plugin/dayuser/style/js/frontend.js"></script> <link href="https://hqyman.cn/zb_users/plugin/wxreward/src/wx-reward.css" rel="stylesheet"> <script type="text/javascript" src="https://hqyman.cn/zb_users/plugin/wxreward/src/wx-reward.js"></script><script> (function(){ var bp = document.createElement('script'); var curProtocol = window.location.protocol.split(':')[0]; if (curProtocol === 'https'){ bp.src = 'https://zz.bdstatic.com/linksubmit/push.js'; } else{ bp.src = 'http://push.zhanzhang.baidu.com/push.js'; } var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(bp, s); })(); </script><div id="nocmtip" style="position:absolute;left:-100%;height:0;overflow:hidden;">请先 <a href="https://hqyman.cn/zb_system/login.php">登录</a> 再评论,若不是会员请先 <a href="https://hqyman.cn/reg.html">注册</a>!</div> <script src="https://hqyman.cn/zb_users/plugin/CommentSet/c.js?v=1.4"></script> <center><script type="text/javascript" src="//js.users.51.la/21426339.js"></script></center> <center> <p>您的IP地址是:<p/> <iframe src="https://www.hqyman.cn/myip2.php" width="120px" height="20px">
HQY 一个和谐有爱的空间