Foreword: CentOS 7
1. Basic operations
If the command is not installed on your system:
# yum install firewalld // install the firewalld firewall
Start the service
# systemctl start firewalld.service
Stop the firewall
# systemctl stop firewalld.service
Enable starting at boot
# systemctl enable firewalld.service
Disable starting at boot
# systemctl disable firewalld.service
View the status
# systemctl status firewalld
If the output looks like this:
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2016-09-05 02:34:07 UTC; 15min ago
Main PID: 3447 (firewalld)
CGroup: /system.slice/firewalld.service
└─3447 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Sep 05 02:34:07 vultr.guest systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 05 02:34:07 vultr.guest systemd[1]: Started firewalld - dynamic firewall daemon.
then the service is running and there is nothing to fix.
2. Configuring the firewall
Use the firewall-cmd command.
View the status
# firewall-cmd --state // "running" means the firewall is running
Get the active zones
# firewall-cmd --get-active-zones
This command prints each zone followed by the interfaces it contains, in the following format:
<zone1>: <interface1> <interface2> ...
<zone2>: <interface3> ...
List all supported services
# firewall-cmd --get-services
The services are separated by spaces, for example:
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imaps ipp ipp-client ipsec iscsi-target kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind rsyncd samba samba-client smtp ssh telnet tftp tftp-client transmission-client vdsm vnc-server wbem-http
Adding the --permanent option to these commands queries or changes the permanent configuration, which survives a reboot.
Turn on panic (emergency) mode to block all network connections
# firewall-cmd --panic-on
In firewalld versions before 0.3.0, the panic options are --enable-panic and --disable-panic.
Turn off panic mode
# firewall-cmd --panic-off
View the panic mode status
# firewall-cmd --query-panic
Reload the firewall without changing its state:
# firewall-cmd --reload
The firewall's predefined service definitions are the XML files in the /usr/lib/firewalld/services/ directory.
There are also configuration files in the /etc/firewalld/services/ directory, and the /etc/firewalld/services/ directory takes precedence over /usr/lib/firewalld/services/.
Enable a service
# firewall-cmd --zone=public --add-service=https // temporary (runtime only)
# firewall-cmd --permanent --zone=public --add-service=https // permanent
Open a port
# firewall-cmd --permanent --zone=public --add-port=8080-8081/tcp // permanent
# firewall-cmd --zone=public --add-port=8080-8081/tcp // temporary (runtime only)
View the open ports and services
# firewall-cmd --permanent --zone=public --list-services // services separated by spaces, such as dhcpv6-client https ss
# firewall-cmd --permanent --zone=public --list-ports // ports separated by spaces, such as 8080-8081/tcp 8388/tcp 80/tcp
The /etc/firewalld/zones/public.xml file is updated after every port or service change, so you can also edit that file directly and then reload the firewall.
Allow one IP (or network) to access a service
# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'
This allows 192.168.0.4/24 to access the http service.
public.xml changes after this rule is set.
Delete the rule set above
# firewall-cmd --permanent --zone=public --remove-rich-rule='rule family="ipv4" source address="192.168.0.4/24" service name="http" accept'
Port forwarding
First enable IP masquerading
firewall-cmd --query-masquerade // check whether IP masquerading is enabled
firewall-cmd --add-masquerade // allow the firewall to masquerade IP addresses
firewall-cmd --remove-masquerade // stop the firewall from masquerading IP addresses
Set up forwarding
Then forward TCP port 22 to port 3753
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=3753
Forward port 22 traffic to the same port on another IP
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100
Forward port 22 traffic to port 2055 on another IP
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100
Enabling a service
# firewall-cmd --zone=public --add-service=https // temporary # firewall-cmd --permanent --zone=public --add-service=https // permanent
Open a port
# firewall-cmd --permanent --zone=public --add-port=8080-8081/tcp // permanent # firewall-cmd -- zone = public -- add-port = 8080-8081 / TCP // temporary
View open ports and services
# firewall-cmd --permanent --zone=public --list-services // service spaces, such as dhcpv6-client https ss # firewall-cmd --permanent --zone=public --list-ports // port spaces, such as 8080-8081/tcp 8388/tcp 80/tcp
The / etc/firewalld/zones/public.xml file is modified after each port and service modification, so it can also be modified in the file and then reloaded.
Setting up an ip to access a service
#firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.0.4/24" service name="http" accept"
ip 192.168.0.4/24 accesses http
The public.xml will change after setting it up
Delete the rules set above
#firewall-cmd --permanent --zone=public --remove-rich-rule="rule family="ipv4" source address="192.168.0.4/24" service name="http" accept"
Port forwarding
First turn on the IP that allows camouflage
firewall-cmd --query-masquerade # Check whether camouflage IP is allowed
firewall-cmd --add-masquerade # Allow firewalls to disguise IP
firewall-cmd --remove-masquerade# Prohibit firewalls from camouflaging IP
Setting Forwarding
Then forward TCP port 22 to 3753
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=3753
Forwarding port 22 data to the same port of another ip
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toaddr=192.168.1.100
Forwarding data from port 22 to port 2055 of another ip
# firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=2055:toaddr=192.168.1.100
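Since every service, port, rich rule, masquerade and forward-port setting above ends up in /etc/firewalld/zones/public.xml, a defender can audit that file instead of re-running firewall-cmd. The following is an added example, not code from the original post: it parses a constructed public.xml that reflects the commands in this post and reports anything outside an assumed allowlist of services and ports, plus every setting that exposes or relays traffic (masquerade, forwarding to another host, rich rules that accept traffic).

```python
import xml.etree.ElementTree as ET

# Constructed sample of /etc/firewalld/zones/public.xml as it would look after
# the commands in this post (https service, ports 8080-8081/tcp, the rich rule,
# masquerade and the forward-port rules). Attribute names follow firewalld's
# zone file format.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="https"/>
  <port protocol="tcp" port="8080-8081"/>
  <masquerade/>
  <forward-port port="22" protocol="tcp" to-port="3753"/>
  <forward-port port="22" protocol="tcp" to-addr="192.168.1.100"/>
  <rule family="ipv4">
    <source address="192.168.0.4/24"/>
    <service name="http"/>
    <accept/>
  </rule>
</zone>
"""


def audit_zone(xml_text, allowed_services, allowed_ports):
    """Return findings for a firewalld zone file (assumed allowlists as input).

    allowed_services: set of service names expected to be open.
    allowed_ports: set of "port/proto" strings (e.g. "80/tcp") expected open.
    """
    zone = ET.fromstring(xml_text)
    findings = []
    # findall() only matches direct children, so the <service> inside a
    # rich <rule> is not mistaken for a zone-wide service.
    for svc in zone.findall("service"):
        if svc.get("name") not in allowed_services:
            findings.append(f"unexpected service: {svc.get('name')}")
    for port in zone.findall("port"):
        spec = f"{port.get('port')}/{port.get('protocol')}"
        if spec not in allowed_ports:
            findings.append(f"unexpected port: {spec}")
    if zone.find("masquerade") is not None:
        findings.append("masquerade enabled (host NATs forwarded traffic)")
    for fwd in zone.findall("forward-port"):
        if fwd.get("to-addr"):  # local-only forwards (to-port alone) are skipped
            findings.append(f"forward {fwd.get('port')}/{fwd.get('protocol')} to another host {fwd.get('to-addr')}")
    for rule in zone.findall("rule"):
        if rule.find("accept") is None:
            continue
        src, svc = rule.find("source"), rule.find("service")
        source = src.get("address") if src is not None else "any"
        target = svc.get("name") if svc is not None else "all traffic"
        findings.append(f"rich rule accepts {target} from {source}")
    return findings


if __name__ == "__main__":
    for line in audit_zone(SAMPLE_ZONE_XML, {"ssh", "dhcpv6-client"}, set()):
        print(line)
```

Run it against the real file with `ET.parse("/etc/firewalld/zones/public.xml").getroot()` in place of the constructed sample, and pass the service and port allowlist for that host.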
When reprinting, please credit the source: http://www.cnblogs.com/phpshen/p/5842118.html