{"id":7120,"date":"2022-12-25T14:11:57","date_gmt":"2022-12-25T05:11:57","guid":{"rendered":"https:\/\/lab4ict.com\/system\/?p=7120"},"modified":"2023-08-25T06:22:37","modified_gmt":"2023-08-24T21:22:37","slug":"firewalld%e3%81%a7%e3%82%88%e3%81%8f%e4%bd%bf%e7%94%a8%e3%81%99%e3%82%8b%e3%82%b3%e3%83%9e%e3%83%b3%e3%83%89%e3%82%92%e4%b8%80%e8%a6%a7%e5%8c%96%e3%81%99%e3%82%8b%ef%bc%81","status":"publish","type":"post","link":"https:\/\/lab4ict.com\/system\/archives\/7120","title":{"rendered":"Firewalld\u306e\u57fa\u672c\u64cd\u4f5c\u3092\u307e\u3068\u3081\u308b\uff01"},"content":{"rendered":"

Firewalld\u3067\u3088\u304f\u4f7f\u7528\u3059\u308b\u30b3\u30de\u30f3\u30c9\u3092\u4e00\u89a7\u5316\u3057\u307e\u3059\u3002
\n<\/p>\n

Firewalld\u306e\u8d77\u52d5\u72b6\u614b\u3092\u78ba\u8a8d\u3059\u308b\uff01<\/h2>\n

Firewalld\u306e\u8d77\u52d5\u72b6\u614b\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002Firewalld\u304c\u8d77\u52d5\u3057\u3066\u3044\u306a\u3044\u3068\u3001\u300cfirewall-cmd\u300d\u30b3\u30de\u30f3\u30c9\u306f\u4f7f\u7528\u3067\u304d\u307e\u305b\u3093\u3002<\/p>\n

\r\n$ sudo firewall-cmd --state\r\nrunning\r\n<\/pre>\n
Firewalld\u306e\u8d77\u52d5\u3068\u505c\u6b62\u306f\u3001systemctl\u30b3\u30de\u30f3\u30c9\u3067\u884c\u3044\u307e\u3059\u3002\u30b5\u30fc\u30d3\u30b9\u540d\u306f\u3001\u300cfirewalld.servcie\u300d\u3067\u3059\u3002<\/p>\n
\r\n$ sudo systemctl stop firewalld.service\r\n$ sudo systemctl status firewalld.service\r\n\u25cf firewalld.service - firewalld - dynamic firewall daemon\r\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/firewalld.service; enabled; vendor preset: enabled)\r\n   Active: inactive (dead) since Thu 2022-04-07 12:46:27 JST; 10s ago\r\n...\r\n$ sudo systemctl start firewalld\r\n$ sudo systemctl status firewalld.service\r\n\u25cf firewalld.service - firewalld - dynamic firewall daemon\r\n   Loaded: loaded (\/usr\/lib\/systemd\/system\/firewalld.service; enabled; vendor preset: enabled)\r\n   Active: active (running) since Thu 2022-04-07 12:46:52 JST; 3s ago\r\n...\r\n<\/pre>\n
\u73fe\u5728\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u30be\u30fc\u30f3\u3092\u78ba\u8a8d\u3059\u308b\uff01<\/h2>\n
\u30c7\u30d5\u30a9\u30eb\u30c8\u306e\u30be\u30fc\u30f3\u306f\u3001\u300cpublic\u300d\u3067\u3059\u3002<\/p>\n
\r\n$ firewall-cmd --get-default\r\npublic\r\n<\/pre>\n
\u73fe\u5728\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u8a2d\u5b9a\u3092\u78ba\u8a8d\u3059\u308b\uff01<\/h2>\n
\u300c--list-all\u300d\u30aa\u30d7\u30b7\u30e7\u30f3\u3067\u3001\u73fe\u5728\u6709\u52b9\u306b\u306a\u3063\u3066\u3044\u308b\u8a2d\u5b9a\u3092\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n
\r\n$ sudo firewall-cmd --list-all\r\npublic (active)\r\n  target: default\r\n  icmp-block-inversion: no\r\n  interfaces: enp0s3\r\n  sources: \r\n  services: cockpit dhcpv6-client ssh\r\n  ports: \r\n  protocols: \r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n<\/pre>\n
\u30b5\u30fc\u30d3\u30b9\u540d\u3067\u901a\u4fe1\u8a31\u53ef\u8a2d\u5b9a\u3092\u8ffd\u52a0\uff0f\u524a\u9664\u3059\u308b\uff01<\/h2>\n
http\u3092\u8ffd\u52a0\u3059\u308b\u4f8b\u3067\u3059\u3002\u30b3\u30de\u30f3\u30c9\u3067\u306f\u308f\u304b\u308a\u307e\u305b\u3093\u304c\u3001Netfilter\u306eINPUT\u30c1\u30a7\u30fc\u30f3\u306b\u5bfe\u3057\u3066\u8a2d\u5b9a\u304c\u8ffd\u52a0\u3055\u308c\u307e\u3059\u3002<\/p>\n
\r\n$ sudo firewall-cmd --permanent --add-service=http\r\nsuccess\r\n$ sudo firewall-cmd --reload\r\nsuccess\r\n$ sudo firewall-cmd --list-services\r\ncockpit dhcpv6-client http ssh\r\n<\/pre>\n
--add-service\u3067\u6307\u5b9a\u3067\u304d\u308b\u8a2d\u5b9a\u5024\u306f\u3001\u4ee5\u4e0b\u3067\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/p>\n
\r\n$ firewall-cmd --get-services\r\n...\r\n<\/pre>\n
http\u3092\u524a\u9664\u3059\u308b\u4f8b\u3067\u3059\u3002<\/p>\n
\r\n$ sudo firewall-cmd --permanent --remove-service=http\r\nsuccess\r\n$ sudo firewall-cmd --reload\r\nsuccess\r\n$ sudo firewall-cmd --list-services\r\ncockpit dhcpv6-client ssh\r\n<\/pre>\n
\u30dd\u30fc\u30c8\u756a\u53f7\u3067\u901a\u4fe1\u8a31\u53ef\u8a2d\u5b9a\u3092\u8ffd\u52a0\uff0f\u524a\u9664\u3059\u308b\uff01<\/h2>\n
10021\u30dd\u30fc\u30c8\u3092\u8ffd\u52a0\u3059\u308b\u4f8b\u3067\u3059\u3002<\/p>\n
\r\n$ sudo firewall-cmd --permanent --add-port=10021\/tcp\r\nsuccess\r\n$ sudo firewall-cmd --reload\r\nsuccess\r\n$ sudo firewall-cmd --list-ports\r\n10021\/tcp\r\n<\/pre>\n
10021\u30dd\u30fc\u30c8\u3092\u524a\u9664\u3059\u308b\u4f8b\u3067\u3059\u3002<\/p>\n
\r\n$ sudo firewall-cmd --permanent --remove-port=10021\/tcp\r\nsuccess\r\n$ sudo firewall-cmd --reload\r\nsuccess\r\n$ sudo firewall-cmd --list-ports\r\n\r\n<\/pre>\n
ICMP\u306e\u901a\u4fe1\u8a31\u53ef\u8a2d\u5b9a\u3092\u7121\u52b9\u5316\uff0f\u6709\u52b9\u5316\u3059\u308b\uff01<\/h2>\n
ping\u30b3\u30de\u30f3\u30c9\u3078\u306e\u5fdc\u7b54\u306f\u30c7\u30d5\u30a9\u30eb\u30c8\u3067\u6709\u52b9\u3067\u3059\u3002ping\u30b3\u30de\u30f3\u30c9\u306e\u5fdc\u7b54\u3092\u7121\u52b9\u5316\u3057\u307e\u3059\u3002<\/p>\n
\r\n$ sudo firewall-cmd --list-icmp-blocks\r\n$ sudo firewall-cmd --permanent --add-icmp-block=echo-request\r\n$ sudo firewall-cmd --reload\r\nsuccess\r\n$ sudo firewall-cmd --list-icmp-blocks\r\necho-request\r\n<\/pre>\n
ping\u30b3\u30de\u30f3\u30c9\u3078\u306e\u5fdc\u7b54\u306e\u8a2d\u5b9a\u3092\u6709\u52b9\u5316\u3057\u307e\u3059\u3002<\/p>\n
\r\n$ sudo firewall-cmd --list-icmp-blocks\r\necho-request\r\n$ sudo firewall-cmd --permanent --remove-icmp-block=echo-request\r\nsuccess\r\n$ sudo firewall-cmd --reload\r\nsuccess\r\n$ sudo firewall-cmd --list-icmp-blocks\r\n<\/pre>\n
Firewalld\u505c\u6b62\u6642\u306b\u8a2d\u5b9a\u5909\u66f4\u3092\u884c\u3046\uff01<\/h2>\n
Firewalld\u505c\u6b62\u6642\u306b\u8a2d\u5b9a\u3092\u884c\u3046\u5834\u5408\u306f\u3001firewalld-offline-cmd\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002Firewalld\u3092\u8d77\u52d5\u3059\u308b\u3068\u3001\u30b5\u30fc\u30d0\u3078\u306e\u30a2\u30af\u30bb\u30b9\u81ea\u4f53\u304c\u4e0d\u53ef\u306b\u306a\u3063\u3066\u3057\u307e\u3046\u3088\u3046\u306a\u5834\u5408\u306b\u91cd\u5b9d\u3057\u307e\u3059\u3002<\/p>\n
\r\n$ sudo firewall-offline-cmd --list-all\r\npublic\r\n  target: default\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: cockpit dhcpv6-client ssh\r\n  ports: \r\n  protocols: \r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n<\/pre>\n
Firewalld\u3067\u4f7f\u7528\u3067\u304d\u308b\u30be\u30fc\u30f3\u306e\u60c5\u5831\u3092\u78ba\u8a8d\u3059\u308b\uff01<\/h2>\n
Firewalld\u3067\u4f7f\u7528\u3067\u304d\u308b\u30be\u30fc\u30f3\u306f\u3001\u300cfirewall-cmd --get-zones\u300d\u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n
\r\n# firewall-cmd --get-zones\r\nblock dmz drop external home internal nm-shared public trusted work\r\n<\/pre>\n
\u5404\u30be\u30fc\u30f3\u306e\u8a2d\u5b9a\u306f\u3001\u300cfirewall-cmd --list-all-zones\u300d\u30b3\u30de\u30f3\u30c9\u3067\u78ba\u8a8d\u3067\u304d\u307e\u3059\u3002<\/p>\n
\r\n# firewall-cmd --list-all-zones\r\nblock\r\n  target: %%REJECT%%\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: \r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\r\ndmz\r\n  target: default\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: ssh\r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\r\ndrop\r\n  target: DROP\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: \r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\r\nexternal\r\n  target: default\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: ssh\r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: yes\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\r\nhome\r\n  target: default\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: cockpit dhcpv6-client mdns samba-client ssh\r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\r\ninternal\r\n  target: default\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: cockpit dhcpv6-client mdns samba-client ssh\r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\r\nnm-shared\r\n  target: ACCEPT\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: dhcp dns ssh\r\n  ports: \r\n  protocols: icmp ipv6-icmp\r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\trule priority="32767" reject\r\n\r\npublic (active)\r\n  target: default\r\n  icmp-block-inversion: no\r\n  interfaces: enp0s3\r\n  sources: \r\n  services: dhcpv6-client ssh\r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\r\ntrusted\r\n  target: ACCEPT\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: \r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n\r\nwork\r\n  target: default\r\n  icmp-block-inversion: no\r\n  interfaces: \r\n  sources: \r\n  services: cockpit dhcpv6-client ssh\r\n  ports: \r\n  protocols: \r\n  forward: no\r\n  masquerade: no\r\n  forward-ports: \r\n  source-ports: \r\n  icmp-blocks: \r\n  rich rules: \r\n<\/pre>\n
\u304a\u308f\u308a\u306b<\/h2>\n
Firewalld\u306e\u8a2d\u5b9a\u306f\u3001firewalld-cmd\u30b3\u30de\u30f3\u30c9\u3067\u884c\u3044\u307e\u3059\u3002Firewalld\u505c\u6b62\u6642\u306f\u3001firewall-offline-cmd\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002\u30aa\u30d7\u30b7\u30e7\u30f3\u306f\u3001\u57fa\u672c\u7684\u306bfirewalld-cmd\u3068\u540c\u3058\u3067\u3059\u3002<\/p>\n
\u95a2\u9023\u8a18\u4e8b<\/h2>\n
\"\u3010\u8a18\u4e8b\u4e00\u89a7\u3011RHEL\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u6a5f\u80fd\u3092\u4f7f\u3044\u3053\u306a\u3059\uff01\"<\/div>
\u3010\u8a18\u4e8b\u4e00\u89a7\u3011RHEL\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u6a5f\u80fd\u3092\u4f7f\u3044\u3053\u306a\u3059\uff01<\/div>
RHEL\u306e\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u6a5f\u80fd\u3092\u4f7f\u3044\u3053\u306a\u3059\u305f\u3081\u306e\u8a18\u4e8b\u4e00\u89a7\u3092\u63b2\u8f09\u3057\u307e\u3059\u3002...<\/div><\/a><\/div>\n
\u95a2\u9023\u66f8\u7c4d\uff08Amazon\uff09<\/h2>\n
\"N\/A\"<\/a><\/p>\n
\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Firewalld\u3067\u3088\u304f\u4f7f\u7528\u3059\u308b\u30b3\u30de\u30f3\u30c9\u3092\u4e00\u89a7\u5316\u3057\u307e\u3059\u3002<\/p>\n","protected":false},"author":1,"featured_media":5291,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[886],"tags":[459,458],"class_list":["post-7120","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-rhel-security","tag-firewall-cmd","tag-firewalld"],"_links":{"self":[{"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/posts\/7120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/comments?post=7120"}],"version-history":[{"count":8,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/posts\/7120\/revisions"}],"predecessor-version":[{"id":14154,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/posts\/7120\/revisions\/14154"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/media\/5291"}],"wp:attachment":[{"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/media?parent=7120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/categories?post=7120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab4ict.com\/system\/wp-json\/wp\/v2\/tags?post=7120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}