firewalld配置策略

1.centos 防火墙默认开放ssh

[root@pgsql1 data]# cat /etc/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/> 
</zone>

如果ssh端口不是默认22，则需要在 public.xml 文件中添加ssh端口

[root@pgsql1 data]# cat /etc/firewalld/zones/public.xml 
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <port protocol="tcp" port="4022"/> 
</zone>

2.开启防火墙

[root@gateway ~]# systemctl  start firewalld

3.整理好防火墙需要开通策略的端口（我这边需要开通6379端口）

firewall-cmd --zone=public --add-port=6379/tcp --permanent

也可以批量开通端口（开通100-500所有的端口）

firewall-cmd --zone=public --add-port=100-500/tcp --permanent

4.防火墙重新加载配置

firewall-cmd --reload

5.查看当前系统已经开放的端口

firewall-cmd --list-ports

开放或限制IP

查看已经限制的规则

firewall-cmd --zone=public --list-rich-rules

1.添加IP访问白名单（一个网段）

firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="0.0.0.0/24" port protocol="tcp" port="34767" accept"

说明：source address="0.0.0.0/24" 可以替换为单ip 譬如source address="172.17.118.253"     port=“5432” 替换为真实放开的端口有多个ip执行多次，配置完成后

重新载入防火墙设置，使设置生效
firewall-cmd --reload

2.限制IP地址访问

比如限制IP为192.168.0.200的地址禁止访问80端口即禁止访问机器

firewall-cmd --permanent --add-rich-rule="rule family="ipv4" source address="192.168.0.200" port protocol="tcp" port="80" reject"

重新载入防火墙设置，使设置生效
firewall-cmd --reload