Firewalld zones and icmptypes explained in detail

Z同学
2021-12-03 / 0 comments / 1 like / 843 views / 2,297 characters
Note:
This article was last updated on 2021-12-06; if any content or images are no longer available, please leave a comment. Some material comes from the internet; if it affects your interests, please contact us for removal.

Introduction to the zones parameter

This parameter defines the trust level of a network connection. The zones below are listed in order from least trusted to most trusted.

drop

Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.

If the drop zone is used, any incoming packet is discarded. This is similar to the iptables -j DROP we used before. Using the drop rule means no response is sent.

block

Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.

The block zone rejects incoming network connections and returns icmp-host-prohibited; only connections the server itself has already established are let through, i.e. only network connections initiated from within the system are allowed.

public

For use in public areas. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

You assume the other computers on the network are untrusted and may harm your computer. Only selected incoming connections are accepted. public is the default zone.

external

For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on the network to not harm your computer. Only selected incoming connections are accepted.

This zone corresponds to enabling the masquerading option on a router. Only specified connections are accepted, namely ssh; other connections are dropped or not accepted.

dmz

For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.

If you want only some services to be reachable from outside, define them in the dmz zone. It likewise only passes selected connections, namely ssh.

work

For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

In this zone we can only define the internal network; for example, only private-network traffic is allowed, limited to ssh, ipp-client and dhcpv6-client.

home

For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

This zone is intended for home environments. It likewise only allows selected connections, namely ssh, ipp-client, mdns, samba-client and dhcpv6-client.

internal

For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.

This zone is similar to the work zone: only selected connections pass, just as in the home zone.

trusted

All network connections are accepted.

It is possible to designate one of these zones to be the default zone. When interface connections are added to Network Manager, they are assigned to the default zone. On installation, the default zone in firewalld is set to be the public zone.

All network traffic is allowed. Because trusted is the most trusted zone, connections are allowed even if no services have been configured at all, since trusted accepts all connections.

Introduction to the icmptypes parameters

destination-unreachable: destination unreachable.

echo-reply: echo reply (pong).

parameter-problem: parameter problem.

redirect: redirect.

router-advertisement: router advertisement.

router-solicitation: router solicitation.

source-quench: source quench.

time-exceeded: time exceeded.

timestamp-reply: timestamp reply.

timestamp-request: timestamp request.
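As an added example (not code from the original post), the following Python parses zone definitions in firewalld's zone XML file format and models, in simplified form, which services and which of the ICMP types listed above each zone admits, tying the zone section to the icmptypes section. The zone files are constructed for the demonstration, and the two icmp-block entries on the public zone are an assumption, not something the text states.

```python
import xml.etree.ElementTree as ET

# Constructed zone files in the XML format firewalld keeps under /etc/firewalld/zones/
# (not copied from a real host): services follow the zone descriptions in the text,
# the icmp-block entries on public are added for the demonstration.
ZONE_XML = {
    "drop": '<zone target="DROP"><short>Drop</short></zone>',
    "block": '<zone target="%%REJECT%%"><short>Block</short></zone>',
    "public": ('<zone><short>Public</short><service name="ssh"/>'
               '<service name="dhcpv6-client"/>'
               '<icmp-block name="timestamp-request"/>'
               '<icmp-block name="timestamp-reply"/></zone>'),
    "home": ('<zone><short>Home</short><service name="ssh"/>'
             '<service name="ipp-client"/><service name="mdns"/>'
             '<service name="samba-client"/><service name="dhcpv6-client"/></zone>'),
    "trusted": '<zone target="ACCEPT"><short>Trusted</short></zone>',
}

def parse_zone(xml_text):
    """Extract target, allowed services and the ICMP block list from one zone file."""
    root = ET.fromstring(xml_text)
    return {
        "target": root.get("target", "default"),  # no attribute means the 'default' target
        "services": {s.get("name") for s in root.findall("service")},
        "icmp_blocks": {i.get("name") for i in root.findall("icmp-block")},
        "icmp_inverted": root.find("icmp-block-inversion") is not None,
    }

def service_allowed(zone, service):
    """A listed service passes in any zone; anything else falls through to the
    zone target, and only ACCEPT (the trusted zone) lets it in."""
    return service in zone["services"] or zone["target"] == "ACCEPT"

def icmp_allowed(zone, icmptype):
    """Simplified model of firewalld's ICMP handling: the icmp-block list (or its
    inversion) is checked first; unmatched ICMP is accepted by the ACCEPT and
    'default' targets and refused by DROP and %%REJECT%% (drop and block zones)."""
    listed = icmptype in zone["icmp_blocks"]
    if zone["icmp_inverted"]:
        return listed
    return not listed and zone["target"] in ("ACCEPT", "default")

def audit(zone_xml=ZONE_XML):
    """Per zone: does ssh get in, and which of the page's ICMP types are answered?"""
    report = {}
    for name, xml in zone_xml.items():
        z = parse_zone(xml)
        report[name] = {"ssh": service_allowed(z, "ssh"),
                        "echo-reply": icmp_allowed(z, "echo-reply"),
                        "timestamp-request": icmp_allowed(z, "timestamp-request")}
    return report
```

Running audit() on a host's real zone files (read from /etc/firewalld/zones/) gives a quick check that a zone meant to be restrictive really does refuse the ICMP types you expect.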
