A record of the following for reference.

```bash
#!/bin/bash
firewall-cmd --reload
firewall-cmd --zone=public --add-service=ftp
firewall-cmd --zone=public --add-service=tftp

# WowzaStreamingEngine
firewall-cmd --zone=public --add-port=443/tcp
firewall-cmd --zone=public --add-port=443/udp
firewall-cmd --zone=public --add-port=554/tcp
firewall-cmd --zone=public --add-port=554/udp
firewall-cmd --zone=public --add-port=1935/tcp
firewall-cmd --zone=public --add-port=1935/udp
firewall-cmd --zone=public --add-port=8088/tcp
firewall-cmd --zone=public --add-port=6970-9999/udp

# Node.js
firewall-cmd --zone=public --add-port=17000-17001/tcp

# YSC's Macbook
firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="122.116.200.000/24" accept'
```
DMZ reference

Reference URL: https://www.centos.org/forums/viewtopic.php?t=51001
Found the answer in a rich rule

```
rule family="ipv4" destination address="24.37.79.202" forward-port port="http" protocol="tcp" to-port="http" to-addr="192.168.2.2"
```

Which I added using:

```
firewall-cmd --permanent --zone=internal --add-rich-rule='rule family="ipv4" destination address="24.37.79.202" forward-port port="http" protocol="tcp" to-port="http" to-addr="192.168.2.2"'
```

After I fixed up the rest of the rules and cleaned out the port forwarding, I think that I have a clean replacement for the old firewall. This handles the specific case of the internal network while still allowing internal machines to reach the outside world for the ports involved. I may need to add some more later but I am back on the air now.

```
> firewall-cmd --zone=internal --permanent --list-all
internal (default, active)
  interfaces: enp3s08
  sources:
  services: Asterisk SVN Squid Tomcat dhcp dhcpv6 dhcpv6-client dns ftp http https imaps ipp-client mdns mysql nexus nfs ntp pop3 pop3s postgresql samba-client smtp ssh telnet tftp tftp-client webmin
  ports: 465/tcp 587/tcp 2525/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
	rule service name="Asterisk" log level="warning" accept
	rule family="ipv4" destination address="24.37.79.202" forward-port port="https" protocol="tcp" to-port="https" to-addr="192.168.2.2"
	rule family="ipv4" destination address="24.37.79.202" forward-port port="8081" protocol="tcp" to-port="8081" to-addr="192.168.2.2"
	rule service name="https" accept
	rule family="ipv4" destination address="24.37.79.202" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.2.2"
	rule family="ipv4" destination address="24.37.79.202" forward-port port="110" protocol="tcp" to-port="110" to-addr="192.168.2.2"
	rule family="ipv4" destination address="24.37.79.202" forward-port port="2525" protocol="tcp" to-port="2525" to-addr="192.168.2.2"
	rule family="ipv4" destination address="24.37.79.202" forward-port port="25" protocol="tcp" to-port="25" to-addr="192.168.2.2"
	rule service name="http" log level="warning" accept
	rule family="ipv4" destination address="24.37.79.202" forward-port port="3690" protocol="tcp" to-port="3690" to-addr="192.168.2.2"
```
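As an added example (not code from this post, the forum answer, or firewalld itself), the script below parses `firewall-cmd --zone=<zone> --list-all` output of the shape quoted above and flags exposure worth a second look: cleartext services such as telnet, ftp and pop3 in the service list, database services, forward-port rich rules that carry no `source address` (so the DNAT is reachable from any address that can hit the destination), and a bare `accept` rich rule that admits every port from its source, like the Macbook rule in the script at the top of the page. Both sample listings are constructed from the zone output and rules quoted on this page; the `eth0` interface name in the public-zone sample is hypothetical. One caveat when reading the first script: `firewall-cmd --reload` discards runtime-only changes and reloads the permanent configuration, and the `--add-*` calls there run without `--permanent`, so they are lost at the next reload or reboot unless persisted with `--permanent` or `--runtime-to-permanent`.

```python
# Added example: parse `firewall-cmd --zone=X --list-all` output and flag exposure.
# Samples are constructed from the listing and rules quoted in the post.
import re
from dataclasses import dataclass, field

INTERNAL_ZONE = """\
internal (default, active)
  interfaces: enp3s08
  sources:
  services: Asterisk SVN Squid Tomcat dhcp dhcpv6 dhcpv6-client dns ftp http https imaps ipp-client mdns mysql nexus nfs ntp pop3 pop3s postgresql samba-client smtp ssh telnet tftp tftp-client webmin
  ports: 465/tcp 587/tcp 2525/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
\trule service name="Asterisk" log level="warning" accept
\trule family="ipv4" destination address="24.37.79.202" forward-port port="https" protocol="tcp" to-port="https" to-addr="192.168.2.2"
\trule service name="https" accept
\trule family="ipv4" destination address="24.37.79.202" forward-port port="80" protocol="tcp" to-port="80" to-addr="192.168.2.2"
\trule family="ipv4" destination address="24.37.79.202" forward-port port="25" protocol="tcp" to-port="25" to-addr="192.168.2.2"
\trule family="ipv4" destination address="24.37.79.202" forward-port port="3690" protocol="tcp" to-port="3690" to-addr="192.168.2.2"
"""

# The runtime `public` zone as the script at the top of the post leaves it (eth0 is hypothetical).
PUBLIC_ZONE = """\
public (active)
  interfaces: eth0
  services: dhcpv6-client ssh ftp tftp
  ports: 443/tcp 443/udp 554/tcp 554/udp 1935/tcp 1935/udp 8088/tcp 6970-9999/udp 17000-17001/tcp
  rich rules:
\trule family="ipv4" source address="122.116.200.000/24" accept
"""

@dataclass
class Zone:
    name: str
    status: str                                  # e.g. "default, active"
    fields: dict = field(default_factory=dict)   # "services" -> ["ssh", ...]
    rich_rules: list = field(default_factory=list)

HEADER_RE = re.compile(r'^(\S+)\s*(?:\((.*)\))?\s*$')
FIELD_RE = re.compile(r'^\s+([\w-]+(?: [\w-]+)?):\s*(.*)$')   # "rich rules:" has a space
KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
SOURCE_RE = re.compile(r'\bsource address="([^"]*)"')

def parse_list_all(text):
    """Parse one zone listing; rich rules are kept as raw strings."""
    zone = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                 # unindented line: the zone header
            m = HEADER_RE.match(raw)
            zone = Zone(m.group(1), m.group(2) or "")
            continue
        if zone is None:
            raise ValueError("field line before zone header")
        line = raw.strip()
        if line.startswith("rule "):             # indented lines under "rich rules:"
            zone.rich_rules.append(line)
            continue
        m = FIELD_RE.match(raw)
        if m:
            zone.fields[m.group(1)] = m.group(2).split()
    if zone is None:
        raise ValueError("no zone header found")
    return zone

CLEARTEXT_SERVICES = {"telnet", "ftp", "tftp", "tftp-client", "pop3", "imap"}
DATABASE_SERVICES = {"mysql", "postgresql"}

def audit_zone(zone):
    """Return (kind, detail) findings for exposure a reviewer would question."""
    findings = []
    for svc in zone.fields.get("services", []):
        if svc in CLEARTEXT_SERVICES:            # credentials travel unencrypted
            findings.append(("cleartext-service", svc))
        if svc in DATABASE_SERVICES:
            findings.append(("database-service", svc))
    for rule in zone.rich_rules:
        attrs = dict(KV_RE.findall(rule))
        src = SOURCE_RE.search(rule)
        if "forward-port" in rule:
            target = f'{attrs.get("to-addr", "?")}:{attrs.get("to-port", attrs.get("port", "?"))}'
            if not src:                          # DNAT reachable from any source address
                findings.append(("forward-any-source", target))
        elif rule.endswith("accept") and "service" not in rule and "port" not in rule:
            # accept with no service/port element admits every protocol and port
            findings.append(("accept-all-ports", src.group(1) if src else "any"))
    return findings

if __name__ == "__main__":
    for sample in (INTERNAL_ZONE, PUBLIC_ZONE):
        zone = parse_list_all(sample)
        for kind, detail in audit_zone(zone):
            print(f"{zone.name}: {kind}: {detail}")
```

On a live host, pass the stdout of `firewall-cmd --zone=<zone> --list-all` to `parse_list_all` instead of the constructed samples; the findings are a review list, not a verdict, since a forward without a source restriction may be exactly what a public web server needs, while the same rule on port 25 or 110 deserves a closer look.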