【tech】centos7のfirewallにzoneを追加するメモ

CentOS7を使用していて、publicのzoneを残したままfirewallに独自のzoneを追加する方法を調べたメモです。CentOS7からfirewalldになっているのでCentOS6で使い慣れている人には少し使いづらいですね。

以下、CentOSのFirewalldで独自のゾーンを追加する方法です。

環境


CentOS7.5
追加するfirewallのZONE:manage（ゾーン名はファイル名の manage、shortタグの表示名が Manage）


・ゾーンの確認
firewall-cmd --get-zones
→ここに独自の「manage」というzoneを追加しようと思います。

・全てのzoneとzone毎の設定内容を確認
firewall-cmd --list-all-zones

・既存のzoneファイルディレクトリへ移動
cd /etc/firewalld/zones/

・既存ファイルを確認
ls

・publicのzoneファイル（public.xml）をコピーして独自のzoneを定義する。
cp -p public.xml manage.xml
(-pオプションは、パーミッション・所有者・タイムスタンプを保持したままコピーするオプションです。詳しくはググってください笑)

・ファイルが作られたことを確認
ls

・viで開いて編集します
vi manage.xml

以下はサンプルです。
編集した所は
「short」タグと「description」タグの中身です。サービスの設定（dhcpv6-client と ssh）はpublicからコピーしたままなので、ルール自体はpublicと同じです。

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Manage</short>
  <description>Custom Zone. Only allow ssh connection from Manage.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>

・編集内容を確認します
cat manage.xml

・編集後はfirewalldを再起動すればzoneが追加されます。ただし、この時点ではmanageゾーンにinterfaceもsourceも紐付いていない（--list-all-zones の interfaces: / sources: の行が空のまま）ため、実際の通信に適用されるのはいずれかを割り当ててからです。
systemctl restart firewalld

・作成したゾーンが追加されているか確認
firewall-cmd --get-zones

以下作業ログです


[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# firewall-cmd --get-zones
block dmz drop external home internal public trusted work
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# firewall-cmd --list-all-zones
block
target: %%REJECT%%
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

dmz
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

drop
target: DROP
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

external
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh
ports:
protocols:
masquerade: yes
forward-ports:
source-ports:
icmp-blocks:
rich rules:

home
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

internal
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh mdns samba-client dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3 enp0s8
sources:
services: dhcpv6-client ssh
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

trusted
target: ACCEPT
icmp-block-inversion: no
interfaces:
sources:
services:
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: ssh dhcpv6-client
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]#
[root@localhost ~]# cd /etc/firewalld/zones/
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]# ls
public.xml
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]# cp -p public.xml manage.xml
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]# ls
manage.xml public.xml
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]# vi manage.xml

"manage.xml" 7L, 315C<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers  on networks to not harm your computer. Only selected incoming connections aree accepted.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>

[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]# cat manage.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Manage</short>
  <description>Custom Zone. Only allow ssh connection from Manage.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
</zone>

[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]# systemctl restart firewalld
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]# firewall-cmd --get-zones

block dmz drop external home internal manage public trusted work
[root@localhost zones]#
[root@localhost zones]#
[root@localhost zones]# exit