我有打开端口的防火墙规则,但该端口仍然关闭。
我改变了规则的顺序,它开始起作用了——不明白为什么。
这是我以前所拥有的:
cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p ipv4-icmp -m comment --comment ipv4_icmp -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
</direct>
现在端口 5000-5200 未打开,我无法访问它们
然后我将顺序改为这样它就开始起作用了:
cat /etc/firewalld/direct.xml
<?xml version="1.0" encoding="utf-8"?>
<direct>
<rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 5000:5200 -m comment --comment 'my app' -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p ipv4-icmp -m comment --comment ipv4_icmp -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p ipv6-icmp -m comment --comment ipv6_icmp -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-p tcp -m tcp -m multiport --dports 22 -m comment --comment 'Allow SSH' -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv4" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
<rule priority="50" table="filter" ipv="ipv6" chain="INPUT">-m state --state RELATED,ESTABLISHED -m comment --comment established -j ACCEPT</rule>
</direct>
它为什么会这么做?
答案1
您只有 ACCEPT 规则,因此它们的顺序应该不会有任何区别。相反,您是否重新启动/重新加载了firewalld?在这种情况下,您的先前规则可能被标记为永久规则(因此它们被保存到磁盘),但不是运行时规则(因此它们当前未应用)。