CentOS 7.8 FirewallD is not running
Today I bought a new Alibaba Cloud ECS server. While setting up the firewall (FirewallD) I found that it is not running by default and the command reports FirewallD is not running. The steps I took to fix it are recorded below.
Operating system: CentOS 7.8
Error message:
[root@node01 ~]# firewall-cmd --zone=public --list-all
FirewallD is not running
[root@node01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2020-09-04 15:00:32 CST; 13s ago
     Docs: man:firewalld(1)
  Process: 11587 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
 Main PID: 11587 (code=exited, status=0/SUCCESS)

Sep 04 14:46:34 node01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 04 14:46:35 node01 systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 04 15:00:32 node01 systemd[1]: Stopping firewalld - dynamic firewall daemon...
Sep 04 15:00:32 node01 systemd[1]: Stopped firewalld - dynamic firewall daemon.
Resolution:
Start the FirewallD service
[root@node01 ~]# systemctl start firewalld
Check the FirewallD service status: it is now running. Note, however, that a WARNING is reported; how to deal with it is described further below.
[root@node01 ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2020-09-04 14:41:45 CST; 3s ago
     Docs: man:firewalld(1)
 Main PID: 11251 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─11251 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid

Sep 04 14:41:45 node01 systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 04 14:41:45 node01 systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 04 14:41:45 node01 firewalld[11251]: WARNING: AllowZoneDrifting is enabled. This is considered an insecure c... now.
Hint: Some lines were ellipsized, use -l to show in full.
Warning message:
WARNING: AllowZoneDrifting is enabled. This is considered an insecure c... now.
Enable or disable the FirewallD service at boot
Enable it at boot so that it does not have to be started by hand again after a reboot.
# enable at boot
[root@node01 ~]# systemctl enable firewalld
# disable at boot
[root@node01 ~]# systemctl disable firewalld
Common systemctl commands
[root@node01 ~]# systemctl start firewalld
[root@node01 ~]# systemctl stop firewalld
[root@node01 ~]# systemctl restart firewalld
Handling the AllowZoneDrifting warning
When the FirewallD service starts, it reports the warning: WARNING: AllowZoneDrifting is enabled. This is considered an insecure c... now.
Edit the FirewallD configuration file
[root@node01 ~]# vi /etc/firewalld/firewalld.conf
Disable AllowZoneDrifting
Find the line
AllowZoneDrifting=yes
change yes to no, then save the file and exit.
# AllowZoneDrifting
# Older versions of firewalld had undocumented behavior known as "zone
# drifting". This allowed packets to ingress multiple zones - this is a
# violation of zone based firewalls. However, some users rely on this behavior
# to have a "catch-all" zone, e.g. the default zone. You can enable this if you
# desire such behavior. It's disabled by default for security reasons.
# Note: If "yes" packets will only drift from source based zones to interface
# based zones (including the default zone). Packets never drift from interface
# based zones to other interfaces based zones (including the default zone).
# Possible values; "yes", "no". Defaults to "yes".
AllowZoneDrifting=no
After restarting the FirewallD service and checking its status again, the warning no longer appears.
(End)
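As an added example (not part of the original post), the script below performs the configuration edit described above in a checked, repeatable way: it reads the effective AllowZoneDrifting value, rewrites yes to no after taking a backup, and confirms the result. The function names and the constructed sample file are this example's own assumptions; the commented-out commands at the end are the corresponding steps on the real host.

```shell
#!/bin/sh
# Added example, not from the original post: disable AllowZoneDrifting in a
# firewalld.conf file and verify the change. The function names and the
# constructed sample file below are this example's own assumptions.

# Effective value of AllowZoneDrifting in the given file. Only an uncommented
# "AllowZoneDrifting=" line counts; the "# AllowZoneDrifting" comment block
# that documents the option is ignored.
zone_drifting_value() {
    grep -E '^AllowZoneDrifting=' "$1" | tail -n 1 | cut -d= -f2
}

# Set AllowZoneDrifting=no. A backup is written first, and the function is
# idempotent: a file that already says "no" is left untouched.
disable_zone_drifting() {
    conf="$1"
    [ "$(zone_drifting_value "$conf")" = "yes" ] || return 0
    cp "$conf" "$conf.bak"
    sed 's/^AllowZoneDrifting=yes$/AllowZoneDrifting=no/' "$conf" > "$conf.tmp" \
        && mv "$conf.tmp" "$conf"
}

# Demonstration on a constructed copy of the relevant part of firewalld.conf,
# so the script can be run on any machine without touching /etc/firewalld.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
# AllowZoneDrifting
# Possible values; "yes", "no". Defaults to "yes".
AllowZoneDrifting=yes
EOF
echo "before: AllowZoneDrifting=$(zone_drifting_value "$demo_conf")"
disable_zone_drifting "$demo_conf"
echo "after:  AllowZoneDrifting=$(zone_drifting_value "$demo_conf")"
rm -f "$demo_conf" "$demo_conf.bak"

# On the real host (as root), the same steps applied to the live file:
#   disable_zone_drifting /etc/firewalld/firewalld.conf
#   systemctl restart firewalld
#   systemctl status -l firewalld   # -l shows the full, un-ellipsized log lines
#   firewall-cmd --state            # prints "running" once the daemon is up
```

Because systemctl status truncates the warning to "insecure c...", use systemctl status -l firewalld (as the Hint line in the output above says) to read the full message and confirm it is gone after the restart.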