{"id":38177,"date":"2026-01-20T13:34:20","date_gmt":"2026-01-20T06:34:20","guid":{"rendered":"https:\/\/interdata.vn\/blog\/?p=38177"},"modified":"2026-01-20T13:34:51","modified_gmt":"2026-01-20T06:34:51","slug":"firewalld-la-gi","status":"publish","type":"post","link":"https:\/\/interdata.vn\/blog\/firewalld-la-gi\/","title":{"rendered":"FirewallD l\u00e0 g\u00ec? D\u00f9ng l\u00e0m g\u00ec? So v\u1edbi Iptables &#038; L\u1ec7nh th\u01b0\u1eddng d\u00f9ng"},"content":{"rendered":"<p>Trong qu\u00e1 tr\u00ecnh qu\u1ea3n tr\u1ecb VPS ho\u1eb7c server Linux, kh\u00f4ng \u00edt ng\u01b0\u1eddi g\u1eb7p t\u00ecnh hu\u1ed1ng d\u1ecbch v\u1ee5 \u0111\u00e3 ch\u1ea1y nh\u01b0ng v\u1eabn kh\u00f4ng th\u1ec3 truy c\u1eadp t\u1eeb b\u00ean ngo\u00e0i, d\u00f9 port t\u01b0\u1edfng ch\u1eebng \u0111\u00e3 \u0111\u01b0\u1ee3c m\u1edf. Nguy\u00ean nh\u00e2n ph\u1ed5 bi\u1ebfn th\u01b0\u1eddng \u0111\u1ebfn t\u1eeb c\u1ea5u h\u00ecnh firewall \u1edf t\u1ea7ng h\u1ec7 \u0111i\u1ec1u h\u00e0nh, trong \u0111\u00f3 <strong>FirewallD<\/strong> l\u00e0 th\u00e0nh ph\u1ea7n \u0111\u00f3ng vai tr\u00f2 then ch\u1ed1t tr\u00ean nhi\u1ec1u b\u1ea3n ph\u00e2n ph\u1ed1i Linux hi\u1ec7n nay nh\u01b0 CentOS, Rocky Linux hay AlmaLinux.<\/p>\n<p>V\u1eady <a href=\"https:\/\/interdata.vn\/blog\/firewalld-la-gi\/\"><strong>FirewallD l\u00e0 g\u00ec<\/strong><\/a>, c\u00f4ng c\u1ee5 n\u00e0y d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec v\u00e0 ho\u1ea1t \u0111\u1ed9ng nh\u01b0 th\u1ebf n\u00e0o trong vi\u1ec7c ki\u1ec3m so\u00e1t l\u01b0u l\u01b0\u1ee3ng m\u1ea1ng? 
B\u00e0i vi\u1ebft d\u01b0\u1edbi \u0111\u00e2y s\u1ebd gi\u00fap b\u1ea1n hi\u1ec3u r\u00f5 kh\u00e1i ni\u1ec7m FirewallD, c\u01a1 ch\u1ebf ho\u1ea1t \u0111\u1ed9ng, c\u00e1ch m\u1edf port \u0111\u00fang c\u00e1ch c\u0169ng nh\u01b0 nh\u1eefng l\u01b0u \u00fd quan tr\u1ecdng \u0111\u1ec3 c\u1ea5u h\u00ecnh firewall Linux an to\u00e0n, h\u1ea1n ch\u1ebf r\u1ee7i ro m\u1ea5t k\u1ebft n\u1ed1i server.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"FirewallD-la-gi\"><\/span>FirewallD l\u00e0 g\u00ec?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>FirewallD<\/strong> (Dynamic Firewall Daemon) l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 qu\u1ea3n l\u00fd t\u01b0\u1eddng l\u1eeda \u0111\u1ed9ng \u0111\u01b0\u1ee3c t\u00edch h\u1ee3p m\u1eb7c \u0111\u1ecbnh tr\u00ean c\u00e1c b\u1ea3n ph\u00e2n ph\u1ed1i Linux hi\u1ec7n \u0111\u1ea1i nh\u01b0 CentOS 7, RHEL 7, Fedora v\u00e0 c\u00e1c phi\u00ean b\u1ea3n m\u1edbi h\u01a1n.<\/p>\n<p>V\u1ec1 b\u1ea3n ch\u1ea5t k\u1ef9 thu\u1eadt, FirewallD kh\u00f4ng ph\u1ea3i l\u00e0 m\u1ed9t t\u01b0\u1eddng l\u1eeda \u0111\u1ed9c l\u1eadp ho\u00e0n to\u00e0n. N\u00f3 \u0111\u00f3ng vai tr\u00f2 l\u00e0 m\u1ed9t l\u1edbp giao di\u1ec7n qu\u1ea3n l\u00fd (frontend controller) gi\u00fap ng\u01b0\u1eddi d\u00f9ng t\u01b0\u01a1ng t\u00e1c v\u1edbi h\u1ec7 th\u1ed1ng l\u1ecdc g\u00f3i tin <strong>Netfilter<\/strong> trong nh\u00e2n (kernel) c\u1ee7a Linux, tr\u00ean c\u00e1c b\u1ea3n m\u1edbi, firewalld s\u1eed d\u1ee5ng nftables l\u00e0m backend m\u1eb7c \u0111\u1ecbnh. 
Tr\u01b0\u1edbc \u0111\u00e2y, ng\u01b0\u1eddi d\u00f9ng th\u01b0\u1eddng t\u01b0\u01a1ng t\u00e1c v\u1edbi Netfilter th\u00f4ng qua <strong>iptables<\/strong>, nh\u01b0ng iptables c\u00f3 nh\u01b0\u1ee3c \u0111i\u1ec3m l\u00e0 c\u00fa ph\u00e1p ph\u1ee9c t\u1ea1p v\u00e0 c\u01a1 ch\u1ebf t\u0129nh.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-38187 aligncenter\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/FirewallD-la-gi.jpg\" alt=\"FirewallD l\u00e0 g\u00ec\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/FirewallD-la-gi.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/FirewallD-la-gi-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/FirewallD-la-gi-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/p>\n<p>FirewallD ho\u1ea1t \u0111\u1ed9ng nh\u01b0 m\u1ed9t l\u1edbp qu\u1ea3n l\u00fd firewall \u0111\u1ed9ng. 
Tr\u00ean c\u00e1c h\u1ec7 \u0111i\u1ec1u h\u00e0nh Linux hi\u1ec7n \u0111\u1ea1i (RHEL 8+, Rocky Linux 9, AlmaLinux), FirewallD s\u1eed d\u1ee5ng nftables l\u00e0m backend m\u1eb7c \u0111\u1ecbnh thay v\u00ec iptables truy\u1ec1n th\u1ed1ng, gi\u00fap t\u0103ng hi\u1ec7u n\u0103ng v\u00e0 kh\u1ea3 n\u0103ng m\u1edf r\u1ed9ng, trong khi v\u1eabn gi\u1eef \u0111\u01b0\u1ee3c c\u00fa ph\u00e1p qu\u1ea3n l\u00fd \u0111\u01a1n gi\u1ea3n th\u00f4ng qua firewall-cmd.<\/p>\n<p>T\u01b0\u1eddng l\u1eeda FirewallD ra \u0111\u1eddi \u0111\u1ec3 gi\u1ea3i quy\u1ebft c\u00e1c v\u1ea5n \u0111\u1ec1 \u0111\u00f3 b\u1eb1ng c\u00e1ch cung c\u1ea5p giao di\u1ec7n d\u00f2ng l\u1ec7nh (CLI) firewall-cmd tr\u1ef1c quan h\u01a1n v\u00e0 h\u1ed7 tr\u1ee3 thay \u0111\u1ed5i c\u1ea5u h\u00ecnh ngay l\u1eadp t\u1ee9c m\u00e0 kh\u00f4ng l\u00e0m ng\u1eaft k\u1ebft n\u1ed1i hi\u1ec7n t\u1ea1i.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"FirewallD-dung-de-lam-gi\"><\/span>FirewallD d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Trong m\u00f4i tr\u01b0\u1eddng qu\u1ea3n tr\u1ecb h\u1ec7 th\u1ed1ng, vi\u1ec7c hi\u1ec3u r\u00f5 <strong>t\u01b0\u1eddng l\u1eeda<\/strong> <strong>FirewallD d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec<\/strong> gi\u00fap k\u1ef9 s\u01b0 h\u1ec7 th\u1ed1ng x\u00e1c \u0111\u1ecbnh \u0111\u00fang ph\u1ea1m vi \u1ee9ng d\u1ee5ng c\u1ee7a c\u00f4ng c\u1ee5.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"1-Vai-tro-trong-bao-mat-he-thong\"><\/span>1. Vai tr\u00f2 trong b\u1ea3o m\u1eadt h\u1ec7 th\u1ed1ng<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Ch\u1ee9c n\u0103ng ch\u00ednh c\u1ee7a FirewallD l\u00e0 ki\u1ec3m so\u00e1t lu\u1ed3ng truy c\u1eadp m\u1ea1ng (traffic control). 
N\u00f3 ho\u1ea1t \u0111\u1ed9ng nh\u01b0 m\u1ed9t &#8220;ng\u01b0\u1eddi g\u00e1c c\u1ed5ng&#8221;, ch\u1ec9 cho ph\u00e9p nh\u1eefng k\u1ebft n\u1ed1i \u0111\u01b0\u1ee3c c\u1ea5p quy\u1ec1n \u0111i v\u00e0o server v\u00e0 ch\u1eb7n t\u1ea5t c\u1ea3 c\u00e1c k\u1ebft n\u1ed1i l\u1ea1. \u0110i\u1ec1u n\u00e0y gi\u00fap:<\/p>\n<ul>\n<li>Ng\u0103n ch\u1eb7n c\u00e1c truy c\u1eadp tr\u00e1i ph\u00e9p v\u00e0o c\u00e1c c\u1ed5ng (port) nh\u1ea1y c\u1ea3m.<\/li>\n<li>Gi\u1ea3m thi\u1ec3u r\u1ee7i ro t\u1eeb c\u00e1c cu\u1ed9c t\u1ea5n c\u00f4ng d\u00f2 qu\u00e9t c\u1ed5ng (port scan).<\/li>\n<li>H\u1ea1n ch\u1ebf t\u1ea5n c\u00f4ng brute-force v\u00e0o d\u1ecbch v\u1ee5 SSH ho\u1eb7c Database.<\/li>\n<\/ul>\n<h3><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-38189\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/FirewallD-dung-de-lam-gi.jpg\" alt=\"FirewallD d\u00f9ng \u0111\u1ec3 l\u00e0m g\u00ec\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/FirewallD-dung-de-lam-gi.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/FirewallD-dung-de-lam-gi-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/FirewallD-dung-de-lam-gi-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/h3>\n<h3><span class=\"ez-toc-section\" id=\"2-Truong-hop-su-dung-pho-bien\"><\/span>2. 
Tr\u01b0\u1eddng h\u1ee3p s\u1eed d\u1ee5ng ph\u1ed5 bi\u1ebfn<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>FirewallD th\u01b0\u1eddng \u0111\u01b0\u1ee3c k\u00edch ho\u1ea1t v\u00e0 c\u1ea5u h\u00ecnh trong c\u00e1c tr\u01b0\u1eddng h\u1ee3p sau:<\/p>\n<ul>\n<li><strong>VPS ch\u1ea1y Web Server:<\/strong> Ch\u1ec9 m\u1edf port 80 (HTTP), 443 (HTTPS) cho c\u00f4ng ch\u00fang v\u00e0 port 22 (SSH) cho qu\u1ea3n tr\u1ecb vi\u00ean.<\/li>\n<li><strong>Database Server:<\/strong> Ch\u1ec9 cho ph\u00e9p k\u1ebft n\u1ed1i t\u1eeb IP c\u1ee7a Web Server (Internal Network) v\u00e0 ch\u1eb7n to\u00e0n b\u1ed9 truy c\u1eadp t\u1eeb Internet.<\/li>\n<li><strong>M\u00f4i tr\u01b0\u1eddng Cloud:<\/strong> D\u00f9 c\u00e1c nh\u00e0 cung c\u1ea5p nh\u01b0 AWS, Google Cloud hay <strong>InterData<\/strong> \u0111\u1ec1u c\u00f3 Security Group (t\u01b0\u1eddng l\u1eeda l\u1edbp network), vi\u1ec7c c\u1ea5u h\u00ecnh th\u00eam FirewallD (t\u01b0\u1eddng l\u1eeda l\u1edbp OS) t\u1ea1o n\u00ean l\u1edbp b\u1ea3o m\u1eadt k\u00e9p v\u1eefng ch\u1eafc.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Cac-khai-niem-cot-loi-trong-FirewallD\"><\/span>C\u00e1c kh\u00e1i ni\u1ec7m c\u1ed1t l\u00f5i trong FirewallD<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u0110\u1ec3 l\u00e0m ch\u1ee7 \u0111\u01b0\u1ee3c <strong>Firewall Linux<\/strong> n\u00e0y, b\u1ea1n c\u1ea7n n\u1eafm v\u1eefng hai kh\u00e1i ni\u1ec7m n\u1ec1n t\u1ea3ng: <strong>Zone<\/strong> v\u00e0 ch\u1ebf \u0111\u1ed9 c\u1ea5u h\u00ecnh (<strong>Configuration Mode<\/strong>).<\/p>\n<h3><span class=\"ez-toc-section\" id=\"1-Zone-Vung-tin-cay\"><\/span>1. Zone (V\u00f9ng tin c\u1eady)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u0110\u00e2y l\u00e0 t\u00ednh n\u0103ng t\u1ea1o n\u00ean s\u1ef1 linh ho\u1ea1t c\u1ee7a c\u00f4ng c\u1ee5 FirewallD. <strong>Zone<\/strong> x\u00e1c \u0111\u1ecbnh m\u1ee9c \u0111\u1ed9 tin c\u1eady c\u1ee7a c\u00e1c k\u1ebft n\u1ed1i m\u1ea1ng. 
M\u1ed7i card m\u1ea1ng (interface) ho\u1eb7c k\u1ebft n\u1ed1i s\u1ebd \u0111\u01b0\u1ee3c g\u00e1n v\u00e0o m\u1ed9t Zone c\u1ee5 th\u1ec3.<\/p>\n<p>D\u01b0\u1edbi \u0111\u00e2y l\u00e0 danh s\u00e1ch c\u00e1c Zone m\u1eb7c \u0111\u1ecbnh theo th\u1ee9 t\u1ef1 t\u1eeb &#8220;\u00edt tin c\u1eady nh\u1ea5t&#8221; \u0111\u1ebfn &#8220;tin c\u1eady nh\u1ea5t&#8221;:<\/p>\n<ul>\n<li><strong>drop:<\/strong> M\u1ee9c \u0111\u1ed9 b\u1ea3o m\u1eadt cao nh\u1ea5t (Paranoiac). T\u1ea5t c\u1ea3 c\u00e1c g\u00f3i tin \u0111\u1ebfn \u0111\u1ec1u b\u1ecb h\u1ee7y b\u1ecf (drop) m\u00e0 kh\u00f4ng c\u00f3 b\u1ea5t k\u1ef3 ph\u1ea3n h\u1ed3i n\u00e0o. Ch\u1ec9 cho ph\u00e9p c\u00e1c k\u1ebft n\u1ed1i \u0111i ra.<\/li>\n<li><strong>block:<\/strong> T\u01b0\u01a1ng t\u1ef1 nh\u01b0 drop, nh\u01b0ng s\u1ebd g\u1eedi ph\u1ea3n h\u1ed3i t\u1eeb ch\u1ed1i (ICMP Prohibited) cho ng\u01b0\u1eddi g\u1eedi bi\u1ebft r\u1eb1ng k\u1ebft n\u1ed1i b\u1ecb ch\u1eb7n.<\/li>\n<li><strong>public:<\/strong> (M\u1eb7c \u0111\u1ecbnh) D\u00e0nh cho m\u1ea1ng c\u00f4ng c\u1ed9ng, kh\u00f4ng an to\u00e0n. Ch\u1ec9 ch\u1ea5p nh\u1eadn c\u00e1c k\u1ebft n\u1ed1i \u0111\u01b0\u1ee3c thi\u1ebft l\u1eadp c\u1ee5 th\u1ec3. 
\u0110\u00e2y l\u00e0 Zone th\u01b0\u1eddng d\u00f9ng nh\u1ea5t tr\u00ean VPS.<\/li>\n<li><strong>external:<\/strong> D\u00e0nh cho m\u1ea1ng b\u00ean ngo\u00e0i v\u1edbi t\u00ednh n\u0103ng gi\u1ea3 m\u1ea1o IP (masquerading) \u0111\u01b0\u1ee3c k\u00edch ho\u1ea1t, th\u01b0\u1eddng d\u00f9ng cho router.<\/li>\n<li><strong>dmz:<\/strong> D\u00e0nh cho c\u00e1c m\u00e1y t\u00ednh trong v\u00f9ng DMZ (Demilitarized Zone), n\u01a1i c\u00e1c d\u1ecbch v\u1ee5 c\u00f3 th\u1ec3 truy c\u1eadp c\u00f4ng khai nh\u01b0ng h\u1ea1n ch\u1ebf quy\u1ec1n truy c\u1eadp v\u00e0o m\u1ea1ng n\u1ed9i b\u1ed9.<\/li>\n<li><strong>work:<\/strong> D\u00e0nh cho m\u00f4i tr\u01b0\u1eddng l\u00e0m vi\u1ec7c, tin t\u01b0\u1edfng h\u1ea7u h\u1ebft c\u00e1c m\u00e1y t\u00ednh trong m\u1ea1ng.<\/li>\n<li><strong>home:<\/strong> D\u00e0nh cho m\u1ea1ng gia \u0111\u00ecnh, m\u1ee9c \u0111\u1ed9 tin c\u1eady cao h\u01a1n work.<\/li>\n<li><strong>internal:<\/strong> D\u00e0nh cho m\u1ea1ng n\u1ed9i b\u1ed9 b\u00ean trong firewall.<\/li>\n<li><strong>trusted:<\/strong> Tin c\u1eady tuy\u1ec7t \u0111\u1ed1i. Ch\u1ea5p nh\u1eadn t\u1ea5t c\u1ea3 c\u00e1c k\u1ebft n\u1ed1i m\u1ea1ng. <strong>L\u01b0u \u00fd:<\/strong> Ch\u1ec9 d\u00f9ng khi b\u1ea1n ki\u1ec3m so\u00e1t ho\u00e0n to\u00e0n m\u1ea1ng l\u01b0\u1edbi.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"2-Runtime-vs-Permanent-Tam-thoi-va-Vinh-vien\"><\/span>2. 
Runtime vs Permanent (T\u1ea1m th\u1eddi v\u00e0 V\u0129nh vi\u1ec5n)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>S\u1ef1 ph\u00e2n bi\u1ec7t gi\u1eefa c\u1ea5u h\u00ecnh <strong>Runtime<\/strong> v\u00e0 <strong>Permanent<\/strong> l\u00e0 nguy\u00ean nh\u00e2n g\u00e2y ra nhi\u1ec1u l\u1ed7i nh\u1ea5t cho ng\u01b0\u1eddi m\u1edbi b\u1eaft \u0111\u1ea7u.<\/p>\n<ul>\n<li><strong>Runtime Configuration (C\u1ea5u h\u00ecnh t\u1ea1m th\u1eddi):<\/strong>\n<ul>\n<li>C\u00e1c thay \u0111\u1ed5i c\u00f3 hi\u1ec7u l\u1ef1c ngay l\u1eadp t\u1ee9c.<\/li>\n<li>S\u1ebd <strong>m\u1ea5t \u0111i<\/strong> khi kh\u1edfi \u0111\u1ed9ng l\u1ea1i (reboot) server ho\u1eb7c kh\u1edfi \u0111\u1ed9ng l\u1ea1i d\u1ecbch v\u1ee5 FirewallD.<\/li>\n<li>M\u1ee5c \u0111\u00edch: D\u00f9ng \u0111\u1ec3 ki\u1ec3m tra th\u1eed (test) c\u00e1c rule m\u1edbi. N\u1ebfu sai, ch\u1ec9 c\u1ea7n reboot l\u00e0 h\u1ec7 th\u1ed1ng tr\u1edf l\u1ea1i b\u00ecnh th\u01b0\u1eddng, tr\u00e1nh b\u1ecb kh\u00f3a kh\u1ecfi server (lockout).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Permanent Configuration (C\u1ea5u h\u00ecnh v\u0129nh vi\u1ec5n):<\/strong>\n<ul>\n<li>C\u00e1c thay \u0111\u1ed5i \u0111\u01b0\u1ee3c ghi v\u00e0o file c\u1ea5u h\u00ecnh XML t\u1ea1i \/etc\/firewalld\/zones\/.<\/li>\n<li><strong>Kh\u00f4ng c\u00f3 hi\u1ec7u l\u1ef1c ngay l\u1eadp t\u1ee9c<\/strong> tr\u1eeb khi b\u1ea1n reload l\u1ea1i FirewallD.<\/li>\n<li>S\u1ebd \u0111\u01b0\u1ee3c gi\u1eef l\u1ea1i sau khi reboot server.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<blockquote><p><strong>L\u1eddi khuy\u00ean t\u1eeb chuy\u00ean gia InterData:<\/strong> Lu\u00f4n test rule \u1edf ch\u1ebf \u0111\u1ed9 Runtime tr\u01b0\u1edbc. 
Sau khi ch\u1eafc ch\u1eafn ho\u1ea1t \u0111\u1ed9ng \u0111\u00fang, h\u00e3y \u00e1p d\u1ee5ng tham s\u1ed1 --permanent \u0111\u1ec3 l\u01b0u c\u1ea5u h\u00ecnh v\u0129nh vi\u1ec5n.<\/p><\/blockquote>\n<h2><span class=\"ez-toc-section\" id=\"So-sanh-FirewallD-va-Iptables\"><\/span>So s\u00e1nh FirewallD v\u00e0 Iptables<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Nhi\u1ec1u ng\u01b0\u1eddi d\u00f9ng l\u00e2u n\u0103m v\u1eabn quen thu\u1ed9c v\u1edbi Iptables. V\u1eady t\u1ea1i sao n\u00ean chuy\u1ec3n sang FirewallD? B\u1ea3ng so s\u00e1nh d\u01b0\u1edbi \u0111\u00e2y s\u1ebd l\u00e0m r\u00f5 s\u1ef1 kh\u00e1c bi\u1ec7t.<\/p>\n<table style=\"width: 100%; border-collapse: collapse; font-family: Arial, Helvetica, sans-serif; font-size: 15px; line-height: 1.6; margin: 20px 0;\">\n<thead>\n<tr>\n<th style=\"padding: 14px; color: #ffffff; text-align: left; background: linear-gradient(90deg,#0C40F4,#077FFA); border: 1px solid #e0e0e0;\">Ti\u00eau ch\u00ed<\/th>\n<th style=\"padding: 14px; color: #ffffff; text-align: left; background: linear-gradient(90deg,#077FFA,#0497FC); border: 1px solid #e0e0e0;\">Iptables<\/th>\n<th style=\"padding: 14px; color: #ffffff; text-align: left; background: linear-gradient(90deg,#0C40F4,#0497FC); border: 1px solid #e0e0e0;\">FirewallD<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"padding: 12px; font-weight: 600; background-color: #f5f8ff; border: 1px solid #e0e0e0;\">File c\u1ea5u h\u00ecnh<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">\/etc\/sysconfig\/iptables (D\u1ea1ng text \u0111\u01a1n gi\u1ea3n)<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">\/etc\/firewalld\/ (D\u1ea1ng XML)<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 12px; font-weight: 600; background-color: #f5f8ff; border: 1px solid #e0e0e0;\">C\u01a1 ch\u1ebf \u00e1p d\u1ee5ng<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">Static: M\u1ed7i l\u1ea7n thay \u0111\u1ed5i rule, to\u00e0n b\u1ed9 firewall ph\u1ea3i 
flush (x\u00f3a) v\u00e0 n\u1ea1p l\u1ea1i t\u1eeb \u0111\u1ea7u. G\u00e2y gi\u00e1n \u0111o\u1ea1n k\u1ebft n\u1ed1i ng\u1eafn.<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">Dynamic: Ch\u1ec9 \u00e1p d\u1ee5ng rule m\u1edbi thay \u0111\u1ed5i, kh\u00f4ng c\u1ea7n n\u1ea1p l\u1ea1i to\u00e0n b\u1ed9. Kh\u00f4ng l\u00e0m ng\u1eaft k\u1ebft n\u1ed1i hi\u1ec7n t\u1ea1i.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 12px; font-weight: 600; background-color: #f5f8ff; border: 1px solid #e0e0e0;\">Giao di\u1ec7n qu\u1ea3n l\u00fd<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">L\u1ec7nh d\u00e0i, ph\u1ee9c t\u1ea1p, kh\u00f3 nh\u1edb.<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">L\u1ec7nh firewall-cmd tr\u1ef1c quan, d\u1ec5 hi\u1ec3u. C\u00f3 h\u1ed7 tr\u1ee3 GUI.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 12px; font-weight: 600; background-color: #f5f8ff; border: 1px solid #e0e0e0;\">T\u01b0 duy qu\u1ea3n l\u00fd<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">Qu\u1ea3n l\u00fd theo Chain (Input, Output, Forward).<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">Qu\u1ea3n l\u00fd theo Zone v\u00e0 Service.<\/td>\n<\/tr>\n<tr>\n<td style=\"padding: 12px; font-weight: 600; background-color: #f5f8ff; border: 1px solid #e0e0e0;\">Kh\u1ea3 n\u0103ng t\u00edch h\u1ee3p<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">Kh\u00f3 t\u00edch h\u1ee3p v\u1edbi c\u00e1c ph\u1ea7n m\u1ec1m kh\u00e1c (nh\u01b0 Puppet, Ansible).<\/td>\n<td style=\"padding: 12px; border: 1px solid #e0e0e0;\">T\u00edch h\u1ee3p t\u1ed1t qua D-Bus API.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>V\u1edbi c\u00e1c h\u1ec7 \u0111i\u1ec1u h\u00e0nh m\u1edbi nh\u01b0 CentOS 7\/8\/9, t\u01b0\u1eddng l\u1eeda FirewallD l\u00e0 l\u1ef1a ch\u1ecdn t\u1ed1i \u01b0u nh\u1edd t\u00ednh linh ho\u1ea1t v\u00e0 kh\u1ea3 n\u0103ng qu\u1ea3n l\u00fd \u0111\u1ed9ng, \u0111\u1eb7c bi\u1ec7t quan tr\u1ecdng trong m\u00f4i tr\u01b0\u1eddng 
Cloud Server v\u00e0 Virtualization.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-38194\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/So-sanh-FirewallD-va-Iptables.jpg\" alt=\"So s\u00e1nh FirewallD v\u00e0 Iptables\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/So-sanh-FirewallD-va-Iptables.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/So-sanh-FirewallD-va-Iptables-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/So-sanh-FirewallD-va-Iptables-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-lenh-FirewallD-thuong-dung-nhat\"><\/span>C\u00e1c l\u1ec7nh FirewallD th\u01b0\u1eddng d\u00f9ng nh\u1ea5t<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u0110\u00e2y l\u00e0 ph\u1ea7n quan tr\u1ecdng nh\u1ea5t gi\u00fap b\u1ea1n l\u00e0m ch\u1ee7 c\u00f4ng c\u1ee5 FirewallD. Ch\u00fang ta s\u1ebd \u0111i qua c\u00e1c nh\u00f3m l\u1ec7nh t\u1eeb c\u01a1 b\u1ea3n \u0111\u1ebfn n\u00e2ng cao.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"1-Cac-lenh-quan-ly-Zone\"><\/span>1. 
C\u00e1c l\u1ec7nh qu\u1ea3n l\u00fd Zone<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Tr\u01b0\u1edbc khi th\u00eam rule, b\u1ea1n c\u1ea7n bi\u1ebft m\u00ecnh \u0111ang \u0111\u1ee9ng \u1edf Zone n\u00e0o.<\/p>\n<p><strong>Ki\u1ec3m tra Zone m\u1eb7c \u0111\u1ecbnh:<\/strong><\/p>\n<pre><code>firewall-cmd --get-default-zone\r\n# K\u1ebft qu\u1ea3 th\u01b0\u1eddng l\u00e0: public<\/code><\/pre>\n<p><strong>Ki\u1ec3m tra zone \u0111ang \u0111\u01b0\u1ee3c g\u00e1n cho card m\u1ea1ng (interface):<\/strong><\/p>\n<pre><code>firewall-cmd --get-active-zones<\/code><\/pre>\n<p><strong>Li\u1ec7t k\u00ea t\u1ea5t c\u1ea3 c\u00e1c c\u1ea5u h\u00ecnh hi\u1ec7n t\u1ea1i:<\/strong><\/p>\n<p>\u0110\u00e2y l\u00e0 l\u1ec7nh h\u1eefu \u00edch nh\u1ea5t \u0111\u1ec3 xem t\u1ed5ng quan firewall \u0111ang m\u1edf nh\u1eefng port n\u00e0o.<\/p>\n<pre><code>firewall-cmd --list-all<\/code><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"2-Cach-mo-Port-va-Service-Open-Port\"><\/span>2. C\u00e1ch m\u1edf Port v\u00e0 Service (Open Port)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u0110\u1ec3 \u1ee9ng d\u1ee5ng web ho\u1eb7c database ho\u1ea1t \u0111\u1ed9ng, b\u1ea1n c\u1ea7n m\u1edf c\u1ed5ng t\u01b0\u01a1ng \u1ee9ng.<\/p>\n<p><strong>M\u1edf port theo t\u00ean d\u1ecbch v\u1ee5 (Service):<\/strong><\/p>\n<p>C\u00e1ch n\u00e0y \u0111\u01a1n gi\u1ea3n h\u01a1n v\u00ec b\u1ea1n kh\u00f4ng c\u1ea7n nh\u1edb s\u1ed1 port. 
FirewallD c\u00f3 s\u1eb5n danh s\u00e1ch c\u00e1c service chu\u1ea9n.<\/p>\n<pre><code># M\u1edf d\u1ecbch v\u1ee5 HTTP (Port 80)\r\nsudo firewall-cmd --zone=public --add-service=http --permanent\r\n\r\n# M\u1edf d\u1ecbch v\u1ee5 HTTPS (Port 443)\r\nsudo firewall-cmd --zone=public --add-service=https --permanent<\/code><\/pre>\n<p><strong>M\u1edf port theo s\u1ed1 (Port Number):<\/strong><\/p>\n<p>D\u00f9ng khi b\u1ea1n ch\u1ea1y service \u1edf port kh\u00f4ng m\u1eb7c \u0111\u1ecbnh (v\u00ed d\u1ee5 SSH \u0111\u1ed5i sang port 2222).<\/p>\n<pre><code># M\u1edf port 8080 giao th\u1ee9c TCP\r\nsudo firewall-cmd --zone=public --add-port=8080\/tcp --permanent<\/code><\/pre>\n<blockquote><p><strong>L\u01b0u \u00fd quan tr\u1ecdng:<\/strong> Tham s\u1ed1 --permanent \u0111\u1ea3m b\u1ea3o rule \u0111\u01b0\u1ee3c l\u01b0u v\u0129nh vi\u1ec5n. Sau khi th\u00eam rule v\u1edbi tham s\u1ed1 n\u00e0y, b\u1ea1n <strong>b\u1eaft bu\u1ed9c<\/strong> ph\u1ea3i ch\u1ea1y l\u1ec7nh reload \u0111\u1ec3 rule c\u00f3 hi\u1ec7u l\u1ef1c.<\/p><\/blockquote>\n<p><strong>N\u1ea1p l\u1ea1i c\u1ea5u h\u00ecnh (Reload):<\/strong><\/p>\n<pre><code>sudo firewall-cmd --reload<\/code><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"3-Cach-dong-PortService-Remove-Rules\"><\/span>3. C\u00e1ch \u0111\u00f3ng Port\/Service (Remove Rules)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>N\u1ebfu kh\u00f4ng c\u00f2n d\u00f9ng d\u1ecbch v\u1ee5, h\u00e3y \u0111\u00f3ng port \u0111\u1ec3 b\u1ea3o m\u1eadt. 
C\u00fa ph\u00e1p t\u01b0\u01a1ng t\u1ef1 nh\u01b0 m\u1edf port, ch\u1ec9 thay add b\u1eb1ng remove.<\/p>\n<pre><code># \u0110\u00f3ng port 8080\r\nsudo firewall-cmd --zone=public --remove-port=8080\/tcp --permanent\r\n\r\n# X\u00f3a d\u1ecbch v\u1ee5 FTP\r\nsudo firewall-cmd --zone=public --remove-service=ftp --permanent\r\n\r\n# \u0110\u1eebng qu\u00ean reload\r\nsudo firewall-cmd --reload<\/code><\/pre>\n<figure id=\"attachment_38195\" aria-describedby=\"caption-attachment-38195\" style=\"width: 800px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-38195\" src=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/Cac-lenh-FirewallD-thuong-dung-nhat.jpg\" alt=\"C\u00e1c l\u1ec7nh FirewallD th\u01b0\u1eddng d\u00f9ng nh\u1ea5t\" width=\"800\" height=\"500\" title=\"\" srcset=\"https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/Cac-lenh-FirewallD-thuong-dung-nhat.jpg 800w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/Cac-lenh-FirewallD-thuong-dung-nhat-300x188.jpg 300w, https:\/\/interdata.vn\/blog\/wp-content\/uploads\/2026\/01\/Cac-lenh-FirewallD-thuong-dung-nhat-768x480.jpg 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><figcaption id=\"caption-attachment-38195\" class=\"wp-caption-text\">C\u00e1c l\u1ec7nh FirewallD th\u01b0\u1eddng d\u00f9ng nh\u1ea5t<\/figcaption><\/figure>\n<h3><span class=\"ez-toc-section\" id=\"4-Chan-IP-truy-cap-Block-IPPanic-Mode\"><\/span>4. 
Ch\u1eb7n IP truy c\u1eadp (Block IP\/Panic Mode)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Trong tr\u01b0\u1eddng h\u1ee3p server b\u1ecb t\u1ea5n c\u00f4ng t\u1eeb m\u1ed9t IP c\u1ee5 th\u1ec3, b\u1ea1n c\u00f3 th\u1ec3 ch\u1eb7n ngay l\u1eadp t\u1ee9c b\u1eb1ng <strong>Rich Rules<\/strong>.<\/p>\n<p><strong>Ch\u1eb7n (Drop) m\u1ed9t \u0111\u1ecba ch\u1ec9 IP:<\/strong><\/p>\n<pre><code>sudo firewall-cmd --zone=public --add-rich-rule='rule family=\"ipv4\" source address=\"192.168.1.100\" drop' --permanent<\/code><\/pre>\n<p>L\u01b0u \u00fd: l\u1ec7nh tr\u00ean d\u00f9ng <code>--permanent<\/code> n\u00ean rule ch\u1ec9 c\u00f3 hi\u1ec7u l\u1ef1c sau khi ch\u1ea1y <code>sudo firewall-cmd --reload<\/code>.<\/p>\n<p><strong>Ch\u1ebf \u0111\u1ed9 ho\u1ea3ng lo\u1ea1n (Panic Mode):<\/strong><\/p>\n<p>D\u00f9ng trong tr\u01b0\u1eddng h\u1ee3p kh\u1ea9n c\u1ea5p khi server b\u1ecb t\u1ea5n c\u00f4ng d\u1eef d\u1ed9i. L\u1ec7nh n\u00e0y s\u1ebd ng\u1eaft to\u00e0n b\u1ed9 k\u1ebft n\u1ed1i m\u1ea1ng \u0111i v\u00e0 \u0111\u1ebfn (k\u1ec3 c\u1ea3 SSH c\u1ee7a b\u1ea1n, n\u00ean h\u00e3y c\u1ea9n tr\u1ecdng n\u1ebfu \u0111ang remote).<\/p>\n<pre><code># B\u1eadt ch\u1ebf \u0111\u1ed9 Panic\r\nsudo firewall-cmd --panic-on\r\n# T\u1eaft ch\u1ebf \u0111\u1ed9 Panic\r\nsudo firewall-cmd --panic-off<\/code><\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Kiem-tra-backend-FirewallD-iptables-hay-nftables\"><\/span>Ki\u1ec3m tra backend FirewallD (iptables hay nftables)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><code>firewall-cmd --get-backend<\/code><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Gan-card-mang-vao-Zone\"><\/span>G\u00e1n card m\u1ea1ng v\u00e0o Zone<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><code># G\u00e1n eth0 v\u00e0o zone public<\/code><br \/>\n<code>firewall-cmd --zone=public --add-interface=eth0 --permanent<\/code><br \/>\n<code>firewall-cmd --reload<\/code><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Kiem-tra-trang-thai-FirewallD\"><\/span>Ki\u1ec3m tra tr\u1ea1ng th\u00e1i FirewallD<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><code>systemctl status firewalld<\/code><\/p>\n<h3><span 
class=\"ez-toc-section\" id=\"Bat-log-cac-goi-bi-chan-debug\"><\/span>B\u1eadt log c\u00e1c g\u00f3i b\u1ecb ch\u1eb7n (debug)<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><code>firewall-cmd --set-log-denied=all<\/code><\/p>\n<h3><span class=\"ez-toc-section\" id=\"Xem-danh-sach-service-co-san\"><\/span>Xem danh s\u00e1ch service c\u00f3 s\u1eb5n<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p><code>firewall-cmd --get-services<\/code><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-loi-thuong-gap-khi-dung-FirewallD\"><\/span>C\u00e1c l\u1ed7i th\u01b0\u1eddng g\u1eb7p khi d\u00f9ng FirewallD<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>D\u01b0\u1edbi \u0111\u00e2y l\u00e0 c\u00e1c t\u00ecnh hu\u1ed1ng th\u1ef1c t\u1ebf m\u00e0 \u0111\u1ed9i ng\u0169 k\u1ef9 thu\u1eadt t\u1ea1i <strong>InterData<\/strong> th\u01b0\u1eddng h\u1ed7 tr\u1ee3 kh\u00e1ch h\u00e0ng x\u1eed l\u00fd.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"1-Mo-port-nhung-khong-truy-cap-duoc\"><\/span>1. M\u1edf port nh\u01b0ng kh\u00f4ng truy c\u1eadp \u0111\u01b0\u1ee3c<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>Nguy\u00ean nh\u00e2n:<\/strong> C\u00f3 th\u1ec3 b\u1ea1n \u0111\u00e3 th\u00eam rule v\u1edbi <code>--permanent<\/code> nh\u01b0ng qu\u00ean ch\u1ea1y l\u1ec7nh <code>--reload<\/code>.<\/li>\n<li><strong>Kh\u1eafc ph\u1ee5c:<\/strong> Ch\u1ea1y <code>firewall-cmd --reload<\/code> v\u00e0 ki\u1ec3m tra l\u1ea1i b\u1eb1ng <code>firewall-cmd --list-all<\/code>.<\/li>\n<li><strong>Nguy\u00ean nh\u00e2n kh\u00e1c:<\/strong> D\u1ecbch v\u1ee5 b\u00ean trong ch\u01b0a ch\u1ea1y (v\u00ed d\u1ee5 nginx ch\u01b0a start) ho\u1eb7c d\u1ecbch v\u1ee5 \u0111\u00f3 ch\u1ec9 l\u1eafng nghe tr\u00ean localhost (127.0.0.1) thay v\u00ec 0.0.0.0.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"2-Sai-Zone-dang-su-dung\"><\/span>2. 
Sai Zone \u0111ang s\u1eed d\u1ee5ng<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>T\u00ecnh hu\u1ed1ng:<\/strong> B\u1ea1n c\u1ea5u h\u00ecnh m\u1edf port \u1edf zone home, nh\u01b0ng card m\u1ea1ng eth0 l\u1ea1i \u0111ang \u0111\u01b0\u1ee3c g\u00e1n v\u00e0o zone public.<\/li>\n<li><strong>Kh\u1eafc ph\u1ee5c:<\/strong> Ki\u1ec3m tra k\u1ef9 <code>firewall-cmd --get-active-zones<\/code> \u0111\u1ec3 bi\u1ebft card m\u1ea1ng \u0111ang n\u1eb1m \u1edf zone n\u00e0o v\u00e0 c\u1ea5u h\u00ecnh tr\u00ean \u0111\u00fang zone \u0111\u00f3.<\/li>\n<\/ul>\n<h3><span class=\"ez-toc-section\" id=\"3-Firewalld-xung-dot-voi-Iptables-service\"><\/span>3. Firewalld xung \u0111\u1ed9t v\u1edbi Iptables service<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>T\u00ecnh hu\u1ed1ng:<\/strong> Tr\u00ean c\u00f9ng m\u1ed9t server kh\u00f4ng n\u00ean ch\u1ea1y song song iptables-services v\u00e0 firewalld.<\/li>\n<li><strong>Kh\u1eafc ph\u1ee5c:<\/strong> H\u00e3y t\u1eaft iptables v\u00e0 ip6tables service \u0111\u1ec3 tr\u00e1nh xung \u0111\u1ed9t rule.\n<pre><code>systemctl stop iptables\r\nsystemctl mask iptables<\/code><\/pre>\n<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Co-nen-tat-FirewallD-khong\"><\/span>C\u00f3 n\u00ean t\u1eaft FirewallD kh\u00f4ng?<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>C\u00e2u tr\u1ea3 l\u1eddi ng\u1eafn g\u1ecdn l\u00e0: <strong>Kh\u00f4ng n\u00ean, tr\u1eeb tr\u01b0\u1eddng h\u1ee3p b\u1ea5t kh\u1ea3 kh\u00e1ng.<\/strong><\/p>\n<p>T\u01b0\u1eddng l\u1eeda l\u00e0 l\u1edbp b\u1ea3o v\u1ec7 \u0111\u1ea7u ti\u00ean c\u1ee7a h\u1ec7 \u0111i\u1ec1u h\u00e0nh. Vi\u1ec7c t\u1eaft (disable) FirewallD \u0111\u1ed3ng ngh\u0129a v\u1edbi vi\u1ec7c b\u1ea1n m\u1edf toang m\u1ecdi c\u00e1nh c\u1eeda v\u00e0o server. 
B\u1ea5t k\u1ef3 d\u1ecbch v\u1ee5 n\u00e0o \u0111ang ch\u1ea1y (Database, Redis, Memcached&#8230;) n\u1ebfu kh\u00f4ng c\u00f3 c\u1ea5u h\u00ecnh b\u1ea3o m\u1eadt ri\u00eang \u0111\u1ec1u c\u00f3 th\u1ec3 b\u1ecb truy c\u1eadp tr\u00e1i ph\u00e9p t\u1eeb Internet.<\/p>\n<p><strong>Khi n\u00e0o c\u00f3 th\u1ec3 t\u1eaft t\u1ea1m th\u1eddi?<\/strong><\/p>\n<ul>\n<li>Khi b\u1ea1n c\u1ea7n debug l\u1ed7i k\u1ebft n\u1ed1i \u0111\u1ec3 x\u00e1c \u0111\u1ecbnh xem nguy\u00ean nh\u00e2n c\u00f3 ph\u1ea3i do firewall hay kh\u00f4ng.<\/li>\n<li>Khi b\u1ea1n s\u1eed d\u1ee5ng m\u1ed9t gi\u1ea3i ph\u00e1p firewall kh\u00e1c thay th\u1ebf (v\u00ed d\u1ee5: Config Server Firewall &#8211; CSF).<\/li>\n<\/ul>\n<p>N\u1ebfu b\u1ea1n quy\u1ebft \u0111\u1ecbnh t\u1eaft \u0111\u1ec3 test, h\u00e3y b\u1eadt l\u1ea1i ngay sau khi xong vi\u1ec7c:<\/p>\n<pre><code>sudo systemctl stop firewalld<\/code><\/pre>\n<p>Sau khi ki\u1ec3m tra xong, b\u1eadt l\u1ea1i b\u1eb1ng l\u1ec7nh <code>sudo systemctl start firewalld<\/code>.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Cac-cau-hoi-thuong-gap-FAQs\"><\/span>C\u00e1c c\u00e2u h\u1ecfi th\u01b0\u1eddng g\u1eb7p (FAQs)<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"1-FirewallD-co-thay-the-hoan-toan-iptables-khong\"><\/span>1. FirewallD c\u00f3 thay th\u1ebf ho\u00e0n to\u00e0n iptables kh\u00f4ng?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>FirewallD l\u00e0 giao di\u1ec7n qu\u1ea3n l\u00fd hi\u1ec7n \u0111\u1ea1i thay th\u1ebf cho vi\u1ec7c s\u1eed d\u1ee5ng l\u1ec7nh iptables tr\u1ef1c ti\u1ebfp. Tuy nhi\u00ean, \u1edf t\u1ea7ng th\u1ea5p nh\u1ea5t (kernel), n\u00f3 v\u1eabn s\u1eed d\u1ee5ng netfilter (ho\u1eb7c nftables tr\u00ean c\u00e1c b\u1ea3n m\u1edbi) gi\u1ed1ng nh\u01b0 iptables. V\u00ec v\u1eady, n\u00f3i \u0111\u00fang h\u01a1n l\u00e0 FirewallD thay th\u1ebf <strong>c\u00e1ch qu\u1ea3n l\u00fd<\/strong> c\u0169 c\u1ee7a iptables service.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"2-Khoi-dong-lai-VPS-co-mat-cau-hinh-FirewallD-khong\"><\/span>2. 
Kh\u1edfi \u0111\u1ed9ng l\u1ea1i VPS c\u00f3 m\u1ea5t c\u1ea5u h\u00ecnh FirewallD kh\u00f4ng?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>N\u1ebfu b\u1ea1n s\u1eed d\u1ee5ng tham s\u1ed1 <code>--permanent<\/code> khi th\u00eam rule, c\u1ea5u h\u00ecnh s\u1ebd <strong>kh\u00f4ng m\u1ea5t<\/strong> khi kh\u1edfi \u0111\u1ed9ng l\u1ea1i VPS. N\u1ebfu b\u1ea1n kh\u00f4ng d\u00f9ng tham s\u1ed1 n\u00e0y, c\u1ea5u h\u00ecnh s\u1ebd m\u1ea5t.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"3-Toi-nen-dung-FirewallD-hay-Iptables-cho-nguoi-moi-bat-dau\"><\/span>3. T\u00f4i n\u00ean d\u00f9ng FirewallD hay Iptables cho ng\u01b0\u1eddi m\u1edbi b\u1eaft \u0111\u1ea7u?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>B\u1ea1n n\u00ean d\u00f9ng <strong>FirewallD<\/strong>. C\u00fa ph\u00e1p c\u1ee7a n\u00f3 d\u1ec5 hi\u1ec3u, logic h\u01a1n v\u00e0 \u00edt r\u1ee7i ro l\u00e0m &#8220;ch\u1ebft&#8221; k\u1ebft n\u1ed1i SSH h\u01a1n so v\u1edbi iptables thu\u1ea7n.<\/p>\n<h3><span class=\"ez-toc-section\" id=\"4-Lam-sao-de-biet-FirewallD-dang-chan-ket-noi-nao\"><\/span>4. L\u00e0m sao \u0111\u1ec3 bi\u1ebft FirewallD \u0111ang ch\u1eb7n k\u1ebft n\u1ed1i n\u00e0o?<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>B\u1ea1n c\u00f3 th\u1ec3 b\u1eadt t\u00ednh n\u0103ng log c\u00e1c g\u00f3i tin b\u1ecb t\u1eeb ch\u1ed1i (dropped packets) \u0111\u1ec3 ki\u1ec3m tra:<\/p>\n<pre><code>firewall-cmd --set-log-denied=all<\/code><\/pre>\n<p>Sau \u0111\u00f3 ki\u1ec3m tra file log h\u1ec7 th\u1ed1ng (th\u01b0\u1eddng l\u00e0 \/var\/log\/messages ho\u1eb7c d\u00f9ng l\u1ec7nh dmesg).<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Ket-luan\"><\/span>K\u1ebft lu\u1eadn<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>FirewallD l\u00e0 m\u1ed9t c\u00f4ng c\u1ee5 m\u1ea1nh m\u1ebd v\u00e0 thi\u1ebft y\u1ebfu \u0111\u1ed1i v\u1edbi b\u1ea5t k\u1ef3 ai qu\u1ea3n tr\u1ecb h\u1ec7 th\u1ed1ng Linux, \u0111\u1eb7c bi\u1ec7t l\u00e0 tr\u00ean n\u1ec1n t\u1ea3ng CentOS\/RHEL. 
Vi\u1ec7c hi\u1ec3u r\u00f5 <strong>FirewallD l\u00e0 g\u00ec<\/strong> v\u00e0 n\u1eafm v\u1eefng c\u00e1c l\u1ec7nh qu\u1ea3n l\u00fd Zone, Service, Port s\u1ebd gi\u00fap b\u1ea1n x\u00e2y d\u1ef1ng m\u1ed9t h\u00e0ng r\u00e0o b\u1ea3o m\u1eadt v\u1eefng ch\u1eafc cho VPS\/Server c\u1ee7a m\u00ecnh.<\/p>\n<p>H\u00e3y nh\u1edb nguy\u00ean t\u1eafc v\u00e0ng: <strong>&#8220;Lu\u00f4n ki\u1ec3m tra active zone v\u00e0 \u0111\u1eebng qu\u00ean reload sau khi c\u1ea5u h\u00ecnh permanent&#8221;<\/strong>.<\/p>\n<p>N\u1ebfu b\u1ea1n \u0111ang t\u00ecm ki\u1ebfm c\u00e1c gi\u1ea3i ph\u00e1p <strong>VPS Linux<\/strong> an to\u00e0n, \u1ed5n \u0111\u1ecbnh v\u00e0 \u0111\u01b0\u1ee3c h\u1ed7 tr\u1ee3 k\u1ef9 thu\u1eadt chuy\u00ean s\u00e2u v\u1ec1 b\u1ea3o m\u1eadt, h\u00e3y tham kh\u1ea3o c\u00e1c g\u00f3i d\u1ecbch v\u1ee5 t\u1ea1i <strong>InterData<\/strong>. Ch\u00fang t\u00f4i lu\u00f4n s\u1eb5n s\u00e0ng \u0111\u1ed3ng h\u00e0nh c\u00f9ng s\u1ef1 an to\u00e0n d\u1eef li\u1ec7u c\u1ee7a b\u1ea1n.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Trong qu\u00e1 tr\u00ecnh qu\u1ea3n tr\u1ecb VPS ho\u1eb7c server Linux, kh\u00f4ng \u00edt ng\u01b0\u1eddi g\u1eb7p t\u00ecnh hu\u1ed1ng d\u1ecbch v\u1ee5 \u0111\u00e3 ch\u1ea1y nh\u01b0ng v\u1eabn kh\u00f4ng th\u1ec3 truy c\u1eadp t\u1eeb b\u00ean ngo\u00e0i, d\u00f9 port t\u01b0\u1edfng ch\u1eebng \u0111\u00e3 \u0111\u01b0\u1ee3c m\u1edf. 
Nguy\u00ean nh\u00e2n ph\u1ed5 bi\u1ebfn th\u01b0\u1eddng \u0111\u1ebfn t\u1eeb c\u1ea5u h\u00ecnh firewall \u1edf t\u1ea7ng h\u1ec7 \u0111i\u1ec1u h\u00e0nh, trong \u0111\u00f3 FirewallD l\u00e0 th\u00e0nh<\/p>\n","protected":false},"author":11,"featured_media":38197,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[84],"tags":[],"class_list":["post-38177","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cong-cu-phan-mem"],"_links":{"self":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/38177","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/comments?post=38177"}],"version-history":[{"count":4,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/38177\/revisions"}],"predecessor-version":[{"id":38199,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/posts\/38177\/revisions\/38199"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/media\/38197"}],"wp:attachment":[{"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/media?parent=38177"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/categories?post=38177"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/interdata.vn\/blog\/wp-json\/wp\/v2\/tags?post=38177"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}