Firewalld Firewall (Foundation)

2025-03-28 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/02 Report--

Introduction to Firewalld

1. A dynamic firewall management tool that supports network zones, which define the trust level of network connections and interfaces.

2. Supports IPv4 and IPv6 firewall settings and Ethernet bridges.

3. Allows services or applications to add firewall rules (ports) directly.

4. There are two configuration modes:

Run-time configuration

Permanent configuration

The relationship between Firewalld and iptables

Netfilter

1. The packet filtering subsystem located in the Linux kernel.

2. Known as the "kernel state" of the Linux firewall.

Firewalld/iptables

1. Firewalld is the default tool for managing firewall rules on CentOS 7.

2. Known as the "user mode" of the Linux firewall.

3. Firewalld is an upgrade of iptables.

4. iptables (the command) runs in user mode.

5. The kernel component (netfilter) is the kernel state.

The difference between Firewalld and iptables

                      Firewalld                                    iptables
Configuration files   /usr/lib/firewalld/ and /etc/firewalld/      /etc/sysconfig/iptables
Modifying rules       no full policy refresh needed; existing      full policy refresh required; existing
                      connections are kept                         connections are lost
Firewall type         dynamic firewall                             static firewall

Firewalld network zone introduction

1. A zone is like a security door into the host; each zone applies different restrictions.

2. Several zones can be used at once, but any active zone must be bound to at least one source address or interface.

3. By default, public is the default zone and contains all interfaces (network cards).

Zone description

Zone        Description
drop        Any incoming packet is dropped without a reply; only outgoing network connections are possible.
block       Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6.
public      For use in public areas. You do not trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
external    For external networks with masquerading enabled, especially on routers. You do not trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
dmz         For computers in your demilitarized zone that are publicly accessible but have limited access to your internal network; only selected incoming connections are accepted.
work        For use in work areas. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
home        For use in home networks. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
internal    For internal networks. You mostly trust the other computers on the network not to threaten your computer; only selected incoming connections are accepted.
trusted     All network connections are accepted.

Firewalld data processing flow

Check the source address of the packet:

1. If the source address is bound to a specific zone, the rules of that zone are applied.

2. If the source address is not bound to a specific zone, the zone of the network interface the packet arrived on is used, and that zone's rules are applied.

3. If the network interface is not bound to a specific zone either, the default zone is used, and its rules are applied.
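The following is an added example, not from the original post, that models the three-step zone selection above in POSIX sh. The source and interface bindings, the default zone and the test addresses are all constructed sample values, not read from a live system.

```shell
#!/bin/sh
# Added example (not from the original post): models firewalld's zone selection
# order for an incoming IPv4 packet. All bindings and addresses are constructed.

# Constructed sample bindings: "<source CIDR> <zone>" and "<interface> <zone>"
SOURCE_BINDINGS="192.168.10.0/24 internal
10.0.0.5/32 drop"
INTERFACE_BINDINGS="eth0 public
eth1 dmz"
DEFAULT_ZONE=public

# ip_to_int A.B.C.D -> prints the address as an unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# ip_in_cidr ADDR NET/BITS -> exit 0 if ADDR lies inside the network
ip_in_cidr() {
    ip=$(ip_to_int "$1"); net=$(ip_to_int "${2%/*}"); bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# resolve_zone SRC_ADDR INTERFACE -> prints the zone whose rules firewalld applies
resolve_zone() {
    # 1. a zone bound to the packet's source address wins
    while read -r cidr zone; do
        if [ -n "$cidr" ] && ip_in_cidr "$1" "$cidr"; then
            echo "$zone"; return 0
        fi
    done <<EOF
$SOURCE_BINDINGS
EOF
    # 2. otherwise the zone bound to the ingress interface
    while read -r ifname zone; do
        if [ "$ifname" = "$2" ]; then echo "$zone"; return 0; fi
    done <<EOF
$INTERFACE_BINDINGS
EOF
    # 3. otherwise the default zone
    echo "$DEFAULT_ZONE"
}

resolve_zone 192.168.10.7 eth0   # internal (matched by source binding)
resolve_zone 203.0.113.9 eth1    # dmz (matched by interface binding)
resolve_zone 203.0.113.9 eth9    # public (default zone)
```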

Configuration method of the Firewalld firewall

Runtime configuration

1. Takes effect immediately and lasts until Firewalld restarts or reloads its configuration

2. Does not break existing connections

3. Cannot modify service configuration

Permanent configuration

1. Does not take effect until Firewalld restarts or reloads its configuration

2. Terminates existing connections

3. Can modify service configuration

Configuration files in /etc/firewalld/

1. Firewalld gives priority to the configuration in /etc/firewalld/; if a configuration file is missing there, it can be copied from /usr/lib/firewalld/.

2. The default configuration files (in /usr/lib/firewalld/) should not be modified. To restore the default configuration, simply delete the corresponding configuration in /etc/firewalld/.

Firewall-config graphical tool

[root@localhost ~]# firewall-config    # open the graphical tool

Runtime configuration / permanent configuration

Reload the firewall

Change the permanent configuration

Associate the network card to the specified area

Modify the default area

Connection status

Zone tab content

1. "Services" subtab

2. Port subtab

3. Protocol subtab

4. Source Port subtab

5. Masquerading subtab

6. Port forwarding subtab

7. ICMP filter subtab

Services Tab

1. Module subtab

2. Destination address subtab

Firewalld command line tool: firewall-cmd

1. Start, stop and view the firewalld service

systemctl start firewalld        # start firewalld
systemctl enable firewalld       # start firewalld at boot
systemctl status firewalld       # check firewalld status
firewall-cmd --state             # view firewalld status
systemctl stop firewalld         # stop the firewalld service
systemctl disable firewalld      # do not start firewalld at boot

2. firewall-cmd has three main types of predefined information: available zones, available services and available ICMP types

firewall-cmd --get-zones         # show predefined zones
firewall-cmd --get-services      # show predefined services
firewall-cmd --get-icmptypes     # show predefined ICMP types

The meaning of the various ICMP types

destination-unreachable: destination unreachable
echo-reply: echo reply (pong)
parameter-problem: parameter problem
redirect: redirect
router-advertisement: router advertisement
router-solicitation: router solicitation
source-quench: source quench
time-exceeded: time exceeded
timestamp-reply: timestamp reply
timestamp-request: timestamp request

3. Zone management

Use firewall-cmd to obtain and manage zones, bind network interfaces to a given zone, and so on.

Zone management options

--get-default-zone                             # show the default zone for network connections or interfaces
--set-default-zone=<zone>                      # set the default zone for network connections or interfaces
--get-active-zones                             # show all active zones
--get-zone-of-interface=<interface>            # show the zone the given interface is bound to
--zone=<zone> --add-interface=<interface>      # bind an interface to the given zone
--zone=<zone> --change-interface=<interface>   # change the zone the interface is bound to
--zone=<zone> --remove-interface=<interface>   # remove the interface binding from the given zone
--list-all-zones                               # show all zones and their rules
[--zone=<zone>] --list-all                     # show all rules of the given zone

Omitting --zone= means the command operates on the default zone.

4. Service management

firewalld predefines many services, stored in the /usr/lib/firewalld/services/ directory; each service is described by a single XML configuration file. These files are named service-name.xml, and each one corresponds to a specific network service (the ssh service, for example). Each file records the tcp/udp ports used by that service. The latest version of firewalld defines by default which services may be accessed from each network zone. When a predefined service does not fit, or the ports of a service need to be customized, place a service configuration file in the /etc/firewalld/services/ directory. Service configuration has the following advantages: managing rules by service name is more user-friendly, and grouping ports by service is more efficient. If a service uses several network ports, the service file acts as a shortcut for applying rule changes to all of those ports at once.
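As an added example that is not part of the original post, the following script writes a custom service file in the layout just described to a temporary directory standing in for /etc/firewalld/services/, reads back the ports it would open, and checks that each entry is something --add-port= would accept. The service name myapp and its ports are constructed sample values.

```shell
#!/bin/sh
# Added example (not from the original post): writes a custom firewalld service
# file in the layout described above and reads back the ports it would open.
# "myapp" and its ports are constructed sample values; the temp directory
# stands in for /etc/firewalld/services/.

SERVICES_DIR=$(mktemp -d)
trap 'rm -rf "$SERVICES_DIR"' EXIT

cat >"$SERVICES_DIR/myapp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>MyApp</short>
  <description>Constructed sample service: an HTTPS API, a metrics port and a UDP range.</description>
  <port protocol="tcp" port="8443"/>
  <port port="9100" protocol="tcp"/>
  <port protocol="udp" port="5000-5010"/>
</service>
EOF

# service_ports NAME -> one "port/protocol" line per <port/> element,
# regardless of attribute order
service_ports() {
    grep -o '<port [^>]*/>' "$SERVICES_DIR/$1.xml" | while read -r el; do
        proto=$(printf '%s\n' "$el" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s\n' "$el" | sed -n 's/.* port="\([^"]*\)".*/\1/p')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# valid_port_spec PORT[-PORT]/PROTOCOL -> exit 0 if --add-port= would accept it
valid_port_spec() {
    port=${1%/*}; proto=${1#*/}
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac
    lo=${port%-*}; hi=${port#*-}
    case "$lo$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# check_service NAME -> exit 0 only if every port entry in the file is valid
check_service() {
    service_ports "$1" | while read -r spec; do
        valid_port_spec "$spec" || exit 1
    done
}

check_service myapp && service_ports myapp   # prints 8443/tcp, 9100/tcp, 5000-5010/udp
```

Once such a file is in place on a real system, the service is enabled with --add-service=myapp rather than by adding each port separately.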

Service management options

[--zone=<zone>] --list-services                            # show all services allowed in the given zone
[--zone=<zone>] --add-service=<service>                    # allow access to a service in the given zone
[--zone=<zone>] --remove-service=<service>                 # remove an allowed service from the given zone
[--zone=<zone>] --list-ports                               # show all ports allowed in the given zone
[--zone=<zone>] --add-port=<port>[-<port>]/<protocol>      # allow access to a port (or port range) and protocol in the given zone
[--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>   # remove an allowed port (or port range) and protocol from the given zone
[--zone=<zone>] --list-icmp-blocks                         # show all ICMP types blocked in the given zone
[--zone=<zone>] --add-icmp-block=<icmptype>                # block an ICMP type in the given zone
[--zone=<zone>] --remove-icmp-block=<icmptype>             # remove an ICMP block from the given zone
[--zone=<zone>] --query-icmp-block=<icmptype>              # query whether an ICMP type is blocked in the given zone

Omitting --zone= means the command operates on the default zone.

5. Port management

When configuring a predefined network service, you can use its service name and the ports involved are opened automatically. For services that are not predefined, the ports have to be added manually to the given zone.

Port management commands

firewall-cmd --zone=internal --list-ports                     # show the ports allowed in the internal zone
firewall-cmd --zone=internal --add-port=22/tcp --timeout=5m   # allow TCP access to port 22 in the internal zone; the rule is removed automatically after 5 minutes

Configuration mode option

--reload: reload the firewall rules and keep state information, that is, apply the permanent configuration to the runtime configuration.

--permanent: a command with this option sets a permanent rule, which takes effect only when firewalld is restarted or the firewall rules are reloaded; without it, the command sets a runtime rule.

--runtime-to-permanent: write the current runtime configuration to the rule configuration files, making it the permanent configuration.
