Linux firewall fundamentals (use of the Firewalld command)

2025-02-28 Update. From: SLTechnology News&Howtos (Servers)

Shulou (Shulou.com) 06/02 Report

Firewalld overview

(1) Firewalld is a dynamic firewall management tool that supports network connection and interface security rules defined per network zone.

(2) It supports IPv4 and IPv6 firewall settings as well as Ethernet bridging.

(3) It allows services or applications to add firewall rule ports directly.

(4) It has two configuration modes:

Runtime configuration

Permanent configuration

The relationship between Firewalld and iptables

Netfilter

(1) The packet-filtering subsystem inside the Linux kernel.

(2) The "kernel space" part of the Linux firewall.

Firewalld/iptables

(1) On CentOS 7 the default tool for managing firewall rules is Firewalld.

(2) The "user space" part of the Linux firewall.

The difference between Firewalld and iptables

Configuration files: Firewalld uses /usr/lib/firewalld/ and /etc/firewalld/; iptables uses /etc/sysconfig/iptables.

Rule modification: Firewalld does not require a full policy refresh and does not lose existing connections; iptables requires a full policy refresh and loses existing connections.

Firewall type: Firewalld is a dynamic firewall (flexible); iptables is a static firewall.

Firewalld network zones

drop: any received network packet is discarded without any reply. Only outgoing network connections are possible.

block: any received network connection is rejected with an IPv4 icmp-host-prohibited message or an IPv6 icmp6-adm-prohibited message.

public: for use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected connections are accepted.

external: for external networks, in particular routers with masquerading enabled. You cannot trust the other computers on the network not to harm your computer; only selected connections are accepted.

dmz: for use in your demilitarized zone, which is publicly accessible and has limited access to your internal network; only selected connections are accepted.

work: for use in work areas. You can mostly trust the other computers on the network not to harm your computer; only selected connections are accepted.

home: for use in home networks. You can mostly trust the other computers on the network not to harm your computer; only selected connections are accepted.

internal: for use in internal networks. You can mostly trust the other computers on the network not to threaten your computer; only selected connections are accepted.

trusted: all network connections are accepted.

Firewalld network zone introduction

(1) A zone is like a security gate into the host; each zone applies different restrictions.

(2) One or more zones can be in use, but any active zone must be associated with at least one source address or interface.

(3) By default, the public zone is the default zone and contains all interfaces (network cards).

Firewalld data processing flow

Check the source address of the incoming packet:

(1) If the source address is associated with a specific zone, the rules of that zone are applied.

(2) If the source address is not associated with a specific zone, the zone of the network interface the packet arrived on is used and the rules of that zone are applied.

(3) If the network interface is not associated with a specific zone either, the default zone is used and the rules of that zone are applied.
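The three-step selection above, written out as a small shell model so it can be exercised offline. This is an added example, not code from the original article or from firewalld; the source and interface bindings are constructed and only IPv4 is handled.

```shell
#!/bin/sh
# Added example, not part of the original article: a model of firewalld's zone
# selection order (source binding, then interface binding, then default zone).
# The bindings below are constructed; IPv4 only.

DEFAULT_ZONE="public"
# Constructed source bindings (as set by: firewall-cmd --zone=trusted --add-source=10.0.0.0/8)
SOURCE_BINDINGS="10.0.0.0/8=trusted 192.168.1.50/32=drop"
# Constructed interface bindings (as set by: firewall-cmd --zone=internal --change-interface=ens33)
INTERFACE_BINDINGS="ens33=internal ens37=dmz"

# Convert a dotted IPv4 address to a 32-bit integer.
ip_to_int() {
  local IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside the CIDR block $2 (e.g. 10.0.0.0/8).
in_cidr() {
  local net bits mask
  net=${2%/*}; bits=${2#*/}
  mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the zone whose rules apply to a packet from $1 arriving on interface $2.
resolve_zone() {
  src=$1; iface=$2
  # Step 1: a matching source binding takes precedence over everything else.
  for b in $SOURCE_BINDINGS; do
    if in_cidr "$src" "${b%=*}"; then echo "${b#*=}"; return 0; fi
  done
  # Step 2: otherwise use the zone bound to the receiving interface.
  for b in $INTERFACE_BINDINGS; do
    if [ "$iface" = "${b%=*}" ]; then echo "${b#*=}"; return 0; fi
  done
  # Step 3: otherwise fall back to the default zone.
  echo "$DEFAULT_ZONE"
}

resolve_zone 10.1.2.3 ens33      # trusted: the source binding wins over ens33=internal
resolve_zone 192.168.1.51 ens33  # internal: no source match, interface is bound
resolve_zone 172.16.0.9 eth0     # public: nothing matches, default zone
```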

Configuration methods of the Firewalld firewall

Runtime configuration

(1) Takes effect immediately and persists until Firewalld restarts or reloads its configuration.

(2) Does not break existing connections.

(3) Service definitions cannot be modified.

Permanent configuration

(1) Does not take effect immediately, unless Firewalld restarts or reloads its configuration.

(2) Breaks existing connections.

(3) Service definitions can be modified.

firewall-config graphical tool

Runtime configuration / permanent configuration

Reload the firewall

Change the permanent configuration and make it take effect

Associate a network card with the specified zone

"Zones" tab

(1) "Services" sub-tab

(2) "Ports" sub-tab

(3) "Protocols" sub-tab

(4) "Source Ports" sub-tab

(5) "Masquerading" sub-tab

(6) "Port Forwarding" sub-tab

(7) "ICMP Filter" sub-tab

"Services" tab

(1) "Modules" sub-tab

(2) "Destination" sub-tab

Modify the default zone

Connection status

firewall-cmd command-line tool

1) Start, stop and view the firewalld service

Start firewalld:

[root@localhost ~]# systemctl start firewalld

Enable firewalld at boot:

[root@localhost ~]# systemctl enable firewalld

If firewalld is running, you can view its status with systemctl status firewalld or with the firewall-cmd command:

[root@localhost ~]# systemctl status firewalld

2) Get predefined information

firewall-cmd provides three main kinds of predefined information: available zones, available services, and available ICMP block types.

Show predefined zones:

[root@localhost ~]# firewall-cmd --get-zones

Show predefined services:

[root@localhost ~]# firewall-cmd --get-services

Show predefined ICMP types:

[root@localhost ~]# firewall-cmd --get-icmptypes

The meanings of the ICMP types listed in the output of firewall-cmd --get-icmptypes are as follows.

(1) destination-unreachable: destination address unreachable.

(2) echo-reply: echo reply (pong).

(3) parameter-problem: parameter problem.

(4) redirect: redirect.

(5) router-advertisement: router advertisement.

(6) router-solicitation: router solicitation.

(7) source-quench: source quench.

(8) time-exceeded: time exceeded.

(9) timestamp-reply: timestamp reply.

(10) timestamp-request: timestamp request.

3) Zone management

Using the firewall-cmd command, you can query and manage zones, bind network interfaces to specified zones, and so on.

(1) --get-default-zone displays the default zone for network connections or interfaces

(2) --set-default-zone=<zone> sets the default zone for network connections or interfaces

(3) --get-active-zones displays all active zones

(4) --get-zone-of-interface=<interface> displays the zone bound to the specified interface

(5) --zone=<zone> --add-interface=<interface> binds the specified interface to the zone

(6) --zone=<zone> --change-interface=<interface> changes the zone the specified interface is bound to

(7) --zone=<zone> --remove-interface=<interface> removes the interface binding from the specified zone

(8) --list-all-zones displays all zones and their rules

(9) [--zone=<zone>] --list-all displays all rules of the specified zone. Omitting --zone= means the default zone is operated on.

1) Display the default zone of the current system:

[root@localhost ~]# firewall-cmd --get-default-zone

2) Display all rules of the default zone:

[root@localhost ~]# firewall-cmd --list-all

3) Display the zone of the network interface ens33:

[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33

4) Change the zone of the network interface ens33 to the internal zone:

[root@localhost ~]# firewall-cmd --zone=internal --change-interface=ens33

5) Display all active zones:

[root@localhost ~]# firewall-cmd --get-active-zones

4) Service management

For convenience, firewalld predefines a number of services, stored in the /usr/lib/firewalld/services/ directory, each specified by a single XML configuration file. These files are named service-name.xml, and each corresponds to a specific network service, such as the ssh service. Each configuration file records the TCP/UDP ports used by that service. The latest version of firewalld defines more than 70 services by default. For each network zone, you can configure which services are allowed access. When a predefined service does not fit, or you need to customize the ports of a service, place your own service configuration file in the /etc/firewalld/services/ directory. Service configuration has the following advantages.

(1) Managing rules by service name is more human-friendly.

(2) Grouping ports through services is more efficient. If a service uses several network ports, its service file effectively provides a batch-operation shortcut for managing the rules for all of those ports.
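To make the "batch-operation shortcut" concrete, the following added example (not code from the original article or from firewalld) reads a service-name.xml file in the format described above, lists the ports it opens, and prints the equivalent per-port commands that a single --add-service replaces. The myapp.xml content is constructed, and SERVICE_DIR defaults to a temporary directory instead of /etc/firewalld/services/.

```shell
#!/bin/sh
# Added example, not part of the original article: expand a firewalld service
# definition (service-name.xml) into the port list it opens, and show the
# --add-port commands it stands in for. The myapp.xml file below is constructed;
# SERVICE_DIR defaults to a temp dir (on a real host: /etc/firewalld/services).

SERVICE_DIR="${SERVICE_DIR:-$(mktemp -d)}"

# Write a constructed service file in the shape the real ones use.
write_sample_service() {
  cat > "$SERVICE_DIR/myapp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>myapp</short>
  <description>Constructed example: web API, an admin port range and syslog.</description>
  <port protocol="tcp" port="8443"/>
  <port protocol="tcp" port="9000-9010"/>
  <port port="514" protocol="udp"/>
</service>
EOF
}

# Print each <port .../> element of service $1 as port/protocol, one per line.
# Both attribute orders are accepted.
service_ports() {
  f="$SERVICE_DIR/$1.xml"
  [ -r "$f" ] || { echo "no such service: $1" >&2; return 1; }
  sed -n \
    -e 's/.*<port[^>]*protocol="\([a-z]*\)"[^>]*port="\([0-9-]*\)".*/\2\/\1/p' \
    -e 's/.*<port[^>]*port="\([0-9-]*\)"[^>]*protocol="\([a-z]*\)".*/\1\/\2/p' "$f"
}

# Print the firewall-cmd --add-port commands that would open the same ports
# in zone $2, i.e. what --zone=$2 --add-service=$1 does in one step.
service_as_port_commands() {
  service_ports "$1" | while IFS= read -r p; do
    echo "firewall-cmd --zone=$2 --add-port=$p"
  done
}

write_sample_service
service_ports myapp                      # 8443/tcp, 9000-9010/tcp, 514/udp
service_as_port_commands myapp internal  # one --add-port line per entry above
```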

1. [--zone=<zone>] --list-services displays all services allowed access in the specified zone

2. [--zone=<zone>] --add-service=<service> allows access to a service in the specified zone

3. [--zone=<zone>] --remove-service=<service> removes a service that was allowed access in the specified zone

4. [--zone=<zone>] --list-ports displays all ports allowed access in the specified zone

5. [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>

Allows access to a port or port range (with protocol name) in the specified zone

6. [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>

Removes a port or port range (with protocol name) that was allowed access in the specified zone

7. [--zone=<zone>] --list-icmp-blocks displays all ICMP types blocked in the specified zone

8. [--zone=<zone>] --add-icmp-block=<icmptype> blocks an ICMP type in the specified zone

9. [--zone=<zone>] --remove-icmp-block=<icmptype> removes an ICMP type that was blocked in the specified zone. Omitting --zone= means the default zone is operated on.

(1) Set the services allowed access in the default zone.

Display all services allowed access in the default zone:

[root@localhost ~]# firewall-cmd --list-services

Allow access to the http service in the default zone:

[root@localhost ~]# firewall-cmd --add-service=http
success

Allow access to the https service in the default zone:

[root@localhost ~]# firewall-cmd --add-service=https

(2) Set the services allowed access in the internal zone.

Allow access to the mysql service in the internal zone:

[root@localhost ~]# firewall-cmd --zone=internal --add-service=mysql

Disallow access to the samba-client service in the internal zone:

[root@localhost ~]# firewall-cmd --zone=internal --remove-service=samba-client

Display all services allowed access in the internal zone:

[root@localhost ~]# firewall-cmd --zone=internal --list-services

5) Port management

When configuring a service, a predefined network service can be configured by its service name, and the ports used by that service are opened automatically. For services that are not predefined, however, the ports must be added manually to the specified zone. For example, the following command opens port 443/TCP in the internal zone:

[root@localhost ~]# firewall-cmd --zone=internal --add-port=443/tcp

To disallow access to port 443/TCP in the internal zone, execute the following command:

[root@localhost ~]# firewall-cmd --zone=internal --remove-port=443/tcp

6) Two configuration modes

As mentioned earlier, the firewall-cmd tool has two configuration modes. Runtime mode refers to the firewall configuration currently running in memory, which is lost when the system or the firewalld service is restarted or stopped. Permanent mode refers to the rule configuration stored permanently in the configuration files, which is applied when the firewall is restarted or reloaded.

The firewall-cmd tool has three options related to the configuration mode.

(1) --reload: reloads the firewall rules while keeping state information; that is, the permanent configuration is applied to the runtime configuration.

(2) --permanent: a command with this option sets persistent rules, which take effect only when firewalld is restarted or the firewall rules are reloaded; without this option, the command sets runtime rules.

(3) --runtime-to-permanent: writes the current runtime configuration to the rule configuration files, making it permanent.
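The three options combine into a change pattern worth scripting: add the rule at runtime only, verify it, and then either save it with --runtime-to-permanent or discard it with --reload, which re-applies the saved permanent configuration. The following is an added example, not code from the original article or from firewalld; FIREWALL_CMD defaults to a recording stub so the flow can be run offline, and the check command is supplied by the caller.

```shell
#!/bin/sh
# Added example, not part of the original article: a runtime-first change flow
# built on --permanent/--reload/--runtime-to-permanent semantics. The rule is
# added at runtime only, a check is run, and the change is kept with
# --runtime-to-permanent only if the check passes; otherwise --reload restores
# the saved permanent configuration, which drops the runtime-only rule.
# FIREWALL_CMD defaults to a recording stub for offline use; on a real host
# run with FIREWALL_CMD=firewall-cmd.

FIREWALL_CMD="${FIREWALL_CMD:-record_cmd}"
CMD_LOG="${CMD_LOG:-$(mktemp)}"

# Stub standing in for firewall-cmd: records the arguments it was called with.
record_cmd() { printf '%s\n' "$*" >> "$CMD_LOG"; }

# fw_change_safely <zone> <check command> <firewall-cmd option...>
# e.g. fw_change_safely public 'curl -fsS https://localhost/ >/dev/null' --add-service=https
fw_change_safely() {
  zone=$1; check=$2; shift 2
  # 1. Runtime change: live immediately, but lost on restart or reload.
  "$FIREWALL_CMD" --zone="$zone" "$@" || return 1
  if sh -c "$check"; then
    # 2. Check passed: make the running configuration permanent.
    "$FIREWALL_CMD" --runtime-to-permanent
  else
    # 3. Check failed: reload the permanent configuration, discarding the change.
    "$FIREWALL_CMD" --reload
    return 1
  fi
}

# The last command issued, for inspecting what happened.
last_cmd() { tail -n 1 "$CMD_LOG"; }

fw_change_safely internal true --add-service=mysql   # ends with --runtime-to-permanent
fw_change_safely internal false --add-port=443/tcp || echo "reverted with: $(last_cmd)"
```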

Configuration files in /etc/firewalld/

(1) Firewalld gives priority to the configuration in /etc/firewalld/. If a configuration file is not present there, the configuration in /usr/bin/firewalld/ is used.

(2) /etc/firewalld/: user-defined configuration files, which can be copied from /usr/bin/firewalld/ if needed.

(3) /usr/bin/firewalld/: default configuration files, which should not be edited directly. To restore the default configuration, simply delete the configuration in /etc/firewalld/.
