How to use firewalls to make Linux more powerful

2025-03-28 Update. From: SLTechnology News&Howtos (shulou), Servers


Shulou(Shulou.com)06/01 Report--

This article explains how to use a firewall to make Linux more secure. It is fairly detailed and should be a useful reference; if you are interested, read on.

How firewalls work

Communication between different devices on a network happens through gateways called ports. A port here is not a physical connector such as a USB or HDMI port. In networking terms a port is a purely virtual concept that identifies the path a particular kind of data takes when it arrives at or leaves a computer. They could have been given another name, such as "connection" or "door", but they were already being called ports in 1981 and the term is still used today. There is nothing special about a port: it is simply a way of naming an address at which data transfer may take place.

In 1972 a list of port numbers (then called "socket numbers") was published, and it evolved into the well-known set of standard port numbers that helps manage specific types of network traffic. For example, you use ports 80 and 443 every time you visit a website, because most of the Internet agrees (or defaults) to serve web traffic on those two ports. You can verify this by appending a non-standard port number to a URL in your browser. A request to example.com:42 will fail, because example.com provides no web service on port 42: the connection is either refused or times out, depending on how that server's firewall treats the port.

Navigating to a nonstandard port produces an error

If you visit the same site on port 80 you can (unsurprisingly) access it normally. You can append :80 to the URL to specify port 80 explicitly, but since port 80 is the standard port for HTTP, your browser already uses it by default (and port 443 for HTTPS).

When a computer such as a web server is meant to receive network traffic on a designated port, keeping that port open to the network is acceptable and necessary. Ports that do not need to receive traffic, however, are a liability if they are left open, and that is the problem a firewall solves.

Install firewalld

There are many ways to configure a firewall; this article covers firewalld. It integrates with Network Manager in the desktop environment and is driven from the terminal with firewall-cmd. These tools come preinstalled in many Linux distributions. If your distribution does not ship them, you can treat this article as general advice on firewall management and apply the same approach in whatever firewall software you use, or you can install firewalld.

For example, on Ubuntu you must enable the universe repository, disable (and stop) the default ufw firewall so that two firewalls are not fighting over the same rules, and then install firewalld:

$ sudo systemctl disable --now ufw
$ sudo add-apt-repository universe
$ sudo apt install firewalld

Fedora, CentOS, RHEL, OpenSUSE, and many other distributions include firewalld by default.

Whichever distribution you use, the firewall only protects you while it is running, so enable it and set it to start automatically at boot. The goal is a firewall that needs as little ongoing attention from you as possible.

$ sudo systemctl enable --now firewalld

Use Network Manager to select a zone

You probably connect to several different networks every day: one at work, another at the cafe, another at home. Your computer can tell which networks you use most often, but it cannot know which of them you trust.

A firewall zone is a named set of default rules for which ports are open and closed. By choosing a zone you pick the policy that best fits the network you are currently on.

Open the connection editor from Network Manager (it is in the application menu), or run the command nm-connection-editor & to get a list of your network connections.

Network Manager Connection Editor

In the list of network connections, double-click the network you are currently using.

In the network configuration window that appears, click the General tab.

In the General panel, open the drop-down menu next to Firewall zone to see the list of all available zones.

Firewall zones

You can also use the following terminal command to get the same list:

$ sudo firewall-cmd --get-zones

The name of each zone hints at what its designers intended it for, but you can see the details of any zone with the following terminal command:

$ sudo firewall-cmd --zone work --list-all
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  [...]

In this example the work zone allows incoming traffic for the SSH and DHCPv6-client services and rejects any other incoming traffic that your computer did not explicitly request. In other words, the work zone does not block the HTTP responses that come back while you are browsing a site (they belong to connections your computer initiated), but it does block an unsolicited HTTP request arriving at port 80 on your computer.

You can look at each zone in turn to see what traffic it allows. The most common ones are:

Work: use this zone on a network you trust a great deal. It allows SSH and the DHCPv6 client (the exact service list varies by distribution and firewalld version, so check it with --list-all), and you can add more allowed items. It is ideal as a base configuration to which you add whatever your daily work requires.

Public: use this zone on networks you do not trust. It is configured like the work zone, but you should not add further allowed items to it.

Drop: all incoming connections are dropped without any response. This is the closest thing to stealth mode short of disconnecting from the network, because only outgoing connections are allowed (a port scanner can still detect your computer through its outgoing traffic, so this zone does not make you invisible). On public Wi-Fi this is arguably the safest choice, and if you believe the current network is hostile it is certainly the best choice.

Block: all incoming connections are rejected, but a reply is returned telling the sender that the requested port is not reachable. Only connections you initiate are allowed. This is the polite version of the drop zone: still no port accepts incoming traffic, but the remote side is told that connections not initiated locally are refused rather than being left waiting.

Home: use this zone if you trust the other computers on the network. It only allows the incoming connections you choose, and you can add more allowed items as needed.

Internal: similar to the work zone, this zone is intended for an internal network in which you have basic trust in the other computers. You can open more ports and services as you need while keeping a rule set separate from the work zone.

Trusted: accepts all network connections. Suitable for troubleshooting or for a network you trust absolutely.
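The difference between the zones is visible from the client side, which is also how the example.com:42 failure described earlier shows up. The following script is an added example written for this article (it is not from the original page or from the firewalld project): it connects to a TCP port and classifies the answer. An open port completes the handshake; a port in the block zone (or a closed port behind no firewall) answers with a reset or an ICMP reject, so connect() fails quickly with "refused"; a port in the drop zone answers nothing, so connect() only times out. The self-check starts a throwaway listener on 127.0.0.1 so that one port is genuinely open and picks a free port so that another is genuinely closed; no external host is contacted.

```python
"""Probe a TCP port and classify the answer as open, closed or filtered.

Added example for this article; not part of the original page or of firewalld.
Use it only against hosts you are authorized to test.
"""
import errno
import socket


def probe(host, port, timeout=2.0):
    """Return 'open', 'closed' or 'filtered' for host:port over TCP."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"          # three-way handshake completed: a listener answered
    except ConnectionRefusedError:
        return "closed"        # TCP RST, or the ICMP reject a block zone sends
    except socket.timeout:
        return "filtered"      # silence: a drop zone, another packet filter, or loss
    except OSError as exc:
        # An ICMP unreachable can also surface as one of these errnos on Linux.
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "closed"
        raise
    finally:
        sock.close()


def probe_many(host, ports, timeout=2.0):
    """Probe several ports and return {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def _free_port():
    """Ask the kernel for a currently unused port on 127.0.0.1 (demo helper)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Self-contained demonstration against a local listener.

    Starts a throwaway listener so one port is open, picks a free port so
    another is closed, and probes both.  A 'filtered' result cannot be
    produced on loopback; you see it when probing a host in the drop zone.
    Returns (results, open_port, closed_port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    closed_port = _free_port()
    try:
        results = probe_many("127.0.0.1", [open_port, closed_port], timeout=1.0)
    finally:
        listener.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 2:
        # usage: python3 probe.py HOST PORT [PORT ...]
        target = sys.argv[1]
        for port, state in probe_many(target, [int(p) for p in sys.argv[2:]]).items():
            print(f"{target}:{port} {state}")
    else:
        results, open_port, closed_port = demo()
        print(f"local listener on port {open_port}: {results[open_port]}")
        print(f"unused port {closed_port}: {results[closed_port]}")
```

Run it with a host and a few ports to check a zone you just assigned: a machine in the block zone reports "closed" for everything you did not allow, a machine in the drop zone reports "filtered" after the timeout, and a service you added should report "open".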

Assign a zone to a network

You can assign a zone to any of your network connections, and you can assign different zones to different connections to the same network (Ethernet and Wi-Fi, for example).

Select the zone you want and click the Save button to apply the change.

Setting a new zone

The best way to get into the habit of assigning zones is to start with the networks you use most often: the home zone for your home network, the work zone for your work network, and the public zone for your favourite library or cafe network.

Once you have assigned zones to all the networks you use regularly, try to assign one to each new network you join (a new cafe, a friend's house). It is a good way to stay aware that different networks are not equally safe, and that running Linux does not by itself make you more secure than anyone else.

Default zone

firewalld does not prompt you to choose a zone each time you join a new network; it assigns a default zone. You can see your default zone with the following terminal command:

$ sudo firewall-cmd --get-default-zone
public

In this example the default zone is public. Make sure your default zone is strict, because it is the zone an unknown network gets. You can also choose a different default zone.

For example, if you are cautious (or paranoid) or often have to use untrusted networks, set a very strict default zone:

$ sudo firewall-cmd --set-default-zone drop
success
$ sudo firewall-cmd --get-default-zone
drop

From now on, any new network you join is placed in the drop zone unless you manually assign it a less strict zone.

Build custom zones by opening ports and services

The firewalld developers do not expect their preset zones to suit every network and every level of trust in the world. You can use the zones as they are, or customise them to fit your needs.

Deciding which ports to open or close based on the network activity you need does not require a deep understanding of firewalls.

Predefined services

The easiest way to allow something through your firewall is to add a predefined service. Strictly speaking, your firewall has no idea what a "service" is; it only knows port numbers and protocols. But based on standards and convention, firewalld bundles the relevant port and protocol combinations for you under service names.

For example, if you are a web developer and want your computer reachable on the local network (so your colleagues can see the site you are building), add the http and https services. If you are a gamer running the open source Murmur voice chat server for your guild, add the murmur service. There are many more services available; list them with the following command:

$ sudo firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client bgp bitcoin bitcoin-rpc ceph cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns elasticsearch freeipa-ldap freeipa-ldaps ftp [...]

If you find the service you need, add it to your current firewall configuration, for example:

$ sudo firewall-cmd --add-service murmur

This adds all the ports and protocols the service needs to your default zone, but the change is lost when the computer or the firewall is restarted. To make it permanent, use the --permanent flag. Note the other half of that trade-off: a --permanent change is written to disk but is not applied to the running firewall until you run sudo firewall-cmd --reload (or repeat the command without --permanent). Conversely, sudo firewall-cmd --runtime-to-permanent saves whatever the running firewall is currently doing.

$ sudo firewall-cmd --add-service murmur --permanent

You can also target a zone other than the default:

$ sudo firewall-cmd --add-service murmur --permanent --zone home

Ports

Sometimes the traffic you want to allow is not covered by any service firewalld defines. Perhaps you run a common service on a non-standard port, or you simply want to open an arbitrary port.

For example, you might be running the open source virtual tabletop software MapTool. There is no industry standard for which port a MapTool server should use, so you pick a port and then "punch a hole" in the firewall to allow traffic on it.

This works much the same way as adding a service:

$ sudo firewall-cmd --add-port 51234/tcp

This opens port 51234 to incoming TCP connections in your default zone, but the change is lost when the computer or the firewall is restarted. To make it permanent, use the --permanent flag (and remember that a permanent-only change is not enforced until the next reload):

$ sudo firewall-cmd --add-port 51234/tcp --permanent

You can also target a zone other than the default:

$ sudo firewall-cmd --add-port 51234/tcp --permanent --zone home

Allowing traffic through a router's firewall is different from allowing it on the local machine. Your router probably offers its own configuration interface for its built-in firewall (the principle is the same), but that is beyond the scope of this article.
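Once you have added services and ports to several zones, two questions come up: what does each zone actually allow, and does the running firewall match what is saved on disk? The following script is an added example for this article (not part of the original page or of firewalld). It parses the text that firewall-cmd --list-all-zones prints for the runtime configuration and for the --permanent configuration, then reports per zone which services, ports and rich rules are enforced now but not saved (they vanish on the next --reload) or saved but not enforced (nobody ran --reload), and flags any zone whose target is ACCEPT, which admits all incoming traffic the way the trusted zone does. The two listings in the script are constructed and trimmed for the example; when run as a script it tries the real firewall-cmd first.

```python
"""Audit firewalld zones from the text `firewall-cmd --list-all-zones` prints.

Added example for this article; it is not part of firewalld.  The listings
RUNTIME and PERMANENT below are constructed (and trimmed) samples.
"""

# Constructed sample: runtime configuration, as from `firewall-cmd --list-all-zones`.
RUNTIME = """\
public (active)
  target: default
  interfaces: wlp3s0
  services: dhcpv6-client ssh http
  ports: 51234/tcp
  rich rules:

work
  target: default
  interfaces:
  services: dhcpv6-client ssh
  ports:
  rich rules:
"""

# Constructed sample: saved configuration, as from `firewall-cmd --permanent --list-all-zones`.
PERMANENT = """\
public
  target: default
  interfaces:
  services: dhcpv6-client ssh
  ports:
  rich rules:

work
  target: ACCEPT
  interfaces:
  services: dhcpv6-client ssh murmur
  ports:
  rich rules:
\trule family="ipv4" source address="192.0.2.0/24" service name="murmur" accept
"""

# Settings whose value is a whitespace-separated list, or one tab-indented entry per line.
LIST_KEYS = {"interfaces", "sources", "services", "ports", "protocols",
             "source-ports", "forward-ports", "icmp-blocks", "rich rules"}


def parse_zones(text):
    """Return {zone_name: {setting: value}}; list-valued settings become sets."""
    zones, current, last_key = {}, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("\t") and current is not None and last_key in LIST_KEYS:
            current[last_key].add(line.strip())     # rich rules / forward-ports entries
            continue
        if not line[0].isspace():
            name = line.split()[0]                  # "public (active)" -> "public"
            current = zones.setdefault(name, {"active": "(active)" in line})
            last_key = None
            continue
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip()
        current[key] = (set(value.split()) if value else set()) if key in LIST_KEYS else value
        last_key = key
    return zones


def audit(runtime_text, permanent_text):
    """Compare runtime and permanent zones; return a list of human-readable findings."""
    runtime, permanent = parse_zones(runtime_text), parse_zones(permanent_text)
    findings = []
    for zone in sorted(set(runtime) | set(permanent)):
        now, saved = runtime.get(zone, {}), permanent.get(zone, {})
        for key in ("services", "ports", "rich rules"):
            only_now = now.get(key, set()) - saved.get(key, set())
            only_saved = saved.get(key, set()) - now.get(key, set())
            if only_now:
                findings.append(f"{zone}: {key} {sorted(only_now)} enforced now but not saved "
                                "(lost on --reload; keep with --runtime-to-permanent)")
            if only_saved:
                findings.append(f"{zone}: {key} {sorted(only_saved)} saved but not enforced "
                                "(apply with --reload)")
        if "ACCEPT" in (now.get("target"), saved.get("target")):
            findings.append(f"{zone}: target ACCEPT admits all incoming traffic")
    return findings


if __name__ == "__main__":
    import subprocess
    try:
        # The --permanent listing needs root, so run this script with sudo.
        runtime = subprocess.run(["firewall-cmd", "--list-all-zones"], check=True,
                                 capture_output=True, text=True).stdout
        permanent = subprocess.run(["firewall-cmd", "--permanent", "--list-all-zones"],
                                   check=True, capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        print("firewall-cmd unavailable or not permitted; auditing the constructed samples")
        runtime, permanent = RUNTIME, PERMANENT
    for finding in audit(runtime, permanent) or ["no findings"]:
        print(finding)
```

On the constructed samples the audit reports that the http service and port 51234/tcp in the public zone are runtime-only, that the murmur service and a rich rule in the work zone are saved but not yet loaded, and that the work zone's target has been set to ACCEPT. Run it with sudo on a real host after a round of --add-service and --add-port commands to catch exactly these mistakes before a reload or a reboot surprises you.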

Remove ports and services

If you no longer need a service or port and did not use the --permanent flag when adding it, reloading the firewall (sudo firewall-cmd --reload) discards the runtime change.

If you made the change permanent, remove it with the --remove-port or --remove-service flag:

$ sudo firewall-cmd --remove-port 51234/tcp --permanent

Specify a zone in the command to remove a port or service from a zone other than the default:

$ sudo firewall-cmd --remove-service murmur --permanent --zone home

Custom zones

You are free to use the zones firewalld provides, but you can also create your own. For example, if you want a dedicated zone for gaming, create one and switch to it only while you play.

To create a new, empty zone called game, and then reload the firewall rules so that the new zone becomes available:

$ sudo firewall-cmd --new-zone game --permanent
success
$ sudo firewall-cmd --reload

Once the zone is created and loaded, customise it by adding the services and ports your game needs.

That is everything in "how to use firewalls to make Linux more powerful". Thank you for reading!
