2025-02-23 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains how to use FirewallD in CentOS 7. The method introduced here is simple, fast and practical.
FirewallD is a very powerful feature in CentOS 7. It provides a dynamic firewall management tool that supports network/firewall zones, which define the security level of network connections and interfaces.
FirewallD zones
FirewallD uses services and zones instead of iptables rules and chains.
By default, the following zones are available:
drop - all incoming network packets are dropped with no response; only outgoing network connections are available.
block - all incoming network packets are rejected with an ICMP host-prohibited message; only outgoing network connections are available.
public - for use in public areas; only selected incoming network connections are accepted.
external - for external networks with address masquerading enabled; only selected incoming network connections are accepted.
dmz - the DMZ (demilitarized zone), which has limited external access to the internal network; only selected incoming network connections are accepted.
work - for computers in your work area; only selected incoming network connections are accepted.
home - for computers in your home area; only selected incoming network connections are accepted.
internal - for computers on your internal network; only selected incoming network connections are accepted.
trusted - all network connections are accepted.
To list all available zones, run:
# firewall-cmd --get-zones
work drop internal external trusted home dmz public block
Show the default zone:
# firewall-cmd --get-default-zone
public
Change the default zone:
# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz
FirewallD services
FirewallD stores the definition of each service in an XML configuration file.
List all available services:
# firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
The XML configuration files are stored in the /usr/lib/firewalld/services/ and /etc/firewalld/services/ directories.
Configure your firewall with FirewallD
As an example, suppose you are running a web server and a mail service, with SSH listening on port 7022. You can configure the server with FirewallD as follows:
First, set the default zone to dmz:
# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone
dmz
Add permanent HTTP and HTTPS rules for the dmz zone:
# firewall-cmd --zone=dmz --add-service=http --permanent
# firewall-cmd --zone=dmz --add-service=https --permanent
Open port 25 (SMTP) and port 465 (SMTPS):
# firewall-cmd --zone=dmz --add-service=smtp --permanent
# firewall-cmd --zone=dmz --add-service=smtps --permanent
Open the IMAP, IMAPS, POP3, and POP3S ports:
# firewall-cmd --zone=dmz --add-service=imap --permanent
# firewall-cmd --zone=dmz --add-service=imaps --permanent
# firewall-cmd --zone=dmz --add-service=pop3 --permanent
# firewall-cmd --zone=dmz --add-service=pop3s --permanent
Since the SSH port has been changed to 7022, remove the ssh service (port 22) and open port 7022:
# firewall-cmd --remove-service=ssh --permanent
# firewall-cmd --add-port=7022/tcp --permanent
To apply these changes, reload the firewall:
# firewall-cmd --reload
Finally, you can list these rules:
# firewall-cmd --list-all
dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: http https imap imaps pop3 pop3s smtp smtps
  ports: 7022/tcp
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
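
As an added example (not part of the original article), the shell script below checks `firewall-cmd --list-all` text against the services and port this walkthrough is meant to leave open, so a leftover ssh service or a missing 7022/tcp is flagged. The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit `firewall-cmd --list-all`
# text against the allow-list this walkthrough is meant to produce.
ALLOWED_SERVICES="http https smtp smtps imap imaps pop3 pop3s"
ALLOWED_PORTS="7022/tcp"

# zone_field FIELD: print the value of the "FIELD:" line from stdin.
# Anchoring on leading whitespace keeps "ports" from matching "forward-ports".
zone_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# not_in A B: print each word of list A that is absent from list B.
not_in() {
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) printf '%s\n' "$item" ;;
        esac
    done
}

# audit_zone: read list-all text on stdin, print findings, return 1 on drift.
audit_zone() {
    text=$(cat)
    services=$(printf '%s\n' "$text" | zone_field services)
    ports=$(printf '%s\n' "$text" | zone_field ports)
    findings=""
    for s in $(not_in "$services" "$ALLOWED_SERVICES"); do findings="$findings unexpected-service:$s"; done
    for p in $(not_in "$ports" "$ALLOWED_PORTS"); do findings="$findings unexpected-port:$p"; done
    for s in $(not_in "$ALLOWED_SERVICES" "$services"); do findings="$findings missing-service:$s"; done
    for p in $(not_in "$ALLOWED_PORTS" "$ports"); do findings="$findings missing-port:$p"; done
    printf '%s\n' "${findings# }"
    [ -z "$findings" ]
}

# Constructed sample: a zone where ssh was never removed and 7022 never opened.
sample_drifted() {
    cat <<'EOF'
dmz
  services: http https imap imaps pop3 pop3s smtp smtps ssh
  ports:
  forward-ports: port=8080:proto=tcp:toport=80:toaddr=
EOF
}

sample_drifted | audit_zone || true
# On a live host: firewall-cmd --zone=dmz --list-all | audit_zone
```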