2025-03-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Background description
A firewall provides strong protection: traffic must first pass the firewall's security checks before it can reach the target host. In a company, data security is paramount, so the security department has to build a company-wide server firewall and harden it on top of the existing setup to avoid security risks and related problems. It is recommended that everyone spend more than ten minutes on the firewall theory first, so that later troubleshooting is easier; the common command operations are in the last section.
The main contents are as follows: 1. a detailed understanding of firewall-related configuration; 2. a detailed interpretation of the relevant security configuration methods; 3. a detailed interpretation of the basics of the firewalld firewall; 4. an understanding of firewalld firewall configuration; 5. an understanding of the related firewalld commands.
1. Overview of the Linux firewall
Firewall refers to the combination of a series of components set between different networks or network security domains, which can enhance the security of the internal network of the organization. Through the access control mechanism, it determines which internal services allow external access and which external requests are allowed to access internal services. It can determine whether IP packets can be transmitted into or out of the intranet according to the type of network transmission.
The firewall examines each packet to determine whether it matches a filtering rule, comparing the rules one by one in order until one is satisfied, and then takes the corresponding action according to the control mechanism. If no rule matches, the packet is discarded to protect the network.
The firewall function of the Linux system is implemented by the kernel. In kernel version 2.4 and later the packet filtering mechanism is netfilter. The management tool on CentOS 6 is iptables and on CentOS 7 it is firewalld; firewalld is a new generation of Linux firewall tool that provides dynamic firewall management and supports the definition of network/firewall zones for network links and interface security levels.
Netfilter, the packet filtering firewall function system located in the Linux kernel, is called the "kernel state" of the Linux firewall. firewall-cmd, located at /bin/firewall-cmd, is the command-line tool used to manage the firewall; it provides the filtering rules/policies for the firewall system and determines how packets arriving at the firewall host are filtered or handled, which is called the "user state" of the Linux firewall. Conventionally, both names can refer to the Linux firewall.
2. Linux firewall framework
(1) netfilter framework
The Linux kernel contains a powerful network subsystem called netfilter, which provides stateful or stateless packet filtering services for the iptables kernel firewall modules, such as NAT and IP masquerading, and can also modify IP header information for advanced routing or connection state management. firewalld manages the firewall dynamically and integrates the filtering capabilities of netfilter. It also supports interfaces that allow services or applications to add firewall rules directly. The location of netfilter is shown in figure 1:
Although the firewall module is built into the Linux kernel and processes the packets flowing through the IP layer, it does not change the code of the IP protocol stack; it hooks the firewall function into the IP layer through the netfilter module, so the firewall code is completely separated from the IP protocol stack code. The structure of the netfilter module is shown in figure 2:
The packet enters the IP stack from the left. After IP verification, the packet is processed by PREROUTING, and then enters the routing module, which decides whether the packet is forwarded or sent to the local machine. If the packet is sent to the local machine, it is processed by INPUT and passed to the upper layer protocol of the local machine; if the packet should be forwarded, it will be processed by FORWARD and then processed by POSTROUTING before it can be transmitted to the network. The packets generated by the local process are first processed by OUTPUT, then processed by routing, and then sent to the network after POSTROUTING processing.
The iptables service stores its configuration in /etc/sysconfig/iptables, while firewalld stores its configuration in various XML files under /usr/lib/firewalld/ and /etc/firewalld/. With iptables, every individual change means clearing all old rules and reading all new rules from /etc/sysconfig/iptables, whereas firewalld does not recreate all rules; it only applies the differences between the old and new rule sets. So firewalld can change settings at run time without losing the current configuration.
firewalld manages the firewall dynamically so that changes are applied without restarting the entire firewall; hence the kernel firewall modules do not all need to be reloaded. However, using firewalld requires that all changes to the firewall go through the firewalld daemon, so that the state in the daemon stays consistent with the firewall in the kernel. In addition, firewalld cannot parse firewall rules added with the iptables and ebtables command-line tools. A schematic diagram of the firewalld firewall stack is shown in figure 3.
2. firewalld firewall management
firewalld provides dynamic firewall management tools that support the definition of network/firewall zones for network links and interface security levels. firewalld divides the network into different areas (usually called zones) and formulates access control policies between them to control the data flow between zones. It supports IPv4 and IPv6 firewall settings and Ethernet bridging, and has run-time and permanent configuration options. It also supports interfaces that allow services or applications to add firewall rules directly. The previous system-config-firewall/lokkit firewall model was static, and every modification required a full restart of the firewall. That process includes unloading the kernel netfilter firewall modules and loading the modules needed for the new configuration; unloading the modules destroys the stateful firewall and its established connections.
In contrast, the firewall daemon manages the firewall dynamically and does not need to restart the firewall to apply changes, so the kernel firewall modules do not all have to be reloaded. However, using the firewall daemon requires that all changes to the firewall go through the daemon, so that the state in the daemon stays consistent with the firewall in the kernel. In addition, the firewall daemon cannot parse firewall rules added with the ip*tables and ebtables command-line tools. The daemon provides information about the currently active firewall settings through D-BUS, and also accepts changes made through D-BUS with PolicyKit authentication. Applications, daemons and users can enable a firewall feature through D-BUS requests. Features can be predefined firewall functions such as services, combinations of ports and protocols, port/packet forwarding, masquerading, ICMP blocking, or custom rules. A feature can be enabled for a certain period of time or deactivated again.
3. firewalld zone management
The network zone defines the trust level of the network connection. This is a one-to-many relationship: a connection can be part of only one zone, but a zone can be used for many connections. An IP address can be regarded as a zone, a network segment can be regarded as a zone, and the local area network and the Internet can each be regarded as a zone. For example:
Predefined services: a service is a combination of ports and/or protocol entries. Options include netfilter helper modules and IPv4/IPv6 addresses.
Port and protocol: defines a tcp or udp port, which can be a single port or a port range.
ICMP blocking: selects Internet Control Message Protocol messages. These messages can be information requests, replies to information requests, or error conditions.
Masquerading: private network addresses can be mapped to public IP addresses. This is a regular address translation.
Port forwarding: a port can be mapped to another port and/or another host.
In current network applications, the Internet is assumed to be an untrusted zone, while the internal network is a highly trusted zone. To prevent communication prohibited by the security policy, zones with different degrees of trust each have their own basic control tasks.
Typical zones include the Internet (an untrusted zone) and an internal network (a highly trusted zone). The ultimate goal is to provide connectivity between areas with different levels of trust, according to the principle of least privilege, through the operation of security policies and connectivity models. For example, a public WIFI network connection should not be trusted, while a home wired network connection can be fully trusted. The network security model can be initialized during installation, initial startup, and the first establishment of a network connection. The model describes the trust level of the entire network environment to which the host is connected and defines how new connections are handled. In the zone configuration under /etc/firewalld/, a series of presets that can be quickly applied to a network interface is defined. The zones provided by firewalld, sorted from untrusted to trusted, are:
drop: any received network packet is discarded without any reply. Only outgoing network connections are possible.
block: any received network connection is rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6.
public: the default zone of the system, for use in public areas. You cannot trust other computers in the network not to harm your computer; only selected connections are accepted.
external: for external networks with masquerading enabled, especially on routers. You cannot trust other computers in the network not to harm your computer; only selected connections are accepted.
dmz: for computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected connections are accepted.
work: for use in work areas. You can mostly trust other computers in the network not to harm your computer; only selected connections are accepted.
home: for home networks. You can mostly trust other computers in the network not to harm your computer; only selected connections are accepted.
internal: for internal networks. You can mostly trust other computers in the network not to threaten your computer; only selected connections are accepted.
trusted: all network connections are accepted.
Configure or add zones: you can use any of the firewalld configuration tools to configure or add zones and to modify configurations. The tools include the graphical tool firewall-config, the command-line tool firewall-cmd, and the D-BUS interfaces. Alternatively, you can create or copy zone files in the configuration directories: @PREFIX@/lib/firewalld/zones is used for the default and fallback configuration, and /etc/firewalld/zones for user-created and customized profiles.
Modify zone: the zone is stored in the ifcfg file of the network connection as the ZONE= option. If this option is missing or empty, firewalld uses the configured default zone. If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.
Network connections controlled by NetworkManager: firewalld cannot configure network connections by the name NetworkManager displays, only network interfaces. Therefore, before the network connection is made, NetworkManager tells firewalld which network interface corresponds to the connection described in the configuration file. If no zone is configured in the configuration file, the interface is put into the default zone of firewalld. If the network connection uses more than one interface, all interfaces are applied to firewalld. A change of the interface name is also handled by NetworkManager and applied to firewalld. To simplify, the network connection is used as the relationship with the zone. If an interface is disconnected, NetworkManager also tells firewalld to remove the interface from the zone. When firewalld is started or restarted by a systemd or init script, firewalld notifies NetworkManager to add the network connections to their zones.
4. Basic configuration and management of the Linux firewall
In CentOS 7, firewall policies are managed through the firewall-config graphical interface. You can also manage them with the firewall-cmd command-line tool, which supports all firewall features; for state and query modes the command only returns a status and prints no other output. You can also edit the configuration files in /etc/firewalld/ directly to manage the firewalld policy.
With firewalld, you can enable or disable firewall features through the graphical tool firewall-config or the command-line client firewall-cmd.
4.1 firewall-cmd command-line tool
firewall-cmd supports all features of the firewall, and administrators can use it to change system or user policies. Through firewall-cmd, users can configure the services, ports, masquerading, port forwarding and ICMP filters allowed by the firewall, and adjust zone settings.
The firewall-cmd tool supports two policy management methods, runtime and permanent settings, which need to be set separately:
Runtime zone: changes made to a zone in runtime mode are not permanent but take effect immediately; they are lost after a reload or a system restart.
Permanent zone: the permanent options do not directly affect the runtime state; they only take effect after a reload or a system restart.
Firewall startup and shutdown:
start the firewall: systemctl start firewalld
query the firewall status: systemctl status firewalld
enable the firewall at boot: systemctl enable firewalld
stop the firewall: systemctl stop firewalld
disable the firewall at boot: systemctl disable firewalld
Firewall management command format:
firewall-cmd [options...]
Firewall-cmd supports hundreds of parameters. The following table shows the common Options descriptions, as shown in the table:
firewall-cmd option                          description
--get-default-zone                           query the current default zone
--set-default-zone=<zone>                    set the default zone; changes both the runtime and the permanent configuration
--get-zones                                  list all available zones
--get-active-zones                           list all zones in use (with associated interfaces or sources) together with their interface and source information
--add-source=<cidr> [--zone=<zone>]          route all traffic from the IP address or network/subnet mask to the specified zone
--remove-source=<cidr> [--zone=<zone>]       remove the rule routing all traffic from the IP address or network/subnet mask to the specified zone
--add-interface=<if> [--zone=<zone>]         route all traffic from the interface to the specified zone
--change-interface=<if> [--zone=<zone>]      associate the interface with a different zone
--list-all [--zone=<zone>]                   list all configured interfaces, sources, services and ports of the zone
--list-all-zones                             retrieve all information (interfaces, sources, ports, services, etc.) for all zones
--add-service=<service> [--zone=<zone>]      allow traffic to the service
--add-port=<port/proto> [--zone=<zone>]      allow traffic to the port(s)
--remove-service=<service> [--zone=<zone>]   remove the service from the zone's allowed list
--remove-port=<port/proto> [--zone=<zone>]   remove the port(s) from the zone's allowed list
--reload                                     discard the runtime configuration and apply the permanent configuration
4.2 firewall-config graphical tool
firewall-config supports all features of the firewall, and administrators can use it to change system or user policies. Through firewall-config, users can configure the services, ports, masquerading, port forwarding and ICMP filters allowed by the firewall, and adjust zone settings, which makes firewall configuration more flexible, secure and robust.
The firewall-config work interface is shown in figure 4.
The firewall-config interface is divided into three parts: the top is the main menu; the middle holds the configuration tabs, including the zone and service settings tabs; the bottom is the status bar, which from left to right shows the connection status, the default zone, the lockdown status and the panic mode.
Look for the word "connected" in the lower left corner, which indicates that the firewall-config tool is connected to the user-space daemon firewalld.
Firewall-config main menu
The firewall-config main menu includes four options: file, options, View, and help. Among them, the option submenu is the most important, which includes several parts:
Reload firewall: reloads the firewall rules. Any currently running configuration rules that have not been made permanent are lost on reload.
Change connection zone: changes the zone of a network connection.
Change default zone: changes the default zone used for network connections and interfaces.
Panic mode: panic (emergency) mode discards all packets.
Lockdown: lockdown locks the firewall configuration so that only whitelisted applications may change it. The lockdown feature adds a simple way for firewalld to lock local application or service configuration; it is a lightweight application policy.
firewall-config configuration tab
The firewall-config configuration tabs include: runtime and persistence.
Runtime: the configuration rules currently in use. The runtime configuration is not permanent and is reset on reload; these options are lost when the system or the service is restarted or stopped.
Permanent: the permanent configuration rules are used when the system or the service is restarted. The permanent configuration is stored in the configuration files and is restored automatically every time the machine is restarted or the service is restarted or reloaded.
firewall-config zone tab
The zone tab is the main settings interface. firewalld provides 10 predefined zones. Zone configuration options and general configuration information can be found in the firewalld.zone(5) manual.
The zone tab has eight subtabs, namely, service, port, masquerade, port forwarding, ICMP filter, rich rule, interface, and source, as shown in figure 3-1-5.
Services: defines which services are trusted in the zone.
Ports: defines additional ports or port ranges that hosts or networks are allowed to access in the zone.
Masquerading: NAT masquerading, i.e. whether IP forwarding is enabled; it is a kind of address translation and only IPv4 is supported.
Port forwarding: NAT forwarding, where traffic destined for a single port is forwarded to a different port on the same computer or to a port on a different computer.
ICMP filter: sets the types of ICMP packets that may pass.
Rich rules: an expressive language for custom firewall rules not covered by the basic firewalld syntax; it can express basic allow/deny rules and can be used to configure logging (to syslog and auditd), port forwarding, masquerading and rate limiting.
Interfaces: adds interfaces to the zone.
Sources: binds a source address or range.
(4) firewall-config Services Tab
Dozens of important services are predefined; they can be listed with the command firewall-cmd --get-services. A service is a collection of ports, protocols, modules and destination addresses. This tab can only modify services in the permanent configuration view, not in the runtime configuration.
There are three sub-tabs of port and protocol, module and destination address under the service tab, as shown in the figure.
Ports and protocols: defines additional ports or port ranges that all hosts or networks need to access.
Modules: adds netfilter helper modules.
Destination addresses: if a destination address is specified, the service entry is limited to that destination address and type.
5. Current firewalld features
D-BUS interface: the D-BUS interface provides information about the firewall status and makes it possible to enable, disable or query settings.
Zone: a network or firewall zone defines the trust level of a connection. firewalld provides several predefined zones. Zone configuration options and general information can be found in the firewalld.zone(5) manual.
Service: a service can be a list of ports, destinations and additional information, and also firewall helper modules that are loaded automatically when the service is enabled. Using predefined services makes it easier to enable and disable access to a service. Service configuration options and general information are described in the firewalld.service(5) manual.
ICMP type: the Internet Control Message Protocol (ICMP) is used to exchange messages and Internet Protocol (IP) error messages. ICMP types can be used in firewalld to restrict message exchange. ICMP type configuration options and general information can be found in the firewalld.icmptype(5) manual.
Direct interface: the direct interface is mainly used by services or applications to add specific firewall rules. These rules are not permanent and need to be re-applied after a firewalld restart or reload, which firewalld signals over D-Bus.
Run-time configuration: the run-time configuration is not permanent and is reset on reload; when the system or the service is restarted or stopped, these options are lost.
Permanent configuration: the permanent configuration is stored in configuration files and is restored automatically every time the machine is restarted or the service is restarted or reloaded.
Tray applet: the tray applet firewall-applet shows the user the firewall status and problems. It can also be used to configure settings that the user is allowed to modify.
Graphical configuration tool: the main configuration tool for the firewall daemon is firewall-config. It supports all features of the firewall (except the direct interface used by services/applications to add rules). Administrators can also use it to change system or user policies.
Command-line client: firewall-cmd is a tool that provides most of the configuration features of the graphical tool on the command line.
Support for ebtables: ebtables support is required to meet all requirements of the libvirt daemon and to prevent access problems between ip*tables and ebtables at the kernel netfilter level. Because these commands access the same structures, they cannot be used simultaneously.
Default/fallback configuration in /usr/lib/firewalld: this directory contains the default and fallback ICMP type, service and zone configurations provided by firewalld. These files provided by the firewalld package must not be modified; any changes are reset when the firewalld package is updated. Additional ICMP type, service and zone configurations can be provided by a package or by creating a file.
System configuration settings in /etc/firewalld: the system or user configuration files stored here can be customized by the system administrator through the configuration interfaces or manually. These files override the default configuration files. To manually modify a predefined ICMP type, zone or service, copy the configuration from the default configuration directory to the corresponding system configuration directory and then modify it as needed. If a zone with a default and fallback configuration is loaded, the corresponding file under /etc/firewalld is renamed to .old and the fallback configuration is enabled.
6. User policy support
Administrators can specify which users can use the user interaction mode and limit the features available to the firewall.
Port metadata information (proposed by Lennart Poettering): it would be good to have port-independent metadata information. The ports of an application or service are dynamic, so a port by itself does not describe its usage; the static port and protocol allocation model of /etc/services is therefore not a good solution and does not reflect current usage.
Metadata information can be used to make simple rules for firewalls. Here are some examples:
allow external access to file sharing applications or services;
allow external access to music sharing applications or services;
allow external access to all sharing applications or services;
allow external access to torrent file sharing applications or services;
allow external access to http network services.
The metadata information here is not only a specific application, but also a set of usage cases. For example, the group "share all" or the group "file share" can correspond to all shares or file sharing programs (such as torrent file sharing). These are just examples and, therefore, may not be of practical use.
Here are two possible ways to get metadata information in a firewall:
The first is to add it to netfilter (kernel space). The advantage is that everyone can use it, but there are restrictions: user- or system-specific information would also have to be considered, and all of it would need to be implemented at the kernel level. The second is to add it to the firewall daemon. These abstract rules can then be combined with specific information (such as the trust level of the network connection, a user's description of what is shared with a specific individual/host, an administrator prohibiting fully shared rules, etc.).
The benefit of the second solution is that there is no need to recompile the kernel for new metadata sets or for changes to what is included (trust level, user preferences, administrator rules, etc.). Adding these abstract rules makes the firewall daemon more flexible; even new security levels can be added easily without updating the kernel.
7. Wrong sysctl settings
Errors often occur in the setting of sysctl in practical applications.
An example is when the module that provides a setting is not loaded, or is reloaded, at startup while rc.sysinit is running.
Another example is net.ipv4.ip_forward, which is required for firewall settings, libvirt, and user/administrator changes. If two applications or daemons turn on ip_forwarding only when they need it, one of them may turn it off without knowing that the other still needs it, so that one has to be restarted at this point.
A sysctl daemon could solve the above problem by keeping an internal count for each setting. When no requester needs the setting any more, it is returned to its previously set state or turned off directly.
8. The difference between iptables and firewalld
The most essential difference between firewalld and iptables service is:
The iptables service stores its configuration in /etc/sysconfig/iptables, while firewalld stores its configuration in various XML files under /usr/lib/firewalld/ and /etc/firewalld/. Note that when firewalld fails to install on Linux, the /etc/sysconfig/iptables file does not exist. With the iptables service, every individual change means clearing all old rules and reading all new rules from /etc/sysconfig/iptables, whereas firewalld does not recreate all rules; it only applies the differences between the rule sets. Therefore firewalld can change settings at run time without losing the current connections.
9. Basic use of common firewalld commands
Launch: systemctl start firewalld
Turn off: systemctl stop firewalld
View status: systemctl status firewalld
Disable at boot: systemctl disable firewalld
Enable at boot: systemctl enable firewalld
(2) systemctl is the main tool in CentOS7's service management tools, which integrates the functions of service and chkconfig.
Start a service: systemctl start firewalld.service
Shut down a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Displays the status of a service: systemctl status firewalld.service
Enable a service at boot time: systemctl enable firewalld.service
Disable one service at boot time: systemctl disable firewalld.service
Check to see if the service is powered on: systemctl is-enabled firewalld.service
View the list of started services: systemctl list-unit-files | grep enabled
View the list of services that failed to start: systemctl --failed
(3) configure firewall-cmd
# Instance 1: firewall queries
firewall-cmd --version                      # view the version
firewall-cmd --help                         # view the help
firewall-cmd --state                        # display the status
firewall-cmd --get-services                 # list the supported services (firewalld built-in services)
firewall-cmd --zone=public --list-ports     # view all open ports
firewall-cmd --list-forward-ports           # view forwarded ports
firewall-cmd --reload                       # reload the firewall policy
firewall-cmd --get-active-zones             # view active zone information
firewall-cmd --list-all-zones               # list the characteristics of all zones
firewall-cmd --list-services                # display the current firewall services
firewall-cmd --get-zone-of-interface=eth0   # view the zone the specified interface belongs to
firewall-cmd --panic-on                     # reject all packets
firewall-cmd --panic-off                    # cancel the reject-all state
firewall-cmd --query-panic                  # check whether panic mode is on
# Instance 2: runtime zone policy setting examples (note: without --zone, the default zone public is used)
firewall-cmd --add-service=ssh                      # allow the ssh service to pass
firewall-cmd --remove-service=ssh                   # prohibit the ssh service from passing
firewall-cmd --add-service=samba --timeout=600      # temporarily allow the samba service for 600 s
firewall-cmd --add-service=http --zone=work         # allow the http service through the work zone
firewall-cmd --zone=work --add-service=http         # open the http service in the work zone
firewall-cmd --zone=internal --add-port=443/tcp     # open port 443/tcp in the internal zone
firewall-cmd --zone=internal --remove-port=443/tcp  # close port 443/tcp in the internal zone
firewall-cmd --add-interface=eth0                   # add the network card eth0 to the zone
firewall-cmd --remove-interface=eth0                # remove the network card eth0 from the zone
# Instance 3: permanent zone policy setting examples (note: without --zone, the default zone public is used; permanent settings require reloading the firewall policy or rebooting the system)
firewall-cmd --permanent --add-service=ftp                     # permanently allow the ftp service
firewall-cmd --permanent --remove-service=ftp                  # permanently prohibit the ftp service
firewall-cmd --permanent --add-service=http --zone=external    # permanently allow the http service through the external zone
firewall-cmd --permanent --zone=internal --add-port=111/tcp    # open port 111/tcp in the internal zone
firewall-cmd --permanent --zone=internal --remove-port=111/tcp # close port 111/tcp in the internal zone
firewall-cmd --permanent --add-interface=eth0                  # permanently add the network card eth0
firewall-cmd --permanent --remove-interface=eth0               # permanently remove the network card eth0
firewall-cmd --permanent --zone=public --add-port=8080-8083/tcp   # add multiple ports (a port range)
firewall-cmd --permanent --zone=public --remove-port=81/tcp       # delete a port
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.1.51" accept'   # delete the rule for one IP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.0.0/16" accept'    # allow a whole network range
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.1.0/24" port protocol="tcp" port="9200" accept'   # allow an IP segment to access port 9200
firewall-cmd --reload   # don't forget to reload after adding permanent rules, or they will not take effect
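As an added example (my own code, not part of the original article), the following Python script shows the runtime/permanent split from section 4.1 and the instance 2/3 commands above in practice: it parses the text that `firewall-cmd --zone=public --list-all` and `firewall-cmd --permanent --zone=public --list-all` print, and works out which `firewall-cmd --permanent` commands would persist runtime-only changes before a `--reload` or reboot discards them. The two outputs are constructed samples embedded in the script, and the parser assumes the CentOS 7 `--list-all` layout (indented "key: value" lines, rich rules on tab-indented lines at the end).

```python
# Detect drift between a zone's runtime and permanent firewalld configuration
# (added example; the --list-all outputs below are constructed samples).
from typing import Dict, List

# Keys of --list-all output whose value is a space-separated list of items.
SET_KEYS = ("interfaces", "sources", "services", "ports", "protocols",
            "forward-ports", "source-ports", "icmp-blocks")

# Constructed sample: what `firewall-cmd --zone=public --list-all` prints
# after some runtime --add-* commands (http, 443/tcp and a rich rule added).
RUNTIME_SAMPLE = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client http ssh
  ports: 443/tcp 8080-8083/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
\trule family="ipv4" source address="192.168.1.0/24" port port="9200" protocol="tcp" accept
"""

# Constructed sample: `firewall-cmd --permanent --zone=public --list-all`.
PERMANENT_SAMPLE = """\
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 8080-8083/tcp 81/tcp
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
"""


def parse_list_all(text: str) -> Dict[str, object]:
    """Parse one zone's --list-all output: set-valued keys become sets,
    yes/no keys become bools, and the rich rules (tab-indented lines that
    follow "rich rules:") become a list."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    state: Dict[str, object] = {"zone": lines[0].split()[0],  # "public (active)"
                                "rich-rules": [], **{k: set() for k in SET_KEYS}}
    in_rules = False
    for ln in lines[1:]:
        if in_rules:                      # "rich rules:" is the last key printed
            state["rich-rules"].append(ln.strip())
            continue
        key, _, value = ln.strip().partition(":")
        value = value.strip()
        if key == "rich rules":
            in_rules = True
        elif key in SET_KEYS:
            state[key] = set(value.split())
        else:                             # target, masquerade, forward, ...
            state[key] = value == "yes" if value in ("yes", "no") else value
    return state


def persist_commands(runtime: Dict[str, object],
                     permanent: Dict[str, object]) -> List[str]:
    """Return the firewall-cmd --permanent commands that make the permanent
    zone configuration match the runtime one (services, ports, sources,
    interfaces, masquerade, rich rules), ending with --reload; [] = no drift."""
    base = f"firewall-cmd --permanent --zone={runtime['zone']}"
    cmds: List[str] = []
    for key, flag in (("services", "service"), ("ports", "port"),
                      ("sources", "source"), ("interfaces", "interface")):
        for item in sorted(runtime[key] - permanent[key]):
            cmds.append(f"{base} --add-{flag}={item}")
        for item in sorted(permanent[key] - runtime[key]):
            cmds.append(f"{base} --remove-{flag}={item}")
    if runtime["masquerade"] != permanent["masquerade"]:
        verb = "add" if runtime["masquerade"] else "remove"
        cmds.append(f"{base} --{verb}-masquerade")
    for rule in runtime["rich-rules"]:
        if rule not in permanent["rich-rules"]:
            cmds.append(f"{base} --add-rich-rule='{rule}'")
    for rule in permanent["rich-rules"]:
        if rule not in runtime["rich-rules"]:
            cmds.append(f"{base} --remove-rich-rule='{rule}'")
    if cmds:                              # permanent changes only apply after a reload
        cmds.append("firewall-cmd --reload")
    return cmds


if __name__ == "__main__":
    drift = persist_commands(parse_list_all(RUNTIME_SAMPLE),
                             parse_list_all(PERMANENT_SAMPLE))
    print("\n".join(drift) or "runtime and permanent configuration match")
```

Entries added with --timeout (like the samba example above) also appear in the runtime state, so review the generated list before running it rather than persisting it blindly.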