Basic use and detailed explanation of linux7 Firewall

2025-01-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains the basic use of the CentOS 7 (linux7) firewall, firewalld, in detail. The explanation is kept simple and clear so that it is easy to learn and understand; please follow the editor's train of thought while studying it.

1. Basic use of firewalld

Start: systemctl start firewalld

View status: systemctl status firewalld

Stop: systemctl stop firewalld

Disable at boot: systemctl disable firewalld

2. systemctl is the main service management tool in CentOS 7; it combines the functions of service and chkconfig.

Start a service: systemctl start firewalld.service

Stop a service: systemctl stop firewalld.service

Restart a service: systemctl restart firewalld.service

Display the status of a service: systemctl status firewalld.service

Enable a service at boot time: systemctl enable firewalld.service

Disable a service at boot time: systemctl disable firewalld.service

Check whether a service is enabled at boot: systemctl is-enabled firewalld.service

View the list of enabled services: systemctl list-unit-files | grep enabled

View the list of services that failed to start: systemctl --failed

3. Configure with firewall-cmd

View version: firewall-cmd --version

View help: firewall-cmd --help

Display status: firewall-cmd --state

View all open ports: firewall-cmd --zone=public --list-ports

Reload firewall rules: firewall-cmd --reload

View active zones: firewall-cmd --get-active-zones

View the zone to which the specified interface belongs: firewall-cmd --get-zone-of-interface=eth0

Reject all packets (panic mode): firewall-cmd --panic-on

Cancel panic mode: firewall-cmd --panic-off

Check whether panic mode is on: firewall-cmd --query-panic

So how do you open a port?

firewall-cmd

The command reference is copied below. Note that the panic (emergency) mode options changed in version 0.3.0.

In firewalld versions prior to 0.3.0, the panic options were --enable-panic and --disable-panic.

Query panic mode

firewall-cmd --query-panic

This command reports the panic mode status in its exit code and prints nothing. You can turn the status into output like this:

firewall-cmd --query-panic && echo "On" || echo "Off"

Working with runtime zones

Changes made to a zone in runtime mode are not permanent; they are lost after a reload or restart.

Enable a service in a zone

firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]

This enables a service in the zone. If no zone is specified, the default zone is used. If a timeout is set, the service is only enabled for that number of seconds. If the service is already active, there is no warning message.

Example: enable the ipp-client service in the home zone for 60 seconds:

firewall-cmd --zone=home --add-service=ipp-client --timeout=60

Example: enable the http service in the default zone:

firewall-cmd --add-service=http

Disable a service in a zone

firewall-cmd [--zone=<zone>] --remove-service=<service>

This disables a service in the zone. If no zone is specified, the default zone is used.

Example: disable the http service in the home zone:

firewall-cmd --zone=home --remove-service=http

The service is disabled in the zone. If the service was not enabled, there is no warning message.

Query whether a service is enabled in a zone

firewall-cmd [--zone=<zone>] --query-service=<service>

If the service is enabled, 1 is returned, otherwise 0 is returned. There is no output.

Enable a port and protocol combination in a zone

firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]

This enables the port and protocol combination. The port can be a single port or a port range. The protocol can be tcp or udp.

Disable a port and protocol combination

firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>

Query whether a port and protocol combination is enabled in a zone

firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

If enabled, the result is reported via the exit status. There is no output.

Enable IP masquerading in a zone

firewall-cmd [--zone=<zone>] --add-masquerade

This enables masquerading for the zone. Private network addresses are hidden and mapped to a public IP. This is a form of address translation and is often used for routing. Due to kernel limitations, masquerading is only available for IPv4.

Disable IP masquerading in a zone

firewall-cmd [--zone=<zone>] --remove-masquerade

Query the masquerading status of a zone

firewall-cmd [--zone=<zone>] --query-masquerade

If enabled, the result is reported via the exit status. There is no output.

Enable ICMP blocking in a zone

firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>

This enables blocking of selected Internet Control Message Protocol (ICMP) messages. The ICMP message can be a request, a reply to a request, or an error reply.

Disable ICMP blocking in a zone

firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>

Query ICMP blocking in a zone

firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>

If enabled, the result is reported via the exit status. There is no output.

Example: block echo reply messages in the public zone:

firewall-cmd --zone=public --add-icmp-block=echo-reply

Enable port forwarding or mapping in a zone

firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

A port can be mapped to the same port on another host, or to a different port on the same host or another host. The port can be a single port or a port range. The protocol can be tcp or udp. The destination port can be a port number or a port range. The destination address can be an IPv4 address. Due to kernel limitations, port forwarding is only available for IPv4.

Disable port forwarding or mapping in a zone

firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

Query port forwarding or mapping in a zone

firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

If enabled, the result is reported via the exit status. There is no output.

Example: forward ssh in the home zone to 127.0.0.2

firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2

Working with permanent zones

Permanent options do not directly affect the runtime state. They only take effect when the service is reloaded or restarted. To change both the runtime and the permanent settings, you need to set both separately. The --permanent option must be the first parameter when making a permanent setting.

Get the services supported by the permanent configuration

firewall-cmd --permanent --get-services

Get the list of ICMP types supported by the permanent configuration

firewall-cmd --permanent --get-icmptypes

Get the supported permanent zones

firewall-cmd --permanent --get-zones

Enable a service in a zone

firewall-cmd --permanent [--zone=<zone>] --add-service=<service>

This permanently enables the service in the zone. If no zone is specified, the default zone is used.

Disable a service in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>

Query whether a service is enabled in a zone

firewall-cmd --permanent [--zone=<zone>] --query-service=<service>

If the service is enabled, the result is reported via the exit status. This command does not print any output.

Example: permanently enable the ipp-client service in the home zone

firewall-cmd --permanent --zone=home --add-service=ipp-client

Permanently enable a port and protocol combination in a zone

firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>

Permanently disable a port and protocol combination in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>

Query whether a port and protocol combination is permanently enabled in a zone

firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

If enabled, the result is reported via the exit status. This command does not print any output.

Example: permanently enable the https (tcp 443) port in the home zone

firewall-cmd --permanent --zone=home --add-port=443/tcp

Permanently enable masquerading in a zone

firewall-cmd --permanent [--zone=<zone>] --add-masquerade

This enables masquerading for the zone. Private network addresses are hidden and mapped to a public IP. This is a form of address translation and is often used for routing. Due to kernel limitations, masquerading is only available for IPv4.

Permanently disable masquerading in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-masquerade

Query the permanent masquerading state of a zone

firewall-cmd --permanent [--zone=<zone>] --query-masquerade

If enabled, the result is reported via the exit status. This command does not print any output.

Permanently enable ICMP blocking in a zone

firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>

This enables blocking of selected Internet Control Message Protocol (ICMP) messages. The ICMP message can be a request, a reply to a request, or an error reply.

Permanently disable ICMP blocking in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>

Query the permanent ICMP blocking state of a zone

firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>

If enabled, the result is reported via the exit status. This command does not print any output.

Example: permanently block echo reply messages in the public zone:

firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply

Permanently enable port forwarding or mapping in a zone

firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

A port can be mapped to the same port on another host, or to a different port on the same host or another host. The port can be a single port or a port range. The protocol can be tcp or udp. The destination port can be a port number or a port range. The destination address can be an IPv4 address. Due to kernel limitations, port forwarding is only available for IPv4.

Permanently disable port forwarding or mapping in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

Query the permanent port forwarding or mapping state of a zone

firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

If enabled, the result is reported via the exit status. This command does not print any output.

Example: permanently forward ssh in the home zone to 127.0.0.2

firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
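As an added example (not from the article or the firewalld project), the POSIX shell helper below validates the <port>[-<port>]/<protocol> argument described in the runtime and permanent sections above, then applies one --add-port change to both the runtime and the permanent configuration, since the two must be set separately. The FW_DRY_RUN variable is an assumption of this script, not a firewall-cmd option; when it is set to 1 the commands are printed instead of executed.

```shell
#!/bin/sh
# Added example: validate a firewall-cmd port argument and open the port in
# both the runtime and the permanent configuration of a zone.
# FW_DRY_RUN=1 (this script's own convention) prints commands instead of
# running firewall-cmd, so the script can be exercised on any host.

# Validate <port>[-<port>]/<protocol> as firewall-cmd expects it.
# Prints the normalized argument and returns 0, or returns 1 on bad input.
fw_port_arg() {
    port=$1
    proto=$2
    case "$proto" in
        tcp|udp) ;;
        *) echo "invalid protocol: $proto (use tcp or udp)" >&2; return 1 ;;
    esac
    case "$port" in
        *-*) lo=${port%-*}; hi=${port#*-} ;;   # port range
        *)   lo=$port; hi=$port ;;             # single port
    esac
    for p in "$lo" "$hi"; do
        case "$p" in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done
    if [ "$lo" -gt "$hi" ]; then
        echo "invalid range: $port" >&2; return 1
    fi
    echo "$port/$proto"
}

# Run firewall-cmd, or echo the command line when FW_DRY_RUN=1.
fw_run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        echo "firewall-cmd $*"
    else
        firewall-cmd "$@"
    fi
}

# Open a port in a zone in both runtime and permanent configuration.
# Usage: fw_open_port <zone> <port>[-<port>] <tcp|udp>
fw_open_port() {
    zone=$1
    arg=$(fw_port_arg "$2" "$3") || return 1
    # Runtime change: effective immediately, lost on reload or restart.
    fw_run --zone="$zone" --add-port="$arg" || return 1
    # Permanent change: --permanent must come first; it is written to
    # /etc/firewalld and only becomes active after a reload or restart.
    fw_run --permanent --zone="$zone" --add-port="$arg"
}

# Stand-alone demonstration in dry-run mode (prints the two commands only).
( FW_DRY_RUN=1; fw_open_port home 443 tcp )
```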

Direct options

Direct options are mainly meant for services and applications to add their own rules. The rules are not saved and must be submitted again after a reload or restart. The arguments passed are the same as for iptables, ip6tables, and ebtables.

The --direct option must be the first parameter of a direct command.

Pass a command through to the firewall. The arguments can be iptables, ip6tables, or ebtables command line arguments.

firewall-cmd --direct --passthrough {ipv4|ipv6|eb} <args>

Add a new chain to a table.

firewall-cmd --direct --add-chain {ipv4|ipv6|eb} <table> <chain>

Remove a chain from a table.

firewall-cmd --direct --remove-chain {ipv4|ipv6|eb} <table> <chain>

Query whether a chain exists in a table. If so, return 0, otherwise return 1.

firewall-cmd --direct --query-chain {ipv4|ipv6|eb} <table> <chain>

The result is reported via the exit status. This command does not print any output.

Get a space-separated list of the chains in a table.

firewall-cmd --direct --get-chains {ipv4|ipv6|eb} <table>

Add a rule with the given arguments to a chain in a table, with the given priority.

firewall-cmd --direct --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <args>

Remove a rule with the given arguments from a chain in a table.

firewall-cmd --direct --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <args>

Query whether a rule with the given arguments exists in a chain in a table. If so, return 0, otherwise return 1.

firewall-cmd --direct --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <args>

The result is reported via the exit status. This command does not print any output.

Get all rules added to a chain in a table, separated by newlines.

firewall-cmd --direct --get-rules {ipv4|ipv6|eb} <table> <chain>

Current firewalld features

D-Bus interface

The D-Bus interface provides information about the status of the firewall and makes it possible to enable, disable, or query firewall settings.

Zones

A network or firewall zone defines the trust level of a connection. firewalld provides several predefined zones. Zone configuration options and general configuration information are described in the firewalld.zone(5) manual page.

Services

A service can be a list of local ports and destinations plus additional information, and optionally firewall helper modules that are loaded automatically when the service is enabled. Using predefined services makes it easier to enable and disable access to a service. Service configuration options and general documentation are described in the firewalld.service(5) manual page.

ICMP types

The Internet Control Message Protocol (ICMP) is used to exchange messages and Internet Protocol (IP) error messages. ICMP types can be used in firewalld to restrict message exchange. ICMP type configuration options and general documentation are described in the firewalld.icmptype(5) manual page.

Direct interface

The direct interface is mainly used by services or applications to add specific firewall rules. These rules are not permanent and need to be reapplied after receiving the start, restart, and reload signals sent by firewalld over D-Bus.

Runtime configuration

The runtime configuration is not permanent: it is reset on reload, and it is lost when the system or the service is restarted or stopped.

Permanent configuration

The permanent configuration is stored in the configuration files and is automatically restored every time the machine is restarted or the service is restarted or reloaded.

Tray applet

The tray applet firewall-applet shows the user the status of the firewall and any problems. It can also be used to configure settings that the user is allowed to modify.

Graphical configuration tool

The main configuration tool for the firewall daemon is firewall-config. It supports all features of the firewall except the direct interface used by services and applications to add rules. Administrators can also use it to change system or user policies.

Command line client

firewall-cmd is the tool that provides most of the graphical tool's configuration features on the command line.

Support for ebtables

ebtables support is required to meet all the requirements of the libvirt daemon and to prevent access problems between ip*tables and ebtables at the kernel netfilter level. Because these commands access the same structures, they cannot be used simultaneously.

Default / fallback configuration in /usr/lib/firewalld

This directory contains the default and fallback ICMP type, service, and zone configurations provided by firewalld. These files, provided by the firewalld package, should not be modified; any changes are reset when the firewalld package is updated. Additional ICMP types, services, and zone configurations can be provided through software packages or by creating files.

System configuration settings in /etc/firewalld

The system or user configuration stored here can be customized by the system administrator through the configuration interface or manually. These files override the default configuration files.

To manually modify a predefined ICMP type, zone, or service, copy the configuration from the default configuration directory to the corresponding system configuration directory, and then modify it as needed.

When a zone's default / fallback configuration is loaded again, the corresponding file under /etc/firewalld is renamed to .old and the fallback configuration is then enabled.

Features under development

Rich language

The rich language feature provides a mechanism for configuring complex IPv4 and IPv6 firewall rules through a high-level language without knowing the iptables syntax.

Fedora 19 provides the second milestone of the rich language feature, with D-Bus and command line support. The third milestone will also add support in the graphical interface firewall-config.

For more information about this feature, see: firewalld Rich Language

Lockdown

The lockdown feature adds a simple configuration option to firewalld for locking down configuration changes made by local applications or services. It is a lightweight application policy.

Fedora 19 provides the second milestone of the lockdown feature, with D-Bus and command line support. The third milestone will also add support in the graphical interface firewall-config.

For more information, see firewalld Lockdown

Permanent direct rules

This feature is in an early state. It will provide the ability to save direct rules and direct chains. Passthrough rules are not part of this feature. For more information about direct rules, see Direct options.

Migration from the ip*tables and ebtables services

This feature is in an early state. As far as possible, it will provide scripts that convert iptables, ip6tables, and ebtables service configurations to permanent direct rules. This feature may have limitations with respect to the integration of the direct chains provided by firewalld.

This feature will require extensive migration testing with complex firewall configurations.

Planned and proposed features

Abstract firewall model

Adding a layer of abstraction on top of ip*tables and ebtables firewall rules makes adding rules easier and more intuitive. Making the abstraction layer powerful yet not complex is not a simple task. For this reason, a firewall language has to be developed. It should give firewall rules a fixed location and make it possible to query port access status, access policies, and other common information, as well as other possible firewall features.

Support for conntrack

Conntrack is required to terminate connections that were established through a feature that has since been disabled. However, terminating connections may not be desirable in some cases, such as when a firewall service is enabled for a limited period of time in order to establish persistent external connections.

User interaction model

This is a special mode that users or administrators can enable in the firewall. All requests from applications to change the firewall are directed to the user for confirmation or denial. It is possible to set a time limit on the authorization of a connection and to limit the hosts, networks, or connections it applies to. The configuration can be saved so that the same behavior is applied without a prompt in the future. Another feature of this mode is the handling of external connection attempts to pre-selected services and ports, with the same functionality as for requests initiated by applications. Service and port restrictions also limit the number of requests presented to the user.

User policy support

Administrators can specify which users can use the user interaction mode and limit the features available to the firewall.

Port metadata information (proposed by Lennart Poettering)

It would be good to have metadata information that is independent of ports. The current static port and protocol allocation model of /etc/services is not a good solution, nor does it reflect current usage. The port of an application or service is dynamic, so the port itself does not describe its usage.

Metadata information can be used to make simple rules for firewalls. Here are some examples:

Allow external access to file sharing applications or services

Allow external access to music sharing applications or services

Allow external access to all shared applications or services

Allow external access to torrent file sharing applications or services

Allow external access to http network services

The metadata information here is not only a specific application, but also a set of usage cases. For example, the group "share all" or the group "file share" can correspond to all shares or file sharing programs (such as torrent file sharing). These are just examples and, therefore, may not be of practical use.

Here are two possible ways to get metadata information in a firewall:

The first is to add it to netfilter (kernel space). The advantage is that everyone can use it, but there are certain restrictions on its use. User- or system-space specific information would also have to be considered, and all of it would need to be implemented at the kernel level.

The second is to add to firewall daemon. These abstract rules can be used with specific information (such as trusted level of network connections, user descriptions to be shared as specific individuals / hosts, rules that administrators prohibit full sharing, etc.).

The benefit of the second solution is that there is no need to recompile the kernel for new metadata sets and inclusion changes (trustworthiness, user preferences, administrator rules, etc.). The addition of these abstract rules makes firewall daemon freer. Even new security levels can be easily added without updating the kernel.

Sysctl daemon

There are still sysctl settings that are not applied correctly. One example is when the module that provides a setting is not loaded, or is reloaded, at the time rc.sysinit runs at startup.

Another example is net.ipv4.ip_forward, which is needed by the firewall settings, by libvirt, and by user / administrator changes. If two applications or daemons each turn on ip_forwarding only when they need it, one of them may turn it off without knowing that the other still needs it, and the other then has to be restarted.

A sysctl daemon could solve this problem by keeping an internal reference count on each setting. When the last requester no longer needs a setting, it is returned to its previous state or turned off directly.

Firewall rules

Netfilter firewalls are always sensitive to the order of rules, because a rule has no fixed place in a chain. Adding or removing a rule in front of another rule changes that rule's position. In the static firewall model, changing the firewall means rebuilding a clean and complete firewall setup, which is limited to the functions directly supported by system-config-firewall / lokkit. There is no integration with other applications for creating firewall rules, and unless the custom rules file feature of s-c-fw / lokkit is used, it does not know about them. The default chains also usually have no safe way to add or remove rules without affecting other rules.

Dynamic firewalls add extra chains per firewall function. These special chains are called in a defined order, so adding rules to a chain does not interfere with reject and drop rules that were called earlier. This makes it possible to create a more sensible and complete firewall configuration.

Here are some rules created by the daemon that enable support for ssh, mdns, and ipp-client in the public zone of the filter table:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT

Use a deny/allow model to build clear behavior (preferably without conflicting rules). For example, an ICMP block goes into the IN_ZONE_public_deny chain (if set for the public zone) and is processed before the IN_ZONE_public_allow chain.

This model makes it easier to add or remove rules in a specific block without interfering with other blocks.
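To make the ordering guarantee concrete, here is an added example (not part of the original article) that parses an excerpt of the iptables-save dump shown above and checks that INPUT reaches the zone chains before its final REJECT and that IN_ZONE_public consults its deny chain before its allow chain. The helper names rule_index, jumps_before and zone_allowed_ports are this example's own, and RULES is the excerpt embedded as sample input.

```shell
#!/bin/sh
# Added example: check rule ordering in firewalld's generated iptables chains.
# RULES is an excerpt of the dump shown in the article, embedded here as
# constructed sample input so the script runs offline.
RULES=$(cat <<'EOF'
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
EOF
)

# Print the 1-based position within chain $1 of the first rule whose target
# (-j) is $2; print nothing if there is no such rule. Reads rules on stdin.
rule_index() {
    awk -v chain="$1" -v target="$2" '
        $1 == "-A" && $2 == chain {
            n++
            for (i = 3; i < NF; i++)
                if ($i == "-j" && $(i + 1) == target) { print n; exit }
        }'
}

# Succeed (exit 0) only if chain $1 jumps to $2 before it jumps to $3.
# $4 holds the rules text.
jumps_before() {
    a=$(printf '%s\n' "$4" | rule_index "$1" "$2")
    b=$(printf '%s\n' "$4" | rule_index "$1" "$3")
    [ -n "$a" ] && [ -n "$b" ] && [ "$a" -lt "$b" ]
}

# List the port/protocol pairs ACCEPTed in allow chain $1, one per line.
# Reads rules on stdin.
zone_allowed_ports() {
    awk -v chain="$1" '
        $1 == "-A" && $2 == chain && $NF == "ACCEPT" {
            proto = ""; port = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port != "") printf "%s/%s\n", port, proto
        }'
}

# Stand-alone run: report the two ordering properties the article relies on,
# then list what the public zone currently accepts.
if jumps_before INPUT INPUT_ZONES REJECT "$RULES"; then
    echo "INPUT: zone chains are consulted before the final REJECT"
fi
if jumps_before IN_ZONE_public IN_ZONE_public_deny IN_ZONE_public_allow "$RULES"; then
    echo "IN_ZONE_public: deny chain runs before allow chain"
fi
printf '%s\n' "$RULES" | zone_allowed_ports IN_ZONE_public_allow
```

On a live host the same functions can be fed the real ruleset with iptables-save instead of the embedded excerpt.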

Thank you for reading. The above is the content of "Basic use and detailed explanation of linux7 Firewall". After studying this article, I believe you have a deeper understanding of the basic use of the linux7 firewall; the specific usage still needs to be verified in practice. The editor will push more related articles for you; welcome to follow!
