
Detailed explanation of Firewalld Firewall Foundation of CentOS7 system

2025-03-27 Update From: SLTechnology News&Howtos (Servers)

Shulou(Shulou.com)06/02 Report--

Introduction to Firewalld

Firewalld is a dynamic firewall management tool. It assigns network connections and interfaces to zones with different trust levels, supports IPv4 and IPv6 firewall settings as well as Ethernet bridges, and provides an interface through which services or applications can add firewall rules directly.

There are two configuration modes:

1. Runtime configuration

2. Permanent configuration

Relationship between Firewalld, iptables and netfilter:

netfilter: the packet filtering system inside the Linux kernel, called the "kernel state" of the Linux firewall.

Firewalld/iptables: the tool that manages firewall rules (Firewalld is the default on CentOS 7), called the "user state" of the Linux firewall.

The difference between Firewalld and iptables:

Configuration files: Firewalld uses /usr/lib/firewalld/ and /etc/firewalld/; iptables uses /etc/sysconfig/iptables.
Modifying rules: Firewalld does not need to refresh all policies and keeps existing connections; iptables must refresh all policies and existing connections are lost.
Firewall type: Firewalld is a dynamic firewall; iptables is a static firewall.

Introduction to Firewalld network zones:

A zone is like a security door into the host; each zone has rules with a different degree of restriction. One or more zones can be used, but at least one active zone must be associated with a source address or an interface. By default, the public zone is the default zone and contains all interfaces (network cards).

Zone descriptions:

drop: any received network packet is discarded without any reply; only outgoing network connections are possible.
block: any received network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6.
public: for use in public areas. You cannot trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.
external: for external networks with masquerading enabled, especially on routers. You cannot trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.
dmz: for use in your demilitarized zone, which is publicly accessible and has limited access to your internal network; only selected incoming connections are accepted.
work: for use in work areas. You can mostly trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.
home: for use in home networks. You can mostly trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.
internal: for use in internal networks. You can mostly trust that other computers on the network will not threaten your computer; only selected incoming connections are accepted.
trusted: all network connections are accepted.

Firewalld packet processing flow:

1. Check the source address of the packet.

2. If the source address is bound to a specific zone, the rules of that zone are applied.

3. If the source address is not bound to a zone, the zone of the incoming network interface is used and its rules are applied.

4. If the network interface is not bound to a zone either, the default zone is used and its rules are applied.

Configuration methods of the Firewalld firewall:

Runtime configuration: takes effect immediately and lasts until Firewalld is restarted or the configuration is reloaded; does not break existing connections; cannot modify service definitions.
Permanent configuration: does not take effect until Firewalld is restarted or the configuration is reloaded; interrupts existing connections; can modify service definitions; configuration files live in /etc/firewalld/.
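The zone lookup order described above (source binding first, then interface binding, then the default zone), as an added shell example that is not part of the original article. The zone bindings, interface names and addresses are constructed, and only IPv4 CIDR sources are handled:

```shell
#!/bin/sh
# Added example: simulate which zone firewalld applies to an incoming packet.
# The bindings below are constructed, not read from a real host; they stand for
# what `firewall-cmd --get-active-zones` / `--list-sources` would report.
ZONE_SOURCES="trusted 10.0.0.0/8
internal 192.168.10.0/24"
ZONE_INTERFACES="public ens33
work ens34"
DEFAULT_ZONE=public

# ip2int A.B.C.D -> 32-bit integer
ip2int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP CIDR -> exit status 0 when IP lies inside CIDR (IPv4 only)
in_cidr() {
    net=${2%/*}
    bits=${2#*/}
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# resolve_zone SRC_IP IFACE -> prints the zone whose rules firewalld would apply,
# in the article's order: source binding, then interface binding, then default zone.
resolve_zone() {
    while read -r zone cidr; do
        in_cidr "$1" "$cidr" && { echo "$zone"; return 0; }
    done <<EOF
$ZONE_SOURCES
EOF
    while read -r zone iface; do
        [ "$iface" = "$2" ] && { echo "$zone"; return 0; }
    done <<EOF
$ZONE_INTERFACES
EOF
    echo "$DEFAULT_ZONE"
}

# Demo: a packet from 192.168.10.7 arriving on ens33 is handled by 'internal'
# even though ens33 itself is bound to 'public', because source bindings win.
resolve_zone 192.168.10.7 ens33
```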

Firewalld gives priority to the configuration in /etc/firewalld/ and falls back to /usr/lib/firewalld/ when no configuration file exists there.

/etc/firewalld/: user-defined configuration files. If necessary, copy the defaults here from /usr/lib/firewalld/.
/usr/lib/firewalld/: default configuration files. Modifying them is not recommended. To restore the default configuration, delete the corresponding files in /etc/firewalld/.

Firewall-config graphical tool

Enter the "firewall-config" command to open the graphical tool.

After finishing the configuration, the firewall must be reloaded for it to take effect. Before reloading, be sure to switch the configuration view from Runtime to Permanent, otherwise the runtime rules you have just configured are dropped. If you configured in permanent mode, simply reload.

Firewall rules can be configured per network card or interface, and access can also be restricted by service, port, protocol, and so on. The graphical tool is simple and convenient, so it is not covered further here.

Firewall-cmd command line tool

(1) Start, stop, and view the firewalld service

When CentOS 7 is installed, firewalld and the graphical tool firewall-config are installed automatically. Execute the following commands to start firewalld and enable it at boot.

[root@localhost ~]# systemctl start firewalld     // start firewalld
[root@localhost ~]# systemctl enable firewalld    // set firewalld to start at boot

If firewalld is running, you can view its status with systemctl status firewalld or with firewall-cmd --state.

[root@localhost ~]# systemctl status firewalld    // view status
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since 2019-10-14 10:04:49 CST; 5h 59min ago
     Docs: man:firewalld(1)
 Main PID: 633 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─633 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
Oct 14 10:04:45 localhost.localdomain systemd[1]: Starting firewalld - dynamic fi....
Oct 14 10:04:49 localhost.localdomain systemd[1]: Started firewalld - dynamic fir....
Oct 14 10:04:49 localhost.localdomain firewalld: WARNING: ICMP type 'beyond-...
Oct 14 10:04:49 localhost.localdomain firewalld: WARNING: beyond-scope: INVA....
Oct 14 10:04:49 localhost.localdomain firewalld: WARNING: ICMP type 'failed-...
Oct 14 10:04:49 localhost.localdomain firewalld: WARNING: failed-policy: INV....
Oct 14 10:04:49 localhost.localdomain firewalld: WARNING: ICMP type 'reject-...
Oct 14 10:04:49 localhost.localdomain firewalld: WARNING: reject-route: INVA....
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# firewall-cmd --state    // view status
running
[root@localhost ~]#

To disable firewalld, execute the following commands.

[root@localhost ~]# systemctl stop firewalld       // stop firewalld
[root@localhost ~]# systemctl disable firewalld    // do not start firewalld at boot

(2) Obtain predefined information

There are three main kinds of predefined information in firewall-cmd: available zones, available services, and available ICMP block types, shown by the following commands.

[root@localhost ~]# firewall-cmd --get-zones    // display the predefined zones
block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --get-services    // display the predefined services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp open*** ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --get-icmptypes    // display the predefined ICMP types
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
[root@localhost ~]#

The meanings of the commonly used block types in the output of firewall-cmd --get-icmptypes are as follows:

destination-unreachable: destination address unreachable
echo-reply: echo reply (pong)
parameter-problem: parameter problem
redirect: redirect
router-advertisement: router advertisement
router-solicitation: router solicitation
source-quench: source quench
time-exceeded: time exceeded
timestamp-reply: timestamp reply
timestamp-request: timestamp request

(3) Zone management

With the firewall-cmd command you can get and manage zones, bind network interfaces to a specified zone, and so on.

Option description:

--get-default-zone: display the default zone for network connections or interfaces
--set-default-zone=<zone>: set the default zone for network connections or interfaces
--get-active-zones: display all active zones
--get-zone-of-interface=<interface>: display the zone the specified interface is bound to
--zone=<zone> --add-interface=<interface>: bind the specified interface to the zone
--zone=<zone> --change-interface=<interface>: change the zone the specified interface is bound to
--zone=<zone> --remove-interface=<interface>: remove the interface binding from the zone
--list-all-zones: display all zones and their rules
[--zone=<zone>] --list-all: display all rules of the specified zone

Omitting --zone= means the default zone is operated on.

The specific operations are as follows.

Display the default zone of the current system:

[root@localhost ~]# firewall-cmd --get-default-zone
public

Display all rules of the default zone:

[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

Display the zone of the network interface ens33:

[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
public

Change the zone of the network interface ens33 to internal and check it:

[root@localhost ~]# firewall-cmd --zone=internal --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal
[root@localhost ~]# firewall-cmd --zone=internal --list-interfaces
ens33

Display all active zones:

[root@localhost ~]# firewall-cmd --get-active-zones
internal
  interfaces: ens33
[root@localhost ~]#

(4) Service management

For convenience, firewalld predefines a number of services, stored in the /usr/lib/firewalld/services/ directory; each service is described by a single XML configuration file. The files are named service-name.xml, and each corresponds to one network service, such as ssh.xml for the ssh service.
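What such a service file looks like and which ports --add-service=<name> opens from it, as an added shell example that is not part of the original article. The "webapp" service, its ports and the temporary directory are constructed; on a real host the file would be placed in /etc/firewalld/services/ and firewall-cmd --reload run so that the name becomes known:

```shell
#!/bin/sh
# Added example: a custom service definition in firewalld's XML service format.
# The "webapp" service and its ports are constructed for this example.
SAMPLE_SERVICE_XML='<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>WebApp</short>
  <description>Constructed example service, not shipped with firewalld.</description>
  <port protocol="tcp" port="8080"/>
  <port protocol="tcp" port="8443"/>
  <port protocol="udp" port="9000"/>
</service>'

# service_ports XML -> one "PORT/PROTOCOL" line per <port> element, i.e. exactly
# what `--add-service=<name>` opens; handy when auditing an unfamiliar service file.
service_ports() {
    printf '%s\n' "$1" |
        sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p'
}

# install_service DIR NAME XML -> writes DIR/NAME.xml (the service-name.xml layout
# the article describes) and prints the path. On a real host DIR would be
# /etc/firewalld/services, followed by `firewall-cmd --reload`.
install_service() {
    mkdir -p "$1"
    printf '%s\n' "$3" > "$1/$2.xml"
    echo "$1/$2.xml"
}

# Demo against a temporary directory, so it is safe to run anywhere.
demo_dir=$(mktemp -d)
path=$(install_service "$demo_dir" webapp "$SAMPLE_SERVICE_XML")
echo "wrote $path; ports opened by --add-service=webapp:"
service_ports "$(cat "$path")"
rm -rf "$demo_dir"
```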

Option description:

[--zone=<zone>] --list-services: display all services allowed in the specified zone
[--zone=<zone>] --add-service=<service>: allow access to a service in the specified zone
[--zone=<zone>] --remove-service=<service>: remove a service that was allowed in the specified zone
[--zone=<zone>] --list-ports: display all port numbers allowed in the specified zone
[--zone=<zone>] --add-port=<port>[-<port>]/<protocol>: allow a port or port range (with protocol name) in the specified zone
[--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>: remove a port or port range (with protocol name) allowed in the specified zone
[--zone=<zone>] --list-icmp-blocks: display all ICMP types denied in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype>: deny an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype>: remove a denied ICMP type from the specified zone

Omitting --zone= means the default zone is operated on.

The specific operations are as follows.

Set the services allowed in the default zone:

[root@localhost ~]# firewall-cmd --list-services    // display all services allowed in the default zone
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --add-service=http    // allow access to the http service in the default zone
success
[root@localhost ~]# firewall-cmd --add-service=https    // allow access to the https service in the default zone
success
[root@localhost ~]# firewall-cmd --list-services    // display all services allowed in the default zone
ssh dhcpv6-client http https

Set the services allowed in the internal zone:

[root@localhost ~]# firewall-cmd --zone=internal --add-service=mysql    // allow access to the mysql service in the internal zone
success
[root@localhost ~]# firewall-cmd --zone=internal --remove-service=samba-client    // disallow access to the samba-client service in the internal zone
success
[root@localhost ~]# firewall-cmd --zone=internal --list-services    // display all services allowed in the internal zone
ssh mdns dhcpv6-client mysql
[root@localhost ~]#

(5) Port management

When configuring a predefined network service, it can be referred to by its service name and the ports it uses are opened automatically. For a service that is not predefined, the ports have to be added manually to the specified zone. For example, port 443/TCP can be opened in the internal zone as follows.

[root@localhost ~]# firewall-cmd --zone=internal --add-port=443/tcp
success

To disable access to port 443/TCP in the internal zone, execute the following command.

[root@localhost ~]# firewall-cmd --zone=internal --remove-port=443/tcp
success

(6) Two configuration modes

As mentioned earlier, the firewall-cmd tool has two configuration modes. Runtime mode refers to the firewall configuration currently running in memory, which is lost when the system or the firewalld service is restarted or stopped. Permanent mode means the rules are stored permanently in the configuration files and are applied when the firewall is restarted or reloaded.

The firewall-cmd command tool has three options related to configuration mode:

--reload: reload the firewall rules and keep state information, that is, apply the permanent configuration to the runtime configuration.
--permanent: a command with this option sets persistent rules, which take effect only when firewalld is restarted or the firewall rules are reloaded; without it the command sets runtime rules.
--runtime-to-permanent: write the current runtime configuration to the rule configuration files, making it permanent.

Firewall-cmd command summary:

--get-default-zone: display the default zone for network connections or interfaces
--set-default-zone=<zone>: set the default zone for network connections or interfaces
--get-active-zones: display all active zones
--get-zone-of-interface=<interface>: display the zone the specified interface is bound to
--zone=<zone> --add-interface=<interface>: bind the specified interface to the zone
--zone=<zone> --change-interface=<interface>: change the zone the specified interface is bound to
--zone=<zone> --remove-interface=<interface>: remove the interface binding from the zone
--query-interface=<interface>: query whether the zone contains the interface
--list-all-zones: display all zones and their rules
[--zone=<zone>] --list-all: display all rules of the specified zone
[--zone=<zone>] --list-services: display all services allowed in the specified zone
[--zone=<zone>] --add-service=<service>: allow access to a service in the specified zone
[--zone=<zone>] --remove-service=<service>: remove a service that was allowed in the specified zone
[--zone=<zone>] --query-service=<service>: query whether a service is enabled in the specified zone
[--zone=<zone>] --list-ports: display all port numbers allowed in the specified zone
[--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]: allow a port and protocol combination in the zone, optionally with a timeout
[--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>: disallow a port and protocol combination in the zone
[--zone=<zone>] --query-port=<port>[-<port>]/<protocol>: query whether the zone allows the port and protocol combination
[--zone=<zone>] --list-icmp-blocks: display all ICMP types blocked in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype>: block an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype>: remove a blocked ICMP type from the specified zone
[--zone=<zone>] --query-icmp-block=<icmptype>: query whether the ICMP type is blocked in the specified zone
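The practical consequence of the two modes (runtime rules vanish at --reload, permanent rules are inactive until then), as an added shell example that is not part of the original article: it compares the runtime and permanent service lists of a zone and reports the drift. The sample lists are constructed; the live check assumes a host where firewall-cmd is installed and running:

```shell
#!/bin/sh
# Added example: detect drift between firewalld runtime and permanent configuration.
# Services added without --permanent (as in the article's --add-service=http steps)
# are lost at --reload or restart; services added only with --permanent are not active yet.

# only_in_first "LIST_A" "LIST_B" -> items of A (space-separated) that are absent from B
only_in_first() {
    out=""
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) out="$out${out:+ }$item" ;;
        esac
    done
    echo "$out"
}

# service_drift RUNTIME PERMANENT -> two report lines
service_drift() {
    echo "lost-on-reload: $(only_in_first "$1" "$2")"
    echo "added-on-reload: $(only_in_first "$2" "$1")"
}

# check_zone_drift [ZONE] -> run the comparison against the live host; defaults to
# the default zone, exactly as firewall-cmd does when --zone= is omitted.
check_zone_drift() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    service_drift "$(firewall-cmd --zone="$zone" --list-services)" \
                  "$(firewall-cmd --permanent --zone="$zone" --list-services)"
}

# Constructed sample: http/https were added at runtime only, mysql only permanently.
SAMPLE_RUNTIME="ssh dhcpv6-client http https"
SAMPLE_PERMANENT="ssh dhcpv6-client mysql"
service_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"

# Live check only where firewalld is actually running. Anything reported as
# lost-on-reload should be saved with `firewall-cmd --runtime-to-permanent` first.
if firewall-cmd --state >/dev/null 2>&1; then
    check_zone_drift
fi
```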
