2025-03-26 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/02 Report
I. Fundamentals of the Linux firewall
The Linux firewall works mainly at the network layer, filtering and restricting TCP/IP packets in real time; it is a typical packet-filtering (network-layer) firewall. Several firewall front ends coexist on top of the kernel: firewalld, iptables and ebtables. By default, firewalld is used to manage the netfilter subsystem.
Netfilter: the packet-filtering framework built into the Linux kernel. It does not exist as a program or a file; it is the "kernel-space" part of the firewall.
Firewalld: the command-line program used to manage the Linux firewall; it is the "user-space" firewall management system.
1. Overview of firewalld
Firewalld supplies the matching rules (policies) for the packet-filtering mechanism. Through these rules, netfilter is told how to handle packets from a given source to a given destination, or packets with particular protocol characteristics. To make firewalls easier to organise and manage, firewalld is a dynamic firewall management tool that uses network zones to define the trust level of network connections and interfaces. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges, and has two configuration modes:
Running configuration
Permanent configuration
It also provides an interface through which services or applications can add firewall rules directly.
2. Firewalld network zones
Firewalld divides all network traffic into zones, which simplifies firewall management. Based on criteria such as a packet's source IP address or the network interface it arrives on, the traffic is handed to the firewall rules of the corresponding zone.
For a packet entering the system, its source address is checked first:
If the source address is bound to a specific zone, the rules of that zone are applied.
If the source address is not bound to a zone, the zone of the incoming network interface is used and its rules are applied.
If the network interface is not bound to a zone either, the default zone is used and its rules are applied.
The default zone is not a separate zone; it points to one of the other zones defined on the system. The default zone is public unless you change it. The matching rules above are evaluated in order, and the first match wins. Each zone can be configured with a set of services or ports to open or close, and each of firewalld's predefined zones comes with a default set of open services.
3. Firewalld predefined zones
trusted: all network connections are accepted.
public: incoming traffic is rejected unless it is related to outgoing traffic or matches the ssh or dhcpv6-client predefined services.
work: for use on work networks; incoming traffic is rejected unless it is related to outgoing traffic or matches the ssh, ipp-client or dhcpv6-client predefined services.
home: for use on home networks; incoming traffic is rejected unless it is related to outgoing traffic or matches the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services.
internal: for use on internal networks; incoming traffic is rejected unless it is related to outgoing traffic or matches the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services.
external: incoming traffic is rejected unless it is related to outgoing traffic or matches the ssh predefined service.
dmz (demilitarized zone): incoming traffic is rejected unless it is related to outgoing traffic or matches the ssh predefined service.
block: all incoming traffic is rejected unless it is related to outgoing traffic.
drop: all incoming traffic is discarded unless it is related to outgoing traffic, and no response is sent, not even an ICMP error.
II. Configuring the firewalld firewall
On CentOS 7 systems, firewalld can be configured in three ways:
the firewall-config graphical tool
the firewall-cmd command-line tool
the configuration files under /etc/firewalld/
Editing the configuration files directly is generally not recommended.
1. Basic firewall-cmd commands
[root@centos01 ~]# systemctl start firewalld
[root@centos01 ~]# systemctl enable firewalld
[root@centos01 ~]# systemctl status firewalld
[root@localhost ~]# firewall-cmd --state
running
[root@centos01 ~]# systemctl stop firewalld
[root@centos01 ~]# systemctl disable firewalld
[root@centos01 ~]# firewall-cmd --get-zones
[root@centos01 ~]# firewall-cmd --get-services
[root@centos01 ~]# firewall-cmd --get-default-zone
[root@localhost /]# firewall-cmd --reload
[root@centos01 ~]# firewall-cmd --get-active-zones
[root@centos01 ~]# firewall-cmd --get-icmptypes
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option
Some of the ICMP types listed by firewall-cmd --get-icmptypes have the following meanings:
destination-unreachable: destination unreachable
echo-reply: echo reply
parameter-problem: parameter problem
redirect: redirect
router-advertisement: router advertisement
router-solicitation: router solicitation
source-quench: source quench
time-exceeded: time exceeded
timestamp-reply: timestamp reply
timestamp-request: timestamp request
2. Firewalld zone management options
--get-default-zone: display the default zone for network connections and interfaces
--set-default-zone=<zone>: set the default zone for network connections and interfaces
--get-active-zones: display all active zones
--get-zone-of-interface=<interface>: display the zone the specified interface is bound to
--zone=<zone> --add-interface=<interface>: bind the specified interface to the zone
--zone=<zone> --change-interface=<interface>: change the zone the specified interface is bound to
--zone=<zone> --remove-interface=<interface>: remove the interface binding from the zone
--list-all-zones: display all zones and their rules
[--zone=<zone>] --list-all: display all rules of the specified zone; omitting --zone= operates on the default zone
Examples of zone management:
[root@centos01 ~]# firewall-cmd --get-default-zone
[root@centos01 ~]# firewall-cmd --list-all
[root@centos01 ~]# firewall-cmd --get-zone-of-interface=ens32
internal
[root@centos01 ~]# firewall-cmd --zone=internal --change-interface=ens32
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@centos01 ~]# firewall-cmd --zone=internal --list-interfaces
ens32
[root@centos01 ~]# firewall-cmd --get-active-zones
internal
  interfaces: ens32
3. Firewalld service management
For ease of management, firewalld predefines a number of services. They are stored in the /usr/lib/firewalld/services/ directory, and each service is described by a single XML configuration file named service-name.xml, one file per network service (for example, the ssh service). Service files that you add or modify are placed in /etc/firewalld/services/. Configuring by service has the following advantages:
Managing rules by service name is more intuitive.
Grouping ports by service is more efficient: if a service uses several network ports, its definition file acts as a bulk shortcut for managing the rules of all those ports.
1) Common service-management options for firewall-cmd:
[--zone=<zone>] --list-services: display all services allowed in the specified zone
[--zone=<zone>] --add-service=<service>: allow access to a service in the specified zone
[--zone=<zone>] --remove-service=<service>: remove a service that was allowed in the specified zone
[--zone=<zone>] --list-ports: display all ports allowed in the specified zone
[--zone=<zone>] --add-port=<port>[-<port>]/<protocol>: allow access to a port (with its protocol) in the specified zone
[--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>: remove a port (with its protocol) that was allowed in the specified zone
[--zone=<zone>] --list-icmp-blocks: display all ICMP types blocked in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype>: block an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype>: remove an ICMP type block from the specified zone
Omitting --zone= operates on the default zone.
2) Example of service management (services allowed in the default zone):
[root@centos01 ~]# firewall-cmd --list-services
dhcpv6-client ssh
[root@centos01 ~]# firewall-cmd --add-service=http
success
[root@centos01 ~]# firewall-cmd --add-service=https
success
[root@centos01 ~]# firewall-cmd --list-services
dhcpv6-client ssh https http
3) Example of service management (services allowed in the internal zone):
[root@centos01 ~]# firewall-cmd --zone=internal --add-service=mysql
success
[root@centos01 ~]# firewall-cmd --zone=internal --remove-service=samba-client
success
[root@centos01 ~]# firewall-cmd --zone=internal --list-services
ssh mdns dhcpv6-client mysql
4. Port management
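An alternative to adding a non-predefined service's ports by hand in every zone is to give it its own definition file in the service-file format described above. As an added example that is not from the original article, the POSIX shell functions below generate such a file for a hypothetical service named app-api on ports 8443/tcp and 8444/tcp; the helper names make_service_xml and write_service_file are assumptions, and the file is written to a temporary directory rather than /etc/firewalld/services/ so the example runs without touching the system.

```shell
#!/bin/sh
# Added example (not from the original article): build a firewalld service
# definition in the XML format used by /usr/lib/firewalld/services/*.xml.
# Hypothetical service "app-api" listening on 8443/tcp and 8444/tcp.
# Usage: make_service_xml "Short name" "Description" PORT/PROTO [PORT/PROTO ...]
make_service_xml() {
    short=$1
    desc=$2
    shift 2
    printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>' '<service>'
    printf '  <short>%s</short>\n' "$short"
    printf '  <description>%s</description>\n' "$desc"
    for spec in "$@"; do
        port=${spec%/*}     # "8443", or a range such as "5000-5010"
        proto=${spec#*/}    # protocol part after the slash
        case $proto in
            tcp|udp|sctp|dccp) ;;   # the protocols a <port> element accepts
            *) echo "make_service_xml: bad port spec '$spec'" >&2; return 1 ;;
        esac
        printf '  <port protocol="%s" port="%s"/>\n' "$proto" "$port"
    done
    printf '%s\n' '</service>'
}

# Write the definition as <dir>/<name>.xml and print the path. On a real host
# <dir> would be /etc/firewalld/services; a temporary directory is used here.
write_service_file() {
    dir=$1
    name=$2
    shift 2
    make_service_xml "$@" > "$dir/$name.xml" || { rm -f "$dir/$name.xml"; return 1; }
    chmod 0644 "$dir/$name.xml"
    printf '%s\n' "$dir/$name.xml"
}

demo_dir=$(mktemp -d)
write_service_file "$demo_dir" app-api "App API" "Hypothetical HTTPS API" 8443/tcp 8444/tcp
# After copying the file into /etc/firewalld/services/, activate it with:
#   firewall-cmd --reload
#   firewall-cmd --zone=internal --add-service=app-api
```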
When configuring by service, a predefined network service can be specified by name and the ports it uses are opened automatically. For services that are not predefined, the ports must be added manually to the relevant zone. For example, to open port 443/TCP in the internal zone:
[root@centos01 ~]# firewall-cmd --zone=internal --add-port=443/tcp
success
To close port 443/TCP in the internal zone again, run:
[root@centos01 ~]# firewall-cmd --zone=internal --remove-port=443/tcp
success
All of the configuration above is temporary. To save the current runtime configuration as the permanent configuration, run:
[root@centos01 ~]# firewall-cmd --runtime-to-permanent
success
To write a rule directly to the permanent configuration, add the --permanent option:
[root@centos01 ~]# firewall-cmd --add-icmp-block=echo-request --permanent
success
[root@centos01 ~]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent
success
III. Firewalld configuration modes
As mentioned earlier, firewall-cmd has two configuration modes. Runtime mode refers to the firewall configuration currently running in memory; it is lost when the system or the firewalld service is restarted or stopped. Permanent mode refers to rules stored persistently in the configuration files; they take effect when the firewall is restarted or reloaded.
firewall-cmd has three options related to the configuration mode:
--reload: reload the firewall rules while keeping state information, i.e. apply the permanent configuration to the runtime configuration
--permanent: a command with this option sets a permanent rule, which takes effect only after the firewall is restarted or reloaded; without it, the command sets a runtime rule
--runtime-to-permanent: write the current runtime configuration to the rule configuration files, making the rules currently in memory permanent
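Because runtime and permanent rules can diverge, a useful check on a host managed with --permanent is to compare the two listings: a service or port present only at runtime will vanish at the next reload and, on a host that is supposed to change only through --permanent, means the live firewall was altered outside the normal process. As an added example that is not part of the original article, the POSIX shell functions below (the helper names zone_field and runtime_only are assumptions) report such entries from constructed --list-all output of the kind shown in the zone management section.

```shell
#!/bin/sh
# Added example (not from the original article): report services and ports that
# exist in the runtime configuration of a zone but not in its permanent
# configuration. Input is the text printed by "firewall-cmd --list-all" and
# "firewall-cmd --permanent --list-all".

# Print the value of one field ("services", "ports", ...) from a --list-all dump.
zone_field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p"
}

# Print, one per line as "field: item", every service or port that appears in
# the runtime dump but not in the permanent dump.
runtime_only() {
    runtime=$1
    permanent=$2
    for key in services ports; do
        perm_vals=" $(zone_field "$key" "$permanent") "
        for item in $(zone_field "$key" "$runtime"); do
            case $perm_vals in
                *" $item "*) ;;                       # also persisted: fine
                *) printf '%s: %s\n' "$key" "$item" ;; # runtime only: report
            esac
        done
    done
}

# Constructed sample dumps in --list-all format (not captured from a real host).
RUNTIME='public (active)
  target: default
  interfaces: ens32
  services: dhcpv6-client ssh http
  ports: 443/tcp 8080/tcp
  source-ports:'
PERMANENT='public
  target: default
  interfaces: ens32
  services: dhcpv6-client ssh
  ports: 443/tcp
  source-ports:'

runtime_only "$RUNTIME" "$PERMANENT"
# On a real host:
#   runtime_only "$(firewall-cmd --list-all)" "$(firewall-cmd --permanent --list-all)"
```

With the sample dumps the function reports http and 8080/tcp, which are exactly the entries that --runtime-to-permanent would have to save, or that --reload would silently drop.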