
Basic configuration of firewalld Firewall

2025-03-26 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

The Linux firewall works mainly at the network layer, filtering and restricting TCP/IP packets in real time; it is a typical packet-filtering firewall.

How does the Linux firewall check incoming traffic?

For a packet entering the system, the first thing checked is its source address:

1. If the source address is bound to a specific zone, the rules of that zone are applied.

2. If the source address is not bound to a zone, the zone of the incoming network interface is used and the rules of that zone are applied.

3. If the network interface is not bound to a zone, the default zone is used and the rules of that zone are applied.

The default zone is not a separate zone; it simply points to one of the other zones defined on the system. Out of the box the default zone is public, but it can be changed. The matching rules above are evaluated in order and the first match wins, much like ACL matching on network devices, where evaluation stops at the first matching rule.
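To make the matching order concrete, here is an added example (not from the original article) that models the three selection steps above in Python and then checks whether the chosen zone opens a port, either directly or through a predefined service. The zone definitions, interface names and addresses are constructed sample data, and SERVICE_PORTS is a hand-written subset of the service-to-port mapping that firewalld keeps in its service definition files.

```python
import ipaddress
from dataclasses import dataclass, field

# Hand-written subset of firewalld's predefined service -> port mapping
SERVICE_PORTS = {"ssh": {"22/tcp"}, "http": {"80/tcp"}, "https": {"443/tcp"},
                 "mysql": {"3306/tcp"}, "dhcpv6-client": {"546/udp"}}

@dataclass
class Zone:
    """One zone, holding the fields that firewall-cmd --list-all prints."""
    name: str
    sources: list = field(default_factory=list)     # CIDRs bound with --add-source
    interfaces: list = field(default_factory=list)  # NICs bound with --change-interface
    services: set = field(default_factory=set)      # names added with --add-service
    ports: set = field(default_factory=set)         # "443/tcp" entries added with --add-port

# Constructed sample configuration (not the state of any real host)
ZONES = {
    "public":   Zone("public", services={"ssh", "dhcpv6-client"}),
    "internal": Zone("internal", interfaces=["ens33"],
                     services={"ssh", "mysql"}, ports={"443/tcp"}),
    "dmz":      Zone("dmz", sources=["192.0.2.0/24"], services={"ssh"}),
    "drop":     Zone("drop", sources=["203.0.113.0/24"]),  # nothing allowed
}
DEFAULT_ZONE = "public"

def zone_for_packet(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Pick the zone whose rules apply; the first matching step wins."""
    addr = ipaddress.ip_address(src_ip)
    # Step 1: a zone that has the packet's source address bound to it
    for z in zones.values():
        if any(addr in ipaddress.ip_network(cidr) for cidr in z.sources):
            return z.name
    # Step 2: the zone the incoming interface is bound to
    for z in zones.values():
        if iface in z.interfaces:
            return z.name
    # Step 3: the default zone, which is just a pointer to another zone
    return default

def is_allowed(src_ip, iface, port, zones=ZONES, default=DEFAULT_ZONE):
    """True if the selected zone opens the port directly or via a service."""
    z = zones[zone_for_packet(src_ip, iface, zones, default)]
    opened = set(z.ports)
    for svc in z.services:
        opened |= SERVICE_PORTS.get(svc, set())
    return port in opened
```

Note that a source binding beats the interface binding: a packet from 192.0.2.10 arriving on ens33 lands in dmz, not internal, so mysql is refused even though ens33 is an internal interface.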

firewalld ships with a set of predefined zones (block, dmz, drop, external, home, internal, public, trusted, work), which can be listed with firewall-cmd --get-zones.

firewalld has two configuration modes:

1. Runtime mode: the configuration currently active in memory; it is lost when the system or the firewalld service is restarted or stopped.

2. Permanent mode: the configuration stored in the configuration files; it is what gets loaded when the firewall is restarted or reloaded.

The firewall-cmd tool has three options related to the configuration mode:

--reload: reloads the firewall rules while keeping state information, that is, the permanent configuration is applied to the runtime configuration.

--permanent: a command with this option sets a permanent rule, which only takes effect after the firewall is restarted or reloaded; without it, the command sets a runtime rule.

--runtime-to-permanent: writes the current runtime configuration to the rule configuration files, so that the rules currently in memory become the permanent configuration.

1. Basic firewall-related commands:

[root@localhost ~]# systemctl start firewalld          # start the firewall
[root@localhost ~]# systemctl enable firewalld         # start the firewall at boot
[root@localhost /]# firewall-cmd --reload              # reload the firewall
[root@localhost ~]# systemctl status firewalld         # view the firewall status
[root@localhost ~]# systemctl stop firewalld           # stop the firewall
[root@localhost ~]# systemctl disable firewalld        # do not start the firewall at boot
[root@localhost ~]# firewall-cmd --get-zones           # display the predefined zones
block dmz drop external home internal public trusted work
[root@localhost ~]# firewall-cmd --get-services        # display the predefined services
[root@localhost /]# firewall-cmd --list-all --zone=dmz # view the configuration of a specified zone
dmz
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
[root@localhost ~]# firewall-cmd --get-icmptypes       # show the predefined ICMP types
address-unreachable bad-header communication-prohibited destination-unreachable echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option

The meaning of some of the ICMP types printed by firewall-cmd --get-icmptypes is as follows:

destination-unreachable: destination address unreachable
echo-reply: echo reply
parameter-problem: parameter problem
redirect: redirect
router-advertisement: router advertisement
router-solicitation: router solicitation
source-quench: source quench (sender suppression)
time-exceeded: time exceeded
timestamp-reply: timestamp reply
timestamp-request: timestamp request

2. firewalld zone management commands and examples:

[root@localhost /]# firewall-cmd --set-default-zone=dmz        # set the default zone to dmz
[root@localhost ~]# firewall-cmd --get-default-zone            # display the current default zone
[root@localhost ~]# firewall-cmd --list-all                    # show all rules of the default zone
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33 # display the zone of the network interface ens33
[root@localhost ~]# firewall-cmd --get-active-zones            # show all active zones
internal
  interfaces: ens33

Do the following to change the zone of the network interface ens33 to internal, then verify it:

[root@localhost ~]# firewall-cmd --zone=internal --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@localhost ~]# firewall-cmd --zone=internal --list-interfaces   # list the interfaces in the internal zone
ens33
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33       # ens33 now belongs to the internal zone
internal

3. Firewall service management commands and examples:

Examples of service management:

Set the services that may be accessed in the default zone:

[root@localhost services]# firewall-cmd --list-services      # show all services allowed in the default zone
ssh dhcpv6-client
[root@localhost services]# firewall-cmd --add-service=http   # allow the http service in the default zone
success
[root@localhost services]# firewall-cmd --add-service=https  # allow the https service in the default zone
success
[root@localhost services]# firewall-cmd --list-services      # show all services allowed in the default zone
ssh dhcpv6-client http https

Set the services that may be accessed in the internal zone:

[root@localhost services]# firewall-cmd --zone=internal --add-service=mysql           # allow the mysql service in the internal zone
success
[root@localhost services]# firewall-cmd --zone=internal --remove-service=samba-client # disallow the samba-client service in the internal zone
success
[root@localhost services]# firewall-cmd --zone=internal --list-services               # show all services allowed in the internal zone
ssh mdns dhcpv6-client mysql

Port management:

When a predefined network service is configured by its service name, the ports that service uses are opened automatically. For services that are not predefined, the ports must be added manually to the relevant zone. Examples:

[root@localhost services]# firewall-cmd --zone=internal --add-port=443/tcp    # open port 443/tcp in the internal zone
success
[root@localhost services]# firewall-cmd --zone=internal --remove-port=443/tcp # close port 443/tcp in the internal zone
success

All of the configurations above are runtime (temporary). To save the current runtime configuration as the permanent configuration, use the following command:

[root@localhost services]# firewall-cmd --runtime-to-permanent
success

To configure a permanent rule directly, add the --permanent option, as follows:

[root@localhost /]# firewall-cmd --add-icmp-block=echo-request --permanent                 # block ping in the default zone
success
[root@localhost /]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent # block ping in the external zone
success
