2025-04-04 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
The firewall is the first barrier for your computer to prevent network intrusion. To ensure your safety, please download our cheat sheet.
A sensible firewall is your computer's first barrier against network intrusion. When you are on the Internet at home, your Internet service provider usually builds a firewall into the router. When you leave home, the firewall on your computer is the only one you have, so it's important to configure and control the firewall on your Linux computer. If you maintain a Linux server, it is just as important to know how to manage your firewall. Only with this knowledge can you protect your server from unwanted local or remote traffic.
Install a firewall
Many Linux distributions already have their own firewalls, usually iptables. It's powerful and customizable, but it's a little complicated to configure. Fortunately, some developers have written some front-end programs to help users control the firewall without having to write lengthy iptables rules.
On Fedora, CentOS, Red Hat, and similar distributions, the firewall software installed by default is firewalld, which is configured and controlled with the firewall-cmd command. On Debian and most other distributions, you can install firewalld from your software repository. Ubuntu ships with the Uncomplicated Firewall (ufw), so to use firewalld there, you must enable the universe software repository:
$ sudo add-apt-repository universe
$ sudo apt install firewalld
You also need to deactivate ufw:
$ sudo systemctl disable ufw
There is no reason not to use ufw. It is a powerful firewall front end. However, this article focuses on firewalld because most distributions support it and it integrates into systemd, which ships with almost all distributions.
No matter what your distribution is, you have to activate the firewall for it to take effect, and you need to load it at startup:
$ sudo systemctl enable --now firewalld
Understand firewall zones
Firewalld aims to make firewall configuration as simple as possible. It does this by establishing zones. A zone is a set of reasonable, general rules that suit the daily needs of most users. There are nine zones by default.
Trusted: accept all connections. This is the least paranoid firewall setting and should only be used in a fully trusted environment, such as a test lab or a home network where everyone knows each other.
Home, work, internal: most incoming connections are accepted in these three zones. They each exclude traffic coming in on ports that are expected to be inactive. All three are suitable for use in the home environment, where there is no network traffic with uncertain ports, and you can generally trust other users in the home network.
Public: used in public areas. This is a paranoid setting to use when you don't trust other computers on the network. Only selected common and most secure incoming connections are accepted.
Dmz: DMZ stands for demilitarized zone. This zone is mostly used for computers that are publicly accessible, located on the external network of the organization, and have limited access to the internal network. It's not useful for personal computers, but it's an important option for certain kinds of servers.
External: for external networks, with masquerading turned on (the address of your private network is mapped to a public IP address and hidden behind it). Similar to DMZ, only selected incoming connections are accepted, including SSH.
Block: only network connections initiated from this system are possible. Any incoming network connection is rejected with an icmp-host-prohibited message. This extremely paranoid setting is important for certain kinds of servers or for personal computers in an untrusted or insecure environment.
Drop: all incoming network packets are discarded without any reply. Only outgoing network connections are possible. The only setting more extreme than this is to turn off the WiFi and unplug the network cable.
You can read about every zone provided by your distribution or your administrator in the configuration files under /usr/lib/firewalld/zones. For example, here is the FedoraWorkstation zone that comes with Fedora 31:
$ cat /usr/lib/firewalld/zones/FedoraWorkstation.xml
FedoraWorkstation
Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.
Get the current zone
At any time, you can use the --get-active-zones option to see which zone you are in:
$ sudo firewall-cmd --get-active-zones
The output shows the name of each currently active zone and the network interfaces assigned to it. On a laptop, this usually means your WiFi card is in the default zone:
FedoraWorkstation
  interfaces: wlp61s0
Change your current zone
To change your zone, reassign the network interface to a different zone. For example, to move the wlp61s0 card from the example to the public zone:
$ sudo firewall-cmd --change-interface=wlp61s0 --zone=public
You can change the active zone of an interface at any time and for any reason: you're going to a cafe, you feel the need to tighten the security policy on your laptop, you need to go to work, you need to open some ports to get onto the intranet, or anything else. Until you know the firewall-cmd options by heart, you can get by as long as you remember the keywords change and zone, because pressing Tab completes the options automatically.
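As a check on the zone assignments described above, the following added example (not part of the original article) parses --get-active-zones output and labels each interface by how permissive its zone is according to the zone descriptions in this article. The function names, the PERMISSIVE/SELECTIVE/CLOSED/CUSTOM labels, and every interface in the sample except wlp61s0 are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Labels are this example's own;
# the zone groupings follow the zone descriptions above.
zone_risk() {
    case "$1" in
        trusted|home|work|internal) echo PERMISSIVE ;; # all or most incoming accepted
        public|dmz|external)        echo SELECTIVE ;;  # only selected incoming accepted
        block|drop)                 echo CLOSED ;;     # incoming rejected or dropped
        *)                          echo CUSTOM ;;     # e.g. FedoraWorkstation: read its XML
    esac
}

# Reads `firewall-cmd --get-active-zones` output on stdin and prints one
# "interface zone risk" line per assigned interface.
audit_active_zones() {
    zone=""
    while IFS= read -r line; do
        case "$line" in
            "") ;;
            *interfaces:*)
                for iface in ${line#*interfaces:}; do
                    printf '%s %s %s\n' "$iface" "$zone" "$(zone_risk "$zone")"
                done ;;
            [[:space:]]*) ;;        # other indented lines, such as sources:
            *) zone=${line%% *} ;;  # zone name is the first word of an unindented line
        esac
    done
}

# Constructed sample output; only wlp61s0 comes from the article.
sample_active_zones() {
    cat <<'EOF'
FedoraWorkstation
  interfaces: wlp61s0
home
  interfaces: enp0s31f6 virbr0
drop
  sources: 192.0.2.0/24
EOF
}

sample_active_zones | audit_active_zones
```

On a live system, replace the sample with the real output: sudo firewall-cmd --get-active-zones | audit_active_zones. Any interface reported as PERMISSIVE on a network you do not control is a candidate for --change-interface to a stricter zone.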
More information
You can do more with your firewall, such as customizing existing zones, setting the default zone, and so on. The more you know about firewalls, the more secure your online activities will be, so we created a cheat sheet for quick reference.
Download your firewall cheat sheet. (registration required)
The original text is from: https://www.linuxprobe.com/linux-firewall-pc.html