2025-03-26 Update From: SLTechnology News&Howtos > Development
Shulou(Shulou.com)06/01 Report--
This article walks through how to use the FirewallD firewall: how it is installed, what its default zones mean, and the commands used to manage it day to day. The steps are practical and should serve as a useful reference for anyone who wants to learn how FirewallD works.
In RHEL 7, firewalld replaced iptables as the default firewall management tool (on RHEL 7 it still programs iptables underneath; from RHEL 8 its default backend is nftables). Compared with maintaining iptables rules by hand, firewalld lets the administrator choose a ready-made policy set, called a zone, per interface or per source network, so switching between firewall policies for a given production scenario is quick and does not require rewriting rule chains.
1. Installation
On Debian 10, run:
apt-get install firewall-applet firewall-config firewalld
This installs the FirewallD packages directly, where:
firewall-applet is the FirewallD system-tray applet;
firewall-config is the graphical configuration tool for FirewallD;
firewalld is the main package of the FirewallD firewall, containing the daemon and the command-line configuration tools firewall-cmd and firewall-offline-cmd.
On Red Hat Enterprise Linux 8 the firewall component is installed by default. If it is missing after a customised installation, the daemon and the graphical tool can be installed with:
yum install firewalld firewall-config
The author compared the installation on both systems and found that, apart from the slight difference in the installation commands, the packages are identical from the configuration files to the systemd service definition. The rest of this article therefore does not distinguish between the two operating systems.
2. Default zones of the firewall
block
Any incoming connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6. Only network connections initiated from this system are possible.
dmz
For computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network. Only selected incoming connections are accepted.
drop
Any incoming packet is dropped without any reply. Only outgoing network connections are possible; the return traffic of connections initiated from this system is still let through.
external
For use on external networks with masquerading enabled, especially on routers; you do not trust the other computers on the network. Only selected incoming connections are accepted.
home
For use at home, where the other computers on the network are mostly trusted. Only selected incoming connections are accepted; by default the connections of the ssh, mdns, ipp-client, samba-client and dhcpv6-client services are allowed.
internal
For use on internal networks; apart from its description it is the same as the home zone and allows the same services by default.
public
For use in public areas; this is also the default zone of a fresh firewalld installation. You do not trust the other computers on the network, and only selected incoming connections are accepted; by default only the ssh and dhcpv6-client services are allowed.
trusted
All network connections are accepted. Assigning an interface or source to this zone is equivalent to turning the firewall off for it.
work
For use at work, where the other computers on the network are mostly trusted. Only selected incoming connections are accepted; by default the ssh, ipp-client and dhcpv6-client services are allowed.
The zone names speak for themselves, so users can quickly pick a suitable zone, which simplifies configuration and avoids many mistakes. Users can also tailor a zone to their own needs or to the result of a security assessment so that it matches their security management standards. Although some zones carry identical rules, they are given distinct names so that users can tell the intended usage scenarios apart, which makes the zones easier to understand and to distinguish.
3. Daily management of the firewall
3.1. Check the current status of the firewall
Query the status:
firewall-cmd --state
More detail on the firewalld system service is available from:
systemctl status firewalld
Before configuring new firewall rules, you need to know how to view the current configuration. This can be done either through the graphical interface or with commands in a terminal.
In the graphical interface, click the firewall-config application icon or run the firewall-config command in a terminal window. If the current user is not root, an administrator authentication dialog pops up; after the administrator password is entered correctly the firewall configuration window opens and the user can work through the functions the window provides.
Users can also configure the firewall from the command line with the firewall-cmd tool. Although the command-line tool takes some time to learn, it can configure every aspect of the firewall from a terminal, so it is worth studying and mastering carefully.
3.2. Basic firewall commands
FirewallD manages traffic by zone. When a user runs the firewall-cmd --list-all command without specifying a zone with --zone, the output is the current configuration of the default zone.
The default zone is defined by the DefaultZone field in the configuration file /etc/firewalld/firewalld.conf. In the initial state the default zone is public.
Users can use the command:
firewall-cmd --get-zones
to list the zone names known to the firewall, and the command:
firewall-cmd --get-default-zone
to show the current default zone. The default zone can be changed with:
firewall-cmd --set-default-zone=<zonename>
which updates both the runtime and the permanent configuration, or by editing the DefaultZone field in the configuration file directly, in which case the change takes effect after firewalld is reloaded.
Start the firewall:
systemctl unmask firewalld
systemctl start firewalld
Start the firewall automatically at boot:
systemctl enable firewalld
Stop the firewall:
systemctl stop firewalld
Disable starting at boot:
systemctl disable firewalld
Other services that depend on firewalld can still activate it through its D-Bus interface even when it is disabled. To prevent that activation and shut firewalld down completely, mask the unit:
systemctl mask firewalld
According to the Red Hat documentation, the configuration firewalld is currently running with is called the runtime configuration, and the configuration saved on disk and loaded when the service starts is called the permanent configuration. Changes made to the runtime configuration take effect immediately, but they are lost when firewalld is reloaded or restarted, because the permanent configuration is then loaded again from the saved files.
Users can use the command:
firewall-cmd --runtime-to-permanent
to save the current runtime configuration as the permanent configuration in one step, or prefix a command with firewall-cmd --permanent to change the permanent configuration directly (in which case the change does not apply to the running firewall until the next reload).
Restarting the firewalld service rebuilds the whole rule set from scratch and discards runtime-only changes. To apply the permanent configuration without that interruption, use the command:
firewall-cmd --reload
which reloads the permanent configuration while keeping connection state, so established connections are not cut.
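A check for the runtime/permanent drift described above, added here as an example (it is not part of the original article). It parses the output of firewall-cmd --list-all for a zone in both modes and lists what the next reload would discard. The two sample outputs embedded in the script are constructed; the function names and the choice of attributes to compare are the example's own.

```python
"""Find runtime firewalld changes that are not in the permanent configuration.

Added example (not from the original article). It compares the output of
`firewall-cmd --zone=Z --list-all` (runtime) with
`firewall-cmd --permanent --zone=Z --list-all` (permanent) and reports
the openings that a `firewall-cmd --reload` or a daemon restart would discard.
The two sample outputs below are constructed to illustrate the format; the
live check at the bottom needs a running firewalld and root privileges.
"""
import subprocess

# Constructed sample: http and 8080/tcp were added at runtime with
# `firewall-cmd --add-service=http --add-port=8080/tcp`, but
# `--runtime-to-permanent` was never run afterwards.
RUNTIME_SAMPLE = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 8080/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.0.0.5" service name="ssh" accept
"""

PERMANENT_SAMPLE = """\
public
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.0.0.5" service name="ssh" accept
"""

# Attributes worth comparing; a difference in any of them is lost on reload.
COMPARED = ("target", "interfaces", "sources", "services", "ports",
            "protocols", "masquerade", "forward-ports", "rich rules")


def parse_list_all(output):
    """Turn `firewall-cmd --list-all` output into {attribute: set of values}.

    Attribute lines look like `  services: ssh http`. Rich rules are listed
    one per line after `rich rules:`, so a line starting with `rule ` is kept
    whole (splitting it on whitespace would destroy the rule, and an IPv6
    address inside it may contain colons).
    """
    attrs = {}
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("rule "):
            attrs.setdefault("rich rules", set()).add(line)
        elif ":" in line:
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), set()).update(value.split())
        # any other line is the zone header ("public (active)"); ignore it
    return attrs


def drift(runtime_output, permanent_output, keys=COMPARED):
    """Return {attribute: (only_in_runtime, only_in_permanent)} for attributes that differ."""
    rt, pm = parse_list_all(runtime_output), parse_list_all(permanent_output)
    result = {}
    for key in keys:
        r, p = rt.get(key, set()), pm.get(key, set())
        if r != p:
            result[key] = (sorted(r - p), sorted(p - r))
    return result


def firewall_cmd(*args):
    """Run firewall-cmd and return its stdout (needs root and a running firewalld)."""
    proc = subprocess.run(["firewall-cmd", *args], check=True,
                          capture_output=True, text=True)
    return proc.stdout


def check_zone(zone="public"):
    """Live check of one zone: anything returned here is lost on the next reload."""
    return drift(firewall_cmd("--zone=" + zone, "--list-all"),
                 firewall_cmd("--permanent", "--zone=" + zone, "--list-all"))


if __name__ == "__main__":
    for attr, (runtime_only, permanent_only) in drift(RUNTIME_SAMPLE, PERMANENT_SAMPLE).items():
        print(f"{attr}: runtime-only {runtime_only}, permanent-only {permanent_only}")
```

Run check_zone() for each zone listed by firewall-cmd --get-active-zones before a planned reload; an empty result means the runtime and permanent configurations agree.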
FirewallD also provides an emergency function for a system under attack. If an attacker is attacking the system, the user can run:
firewall-cmd --panic-on
which drops every inbound and outbound packet and cuts the attacker off, instead of physically unplugging the network cable as in the past; on a host with many ports this avoids the confusion of pulling all cables at once and the problems that follow when the system is brought back. Note that panic mode also drops the administrator's own remote session, so it is only usable from the console or an out-of-band channel.
When network communication needs to be restored, the user runs:
firewall-cmd --panic-off
to leave panic mode, and can use:
firewall-cmd --query-panic
to query whether panic mode is currently enabled.
3.3. Firewall service management commands
Users can allow predefined services from the command line; each service is described by a definition file listing the ports (and, where needed, protocols, helper modules and destination addresses) that the firewall opens when the service is added to a zone.
Use the command:
firewall-cmd --list-services
to view the services allowed in the current (default) zone. Use the command:
firewall-cmd --get-services
to list all predefined service names shipped with firewalld. Use the command:
firewall-cmd --add-service=<service-name>
to allow a specific service, choosing the service name from the predefined list according to actual needs. When finished, use the command:
firewall-cmd --runtime-to-permanent
to save the runtime change as permanent. Users can add a custom service with firewall-config, firewall-cmd or firewall-offline-cmd, or by copying a template XML file from /usr/lib/firewalld/services to /etc/firewalld/services and editing it there. The procedure is as follows:
Method 1: run firewall-cmd --permanent --new-service=<service-name>; the system creates an empty definition <service-name>.xml in /etc/firewalld/services. Then add its ports with the --permanent --service=<service-name> --add-port=<port>/<protocol> option and run firewall-cmd --reload so the new service becomes available.
Method 2: edit the XML file directly, then run firewall-cmd --permanent --new-service-from-file=<service-name>.xml; the system adds a custom service named after the file (or after the name given with --name=<service-name>).
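An added example (not from the original article) of Method 2 in script form: it builds a complete service definition in the XML format used by the templates in /usr/lib/firewalld/services, validating each port specification first, and can write it under /etc/firewalld/services for loading with --new-service-from-file. The service name, ports and description are assumptions made for the example.

```python
"""Generate and validate a custom firewalld service definition.

Added example (not from the original article). `firewall-cmd --new-service`
creates an empty service file under /etc/firewalld/services/; this script
builds a complete one from a port list, in the same XML format as the
templates in /usr/lib/firewalld/services/, and validates the port
specifications first so that a typo does not end up opening the wrong port.
The service name, ports and output directory are assumptions for the example.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}   # protocols firewalld accepts in <port>


def parse_port_spec(spec):
    """Validate '8443/tcp' or '6000-6010/udp' and return (port, protocol).

    Rejects what firewall-cmd --add-port would also reject: unknown protocols,
    ports outside 1-65535 and ranges whose start is after the end.
    """
    port, sep, proto = spec.partition("/")
    if not sep or proto not in PROTOCOLS:
        raise ValueError(f"{spec!r}: protocol must be one of {sorted(PROTOCOLS)}")
    m = PORT_RE.match(port)
    if not m:
        raise ValueError(f"{spec!r}: port must be N or N-M")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"{spec!r}: port out of range or reversed range")
    return port, proto


def is_valid_port_spec(spec):
    """True when parse_port_spec() accepts the specification."""
    try:
        parse_port_spec(spec)
        return True
    except ValueError:
        return False


def build_service_xml(short, description, ports):
    """Return a firewalld service definition (XML text) opening the given ports."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = short
    ET.SubElement(svc, "description").text = description
    for spec in ports:
        port, proto = parse_port_spec(spec)
        ET.SubElement(svc, "port", port=port, protocol=proto)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(svc, encoding="unicode") + "\n"


def ports_in_service_xml(xml_text):
    """Parse a service definition and return its ports as sorted 'port/protocol' strings."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    return sorted(f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port"))


def write_service(name, short, description, ports, directory="/etc/firewalld/services"):
    """Write <directory>/<name>.xml. Load it afterwards with
    firewall-cmd --permanent --new-service-from-file=<path> and firewall-cmd --reload."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", name):
        raise ValueError("service name may only contain letters, digits, '-' and '_'")
    path = Path(directory) / f"{name}.xml"
    path.write_text(build_service_xml(short, description, ports), encoding="utf-8")
    return path


if __name__ == "__main__":
    # Constructed example: a hypothetical application on 8443/tcp plus a UDP range.
    print(build_service_xml("myapp", "Hypothetical application service",
                            ["8443/tcp", "6000-6010/udp"]))
```

After writing the file, firewall-cmd --get-services should list the new name; only then add it to a zone with --add-service.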
A port is a logical endpoint through which the system receives network traffic for a particular service and delivers it to that service; a system daemon usually listens on its well-known port. The default service definitions already list the ports each service needs. When a specific port or port range must still be opened, either directly in a zone or within a service definition, this can be done with firewall-cmd in the following form:
firewall-cmd [--zone=<zone>] [--permanent --service=<service>] --add-port=<port>[-<port>]/<protocol>
Note that --zone and --service are optional. Without either, the port is opened in the default zone. With only --zone, the port is opened directly in that zone regardless of any service. Only with --service is the port added to the service definition itself; this form modifies the permanent configuration, so it requires --permanent and a reload.
To remove a port, use the corresponding command:
firewall-cmd [--zone=<zone>] [--permanent --service=<service>] --remove-port=<port>[-<port>]/<protocol>
To add a service to a particular zone, specify the zone, for example:
firewall-cmd --zone=drop --add-service=ssh
This adds the ssh service to the drop zone, which in practice opens inbound TCP port 22, the port listed in the ssh service definition, while the zone's DROP target continues to discard everything else.
On a host with several network interfaces, each interface can be placed in the zone it needs, so that each interface gets its own security rules and network security is truly managed by zone.
Use the command:
firewall-cmd --get-active-zones
to view the currently active zones and the interfaces and sources assigned to them. Use the command:
firewall-cmd --zone=work --change-interface=ens3p0
to move the interface ens3p0 into the work zone; from then on all traffic through that interface is subject to that zone's rules. The change takes effect immediately, and when the interface is managed by NetworkManager it is also stored in the connection profile, so it survives a reload; for interfaces that NetworkManager does not manage, add --permanent or run firewall-cmd --runtime-to-permanent as for any other change.
Users who need to bind an interface to a zone can also edit the connection file directly (on Red Hat systems using the legacy ifcfg format):
vi /etc/sysconfig/network-scripts/ifcfg-<connection-name>
and add a ZONE=<zone-name> line to it; the interface is then placed in that zone whenever the connection comes up.
Users can set the default rule of a zone, called its target. It has the options default, ACCEPT, REJECT and DROP: ACCEPT lets all traffic through, while REJECT and DROP block all traffic entering the zone that no service, port or rule explicitly allows. The difference is that DROP silently discards the packet, whereas REJECT sends a rejection message back to the sender; the default target rejects unmatched traffic in the way the predefined zones do. The target is part of the permanent configuration, so it is set with:
firewall-cmd --permanent --zone=<zone-name> --set-target=<default|ACCEPT|REJECT|DROP>
followed by firewall-cmd --reload to apply it to the running firewall.
3.4. Using zones to manage incoming traffic by source
Zones can also be selected by the source of incoming traffic: traffic from a given source address or network is sorted into a zone, and that zone's settings decide which services it may reach. If a source is added to a zone, the zone becomes active and all incoming traffic from that source is handled by it (a source can belong to only one zone). Each zone can carry different settings, which then apply to traffic from the assigned sources, so several zones are useful even on a host with a single network interface.
The following example treats HTTP requests from a particular network segment in more detail, using the commands:
firewall-cmd --zone=trusted --add-source=192.168.1.0/24
to add the network segment to the trusted zone as a source, and:
firewall-cmd --zone=trusted --add-service=http
to add the web service to the same zone, after which web requests from that segment pass through. Note, however, that the target of the trusted zone is ACCEPT, so the first command alone already admits every kind of traffic from 192.168.1.0/24 and adding http changes nothing. To allow only HTTP from that segment, use a zone with the default target, for example internal or a custom zone, and add the source and the service there.
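An audit for the kind of mistake just described, added here as an example (not part of the original article). It parses zone definitions in the format firewalld stores under /etc/firewalld/zones and flags a target ACCEPT zone with sources or interfaces bound to it, services outside an allow-list, and raw ports opened in place of named services, so it also covers the target and port settings from the sections above. The zone files in the script are constructed samples, and the allow-list and severities are the example's own choices.

```python
"""Audit firewalld zone definitions for over-broad access.

Added example (not from the original article). It parses zone files in the
format firewalld keeps under /etc/firewalld/zones/ (defaults live under
/usr/lib/firewalld/zones/) and flags: a zone with target ACCEPT, such as
trusted, that has sources or interfaces bound to it; services that are not on
an allow-list; and raw ports opened instead of named services. The zone files
below are constructed samples; the allow-list is an assumption for the example.
"""
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed samples. "trusted" reproduces the article's example of adding
# 192.168.1.0/24 and http to the trusted zone.
SAMPLE_ZONES = {
    "trusted": """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <source address="192.168.1.0/24"/>
  <service name="http"/>
</zone>""",
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="http"/>
  <port port="8080" protocol="tcp"/>
</zone>""",
    "work": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <interface name="ens3p0"/>
  <service name="ssh"/>
  <service name="ipp-client"/>
  <service name="dhcpv6-client"/>
</zone>""",
    "drop": """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
</zone>""",
}


def parse_zone(xml_text):
    """Extract target, bindings and openings from one zone definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone definition")
    return {
        "target": root.get("target", "default"),   # no attribute means the default target
        "sources": [s.get("address") or s.get("mac") or s.get("ipset") or "?"
                    for s in root.findall("source")],
        "interfaces": [i.get("name") for i in root.findall("interface")],
        "services": [s.get("name") for s in root.findall("service")],
        "ports": [f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port")],
    }


def audit_zones(zone_files, default_zone="public",
                allowed_services=frozenset({"ssh", "dhcpv6-client"})):
    """Return a list of (zone, severity, message) findings.

    zone_files maps zone name -> XML text. A zone is active when it has
    interfaces or sources bound to it, or when it is the default zone.
    """
    findings = []
    for name, xml_text in zone_files.items():
        z = parse_zone(xml_text)
        bound = z["interfaces"] + z["sources"]
        active = bool(bound) or name == default_zone
        if z["target"] == "ACCEPT" and active:
            where = ", ".join(bound) or "every interface without an explicit zone"
            findings.append((name, "high", f"target ACCEPT admits all traffic from {where}"))
            if z["services"] or z["ports"]:
                findings.append((name, "info", "services/ports are redundant under target ACCEPT"))
            continue  # per-service findings add nothing when everything is accepted
        if not active:
            continue  # openings in an inactive zone do not affect traffic yet
        for svc in z["services"]:
            if svc not in allowed_services:
                findings.append((name, "medium", f"service {svc} is not on the allow-list"))
        for port in z["ports"]:
            findings.append((name, "medium", f"raw port {port} opened; prefer a named service"))
    return findings


def load_zone_dir(directory="/etc/firewalld/zones"):
    """Read the zone files on disk; only zones changed from the defaults appear here."""
    return {p.stem: p.read_text(encoding="utf-8") for p in Path(directory).glob("*.xml")}


if __name__ == "__main__":
    for zone, severity, message in audit_zones(SAMPLE_ZONES):
        print(f"[{severity}] {zone}: {message}")
```

Pass the output of load_zone_dir() together with the zone reported by firewall-cmd --get-default-zone to audit the live permanent configuration; the runtime configuration can drift from it, so run the audit after firewall-cmd --runtime-to-permanent.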
3.5. Firewall lockdown
To stop local programs such as the KVM virtualization components from changing the firewall through firewalld's D-Bus interface, FirewallD provides a lockdown mechanism. When lockdown is enabled, only the commands, users and contexts listed in the lockdown whitelist (/etc/firewalld/lockdown-whitelist.xml) may still change the configuration. These commands must be run as root.
Users can use the command:
firewall-cmd --query-lockdown
to query the lockdown state, and run:
firewall-cmd --lockdown-on
to enable lockdown; to return to the unlocked state, run:
firewall-cmd --lockdown-off
This concludes the introduction to using the FirewallD firewall; more related content can be found in earlier articles on this site.
© 2024 shulou.com SLNews company. All rights reserved.