
What is the Firewalld security technology?

2025-04-05 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Introduction to getting started with Firewalld

Starting with CentOS 7, iptables is no longer used by default; the firewall is managed by firewalld instead. firewalld provides a dynamic firewall management tool that supports network/firewall zones, which define the trust level of network connections and interfaces.

What is a dynamic firewall? Recall how the iptables service manages firewall rules: the user adds new rules to the /etc/sysconfig/iptables configuration file and then runs service iptables reload to make the changed rules take effect.

Behind the scenes, the iptables service first flushes the old firewall rules and then reloads the complete set of new rules; if kernel module reloading is configured, it also unloads and reloads the kernel modules. Unfortunately, this is likely to have side effects on a running system, especially one with a very busy network.

If the mode in which changing a single rule means reloading all rules is called a static firewall, then the mode firewalld provides can be called a dynamic firewall, and it exists to solve exactly this problem: a rule change does not require reloading the entire rule list, only saving the change and applying it to the running iptables rules.

As for the relationship between firewalld and iptables: firewalld provides a daemon and service, together with command-line and graphical configuration tools. It replaces only the iptables service part; underneath, it still uses iptables as the backend that manages the firewall rules. firewalld was developed in Python, and the new version plans to rewrite the daemon part in C++.

What is a zone?

firewalld maps network interfaces to zones. There are 9 zones by default: block, dmz, drop, external, home, internal, public, trusted, work.

Zones differ in their default behaviour towards packets, and the name of a zone tells you directly what it is for. On CentOS 7 the default zone is public.

In the latest version of Fedora (Fedora 21), with the split between the server and workstation editions, two additional custom zones, FedoraServer and FedoraWorkstation, are added.

List all supported zones with the following command:

firewall-cmd --get-zones

block dmz drop external home internal public trusted work

View the current default zone:

firewall-cmd --get-default-zone

public

Before describing the zones, note where the configuration lives:

The iptables service stores its configuration in /etc/sysconfig/iptables.

firewalld stores its configuration in XML files under /usr/lib/firewalld/ and /etc/firewalld/.

The zones under /etc/firewalld/ are a set of presets that can be applied quickly to a network interface. The list, with a brief description of each, is as follows:

drop (discard)

Any incoming network packet is discarded without a reply. Only outgoing network connections are possible.

block (restriction)

Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6.

public (public)

For use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

external (external)

For external networks, in particular on routers with masquerading enabled. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

dmz (demilitarized zone)

For computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network. Only selected incoming connections are accepted.

work (work)

For use in the workplace. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

home (home)

For home networks. You can mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

internal (internal)

For internal networks. You can mostly trust the other computers on the network not to threaten your computer. Only selected incoming connections are accepted.

trusted (trusted)

All network connections are accepted.

One of the zones can be designated the default zone. Interfaces and connections added through NetworkManager are assigned to the default zone. firewalld sets the default zone to public at installation time.

What is service?

The /usr/lib/firewalld/services/ directory holds another kind of configuration file, one per network service, for example the ssh service.

Each such file records the tcp/udp ports used by its service, and the latest version of firewalld defines 70+ services by default for us to use.

When the default services are not enough, or the port of a service needs to be customised, place the service configuration file in the /etc/firewalld/services/ directory.

The benefits of service configuration are obvious:

First, managing rules by service name is more human-friendly.

Second, grouping ports by service is more efficient: if a service uses several network ports, its service file lets you manage the rules for all of those ports in a single operation.

Loading a service configuration opens access to the corresponding ports. List all supported services with the following command:

firewall-cmd --get-services

RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp open*** pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https

View the services enabled in the current zone:

firewall-cmd --list-services

dhcpv6-client ssh

Dynamically adding a firewall rule works as follows.

Assuming the custom ssh port number is 12222, use the following command to add a firewall rule for the new port:

firewall-cmd --add-port=12222/tcp --permanent

To save the rule to the zone configuration file, add the --permanent parameter. Note that a rule added with --permanent alone is written to the configuration but does not take effect in the running firewall until firewall-cmd --reload is run, while a rule added without --permanent takes effect immediately but is lost when firewalld restarts.
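Instead of opening a bare port, the custom port can be described as a service file of the kind kept under /etc/firewalld/services/, which is what the service-based management described above is built on. The following is an added example, not code from the article or from the firewalld project: it generates such a service definition for SSH on port 12222, modelled on the layout of firewalld's own service XML files. The service name ssh-custom and the target directory are assumptions; the function takes the directory as a parameter so it can be run against a scratch directory before being used on a real host.

```shell
#!/bin/sh
# Added example (not from the original article or the firewalld project).
# write_service_xml NAME PORT PROTO DIR
#   Writes DIR/NAME.xml in the firewalld service-file layout and prints
#   the path written. On a real host DIR would be /etc/firewalld/services,
#   where a file overrides a same-named one in /usr/lib/firewalld/services.
write_service_xml() {
  name=$1; port=$2; proto=$3; dir=$4
  # Reject anything that is not a plain integer port number.
  case $port in
    ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
  esac
  # Reject ports outside 1-65535 before touching the filesystem.
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
    echo "port out of range: $port" >&2; return 1; }
  # Only tcp and udp are meaningful in a <port> element here.
  case $proto in
    tcp|udp) ;;
    *) echo "bad protocol: $proto" >&2; return 1 ;;
  esac
  mkdir -p "$dir"
  cat > "$dir/$name.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>SSH on custom port $port/$proto (constructed example)</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
  echo "$dir/$name.xml"
}

# On a real host (not run here), after writing /etc/firewalld/services/ssh-custom.xml:
#   firewall-cmd --reload                                # pick up the new service file
#   firewall-cmd --add-service=ssh-custom --permanent    # save it in the zone config
#   firewall-cmd --reload                                # apply the saved rule
```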
