2025-03-29 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
This article is an introductory manual for FirewallD. It covers the material in some detail, and interested readers may find it a useful reference.
FirewallD is a wrapper around iptables that makes iptables rules easier to manage; it is not a substitute for iptables. Although the iptables command remains available on a system running FirewallD, it is recommended that you use only firewall-cmd while FirewallD is in use.
FirewallD is a front-end controller for iptables used to implement persistent network traffic rules. It provides both a command-line and a graphical interface and is available in the repositories of most Linux distributions. Compared with controlling iptables directly, FirewallD differs in two main ways:
FirewallD uses zones and services instead of chains and rules.
It manages rule sets dynamically, so rules can be updated without breaking existing sessions and connections.
This manual introduces the concepts of FirewallD zones and services, followed by some basic configuration steps.
Install and manage FirewallD
CentOS 7 and Fedora 20+ ship with FirewallD, but it is not active by default. It is controlled like any other systemd unit.
1. Start the service and enable it at boot:
sudo systemctl start firewalld
sudo systemctl enable firewalld
To stop and disable it:
sudo systemctl stop firewalld
sudo systemctl disable firewalld
2. Check the firewall state. The output should be running or not running.
sudo firewall-cmd --state
3. To view the status of the FirewallD daemon:
sudo systemctl status firewalld
Sample output:
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled)
   Active: active (running) since Wed 2015-09-02 18:03:22 UTC; 1min 12s ago
 Main PID: 11954 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─11954 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid
4. Reload the FirewallD configuration:
sudo firewall-cmd --reload
Configure FirewallD
FirewallD is configured with XML files. Unless your configuration is very unusual, you should not edit them directly; use firewall-cmd instead.
The configuration files live in two directories:
The default configuration, such as the default zones and predefined services, is stored under /usr/lib/firewalld. Avoid modifying these files, because they are overwritten every time the firewalld package is updated.
The system-specific configuration is stored under /etc/firewalld. These files override the defaults.
Configuration set
FirewallD uses two configuration sets: runtime and permanent. Changes to the runtime configuration are lost when the system or FirewallD is restarted, and changes to the permanent configuration are not applied to the running system until FirewallD is reloaded.
By default, firewall-cmd acts on the runtime configuration; the --permanent flag writes the change to the permanent configuration instead. To add and activate a permanent rule, use one of two methods.
1. Add the rule to both the permanent and the runtime rule set:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --add-service=http
2. Add the rule to the permanent rule set and reload FirewallD:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --reload
The reload command discards the runtime configuration and applies the permanent configuration. Because firewalld manages rule sets dynamically, this does not break existing connections and sessions.
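The gap between the two configuration sets is a common source of surprises: a rule that works until the next reload, or a permanent rule nobody activated. The following added example, which is not part of the original article, parses the output of firewall-cmd --zone=<zone> --list-all with and without --permanent and reports any drift between them; the sample outputs are constructed, and the function names are this example's own.

```python
# Added example, not from the article: parse a zone's runtime `--list-all` output and
# its --permanent counterpart, then report the drift. Runtime-only entries vanish on
# --reload; permanent-only entries are not enforced until a reload.
KEYS = ("target", "interfaces", "sources", "services", "ports", "protocols",
        "masquerade", "forward-ports", "source-ports", "icmp-blocks", "rich rules")

def parse_list_all(text):
    """Return {'name': zone, key: set(values)} from --list-all output."""
    zone = {"name": None, **{k: set() for k in KEYS}}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():              # zone header, e.g. "public (active)"
            zone["name"] = line.split()[0]
            continue
        key, sep, value = (s.strip() for s in line.partition(":"))
        if sep and key in KEYS:
            current = key
            if value:                         # a rich rule is one whole-line value
                zone[key].update([value] if key == "rich rules" else value.split())
        elif current == "rich rules":         # one rule per indented continuation line
            zone[current].add(line)
    return zone

def drift(runtime, permanent):
    """Return {key: (runtime_only, permanent_only)} for every key that differs."""
    out = {}
    for key in KEYS:
        rt_only, perm_only = runtime[key] - permanent[key], permanent[key] - runtime[key]
        if rt_only or perm_only:
            out[key] = (sorted(rt_only), sorted(perm_only))
    return out

# Constructed sample outputs: http was added without --permanent, and a rich rule
# was added with --permanent but firewalld has not been reloaded yet.
RUNTIME = """public (active)
  services: dhcpv6-client http ssh
  ports: 12345/tcp
"""
PERMANENT = """public
  services: dhcpv6-client ssh
  ports: 12345/tcp
  rich rules:
\trule family="ipv4" source address="192.168.1.10" port port="22" protocol="tcp" reject
"""
if __name__ == "__main__":
    for key, (rt, perm) in drift(parse_list_all(RUNTIME), parse_list_all(PERMANENT)).items():
        print(f"{key}: runtime-only={rt} permanent-only={perm}")
```

On a live system, feed it the captured output of the two firewall-cmd invocations; an empty result means the running rules match what will survive a reload.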
Zone of the firewall
A zone is a set of predefined rules that matches a level of trust for a given location or scenario, such as home, public, trusted, and so on. Each zone allows a different set of network services and inbound traffic and denies everything else. When FirewallD is enabled for the first time, public is the default zone.
Zones can also be assigned to different network interfaces. For example, to separate an internal network interface from the Internet-facing one, you can allow DHCP in the internal zone but only HTTP and SSH in the external zone. Any interface not explicitly assigned to a zone is placed in the default zone.
To find the default zone:
sudo firewall-cmd --get-default-zone
To change the default zone:
sudo firewall-cmd --set-default-zone=internal
To check which zones your network interfaces are using:
sudo firewall-cmd --get-active-zones
Sample output:
public
  interfaces: eth0
To get the full configuration of a specific zone:
sudo firewall-cmd --zone=public --list-all
Sample output:
public (default, active)
  interfaces: ens160
  sources:
  services: dhcpv6-client http ssh
  ports: 12345/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
To get the configuration of all zones:
sudo firewall-cmd --list-all-zones
Sample output:
block
  interfaces:
  sources:
  services:
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
...
work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
Working with services
FirewallD can allow traffic based on predefined rules for specific network services. You can also create your own custom service definitions and add them to any zone. The default service definitions are located in /usr/lib/firewalld/services, and user-created service files go in /etc/firewalld/services.
To view the available predefined services:
sudo firewall-cmd --get-services
For example, to enable or disable the HTTP service:
sudo firewall-cmd --zone=public --add-service=http --permanent
sudo firewall-cmd --zone=public --remove-service=http --permanent
Allow or deny an arbitrary port/protocol
For example, to allow or deny TCP traffic on port 12345:
sudo firewall-cmd --zone=public --add-port=12345/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=12345/tcp --permanent
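Custom services, mentioned above, are XML files in the firewalld.service(5) format placed under /etc/firewalld/services. The following added example (not from the original article) generates such a definition for the 12345/tcp port opened above and parses it back for verification; the service name myapp and the helper names are this example's own assumptions.

```python
# Added example, not from the article: build and check a custom firewalld service
# definition in the firewalld.service(5) XML format. Saved as
# /etc/firewalld/services/<name>.xml it can be enabled with --add-service=<name>.
import re
import xml.etree.ElementTree as ET

# "port/proto" or "low-high/proto"; the numeric range is checked separately
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?/(tcp|udp|sctp|dccp)$")

def service_xml(name, description, ports):
    """Return service XML allowing each 'port/proto' or 'low-high/proto' entry."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = name
    ET.SubElement(root, "description").text = description
    for entry in ports:
        m = PORT_RE.match(entry)
        if not m or not all(0 < int(p) < 65536 for p in m.group(1, 2) if p):
            raise ValueError(f"invalid port entry: {entry!r}")
        low, high, proto = m.groups()
        port = low if high is None else f"{low}-{high}"
        ET.SubElement(root, "port", protocol=proto, port=port)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"

def service_ports(xml_text):
    """Parse a service definition back into a sorted list of 'port/proto' entries."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    return sorted(f"{p.get('port')}/{p.get('protocol')}" for p in root.findall("port"))

if __name__ == "__main__":
    # Constructed example: the 12345/tcp port opened above, expressed as a named service
    text = service_xml("myapp", "Custom application on TCP 12345", ["12345/tcp"])
    print(text)
    print(service_ports(text))
```

After writing the file, run firewall-cmd --reload so the new service name appears in --get-services, then add it to a zone like any predefined service.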
Port forwarding
The following forwards traffic from port 80 to port 12345 on the same server:
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=12345
To forward a port to another server:
1. Enable masquerading in the required zone:
sudo firewall-cmd --zone=public --add-masquerade
2. Add the forwarding rule. In this example, traffic arriving on port 80 is forwarded to port 8080 on the remote server with IP address 123.456.78.9:
sudo firewall-cmd --zone="public" --add-forward-port=port=80:proto=tcp:toport=8080:toaddr=123.456.78.9
To delete a rule, replace --add with --remove. For example:
sudo firewall-cmd --zone=public --remove-masquerade
Building a rule set with FirewallD
Here is how to use FirewallD to configure a basic rule set for a server that runs a web server.
1. Set the default zone to dmz and assign eth0 to it. Of the default zones provided, dmz (demilitarized zone) is the most suitable for this purpose because it allows only SSH and ICMP.
sudo firewall-cmd --set-default-zone=dmz
sudo firewall-cmd --zone=dmz --add-interface=eth0
2. Add permanent service rules for HTTP and HTTPS to the dmz zone:
sudo firewall-cmd --zone=dmz --add-service=http --permanent
sudo firewall-cmd --zone=dmz --add-service=https --permanent
3. Reload FirewallD so the rules take effect immediately:
sudo firewall-cmd --reload
If you run firewall-cmd --zone=dmz --list-all, you will see the following output:
dmz (default)
  interfaces: eth0
  sources:
  services: http https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
This tells us that dmz is the default zone, that it is applied to the eth0 interface, and that it applies to all source addresses and ports. Inbound HTTP (port 80), HTTPS (port 443) and SSH (port 22) are allowed, and since no IP version is specified, this applies to both IPv4 and IPv6. Masquerading and port forwarding are not enabled. There are no ICMP blocks, so ICMP traffic is fully allowed. There are no rich rules, and all outbound traffic is allowed.
Advanced configuration
Services and ports are fine for basic configurations but may be too restrictive for advanced scenarios. Rich rules and the direct interface let you add fully customized firewall rules to any zone for any port, protocol, address and action.
Rich rules
Rich rules have an extensive syntax, fully documented in the firewalld.richlanguage(5) man page (man firewalld.richlanguage in a terminal). Use the --add-rich-rule, --list-rich-rules and --remove-rich-rule options of firewall-cmd to manage them.
Here are some common examples:
Allow all IPv4 traffic from host 192.168.0.14:
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address=192.168.0.14 accept'
Deny IPv4 TCP traffic from host 192.168.1.10 to port 22:
sudo firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="192.168.1.10" port port=22 protocol=tcp reject'
Allow IPv4 TCP traffic from host 10.1.0.3 to port 80 and forward it to port 6532:
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 source address=10.1.0.3 forward-port port=80 protocol=tcp to-port=6532'
Forward IPv4 traffic arriving on port 80 to port 8080 on host 172.31.4.2 (masquerading must be enabled in the zone):
sudo firewall-cmd --zone=public --add-rich-rule 'rule family=ipv4 forward-port port=80 protocol=tcp to-port=8080 to-addr=172.31.4.2'
List your current rich rules:
sudo firewall-cmd --list-rich-rules
The direct interface to iptables
For the most advanced uses, or for iptables experts, FirewallD provides a direct interface that lets you pass raw iptables commands to it. Direct interface rules are not persistent unless --permanent is used.
To view all custom chains or rules added through FirewallD:
firewall-cmd --direct --get-all-chains
firewall-cmd --direct --get-all-rules
This concludes the FirewallD introductory manual. I hope the above content has been helpful and has taught you something new. If you found the article useful, please share it so that more people can see it.