A detailed look at the basics of the Firewalld firewall in CentOS 7

2025-04-02 Update. From: SLTechnology News&Howtos (shulou), Servers section


Shulou (Shulou.com) 06/02 Report

Firewalld overview

Introduction to Firewalld

Firewalld is a dynamic firewall management tool. It expresses the trust level of a network connection through network zones and interface security levels.

It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges.

It provides an interface (D-Bus) through which services and applications can add firewall rules directly.

It has two configuration modes:

Runtime configuration

Permanent configuration

The relationship between Firewalld and iptables

netfilter: the packet filtering framework introduced with Linux 2.4.x; a subsystem of the Linux kernel.

netfilter uses a modular design and is easy to extend.

The packet filtering system that lives inside the Linux kernel is the "kernel-space" Linux firewall, which is netfilter. Firewalld and iptables are the "user-space" tools that manage its rules; on CentOS 7 the default tool for managing firewall rules is Firewalld. Both drive the same kernel mechanism, so the choice between them is about how rules are managed, not about what the kernel can filter.

Differences between Firewalld and iptables:

Configuration files: Firewalld uses /usr/lib/firewalld/ and /etc/firewalld/; iptables uses /etc/sysconfig/iptables.
Rule changes: Firewalld applies a change without refreshing the whole policy, so existing connections are kept; iptables refreshes the whole policy and existing connections are lost.
Firewall type: Firewalld is a dynamic firewall (flexible); iptables is a static firewall.

Firewalld network zones

Zone descriptions:

drop: any incoming packet is dropped without a reply. Only outgoing connections are possible.
block: any incoming connection is rejected with an icmp-host-prohibited message for IPv4 or icmp6-adm-prohibited for IPv6. Only connections initiated from this system are possible.
public: for use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
external: for use on external networks with masquerading enabled, especially for routers. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
dmz: for computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected incoming connections are accepted.
work: for use in work areas. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
home: for use in home networks. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
internal: for use on internal networks. You mostly trust the other computers on the network not to threaten your computer; only selected incoming connections are accepted.
trusted: all network connections are accepted.

Firewalld data processing flow

1. Check the packet's source address. If the source address is bound to a specific zone, apply the rules of that zone.
2. If the source address is not bound to a zone, use the zone bound to the network interface the packet arrived on and apply that zone's rules.
3. If the network interface is not bound to a zone either, use the default zone and apply its rules.

Because of this order, a source binding always wins over an interface binding, and an interface you never assigned silently falls into the default zone (public on a stock CentOS 7 install).

Runtime configuration vs permanent configuration

Runtime configuration: takes effect immediately and lasts until Firewalld is restarted or reloaded; does not break existing connections; cannot modify service definitions.
Permanent configuration: does not take effect until Firewalld is restarted or reloaded; firewall-cmd --reload keeps connection state, while --complete-reload or a service restart may interrupt existing connections; can modify service definitions.

Firewall-config graphical tool

Runtime configuration / permanent configuration: selectable at the top of the window.

Reload Firewalld: applies changes to the permanent configuration so that they take effect.

Bind a network interface to a chosen zone.

Change the default zone.

Connection status display.

The "Zones" tab, with the sub-tabs "Services", "Ports", "Protocols", "Source Ports", "Masquerading", "Port Forwarding" and "ICMP Filter".

The "Services" tab, with the sub-tabs "Modules" and "Destination".

firewall-cmd command line tool

Start, stop and check the firewalld service

systemctl start firewalld        # start firewalld
systemctl enable firewalld       # start firewalld at boot
systemctl status firewalld       # show firewalld status information
firewall-cmd --state             # show whether firewalld is running
systemctl stop firewalld         # stop firewalld
systemctl disable firewalld      # do not start firewalld at boot

Get predefined information

firewall-cmd can list three kinds of predefined information: available zones, available services and available ICMP block types.

firewall-cmd --get-zones         # show predefined zones
firewall-cmd --get-services      # show predefined services
firewall-cmd --get-icmptypes     # show predefined ICMP types

Meaning of the block types listed by firewall-cmd --get-icmptypes:

destination-unreachable: destination unreachable.

echo-reply: echo reply (pong).

parameter-problem: parameter problem.

redirect: redirect.

router-advertisement: router advertisement.

router-solicitation: router solicitation.

source-quench: source quench.

time-exceeded: time exceeded.

timestamp-reply: timestamp reply.

timestamp-request: timestamp request.

Zone management

With firewall-cmd you can get and manage zones, bind network interfaces to a given zone, and so on. Options:

--get-default-zone                              show the default zone for network connections or interfaces
--set-default-zone=<zone>                       set the default zone for network connections or interfaces
--get-active-zones                              show all active zones
--get-zone-of-interface=<interface>             show the zone the given interface is bound to
--zone=<zone> --add-interface=<interface>       bind the interface to the zone
--zone=<zone> --change-interface=<interface>    change the zone the interface is bound to
--zone=<zone> --remove-interface=<interface>    remove the interface binding from the zone
--list-all-zones                                show all zones and their rules
[--zone=<zone>] --list-all                      show all rules of the given zone

Omitting --zone= means the default zone is used.

Service management

firewalld predefines many services. They are stored in the /usr/lib/firewalld/services/ directory, one XML file per service, named service-name.xml; each file corresponds to one network service. When no predefined service fits, or a service needs custom ports, place your own service file in /etc/firewalld/services/ (a file there overrides a file of the same name under /usr/lib/firewalld/services/).

Advantages of service-based configuration: managing rules by service name is easier to read, and grouping ports by service is more efficient. If a service uses several network ports, its service file gives rule management a shortcut to operate on all of those ports at once.

Common service management options of firewall-cmd (per zone):

[--zone=<zone>] --list-services                              show all services allowed in the zone
[--zone=<zone>] --add-service=<service>                      allow a service in the zone
[--zone=<zone>] --remove-service=<service>                   remove an allowed service from the zone
[--zone=<zone>] --list-ports                                 show all ports allowed in the zone
[--zone=<zone>] --add-port=<port>[-<port>]/<protocol>        allow a port or port range (with protocol) in the zone
[--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>     remove an allowed port or port range (with protocol) from the zone
[--zone=<zone>] --list-icmp-blocks                           show all ICMP types blocked in the zone
[--zone=<zone>] --add-icmp-block=<icmptype>                  block an ICMP type in the zone
[--zone=<zone>] --remove-icmp-block=<icmptype>               remove an ICMP block from the zone

Omitting --zone= means the default zone is operated on.
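The zone lookup and the per-zone service and port lists above are what an auditor reads when asking "what does this host actually expose?". The script below is an added example, not code from the original article: it parses the text printed by firewall-cmd --list-all-zones (a constructed sample is embedded, so no firewalld host is needed) and flags active zones whose target is ACCEPT, or that allow the clear-text services and raw ports named in an assumed local policy (RISKY_SERVICES and RISKY_PORTS). Inactive zones are skipped on purpose, because a zone with no interface or source binding is not reachable. All function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original article): parse the text that
# `firewall-cmd --list-all-zones` prints and flag active zones that expose too
# much. SAMPLE_ZONES is constructed, not captured from a host; RISKY_SERVICES
# and RISKY_PORTS are an assumed local policy, not data firewalld defines.

RISKY_SERVICES="telnet ftp rsh"        # clear-text services we never want reachable
RISKY_PORTS="23/tcp 21/tcp 3389/tcp"   # raw ports we never want opened directly

# Constructed sample in the layout CentOS 7's firewalld uses: a zone header,
# "(active)" when bound to an interface or source, indented "key: value" lines,
# and a blank line between zones (some attribute lines omitted for brevity).
SAMPLE_ZONES='public (active)
  target: default
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh ftp
  ports: 8080/tcp 23/tcp
  masquerade: no

trusted (active)
  target: ACCEPT
  interfaces: eth1
  sources:
  services:
  ports:
  masquerade: no

internal
  target: default
  interfaces:
  sources:
  services: ssh mdns samba-client dhcpv6-client telnet
  ports:
  masquerade: no
'

FINDINGS=0

# Print a finding for every word of list $2 that also appears in policy list $3.
flag_listed() {
    for item in $2; do
        for bad in $3; do
            if [ "$item" = "$bad" ]; then
                echo "$1: $4 $item"
                FINDINGS=$((FINDINGS + 1))
            fi
        done
    done
}

# Evaluate one zone: $1 name, $2 active flag, $3 target, $4 services, $5 ports.
# Only active zones are reachable, so the unbound "internal" zone is not reported.
check_zone() {
    [ "$2" = 1 ] || return 0
    if [ "$3" = ACCEPT ]; then
        echo "$1: active zone with target ACCEPT admits every inbound connection"
        FINDINGS=$((FINDINGS + 1))
    fi
    flag_listed "$1" "$4" "$RISKY_SERVICES" "exposes clear-text service"
    flag_listed "$1" "$5" "$RISKY_PORTS" "opens risky port"
}

# Read --list-all-zones text from stdin, print one line per finding and leave
# the total in FINDINGS. Returns 1 when anything was flagged.
audit_zones() {
    FINDINGS=0
    zone='' active=0 target='' services='' ports=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '') ;;
            ' '*)   # attribute line "  key: value"; trim spaces around both parts
                key=${line%%:*};  key=${key#"${key%%[! ]*}"}
                value=${line#*:}; value=${value#"${value%%[! ]*}"}
                value=${value%"${value##*[! ]}"}
                case "$key" in
                    target)   target=$value ;;
                    services) services=$value ;;
                    ports)    ports=$value ;;
                esac ;;
            *)      # zone header: evaluate the previous zone, then start a new one
                [ -n "$zone" ] && check_zone "$zone" "$active" "$target" "$services" "$ports"
                zone=${line%% *}; target='' services='' ports=''
                case "$line" in *'(active)'*) active=1 ;; *) active=0 ;; esac ;;
        esac
    done
    [ -n "$zone" ] && check_zone "$zone" "$active" "$target" "$services" "$ports"
    [ "$FINDINGS" -eq 0 ]
}

# Feed the sample through a here-document (no subshell, so FINDINGS survives).
# On a real host: firewall-cmd --list-all-zones | audit_zones
audit_sample() {
    audit_zones <<EOF
$SAMPLE_ZONES
EOF
}

audit_sample || echo "audit flagged $FINDINGS issue(s)"
```

On the sample this reports three findings: the public zone exposes ftp and opens 23/tcp directly, and the trusted zone is active with target ACCEPT. Extending the policy lists, or adding a check on masquerade for zones that should never forward traffic, is a one-line change.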

Port management

When a predefined network service is configured by name, the ports that service uses are opened automatically. For services that are not predefined, the ports have to be added by hand for the given zone:

firewall-cmd --zone=internal --add-port=443/tcp        # open port 443/tcp in the internal zone
firewall-cmd --zone=internal --remove-port=443/tcp     # close port 443/tcp in the internal zone

Two configuration modes

The firewall-cmd tool has two configuration modes:

Runtime mode: the firewall configuration currently running in memory. It is lost when the system or the firewalld service is restarted or stopped.
Permanent mode: the rule configuration stored persistently in the configuration files; it is what the firewall loads when it is restarted or reloaded.

Three firewall-cmd options relate to the configuration mode:

--reload                   reload the firewall rules while keeping state information; in other words, the permanent configuration is applied to the runtime configuration
--permanent                the command sets a persistent rule, which only takes effect after firewalld is restarted or the rules are reloaded. Without this option the command sets a runtime rule.
--runtime-to-permanent     write the current runtime configuration into the permanent configuration files

Configuration files

Firewalld prefers the configuration under /etc/firewalld/; if no file exists there, it uses the one under /usr/lib/firewalld/.
/etc/firewalld/: user-defined configuration. If needed, copy a file from /usr/lib/firewalld/ here and edit it.
/usr/lib/firewalld/: default configuration. Modifying it is not recommended. To return to the defaults, simply delete the corresponding file under /etc/firewalld/.

A practical consequence: a rule added without --permanent disappears at the next reload, and a rule added with --permanent does nothing until you reload, so the usual sequence is to add with --permanent and then run firewall-cmd --reload (or add at runtime, test, and then --runtime-to-permanent).
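The custom service file described under service management and the permanent/reload workflow above, as an added example that is not from the original article: a POSIX shell script that validates port specifications, writes a service-name.xml in the layout the shipped service files use, and prints the firewall-cmd sequence that makes the service effective in a zone. The service name myapp, its ports, the directory parameter and the helper names are assumptions; the demo writes into a scratch directory so it runs on a host without firewalld, and apply_service only runs firewall-cmd when it exists and the script is root.

```shell
#!/bin/sh
# Added example (not from the original article): define a custom firewalld
# service as an XML file and apply it with the permanent-then-reload workflow.
# "myapp", its ports and the helper names are assumptions. The services
# directory is a parameter: pass /etc/firewalld/services on a real CentOS 7 host.

# Minimal XML escaping for the <short> and <description> text.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Accept "port/proto" or "lo-hi/proto" with the protocols firewalld knows;
# returns 1 for anything malformed so a typo never becomes an open port.
valid_port_spec() {
    case $1 in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    range=${1%/*}
    case $range in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    lo=${range%-*}; hi=${range#*-}
    if [ "$lo" -ge 1 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]; then
        return 0
    fi
    return 1
}

# write_service DIR NAME SHORT DESCRIPTION PORT/PROTO...
# Writes DIR/NAME.xml; with DIR=/etc/firewalld/services it overrides
# /usr/lib/firewalld/services/NAME.xml. Prints the path of the written file.
write_service() {
    dir=$1 name=$2 short=$3 desc=$4; shift 4
    for p in "$@"; do
        valid_port_spec "$p" || { echo "invalid port spec: $p" >&2; return 1; }
    done
    mkdir -p "$dir"
    file="$dir/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$(xml_escape "$short")"
        printf '  <description>%s</description>\n' "$(xml_escape "$desc")"
        for p in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</service>\n'
    } > "$file"
    chmod 0644 "$file"
    echo "$file"
}

# The sequence that makes the service reachable in zone $1: reload so firewalld
# reads the new XML, add the service to the zone's permanent configuration,
# reload again so the permanent configuration becomes the runtime one, verify.
service_commands() {
    echo 'firewall-cmd --reload'
    printf 'firewall-cmd --permanent --zone=%s --add-service=%s\n' "$1" "$2"
    echo 'firewall-cmd --reload'
    printf 'firewall-cmd --zone=%s --list-services\n' "$1"
}

# Run the sequence when firewall-cmd exists and we are root; otherwise print it.
apply_service() {
    if ! command -v firewall-cmd >/dev/null 2>&1 || [ "$(id -u)" -ne 0 ]; then
        echo 'firewall-cmd not available or not root; run these as root:' >&2
        service_commands "$1" "$2"
        return 1
    fi
    service_commands "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Demo in a scratch directory so the block runs anywhere. On CentOS 7 pass
# /etc/firewalld/services instead and follow with: apply_service internal myapp
scratch=$(mktemp -d)
file=$(write_service "$scratch" myapp "My App" "Custom HTTPS & admin ports for myapp" 8443/tcp 9000-9010/udp)
cat "$file"
service_commands internal myapp
```

Two details matter here. The reload before --add-service is not redundant: firewalld reads service files when it starts or reloads, so a freshly written XML file is unknown to it until then. And the validation step is what keeps a mistyped port specification from quietly opening the wrong port, which firewall-cmd --add-port itself will not catch for a syntactically valid but wrong number.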
