
Firewalld Firewall Basics (1)

2025-03-31 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Firewalld Firewall Basics

1. Firewalld overview

2. Relationship between Firewalld and iptables

3. Firewalld network zones

4. Firewalld firewall configuration methods

5. The firewall-config graphical tool

6. A Firewalld firewall case

Firewalld overview

1. A dynamic firewall management tool that supports network connections defined by network zones and interface security levels

2. Supports IPv4 and IPv6 firewall settings, and Ethernet bridges

3. Provides an interface that lets services or applications add firewall rules directly

4. Has two configuration modes: runtime configuration and permanent configuration

Rules are based on port, protocol, ...

Relationship between Firewalld and iptables

netfilter:

1. The packet filtering subsystem located in the Linux kernel

2. Known as the "kernel mode" of the Linux firewall

Firewalld / iptables:

1. The default tools for managing firewall rules (Firewalld on CentOS 7)

2. Known as the "user mode" of the Linux firewall

Differences between Firewalld and iptables:

                      Firewalld                                 iptables
Configuration file    /usr/lib/firewalld/ or /etc/firewalld/    /etc/sysconfig/iptables
Rule modification     no full policy refresh needed;            full policy refresh required;
                      existing connections are kept             existing connections are lost
Firewall type         dynamic firewall (flexible)               static firewall

Firewalld network zones:

drop (discard): any received packet is discarded without any reply; only outgoing network connections are possible.

block (restrict): any received network connection is rejected with an IPv4 icmp-host-prohibited message or an IPv6 icmp6-adm-prohibited message.

public: for use in public areas; you cannot trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.

external: for external networks, especially with masquerading enabled on the router; you cannot trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.

dmz (demilitarized zone): for computers in a demilitarized zone that are publicly accessible but have limited access to your internal network; only selected incoming connections are accepted.

work: for use in a work area; you can mostly trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.

home: for use in a home network; you can mostly trust that other computers on the network will not harm your computer; only selected incoming connections are accepted.

internal: for internal networks; you can mostly trust that other computers on the network will not threaten your computer; only selected incoming connections are accepted.

trusted: all network connections are accepted.

Advantages of PAT (port address translation): security, and conservation of IP addresses

iptables:

1. SNAT (source address translation)

2. DNAT (destination address translation)

Introduction to zones (1):

1. A zone is like a security door into the host, and each zone has different restrictions.

2. One or more zones can be used, but any active zone needs to be associated with at least one source address or interface.

3. By default, the public zone is the default zone and contains all interfaces (network cards).

Firewalld data processing flow:

Check the packet's source address:

1. If the source address is associated with a specific zone, the rules defined for that zone are enforced.

2. If the source address is not associated with a specific zone, the zone of the incoming network interface is used and the rules defined for that zone are enforced.

3. If the network interface is not associated with a specific zone either, the rules of the default zone are used.

Configuration methods for the Firewalld firewall

Runtime configuration:

1. Takes effect immediately and persists until Firewalld restarts or reloads its configuration

2. Does not break existing connections

3. Cannot modify the service configuration

Permanent configuration:

1. Does not take effect until Firewalld restarts or reloads its configuration

2. Terminates existing connections

3. Can modify the service configuration
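The zone-selection flow (source binding, then interface binding, then default zone) and the runtime/permanent split above can be modelled in a few lines. The class below is an added illustration written for this page, not firewalld's own code; the `firewall-cmd` invocations in the comments are the real commands each method stands in for, while the addresses, zones and ports used are constructed sample values.

```python
"""Model of firewalld zone selection and runtime vs permanent rule sets
(illustration only, not firewalld's implementation)."""
from dataclasses import dataclass, field
import ipaddress


@dataclass
class Firewalld:
    default_zone: str = "public"
    runtime: dict = field(default_factory=dict)       # zone -> allowed "port/proto"
    permanent: dict = field(default_factory=dict)     # what /etc/firewalld/ would hold
    source_bindings: dict = field(default_factory=dict)     # CIDR -> zone
    interface_bindings: dict = field(default_factory=dict)  # ifname -> zone

    # firewall-cmd [--permanent] --zone=<zone> --add-port=<port>/<proto>
    def add_port(self, zone, port, permanent=False):
        target = self.permanent if permanent else self.runtime
        target.setdefault(zone, set()).add(port)

    # firewall-cmd --reload: runtime-only changes are dropped, permanent config applied
    def reload(self):
        self.runtime = {z: set(p) for z, p in self.permanent.items()}

    # Step 1: a source binding (--add-source) wins; step 2: the interface's zone
    # (--change-interface); step 3: the default zone.
    def zone_for(self, src_ip, ifname):
        addr = ipaddress.ip_address(src_ip)
        for cidr, zone in self.source_bindings.items():
            if addr in ipaddress.ip_network(cidr):
                return zone
        return self.interface_bindings.get(ifname, self.default_zone)

    def allows(self, src_ip, ifname, port):
        return port in self.runtime.get(self.zone_for(src_ip, ifname), set())


if __name__ == "__main__":
    fw = Firewalld()
    fw.source_bindings["10.0.0.0/8"] = "internal"   # constructed sample bindings
    fw.interface_bindings["eth1"] = "dmz"
    fw.add_port("public", "8080/tcp")                # runtime only
    fw.add_port("dmz", "443/tcp", permanent=True)    # not live until reload
    print(fw.allows("192.0.2.5", "eth1", "443/tcp"))  # False before reload
    fw.reload()
    print(fw.allows("192.0.2.5", "eth1", "443/tcp"))  # True after reload
    print(fw.allows("192.0.2.5", "eth0", "8080/tcp"))  # False: runtime rule lost
```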

Configuration tools: the firewall-config graphical tool and the firewall-cmd command-line tool

Configuration files in /etc/firewalld/:

1. Firewalld gives priority to the configuration in /etc/firewalld/; if a configuration file is missing there, it can be copied from /usr/lib/firewalld/.

2. /usr/lib/firewalld/ holds the default configuration files, which should not be modified. To restore the default configuration, simply delete the corresponding configuration in /etc/firewalld/.

The firewall-config graphical tool:

1. Runtime configuration / permanent configuration

2. Reload firewall

3. Associate a network card with a specified zone

4. Change the default zone

5. Connection status

6. "Zones" tab: services, ports, protocols, source ports, masquerading, port forwarding, ICMP filter

7. "Services" tab: modules, destination addresses
