2025-04-09 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
Firewalld Firewall for Linux Network Services
1. Preface
In the previous article (Linux firewall) we introduced the concept of a firewall, with most of the detail on software firewalls (the Linux firewall). This article mainly describes the firewalld firewall in the CentOS 7 system.
2. Relationship and differences between the firewalld firewall and the iptables firewall
The firewalld firewall is the default firewall management tool of CentOS 7 and replaces the iptables firewall. Like iptables, it is a typical packet-filtering (network-layer) firewall that runs in user space (User Space). Internally, both hand the actual packet filtering to netfilter, the powerful network filtering subsystem that runs in kernel space.
The main differences are as follows:
                        firewalld                               iptables
Configuration files     /etc/firewalld/, /usr/lib/firewalld/    /etc/sysconfig/iptables
Modifying rules         no full refresh of the policy needed;   full refresh of the policy needed;
                        existing connections are kept           existing connections are lost
Firewall type           dynamic                                 static
The advantages of firewalld are that it supports dynamic updates and adds the concept of "zones" to the firewall. Firewalld supports both IPv4 and IPv6 addresses.
This article introduces the firewalld firewall through both the character (command-line) management tool and the graphical management tool.
3. The concept of zones
Zone        Description
drop        Any received network packet is dropped without any reply. Only outgoing network connections are possible.
block       Any received network connection is rejected with an icmp-host-prohibited message (IPv4) or an icmp6-adm-prohibited message (IPv6).
public      For use in public areas. You cannot trust other computers in the network not to harm your computer; only selected connections are accepted.
external    For use on external networks with masquerading enabled, especially for routers. You cannot trust other computers in the network not to harm your computer; only selected connections are accepted.
dmz         For computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected connections are accepted.
work        For use in work areas. You can mostly trust other computers in the network not to harm your computer; only selected connections are accepted.
home        For use in home networks. You can mostly trust other computers in the network not to harm your computer; only selected connections are accepted.
internal    For use on internal networks. You can mostly trust other computers in the network not to harm your computer; only selected connections are accepted.
trusted     All network connections are accepted.
4. Introduction to firewalld network zones
(1) A zone is like a security door into the host, and each zone has different restrictions.
(2) One or more zones can be used, but any active zone must be associated with at least one source address or interface.
(3) By default, the public zone is the default zone and contains all interfaces (network cards).
Firewalld data processing flow
firewalld checks the source address of the incoming packet:
(1) If the source address is associated with a specific zone, the rules of that zone are applied.
(2) If the source address is not associated with a specific zone, the zone of the network interface the packet arrived on is used and the rules of that zone are applied.
(3) If the network interface is not associated with a specific zone either, the default zone is used and the rules of that zone are applied.
5. Configuration methods of the firewalld firewall
Runtime configuration
(1) Takes effect immediately and lasts until firewalld is restarted or reloads its configuration.
(2) Does not break existing connections.
(3) Service configuration cannot be modified.
Permanent configuration
(1) Does not take effect immediately, unless firewalld is restarted or reloads its configuration.
(2) Breaks existing connections.
(3) Service configuration can be modified.
6. Concrete operation examples
Settings can be made with both the firewall-config graphical tool and the firewall-cmd command-line tool.
Configuration files in /etc/firewalld/
firewalld gives priority to the configuration in /etc/firewalld/ and falls back to the configuration in /usr/lib/firewalld/ if no configuration file exists there.
/etc/firewalld/: user-defined configuration files. Copy them from /usr/lib/firewalld/ when needed.
/usr/lib/firewalld/: default configuration files. Modifying them is not recommended. To restore the default configuration, you can delete the configuration in /etc/firewalld/ directly.
[root@localhost ~]# cd /etc/firewalld/
[root@localhost firewalld]# ls
firewalld.conf  helpers  icmptypes  ipsets  lockdown-whitelist.xml  services  zones
[root@localhost firewalld]# cd /usr/lib/firewalld/
[root@localhost firewalld]# ls
helpers  icmptypes  ipsets  services  xmlschema  zones
1) Start, stop and status commands of the firewall
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl start firewalld
[root@localhost ~]# systemctl enable firewalld        // start automatically at boot
[root@localhost ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-12-10 18:40:56 CST; 32s ago
     Docs: man:firewalld(1)
 Main PID: 53010 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─53010 /usr/bin/python -Es /usr/sbin/firewalld --nofork --no...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
Hint: Some lines were ellipsized, use -l to show in full.
[root@localhost ~]# firewall-cmd --state              // firewall-cmd reports the running state
running
[root@localhost ~]# systemctl stop firewalld          // stop firewalld
[root@localhost ~]# systemctl disable firewalld       // do not start firewalld automatically at boot
2) Let's use the command-line tool (firewall-cmd) and cross-check the result against the graphical management tool (firewall-config).
First, typing firewall-config on the command line pops up the following window interface:
1. Get predefined information
firewall-cmd has three main types of predefined information: available zones, available services, and available ICMP block types, as shown by the following view commands.
[root@localhost ~]# firewall-cmd --get-zones          // displays the predefined zones
work drop internal external trusted home dmz public block
[root@localhost ~]# firewall-cmd --get-services       // displays the predefined services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
[root@localhost ~]# firewall-cmd --get-icmptypes      // displays the predefined ICMP types
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-request
The meanings of the block types in the output of the firewall-cmd --get-icmptypes command are as follows.
destination-unreachable: destination address is unreachable.
echo-reply: echo reply (pong).
parameter-problem: parameter problem.
redirect: redirect.
router-advertisement: router advertisement.
router-solicitation: router solicitation.
source-quench: source quench.
time-exceeded: time exceeded.
timestamp-reply: timestamp reply.
timestamp-request: timestamp request.
2. Zone management
--get-default-zone                              displays the default zone for network connections or interfaces
--set-default-zone=<zone>                       sets the default zone for network connections or interfaces
--get-active-zones                              displays all active zones
--get-zone-of-interface=<interface>             displays the zone bound to the specified interface
--zone=<zone> --add-interface=<interface>       binds the interface to the specified zone
--zone=<zone> --change-interface=<interface>    changes the bound network interface of the specified zone
--zone=<zone> --remove-interface=<interface>    removes the bound network interface from the specified zone
--list-all-zones                                displays all zones and their rules
[--zone=<zone>] --list-all                      displays all rules of the specified zone; omitting --zone= operates on the default zone
The specific operation is shown below.
(1) Display the default zone of the current system.
[root@localhost ~]# firewall-cmd --get-default-zone
public
(2) Display all rules of the default zone.
[root@localhost ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  sourceports:
  icmp-blocks:
  rich rules:
(3) Display the zone of the network interface ens33.
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
public
(4) Change the zone of network interface ens33 to the internal zone.
[root@localhost ~]# firewall-cmd --zone=internal --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@localhost ~]# firewall-cmd --zone=internal --list-interfaces
ens33
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal
(5) Display all active zones.
[root@localhost ~]# firewall-cmd --get-active-zones
internal
  interfaces: ens33
4) Service management
For convenience, firewalld predefines many services, which are stored in the /usr/lib/firewalld/services/ directory. Each service is specified by a single XML configuration file named service-name.xml, with each file corresponding to a specific network service, such as the ssh service. The configuration file records the tcp/udp ports used by that service. In the latest version of firewalld, more than 70 services are defined by default for our use, and the services allowed to be accessed can be configured for each network zone. When the default services do not fit or the ports of a service need to be customised, we place our own service configuration file in the /etc/firewalld/services/ directory. Service configuration has the following advantages.
Managing rules by service name is more user-friendly.
Grouping ports through a service is more efficient: if a service uses several network ports, the service configuration file provides a shortcut for batch operations on those ports in rule management.
Table 1-3 lists common options for service management in firewall-cmd zones.
Table 1-3 Common options for service management in firewall-cmd zones
Option                                                     Description
[--zone=<zone>] --list-services                            displays all services allowed to be accessed in the specified zone
[--zone=<zone>] --add-service=<service>                    allows access to a service in the specified zone
[--zone=<zone>] --remove-service=<service>                 removes a service that was set to allow access in the specified zone
[--zone=<zone>] --list-ports                               displays all port numbers allowed to be accessed in the specified zone
[--zone=<zone>] --add-port=<port>[-<port>]/<protocol>      allows access to a port number (including the protocol name) in the specified zone
[--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>   removes a port number (including the protocol name) that was set to allow access in the specified zone
[--zone=<zone>] --list-icmp-blocks                         displays all ICMP types denied access in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype>                denies access to an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype>             removes an ICMP type that was set to deny access in the specified zone
Omitting --zone= means the operation applies to the default zone.
The specific operation is shown below.
(1) Set the services allowed to be accessed in the default zone.
[root@localhost ~]# firewall-cmd --list-services
ssh dhcpv6-client                                     // displays all services allowed to be accessed in the default zone
[root@localhost ~]# firewall-cmd --add-service=http   // allow access to the http service in the default zone
success
In the graphical interface, you will find that the HTTP service is now ticked (√) in the public zone.
[root@localhost ~]# firewall-cmd --add-service=https  // allow access to the https service in the default zone
success
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh https http
(2) Set the services allowed to be accessed in the internal zone.
[root@localhost ~]# firewall-cmd --zone=internal --add-service=mysql             // allow access to the mysql service in the internal zone
success
[root@localhost ~]# firewall-cmd --zone=internal --remove-service=samba-client   // no longer allow access to the samba-client service in the internal zone
success
[root@localhost ~]# firewall-cmd --zone=internal --list-services                 // display all services allowed to be accessed in the internal zone
ssh mdns dhcpv6-client mysql
5) Port management
When a predefined network service is configured by its service name, the ports involved in that service are opened automatically. For non-predefined services, however, ports can only be added manually to the specified zone. For example, the following command opens port 443/TCP in the internal zone.
[root@localhost ~]# firewall-cmd --zone=internal --add-port=443/tcp
success
To disable access to port 443/TCP in the internal zone, execute the following command.
[root@localhost ~]# firewall-cmd --zone=internal --remove-port=443/tcp
success
6) Two configuration modes
As mentioned earlier, the firewall-cmd tool has two configuration modes: runtime mode (Runtime mode), which is the firewall configuration currently running in memory and is lost when the system or the firewalld service is restarted or stopped; and permanent mode (Permanent mode), in which the rule configuration is stored permanently in the configuration files and is loaded when the firewall is restarted or reloaded.
The firewall-cmd tool has three options related to the configuration mode.
--reload: reloads the firewall rules while keeping state information, i.e. applies the permanent configuration to the runtime configuration.
--permanent: a command with this option sets persistent rules, which only take effect after firewalld is restarted or the firewall rules are reloaded; without this option the command sets runtime rules.
--runtime-to-permanent: writes the current runtime configuration to the rule configuration files, making it permanent.
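The following script is an added example (not from the original article) that ties the service-file section 4) and the two configuration modes above together: it writes a custom service file in the same XML form as /usr/lib/firewalld/services/*.xml, reads the ports back out of it, and allows it in a zone either at runtime or permanently with a reload. The service name myapp, its ports, and the FWCMD / SERVICES_DIR variables are assumptions for this example; setting FWCMD=echo previews the firewall-cmd commands without touching the firewall.

```shell
#!/bin/sh
# Added example: custom firewalld service file plus runtime vs permanent application.
# FWCMD and SERVICES_DIR are assumed knobs; FWCMD=echo turns the script into a dry run.
FWCMD="${FWCMD:-firewall-cmd}"
SERVICES_DIR="${SERVICES_DIR:-/etc/firewalld/services}"   # user-defined service files live here

# write_service <name> <port/protocol>...
# Writes <name>.xml in the format used by /usr/lib/firewalld/services/*.xml.
# firewalld only reads new service files after "firewall-cmd --reload".
write_service() {
    name="$1"; shift
    f="$SERVICES_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n  <short>%s</short>\n' "$name"
        for p in "$@"; do
            # ${p%/*} is the port (or range), ${p#*/} is the protocol
            printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
        done
        printf '</service>\n'
    } > "$f"
}

# service_ports <name>: prints one port/protocol pair per line from the service file;
# these are the ports --add-service=<name> opens.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$SERVICES_DIR/$1.xml"
}

# allow_now <zone> <service>: runtime rule, effective immediately, lost on reload or restart.
allow_now() {
    "$FWCMD" --zone="$1" --add-service="$2"
}

# allow_permanent <zone> <service>: permanent rule in /etc/firewalld/zones/<zone>.xml;
# it is applied to the running firewall only by the following --reload.
allow_permanent() {
    "$FWCMD" --permanent --zone="$1" --add-service="$2" && "$FWCMD" --reload
}

# Dry-run usage: FWCMD=echo SERVICES_DIR=/tmp sh this_script.sh
# write_service myapp 8080/tcp 8443/tcp      # constructed service for the example
# service_ports myapp                        # 8080/tcp and 8443/tcp
# allow_permanent internal myapp             # prints the two firewall-cmd invocations
```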
7. Summary
This article mainly describes the concepts behind firewalld and its concrete configuration, in a CentOS 7 environment.