
Firewalld Firewall of Linux Network Service

2025-04-09 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

1. Preface

In the previous article (Linux firewall) we introduced the concept of a firewall and described software firewalls (the Linux firewall) in detail. This article describes the firewalld firewall on a CentOS 7 system.

2. Relationship and differences between the firewalld firewall and the iptables firewall

firewalld is the default firewall management tool of CentOS 7 and replaces iptables. Like iptables it is a typical packet-filtering (network-layer) firewall that runs in user space; both tools hand their rules to netfilter, the kernel's packet-filtering subsystem, which actually performs the filtering.

The main differences are as follows:

                          firewalld                                 iptables
    Configuration files   /etc/firewalld/, /usr/lib/firewalld/      /etc/sysconfig/iptables
    Modifying rules       no full policy refresh is needed;         a full policy refresh is needed;
                          existing connections are kept             existing connections are lost
    Firewall type         dynamic                                   static

The advantage of firewalld is that it supports dynamic updates and adds the concept of a "zone" to the firewall. firewalld supports both IPv4 and IPv6 addresses.

This article introduces the firewalld firewall through both its command-line management tool and its graphical management tool.

3. The concept of zones

    Zone        Description
    drop        Any incoming network packet is dropped without any reply; only outgoing network connections are possible.
    block       Any incoming network connection is rejected with an icmp-host-prohibited message (IPv4) or an icmp6-adm-prohibited message (IPv6).
    public      For use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
    external    For external networks with masquerading enabled, especially on routers. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
    dmz         For computers in your demilitarized zone, which are publicly accessible and have limited access to your internal network; only selected incoming connections are accepted.
    work        For use in work areas. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
    home        For use in home networks. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
    internal    For use on internal networks. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
    trusted     All network connections are accepted.

4. Introduction to firewalld network zones

(1) A zone is like a security door into the host, and each zone has different restrictions.

(2) One or more zones can be used, but any active zone must be associated with at least one source address or interface.

(3) By default, the public zone is the default zone and contains all interfaces (network cards).

firewalld data processing flow

firewalld checks the source address of the packet:

(1) If the source address is associated with a specific zone, the rules of that zone are applied.

(2) If the source address is not associated with a specific zone, the zone of the network interface the packet arrived on is used and the rules of that zone are applied.

(3) If the network interface is not associated with a specific zone either, the default zone is used and the rules of that zone are applied.
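The three-step lookup above is easy to get wrong in practice (a source binding silently overrides the interface zone you expected). The following POSIX shell script is an added example, not firewalld code and not from the original article: it models the selection order with three constructed tables (source bindings, interface bindings, default zone) standing in for what firewalld keeps in memory, and resolves which zone's rules apply to a given source address arriving on a given interface. It handles IPv4 addresses and CIDR prefixes only; real firewalld source bindings can also be IPv6 addresses, MAC addresses or ipsets.

```shell
#!/bin/sh
# Added example: model of firewalld's zone selection order
# (source binding, then ingress interface, then default zone).
# The tables below are constructed stand-ins for the live state that
# "firewall-cmd --get-active-zones" would show; they are not real bindings.
SOURCE_ZONES='203.0.113.0/24 drop
192.168.10.7 trusted'
INTERFACE_ZONES='ens33 internal
ens34 public'
DEFAULT_ZONE=public

ip_to_int() {
    # Dotted-quad IPv4 address -> 32-bit integer, for prefix comparison.
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {
    # in_cidr ADDR NET[/BITS] -> status 0 if ADDR lies inside NET (a bare NET means /32).
    net=${2%/*}
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    if [ "$bits" -eq 0 ]; then return 0; fi
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

resolve_zone() {
    # resolve_zone SRC_ADDR INGRESS_IFACE -> prints the zone whose rules apply.
    src=$1; iface=$2
    # Step 1: a zone bound to the source address takes precedence over everything else.
    zone=$(printf '%s\n' "$SOURCE_ZONES" | while read -r cidr z; do
        if in_cidr "$src" "$cidr"; then printf '%s\n' "$z"; break; fi
    done)
    if [ -n "$zone" ]; then printf '%s\n' "$zone"; return 0; fi
    # Step 2: otherwise the zone of the interface the packet arrived on.
    zone=$(printf '%s\n' "$INTERFACE_ZONES" | while read -r dev z; do
        if [ "$dev" = "$iface" ]; then printf '%s\n' "$z"; break; fi
    done)
    if [ -n "$zone" ]; then printf '%s\n' "$zone"; return 0; fi
    # Step 3: otherwise the default zone.
    printf '%s\n' "$DEFAULT_ZONE"
}

# Stand-alone demo over constructed cases: the first one shows a source binding
# (drop) overriding the interface zone (internal) of ens33.
for sample in "203.0.113.44 ens33" "192.168.10.7 ens34" "192.168.10.8 ens33" "192.168.10.8 ens35"; do
    set -- $sample
    printf '%-14s via %-5s -> %s\n' "$1" "$2" "$(resolve_zone "$1" "$2")"
done
```

When auditing a host, compare the output of firewall-cmd --get-active-zones with what you expect for each interface: an address that falls into a source binding never reaches the interface zone's rules, which is exactly step (1) above.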

5. Configuration methods of the firewalld firewall

Runtime configuration

(1) Takes effect immediately and lasts until firewalld is restarted or its configuration is reloaded.

(2) Does not break existing connections.

(3) Service configuration cannot be modified.

Permanent configuration

(1) Does not take effect immediately; it is applied only when firewalld is restarted or its configuration is reloaded.

(2) Breaks existing connections.

(3) Service configuration can be modified.

6. Concrete operation example

firewalld can be configured with either the firewall-config graphical tool or the firewall-cmd command-line tool.

Configuration files in /etc/firewalld/

firewalld gives priority to the configuration in /etc/firewalld/ and falls back to the configuration in /usr/lib/firewalld/ if no configuration file exists there.

/etc/firewalld/ holds user-defined configuration files, copied from /usr/lib/firewalld/ when needed. /usr/lib/firewalld/ holds the default configuration files; modifying them is not recommended. To restore the default configuration, simply delete the configuration in /etc/firewalld/.

    [root@localhost ~]# cd /etc/firewalld/
    [root@localhost firewalld]# ls
    firewalld.conf  icmptypes  lockdown-whitelist.xml  zones
    helpers         ipsets     services
    [root@localhost firewalld]# cd /usr/lib/firewalld/
    [root@localhost firewalld]# ls
    helpers  icmptypes  ipsets  services  xmlschema  zones

1) Starting, stopping and checking the firewall

    [root@localhost ~]# systemctl stop firewalld
    [root@localhost ~]# systemctl start firewalld
    [root@localhost ~]# systemctl enable firewalld      # start at boot
    [root@localhost ~]# systemctl status firewalld
    ● firewalld.service - firewalld - dynamic firewall daemon
       Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2019-12-10 18:40:56 CST; 32s ago
         Docs: man:firewalld(1)
     Main PID: 53010 (firewalld)
       CGroup: /system.slice/firewalld.service
               └─53010 /usr/bin/python -Es /usr/sbin/firewalld --nofork --no...
    Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
    Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
    Dec 10 18:40:56 localhost.localdomain firewalld[53010]: WARNING: COMMA...
    Hint: Some lines were ellipsized, use -l to show in full.
    [root@localhost ~]# firewall-cmd --state            # firewall-cmd reports the daemon state
    running
    [root@localhost ~]# systemctl stop firewalld        # stop firewalld
    [root@localhost ~]# systemctl disable firewalld     # do not start firewalld at boot

2) Next we use the command-line tool (firewall-cmd) and cross-check the result with the graphical management tool (firewall-config).

Typing firewall-config on the command line opens the graphical management window.

1. Get predefined information

firewall-cmd provides three main kinds of predefined information: available zones, available services, and available ICMP block types. They are shown with the following commands.

    [root@localhost ~]# firewall-cmd --get-zones        # show the predefined zones
    work drop internal external trusted home dmz public block
    [root@localhost ~]# firewall-cmd --get-services     # show the predefined services
    RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap freeipa-ldaps freeipa-replication ftp high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mosh mountd ms-wbt mysql nfs ntp openvpn pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster radius rpc-bind rsyncd samba samba-client sane smtp smtps snmp snmptrap squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
    [root@localhost ~]# firewall-cmd --get-icmptypes    # show the predefined ICMP types
    destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-request

The meanings of the block types listed by firewall-cmd --get-icmptypes are as follows.

- destination-unreachable: the destination address is unreachable.
- echo-reply: echo reply (pong).
- parameter-problem: parameter problem.
- redirect: redirect.
- router-advertisement: router advertisement.
- router-solicitation: router solicitation.
- source-quench: source quench (the sender is asked to slow down).
- time-exceeded: time exceeded (TTL expired).
- timestamp-reply: timestamp reply.
- timestamp-request: timestamp request.

2. Zone management

    Option                                           Description
    --get-default-zone                               Show the default zone for network connections or interfaces
    --set-default-zone=<zone>                        Set the default zone for network connections or interfaces
    --get-active-zones                               Show all active zones
    --get-zone-of-interface=<interface>              Show the zone bound to the specified interface
    --zone=<zone> --add-interface=<interface>        Bind the specified interface to the zone
    --zone=<zone> --change-interface=<interface>     Change the network interface bound to the specified zone
    --zone=<zone> --remove-interface=<interface>     Remove the bound network interface from the specified zone
    --list-all-zones                                 Show all zones and their rules
    [--zone=<zone>] --list-all                       Show all rules of the specified zone; omitting --zone= operates on the default zone

The specific operation is shown below.

(1) Show the default zone of the current system.

    [root@localhost ~]# firewall-cmd --get-default-zone
    public

(2) Show all rules of the default zone.

    [root@localhost ~]# firewall-cmd --list-all
    public (active)
      target: default
      icmp-block-inversion: no
      interfaces: ens33
      sources:
      services: dhcpv6-client ssh
      ports:
      protocols:
      masquerade: no
      forward-ports:
      sourceports:
      icmp-blocks:
      rich rules:

(3) Show the zone of the network interface ens33.

    [root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
    public

(4) Change the zone of the network interface ens33 to the internal zone.

    [root@localhost ~]# firewall-cmd --zone=internal --change-interface=ens33
    The interface is under control of NetworkManager, setting zone to 'internal'.
    success
    [root@localhost ~]# firewall-cmd --zone=internal --list-interfaces
    ens33
    [root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
    internal

(5) Show all active zones.

    [root@localhost ~]# firewall-cmd --get-active-zones
    internal
      interfaces: ens33

4) Service management

For convenience, firewalld predefines many services, which are stored in the /usr/lib/firewalld/services/ directory. Each service is described by a single XML configuration file named service-name.xml, with one file per network service (for example the ssh service). Each configuration file records the tcp/udp ports used by that service. In the latest version of firewalld more than 70 services are defined by default, and each network zone can be configured with the services it allows access to. When a predefined service does not fit, or the ports of a service need to be customized, a service configuration file is placed in the /etc/firewalld/services/ directory. Configuring by service has the following advantages.

Rules are managed by service name, which is more readable.

Grouping ports by service is more efficient: if a service uses several network ports, its configuration file provides a batch shortcut for managing the rules of all those ports at once.
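The service definition format mentioned above (one XML file per service under /etc/firewalld/services/) is simple, and generating it from a script keeps custom definitions consistent and validated. The following POSIX shell script is an added example and is neither firewalld's own tooling nor code from the original article. It writes a service file with a short name, a description and one or more port/protocol entries in the format firewalld's service files use, and rejects malformed port specifications before they reach the firewall configuration. The FIREWALLD_SERVICES_DIR variable is this script's own assumption (it defaults to /etc/firewalld/services and can be pointed at a scratch directory for testing).

```shell
#!/bin/sh
# Added example (not from the article or from firewalld): generate a custom
# service definition in the XML format firewalld reads from
# /etc/firewalld/services/<name>.xml.
# FIREWALLD_SERVICES_DIR is this script's own knob; override it to write
# elsewhere, e.g. a scratch directory while testing.
FIREWALLD_SERVICES_DIR=${FIREWALLD_SERVICES_DIR:-/etc/firewalld/services}

valid_port_spec() {
    # Accept "PORT/PROTO" or "LOW-HIGH/PROTO" with PROTO one of tcp udp sctp dccp
    # and ports within 1-65535 (LOW <= HIGH); reject everything else.
    case $1 in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    port=${1%/*}
    case $port in
        ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;;
    esac
    lo=${port%-*}; hi=${port#*-}
    [ "$lo" -ge 1 ] && [ "$lo" -le 65535 ] && [ "$hi" -ge "$lo" ] && [ "$hi" -le 65535 ]
}

write_service_xml() {
    # write_service_xml NAME SHORT DESCRIPTION PORT/PROTO [PORT/PROTO ...]
    # Writes $FIREWALLD_SERVICES_DIR/NAME.xml and prints its path.
    name=$1; short=$2; desc=$3; shift 3
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid service name: '$name'" >&2; return 2 ;;
    esac
    case $short$desc in
        *['<>&']*) echo "short/description must not contain <, > or &" >&2; return 2 ;;
    esac
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO is required" >&2; return 2; }
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "invalid port spec: '$spec'" >&2; return 2; }
    done
    out=$FIREWALLD_SERVICES_DIR/$name.xml
    mkdir -p "$FIREWALLD_SERVICES_DIR" || return 2
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$out" || return 2
    printf '%s\n' "$out"
}

# Stand-alone use (constructed example values):
#   sh custom-service.sh myapp "My App" "Constructed example" 8443/tcp 30000-30100/udp
if [ $# -gt 0 ]; then
    write_service_xml "$@"
fi
```

After writing the file, run firewall-cmd --reload so that firewalld reads the new definition; the service then appears in firewall-cmd --get-services and can be allowed per zone with firewall-cmd --permanent --zone=internal --add-service=myapp followed by another --reload. Keeping the ports inside a named service rather than opening them with --add-port means a later audit of --list-services shows what the port is for.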

Table 1-3 lists the common firewall-cmd options for managing services in a zone.

Table 1-3 Common firewall-cmd options for service management in a zone

    Option                                                     Description
    [--zone=<zone>] --list-services                            Show all services allowed in the specified zone
    [--zone=<zone>] --add-service=<service>                    Allow access to a service in the specified zone
    [--zone=<zone>] --remove-service=<service>                 Remove an allowed service from the specified zone
    [--zone=<zone>] --list-ports                               Show all port numbers allowed in the specified zone
    [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>      Allow access to a port or port range (with protocol name) in the specified zone
    [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>   Remove an allowed port or port range (with protocol name) from the specified zone
    [--zone=<zone>] --list-icmp-blocks                         Show all ICMP types blocked in the specified zone
    [--zone=<zone>] --add-icmp-block=<icmptype>                Block an ICMP type in the specified zone
    [--zone=<zone>] --remove-icmp-block=<icmptype>             Remove a blocked ICMP type from the specified zone

Omitting --zone= operates on the default zone.

The specific operation is shown below.

(1) Set the services allowed in the default zone.

    [root@localhost ~]# firewall-cmd --list-services        # show all services allowed in the default zone
    ssh dhcpv6-client
    [root@localhost ~]# firewall-cmd --add-service=http     # allow access to the http service in the default zone
    success
    [root@localhost ~]# firewall-cmd --add-service=https    # allow access to the https service in the default zone
    success
    [root@localhost ~]# firewall-cmd --list-services
    dhcpv6-client ssh https http

In the graphical interface you will find that the HTTP and HTTPS services are now ticked (√) in the public zone.

(2) Set the services allowed in the internal zone.

    [root@localhost ~]# firewall-cmd --zone=internal --add-service=mysql              # allow the mysql service in the internal zone
    success
    [root@localhost ~]# firewall-cmd --zone=internal --remove-service=samba-client    # disallow the samba-client service in the internal zone
    success
    [root@localhost ~]# firewall-cmd --zone=internal --list-services                  # show all services allowed in the internal zone
    ssh mdns dhcpv6-client mysql

5) Port management

When a predefined network service is configured by its service name, the ports it uses are opened automatically. For services that are not predefined, however, the ports have to be added manually for the specified zone. For example, the following command opens port 443/TCP in the internal zone.

    [root@localhost ~]# firewall-cmd --zone=internal --add-port=443/tcp
    success

To close port 443/TCP in the internal zone again, run the following command.

    [root@localhost ~]# firewall-cmd --zone=internal --remove-port=443/tcp
    success

6) Two configuration modes

As mentioned earlier, the firewall-cmd tool has two configuration modes. Runtime mode refers to the firewall configuration currently running in memory, which is lost when the system or the firewalld service is restarted or stopped. Permanent mode refers to the rule configuration stored permanently in the configuration files, which is applied when the firewall is restarted or reloaded.

The firewall-cmd tool has three options related to the configuration mode.

--reload: reloads the firewall rules while keeping state information, i.e. applies the permanent configuration to the runtime configuration.

--permanent: a command with this option sets a permanent rule, which takes effect only after firewalld is restarted or the firewall rules are reloaded; without this option the command sets a runtime rule.

--runtime-to-permanent: writes the current runtime configuration to the rule configuration files, making it permanent.
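The two modes are the usual source of surprises: a rule added without --permanent (as in the service and port examples above) vanishes at the next --reload or reboot, and a rule added with --permanent is not enforced until then. The following POSIX shell script is an added example, not from the article and not part of firewalld: it compares the runtime and permanent service and port lists of a zone and reports entries present in only one of them, together with the option (--runtime-to-permanent or --reload) that closes the gap. The set_diff, report_drift and check_zone_drift names are this script's own; when run with --live on a host that has firewall-cmd it queries the real lists, otherwise it runs over a constructed sample.

```shell
#!/bin/sh
# Added example, not from the article or from firewalld: detect drift between
# firewalld's runtime and permanent configuration for one zone.
# Runtime-only entries disappear at the next --reload/restart; permanent-only
# entries are not enforced until then.

set_diff() {
    # set_diff "a b c" "b" -> "a c": words of the first list missing from the second.
    out=
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;
            *) out="$out$item " ;;
        esac
    done
    printf '%s\n' "${out% }"
}

report_drift() {
    # report_drift RUNTIME_LIST PERMANENT_LIST LABEL
    # Prints one line per drifted entry; returns 1 if any drift was found, else 0.
    lost=$(set_diff "$1" "$2")      # active now, gone after --reload
    pending=$(set_diff "$2" "$1")   # saved, but not enforced until --reload
    rc=0
    for i in $lost; do
        printf 'runtime-only %s %s: lost on reload (save with --runtime-to-permanent)\n' "$3" "$i"
        rc=1
    done
    for i in $pending; do
        printf 'permanent-only %s %s: not enforced until --reload\n' "$3" "$i"
        rc=1
    done
    return $rc
}

check_zone_drift() {
    # Compare runtime and permanent services and ports of ZONE on a live host.
    zone=$1
    drift=0
    report_drift "$(firewall-cmd --zone="$zone" --list-services)" \
                 "$(firewall-cmd --permanent --zone="$zone" --list-services)" service || drift=1
    report_drift "$(firewall-cmd --zone="$zone" --list-ports)" \
                 "$(firewall-cmd --permanent --zone="$zone" --list-ports)" port || drift=1
    return $drift
}

if command -v firewall-cmd >/dev/null 2>&1 && [ "${1:-}" = "--live" ]; then
    # Usage: sh zone-drift.sh --live [ZONE]   (defaults to the default zone)
    check_zone_drift "${2:-$(firewall-cmd --get-default-zone)}"
else
    # Constructed sample standing in for the two firewall-cmd outputs: http and
    # https were added at runtime only, as in the service examples above.
    report_drift "dhcpv6-client ssh https http" "dhcpv6-client ssh" service \
        || echo "drift detected"
fi
```

Running this before a planned firewall-cmd --reload tells you which runtime-only rules are about to disappear, so a service that depends on them is not cut off by what looks like a harmless reload.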

7. Summary

This article described the concepts and the specific configuration of firewalld; the environment is CentOS 7.
