2025-04-02 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Using FirewallD to build a dynamic firewall
FirewallD provides a dynamically managed firewall with support for network/firewall zones, which define the trust level of network connections and interfaces. It supports IPv4 and IPv6 firewall settings and Ethernet bridging, and keeps runtime configuration separate from permanent configuration. It also provides an interface through which services or applications can add firewall rules directly. The previous system-config-firewall/lokkit model was static: every change required a complete restart of the firewall, which meant unloading the kernel netfilter modules and loading the modules needed by the new configuration. Unloading the modules destroys the stateful firewall and its established connections.
The firewall daemon, in contrast, manages the firewall dynamically and applies changes without restarting the whole firewall, so there is no need to reload all kernel firewall modules. Using the daemon does require that every change to the firewall goes through the daemon, so that the state held by the daemon stays consistent with the firewall in the kernel. The daemon also cannot parse firewall rules added with the ip*tables and ebtables command line tools.
The daemon provides information about the currently active firewall settings through D-BUS, and also accepts changes made through D-BUS using PolicyKit authentication.
Daemon
Applications, daemons and users can enable a firewall feature through D-BUS requests. A feature can be one of the predefined firewall functions, such as a service, a port and protocol combination, port or datagram forwarding, masquerading, ICMP blocking, or a custom rule. A feature can be enabled for a limited time or deactivated again.
Through the so-called direct interface, other services (such as libvirt) can add their own rules using iptables arguments and parameters.
Netfilter firewall helpers for the amanda, ftp, samba and tftp services are also handled by the daemon, as long as they are part of predefined services. Loading additional helpers is not part of the current interface, because some helpers can only be loaded after all connections controlled by the module have been closed. Connection tracking information is therefore important and must be taken into account.
Static firewall (system-config-firewall/lokkit)
The static firewall model using system-config-firewall and lokkit is still available and will continue to be, but it cannot be used together with the daemon. The user or administrator decides which scheme to use.
A selector appears when the software is installed, started for the first time, or connected to the Internet for the first time; it lets you choose which firewall scheme to use. The other solution stays intact and can be enabled by switching modes.
The firewall daemon is independent of system-config-firewall, but the two cannot be used at the same time.
Static firewall rules using iptables and ip6tables
If you want to use your own static iptables and ip6tables firewall rules, install iptables-services, disable firewalld, and enable iptables and ip6tables:
yum install iptables-services
systemctl mask firewalld.service
systemctl disable firewalld
systemctl enable iptables.service
systemctl enable ip6tables.service
The static firewall rule configuration files are /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
Note: the iptables and iptables-services packages do not provide firewall rules for use with services. These services exist for compatibility and for people who want to use their own firewall rules. You can install and use system-config-firewall to create the rules needed by the services mentioned above. To use system-config-firewall, you must stop firewalld.
After you have created the rules for the services and stopped firewalld, you can start the iptables and ip6tables services:
systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service
What is a zone?
A network zone defines the trust level of a network connection. This is a one-to-many relationship: a connection can belong to only one zone, but a zone can be used for many connections.
Predefined services
A service is a combination of ports and/or protocols. It can also include netfilter helper modules and IPv4 and IPv6 addresses.
Ports and protocols
Defines a tcp or udp port, which can be a single port or a port range.
ICMP blocking
You can select Internet Control Message Protocol messages to block. These messages can be information requests, replies to information requests, or error conditions.
Masquerading
Private network addresses can be mapped to a public IP address. This is a form of address translation.
Port forwarding
A port can be mapped to another port and/or to another host.
Which zones are available?
The zones provided by firewalld, sorted from least trusted to most trusted:
drop
Any incoming packets are dropped without any response. Only outgoing network connections are possible.
block
Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6. Only network connections initiated from this system are possible.
public
For use in public areas. You do not trust the other computers on the network, and they may harm your computer. Only selected incoming connections are accepted.
external
For use on external networks, for example on a router with masquerading enabled. You do not trust the other computers on the network, and they may harm your computer. Only selected incoming connections are accepted.
dmz
For computers in a demilitarized zone (dmz) that external networks may access to a limited extent. Only selected incoming connections are accepted.
work
For use on work networks. You trust most of the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
home
For use on home networks. You trust most of the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
internal
For use on internal networks. You trust most of the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted.
Which zone should I choose?
A public WiFi connection, for example, should be treated as mostly untrusted, while a home wired network can be fairly trusted. Choose the zone that best matches the network you are using.
How to configure or add zones?
You can configure or add zones, and modify their configuration, with any of the firewalld configuration tools: the graphical tool firewall-config, the command line tool firewall-cmd, or the D-BUS interface. Alternatively, create or copy zone files in the configuration directories: @PREFIX@/lib/firewalld/zones holds the default and fallback configuration, and /etc/firewalld/zones holds user-created and customized configuration.
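As an added example (not code from the original article or from the firewalld project), the following Python helper writes a custom zone file in the XML format firewalld reads from /etc/firewalld/zones and parses it back, so a file produced by hand or by a deployment tool can be checked before it is dropped into place. The "lab" zone and its contents are constructed for illustration.

```python
"""Write and read firewalld zone files in the XML format used under
/etc/firewalld/zones.  Added example, not code from the original article
or from the firewalld project; the zone contents below are constructed."""
import xml.etree.ElementTree as ET
from pathlib import Path


def build_zone_xml(short, description, services=(), ports=(),
                   forward_ports=(), icmp_blocks=(), masquerade=False):
    """Return the text of a zone file.

    services      : predefined service names, e.g. "ssh"
    ports         : (port_or_range, protocol) pairs, e.g. ("443", "tcp")
    forward_ports : dicts with keys port, protocol and optionally
                    to_port and/or to_addr (IPv4 only, as in the article)
    icmp_blocks   : ICMP type names, e.g. "echo-reply"
    """
    zone = ET.Element("zone")
    ET.SubElement(zone, "short").text = short
    ET.SubElement(zone, "description").text = description
    for name in services:
        ET.SubElement(zone, "service", name=name)
    for port, proto in ports:
        ET.SubElement(zone, "port", protocol=proto, port=port)
    for fwd in forward_ports:
        attrs = {"port": fwd["port"], "protocol": fwd["protocol"]}
        if "to_port" in fwd:
            attrs["to-port"] = fwd["to_port"]
        if "to_addr" in fwd:
            attrs["to-addr"] = fwd["to_addr"]
        if len(attrs) == 2:
            raise ValueError("forward-port needs to_port and/or to_addr")
        ET.SubElement(zone, "forward-port", attrs)
    for name in icmp_blocks:
        ET.SubElement(zone, "icmp-block", name=name)
    if masquerade:
        ET.SubElement(zone, "masquerade")
    if hasattr(ET, "indent"):          # pretty-print on Python 3.9+
        ET.indent(zone)
    body = ET.tostring(zone, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def parse_zone_xml(text):
    """Parse a zone file back into a plain dict (reverse of build_zone_xml)."""
    root = ET.fromstring(text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    return {
        "short": root.findtext("short"),
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [(e.get("port"), e.get("protocol")) for e in root.findall("port")],
        "forward_ports": [dict(e.attrib) for e in root.findall("forward-port")],
        "icmp_blocks": [e.get("name") for e in root.findall("icmp-block")],
        "masquerade": root.find("masquerade") is not None,
    }


def write_zone_file(name, text, zones_dir="/etc/firewalld/zones"):
    """Write <zones_dir>/<name>.xml; run `firewall-cmd --reload` afterwards
    so firewalld picks the new zone up.  Returns the path written."""
    path = Path(zones_dir) / f"{name}.xml"
    path.write_text(text, encoding="utf-8")
    return path


# Constructed example: a "lab" zone that accepts ssh and https, forwards
# port 22 to 127.0.0.2 and blocks ICMP echo replies.
LAB_ZONE = build_zone_xml(
    "Lab",
    "Constructed example zone for the article's ssh/https/forwarding settings.",
    services=["ssh"],
    ports=[("443", "tcp")],
    forward_ports=[{"port": "22", "protocol": "tcp", "to_addr": "127.0.0.2"}],
    icmp_blocks=["echo-reply"],
)

if __name__ == "__main__":
    print(LAB_ZONE)            # write_zone_file("lab", LAB_ZONE) needs root
```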
How to set or change the zone of a network connection
The zone is stored as the ZONE= option in the ifcfg file of the network connection. If this option is missing or empty, firewalld uses its configured default zone.
If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the zone.
Network connections controlled by NetworkManager
The firewall cannot configure network connections by the name shown in NetworkManager, only network interfaces. Therefore, before a connection is brought up, NetworkManager tells firewalld which network interface corresponds to the connection described in the configuration file. If no zone is configured in that file, the interface is put into firewalld's default zone. If the network connection uses more than one interface, all of them are passed to firewalld. Interface name changes are also handled by NetworkManager and applied to firewalld.
For simplicity, the rest of this text speaks of the network connection as the thing that is associated with a zone.
If an interface is disconnected, NetworkManager also tells firewalld to remove the interface from its zone.
When firewalld is started or restarted by systemd or an init script, firewalld notifies NetworkManager to add the network connections to their zones.
Networks controlled by network scripts
There is a restriction on connections controlled by the network scripts: no daemon notifies firewalld to add the connection to a zone. This is done only in the ifcfg-post scripts. Therefore, a later renaming of the network connection is not applied to firewalld, and restarting firewalld while the connection is active causes it to lose its zone association. This is planned to be fixed. The simplest approach is to add all unconfigured connections to the default zone.
A zone defines which firewall features apply to the connections in that zone.
Using firewalld
You can turn firewall features on or off with the graphical tool firewall-config or the command line client firewall-cmd.
Using firewall-cmd
The command line tool firewall-cmd supports all firewall features. For status and query modes, the command only returns a status code and prints nothing.
General usage
Get the firewalld status
firewall-cmd --state
This returns the status of firewalld as an exit code with no output. You can get a printed status like this:
firewall-cmd --state && echo "Running" || echo "Not running"
From Fedora 19 on, the status output is more intuitive than before:
# rpm -qf $(which firewall-cmd)
firewalld-0.3.3-2.fc19.noarch
# firewall-cmd --state
not running
Reload the firewall without losing state information:
firewall-cmd --reload
If you use --complete-reload, state information is lost. This option should only be used when dealing with firewall problems, for example when state information and firewall rules look correct but no connections can be established.
Get a list of supported zones
firewall-cmd --get-zones
This command prints a space-separated list.
Get all supported services
firewall-cmd --get-services
This command prints a space-separated list.
Get all supported ICMP types
firewall-cmd --get-icmptypes
This command prints a space-separated list.
List all enabled zones with their features
firewall-cmd --list-all-zones
The output format is:
<zone>
  interfaces: <interface1> ..
  services: <service1> ..
  ports: <port1> ..
  forward-ports: <forward port1> ..
  icmp-blocks: <icmp type1> ..
  ..
List all features enabled in a zone. If the zone is omitted, the default zone is shown.
firewall-cmd [--zone=<zone>] --list-all
Get the default zone
firewall-cmd --get-default-zone
Set the default zone
firewall-cmd --set-default-zone=<zone>
New incoming connections on interfaces that are in the default zone are placed in the new default zone. Currently active connections are not affected.
Get the active zones
firewall-cmd --get-active-zones
This command prints the interfaces in each active zone in the following format:
<zone1>: <interface1> <interface2> ..
<zone2>: <interface3> ..
Get the zone of an interface
firewall-cmd --get-zone-of-interface=<interface>
This command prints the name of the zone the interface belongs to.
Add an interface to a zone
firewall-cmd [--zone=<zone>] --add-interface=<interface>
If the interface does not already belong to a zone, it is added to the zone. If the zone is omitted, the default zone is used. The interface is reapplied after a reload.
Change the zone an interface belongs to
firewall-cmd [--zone=<zone>] --change-interface=<interface>
This option is similar to --add-interface, but if the interface already belongs to another zone it is moved to the new zone.
Remove an interface from a zone
firewall-cmd [--zone=<zone>] --remove-interface=<interface>
Query whether an interface is in a zone
firewall-cmd [--zone=<zone>] --query-interface=<interface>
Returns whether the interface is in the zone. There is no output.
List the services enabled in a zone
firewall-cmd [--zone=<zone>] --list-services
Enable panic mode to block all network traffic in an emergency
firewall-cmd --panic-on
Disable panic mode
firewall-cmd --panic-off
Panic mode changed in version 0.3.0
In FirewallD versions before 0.3.0, the panic options were --enable-panic and --disable-panic.
Query panic mode
firewall-cmd --query-panic
This command returns the panic mode status as an exit code with no output. You can get a printed status like this:
firewall-cmd --query-panic && echo "On" || echo "Off"
Working with zones at runtime
Changes made to zones in runtime mode are not permanent. They are lost after a reload or restart.
Enable a service in a zone
firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]
This enables a service in the zone. If no zone is given, the default zone is used. If a timeout is given, the service is only enabled for that many seconds. If the service is already active, there is no warning message.
Example: enable the ipp-client service in the home zone for 60 seconds:
firewall-cmd --zone=home --add-service=ipp-client --timeout=60
Example: enable the http service in the default zone:
firewall-cmd --add-service=http
Disable a service in a zone
firewall-cmd [--zone=<zone>] --remove-service=<service>
This disables a service in the zone. If no zone is given, the default zone is used.
Example: disable the http service in the home zone:
firewall-cmd --zone=home --remove-service=http
The service is disabled in the zone. If the service was not enabled, there is no warning message.
Query whether a service is enabled in a zone
firewall-cmd [--zone=<zone>] --query-service=<service>
Returns 1 if the service is enabled, otherwise 0. There is no output.
Enable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]
This enables a port and protocol combination. The port can be a single port or a port range. The protocol can be tcp or udp.
Disable a port and protocol combination in a zone
firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
Query whether a port and protocol combination is enabled in a zone
firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
The result is returned as the exit status; there is no output.
Enable IP masquerading in a zone
firewall-cmd [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. Private network addresses are hidden and mapped to a public IP address. This is a form of address translation and is often used on routers. Due to kernel limitations, masquerading is only available for IPv4.
Disable IP masquerading in a zone
firewall-cmd [--zone=<zone>] --remove-masquerade
Query the masquerading status of a zone
firewall-cmd [--zone=<zone>] --query-masquerade
The result is returned as the exit status; there is no output.
Enable ICMP blocking in a zone
firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>
This blocks the selected Internet Control Message Protocol (ICMP) messages. An ICMP message can be a request, a reply to a request, or an error reply.
Disable ICMP blocking in a zone
firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>
Query ICMP blocking in a zone
firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>
The result is returned as the exit status; there is no output.
Example: block echo reply messages in the public zone:
firewall-cmd --zone=public --add-icmp-block=echo-reply
Enable port forwarding or mapping in a zone
firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
A port can be mapped to the same port on another host, or to a different port on the same host or on another host. The port can be a single port or a port range. The protocol can be tcp or udp. The destination port can be a port or a port range. The destination address can be an IPv4 address. Due to kernel limitations, port forwarding is only available for IPv4.
Disable port forwarding or mapping in a zone
firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Query port forwarding or mapping in a zone
firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
The result is returned as the exit status; there is no output.
Example: forward ssh (port 22/tcp) in the home zone to 127.0.0.2:
firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
Working with permanent zones
The permanent options do not directly affect the runtime state. They take effect only when the service is reloaded or restarted. To change both the runtime and the permanent settings, you need to set both separately. The --permanent option must be the first argument when making permanent changes.
Get the services supported by the permanent configuration
firewall-cmd --permanent --get-services
Get the ICMP types supported by the permanent configuration
firewall-cmd --permanent --get-icmptypes
Get the zones supported by the permanent configuration
firewall-cmd --permanent --get-zones
Permanently enable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --add-service=<service>
This permanently enables the service in the zone. If no zone is given, the default zone is used.
Permanently disable a service in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>
Query whether a service is permanently enabled in a zone
firewall-cmd --permanent [--zone=<zone>] --query-service=<service>
The result is returned as the exit status; there is no output.
Example: permanently enable the ipp-client service in the home zone:
firewall-cmd --permanent --zone=home --add-service=ipp-client
Permanently enable a port and protocol combination in a zone
firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>
Permanently disable a port and protocol combination in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>
Query whether a port and protocol combination is permanently enabled in a zone
firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>
The result is returned as the exit status; there is no output.
Example: permanently enable the https port (443/tcp) in the home zone:
firewall-cmd --permanent --zone=home --add-port=443/tcp
Permanently enable masquerading in a zone
firewall-cmd --permanent [--zone=<zone>] --add-masquerade
This enables masquerading for the zone. Private network addresses are hidden and mapped to a public IP address. This is a form of address translation and is often used on routers. Due to kernel limitations, masquerading is only available for IPv4.
Permanently disable masquerading in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-masquerade
Query the permanent masquerading status of a zone
firewall-cmd --permanent [--zone=<zone>] --query-masquerade
The result is returned as the exit status; there is no output.
Permanently enable ICMP blocking in a zone
firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>
This blocks the selected Internet Control Message Protocol (ICMP) messages. An ICMP message can be a request, a reply to a request, or an error reply.
Permanently disable ICMP blocking in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>
Query the permanent ICMP blocking status of a zone
firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>
The result is returned as the exit status; there is no output.
Example: permanently block echo reply messages in the public zone:
firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply
Permanently enable port forwarding or mapping in a zone
firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
A port can be mapped to the same port on another host, or to a different port on the same host or on another host. The port can be a single port or a port range. The protocol can be tcp or udp. The destination port can be a port or a port range. The destination address can be an IPv4 address. Due to kernel limitations, port forwarding is only available for IPv4.
Permanently disable port forwarding or mapping in a zone
firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
Query the permanent port forwarding or mapping status of a zone
firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol> { :toport=<port>[-<port>] | :toaddr=<address> | :toport=<port>[-<port>]:toaddr=<address> }
The result is returned as the exit status; there is no output.
Example: permanently forward ssh (port 22/tcp) in the home zone to 127.0.0.2:
firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
Direct options
The direct options are mainly intended for services and applications that add their own rules. These rules are not saved and must be submitted again after a reload or restart. The arguments passed are the same as for iptables, ip6tables and ebtables.
The --direct option must be the first argument of a direct command.
Pass a command through to the firewall. The arguments can be iptables, ip6tables or ebtables command line arguments.
firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>
Add a new chain <chain> to table <table>.
firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>
Delete chain <chain> from table <table>.
firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>
Query whether chain <chain> exists in table <table>. Returns 0 if it does, otherwise 1.
firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>
The result is returned as the exit status; there is no output.
Get a space-separated list of the chains in table <table>.
firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb } <table>
Add a rule with arguments <args> to chain <chain> in table <table>, with priority <priority>.
firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
Delete the rule with arguments <args> from chain <chain> in table <table>.
firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
Query whether a rule with arguments <args> exists in chain <chain> in table <table>. Returns 0 if it does, otherwise 1.
firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <args>
The result is returned as the exit status; there is no output.
Get all rules added to chain <chain> in table <table>, separated by newlines.
firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>
Current firewalld features
D-BUS interface
The D-BUS interface provides information about the firewall status and makes it possible to enable, disable, or query firewall settings.
Zones
A network or firewall zone defines the trust level of a connection. firewalld provides several predefined zones. Zone configuration options and general documentation are in the firewalld.zone(5) manual page.
Services
A service can be a list of local ports and destinations with additional information, or a set of firewall helper modules that are loaded automatically when the service is enabled. Using predefined services makes it easier to enable and disable access to a service. Service configuration options and general documentation are in the firewalld.service(5) manual page.
ICMP types
The Internet Control Message Protocol (ICMP) is used to exchange information and error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to restrict the exchange of these messages. ICMP type configuration options and general documentation are in the firewalld.icmptype(5) manual page.
Direct interface
The direct interface is mainly used by services or applications to add specific firewall rules. These rules are not permanent and must be reapplied after firewalld sends its start, restart and reload signals over D-Bus.
Runtime configuration
The runtime configuration is not permanent: it is reverted on reload, and these settings are lost when the system or the service is restarted or stopped.
Permanent configuration
The permanent configuration is stored in configuration files and is restored automatically every time the machine is restarted or the service is restarted or reloaded.
Tray applet
The tray applet firewall-applet shows the user the firewall status and any problems. It can also be used to configure the settings the user is allowed to change.
Graphical configuration tool
The main configuration tool for the firewall daemon is firewall-config. It supports all firewall features except the direct interface, which services and applications use to add rules. Administrators can also use it to change system or user policies.
Command line client
firewall-cmd provides most of the graphical tool's configuration features on the command line.
Support for ebtables
ebtables support is needed to cover all requirements of the libvirt daemon and to avoid access problems between ip*tables and ebtables at the kernel netfilter level. These commands access the same structures, so they cannot be used at the same time.
Default/fallback configuration in /usr/lib/firewalld
This directory contains the default and fallback ICMP type, service and zone configuration shipped by firewalld. The files provided by the firewalld package should not be modified; any changes are reset when the firewalld package is updated. Additional ICMP types, services and zones can be provided by software packages or by creating files.
System configuration in /etc/firewalld
The system or user configuration stored here can be customized by the system administrator through the configuration interfaces or by hand. These files override the default configuration files.
To manually change a predefined ICMP type, zone or service, copy its configuration from the default configuration directory to the corresponding system configuration directory and modify it as needed.
If a zone is loaded with its default/fallback configuration, the corresponding file under /etc/firewalld is renamed with a .old suffix and the fallback configuration is used instead.
Features under development
Rich language
The rich language feature provides a mechanism to configure complex IPv4 and IPv6 firewall rules through a high-level language, without needing to know iptables syntax.
Fedora 19 ships the second milestone of the rich language feature, with D-Bus and command line support. The third milestone will add support in the graphical interface firewall-config.
Lockdown
The lockdown feature adds a simple way to configure firewalld to lock down configuration changes by local applications or services. It is a lightweight application policy.
Fedora 19 ships the second milestone of the lockdown feature, with D-Bus and command line support. The third milestone will add support in the graphical interface firewall-config.
Permanent direct rules
This feature is at an early stage. It will make it possible to save direct rules and direct chains. Passthrough rules are not part of this feature.
Migration from the ip*tables and ebtables services
This feature is at an early stage. As far as possible, it will provide scripts that convert iptables, ip6tables and ebtables service configurations into permanent direct rules. It may have limitations regarding integration with the direct chains provided by firewalld.
This feature will require extensive migration testing with complex firewall configurations.
Planned and proposed features
Firewall abstraction model
Adding an abstraction layer on top of the ip*tables and ebtables firewall rules makes adding rules easier and more intuitive. It is not a simple task to make the abstraction layer powerful without making it complex, and a firewall language has to be developed for it. Firewall rules would then have a fixed place, and the port access status, access policies, other general information and other possible firewall features could be queried.
Support for conntrack
conntrack is needed to terminate connections that were established through a feature which has since been disabled. However, terminating connections may not be desirable in some cases, for example when a firewall service is enabled for a limited time so that a long-lived external connection can be established.
User interaction mode
This is a special mode that a user or administrator can enable in the firewall. All requests from applications to change the firewall are directed to the user for confirmation or denial. It is possible to limit the authorization of a connection to a time span and to restrict the hosts, networks, or connections it applies to. The configuration can be saved so that the same behavior is applied without a prompt in the future. Another feature of this mode is the handling of external connection attempts that request pre-selected services and ports, with the same functionality as for application-initiated requests. Service and port restrictions also limit the number of requests shown to the user.
User policy support
Administrators can specify which users may use the user interaction mode and limit the firewall features available to them.
Port metadata information (proposed by Lennart Poettering)
It would be good to have port-independent metadata information. The current static port and protocol allocation model in /etc/services is not a good solution and does not reflect current usage. The ports used by an application or service are dynamic, so a port by itself does not describe its usage.
Metadata information can be used to make simple rules for firewalls. Here are some examples:
Allow external access to file sharing applications or services
Allow external access to music sharing applications or services
Allow external access to all shared applications or services
Allow external access to torrent file sharing applications or services
Allow external access to http network services
The metadata here refers not only to a specific application but also to groups of use cases. For example, the group "share all" or the group "file share" could correspond to all sharing programs or to file sharing programs (such as torrent file sharing). These are only examples and may therefore not be of practical use.
Here are two possible ways to get metadata information into a firewall:
The first is to add it to netfilter (kernel space). The advantage is that everyone can use it, but there are limitations on its use: user- or system-specific information would also have to be implemented at the kernel level.
The second is to add it to the firewall daemon. These abstract rules could then be combined with specific information (such as the trust level of the network connection, the user's description of what to share with specific persons or hosts, administrator rules that forbid sharing entirely, and so on).
The advantage of the second solution is that no kernel recompilation is needed for new metadata sets or for changes to the included information (trust levels, user preferences, administrator rules, etc.). Adding these abstract rules gives the firewall daemon more freedom; even new security levels can be added easily without a kernel update.
sysctld
There are still sysctl settings that are not applied correctly. One example is a module that provides a setting but is not loaded while rc.sysinit runs, or that is reloaded later during startup.
Another example is net.ipv4.ip_forward, which is needed by firewall settings, by libvirt, and by user/administrator changes. If two applications or daemons turn on ip_forwarding only when they need it, one of them may turn it off without knowing that the other still needs it, and the other then has to turn it back on.
A sysctl daemon could solve this with an internal reference count on the settings: once the last requester no longer needs a setting, it is returned to its previous state or turned off.
Firewall rules
Netfilter firewalls are always sensitive to the order of rules, because a rule has no fixed place in a chain. Adding or removing a rule before another rule changes that rule's position. In the static firewall model, changing the firewall means rebuilding a clean, complete firewall setup, limited to the features directly supported by system-config-firewall/lokkit. There is no integration with other applications for creating firewall rules, and rules not added through the custom rules file feature of s-c-fw/lokkit are unknown to it. There is also usually no safe way to add or remove rules in the default chains without affecting other rules.
The dynamic firewall has additional chains for its firewall features. These special chains are called in a defined order, so adding rules to them does not interfere with the reject and drop rules called earlier. This makes it possible to build a cleaner, more complete firewall configuration.
Here are some rules created by the daemon with the ssh, mdns and ipp-client services enabled in the public zone, in the filter table:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
The deny/allow model produces clear behavior, ideally without conflicting rules. For example, an ICMP block set for the public zone goes into the IN_ZONE_public_deny chain, which is processed before the IN_ZONE_public_allow chain.
This model makes it easy to add or remove rules in one specific block without interfering with the other blocks.
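As an added example (not code from the original article or from the firewalld project), the following Python script checks the chain model described above on an iptables-save style dump: it verifies that each zone's deny chain is called before its allow chain, that the built-in INPUT and FORWARD chains end in a refusal, and lists the ports the zone's allow chain opens for new connections. SAMPLE_DUMP is a constructed copy of the filter table shown above; on a live system the same functions can be fed the output of iptables-save.

```python
"""Sanity-check the deny/allow chain model in an iptables-save dump.
Added example, not code from the original article or the firewalld
project.  SAMPLE_DUMP is a constructed copy of the filter table above."""
import re

SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

_JUMP = re.compile(r"\s-j\s+(\S+)")
_ALLOW = re.compile(r"-p (\w+) .*--dport (\S+) .*--ctstate NEW .*-j ACCEPT$")


def parse_chains(dump):
    """Return {chain: [rule, ...]} for the filter table, rules in order."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):                # chain declaration
            chains.setdefault(line[1:].split()[0], [])
        elif line.startswith("-A "):            # rule appended to a chain
            chains.setdefault(line.split()[1], []).append(line)
    return chains


def jump_targets(rules):
    """Jump targets (-j ...) of the given rules, in rule order."""
    return [m.group(1) for m in map(_JUMP.search, rules) if m]


def deny_before_allow(chains, zone):
    """True if IN_ZONE_<zone> calls its _deny chain before its _allow chain,
    i.e. the ordering the article relies on for ICMP blocks."""
    targets = jump_targets(chains.get(f"IN_ZONE_{zone}", []))
    deny, allow = f"IN_ZONE_{zone}_deny", f"IN_ZONE_{zone}_allow"
    return (deny in targets and allow in targets
            and targets.index(deny) < targets.index(allow))


def default_policy_closed(chains, chain="INPUT"):
    """True if the last rule of a built-in chain is REJECT or DROP, so that
    traffic not accepted by a zone chain falls through to a refusal."""
    targets = jump_targets(chains.get(chain, []))
    return bool(targets) and targets[-1] in ("REJECT", "DROP")


def allowed_new_ports(chains, zone):
    """Ports accepted for NEW connections by the zone's allow chain."""
    out = []
    for rule in chains.get(f"IN_ZONE_{zone}_allow", []):
        m = _ALLOW.search(rule)
        if m:
            out.append(f"{m.group(2)}/{m.group(1)}")
    return out


if __name__ == "__main__":
    c = parse_chains(SAMPLE_DUMP)
    print("deny before allow:", deny_before_allow(c, "public"))
    print("INPUT ends in refusal:", default_policy_closed(c))
    print("open to NEW:", allowed_new_ports(c, "public"))
```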