
Firewalld Firewall Foundation

2025-04-10 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

Overview of Firewalld Firewall Basics

Introduction to Firewalld

A dynamic firewall management tool that supports network connections defined by network zones and interface security levels

Supports IPv4 and IPv6 firewall settings and Ethernet bridging

Provides an interface through which services or applications can add firewall rules directly

There are two configuration modes

Runtime configuration

Permanent configuration

The relationship between Firewalld and iptables

Netfilter

The packet-filtering subsystem located in the Linux kernel

Referred to as the "kernel space" part of the Linux firewall

Firewalld/iptables

The default tools for managing firewall rules on CentOS 7

Referred to as the "user space" part of the Linux firewall

The difference between Firewalld and iptables

Firewalld network zones

Introduction to zones

When the network card's zone has not been changed, public is the default

A zone is like a security door into the host, and each zone has different restrictions.

One or more zones can be used, but any active zone must be associated with at least one source address or interface

By default, public is the default zone and contains all interfaces (network cards)

Firewalld data processing flow

Check the source address of the incoming data

If the source address is associated with a specific zone, the rules specified by that zone are applied

If the source address is not associated with a specific zone, the zone of the network interface the data arrived on is used and the rules specified by that zone are applied

If the network interface is not associated with a specific zone, the default zone is used and the rules specified by that zone are applied
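
The three-step zone selection described above, modeled as an added example (not code from the original article and not firewalld's own code). The Zone class, both helper functions and the interface name ens33 are assumptions for illustration, and the model checks only the selected zone's service list; the zone contents mirror the work/public settings used in the case later on this page.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    sources: list = field(default_factory=list)     # addresses/CIDR ranges bound to the zone
    interfaces: list = field(default_factory=list)  # interface names bound to the zone
    services: set = field(default_factory=set)      # services the zone allows


def select_zone(zones, default_zone, src_ip, in_iface):
    """Return (zone, matched_by) using the three-step order from the text."""
    addr = ipaddress.ip_address(src_ip)
    # Step 1: a zone associated with the source address takes precedence.
    for zone in zones:
        for source in zone.sources:
            if addr in ipaddress.ip_network(source, strict=False):
                return zone, "source"
    # Step 2: otherwise use the zone of the interface the traffic arrived on.
    for zone in zones:
        if in_iface in zone.interfaces:
            return zone, "interface"
    # Step 3: otherwise fall back to the default zone.
    return next(z for z in zones if z.name == default_zone), "default"


def check_service(zones, default_zone, src_ip, in_iface, service):
    """Return (zone name, matched_by, allowed) for one connection attempt."""
    zone, matched_by = select_zone(zones, default_zone, src_ip, in_iface)
    return zone.name, matched_by, service in zone.services


# Constructed configuration: ens33 is a hypothetical interface name; the source
# binding and service lists mirror the work/public settings in the case below.
ZONES = [
    Zone("work", sources=["192.168.131.129"], services={"ssh", "dhcp"}),
    Zone("public", interfaces=["ens33"], services={"dhcp"}),
]

if __name__ == "__main__":
    for ip, iface in [("192.168.131.129", "ens33"),
                      ("192.168.131.130", "ens33"),
                      ("10.0.0.5", "ens37")]:
        print(ip, iface, check_service(ZONES, "public", ip, iface, "ssh"))
```
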

Configuration methods of the Firewalld firewall

Runtime configuration

Takes effect immediately and lasts until Firewalld restarts or reloads the configuration

Does not break existing connections

Cannot modify service configuration

Permanent configuration

Does not take effect immediately; it takes effect only when Firewalld restarts or reloads the configuration

Interrupts existing connections

Can modify service configuration

The firewall-config graphical tool

Runtime configuration / permanent configuration

Reload the firewall

Change the permanent configuration and make it take effect (associate the network card with the specified zone)

Modify the default zone

Connection status

Zones tab content

1. Services subtab

2. Ports subtab

3. Protocols subtab

4. Source Ports subtab

5. Masquerading subtab

6. Port Forwarding subtab

7. ICMP Filter subtab

Services tab

1. Modules subtab

2. Destination address subtab

Firewalld firewall case

Requirements description:

Prevent hosts from pinging the server

Only the host 192.168.131.129 is allowed to access the SSH service

Allow all hosts to access the Apache service

Run the command firewall-config in a terminal to open the firewall's graphical interface

Settings that allow only 192.168.131.129 to access the SSH service

Select work in the Zones tab, then select the Sources subtab and add the IP address 192.168.131.129 of the host that is allowed to access the SSH service.

Select work in the Zones tab, check ssh and dhcp and uncheck dhcpv6-client, and then uncheck the ssh option in public (the public zone)

Configuration that allows all hosts to access the Apache service

Select public (the public zone) in the Zones tab, check dhcp and uncheck dhcpv6-client

Configuration that prevents hosts from pinging the server

Check echo-request in the ICMP Filter option of work

Check echo-reply in the ICMP Filter option of public (the public zone)
