2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Main points of content:
Overview of firewalld
The relationship between firewalld and iptables
Firewalld network area
Configuration method of firewalld Firewall
Firewall-config graphical tool
I. Overview of firewalld
Introduction to firewalld:
A dynamic firewall management tool that supports network connections defined by network zones and interface security levels
Supports IPv4 and IPv6 firewall settings as well as Ethernet bridges
Provides an interface through which services or applications can add firewall rules directly
There are two configuration modes
Run-time configuration (settings are lost after a restart)
Permanent configuration (declared in the configuration files)
II. The relationship between firewalld and iptables
Netfilter
The packet filtering subsystem located in the Linux kernel
The "kernel-space" part of what is called the Linux firewall
Firewalld/iptables
The default tool for managing firewall rules on CentOS 7 is firewalld
The "user-space" part of what is called the Linux firewall
III. Network area
Zone description (default zone is public)
A zone is like a security door into the host, and each zone has different restrictions.
One or more zones can be used, but any active zone must be associated with at least one source address or interface
By default, the public zone is the default zone and contains all interfaces (network cards)
Firewalld data processing flow
Check the source address of the incoming packet
If the source address is associated with a specific zone, the rules specified by that zone are applied
If the source address is not associated with a specific zone, the zone of the network interface the packet arrived on is used and the rules specified by that zone are applied
If the network interface is not associated with a specific zone, the default zone is used and the rules specified by that zone are applied
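The three-step zone selection described above, as an added example (not code from the original article). The bindings are constructed sample data, and choosing the most specific source binding when several overlap is an assumption of this example.

```python
import ipaddress

DEFAULT_ZONE = "public"

# Constructed sample bindings, as set with firewall-cmd --add-source / --change-interface
SOURCE_BINDINGS = {
    "10.0.0.0/8": "internal",
    "10.0.5.0/24": "trusted",
    "192.0.2.0/24": "drop",
}
INTERFACE_BINDINGS = {
    "eth0": "public",
    "eth1": "dmz",
}


def resolve_zone(src_ip, iface, sources=SOURCE_BINDINGS,
                 interfaces=INTERFACE_BINDINGS, default=DEFAULT_ZONE):
    """Return (zone, reason) for a packet from src_ip arriving on iface."""
    addr = ipaddress.ip_address(src_ip)
    # 1. Source address bound to a zone? Longest prefix wins when networks overlap
    #    (assumption of this example).
    best = None
    for cidr, zone in sources.items():
        net = ipaddress.ip_network(cidr, strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, zone)
    if best:
        return best[1], f"source {best[0]}"
    # 2. Otherwise, the zone the receiving interface is bound to.
    if iface in interfaces:
        return interfaces[iface], f"interface {iface}"
    # 3. Otherwise, the default zone.
    return default, "default zone"


if __name__ == "__main__":
    for pkt in (("10.0.5.7", "eth0"), ("10.1.2.3", "eth0"),
                ("203.0.113.9", "eth1"), ("203.0.113.9", "wlan0")):
        print(pkt, "->", resolve_zone(*pkt))
```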
IV. Configuration method of the firewalld firewall
Run-time configuration
Takes effect immediately and lasts until firewalld restarts or reloads its configuration
Does not break existing connections
Cannot modify service configuration
Permanent configuration
Does not take effect until firewalld restarts or reloads its configuration
Breaks existing connections
Can modify service configuration
Firewall-config graphical tool
Runtime configuration / permanent configuration
Reload the firewall
Change the permanent configuration and apply it
Associate a network card with the specified zone
Modify the default zone
Connection status
Firewall-cmd command line tool
1. Start, stop, and view firewalld services
When you install the CentOS 7 system, firewalld and the graphical tool firewall-config are installed automatically. Execute the following commands to start firewalld and set it to start at boot.
[root@localhost ~]# systemctl start firewalld     // start firewalld
[root@localhost ~]# systemctl enable firewalld    // set firewalld to start at boot
If firewalld is running, you can check its running status with systemctl status firewalld or the firewall-cmd command.
[root@localhost ~]# systemctl status firewalld
[root@localhost ~]# systemctl stop firewalld      // stop firewalld
[root@localhost ~]# systemctl disable firewalld   // set firewalld not to start automatically
2. Obtain predefined information
There are three main types of firewall-cmd predefined information: available zones, available services, and available ICMP blocking types, as shown by the following commands.
[root@localhost ~]# firewall-cmd --get-zones       // display predefined zones
work drop internal external trusted home dmz public block
[root@localhost ~]# firewall-cmd --get-services    // display predefined services
RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client ceph ceph-mon dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync freeipa-ldap ...
[root@localhost ~]# firewall-cmd --get-icmptypes   // display predefined ICMP types
destination-unreachable echo-reply echo-request parameter-problem redirect router-advertisement router-solicitation source-quench time-exceeded timestamp-reply timestamp-request
The meanings of the blocking types listed by the firewall-cmd --get-icmptypes command are as follows.
Destination-unreachable: destination address is unreachable.
Echo-reply: echo reply (pong).
Parameter-problem: parameter problem.
Redirect: redirect.
Router-advertisement: router advertisement.
Router-solicitation: router search.
Source-quench: source-side suppression.
Time-exceeded: time exceeded.
Timestamp-reply: timestamp reply.
Timestamp-request: timestamp request.
3. Zone management
4. Firewalld port operation command
5. Firewalld blocking ICMP operation command
6. Two configuration modes
--reload: reload the firewall rules while keeping state information; that is, the permanent configuration is applied to the runtime configuration.
--permanent: commands with this option set permanent rules, which take effect only after firewalld is restarted or the firewall rules are reloaded; without it, the command sets runtime rules.
--runtime-to-permanent: writes the current runtime configuration to the rule configuration files, making it permanent.
Configuration files in /etc/firewalld/
firewalld gives priority to the configuration in /etc/firewalld/; if no configuration file exists there, the one in /usr/lib/firewalld/ is used.
/etc/firewalld/: user-defined configuration files, which can be copied from /usr/lib/firewalld/ if needed
/usr/lib/firewalld/: default configuration files; editing them is not recommended. To restore the default configuration, delete the corresponding configuration in /etc/firewalld/ directly.
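The precedence rule above, as an added example (not code from the original article): resolve which zone file firewalld would read for a zone name and list what it opens. The XML layout (<zone>, <service name=.../>, <port port=... protocol=.../>) is the real firewalld zone file format; the two sample public.xml files are constructed here under a temporary root, and restore_defaults mirrors the "delete the copy in /etc/firewalld/" step.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Search order: user-defined directory first, then the package defaults.
ZONE_DIRS = ("etc/firewalld/zones", "usr/lib/firewalld/zones")


def load_zone(root, name):
    """Return the effective definition of zone `name` below `root`
    (use root="/" on a real host). Raises FileNotFoundError if absent."""
    for rel in ZONE_DIRS:
        path = os.path.join(root, rel, name + ".xml")
        if os.path.exists(path):
            zone = ET.parse(path).getroot()
            return {
                "source": path,
                "services": sorted(s.get("name") for s in zone.findall("service")),
                "ports": sorted(f"{p.get('port')}/{p.get('protocol')}"
                                for p in zone.findall("port")),
            }
    raise FileNotFoundError(f"no zone file for {name!r}")


def restore_defaults(root, name):
    """Drop the user copy so the shipped default in usr/lib/ applies again."""
    os.remove(os.path.join(root, ZONE_DIRS[0], name + ".xml"))


def build_sample_tree():
    """Constructed sample: the shipped public zone opens only ssh and
    dhcpv6-client; a user copy under etc/ additionally opens 8080/tcp."""
    root = tempfile.mkdtemp()
    shipped = ('<zone><short>Public</short><service name="ssh"/>'
               '<service name="dhcpv6-client"/></zone>')
    custom = shipped.replace("</zone>", '<port port="8080" protocol="tcp"/></zone>')
    for rel, body in ((ZONE_DIRS[1], shipped), (ZONE_DIRS[0], custom)):
        os.makedirs(os.path.join(root, rel))
        with open(os.path.join(root, rel, "public.xml"), "w") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    print(load_zone(root, "public"))   # the etc/ copy wins
    restore_defaults(root, "public")
    print(load_zone(root, "public"))   # shipped default applies again
```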