2025-03-31 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Objective: to configure the firewalld firewall correctly and confidently.
What you gain: the ability to write firewall policies for production systems and adapt them to a variety of real environments.
Theoretical background:
1. RHEL 7 uses firewalld as its firewall by default. The management tool is firewall-cmd. firewalld is a front end to the kernel packet filter; the commands it issues underneath are still iptables.
2. Several firewall services coexist on RHEL 7: firewalld, iptables, ip6tables and ebtables. Because these daemons conflict with one another, disable the others when firewalld is in use: systemctl mask iptables ip6tables ebtables
3. firewalld provides firewall management with support for network/firewall zones that define the trust level of network connections and interfaces, with separate runtime and permanent configurations. It also offers an interface through which services or applications can add firewall rules directly.
4. The firewalld daemon manages the firewall dynamically: changes are applied without restarting the whole firewall, so established connections are not dropped. A zone defines the trust level of a network connection; every packet entering the host is assigned to exactly one zone, and each zone has its own set of rules.
Topology Diagram:
Predefined services: a service is a named combination of ports and/or protocols.
Ports and protocols: a TCP or UDP port or port range, which can be opened directly when no predefined service fits.
ICMP blocking: individual Internet Control Message Protocol message types can be selected and blocked. These messages are information requests, replies to such requests, or error reports.
Masquerading: the addresses of a private network are mapped to a public IP address. This is ordinary network address translation (NAT); firewalld supports it for IPv4 only.
Port forwarding: a port can be mapped to another port on the same host or to a port on another host.
One: the predefined zones (there are nine by default, each with a specific meaning)
Before going into firewalld configuration, the concept of zones needs some discussion. A number of zones exist by default. Those provided by firewalld are listed below in order from least trusted to most trusted.
Drop zone: any incoming packet is discarded without a reply. This is equivalent to the earlier iptables -j DROP; because nothing is sent back, the sender sees only a timeout. Only outgoing connections are possible.
Block zone: incoming connections are rejected with an icmp-host-prohibited message for IPv4 (icmp6-adm-prohibited for IPv6); only connections initiated from the system itself are allowed.
Public zone: only selected incoming connections are accepted, by default only ssh and dhcpv6-client. This is the default zone.
External zone: for use on external networks with masquerading enabled, which is what a router's masquerading option does. Only selected incoming connections are accepted, by default only ssh; everything else is rejected.
DMZ zone: for hosts in a demilitarized zone that should expose only a few services to the outside. Only selected incoming connections are accepted, by default only ssh.
Work zone: for work networks where the other machines are mostly trusted. Only selected incoming connections are accepted: ssh, ipp-client and dhcpv6-client.
Home zone: for home networks where the other machines are mostly trusted. Only selected incoming connections are accepted: ssh, ipp-client, mdns, samba-client and dhcpv6-client.
Internal zone: for internal networks; like the work zone, only selected connections are accepted, and its default set of services is the same as the home zone.
Trusted zone: all network traffic is accepted.
Remember: because trusted is the most trusted zone, traffic is allowed even when no service has been added to it, since the trusted zone accepts all connections.
Two: how firewalld chooses a zone
When a client connects to the server, the server decides which zone's policy applies using the following rules, in order:
(1) If the source IP address of the client's packet matches a source bound to a zone, that zone's rules apply to the client. A source can belong to only one zone, never to several at once.
(2) Otherwise, if the packet arrives on an interface (such as eth0) that is bound to a zone, that zone's rules apply to the client. An interface can belong to only one zone, never to several at once.
(3) If neither rule matches, the default zone applies.
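The zone-selection rules above and the default service lists of the predefined zones, as an added example that is not part of the original article: a small Python model that assigns a packet to a zone (source match first, then interface, then the default zone), enforces the one-zone-per-source and one-zone-per-interface constraint, and returns the verdict the zone would give a new connection. The interface names, networks and addresses are invented for illustration; when several bound networks contain one address this model picks the most specific, which is a simplification of its own.

```python
"""Model of firewalld zone selection. Added example, not the project's code.
Bindings, addresses and interface names below are assumptions for illustration."""
import ipaddress

# The nine predefined zones, least trusted first.
PREDEFINED_ZONES = ("drop", "block", "public", "external", "dmz",
                    "work", "home", "internal", "trusted")

# Services each zone accepts by default (from the zone descriptions above).
DEFAULT_SERVICES = {
    "drop": set(), "block": set(),
    "public": {"ssh", "dhcpv6-client"},
    "external": {"ssh"},
    "dmz": {"ssh"},
    "work": {"ssh", "ipp-client", "dhcpv6-client"},
    "home": {"ssh", "ipp-client", "mdns", "samba-client", "dhcpv6-client"},
    "internal": {"ssh", "ipp-client", "mdns", "samba-client", "dhcpv6-client"},
    "trusted": set(),  # accepts everything regardless of this list
}


class ZoneTable:
    """Zone bindings of one host, mirroring firewall-cmd's source/interface options."""

    def __init__(self, default_zone="public"):
        self.default_zone = self._check_zone(default_zone)
        self._sources = {}      # ip_network -> zone
        self._interfaces = {}   # interface name -> zone

    @staticmethod
    def _check_zone(zone):
        if zone not in PREDEFINED_ZONES:
            raise ValueError(f"unknown zone {zone!r}")
        return zone

    def add_source(self, zone, cidr):
        """--add-source: a source may be bound to exactly one zone."""
        net = ipaddress.ip_network(cidr, strict=False)
        if net in self._sources:
            raise ValueError(f"{net} is already bound to zone {self._sources[net]!r}")
        self._sources[net] = self._check_zone(zone)

    def add_interface(self, zone, ifname):
        """--add-interface: refuses an interface that is already bound elsewhere."""
        if ifname in self._interfaces:
            raise ValueError(f"{ifname} is already bound to zone {self._interfaces[ifname]!r}")
        self._interfaces[ifname] = self._check_zone(zone)

    def change_interface(self, zone, ifname):
        """--change-interface: move an interface to another zone."""
        self._interfaces[ifname] = self._check_zone(zone)

    def zone_for(self, src_ip, ifname):
        """Rule 1: source match; rule 2: interface match; rule 3: default zone.
        If several bound networks contain the address, the most specific wins
        (a simplification chosen for this model)."""
        ip = ipaddress.ip_address(src_ip)
        hits = [(net.prefixlen, zone) for net, zone in self._sources.items()
                if net.version == ip.version and ip in net]
        if hits:
            return max(hits)[1]
        if ifname in self._interfaces:
            return self._interfaces[ifname]
        return self.default_zone

    def decide(self, src_ip, ifname, service):
        """(zone, verdict) for a new connection to `service`: accept, reject or drop."""
        zone = self.zone_for(src_ip, ifname)
        if zone == "trusted":
            return zone, "accept"
        if zone == "drop":
            return zone, "drop"          # silent, like iptables -j DROP
        if service in DEFAULT_SERVICES[zone]:
            return zone, "accept"
        return zone, "reject"            # icmp-host-prohibited


if __name__ == "__main__":
    table = ZoneTable("public")
    table.change_interface("internal", "eth1")     # assumed management network
    table.add_source("dmz", "203.0.113.0/24")       # assumed partner netblock
    for ip, iface, svc in [("203.0.113.7", "eth1", "samba-client"),
                           ("10.0.0.9", "eth1", "samba-client"),
                           ("198.51.100.3", "eth0", "ssh")]:
        print(ip, iface, svc, "->", table.decide(ip, iface, svc))
```

The first sample packet shows the point of rule (1): it arrives on eth1, which is bound to internal, but its source is bound to dmz, so the dmz policy applies and samba-client is rejected.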
Three: application
Get the firewall's status
Reload the firewall without changing its state (runtime-only rules, added without --permanent, are discarded by the reload)
Get a list of supported zones
List the supported services (their definitions are XML files in firewalld's services directory)
Get all supported ICMP types
List the properties of every enabled zone
Output everything enabled in a zone
Output the features enabled in a specified zone
View the default zone
Set the default zone
Get the active zones (those with an interface or source bound)
Get the zone of an interface, i.e. see which zone an interface is bound to
Add an interface to a zone
Change the zone an interface belongs to
Remove an interface from a zone (firewall-cmd [--zone=<zone>] --remove-interface=<interface>)
Query whether an interface belongs to a zone
List the services enabled in a zone
View the services enabled in the home zone
Enable panic mode, which drops all network connections in an emergency (including the SSH session you are working in)
Disable panic mode: firewall-cmd --panic-off
Query panic mode: firewall-cmd --query-panic
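The commands described in the list above, together with the feature types (services, ports, ICMP blocking, masquerading, port forwarding) defined earlier, as an added example that is not part of the original article: a POSIX shell script that wraps each firewall-cmd option in a small function and applies them as one permanent policy followed by a reload. The firewall-cmd options are real; the interface names (eth0, eth1), the port 8443/tcp, the forwarded port 2222 and the choice of zones are assumptions for illustration. Setting DRY_RUN=1 prints each command instead of running it, which is how the script can be reviewed on a host without firewalld.

```shell
#!/bin/sh
# Added example, not the article's code: firewalld policy applied with
# firewall-cmd. Interface names, ports and zones are assumptions.
set -eu
DRY_RUN="${DRY_RUN:-0}"

# fwcmd ARGS...: run firewall-cmd, or print the command when DRY_RUN=1.
fwcmd() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'firewall-cmd %s\n' "$*"
  else
    firewall-cmd "$@"
  fi
}

# Status and inventory (read-only).
fw_state()         { fwcmd --state; }                # "running" / "not running"
fw_zones()         { fwcmd --get-zones; }            # the nine predefined zones
fw_services()      { fwcmd --get-services; }         # XML files in /usr/lib/firewalld/services
fw_icmptypes()     { fwcmd --get-icmptypes; }
fw_default_zone()  { fwcmd --get-default-zone; }
fw_active_zones()  { fwcmd --get-active-zones; }     # zones with an interface or source bound
fw_list_all()      { fwcmd --zone="$1" --list-all; }
fw_list_services() { fwcmd --zone="$1" --list-services; }
fw_zone_of_iface() { fwcmd --get-zone-of-interface="$1"; }
fw_query_iface()   { fwcmd --zone="$1" --query-interface="$2"; }

# Changes use --permanent so they survive --reload and a reboot; they only
# become active after the reload at the end of apply_policy.
fw_bind_iface()    { fwcmd --permanent --zone="$1" --change-interface="$2"; }  # one zone per interface
fw_add_service()   { fwcmd --permanent --zone="$1" --add-service="$2"; }
fw_add_port()      { fwcmd --permanent --zone="$1" --add-port="$2"; }          # e.g. 8443/tcp
fw_block_icmp()    { fwcmd --permanent --zone="$1" --add-icmp-block="$2"; }    # e.g. echo-request
fw_masquerade()    { fwcmd --permanent --zone="$1" --add-masquerade; }         # IPv4 NAT
fw_forward_port()  { fwcmd --permanent --zone="$1" --add-forward-port="$2"; }  # port=A:proto=tcp:toport=B

# Assumed layout: eth0 faces the Internet, eth1 the LAN.
apply_policy() {
  fw_bind_iface external eth0
  fw_bind_iface internal eth1
  fw_add_service external https
  fw_add_port    external 8443/tcp
  fw_block_icmp  external echo-request
  fw_masquerade  external                  # LAN hosts leave with eth0's address
  fw_forward_port external port=2222:proto=tcp:toport=22
  fwcmd --set-default-zone=public          # unbound interfaces land here
  fwcmd --reload                           # activate the permanent configuration
  fw_list_all external                     # verify what is now enabled
}

# Emergency switch: firewall-cmd --panic-on drops every packet, including the
# SSH session you are typing in; --panic-off and --query-panic leave and check it.

if [ "${1:-}" = "apply" ]; then
  apply_policy
fi
```

Run it as `DRY_RUN=1 sh policy.sh apply` first and read the printed commands; only then run `sh policy.sh apply` on the host. Because every change is permanent and the reload comes last, a typo aborts the script (set -e) before anything becomes active.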
© 2024 shulou.com SLNews company. All rights reserved.