firewalld of linux Firewall
1, firewalld overview
1,firewalld
- firewalld firewall is the default firewall management tool of CentOS 7 system, replacing the previous iptables firewall
*It works at the network layer and belongs to the filtering firewall - firewalld and iptables are tools used to manage firewalls (belonging to user state) to define various rules and functions of firewalls
*The internal structure points to the netfilter network filtering subsystem (which belongs to the internal state) to realize packet filtering, and the firewall can - firewalld provides dynamic firewall management tools that support network links defined by network areas and interface security levels
*Support ipv4, ipv6 firewall settings and Ethernet bridge (may be used in some advanced services, such as cloud computing) - There are two configuration modes: runtime configuration and permanent configuration
2. Differences between firewalld and iptables
(1) Action point
- iptables is mainly based on the interface to set rules to judge the security of the network
- firewalld sets different rules according to different regions based on regions, so as to judge the security of the network. It is similar to the setting of hardware firewall.
(2) Storage location
- Iptables stores the configuration in / etc/sysconfig/iptables
- Firewalld stores the configuration in various XML files in / etc/firewalld (load first) and / usr/bid/firewalld / (default configuration file)
(3) Use of new rules
- Using iptables, each individual change means clearing all old rules and reading all new rules from / etc/sysconfig/iptables
- Using firewalld doesn't create any new rules, just run the differences in the rules. Therefore, firewalld can change the settings during runtime without losing the current connection
3. Concept of firewalld region
- firewalld firewall divides all network traffic into multiple zone s in order to simplify management
- Then, the traffic is transmitted to the corresponding area according to the source IP address of the packet or the incoming network interface
- Each region defines its own open or closed port and service list.
firewalld firewall has reserved 9 areas
| Area name | effect |
|---|---|
| Trusted (Trusted Zone) | Allow all incoming traffic. |
| Public (public area) | Allow incoming traffic matching ssh or DHCPv6 client predefined services, and reject the rest. Is the default area for newly added network interfaces. |
| External (external area) | Allow incoming traffic that matches ssh predefined services, and reject the rest. By default, IPv4 outgoing traffic that will be forwarded through this area will be masked, which can be used for external networks that have enabled the masquerade function for routers. |
| Home (home area) | Allow incoming traffic matching ssh, IPP client, mdns, samba client or DHCPv6 client predefined services, and reject the rest. |
| Internal (internal area) | The default value is the same as the home area. |
| Work (work area) | Allow incoming traffic matching ssh, IPP client and DHCPv6 client predefined services, and reject the rest. |
| dmz (isolated area, also known as demilitarized area) | Allow incoming traffic that matches ssh predefined services, and reject the rest. |
| block (restricted area) | Reject all incoming traffic. |
| Drop (drop area) | All incoming traffic is discarded and no error response containing ICMP is generated. |
Finally, the security level of a zone depends on the rules set by the administrator in this zone.
Zones are like the security doors to the host. Each zone has rules with different degrees of restriction, and only traffic conforming to the rules will be allowed to enter.
One or more regions can be used according to the network size, but any active region needs to be associated with at least the source address or interface.
By default, the public area is the default area and contains all interfaces (network cards)
4. firewalld data processing flow
- firewalld for data packets entering the system, the data traffic will be transferred to the firewall rules of the corresponding area according to the source IP address of the data packet or the incoming network interface. For the data packet entering the system, the first thing to check is its source address
firewalld rules for checking the source address of packets:
1. If the source address is associated with a specific region (that is, there is a conflict between the source address or the region bound by the interface), the rules formulated by the region shall be executed.
2. If the source address is not associated with a specific region (that is, there is no conflict between the source address or the region bound by the interface), the region of the incoming network interface is used and the rules formulated by the region are executed.
3. If the network interface is not associated with a specific region (that is, neither the source address nor the interface is bound to a specific region), the default region is used and the rules formulated by the region are executed.
2, firewalld firewall configuration
- Using the firewall CMD command line tool
- Using the firewall config graphical tool
- Write the configuration file in / etc/firewalld /
#Turn on the firewall systemctl start firewalld.service
2. Common firewalld CMD command options
--get-default-zone : Displays the current default area --set-default-zone=<zone> : Set default area --get-active-zones : Displays the area currently in use and its corresponding network card interface --get-zones : Show all available areas --get-zone-of-interface=<interface> : Displays the area of the specified interface binding --zone=<zone> --add-interface=<interface> : Specifies the binding area for the interface --zone=<zone> --change-interface=<interface> : Change the bound network interface for the specified zone --zone=<zone> --remove-interface=<interface> : Deletes the bound network interface for the specified zone --list-all-zones : Show all areas and their rules [--zone=<zone>] --list-all : Display all rules for all specified areas, omitting--zone=<zone>When, it means that only the default area is operated [--zone=<zone>] --list-services : Displays all services that are allowed to access in the specified area [--zone=<zone>] --add-service=<service> : Sets a service that is allowed to access for the specified locale [--zone=<zone>] --remove-service=<service> : Delete a service that has been set to allow access in the specified region [--zone=<zone>] --list-ports : Displays all port numbers that are allowed to access in the specified area [--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> : Sets an access allowed for the specified locale/Port number of a section (including protocol name) [--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol> : Delete the port number (including the protocol name) that has been set to allow access in the specified region [--zone=<zone>] --list-icmp-blocks : Displays all access denied in the specified area ICMP type [--zone=<zone>] --add-icmp-block=<icmptype> : Sets an item that is denied access for the specified locale ICMP type [--zone=<zone>] --remove-icmp-block=<icmptype> : Deletes an item that has been set to deny access in the specified region ICMP type firewall-cmd --get-icmptypes : Show all ICMP type
3. Regional management
(1) Displays the default area in the current system
firewall-cmd --get-default-zone
(2) Displays all rules for the default area
firewall-cmd --list-all
(3) Displays the area currently in use and its corresponding network card interface
firewall-cmd --get-active-zones
(4) Set default area
firewall-cmd --set-default-zone=home firewall-cmd --get-default-zone
4. Service management
(1) View all services allowed in the default area
firewall-cmd --list-service
(2) Add httpd service to public zone
firewall-cmd --add-service=http --zone=public
(3) View the configured rules in the public area
firewall-cmd --list-all --zone=public
(4) Delete the httpd service for the publicqu zone
firewall-cmd --remove-service=http --zone=public
(5)
firewall-cmd --add-service=http --add-service=https --permanent firewall-cmd --reload firewall-cmd --list-all #Adding the -- permanent option means that the setting is permanently effective. It will take effect only when the firewall service needs to be restarted or the firewall CMD -- reload command needs to be executed to reload the firewall rules. If this option is not provided, it means that it is used to set runtime rules, but these rules will be invalid when the system or firewalld service is restarted or stopped. --runtime-to-permanent: Writes the current runtime configuration to the rule configuration file to make it permanent.
5. Port management
(1) Connect port 433 of TCP to the internal area
firewall-cmd --zone=internal --add-port=443/tcp firewall-cmd --list-all --zone=internal
(2) Remove tcp port 433 from the internal area
firewall-cmd --zone=internal --remove-port=443/tcp
(3) Allow UDP ports 2048-2050 to the default zone
firewall-cmd --add-port=2048-2050/udp firewall-cmd --list-all
