Explanation and configuration of firewalld in Centos7 default firewall

Others 2021-01-22 20:28:03 views: null

Explanation and configuration of firewalld in Centos7 default firewall

Article Directory

One, firewalld overview

The firewalld firewall is the default firewall management tool of the Centos7 system. It replaces the previous iptables firewall. It also works at the network layer and belongs to the packet filtering firewall.

Both firewalld and iptables are tools used to manage firewalls (belonging to the user mode) to define various rules and functions of the firewall, and the internal structure points to the netfilter network filtering subsystem (belonging to the kernel mode) to realize the packet filtering firewall function.

firewalld provides a dynamic firewall management tool that supports network links and interface security levels defined by network zones. It supports IPv4, IPv6 firewall settings and Ethernet bridges (may be used in some advanced services, such as cloud computing), and has two configuration modes: runtime configuration and permanent configuration.

Two, the difference between firewalld and iptables

1. Difference one

iptables is mainly based on the interface to set rules to determine the security of the network.
Firewalld is based on zones, and different rules are set according to different zones to ensure network security. Similar to the setting of hardware firewall.

2. Difference two

iptables 在 /etc/sysconfig/iptables 中储存配置,
firewalld 将配置储存在 /etc/firewalld/(优先加载)和 /usr/lib/firewalld/(默认的配置文件)中的各种 XML 文件里。

3. Difference Three

Using iptables each individual change means clearing all old rules and reading all new rules from /etc/sysconfig/iptables.
Using firewalld does not create any new rules, but only runs the differences in the rules. Therefore, firewalld can change the settings during runtime without losing the
current connection.

Third, the concept of firewalld area

In order to simplify management, firewalld divides all network traffic into multiple zones. Then, according to the source IP address of the data packet or the incoming network interface and other conditions, the traffic is transferred to the corresponding area. Each area defines a list of ports and services that it opens or closes.

(1), firewalld firewall predefined 9 areas

1、trusted(信任区域):允许所有的传入流量。
2、public(公共区域):允许与ssh或dhcpv6-client预定义服务匹配的传入流量,其余均拒绝。是新添加网络接口的默认区域。
3、external(外部区域):允许与 ssh 预定义服务匹配的传入流量,其余均拒绝。 默认将通过此区域转发的IPv4传出流量将进行地址伪装,可用于为路由器启用了伪装功能的外部网络。
4、home(家庭区域):允许与ssh、ipp-client、mdns、samba-client或dhcpv6-client预定义服务匹配的传入流量,其余均拒绝。
5、internal(内部区域):默认值时与home区域相同。
6、work(工作区域):允许与 ssh、ipp-client、dhcpv6-client 预定义服务匹配的传入流量,其余均拒绝。
7、dmz(隔离区域也称为非军事区域):允许与 ssh 预定义服务匹配的传入流量,其余均拒绝。
8、block(限制区域):拒绝所有传入流量。
9、drop(丢弃区域):丢弃所有传入流量,并且不产生包含 ICMP的错误响应。

最终一个区域的安全程度是取决于管理员在此区域中设置的规则。
区域如同进入主机的安全门,每个区域都具有不同限制程度的规则,只会允许符合规则的流量传入。
可以根据网络规模,使用一个或多个区域,但是任何一个 活跃区域 至少需要关联 源地址或接口。
默认情况下,public区域是默认区域,包含所有接口(网卡)

Four, firewalld data processing flow

For data packets entering the system, firewalld will forward the data traffic to the firewall rules of the corresponding area based on the source IP address of the data packet or the incoming network interface and other conditions. For data packets entering the system, the first thing to check is the source address.

Five, firewalld checks the rules of the source address of the packet

1. If the source address is associated with a specific area (that is, there is a conflict between the source address or the area bound to the interface), the rules established by the area will be executed.
2. If the source address is not associated with a specific area (that is, there is no conflict between the source address or the area bound to the interface), the area of ​​the incoming network interface is used and the rules established by the area are executed.
3. If the network interface is also not associated with a specific area (that is, the source address or interface is not bound to a specific area), the default area is used and the rules established by the area are executed.

Six, firewalld firewall configuration method

1、使用firewall-cmd 命令行工具。
2、使用firewall-config 图形工具。
3、编写/etc/firewalld/中的配置文件。

systemctl start firewalld.service

(1) Commonly used firewall-cmd command options

--get-default-zone :显示当前默认区域
--set-default-zone=<zone> :设置默认区域

--get-active-zones :显示当前正在使用的区域及其对应的网卡接口
--get-zones :显示所有可用的区域

--get-zone-of-interface=<interface> :显示指定接口绑定的区域
--zone=<zone> --add-interface=<interface> :为指定接口绑定区域
--zone=<zone> --change-interface=<interface> :为指定的区域更改绑定的网络接口
--zone=<zone> --remove-interface=<interface> :为指定的区域删除绑定的网络接口

--list-all-zones :显示所有区域及其规则
[--zone=<zone>] --list-all :显示所有指定区域的所有规则,省略--zone=<zone>时表示仅对默认区域操作

[--zone=<zone>] --list-services :显示指定区域内允许访问的所有服务
[--zone=<zone>] --add-service=<service> :为指定区域设置允许访问的某项服务
[--zone=<zone>] --remove-service=<service> :删除指定区域已设置的允许访问的某项服务

[--zone=<zone>] --list-ports :显示指定区域内允许访问的所有端口号
[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> :为指定区域设置允许访问的某个/某段端口号(包括协议名)
[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol> :删除指定区域已设置的允许访问的端口号(包括协议名)

[--zone=<zone>] --list-icmp-blocks :显示指定区域内拒绝访问的所有 ICMP 类型
[--zone=<zone>] --add-icmp-block=<icmptype> :为指定区域设置拒绝访问的某项 ICMP 类型
[--zone=<zone>] --remove-icmp-block=<icmptype> :删除指定区域已设置的拒绝访问的某项ICMP类型
firewall-cmd --get-icmptypes :显示所有 ICMP 类型

(2) Regional management

(1)显示当前系统中的默认区域
firewall-cmd --get-default-zone

(2)显示默认区域的所有规则
firewall-cmd --list-all

(3)显示当前正在使用的区域及其对应的网卡接口
firewall-cmd --get-active-zones

(4)设置默认区域
firewall-cmd --set-default-zone=home
firewall-cmd --get-default-zone

(3) Service management

(1)查看默认区域内允许访问的所有服务
firewall-cmd --list-service

(2)添加httpd 服务到public 区域
firewall-cmd --add-service=http --zone=public

(3)查看public 区域已配置规则
firewall-cmd --list-all --zone=public

(4)删除public 区域的httpd 服务
firewall-cmd --remove-service=http --zone=public

(5)同时添加httpd、https 服务到默认区域,设置成永久生效
firewall-cmd --add-service=http --add-service=https --permanent
firewall-cmd --reload	
firewall-cmd --list-all		
#添加使用 --permanent选项表示设置成永久生效,需要重新启动firewalld服务或执行firewall-cmd --reload命令 重新加载防火墙规则时才会生效。若不带有此选项,表示用于设置运行时规则,但是这些规则在系统或firewalld服务重启、停止时配置将失效。

--runtime-to-permanent:将当前的运行时配置写入规则配置文件中,使之成为永久性配置。

(4) Port management

(1)允许TCP的443端口到internal 区域
firewall-cmd --zone=internal --add-port=443/tcp
firewall-cmd --list-all --zone=internal

(2)从internal 区域将TCP的443端口移除
firewall-cmd --zone=internal --remove-port=443/tcp

(3)允许UDP的2048~2050端口到默认区域
firewall-cmd --add-port=2048-2050/udp
firewall-cmd --list-all

Guess you like

Origin blog.csdn.net/weixin_51573771/article/details/112095013
Recommended
微软回应中国区AI团队“打包赴美”传闻
Ranking
How to use ChatGPT to write 100,000+ hot articles for public accounts (includes prompt words)
sudo echo command execution Permission denied
ADO: Using Transactions to Operate Oracle Database
[Java] [Class and Object] equals, hashCode, clone methods
Linux virtual host function
Порт управления rabbitmq открыт
on,where
jQuery WeUI
How can there be a weed pilot in Hangzhou?
tcp / ip model four
Daily
More
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)

Code World

© 2018 codetd.com