1. Introduction to firewalld
firewalld is a major feature of CentOS 7. Its two biggest benefits are that it supports dynamic rule updates without restarting the service, and that it introduces the "zone" concept to the firewall.
firewalld has both a graphical interface and a command-line interface. Since I use it on servers, this article covers the command-line interface; refer to the official documentation for the graphical one.
The command-line management tool for firewalld is firewall-cmd.
firewalld has two configuration directories by default: /usr/lib/firewalld/ (system configuration, which should not be modified) and /etc/firewalld/ (user configuration).
Zone concept:
Hardware firewalls generally have three zones by default. firewalld introduces the following default zones (based on the documentation; please correct me if I have made a mistake):
drop: all incoming packets are discarded by default
block: all external connections are rejected; connections initiated from the inside are allowed
public: only the external connections you specify can get in
external: I do not quite understand how this differs from the one above; it likewise allows only the external connections you specify
dmz: like the DMZ of a hardware firewall, external access is restricted to the connections you allow
work: the work zone, similar in concept to a workgroup; again only the external connections you specify are allowed
home: similar to a home group
internal: all connections are trusted
I am not too familiar with firewalls, and I have not figured out the functional difference between public, external, dmz, work and home, since all of them require connections to be explicitly allowed. The specific differences in use still need an expert's guidance.
2. Install firewalld
As root, execute: # yum install firewalld firewall-config
3. Run, stop, and disable firewalld
start: # systemctl start firewalld
view status: # systemctl status firewalld or firewall-cmd --state
stop: # systemctl stop firewalld
disable (do not start at boot): # systemctl disable firewalld
4. Configure firewalld
view version: $ firewall-cmd --version
view help: $ firewall-cmd --help
view settings:
display status: $ firewall-cmd --state
view active zones: $ firewall-cmd --get-active-zones
view the zone to which the specified interface belongs: $ firewall-cmd --get-zone-of-interface=eth0
Deny all packets (panic mode): # firewall-cmd --panic-on
cancel the deny status: # firewall-cmd --panic-off
check whether panic mode is on: $ firewall-cmd --query-panic
Update firewall rules: # firewall-cmd --reload
# firewall-cmd --complete-reload
The difference between the two is that the first does not interrupt existing connections (dynamically adding rules is one of firewalld's features), while the second drops connection state and is similar to restarting the service.
Add an interface to a zone (by default all interfaces are in public):
# firewall-cmd --zone=public --add-interface=eth0
To make it permanent, add --permanent and then reload the firewall.
Set the default zone:
# firewall-cmd --set-default-zone=public
This takes effect immediately without a restart.
Open ports (this is probably the most commonly used operation).
View all open ports in a zone:
# firewall-cmd --zone=dmz --list-ports
Add a port to a zone:
# firewall-cmd --zone=dmz --add-port=8080/tcp
Making it permanent works the same way as above (add --permanent, then reload).
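Opening ports one by one tends to leave a zone with more holes than anyone intended, so a practical habit is to keep an allowlist of ports a zone is supposed to expose and compare it against what --list-ports actually reports. The script below is an added example, not code from the article: it parses a --list-ports style listing (the constructed sample is the public zone listing shown later in this article), reports ports that are open but not allowed and allowed ports that are missing, and has an apply function that fixes both the runtime and the --permanent configuration so a later --reload does not undo the change. ALLOWED_PORTS is an assumed policy for the example.

```shell
#!/bin/sh
# Added example (not from the original article): audit a zone's open ports
# against an allowlist and report drift. firewall-cmd is only invoked in
# live_ports/apply_allowlist, so the pure string functions can run anywhere.

# Ports the zone is supposed to expose (assumed policy for this example).
ALLOWED_PORTS="22/tcp 80/tcp"

# ports_not_allowed "<current>" "<allowed>"
# Prints each port of <current> that does not appear in <allowed>, one per line.
ports_not_allowed() {
    current=$1
    allowed=$2
    for p in $current; do
        found=0
        for a in $allowed; do
            [ "$p" = "$a" ] && found=1
        done
        [ "$found" -eq 0 ] && printf '%s\n' "$p"
    done
    return 0
}

# ports_missing "<current>" "<allowed>"
# Prints allowed ports that are not currently open (the same set difference, reversed).
ports_missing() {
    ports_not_allowed "$2" "$1"
}

# live_ports <zone>: read the runtime listing from firewall-cmd.
live_ports() {
    firewall-cmd --zone="$1" --list-ports
}

# apply_allowlist <zone>: close anything not in the allowlist and open what is
# missing, in both the runtime and the permanent configuration.
apply_allowlist() {
    zone=$1
    current=$(live_ports "$zone")
    for p in $(ports_not_allowed "$current" "$ALLOWED_PORTS"); do
        firewall-cmd --zone="$zone" --remove-port="$p"
        firewall-cmd --permanent --zone="$zone" --remove-port="$p"
    done
    for p in $(ports_missing "$current" "$ALLOWED_PORTS"); do
        firewall-cmd --zone="$zone" --add-port="$p"
        firewall-cmd --permanent --zone="$zone" --add-port="$p"
    done
}

# Constructed input: the public zone listing from the article's sample session.
SAMPLE_LISTING="20/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp 9999/tcp"

# Run with --audit to see the drift in the sample listing without touching firewall-cmd.
if [ "${1:-}" = "--audit" ]; then
    printf 'Open but not allowed:\n'
    ports_not_allowed "$SAMPLE_LISTING" "$ALLOWED_PORTS"
    printf 'Allowed but not open:\n'
    ports_missing "$SAMPLE_LISTING" "$ALLOWED_PORTS"
fi
```

On a real host you would replace SAMPLE_LISTING with "$(live_ports public)" and, once the report looks right, call apply_allowlist public. Writing both the runtime and --permanent rule in apply_allowlist matters: a runtime-only change vanishes at the next --reload, and a permanent-only change is not enforced until then, so the two would silently disagree.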
Opening a service is similar to opening a port, except that the service must be defined in a configuration file: the definitions live in the services folder under the /etc/firewalld directory (the built-in ones are under /usr/lib/firewalld/services).
# firewall-cmd --zone=work --add-service=smtp
Remove a service:
# firewall-cmd --zone=work --remove-service=smtp
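A custom service is just a small XML file in /etc/firewalld/services; defining one lets you open and close an application's ports by name and keeps the zone listing readable. The script below is an added example rather than code from the article or from the firewalld project: write_service emits a service file in the format firewalld reads (the <service>, <short> and <port protocol= port=> elements), and service_ports reads the port list back out of any service file so you can audit the directory for definitions that are broader than expected. SERVICE_DIR is an assumed parameter so the example can write to a scratch directory; on a real host it defaults to /etc/firewalld/services.

```shell
#!/bin/sh
# Added example (not from the original article): generate and inspect a
# firewalld service definition. On a real host SERVICE_DIR is
# /etc/firewalld/services; override it to write somewhere harmless first.
SERVICE_DIR=${SERVICE_DIR:-/etc/firewalld/services}

# write_service <name> <short description> <port/proto>...
# Writes <name>.xml in the firewalld service format and prints its path.
# Returns 1 on an invalid name or a port spec that is not N/tcp, N/udp or N-M/tcp etc.
write_service() {
    name=$1; short=$2; shift 2
    case "$name" in
        *[!A-Za-z0-9_-]*|'') echo "invalid service name: $name" >&2; return 1 ;;
    esac
    for spec in "$@"; do
        case "$spec" in
            *[0-9]/tcp|*[0-9]/udp) ;;
            *) echo "bad port spec: $spec" >&2; return 1 ;;
        esac
    done
    file="$SERVICE_DIR/$name.xml"
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$short"
        for spec in "$@"; do
            # ${spec##*/} is the protocol, ${spec%/*} the port or port range
            printf '  <port protocol="%s" port="%s"/>\n' "${spec##*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$file"
    printf '%s\n' "$file"
}

# service_ports <file>: print the port/proto pairs a service file opens, one per line.
service_ports() {
    sed -n 's|.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*|\2/\1|p' "$1"
}
```

After writing the file into /etc/firewalld/services, run firewall-cmd --reload so firewalld picks up the new definition, check it with firewall-cmd --get-services, and then enable it in a zone with firewall-cmd --zone=work --add-service=myapp (adding --permanent as above to keep it across reloads). Running service_ports over every file in the directory is a quick way to spot a service that quietly opens a whole port range.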
Sample code:
# Show all open ports in the public zone
[root@centos77 ~]# firewall-cmd --zone=public --list-ports
20/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp 9999/tcp
# Show all open ports in the dmz zone
[root@centos77 ~]# firewall-cmd --zone=dmz --list-ports
# Show all open ports in the home zone
[root@centos77 ~]# firewall-cmd --zone=home --list-ports
# Without --zone, port queries and additions apply to the default zone, which is public
[root@centos77 ~]# firewall-cmd --list-ports
20/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp 9999/tcp
[root@centos77 ~]# firewall-cmd --add-port=7777/tcp
success
[root@centos77 ~]# firewall-cmd --list-ports
20/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp 9999/tcp 7777/tcp
# Remove a port from the default zone (add --zone= to target a specific zone instead)
[root@centos77 ~]# firewall-cmd --remove-port=7777/tcp
success
# Query the ports of the default zone again
[root@centos77 ~]# firewall-cmd --list-ports
20/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp 9999/tcp
[root@centos77 ~]#
Set the default zone:
# firewall-cmd --set-default-zone=public
Use --get-default-zone to query the current default zone.
# Show all information for the default zone
[root@centos77 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: dhcpv6-client ssh telnet
ports: 20/tcp 22/tcp 80/tcp 8888/tcp 39000-40000/tcp 9999/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
Table content information:
Common commands of firewall-cmd: