Linux system security: a detailed introduction to the CentOS 7 firewalld firewall

On the Internet, companies provide users with all kinds of network services by deploying applications such as web sites, e-mail and FTP servers, and most of these run on Linux servers. To protect those servers, filter unauthorized access and keep intruders out of the internal network, we need a firewall.

Besides hardware firewalls, the firewall subsystem built into Linux is also very capable. Today we mainly look at the CentOS 7 firewall system: firewalld.

One. Linux firewall fundamentals

Whether it is the firewall of a Linux system, of a Windows system or a hardware appliance, a firewall is a combination of components placed between networks of different trust levels, and it is the only gateway through which information passes between those security domains. By inspecting, limiting and altering the data that flows across it, the firewall hides the structure and operating state of the internal network from the outside as much as possible, while selectively accepting access from external networks. It puts a security barrier between the internal and external networks so that a threat cannot enter the internal network unnoticed.

Traditionally, firewalls fall into three categories: packet filtering, application proxy and stateful inspection. However complex a firewall implementation is, it is ultimately an extension of these three technologies.

The Linux firewall subsystem works mainly at the network layer; it is a typical packet filter (also called a network-layer firewall).

How a packet-filtering firewall works:

  • works at the network layer, on IP packets;
  • opens ports statically, which carries a certain security risk;
  • makes its decisions from the IP addresses and ports carried in the packet;

How a stateful inspection firewall works:

  • works at the network layer;
  • opens ports dynamically;

How an application proxy firewall works:

  • works at the application layer;

Because the firewall is implemented inside the Linux kernel, it achieves both very stable performance and high efficiency, and so it is widely used. The Linux firewall tools are mainly firewalld, iptables and ebtables; by default, CentOS 7 uses firewalld to manage the netfilter subsystem.

  • netfilter: the packet-filtering firewall inside the Linux kernel; it does not exist as a program or file, and is the "kernel-mode" firewall function;
  • firewalld: the command program used to manage the Linux firewall, the "user-mode" firewall management system.

Strictly speaking, netfilter is the Linux firewall; firewalld is only the tool that manages netfilter!

Two. firewalld overview

1. firewalld profile

firewalld is a dynamic firewall manager that supports zones, which define the trust level of network connections and interfaces. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges, and has two configuration modes: permanent configuration and runtime configuration. It also lets services or applications add firewall rules directly.

2. firewalld zones

firewalld divides all network traffic into several zones, which simplifies firewall management. Based on conditions such as the packet's source IP address or the incoming network interface, traffic is handed to the firewall rules of the corresponding zone. For a packet entering the system, the source address is checked first.

firewalld processing flow for an incoming packet:
First, the source address is checked.

  • If the source address is bound to a specific zone, the rules of that zone are applied;
  • If the source address is not bound to any zone, the zone of the incoming network interface is used and that zone's rules are applied;
  • If the network interface is not bound to a zone either, the default zone is used and its rules are applied;

The default zone is not a separate zone; it is one of the other zones, designated as the system default. Out of the box the default zone is public, and the administrator can change it to suit the actual situation.

When several rules match, they are evaluated in order and the first matching rule wins (top to bottom, stop at the first match!)
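As an added illustration of the lookup order just described (example code, not firewalld's own), the following shell script resolves which zone's rules apply to an incoming packet. It assumes constructed source and interface bindings and a default zone of public, and does the IPv4 CIDR match itself.

```shell
#!/bin/sh
# Added example, not firewalld code: resolve the zone for a packet the way the
# article describes (source binding, then interface binding, then default zone).
# Constructed bindings: "zone CIDR" as set by --add-source, "zone iface" as set
# by --change-interface; evaluated top to bottom, first match wins.
SOURCE_BINDINGS='drop 203.0.113.7/32
trusted 192.168.10.0/24'
IFACE_BINDINGS='internal ens33
public ens34'
DEFAULT_ZONE=public

# Dotted-quad IPv4 address to an integer
ip2int() {
  IFS=. read -r a b c d <<EOF
$1
EOF
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# Succeed if address $1 lies inside CIDR block $2 (a bare address means /32)
in_cidr() {
  net=${2%/*}
  bits=${2#*/}
  [ "$bits" = "$2" ] && bits=32
  mask=$(( ((1 << bits) - 1) << (32 - bits) ))
  [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# Print the zone whose rules apply to a packet from address $1 arriving on
# interface $2: 1. first matching source binding, 2. the interface's zone,
# 3. the default zone
resolve_zone() {
  zone=$(printf '%s\n' "$SOURCE_BINDINGS" | while read -r z cidr; do
    if in_cidr "$1" "$cidr"; then echo "$z"; break; fi
  done)
  [ -n "$zone" ] && { echo "$zone"; return 0; }
  zone=$(printf '%s\n' "$IFACE_BINDINGS" | while read -r z ifc; do
    if [ "$ifc" = "$2" ]; then echo "$z"; break; fi
  done)
  [ -n "$zone" ] && { echo "$zone"; return 0; }
  echo "$DEFAULT_ZONE"
}
```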

In each zone, a range of services or ports can be configured to be opened or closed. Each predefined firewalld zone opens a number of services by default, as shown in the figure below:
(figure: predefined firewalld zones and the services each opens by default)

Outgoing traffic: simply put, traffic that is not aimed at the resources of the firewall host itself but passes through the firewall is called outgoing traffic.

3. firewalld firewall configuration

In CentOS 7 the firewall can be configured in three ways:

  • the firewall-config graphical tool;
  • the firewall-cmd command-line tool;
  • the configuration files under /etc/firewalld/;

Under normal circumstances, editing the configuration files directly is not recommended!

(1) Graphical management tool

The graphical management tool can be opened in two ways:

1) From the graphical desktop


2) From a terminal, by command
[root@localhost ~]# firewall-config

Since the graphical tool is straightforward, it is not described in detail here!

(2) The firewall-cmd command-line tool

1) Starting, stopping and checking the firewalld service
[root@localhost ~]# systemctl start firewalld
// start the firewalld service
[root@localhost ~]# systemctl enable firewalld
// set the firewalld service to start automatically at boot
[root@localhost ~]# systemctl status firewalld
// check the firewalld service status
[root@localhost ~]# firewall-cmd --state
// check the firewalld state (via firewall-cmd)
[root@localhost ~]# systemctl stop firewalld
// stop the firewalld service
[root@localhost ~]# systemctl disable firewalld
// stop the firewalld service from starting automatically at boot
2) Obtaining predefined information
[root@localhost ~]# firewall-cmd --get-zones
// list the predefined zones
[root@localhost ~]# firewall-cmd --get-services
// list the predefined services (there are many, most of them common ones; not covered here)
[root@localhost ~]# firewall-cmd --get-icmptypes
// list the predefined ICMP types

Meanings of the types returned by firewall-cmd --get-icmptypes:

  • destination-unreachable: destination unreachable;
  • echo-reply: echo reply;
  • parameter-problem: parameter problem;
  • redirect: redirect;
  • router-advertisement: router advertisement;
  • router-solicitation: router solicitation;
  • source-quench: source quench;
  • time-exceeded: time exceeded;
  • timestamp-reply: timestamp reply;
  • timestamp-request: timestamp request;
3) Zone management

Common options of the zone management commands are shown in the figure below:
(figure: common firewall-cmd zone management options)

[root@localhost ~]# firewall-cmd --get-default-zone
// show the current default zone of the system
[root@localhost ~]# firewall-cmd --list-all
// show all rules of the default zone
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
// show the zone that network interface ens33 belongs to
[root@localhost ~]# firewall-cmd --zone=internal --change-interface=ens33
The interface is under control of NetworkManager, setting zone to 'internal'.
success
// move network interface ens33 into the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --list-interfaces
ens33
[root@localhost ~]# firewall-cmd --get-zone-of-interface=ens33
internal
// verify
[root@localhost ~]# firewall-cmd --get-active-zones
internal
  interfaces: ens33
// show all active zones
4) Service management

The latest firewalld version predefines 70 services for use; for each zone, you can configure which services may be accessed. When the service you need is not in the list, you can add a port instead.

Common service management options for zones are shown in the figure below:
(figure: common firewall-cmd service and port management options)

[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh
// show the services allowed in the default zone
[root@localhost ~]# firewall-cmd --add-service=http
// allow access to the http service in the default zone
[root@localhost ~]# firewall-cmd --list-services
dhcpv6-client ssh http
// verify the result
[root@localhost ~]# firewall-cmd --zone=internal --add-port=80/tcp
success
// allow access to TCP port 80 in the internal zone
[root@localhost ~]# firewall-cmd --zone=internal --remove-port=443/tcp
success
// stop allowing access to TCP port 443 in the internal zone
[root@localhost ~]# firewall-cmd --list-all --zone=internal
internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources: 
  services: dhcpv6-client mdns samba-client ssh
  ports: 80/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  sourceports: 
  icmp-blocks: 
  rich rules: 
// view the detailed configuration of the given zone

The firewall-cmd command-line tool has two configuration modes:

  • Runtime mode: the firewall configuration currently running in memory; it is lost when the system reboots or the firewalld service restarts;
  • Permanent mode: the configuration stored permanently in the configuration files; it is loaded automatically when the firewalld service restarts or the system reboots;

Three firewall-cmd options relate to the configuration mode:

  • --reload: reload the firewall while keeping state information, i.e. apply the permanent configuration to the runtime configuration;
  • --permanent: a command with this option sets a permanent rule, which only takes effect after the firewalld service is reloaded or restarted; without this option the command sets a runtime rule;
  • --runtime-to-permanent: write the current runtime rules into the configuration files, making them permanent.
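The service management commands above and the runtime/permanent distinction suggest a simple audit: rules added without --permanent silently vanish on the next reload. The script below is an added example, not from the original article; it parses listings in the format of firewall-cmd --list-all (constructed sample text modelled on the output shown above) and reports entries allowed at runtime but missing from the permanent configuration.

```shell
#!/bin/sh
# Added example (not from the article): find runtime-only firewall entries in a zone.
# Constructed listings in the shape of `firewall-cmd --list-all --zone=internal`
# (runtime) and `firewall-cmd --permanent --list-all --zone=internal` (permanent).
RUNTIME_LISTING='internal (active)
  target: default
  interfaces: ens33
  services: dhcpv6-client mdns samba-client ssh http
  ports: 80/tcp
  protocols: '
PERMANENT_LISTING='internal
  target: default
  interfaces: ens33
  services: dhcpv6-client mdns samba-client ssh
  ports: 
  protocols: '

# Print the value of one field (services, ports, ...) from a --list-all listing
zone_field() {  # $1 = listing, $2 = field name
  printf '%s\n' "$1" | sed -n "s/^  $2: *//p"
}

# Succeed if the listing allows entry $2 (a service such as http or a port such as 80/tcp)
zone_allows() {  # $1 = listing, $2 = entry
  for zf in services ports; do
    for zi in $(zone_field "$1" "$zf"); do
      [ "$zi" = "$2" ] && return 0
    done
  done
  return 1
}

# Print entries allowed at runtime but missing from the permanent configuration;
# these disappear on `firewall-cmd --reload`, a firewalld restart or a reboot
runtime_only() {  # $1 = runtime listing, $2 = permanent listing
  for f in services ports; do
    for item in $(zone_field "$1" "$f"); do
      zone_allows "$2" "$item" || printf '%s\n' "$item"
    done
  done
}

# On a real CentOS 7 host (assumed usage, needs root):
# runtime_only "$(firewall-cmd --list-all --zone=internal)" \
#              "$(firewall-cmd --permanent --list-all --zone=internal)"
```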

This concludes the introduction to the firewalld firewall!

Origin blog.51cto.com/14157628/2433524