Introduction to firewalld security technology

  1. Introduction to Firewalld
    Starting with CentOS 7, iptables is no longer the default firewall; firewalld is used instead. firewalld is a dynamic firewall management tool with support for network zones: a zone defines the trust level of the network connections and interfaces assigned to it.
    What does "dynamic firewall" mean? Recall how firewall rules were managed under the iptables service: the user adds a new firewall rule to the /etc/sysconfig/iptables configuration file and then runs service iptables reload for the change to take effect.
    Behind the scenes, the iptables service first flushes all the old firewall rules and then reloads the complete set of new rules. If the configuration requires kernel modules to be reloaded, the process also unloads and reloads those kernel modules. Unfortunately, this is likely to have adverse side effects on a running system, especially one whose network is very busy.
    A mode in which all rules must be reloaded even when only one rule is modified is called a static firewall. The mode provided by firewalld can then be called a dynamic firewall; it was designed to solve exactly this problem: changing a rule no longer requires the entire list of firewall rules to be reloaded, only the changed part is saved and updated in the running iptables.
    As for the relationship between firewalld and iptables: firewalld provides a daemon (the firewalld service) together with command-line and graphical configuration tools. It only replaces the iptables service; underneath, iptables is still used as the entry point for managing firewall rules. firewalld is written in Python; there are plans to rewrite the daemon part in C++ in a new version.

  2. What is a zone?

firewalld assigns each network interface to a zone. There are 9 default zones: block, dmz, drop, external, home, internal, public, trusted and work.
The zones differ in how they handle packets by default, and the name of each zone gives an intuitive idea of its character. On CentOS 7 the default zone is public.
The latest Fedora release (Fedora 21) distinguishes between Server and Workstation editions and adds two custom zones, FedoraServer and FedoraWorkstation, one for each edition.
List all supported zones with the following command:
firewall-cmd --get-zones
block dmz drop external home internal public trusted work
View the current default zone:
firewall-cmd --get-default-zone
public
The zones are described below.
The iptables service stores its configuration in /etc/sysconfig/iptables.
firewalld stores its various XML configuration files in /usr/lib/firewalld/ and /etc/firewalld/.
The zone settings in /etc/firewalld/ are a set of presets that can be applied quickly to a network interface. They are listed and briefly described as follows:
drop (discard)
Any incoming network packet is dropped without any reply. Only outgoing network connections are possible.
block (restricted)
Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6.
public (public)
For use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
external (outside)
For use on external networks with masquerading enabled, especially for routers. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
dmz (demilitarized zone)
For computers in your demilitarized zone that are publicly accessible but have limited access to your internal network; only selected incoming connections are accepted.
work (work)
For use in work areas. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
home (home)
For use in home areas. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
internal (inner)
For use on internal networks. You can mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.
trusted (trusted)
All network connections are accepted.
One zone can be designated the default zone. When interfaces are added to NetworkManager, they are assigned to the default zone. When firewalld is installed, the default zone is set to public.

  3. What is a service?
    The /usr/lib/firewalld/services/ directory stores another type of configuration file; each file corresponds to a particular network service, such as ssh.
    A service configuration file records the TCP/UDP ports used by that service. The latest version of firewalld defines more than 70 services ready for use.
    When a service is not provided by default, or a service needs to use a custom port, we place our own service configuration file in the /etc/firewalld/services/ directory.

The benefits of configuring services are obvious:
first, managing rules by service name is more user-friendly;
second, organizing ports by service is more efficient: if a service uses several network ports, the service configuration file is a shortcut for operating on all of those port rules at once.
Loading a service configuration means opening access to the corresponding ports. List all supported services with the following command:

firewall-cmd --get-services
RH-Satellite-6 amanda-client bacula bacula-client dhcp dhcpv6 dhcpv6-client dns ftp high-availability http https imaps ipp ipp-client ipsec kerberos kpasswd ldap ldaps libvirt libvirt-tls mdns mountd ms-wbt mysql nfs ntp open*** pmcd pmproxy pmwebapi pmwebapis pop3s postgresql proxy-dhcp radius rpc-bind samba samba-client smtp ssh telnet tftp tftp-client transmission-client vnc-server wbem-https
View the services loaded in the current zone:
firewall-cmd --list-services
dhcpv6-client ssh

Dynamically adding a firewall rule:
Suppose the ssh port is changed to 12222. The following command adds a new firewall rule for that port:
firewall-cmd --add-port=12222/tcp --permanent
If the rule needs to be saved to the zone configuration file, the --permanent parameter must be added.
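As an added example (not code from the original post), the following Python builds and parses service definition files in the real firewalld service XML format and resolves a zone's loaded services plus explicitly added ports to the full set of open ports; the sample service contents, the service name SSH-12222 and the zone contents are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample service definitions in the firewalld service format
# (the real files live under /usr/lib/firewalld/services/<name>.xml).
SERVICE_FILES = {
    "ssh": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell login.</description>
  <port protocol="tcp" port="22"/>
</service>""",
    "dhcpv6-client": """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DHCPv6 Client</short>
  <port protocol="udp" port="546"/>
</service>""",
}


def service_ports(xml_text):
    """Return the (protocol, port) pairs a service definition opens."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service file: <%s>" % root.tag)
    return [(p.get("protocol"), p.get("port")) for p in root.findall("port")]


def custom_service_xml(short, description, ports):
    """Build a service file to drop into /etc/firewalld/services/, e.g. ssh on 12222."""
    root = ET.Element("service")
    ET.SubElement(root, "short").text = short
    ET.SubElement(root, "description").text = description
    for protocol, port in ports:
        if protocol not in ("tcp", "udp"):
            raise ValueError("unsupported protocol %r" % protocol)
        ET.SubElement(root, "port", protocol=protocol, port=str(port))
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def zone_open_ports(zone_services, zone_ports, service_files=SERVICE_FILES):
    """Resolve loaded services plus explicit ports to every (protocol, port) the zone accepts."""
    opened = set(zone_ports)
    for name in zone_services:
        opened.update(service_ports(service_files[name]))
    return sorted(opened)


if __name__ == "__main__":
    # --add-port=12222/tcp while the stock ssh service stays loaded leaves 22 open too.
    print(zone_open_ports(["dhcpv6-client", "ssh"], [("tcp", "12222")]))
    print(custom_service_xml("SSH-12222", "SSH on a non-default port", [("tcp", "12222")]))
```

Running the check after a port move shows whether the old ssh service still needs to be removed from the zone before only the new port is reachable.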

Origin blog.51cto.com/jiangzm/2475020