1, Introduction to the firewalld firewall
The firewalld firewall is the default firewall management tool on CentOS 7, replacing the earlier iptables tooling. It also works at the network layer and is a packet-filtering firewall.
firewalld and iptables are both user-space tools for managing the firewall: they define the firewall's rules and functions, while the actual packet filtering is done by the netfilter subsystem in the kernel.
firewalld provides a dynamic firewall management tool with support for network zones that define the trust level of network connections and interfaces.
It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges (used by some advanced services such as cloud computing), and has two configuration modes: runtime configuration and permanent configuration.
2, Differences between firewalld and iptables
1. iptables sets its rules mainly per interface to decide whether network traffic is allowed.
- firewalld is zone-based: different rules are set for different zones to secure the network, which is similar to how a hardware firewall is configured.
2. iptables stores its configuration in /etc/sysconfig/iptables.
- firewalld stores its configuration in XML files under /etc/firewalld/ (loaded with priority) and /usr/lib/firewalld/ (default profiles).
3. With iptables, every individual change means flushing all the old rules and re-reading all the new rules from /etc/sysconfig/iptables.
- firewalld does not recreate every rule; it applies only the differences between the old and new rule sets. Settings can therefore be changed at runtime without losing the current connections.
4. iptables is a static firewall.
- firewalld is a dynamic firewall.
3, The firewalld zone concept
To simplify management, the firewalld firewall divides all network traffic into multiple zones. Traffic is then assigned to the corresponding zone according to the source IP address of the packet or the network interface it arrived on. Each zone defines its own list of open or closed ports and services.
1. The nine firewalld zones
|Zone|Default behaviour|
|---|---|
|trusted|Allows all incoming traffic.|
|public|Allows incoming traffic matching the ssh or dhcpv6-client predefined services and rejects the rest. This is the default zone for newly added network interfaces.|
|external|Allows incoming traffic matching the ssh predefined service and rejects the rest. Outgoing IPv4 traffic forwarded through this zone is masqueraded by default, for use on external networks where masquerading is enabled on the router.|
|home|Allows incoming traffic matching the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services and rejects the rest.|
|internal|Same defaults as the home zone.|
|work|Allows incoming traffic matching the ssh, ipp-client and dhcpv6-client predefined services and rejects the rest.|
|dmz (demilitarized zone)|Allows incoming traffic matching the ssh predefined service and rejects the rest.|
|block|Rejects all incoming traffic.|
|drop|Drops all incoming traffic without sending any ICMP error response.|
2. Zone overview
Ultimately, the security level of a zone depends on the rules the administrator sets in that zone.
Zones act like the security doors of the host: each zone has rules of a different degree of restriction, and only traffic that matches those rules is allowed in.
One or more zones can be used depending on the size of the network, but every active zone must be associated with at least one source address or interface.
By default, public is the default zone and contains all interfaces (network cards).
4, firewalld data processing flow
For packets entering the system, firewalld hands the traffic to the firewall rules of the corresponding zone according to the packet's source IP address or the network interface it arrived on. The first thing checked for an incoming packet is its source address.
5, How firewalld checks a packet's source address
1. If the source address is bound to a specific zone (so that the source binding and the interface binding may point to different zones), the rules of the zone bound to the source address are executed.
2. If the source address is not bound to a specific zone (so there is no such conflict between source and interface binding), the zone of the incoming network interface is used and that zone's rules are executed.
3. If the network interface is not bound to a specific zone either (neither the source address nor the interface is bound), the default zone is used and its rules are executed.
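The three-step lookup above, simulated in a POSIX shell script. This is an added example and not code from the original article or from the firewalld project: it does not query a live firewalld, but resolves the zone for a constructed set of source and interface bindings (the SOURCE_BINDINGS, INTERFACE_BINDINGS and DEFAULT_ZONE values are hypothetical sample data) using the same precedence, source binding first, then interface binding, then the default zone.

```shell
#!/bin/sh
# Added example: simulate firewalld's zone selection for an incoming packet.
# Precedence: 1. zone bound to the source address, 2. zone bound to the
# incoming interface, 3. the default zone.
# All bindings below are constructed sample data, not read from a real host.

# Constructed source bindings, one "<ip-or-cidr> <zone>" per line.
SOURCE_BINDINGS='10.0.0.0/8 internal
192.168.1.50 trusted'

# Constructed interface bindings, one "<interface> <zone>" per line.
INTERFACE_BINDINGS='eth0 public
eth1 dmz'

DEFAULT_ZONE=public

# ip_to_int <dotted-quad>: print the address as a 32-bit integer.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <ip-or-cidr>: succeed when <ip> lies inside the network.
# A bare address (no /prefix) is treated as a /32.
in_cidr() {
    ip=$1
    net=${2%/*}
    case $2 in */*) bits=${2#*/} ;; *) bits=32 ;; esac
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$ip") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# resolve_zone <source-ip> <interface>: print the zone whose rules apply.
resolve_zone() {
    src=$1
    iface=$2
    # 1. A source-address binding wins over everything else.
    while read -r net zone; do
        [ -n "$net" ] && in_cidr "$src" "$net" && { echo "$zone"; return; }
    done <<EOF
$SOURCE_BINDINGS
EOF
    # 2. Otherwise the zone the incoming interface is bound to.
    while read -r dev zone; do
        [ "$dev" = "$iface" ] && { echo "$zone"; return; }
    done <<EOF
$INTERFACE_BINDINGS
EOF
    # 3. Otherwise the default zone.
    echo "$DEFAULT_ZONE"
}

# Walk a few constructed packets through the lookup.
for probe in '10.1.2.3 eth0' '192.168.1.51 eth1' '203.0.113.9 eth5'; do
    set -- $probe
    echo "src=$1 iface=$2 -> zone $(resolve_zone "$1" "$2")"
done
```

The useful point the simulation makes visible is that a packet from 10.1.2.3 arriving on eth0 is handled by the internal zone even though eth0 is bound to public: a source binding silently overrides the interface binding, which is why an audit of exposure has to look at `--get-active-zones` and the sources of every zone, not only at which zone an interface sits in.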
6, Configuration methods of the firewalld firewall
1. Use the firewall-cmd command-line tool.
2. Use the firewall-config graphical tool.
3. Edit the configuration files under /etc/firewalld/.
systemctl start firewalld.service #Start the firewalld service
Common firewall-cmd command options
--get-default-zone : Display the current default zone
--set-default-zone=<zone> : Set the default zone
--get-active-zones : Display the zones currently in use and the network interfaces bound to them
--get-zones : Display all available zones
--get-zone-of-interface=<interface> : Display the zone the specified interface is bound to
--zone=<zone> --add-interface=<interface> : Bind the interface to the specified zone
--zone=<zone> --change-interface=<interface> : Change the network interface bound to the specified zone
--zone=<zone> --remove-interface=<interface> : Remove the network interface bound to the specified zone
--list-all-zones : Display all zones and their rules
[--zone=<zone>] --list-all : Display all rules of the specified zone; when --zone=<zone> is omitted, only the default zone is operated on
[--zone=<zone>] --list-services : Display all services allowed in the specified zone
[--zone=<zone>] --add-service=<service> : Allow a service in the specified zone
[--zone=<zone>] --remove-service=<service> : Remove an allowed service from the specified zone
[--zone=<zone>] --list-ports : Display all port numbers allowed in the specified zone
[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> : Allow a port or port range (including the protocol name) in the specified zone
[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol> : Remove an allowed port or port range (including the protocol name) from the specified zone
[--zone=<zone>] --list-icmp-blocks : Display all ICMP types blocked in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype> : Block an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype> : Remove a blocked ICMP type from the specified zone
firewall-cmd --get-icmptypes : Display all ICMP types
7, Zone management
firewall-cmd --get-default-zone #Display the default zone of the current system
firewall-cmd --list-all #Display all rules of the default zone
firewall-cmd --get-active-zones #Display the zones currently in use and their network interfaces
firewall-cmd --set-default-zone=home #Set the default zone
firewall-cmd --get-default-zone
8, Service management
firewall-cmd --list-service #View all services allowed in the default zone
firewall-cmd --add-service=http --zone=public #Add the http (httpd) service to the public zone
firewall-cmd --list-all --zone=public #View the rules configured for the public zone
firewall-cmd --remove-service=http --zone=public #Remove the http service from the public zone
firewall-cmd --add-service=http --add-service=https --permanent #Add the http and https services to the default zone at the same time and make the setting permanent
firewall-cmd --reload
firewall-cmd --list-all
#The --permanent option makes the setting permanent, but it takes effect only after the firewalld service is restarted or firewall-cmd --reload is run to reload the firewall rules. Without this option the command sets a runtime rule, which is lost when the system or the firewalld service is restarted or stopped.
--runtime-to-permanent : Write the current runtime configuration to the permanent configuration files.
9, Port management
firewall-cmd --zone=internal --add-port=443/tcp #Allow TCP port 443 in the internal zone
firewall-cmd --list-all --zone=internal
firewall-cmd --zone=internal --remove-port=443/tcp #Remove TCP port 443 from the internal zone
firewall-cmd --add-port=2048-2050/udp #Allow UDP ports 2048 to 2050 in the default zone
firewall-cmd --list-all
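After the service and port changes above, the check a practitioner wants is whether a zone exposes only what it is supposed to. The script below is an added example, not code from the original article or from firewalld: it parses the text layout that `firewall-cmd --list-all --zone=<zone>` prints, answers "is this service / is this port allowed here", and reports every opening that is not on an approved baseline. SAMPLE_OUTPUT is a constructed capture; on a real host it would be replaced by the output of the command itself, and the function and variable names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit one zone from the output of
#   firewall-cmd --list-all --zone=<zone>
# SAMPLE_OUTPUT is a constructed capture in the usual --list-all layout.
SAMPLE_OUTPUT='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports: 443/tcp 2048-2050/udp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# zone_field <list-all output> <field name>: print the value of one field.
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# zone_allows_service <output> <service>: succeed if the service is listed.
zone_allows_service() {
    for s in $(zone_field "$1" services); do
        [ "$s" = "$2" ] && return 0
    done
    return 1
}

# zone_allows_port <output> <port>/<protocol>: succeed if the port lies inside
# a listed port or port range with the same protocol (443/tcp, 2048-2050/udp).
zone_allows_port() {
    want=${2%/*}
    proto=${2#*/}
    for entry in $(zone_field "$1" ports); do
        [ "${entry#*/}" = "$proto" ] || continue
        range=${entry%/*}
        lo=${range%-*}
        hi=${range#*-}
        [ "$want" -ge "$lo" ] && [ "$want" -le "$hi" ] && return 0
    done
    return 1
}

# unexpected_openings <output> "<approved services>" "<approved ports>":
# print every listed service or port entry missing from the approved baseline.
unexpected_openings() {
    for s in $(zone_field "$1" services); do
        case " $2 " in *" $s "*) ;; *) echo "service:$s" ;; esac
    done
    for p in $(zone_field "$1" ports); do
        case " $3 " in *" $p "*) ;; *) echo "port:$p" ;; esac
    done
}

# Baseline for the constructed capture: only ssh, dhcpv6-client and 443/tcp
# are approved, so http and the UDP range are reported as drift.
unexpected_openings "$SAMPLE_OUTPUT" "ssh dhcpv6-client" "443/tcp"
```

Because runtime and permanent configurations can differ, the same check should be run twice, once against `--list-all` and once against `--list-all --permanent`, so that an opening added only at runtime (or only in the saved configuration) does not go unnoticed.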