Detailed explanation of the basic firewalld commands on CentOS 7 | Develop Paper

Time: 2020-11-10

1、 Foundations of the Linux firewall

The Linux firewall works mainly at the network layer, filtering and restricting TCP/IP packets in real time, so it is a typical packet-filtering (network-layer) firewall. On CentOS 7 three firewall front ends coexist on top of the kernel: firewalld, iptables and ebtables. By default, firewalld is the tool that manages the Netfilter subsystem.

  • Netfilter: the packet-filtering framework inside the Linux kernel. It does not exist as a program or a file; it is the “kernel-space” part of the firewall;
  • firewalld: the command-line program used to manage the Linux firewall; it is the “user-space” management part;

1. Overview of firewalld

firewalld supplies the matching rules (policies) for the packet-filtering mechanism: through those rules it tells Netfilter what to do with packets coming from a specified source, going to a specified destination, or carrying certain protocol characteristics. To make firewall organization and management easier, firewalld is a dynamic firewall manager built around network zones, which define the trust level of network connections and interfaces. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges, and has two configuration modes:

  • Runtime configuration
  • Permanent configuration

It also provides an interface through which services or applications can add firewall rules directly.

2. Firewalld network area

firewalld divides all network traffic into zones, which simplifies firewall management. Based on the source IP address of a packet, the incoming network interface and similar conditions, traffic is directed to the firewall rules of the corresponding zone.

For a packet entering the system, the first thing checked is its source address:

  • If the source address is bound to a specific zone, the rules of that zone are applied;
  • If the source address is not bound to a zone, the zone of the incoming network interface is used and its rules are applied;
  • If the network interface is not bound to a zone either, the default zone is used and its rules are applied;

The default zone is not a separate zone; it points to one of the other zones defined on the system. Out of the box the default zone is public, but it can be changed. Under the matching order above, the first match wins. Within each zone you can configure a set of services or ports to be opened or closed, and every predefined firewalld zone already comes with its own default set of open services.
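To make the lookup order concrete, here is an added Python model of that decision (example code written for this page, not part of the article or of firewalld itself). The source networks, interface bindings and per-zone service lists are constructed sample data; the zone names and their default services follow the article. It is a simplified model: real firewalld keeps its own ordering for overlapping source bindings, and this code simply takes the first network that matches.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample configuration (not taken from the article): zone -> source
# networks bound with --add-source, interface -> zone bound with
# --add-interface, and the default zone. Addresses are documentation ranges.
SOURCE_BINDINGS: Dict[str, List[str]] = {
    "trusted": ["10.0.0.0/8"],
    "drop": ["203.0.113.0/24"],
}
INTERFACE_BINDINGS: Dict[str, str] = {
    "ens32": "internal",
    "ens33": "external",
}
DEFAULT_ZONE = "public"

# Services each zone allows; None means "everything" (trusted), an empty set
# means nothing (drop). Reduced to the predefined defaults the article lists.
ZONE_SERVICES: Dict[str, Optional[Set[str]]] = {
    "trusted": None,
    "public": {"ssh", "dhcpv6-client"},
    "internal": {"ssh", "ipp-client", "mdns", "samba-client", "dhcpv6-client"},
    "external": {"ssh"},
    "drop": set(),
}


def resolve_zone(src_ip: str, iface: str,
                 source_bindings: Dict[str, List[str]] = SOURCE_BINDINGS,
                 interface_bindings: Dict[str, str] = INTERFACE_BINDINGS,
                 default_zone: str = DEFAULT_ZONE) -> Tuple[str, str]:
    """Pick the zone for an incoming packet in the order the article gives:
    source address, then incoming interface, then the default zone.
    Returns (zone, reason) so the decision can be explained or audited."""
    addr = ipaddress.ip_address(src_ip)
    # 1. A source binding wins over everything else, whatever interface the
    #    packet arrived on.
    for zone, nets in source_bindings.items():
        for net in nets:
            if addr in ipaddress.ip_network(net, strict=False):
                return zone, f"source {src_ip} is within {net}, bound to {zone}"
    # 2. Otherwise the zone of the incoming interface, if it has one.
    if iface in interface_bindings:
        zone = interface_bindings[iface]
        return zone, f"interface {iface} is bound to {zone}"
    # 3. Otherwise the default zone.
    return default_zone, f"no binding for {src_ip} or {iface}; default zone"


def is_service_allowed(src_ip: str, iface: str, service: str) -> bool:
    """Combine zone resolution with the resolved zone's allowed-service set.
    Zones missing from ZONE_SERVICES are treated as allowing nothing."""
    zone, _ = resolve_zone(src_ip, iface)
    allowed = ZONE_SERVICES.get(zone, set())
    return True if allowed is None else service in allowed


if __name__ == "__main__":
    for ip, dev, svc in [("10.1.2.3", "ens33", "http"),
                         ("192.0.2.5", "ens32", "samba-client"),
                         ("192.0.2.5", "eth9", "http"),
                         ("203.0.113.7", "ens32", "ssh")]:
        zone, why = resolve_zone(ip, dev)
        verdict = "allowed" if is_service_allowed(ip, dev, svc) else "denied"
        print(f"{ip:>13} via {dev:<5} -> {zone:<8} {svc}: {verdict}  ({why})")
```

The first sample line is the case worth remembering: a packet from 10.1.2.3 arriving on ens33 lands in trusted, not external, because the source binding is checked before the interface binding.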

3. Description of the predefined firewalld zones

  • trusted (trusted zone): accepts all network connections;
  • public (public zone): incoming traffic is rejected unless it is related to outgoing traffic or matches the predefined SSH or DHCPv6 client services;
  • work (work zone): incoming traffic is rejected unless it is related to outgoing traffic or matches the predefined SSH, IPP client or DHCPv6 client services; used in the workplace;
  • home (home zone): incoming traffic is rejected unless it is related to outgoing traffic or matches the predefined SSH, IPP client, mDNS, Samba client or DHCPv6 client services; used for home networks;
  • internal (internal zone): incoming traffic is rejected unless it is related to outgoing traffic or matches the predefined SSH, IPP client, mDNS, Samba client or DHCPv6 client services; used for internal networks;
  • external (external zone): incoming traffic is rejected unless it is related to outgoing traffic or matches the predefined SSH service;
  • dmz (isolated zone, also known as the demilitarized zone): incoming traffic is rejected unless it is related to outgoing traffic or matches the predefined SSH service;
  • block (restricted zone): all incoming traffic is rejected unless it is related to outgoing traffic;
  • drop (drop zone): all incoming traffic is discarded unless it is related to outgoing traffic, and no error response (ICMP included) is generated;

2、 Configuration methods for the firewalld firewall

On CentOS 7, firewalld can be configured in three ways:

  • the firewall-config graphical tool;
  • the firewall-cmd command-line tool;
  • the configuration files under /etc/firewalld/;

In general, editing the configuration files directly is not recommended.

1. Basic firewall-cmd commands

[root@centos01 ~]# systemctl start firewalld         # start firewalld
[root@centos01 ~]# systemctl enable firewalld        # start firewalld automatically at boot
[root@centos01 ~]# systemctl status firewalld
[root@localhost ~]# firewall-cmd --state             # check whether the firewall is running
running
[root@centos01 ~]# systemctl stop firewalld          # stop firewalld
[root@centos01 ~]# systemctl disable firewalld
[root@centos01 ~]# firewall-cmd --get-zones          # list the predefined zones
[root@centos01 ~]# firewall-cmd --get-services       # list the predefined service types
[root@centos01 ~]# firewall-cmd --get-default-zone   # show the system default zone
[root@localhost /]# firewall-cmd --reload
[root@centos01 ~]# firewall-cmd --get-active-zones   # show the active zones

[root@centos01 ~]# firewall-cmd --get-icmptypes      # list the predefined ICMP types
address-unreachable bad-header communication-prohibited destination-unreachable 
echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited
host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement
neighbour-solicitation network-prohibited network-redirect network-unknown 
network-unreachable no-route packet-too-big parameter-problem port-unreachable
precedence-cutoff protocol-unreachable redirect required-option-missing
router-advertisement router-solicitation source-quench source-route-failed time-exceeded
timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable 
tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly 
ttl-zero-during-transit unknown-header-type unknown-option

Some of the ICMP types printed by firewall-cmd --get-icmptypes mean the following:

  • destination-unreachable: the destination address cannot be reached;
  • echo-reply: echo reply (the answer to a ping);
  • parameter-problem: a problem with an IP header parameter;
  • redirect: redirect;
  • router-advertisement: router advertisement;
  • router-solicitation: router solicitation;
  • source-quench: source quench (asks the sender to slow down);
  • time-exceeded: time exceeded (timeout);
  • timestamp-reply: timestamp reply;
  • timestamp-request: timestamp request;

2. firewalld zone management options

  • --get-default-zone: show the default zone for network connections and interfaces;
  • --set-default-zone=<zone>: set the default zone for network connections and interfaces;
  • --get-active-zones: show all active zones;
  • --get-zone-of-interface=<interface>: show the zone the given interface is bound to;
  • --zone=<zone> --add-interface=<interface>: bind the given interface to the zone;
  • --zone=<zone> --change-interface=<interface>: change the interface binding to the given zone;
  • --zone=<zone> --remove-interface=<interface>: remove the interface binding from the given zone;
  • --list-all-zones: show all zones and their rules;
  • [--zone=<zone>] --list-all: show all rules of the given zone; omitting --zone=<zone> operates on the default zone only;

Examples of zone management:

[root@centos01 ~]# firewall-cmd --get-default-zone                      # show the current default zone
[root@centos01 ~]# firewall-cmd --list-all                              # show all rules of the default zone
[root@centos01 ~]# firewall-cmd --get-zone-of-interface=ens32           # show the zone of interface ens32
internal
[root@centos01 ~]# firewall-cmd --zone=internal --change-interface=ens32   # move ens32 into the internal zone
The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@centos01 ~]# firewall-cmd --zone=internal --list-interfaces       # list the interfaces in the internal zone
ens32
[root@centos01 ~]# firewall-cmd --get-active-zones                      # show all active zones
internal
  interfaces: ens32

3. firewalld service management

For ease of management, firewalld predefines many services, stored in the /usr/lib/firewalld/services/ directory. Each service is described by a single XML file named service-name.xml, and each file corresponds to one network service, such as SSH. Service files you add or modify yourself are placed in the /etc/firewalld/services/ directory. Service-based configuration has the following advantages:

Managing rules by service name is more human-friendly;

If a service uses several network ports, its configuration file acts as a batch shortcut for managing the rules of all of those ports at once;
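The following added Python example (written for this page; it is not firewalld code and does not read the live system) shows what that batch shortcut amounts to: it parses service files in the <service>/<port protocol= port=/> layout firewalld uses, expands a list of service names into the port specs --add-service would open, and reproduces the lookup order in which a file under /etc/firewalld/services/ overrides the shipped one of the same name. The XML texts are constructed samples; "myapp" is a hypothetical custom service, and the directory names used in demo_override are temporary stand-ins for the real paths.

```python
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import Dict, Iterable, Optional, Set

# Constructed service definitions in the firewalld service-file layout
# (<service> root with <short>, <description> and <port protocol= port=/>).
# Real files live in /usr/lib/firewalld/services/ (shipped) and
# /etc/firewalld/services/ (local). "myapp" is a hypothetical custom service.
SERVICE_XML: Dict[str, str] = {
    "ssh": """<service>
  <short>SSH</short>
  <description>Secure Shell remote login.</description>
  <port protocol="tcp" port="22"/>
</service>""",
    "mysql": """<service>
  <short>MySQL</short>
  <port protocol="tcp" port="3306"/>
</service>""",
    "dhcpv6-client": """<service>
  <short>DHCPv6 Client</short>
  <port protocol="udp" port="546"/>
  <destination ipv6="fe80::/64"/>
</service>""",
    "myapp": """<service>
  <short>MyApp (hypothetical custom service)</short>
  <port protocol="tcp" port="8000-8010"/>
  <port protocol="udp" port="9000"/>
</service>""",
}


def parse_service(xml_text: str) -> Set[str]:
    """Return the port specs ("22/tcp", "8000-8010/tcp") a service file opens.
    A <port> whose port attribute is empty opens the whole protocol."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError(f"not a firewalld service file (root is <{root.tag}>)")
    specs: Set[str] = set()
    for port in root.findall("port"):
        proto = port.get("protocol")
        num = port.get("port", "")
        if not proto:
            raise ValueError("<port> element without a protocol attribute")
        specs.add(f"{num}/{proto}" if num else proto)
    return specs


def expand_services(names: Iterable[str],
                    definitions: Dict[str, str] = SERVICE_XML) -> Set[str]:
    """Union of the ports --add-service would open for the given service
    names: the 'batch shortcut' described above. Unknown names raise,
    mirroring firewall-cmd rejecting a service it has no file for."""
    ports: Set[str] = set()
    for name in names:
        if name not in definitions:
            raise KeyError(f"unknown service: {name}")
        ports |= parse_service(definitions[name])
    return ports


def load_service_file(name: str, etc_dir: Path, lib_dir: Path) -> Optional[Path]:
    """Lookup order: a file in the local directory (/etc/firewalld/services/)
    shadows the shipped one (/usr/lib/firewalld/services/) of the same name."""
    for base in (etc_dir, lib_dir):
        candidate = base / f"{name}.xml"
        if candidate.is_file():
            return candidate
    return None


def demo_override() -> Set[str]:
    """Build a throw-away tree with a shipped 'ssh' plus a local override that
    moves SSH to port 2222, and return the ports the lookup actually uses."""
    with tempfile.TemporaryDirectory() as tmp:
        lib_dir = Path(tmp) / "usr_lib_firewalld_services"   # stand-in path
        etc_dir = Path(tmp) / "etc_firewalld_services"       # stand-in path
        lib_dir.mkdir()
        etc_dir.mkdir()
        (lib_dir / "ssh.xml").write_text(SERVICE_XML["ssh"])
        (etc_dir / "ssh.xml").write_text(
            SERVICE_XML["ssh"].replace('port="22"', 'port="2222"'))
        chosen = load_service_file("ssh", etc_dir, lib_dir)
        return parse_service(chosen.read_text())


if __name__ == "__main__":
    print("internal zone ports:", sorted(expand_services(["ssh", "mysql", "dhcpv6-client"])))
    print("custom service ports:", sorted(expand_services(["myapp"])))
    print("ssh after local override:", demo_override())
```

The override check is the part worth keeping in mind when auditing a host: a service name in --list-services only tells you which file was matched, and a locally edited copy under /etc/firewalld/services/ can open different ports than the shipped definition of the same name.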

1) Common firewall-cmd service management options for a zone:

  • [--zone=<zone>] --list-services: show all services allowed in the given zone;
  • [--zone=<zone>] --add-service=<service>: allow a service in the given zone;
  • [--zone=<zone>] --remove-service=<service>: remove an allowed service from the given zone;
  • [--zone=<zone>] --list-ports: show all ports allowed in the given zone;
  • [--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol>: allow a port or port range (with its protocol) in the given zone;
  • [--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol>: remove a port or port range (with its protocol) from the given zone;
  • [--zone=<zone>] --list-icmp-blocks: show all ICMP types blocked in the given zone;
  • [--zone=<zone>] --add-icmp-block=<icmptype>: block an ICMP type in the given zone;
  • [--zone=<zone>] --remove-icmp-block=<icmptype>: unblock an ICMP type in the given zone; omitting --zone=<zone> operates on the default zone;

2) Example of firewalld service management (setting the allowed services of the default zone):

[root@centos01 ~]# firewall-cmd --list-services          # show all services allowed in the default zone
dhcpv6-client ssh
[root@centos01 ~]# firewall-cmd --add-service=http       # allow the HTTP service in the default zone
success
[root@centos01 ~]# firewall-cmd --add-service=https      # allow the HTTPS service in the default zone
success
[root@centos01 ~]# firewall-cmd --list-services          # show all services allowed in the default zone
dhcpv6-client ssh https http

3) Example of firewalld service management (setting the allowed services of the internal zone):

[root@centos01 ~]# firewall-cmd --zone=internal --add-service=mysql            # allow the MySQL service in the internal zone
success
[root@centos01 ~]# firewall-cmd --zone=internal --remove-service=samba-client  # stop allowing the Samba client service in the internal zone
success
[root@centos01 ~]# firewall-cmd --zone=internal --list-services                # show all services allowed in the internal zone
ssh mdns dhcpv6-client mysql

4. Port management

When configuring a predefined service, you refer to it by name and the ports it uses are opened automatically. For services that are not predefined, you must add the ports manually to the desired zone. For example, to open port 443/tcp in the internal zone:

[root@centos01 ~]# firewall-cmd --zone=internal --add-port=443/tcp       # open port 443/tcp in the internal zone
success

To disable access to port 443/tcp in the internal zone again, run:

[root@centos01 ~]# firewall-cmd --zone=internal --remove-port=443/tcp    # close port 443/tcp in the internal zone
success

All of the configuration above is temporary. To save the current configuration as the permanent configuration, use:

[root@centos01 ~]# firewall-cmd --runtime-to-permanent
success

To write a rule directly into the permanent configuration, the --permanent option is required, as follows:

[root@centos01 ~]# firewall-cmd --add-icmp-block=echo-request --permanent                  # block ping (ICMP echo requests) in the default zone
success
[root@centos01 ~]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent  # block ping in the external zone
success

3、 The two configuration modes of firewalld

As mentioned above, firewall-cmd has two configuration modes. Runtime mode is the firewall configuration currently running in memory; it is lost when the system or the firewalld service is restarted or stopped. Permanent mode is the rule configuration stored in the configuration files, which is what the firewall loads when it is restarted or reloaded.

firewall-cmd has three options related to the configuration mode:

  • --reload: reload the firewall rules while keeping state information, i.e. apply the permanent configuration to the runtime configuration;
  • --permanent: commands carrying this option set permanent rules, which take effect only after the firewall is restarted or reloaded; without it, commands set runtime rules;
  • --runtime-to-permanent: write the current runtime configuration to the rule configuration files, so that the rules currently in memory become the permanent configuration;
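Because the two modes can diverge silently (a rule added without --permanent disappears on the next --reload, and a rule added with --permanent is not enforced until then), a practitioner usually wants a check for that drift. The Python below is an added example for this page, not firewalld code: it parses two constructed samples in the layout firewall-cmd --list-all prints for a zone (the runtime view and the --permanent view) and reports which services, ports and ICMP blocks exist on only one side. The live_drift helper runs the same comparison against a real host by calling firewall-cmd through subprocess; it is included for use on a CentOS 7 machine and is not exercised offline.

```python
import subprocess
from typing import Dict, Set

# Constructed sample output in the layout firewall-cmd --list-all prints:
# a zone header line followed by indented "key: values" lines. Runtime view.
RUNTIME_LIST_ALL = """internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: ssh mdns dhcpv6-client mysql
  ports: 443/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
"""

# Constructed --permanent view of the same zone: mysql and 443/tcp were added
# at runtime only, samba-client was removed at runtime only, and an
# echo-request block was added with --permanent but never reloaded.
PERMANENT_LIST_ALL = """internal
  target: default
  icmp-block-inversion: no
  interfaces: ens32
  sources: 
  services: ssh mdns samba-client dhcpv6-client
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: echo-request
  rich rules: 
"""

# Fields whose values are whitespace-separated lists worth comparing as sets.
LIST_FIELDS = ("interfaces", "sources", "services", "ports",
               "protocols", "icmp-blocks")


def parse_list_all(text: str) -> Dict[str, object]:
    """Parse --list-all output into {"zone": name, <field>: set(...), ...}.
    Non-list fields (target, masquerade, rich rules) are kept as strings."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        raise ValueError("empty --list-all output")
    zone = lines[0].split()[0]            # drops a trailing "(active)"
    parsed: Dict[str, object] = {"zone": zone}
    for ln in lines[1:]:
        key, _, value = ln.strip().partition(":")
        key = key.strip()
        parsed[key] = set(value.split()) if key in LIST_FIELDS else value.strip()
    return parsed


def drift(runtime_text: str, permanent_text: str) -> Dict[str, Dict[str, Set[str]]]:
    """Compare the runtime and permanent configuration of one zone.
    'runtime_only' entries vanish on --reload or restart; 'permanent_only'
    entries are not enforced yet and appear after --reload."""
    rt, pm = parse_list_all(runtime_text), parse_list_all(permanent_text)
    if rt["zone"] != pm["zone"]:
        raise ValueError(f"zone mismatch: {rt['zone']} vs {pm['zone']}")
    report: Dict[str, Dict[str, Set[str]]] = {}
    for field in LIST_FIELDS:
        r, p = rt.get(field, set()), pm.get(field, set())
        if r != p:
            report[field] = {"runtime_only": r - p, "permanent_only": p - r}
    return report


def live_drift(zone: str) -> Dict[str, Dict[str, Set[str]]]:
    """Same check against a real host (needs firewall-cmd; not run offline)."""
    def run(*extra: str) -> str:
        return subprocess.run(["firewall-cmd", *extra, f"--zone={zone}", "--list-all"],
                              check=True, capture_output=True, text=True).stdout
    return drift(run(), run("--permanent"))


if __name__ == "__main__":
    for field, diff in drift(RUNTIME_LIST_ALL, PERMANENT_LIST_ALL).items():
        print(f"{field}: lost on reload {sorted(diff['runtime_only'])}, "
              f"pending until reload {sorted(diff['permanent_only'])}")
```

On the sample data the report says that mysql and 443/tcp are lost on the next reload, that samba-client comes back, and that the echo-request block is pending; --runtime-to-permanent resolves the first two directions and --reload the third, which is exactly the choice the three options above give you.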

That is the whole content of this article. I hope it helps you in your studies, and I hope you will continue to support Develop Paper.
