Linux entry series 10 — firewalld firewall management


The last article learned the user and file related permissions, this article continues to learn firewall technology.

As a protective barrier between public network and Intranet, firewall is very important to the system. Firewall is divided into hardware firewall and software firewall, the main function is to filter the traffic through the firewall according to the set strategy. This article mainly explains the software firewall of centos7 system.

Because in the beginning stage, in order to avoid interference, we often close the firewall directly, but it is not safe to do so in the production environment, so we need to master the relevant configuration method of firewall.

1、 Overview of Linux Firewall

Linux system includes two layers of firewall, one is based on TCP / IP traffic filtering tools, the other is TCP wrappers service. The former includes iptables, firewalld and other firewalls, while the latter is a firewall that can allow or prohibit the Linux system to provide services, so as to protect the security of the system at a higher level.

In rhel7 system, firewalld replaces the previous version of iptables firewall and becomes the default firewall. There is a big difference between the two. The firewall strategy of iptables is handled by the Netfilter network filter at the kernel level, while firewalld is handled by the nftables packet filtering framework at the kernel level.

Strictly speaking, iptables and firewalld are not real firewalls, but just firewall management tools used to define firewall policies. They are both services.

Firewall management tools are mainly used to facilitate the operation and maintenance management personnel to configure and manage the firewall policies. The ideas of these tools are similar. As long as you master one, this paper mainly introduces firewalld, a firewall management tool.

2、 Firewalld firewall management tool

Centos7 integrates a number of firewall tools, the default is firewalld, full name: Dynamic Firewall manager of Linux systems, dynamic firewall manager of Linux system. It is used for two management modes of command line interface (CLI) or graphical user interface (GUI), which will be introduced respectively in the following.

Compared with the traditional firewall management and configuration tool, firewalld supports dynamic update technology and adds the concept of zone. In short, it is to define several sets of firewall policy templates in advance, and users can select them according to the actual scene, so as to realize the fast switch between policies. For example, after setting the home and work area policies, you can choose the home area at home and the work strategy in the company, which greatly improves the application efficiency of the firewall strategy.

The region name and strategy rules of cicada pupa in firewalld are as follows:

region Default policy rule
trusted Run all packets
home Reject incoming traffic, unless associated with outgoing flow. If traffic is related to SSH, mDNS, IPP client, AMBA client, DHCPv6 client services, traffic is allowed
internal Same as home
work Refuse to flow in unless it is related to the number of outgoing flows. If traffic is related to SSH, IPP client and DHCPv6 client services, traffic is allowed
public Reject incoming traffic, unless associated with outgoing flow. If the traffic is related to SSH, DHCPv6 client services, traffic is allowed
external Deny incoming traffic unless it is related to outgoing traffic, and allow traffic if traffic is related to SSH service
dmz Deny incoming traffic unless it is related to outgoing traffic, and allow traffic if traffic is related to SSH service
block Refuse to flow in unless related to outflow
drop Same as block

2.1 firewall-cmd

Firewall CMD is the CLI (command line interface) version of firewalld firewall configuration management tool. Its parameters are generally provided in “long format”. It has many parameters, but since centos7 already supports the completion of the parameters of this command, you need to use the tab key more. The following table lists the commonly used parameters and functions, and more parameters can be viewed by man command.

parameter effect
–get-default-zone Query the default area name
–Set default zone = zone name > Set the default zone to make it permanent
–get-zones Show available areas
–get-active-zones Displays the name of the area and network card currently in use
–get-services Show predefined services
–add-source= Direct traffic from this IP or subnet to a specified area
–remove-source= Traffic from this IP or subnet is no longer directed to a specified area
–Add interface = network card name > All traffic from the network card is directed to a specified area
–Change interface = network card name > Associate a network card with a region
–list-all Display the network card configuration parameters, resources, ports and services of the current area
–list-all-zones Display the network card configuration parameters, resources, ports and services of all areas
–Add service = service name > Set the default zone to allow traffic for the service
–Add port = port number > Set the default zone to allow traffic for this port
–Remove service = service name > Set the default zone to no longer allow traffic for this service
–Remove port = port number > Set the default zone to no longer allow traffic on this port
–reload Make the “permanent” configuration rules take effect immediately and override the current configuration rules
–panic-on Turn on emergency mode
–panic-off Turn off emergency mode

There are two modes to configure policies with firewall: runtime and permanent. Runtime mode is also known as the current effective mode, and it will be invalid as the system is restarted. It is the default mode. If you need to configure it to take effect permanently, you need to add the — permanent parameter.

The main thing to note is that the policy configured in permanent mode can only take effect automatically after restart. If you want the configured policy to take effect immediately, you need to execute the firewall CMD — reload command manually.

2.1.1 firewall state management

If you install this series of tutorials step by step, the system and the firewalld service are installed by default. If you use other systems or do not install firewalld service, you can install it by yourself through the command. Installation command: Yum install firewalld firewall config

  • View firewall status
[[email protected] ~]# firewall-cmd --state 
[[email protected] ~]# systemctl status firewalld
firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled)
   Active: active (running) since Sat 2019-12-21 21:26:53 CST; 1h 31min ago
 Main PID: 915 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─915 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Dec 21 21:26:53 heimatengyun systemd[1]: Started firewalld - dynamic firewal....
Hint: Some lines were ellipsized, use -l to show in full.

You can use firewall CMD — state or systemctl status firewalld to view the firewall status.

  • Restart the firewall service
[[email protected] ~]# systemctl restart firewalld.service

Note that it is equivalent to systemctl restart firewalld, and the service suffix can be omitted.

  • Stop firewall service
[[email protected] ~]# systemctl stop firewalld
[[email protected] ~]# firewall-cmd --state    
not running
  • Start firewall service
[[email protected] ~]# systemctl start firewalld
[[email protected] ~]# firewall-cmd --state     
2.1.2 firewall profile

Configuration file description: firewalld stores the configuration file in two directories, / usr / lib / firewalld / and / etc / firewalld /. The former stores some default files, while the latter mainly stores user-defined data, so the services or rules we add are all carried out under the latter.

[[email protected] ~]# ls /usr/lib/firewalld/
icmptypes  services  zones
[[email protected] ~]# ls /etc/firewalld/
firewalld.conf  icmptypes  lockdown-whitelist.xml  services  zones

Server: storing service data is a set of well-defined rules.

Zones: storage area rules.

firewalld.conf : default configuration file. You can set the default zone. The default zone is public, which corresponds to the public.xml 。

2.1.3 common configuration commands and cases
  • View currently used area
[[email protected] ~]# firewall-cmd --get-default-zone 
  • Check whether the currently used area allows traffic to request SSH and HTTPS protocols
[[email protected] ~]# firewall-cmd --zone=public --query-service=ssh
[[email protected] ~]# firewall-cmd --zone=public --query-service=https
  • Set the HTTPS protocol traffic to permanent permission and take effect immediately
[[email protected] ~]# firewall-cmd --zone=public --add-service=https
[[email protected] ~]# firewall-cmd --zone=public --query-service=https
[[email protected] ~]# firewall-cmd --permanent --zone=public --add-service=https
[[email protected] ~]# firewall-cmd --reload
  • Allow 8080 and 8081 port traffic, only in effect currently
[[email protected] ~]# firewall-cmd --zone=public --list-ports 
[[email protected] ~]# firewall-cmd --zone=public --add-port=8080-8081/tcp
[[email protected] ~]# firewall-cmd --zone=public --list-ports            

2.2 firewall-config

Firewall config is the GUI (graphical user interface) version of firewalld firewall configuration management tool, which can implement almost all operations performed by command line. Even if there is no solid Linux command foundation, it can be used to properly configure the firewall policy in RHEL 7.

2.2.1 main interface

After entering the command, the main interface will be opened

[[email protected] ~]# firewall-config


The configuration at the top corresponds to whether it is running mode or permanent mode.

The zones tab on the left corresponds to different areas.

2.2.2 configuration case

After configuring the firewall policy with firewall config tool, there is no need to confirm it again, because as long as there are changes, it will be saved automatically.

  • The configuration allows HTTP service traffic in the current zone and is only valid for the current zone


  • Try to add a firewall policy rule to allow the traffic to access ports 8080-8088 (TCP protocol) and set it to take effect permanently


After adding rules, you also need to reload the configured policies to take effect immediately.


3、 TCP wrappers service

TCP wrappers is a traffic monitoring program that is enabled by default in rhel7 system. It can allow or reject operations according to the address of the visiting host and the target service program of this machine.

As mentioned above, firewalld is a traffic filtering tool based on TCP / IP protocol, while TCP wrappers service is a firewall that can allow or prohibit Linux system to provide services, thus protecting the safe operation of Linux system at a higher level.

The firewall policy of TCP wrappers service is controlled by two control list files. Users can edit the allow control list file to release the request traffic to the service, or edit the deny control list file to block the request traffic to the service.

After the control list file is modified, the system will check the allowed control list file (/ etc) first/ hosts.allow )If it matches the corresponding permission policy, the traffic will be released; if there is no match, it will be further matched with the rejection control list file (/ etc)/ hosts.deny ), if a match is found, the traffic is rejected. If none of these two files match, the default release flow is.

3.1 configuration principle
  • When writing a rejection policy rule, fill in the service name instead of the protocol name;

  • It is recommended to write a denial policy rule before an allow policy rule.

3.2 common configuration parameters

The common parameters in the control list file of the TCP wrappers service are as follows:

Client type Examples List of clients meeting the criteria
Single host Host with IP address
Specify network segment 192.168.1. Host with IP segment
Specify network segment Host with IP segment
Specify DNS suffix All suffixes are Host for
Specify the host name The host name is Host for
Specify all clients All or* All hosts are included
3.3 cases
  • Configure the specified IP to log in to the server remotely

edit hosts.deny file

[[email protected] ~]# vi /etc/hosts.deny

Add: sshd: * save and exit.

At this time, exit the remote connection tool and connect remotely again. You will not be able to connect.

Log in to the virtual machine directly and edit / etc/ hosts.allow File, allowing the IP of the local computer to connect to the server remotely.

[[email protected] ~]# vi /etc/hosts.allow

add to: sshd:192.168.78. Save and exit

Pay attention to 192.168.78. For the IP address you will access Linux, set it according to the actual situation. In the environment demonstrated in this paper, the IP address of VMnet8 is taken instead of the IP address of the host.

Then use the remote connection tool again and find that it can be connected.

Recommended Today

How to share queues with hypertools 2.5

Share queue with swote To realize asynchronous IO between processes, the general idea is to use redis queue. Based on the development of swote, the queue can also be realized through high-performance shared memory table. Copy the code from the HTTP tutorial on swoole’s official website, and configure four worker processes to simulate multiple producers […]