firewalld firewall policy details
1. firewalld
firewalld is the default firewall management tool on CentOS 7 and replaces the earlier iptables tool. Like iptables it is a packet-filtering firewall that works at the network layer.
firewalld and iptables are both user-space tools for managing the firewall: they define the rules and features of the firewall and hand the actual packet filtering to the netfilter subsystem in the kernel.
firewalld provides a dynamic firewall manager that supports network zones, which assign a trust level to network connections and interfaces. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges (used by some advanced services, such as cloud computing), and has two configuration modes: runtime configuration and permanent configuration.
(1) The difference between firewalld and iptables:
- iptables sets its rules mainly per network interface to decide what is allowed on the network.
- firewalld sets its rules per zone, similar to the way a hardware firewall is configured.
- iptables stores its configuration in /etc/sysconfig/iptables; firewalld stores its configuration in XML files under /etc/firewalld/ (loaded with priority) and /usr/lib/firewalld/ (default configuration files).
- With iptables, every change means flushing all old rules and re-reading the whole rule set from /etc/sysconfig/iptables. firewalld does not rebuild the rule set; it applies only the difference, so settings can be changed at runtime without dropping existing connections.
(2) The concept of firewalld zones:
firewalld divides all network traffic into zones in order to simplify management. Traffic is assigned to a zone according to the packet's source IP address or the incoming network interface. Each zone defines its own list of open or closed ports and services.
(3) firewalld has 9 predefined zones:
- 1. trusted: allow all incoming traffic.
- 2. public: allow incoming traffic matching the ssh or dhcpv6-client predefined services, and reject the rest. This is the default zone for newly added network interfaces.
- 3. external: allow incoming traffic matching the ssh predefined service, and reject the rest.
- By default, IPv4 traffic forwarded out through this zone is masqueraded (source NAT), which is intended for a host acting as a router toward an external network.
- 4. home: allow incoming traffic matching the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services, and reject the rest.
- 5. internal: by default the same as the home zone.
- 6. work: allow incoming traffic matching the ssh, ipp-client and dhcpv6-client predefined services, and reject the rest.
- 7. dmz (demilitarized zone): allow incoming traffic matching the ssh predefined service, and reject the rest.
- 8. block: reject all incoming traffic; the sender receives an ICMP error.
- 9. drop: drop all incoming traffic without sending any ICMP error response.
"Reject the rest" applies to new incoming connections; in every zone, replies to connections initiated by the host itself (established or related traffic) are still accepted.
Ultimately the security level of a zone depends on the rules the administrator sets in it. Zones are like security doors into the host: each zone has rules with a different degree of restriction, and only traffic that matches those rules is let through.
(4) firewalld packet processing flow:
For a packet entering the system, firewalld uses the packet's source IP address, the incoming network interface and similar conditions to hand the packet to the rules of the corresponding zone. The first thing checked is the source address.
(5) Rules firewalld uses when checking the source address of a packet:
- 1. If the source address is bound to a zone, the rules of that zone apply. A source binding takes precedence, so this holds even when the incoming interface is bound to a different zone.
- 2. If the source address is not bound to any zone, the zone bound to the incoming network interface is used and its rules apply.
- 3. If the network interface is not bound to a zone either (neither the source address nor the interface has a binding), the default zone is used and its rules apply.
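The three rules above, as an added example that is not part of the original page: a small shell model of firewalld's zone selection order (source binding first, then interface binding, then the default zone). The binding tables are constructed sample data of the kind `firewall-cmd --get-active-zones` reports; the zone names are the predefined ones, the addresses and interface names are assumptions, and "first listed source match wins" is a simplification of this example.

```shell
#!/bin/sh
# Added example, not from the original page: model of firewalld's zone
# selection order. Constructed sample bindings (addresses/interfaces assumed).
SOURCE_BINDINGS='10.0.0.0/8=internal
192.168.1.0/24=trusted
203.0.113.7=drop'
IFACE_BINDINGS='eth0=public
eth1=internal'
DEFAULT_ZONE=public

# ip_to_int A.B.C.D -> 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# in_cidr IP NET[/PREFIX] -> exit 0 if IP lies inside the network
in_cidr() {
    net=${2%/*}
    prefix=${2#*/}
    [ "$net" = "$2" ] && prefix=32          # bare address means /32
    if [ "$prefix" -eq 0 ]; then
        mask=0
    else
        mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    fi
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# select_zone SRC_IP IFACE -> prints the zone whose rules apply to the packet
select_zone() {
    src=$1
    iface=$2
    # 1. A source binding wins, even if the interface is bound to another zone
    #    (simplification: the first listed matching source binding is used).
    for b in $SOURCE_BINDINGS; do
        if in_cidr "$src" "${b%%=*}"; then
            echo "${b#*=}"
            return 0
        fi
    done
    # 2. Otherwise the zone bound to the incoming interface applies.
    for b in $IFACE_BINDINGS; do
        if [ "${b%%=*}" = "$iface" ]; then
            echo "${b#*=}"
            return 0
        fi
    done
    # 3. Neither is bound: the default zone applies.
    echo "$DEFAULT_ZONE"
}

# Walk a few constructed packets through the three rules.
for pkt in "10.1.2.3 eth0" "203.0.113.7 eth1" "198.51.100.5 eth1" "198.51.100.5 eth2"; do
    set -- $pkt
    echo "src=$1 iface=$2 -> zone=$(select_zone "$1" "$2")"
done
```

The first packet shows the point that trips people up: it arrives on eth0, which is bound to public, but its source falls inside 10.0.0.0/8, so the internal zone's rules apply, not public's.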
(6) Ways to configure the firewalld firewall:
- 1. Use the firewall-cmd command-line tool.
- 2. Use the firewall-config graphical tool.
- 3. Edit the configuration files under /etc/firewalld/.
Start the service:
systemctl start firewalld.service
Frequently used firewall-cmd command options:
--get-default-zone : display the current default zone
--set-default-zone=<zone> : set the default zone
--get-active-zones : display the zones currently in use and the interfaces bound to them
--get-zones : show all available zones
--get-zone-of-interface=<interface> : display the zone the specified interface is bound to
--zone=<zone> --add-interface=<interface> : bind the interface to the specified zone
--zone=<zone> --change-interface=<interface> : move the interface to the specified zone, replacing its existing binding
--zone=<zone> --remove-interface=<interface> : remove the interface binding from the specified zone
--list-all-zones : show all zones and their rules
[--zone=<zone>] --list-all : show all rules of the specified zone; when --zone=<zone> is omitted, the default zone is used (this applies to every option below)
[--zone=<zone>] --list-services : display all services allowed in the specified zone
[--zone=<zone>] --add-service=<service> : allow a service in the specified zone
[--zone=<zone>] --remove-service=<service> : remove an allowed service from the specified zone
[--zone=<zone>] --list-ports : display all allowed ports in the specified zone
[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> : allow a port or port range (with protocol) in the specified zone
[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol> : remove an allowed port or port range (with protocol) from the specified zone
[--zone=<zone>] --list-icmp-blocks : display all blocked ICMP types in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype> : block an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype> : remove a blocked ICMP type from the specified zone
--get-icmptypes : show all ICMP types
Zone management:
(1) Display the default zone of the current system
firewall-cmd --get-default-zone
(2) Display all rules of the default zone
firewall-cmd --list-all
(3) Display the zones currently in use and the interfaces bound to them
firewall-cmd --get-active-zones
(4) Set the default zone
firewall-cmd --set-default-zone=home
firewall-cmd --get-default-zone
Service management:
(1) View all services allowed in the default zone
firewall-cmd --list-services
(2) Add the http service to the public zone
firewall-cmd --add-service=http --zone=public
(3) View the rules configured in the public zone
firewall-cmd --list-all --zone=public
(4) Remove the http service from the public zone
firewall-cmd --remove-service=http --zone=public
(5) Add the http and https services to the default zone at the same time and make them permanent
firewall-cmd --add-service=http --add-service=https --permanent
firewall-cmd --reload
firewall-cmd --list-all
# The --permanent option writes the rule to the permanent configuration under /etc/firewalld/. It does not change the running firewall by itself: the rule takes effect only after firewalld is restarted or firewall-cmd --reload is run to reload the rules. Without --permanent the command sets a runtime rule, which is applied immediately but is lost when the system or the firewalld service is restarted or stopped, and also when firewall-cmd --reload replaces the runtime rules with the permanent configuration. A runtime-only rule added in a hurry is therefore a common way to lose a firewall opening (or a firewall block) after the next reload.
--runtime-to-permanent : write the current runtime configuration to the permanent configuration files.
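A check for the runtime/permanent gap described above, as an added example that is not part of the original page: it compares the `services:` and `ports:` fields of `firewall-cmd --list-all` with those of `firewall-cmd --permanent --list-all` and reports anything that exists only at runtime, i.e. anything a reload would silently remove. The two outputs embedded below are constructed samples in the format those commands print (only the fields the script reads are included); `audit_zone` is the live version and is defined but not run here.

```shell
#!/bin/sh
# Added example, not from the original page: find rules that exist only in the
# runtime configuration and would vanish on `firewall-cmd --reload`.
# Constructed sample outputs of
#   firewall-cmd --zone=public --list-all              (runtime) and
#   firewall-cmd --zone=public --permanent --list-all  (permanent)
RUNTIME_PUBLIC='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http https
  ports: 8443/tcp
  masquerade: no'
PERMANENT_PUBLIC='public
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http
  ports:
  masquerade: no'

# field NAME TEXT -> the space-separated values of the "  NAME: ..." line, sorted
field() {
    printf '%s\n' "$2" | sed -n "s/^ *$1: *//p" | tr ' ' '\n' | sed '/^$/d' \
        | sort | tr '\n' ' ' | sed 's/ $//'
}

# runtime_only NAME RUNTIME_TEXT PERMANENT_TEXT -> values of NAME present at
# runtime but absent from the permanent configuration
runtime_only() {
    rt=$(field "$1" "$2")
    pm=$(field "$1" "$3")
    out=""
    for v in $rt; do
        case " $pm " in
            *" $v "*) ;;                 # also persisted: fine
            *) out="$out$v " ;;          # runtime only: lost on reload
        esac
    done
    printf '%s' "${out% }"
}

# audit_zone ZONE: live check on a host with firewalld (needs root); not run here
audit_zone() {
    rt_live=$(firewall-cmd --zone="$1" --list-all)
    pm_live=$(firewall-cmd --zone="$1" --permanent --list-all)
    for f in services ports; do
        only=$(runtime_only "$f" "$rt_live" "$pm_live")
        [ -z "$only" ] || echo "zone $1: runtime-only $f: $only (keep them with firewall-cmd --runtime-to-permanent)"
    done
}

# Run the comparison over the constructed samples.
for f in services ports; do
    echo "public: runtime-only $f: $(runtime_only "$f" "$RUNTIME_PUBLIC" "$PERMANENT_PUBLIC")"
done
```

On the sample data the https service and port 8443/tcp are reported as runtime-only; on a real host, `audit_zone public` run before a planned `firewall-cmd --reload` tells you what the reload is about to take away.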
Port management:
(1) Allow TCP port 443 in the internal zone
firewall-cmd --zone=internal --add-port=443/tcp
firewall-cmd --list-all --zone=internal
(2) Remove TCP port 443 from the internal zone
firewall-cmd --zone=internal --remove-port=443/tcp
(3) Allow UDP ports 2048 to 2050 in the default zone
firewall-cmd --add-port=2048-2050/udp
firewall-cmd --list-all
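The service and port commands above, wrapped into idempotent helpers, as an added example that is not part of the original page. Each helper validates the port specification, then applies the change to both the runtime and the permanent configuration, so the opening neither disappears on reload nor waits for one; `--query-service` and `--query-port` are real firewall-cmd options used to skip what is already configured. The `FWCMD` and `APPLY` variables are assumptions of this example: they let the helpers be exercised with a stub where firewalld is absent, and keep the script from touching a live firewall unless asked.

```shell
#!/bin/sh
# Added example, not from the original page: idempotent helpers that open a
# port or service in a zone in BOTH the runtime and the permanent configuration.
# FWCMD (assumption) defaults to the real firewall-cmd; it can be pointed at a
# stub for testing. APPLY=1 (assumption) is required before anything is changed.
FWCMD=${FWCMD:-firewall-cmd}

# valid_port_spec SPEC -> 0 for "PORT/PROTO" or "LOW-HIGH/PROTO" within 1..65535
valid_port_spec() {
    case $1 in
        */tcp|*/udp|*/sctp|*/dccp) ;;
        *) return 1 ;;
    esac
    ports=${1%/*}
    lo=${ports%%-*}
    hi=${ports##*-}
    case "$lo$hi" in ""|*[!0-9]*) return 1 ;; esac
    [ -n "$lo" ] && [ -n "$hi" ] && [ "${ports#*-}" = "$hi" ] &&
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# ensure_rule ZONE OPTION VALUE: add --OPTION=VALUE to ZONE at runtime and
# permanently, skipping each configuration that already has it
ensure_rule() {
    zone=$1
    opt=$2
    value=$3
    for mode in "" --permanent; do
        if ! $FWCMD $mode --zone="$zone" --query-"$opt"="$value" >/dev/null 2>&1; then
            $FWCMD $mode --zone="$zone" --add-"$opt"="$value" >/dev/null
        fi
    done
}

# ensure_port ZONE PORTSPEC
ensure_port() {
    valid_port_spec "$2" || { echo "ensure_port: bad port spec '$2'" >&2; return 1; }
    ensure_rule "$1" port "$2"
}

# ensure_service ZONE SERVICE
ensure_service() {
    ensure_rule "$1" service "$2"
}

# Only change a live firewall when explicitly requested, as root:
#   APPLY=1 sh ensure-rules.sh
if [ "${APPLY:-0}" = 1 ]; then
    ensure_service public http
    ensure_service public https
    ensure_port internal 443/tcp
    ensure_port public 2048-2050/udp
    $FWCMD --zone=public --list-all
fi
```

Because the permanent configuration is written directly and the runtime is updated in the same call, no `firewall-cmd --reload` is needed afterwards, and a later reload finds both configurations in agreement.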