Security technology: firewalls

Posted by DMeerholz on Mon, 01 Nov 2021 14:28:27 +0100

1, Security technology and firewalls

1.1 Security technology

  • Intrusion detection system (IDS): it does not block any network access; it quantifies and locates threats coming from internal and external networks, mainly providing alarms and after-the-fact supervision, plus targeted guidance and a basis for security decisions. Like a monitoring system, it is generally deployed in bypass mode (watching you silently).
  • Intrusion prevention system (IPS): it works in transparent mode and analyzes the contents of data packets; it accurately analyzes and judges overflow attacks, denial of service attacks, Trojans, worms and system vulnerabilities, and blocks them immediately once they are determined to be attacks, giving effective protection of network security. It is generally deployed inline (the only way through).
  • Firewall: an isolation function that works at the edge of the network or host and checks the packets entering and leaving the network or host against fixed rules; when a packet matches a rule it is processed by the action that rule defines. By default the firewall closes all pass-through access and opens only the access the policy allows; hosts that must be reachable from the external network are placed in the DMZ (demilitarized zone).

Waterproof wall (in the broad sense): compared with a firewall, a waterproof wall is a security product that prevents internal information leakage. The network, peripheral interfaces, storage media and printers make up all the channels through which information can leak. For these four leakage channels the waterproof wall provides full protection before, during and after the event; together with anti-virus products and perimeter security products it forms a complete network security system.

1.2 Classification of firewalls

Divided by protection scope:

  • Host firewall: the service scope is the current host
  • Network firewall: the service scope is the LAN on one side of the firewall

Divided by implementation mode:

  • Hardware firewall: a firewall that implements part of its functions in dedicated hardware, with the rest implemented in software; vendors include Huawei, Hillstone (Shanshi), Topsec (Tianrongxin), Venustech (Qiming Star), NSFOCUS (Lvmeng), etc.
  • Software firewall: firewall application software running on a general-purpose hardware platform, e.g. Windows Firewall, ISA Server -> Forefront TMG

By network protocol:

  • Network layer firewall: works at the lower four layers of the OSI model; also known as a packet filtering firewall

  • Application firewall / proxy server: a proxy gateway working at layer seven of the OSI model

Packet filtering firewall
At the network layer, packets are selected according to filtering logic configured in the system, called an access control list (ACL). By checking the source address, destination address, port number and protocol state of each packet in the data stream, or a combination of them, the firewall decides whether to let the packet through.
Advantages: transparent to users, fast processing and easy maintenance.
Disadvantages: unable to inspect application layer data, such as viruses.
Application layer firewall
An application layer firewall / proxy service firewall, also known as a proxy server, divides every communication link crossing the firewall into two segments; internal and external users both access through the "link" on the proxy server.
Advantages: safer, because it inspects data at the application layer.
Disadvantages: increases the load on the firewall.

2, Firewall tools

2.1 iptables

iptables is the command line tool provided by the iptables package. It runs in user space and is used to write rules; the rules are handed to netfilter, telling the kernel how to process packets.

[root@localhost ~]# iptables --version
iptables v1.4.21

2.2 firewalld

A new front-end management tool introduced from CentOS 7 onwards.
Software package: firewalld
Management tools:
firewall-cmd: command line tool
firewall-config: graphical tool

2.3 nftables

nftables is a new packet classification framework and a new Linux firewall manager that aims to replace the existing {ip,ip6,arp,eb}_tables. In short:

  • It is available from Linux kernel version 3.13 onwards.
  • It has a new command-line tool, nft, whose syntax differs from iptables.
  • It includes a compatibility layer that lets you run iptables commands on top of the new nftables kernel framework.
  • It provides generic set infrastructure that lets you build maps and concatenations. With this feature you can arrange your rule set as a multidimensional tree, which greatly reduces the number of rules that must be checked before the final verdict for a packet is found.

2.4 nftables features

  • It has some capabilities of an advanced programming language, such as defining variables and including external files, i.e. the ability to use additional scripts. nftables can also filter and process several address families.

  • Unlike iptables, nftables contains no built-in tables. The administrator decides which tables are needed and adds processing rules to them.

  • A table contains chains, and a chain contains rules.

2.5 Five hook functions and packet flow in Netfilter

Netfilter selects five positions in the kernel and places five hook functions there (INPUT, OUTPUT, FORWARD,
PREROUTING and POSTROUTING). These five hook functions are exposed to users through a command line tool
(iptables) that writes rules into them.

2.5.1 Netfilter overview

Netfilter/iptables is the new-generation Linux firewall mechanism introduced after Linux 2.4.x and is a subsystem of the Linux kernel. Netfilter adopts a modular design with good extensibility. Its key tool module, iptables, connects from user space to the kernel-space Netfilter architecture. Netfilter fits seamlessly into the IP protocol stack and lets users filter, address-translate and otherwise process datagrams.

2.5.2 Three packet flows

  • Inbound to the local machine: PREROUTING -> INPUT -> user space process (accessing my service)
  • Outbound from the local machine: user space process -> OUTPUT -> POSTROUTING (through me)
  • Forwarding: PREROUTING -> FORWARD -> POSTROUTING

Built-in chains: each built-in chain corresponds to a hook function.

User-defined chains: used to extend or supplement the built-in chains, giving a more flexible way to organize and manage rules; they have no hook of their own and take effect only when a rule in another chain jumps to the user-defined chain.


Five tables: filter, nat, mangle, raw and security

filter: the filtering rule table; packets matching the predefined rules are filtered. This is the default table.

nat: the network address translation rule table

mangle: the table for modifying packet mark bits

raw: turns off the enabled connection tracking mechanism to speed up packets passing through the firewall

3, firewalld service

3.1 Introduction to firewalld

firewalld is a new user-space tool for managing netfilter, introduced with CentOS 7.0. It is also supported on Ubuntu 18.04 and later (install with apt install firewalld).

firewalld is a system daemon that configures and monitors firewall rules; it can implement the functions of iptables, ip6tables and ebtables. The firewalld service is provided by the firewalld package.

Zone matching order:

  • First, the packet is assigned to a zone according to its source address
  • Otherwise, the zone to which the receiving network interface belongs
  • Otherwise, the default zone, which is public by default; administrators can change it to another zone
  • Network cards belong to the public zone by default, and the lo interface belongs to the trusted zone
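As an added example (not from the original post), the zone matching order above written as a small Python function: it picks the zone for an inbound packet by checking source bindings first, then interface bindings, then the default zone. The zone table, interface names and networks are constructed for the demonstration.

```python
import ipaddress

# Constructed zone table (an assumption for this example): the bindings a
# default CentOS 7 install might have, plus a "home" zone bound to a source
# network. Names and networks are made up.
ZONES = {
    "home":    {"sources": ["192.168.1.0/24"], "interfaces": []},
    "public":  {"sources": [], "interfaces": ["ens33"]},
    "trusted": {"sources": [], "interfaces": ["lo"]},
}
DEFAULT_ZONE = "public"


def select_zone(src_ip, iface, zones=ZONES, default=DEFAULT_ZONE):
    """Return the zone firewalld applies to an inbound packet.

    Precedence, as described above: (1) a zone whose source list covers the
    packet's source address, (2) the zone bound to the receiving interface,
    (3) the default zone. Interface bindings are only consulted when no
    source binding matches, so a source binding overrides the interface.
    """
    addr = ipaddress.ip_address(src_ip)
    for name, zone in zones.items():
        # an IPv6 address is never "in" an IPv4 network, so mixed families are safe
        if any(addr in ipaddress.ip_network(net, strict=False)
               for net in zone["sources"]):
            return name
    for name, zone in zones.items():
        if iface in zone["interfaces"]:
            return name
    return default


def explain(src_ip, iface):
    """Audit helper: which zone a packet lands in and which binding decided it."""
    zone = select_zone(src_ip, iface)
    if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(n)
           for n in ZONES[zone]["sources"]):
        reason = "source binding"
    elif iface in ZONES[zone]["interfaces"]:
        reason = "interface binding"
    else:
        reason = "default zone"
    return zone, reason
```

Changing the default zone only affects packets that match neither a source nor an interface binding, which is why `explain` is useful when a rule "does not apply" to traffic arriving on an unexpected interface.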

firewalld supports dividing the network into zones, and each zone can have its own independent firewall rules.

  1. The zones already exist (they are predefined)
  2. Using the firewall means associating specific traffic with a zone:
  • associate a zone through a source network segment

  • associate a zone through a network card

  • a packet that matches neither association goes to the default zone
  3. firewalld zone classification

    Predefined services

    firewalld predefined service configuration:

  • firewall-cmd --get-services: view the list of predefined services

  • /usr/lib/firewalld/services/*.xml: configuration files of the predefined services

Three configuration methods of firewalld

  • firewall-config graphical tool: the firewall-config package must be installed
  • firewall-cmd command line tool: provided by the firewalld package, installed by default
  • configuration files under /etc/firewalld/, e.g. /etc/firewalld/zones/public.xml; editing them directly is generally not recommended

3.2 Viewing existing firewall settings

[root@localhost ~]#systemctl start firewalld
[root@localhost ~]#systemctl stop firewalld.service
[root@localhost ~]#systemctl status firewalld
#View the service status
[root@localhost ~]#firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  services: ssh dhcpv6-client
  masquerade: no
  rich rules: 
[root@localhost ~]#firewall-cmd --list-all --zone=<zone name>
#Show the rules of a specific zone
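An added example, not part of the original post: a small Python parser for the `firewall-cmd --list-all` output shown above, plus an audit pass that flags the settings a reviewer would check first. The sample text is constructed to match the output format; the extra ports and the rich rule in it are made up.

```python
# Constructed sample in the shape of the `firewall-cmd --list-all` output above;
# the extra ports and the rich rule are made up for the demonstration.
SAMPLE = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  services: ssh dhcpv6-client
  ports: 80/tcp 8080/tcp
  masquerade: no
  rich rules:
        rule family="ipv4" source address="10.0.0.0/24" service name="ssh" accept
"""

LIST_FIELDS = {"interfaces", "sources", "services", "ports", "protocols",
               "forward-ports", "source-ports", "icmp-blocks"}


def parse_list_all(text):
    """One zone block -> dict: lists for multi-valued fields, bools for yes/no."""
    lines = text.strip("\n").splitlines()
    header = lines[0].split()
    zone = {"zone": header[0], "active": "(active)" in header, "rich rules": []}
    for raw in lines[1:]:
        line = raw.strip()
        if line.startswith("rule "):      # continuation line under "rich rules:"
            zone["rich rules"].append(line)
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "rich rules":
            continue                      # its values follow on their own lines
        if key in LIST_FIELDS:
            zone[key] = value.split()
        elif value in ("yes", "no"):
            zone[key] = value == "yes"
        else:
            zone[key] = value
    return zone


def audit(zone):
    """Findings a defender reviews first: permissive target, NAT, explicit ports."""
    findings = []
    if zone.get("target") == "ACCEPT":
        findings.append("zone target ACCEPT: unmatched traffic is allowed")
    if zone.get("masquerade"):
        findings.append("masquerade enabled: host is NATing forwarded traffic")
    findings += [f"explicit port opened: {p}" for p in zone.get("ports", [])]
    return findings
```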

3.3 Setting and viewing the default zone

[root@localhost ~]#firewall-cmd --zone=
#Pressing Tab after --zone= lists the available zones
block     dmz       drop      external  home      internal  public    trusted   work
[root@localhost ~]#firewall-cmd --get-default-zone 
#View the default zone

[root@localhost ~]#firewall-cmd --set-default-zone 
block     dmz       drop      external  home      internal  public    trusted   work      
[root@localhost ~]#firewall-cmd --set-default-zone home
[root@localhost ~]#firewall-cmd --get-default-zone 

3.4 Adding source addresses (network segments), ports and services

[root@localhost ~]#firewall-cmd --permanent --add-port=80/tcp
#Open port 80/tcp in the permanent configuration (takes effect after --reload)
[root@localhost ~]#firewall-cmd --permanent --add-port=80/tcp --zone=home 
#A zone can be specified explicitly

[root@localhost ~]#firewall-cmd --add-service=http
#Allow the http service (runtime configuration only, without --permanent)
[root@localhost ~]#firewall-cmd --permanent --add-icmp-block=echo-request
#Block ping (ICMP echo requests)
[root@localhost ~]#firewall-cmd --reload 

[root@localhost ~]#firewall-cmd --permanent --add-source=
#Takes effect permanently; give the source network segment with its subnet mask
[root@localhost ~]#firewall-cmd --reload
[root@localhost ~]#firewall-cmd --list-all
#View the effective policy

Small experiment: try opening the httpd service.

Delete sources:
[root@localhost ~]#firewall-cmd --zone=home --remove-source= --remove-source= --remove-source= --permanent 

3.5 Rich rules

Rich rules are more powerful than the basic firewalld syntax: besides allow / deny, they can log to syslog and auditd, and can also implement port forwarding, masquerading and rate limiting.

Rule evaluation order:

  1. port forwarding and masquerading rules of the zone
  2. logging rules of the zone
  3. allow rules of the zone
  4. reject rules of the zone

A matching rule takes effect; if no rule matches, the default rule of the zone takes effect.

Rich rule syntax:


4, Bonding

4.1 The nmcli command

nmcli con add help
#Configure the network using nmcli
nmcli con show
#Show only the active connections
nmcli con show --active
#Show the configuration of one network connection
nmcli con show  "System eth0"
#Show device status
nmcli dev status 
#Show the properties of a network interface
nmcli dev show eth0
#Create a new connection named default; the IP is obtained automatically through DHCP
nmcli con add con-name default type Ethernet ifname eth0
#Delete the connection
nmcli con del default
#Create a new connection named static with a static IP that does not connect automatically
nmcli con add con-name static   ifname eth0 autoconnect no type Ethernet 
ipv4.addresses 172.25.X.10/24 ipv4.gateway   172.25.X.254
#Enable the static connection configuration
nmcli con up static
#Enable the default connection configuration
nmcli con up default
#Modify connection settings
nmcli con mod "static" connection.autoconnect no
nmcli con mod "static" ipv4.dns 172.25.X.254
nmcli con mod "static"  +ipv4.dns
nmcli con mod "static"  -ipv4.dns
nmcli con mod "static" ipv4.addresses "172.16.X.10/24  172.16.X.254"
nmcli con mod "static"  +ipv4.addresses
#DNS settings are stored in /etc/resolv.conf. PEERDNS=no means the DNS servers stay manually set even when the IP is obtained through DHCP;
#not taking them automatically is equivalent to the following command
nmcli con mod "system eth0" ipv4.ignore-auto-dns yes
#Add the bonding interface
nmcli con add type bond con-name mybond0 ifname bond0 mode active-backup 
ipv4.method manual ipv4.addresses
#Add the slave interfaces
nmcli con add type bond-slave ifname ens37 master bond0
nmcli con add type bond-slave ifname ens33 master bond0
#Note: if no connection name is given for a slave interface, the name is composed of the type and the interface name, e.g. bond-slave-ens33
#To bring the bond up, the slave interfaces must be started first
nmcli con up bond-slave-ens33
nmcli con up bond-slave-ens37
#Start the bond
nmcli con up mybond0

4.2 Practical operation

[root@localhost ~]#nmcli connection add con-name mybond0 ifname bond0 type bond ipv4.method manual ipv4.addresses mode active-backup 
Connection 'mybond0' (422ba65f-12cd-4edd-9d4d-367b6c205823) successfully added.
[root@localhost network-scripts]#ls
ifcfg-ens33    ifdown-isdn      ifup-bnep   ifup-routes
ifcfg-ens37   ifdown-post      ifup-eth    ifup-sit
ifcfg-lo       ifdown-ppp       ifup-ib     ifup-Team
ifcfg-mybond0  ifdown-routes    ifup-ippp   ifup-TeamPort
ifdown         ifdown-sit       ifup-ipv6   ifup-tunnel
ifdown-bnep    ifdown-Team      ifup-isdn   ifup-wireless
ifdown-eth     ifdown-TeamPort  ifup-plip   init.ipv6-global
ifdown-ib      ifdown-tunnel    ifup-plusb  network-functions
ifdown-ippp    ifup             ifup-post   network-functions-ipv6
ifdown-ipv6    ifup-aliases     ifup-ppp
[root@localhost network-scripts]#cat ifcfg-mybond0 
[root@localhost network-scripts]#nmcli connection add type bond-slave ifname ens37 master bond0
Connection 'bond-slave-ens37' (386628bb-94b5-4c98-9023-f3fab154943d) successfully added.
[root@localhost network-scripts]#nmcli connection add type bond-slave ifname ens33 master bond0
Connection 'bond-slave-ens33' (c97d22d5-23c2-472f-891e-dff378b7f69f) successfully added.
[root@localhost network-scripts]#nmcli connection 
NAME              UUID                                  TYPE            DEVICE 
ens33             12156d92-6495-4c69-82e9-c0e22f532f76  802-3-ethernet  ens33  
mybond0           422ba65f-12cd-4edd-9d4d-367b6c205823  bond            bond0  
virbr0            335fcf86-189c-4513-9deb-da344ff280dd  bridge          virbr0 
Wired connection 1        d62f0f08-f45b-3548-815d-30dbca7821f6  802-3-ethernet  ens37  
bond-slave-ens33  c97d22d5-23c2-472f-891e-dff378b7f69f  802-3-ethernet  --     
bond-slave-ens37  386628bb-94b5-4c98-9023-f3fab154943d  802-3-ethernet  --     
[root@localhost network-scripts]#nmcli connection up bond-slave-ens33
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/24)
[root@localhost network-scripts]#nmcli connection up bond-slave-ens37
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/25)
[root@localhost network-scripts]#cat /proc/net/bonding/bond0 
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: ens33
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 0
Down Delay (ms): 0

Slave Interface: ens33
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:fe:e5:bf
Slave queue ID: 0

Slave Interface: ens37
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:0c:29:fe:e5:c9
Slave queue ID: 0
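An added example, not from the original post: parsing the /proc/net/bonding/bond0 status shown above in Python and turning it into the checks a monitoring job would alert on (an active-backup bond keeps working with a dead standby link, so nobody notices until the active link also fails). The sample is constructed from the format above, shortened, with the second slave deliberately down; the MAC addresses are made up.

```python
# Constructed sample in the format of /proc/net/bonding/bond0 shown above,
# shortened, with the second slave deliberately down (MAC addresses are made up).
BOND_STATUS = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: ens33
MII Status: up
MII Polling Interval (ms): 100

Slave Interface: ens33
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:00:5e:00:53:01

Slave Interface: ens37
MII Status: down
Link Failure Count: 3
Permanent HW addr: 00:00:5e:00:53:02
"""


def parse_bond(text):
    """Return (master, slaves): bond-level fields and one dict per slave section."""
    def to_dict(block):
        return dict(line.split(": ", 1) for line in block.splitlines() if ": " in line)
    sections = [s for s in text.split("\n\n") if s.strip()]
    master = to_dict("\n".join(sections[:2]))     # driver line + bond settings
    slaves = [to_dict(s) for s in sections[2:]]   # one section per slave
    return master, slaves


def bond_health(text):
    """What a monitor should alert on: bond down, bogus active slave, slaves down or flapping."""
    master, slaves = parse_bond(text)
    problems = []
    if master.get("MII Status") != "up":
        problems.append("bond link is down")
    active = master.get("Currently Active Slave")
    if active not in {s["Slave Interface"] for s in slaves}:
        problems.append(f"active slave {active!r} is not an enrolled slave")
    for s in slaves:
        name = s["Slave Interface"]
        if s.get("MII Status") != "up":
            problems.append(f"{name}: link down")
        if int(s.get("Link Failure Count", 0)) > 0:
            problems.append(f"{name}: {s['Link Failure Count']} link failures")
    return problems
```

Run `bond_health(open("/proc/net/bonding/bond0").read())` from a cron job or agent check on a real host; an empty list means both links are up and have not flapped since the bond came up.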

Topics: network security