The firewalld firewall on Linux

Posted by rtown on Wed, 09 Feb 2022 06:02:34 +0100

1, Introduction to firewalld

In CentOS 7, firewalld replaces iptables as the default firewall management tool. It is a packet-filtering firewall that works at the network layer.

iptables and firewalld are both user-space tools for managing the firewall. Neither of them filters packets itself: both drive the netfilter packet-filtering subsystem in the kernel, which does the actual filtering.

To simplify management, firewalld divides all network traffic into zones. Each packet is assigned to a zone according to its source IP address or the network interface it arrived on, and each zone defines its own list of open or closed ports and allowed services.

2, The difference between iptables and firewalld

1. iptables stores its configuration in /etc/sysconfig/iptables.
firewalld stores its configuration in XML files under /etc/firewalld/ (loaded with priority) and /usr/lib/firewalld/ (the default configuration files).

2. iptables rules are written mainly per interface.
firewalld is zone-based: different rules apply depending on which zone an interface or source address is assigned to.

3. iptables is a static firewall.
firewalld is a dynamic firewall.

4. Every change applied through the iptables service clears all existing rules and re-reads the whole rule set from /etc/sysconfig/iptables.
firewalld does not rebuild the whole rule set; it applies only the difference between the old and new rules. It can therefore change its settings at runtime without dropping established connections.

3, The 9 zones of firewalld

1. trusted: accepts all incoming traffic.
2. public: accepts incoming traffic matching the ssh or dhcpv6-client predefined services and rejects the rest. It is the default zone for newly added network interfaces.
3. external: accepts incoming traffic matching the ssh predefined service and rejects the rest. IPv4 traffic forwarded out through this zone is masqueraded by default, which suits a router facing an external network with masquerading enabled.
4. home: accepts incoming traffic matching the ssh, ipp-client, mdns, samba-client or dhcpv6-client predefined services and rejects the rest.
5. internal: by default identical to the home zone.
6. work: accepts incoming traffic matching the ssh, ipp-client and dhcpv6-client predefined services and rejects the rest.
7. dmz (demilitarized zone, an isolated zone): accepts incoming traffic matching the ssh predefined service and rejects the rest.
8. block: rejects all incoming traffic; the sender receives an ICMP prohibited error.
9. drop: drops all incoming traffic silently, without sending any ICMP error reply.

4, firewalld data processing flow

For a packet entering the system, firewalld first checks its source address: if the address matches a source bound to some zone, that zone's rules apply. Otherwise the zone bound to the incoming network interface is used, and an interface bound to no zone falls back to the default zone. Source bindings therefore take precedence over interface bindings.
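The lookup order in this section, as an added Python example that is not part of the original post or of firewalld itself: the zones, interface and source bindings, the three-entry service table and the test packets are all constructed for the illustration, and rich rules, forwarding and ICMP handling are deliberately left out. It shows that a source binding overrides the zone of the interface a packet arrived on, that an unbound interface falls to the default zone, and that a packet matching no allowed service or port is handled by the zone's target.

```python
"""Model of firewalld's zone lookup and per-zone decision.  Added example, not
firewalld's own code: the zone data, service table and packets below are
constructed for illustration, and rich rules, forwarding and ICMP handling are
left out so that the zone-selection order stands out."""
import ipaddress
from dataclasses import dataclass, field

# Service table standing in for /usr/lib/firewalld/services/*.xml (assumption:
# these three entries are all the example needs).
SERVICES = {
    "ssh": {("tcp", 22)},
    "http": {("tcp", 80)},
    "dhcpv6-client": {("udp", 546)},
}


@dataclass
class Zone:
    name: str
    target: str = "default"                       # default, ACCEPT, %%REJECT%% or DROP
    sources: list = field(default_factory=list)   # CIDR strings bound with --add-source
    interfaces: set = field(default_factory=set)  # bound with --add-interface
    services: set = field(default_factory=set)    # allowed with --add-service
    ports: set = field(default_factory=set)       # (protocol, port) pairs, --add-port


@dataclass
class Packet:
    src: str      # source IP address
    iface: str    # interface the packet arrived on
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def select_zone(zones, default_zone, pkt):
    """Source bindings win over interface bindings; unbound traffic uses the default zone."""
    src = ipaddress.ip_address(pkt.src)
    for zone in zones.values():
        if any(src in ipaddress.ip_network(net) for net in zone.sources):
            return zone
    for zone in zones.values():
        if pkt.iface in zone.interfaces:
            return zone
    return zones[default_zone]


def decide(zone, pkt):
    """ACCEPT when an allowed service or port matches; otherwise the zone target decides."""
    key = (pkt.proto, pkt.dport)
    if key in zone.ports or any(key in SERVICES.get(s, ()) for s in zone.services):
        return "ACCEPT"
    if zone.target == "ACCEPT":
        return "ACCEPT"
    if zone.target == "DROP":
        return "DROP"
    return "REJECT"   # both "default" and "%%REJECT%%" reject with an ICMP error


# Constructed configuration: eth0 is public, eth1 is trusted, the 10/8 network
# is bound to internal, and one hostile /24 is bound to the drop zone.
ZONES = {
    "public": Zone("public", interfaces={"eth0"}, services={"ssh", "dhcpv6-client"}),
    "internal": Zone("internal", sources=["10.0.0.0/8"], services={"ssh", "http"}),
    "trusted": Zone("trusted", target="ACCEPT", interfaces={"eth1"}),
    "drop": Zone("drop", target="DROP", sources=["203.0.113.0/24"]),
}
DEFAULT_ZONE = "public"


def route(pkt, zones=ZONES, default_zone=DEFAULT_ZONE):
    """Return (zone name, verdict) for a packet."""
    zone = select_zone(zones, default_zone, pkt)
    return zone.name, decide(zone, pkt)


if __name__ == "__main__":
    for pkt in (Packet("10.1.2.3", "eth0", "tcp", 80),      # source beats eth0's zone
                Packet("198.51.100.4", "eth0", "tcp", 80),  # public has no http
                Packet("203.0.113.9", "eth1", "tcp", 22),   # drop source beats trusted eth1
                Packet("198.51.100.4", "eth2", "tcp", 22)): # eth2 unbound -> default zone
        print(pkt, "->", route(pkt))
```

Note the last two packets: binding a hostile network to the drop zone silences it even when it arrives on a trusted interface, and an interface that was never bound to a zone is governed by whatever the default zone allows, which is why changing the default zone affects every unbound interface at once.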

5, Configuration method of firewalld firewall

1. Use the firewall-cmd command-line tool.
2. Use the firewall-config graphical tool.
3. Write the XML configuration files under /etc/firewalld/ directly.

Common firewall-cmd options

All of the options below are passed to firewall-cmd. By default they change only the runtime configuration, which is lost when firewalld restarts or reloads; add --permanent to write the change to /etc/firewalld/ instead, and run firewall-cmd --reload to make permanent changes take effect. firewall-cmd --runtime-to-permanent saves the current runtime rules as the permanent configuration.

--get-default-zone : Display the current default zone
--set-default-zone=<zone> : Set the default zone

--get-active-zones : Display the zones currently in use and the network interfaces bound to each
--get-zones : Display all available zones

--get-zone-of-interface=<interface> : Display the zone the specified interface is bound to
--zone=<zone> --add-interface=<interface> : Bind the interface to the specified zone

--zone=<zone> --change-interface=<interface> : Move the interface to the specified zone
--zone=<zone> --remove-interface=<interface> : Remove the interface binding from the specified zone

--list-all-zones : Display all zones and their rules
[--zone=<zone>] --list-all : Display all rules of the specified zone; when --zone=<zone> is omitted, the option applies to the default zone (this holds for every option below)

[--zone=<zone>] --list-services : Display all services allowed in the specified zone
[--zone=<zone>] --add-service=<service> : Allow a service in the specified zone
[--zone=<zone>] --remove-service=<service> : Remove an allowed service from the specified zone

[--zone=<zone>] --list-ports : Display all ports allowed in the specified zone
[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol> : Allow a port or port range (with protocol) in the specified zone
[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol> : Remove an allowed port or port range (with protocol) from the specified zone

[--zone=<zone>] --list-icmp-blocks : Display all blocked ICMP types in the specified zone
[--zone=<zone>] --add-icmp-block=<icmptype> : Block an ICMP type in the specified zone
[--zone=<zone>] --remove-icmp-block=<icmptype> : Unblock an ICMP type in the specified zone
--get-icmptypes : Display all ICMP types
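The third configuration method above (writing XML under /etc/firewalld/) and the options just listed, as an added Python example that is not part of the original post or of firewalld: it renders a constructed zone specification (the zone name mgmt, its source network, ports and ICMP block are assumptions) into the element layout firewalld reads from /etc/firewalld/zones/<name>.xml, parses such a file back, and lists the firewall-cmd --permanent invocations that would build the same zone, so the mapping between options and XML elements is visible. The file is written into a directory the caller supplies rather than /etc/firewalld.

```python
"""Generate and read firewalld zone definition files.  Added example, not
firewalld's own code; it follows the XML layout of /etc/firewalld/zones/*.xml
and writes into a directory the caller chooses instead of /etc/firewalld."""
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed zone specification for an internal management network.  The name,
# source network, ports and blocked ICMP type are assumptions for the example.
MGMT_ZONE = {
    "name": "mgmt",
    "short": "Management",
    "description": "Admin access from the management network only.",
    "target": "DROP",                 # anything not allowed below is dropped
    "interfaces": [],
    "sources": ["10.10.0.0/24"],
    "services": ["ssh"],
    "ports": [("8443", "tcp"), ("161", "udp")],
    "icmp_blocks": ["echo-request"],
    "masquerade": False,
}


def build_zone_xml(spec):
    """Render a zone spec as the XML firewalld loads from /etc/firewalld/zones/."""
    zone = ET.Element("zone")
    if spec.get("target", "default") != "default":
        zone.set("target", spec["target"])   # ACCEPT, %%REJECT%% or DROP
    ET.SubElement(zone, "short").text = spec["short"]
    ET.SubElement(zone, "description").text = spec["description"]
    for name in spec["interfaces"]:
        ET.SubElement(zone, "interface", name=name)
    for addr in spec["sources"]:
        ET.SubElement(zone, "source", address=addr)
    for name in spec["services"]:
        ET.SubElement(zone, "service", name=name)
    for port, proto in spec["ports"]:         # port may be "8000-8010" for a range
        ET.SubElement(zone, "port", port=port, protocol=proto)
    for name in spec["icmp_blocks"]:
        ET.SubElement(zone, "icmp-block", name=name)
    if spec["masquerade"]:
        ET.SubElement(zone, "masquerade")
    if hasattr(ET, "indent"):                 # pretty-printing exists from Python 3.9
        ET.indent(zone, space="  ")
    body = ET.tostring(zone, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def parse_zone_xml(text):
    """Read a zone file back into a dict with the same keys as the spec."""
    root = ET.fromstring(text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    return {
        "target": root.get("target", "default"),
        "interfaces": [e.get("name") for e in root.findall("interface")],
        "sources": [e.get("address") for e in root.findall("source")],
        "services": [e.get("name") for e in root.findall("service")],
        "ports": [(e.get("port"), e.get("protocol")) for e in root.findall("port")],
        "icmp_blocks": [e.get("name") for e in root.findall("icmp-block")],
        "masquerade": root.find("masquerade") is not None,
    }


def write_zone_file(zones_dir, spec):
    """Write <zones_dir>/<name>.xml; the file name minus .xml is the zone name."""
    path = Path(zones_dir) / f"{spec['name']}.xml"
    path.write_text(build_zone_xml(spec), encoding="utf-8")
    return path


def equivalent_firewall_cmd(name, cfg):
    """The firewall-cmd --permanent calls that would build the same zone."""
    z = f"firewall-cmd --permanent --zone={name}"
    cmds = [f"firewall-cmd --permanent --new-zone={name}"]
    if cfg["target"] != "default":
        cmds.append(f"{z} --set-target={cfg['target']}")
    cmds += [f"{z} --add-interface={i}" for i in cfg["interfaces"]]
    cmds += [f"{z} --add-source={s}" for s in cfg["sources"]]
    cmds += [f"{z} --add-service={s}" for s in cfg["services"]]
    cmds += [f"{z} --add-port={p}/{proto}" for p, proto in cfg["ports"]]
    cmds += [f"{z} --add-icmp-block={t}" for t in cfg["icmp_blocks"]]
    if cfg["masquerade"]:
        cmds.append(f"{z} --add-masquerade")
    cmds.append("firewall-cmd --reload")     # permanent changes apply only after reload
    return cmds


if __name__ == "__main__":
    path = write_zone_file(tempfile.mkdtemp(), MGMT_ZONE)
    text = path.read_text(encoding="utf-8")
    print(text)
    print("\n".join(equivalent_firewall_cmd(MGMT_ZONE["name"], parse_zone_xml(text))))
```

A zone file placed in /etc/firewalld/zones/ takes effect only after firewall-cmd --reload, and firewall-cmd --permanent --zone=mgmt --list-all reads the same file back, which is a quick way to confirm that the file parsed as intended before binding a real source or interface to the zone.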