
Firewall firewalld

2022-06-30 07:30:00 My deep blue

Introduction to firewalls

  • Origin of the firewall

A firewall, also called a protective wall, is credited to Check Point founder Gil Shwed, who introduced it to the Internet in 1993.
It is a network security system that sits between an internal network and an external network; in practice it is an isolation technique.

  • The main types of firewalls
  1. Network layer firewall – can be regarded as a kind of IP packet filter

Newer firewalls can filter on the various attributes of a packet, for example: source IP address, source port number, destination IP address or port number, and service type (such as HTTP or FTP). They can also filter on the communication protocol, the TTL value, the domain name or network segment of the source, and other attributes.

  2. Application layer firewall

An application layer firewall can block all packets entering or leaving a given application and, by inspecting every packet and finding what does not conform to the rules, can stop the rapid spread of computer worms or Trojan horse programs. In practice, though, this approach is tedious and complex (there are thousands of kinds of software), so most firewalls are not designed this way.

Depending on the emphasis, firewalls can be divided into packet filtering firewalls, application layer gateway firewalls, and server firewalls.

  3. Database firewall

A database firewall is a database security system built on analysis and control of the database protocol. Using an active defense mechanism, it controls access behavior to the database, blocks dangerous operations, and audits suspicious behavior. By parsing the SQL protocol, a database firewall lets legitimate SQL operations pass and blocks illegitimate ones according to predefined deny and allow policies, forming a perimeter defense ring around the database and providing active prevention of dangerous SQL operations together with real-time auditing.

  • The characteristics of a firewall

1. All network traffic between the internal network and the external network must pass through the firewall.
2. Only traffic that complies with the security policy may pass through the firewall.
3. The firewall itself must be highly resistant to attack.
4. An application layer firewall provides finer-grained protection.
5. A database firewall can block malicious attacks against the database.
6. A firewall enforces the security policy.
7. A firewall can effectively log Internet activity.
8. A firewall limits the points at which users are exposed.
9. A firewall can be used to separate one network segment from another, so that a problem affecting one segment cannot spread across the whole network.
10. A firewall is the checkpoint for the security policy. All incoming and outgoing traffic must pass through it, so the firewall becomes the checkpoint for security issues and suspicious access can be denied at the door.

The firewalld firewall

View firewall status

systemctl status firewalld

The Linux kernel contains a powerful network filtering subsystem: netfilter.

Netfilter lets Linux inspect every packet. Whether a packet is entering, leaving, or being forwarded, it is inspected before it reaches the user-space components, and it can be checked, modified, dropped, or rejected. It is the main building block for firewalls in Red Hat 7.

Before Red Hat 7, iptables was the program used to talk to netfilter. The tool is relatively low-level, and managing a firewall with it can be challenging.

Red Hat 7 and later use firewalld; what was used before was iptables. firewalld introduces the concept of zones.

firewalld.service conflicts with iptables.service, ip6tables.service, and ebtables.service.
Use systemctl mask <service> to mask the services you do not want, so they cannot be started alongside firewalld.

firewalld is the default firewall tool in Red Hat 7. It supports both runtime (temporary) and permanent configuration, and it supports zones.

  • firewalld zones

firewalld divides network traffic into zones, which simplifies firewall management.

firewalld assigns a packet to a zone by its source IP address (sources bound to a zone are checked first); traffic that matches no source is assigned by the interface it arrives on, and traffic that matches neither goes to the default zone.

Most zones allow certain well-known ports and protocols (631/udp, ssh). If traffic is not allowed by the zone it lands in, it is rejected (or silently dropped in the drop zone).

  • Predefined zones in firewalld

firewalld zone default configuration

Zone      Default configuration
trusted   Allows all incoming traffic.
home      Rejects incoming traffic unless it is related to outgoing traffic or matches the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services.
internal  Rejects incoming traffic unless it is related to outgoing traffic or matches the ssh, mdns, ipp-client, samba-client, or dhcpv6-client predefined services (initially the same as the home zone).
work      Rejects incoming traffic unless it is related to outgoing traffic or matches the ssh, ipp-client, or dhcpv6-client predefined services.
public    Rejects incoming traffic unless it is related to outgoing traffic or matches the ssh or dhcpv6-client predefined services. This is the default zone for newly added network interfaces.
external  Rejects incoming traffic unless it is related to outgoing traffic or matches the ssh predefined service. Outgoing IPv4 traffic forwarded through this zone is masqueraded so that it appears to come from the IPv4 address of the outgoing network interface.
dmz       Rejects incoming traffic unless it is related to outgoing traffic or matches the ssh predefined service.
block     Rejects all incoming traffic unless it is related to outgoing traffic.
drop      Drops all incoming traffic unless it is related to outgoing traffic (it does not even send an ICMP error response).

By default, all network interfaces are in the public zone.
Predefined services in firewalld

Service        Description
ssh            Local SSH server. Traffic to 22/tcp.
dhcpv6-client  Local DHCPv6 client. Traffic to 546/udp on the fe80::/64 IPv6 link-local network.
ipp-client     Local IPP printing. Traffic to 631/udp.
samba-client   Local Windows file and print sharing client. Traffic to 137/udp and 138/udp.
mdns           Multicast DNS (mDNS) link-local name resolution. Traffic to 5353/udp at the 224.0.0.251 (IPv4) or ff02::fb (IPv6) multicast address.

firewall-cmd --get-services: lists all predefined services.

/usr/lib/firewalld/services/: holds the definition files of all predefined services, one XML file per service. Site-specific definitions belong in /etc/firewalld/services/, which takes precedence over a file of the same name under /usr/lib/firewalld/services/ and is not overwritten by package updates.
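The service files in that directory are small XML documents; the example below (added here, not part of the original post) renders a custom service in the same layout as /usr/lib/firewalld/services/ssh.xml and parses the ports back out of it. The service name "myapp" and its ports 8443/tcp and 8443/udp are assumptions chosen for the demo; everything runs in a temporary directory, so no firewalld installation is required.

```shell
#!/bin/sh
# Added example (not from the original post or the firewalld project).
# Writes a firewalld service definition in the same XML layout as
# /usr/lib/firewalld/services/*.xml and extracts the ports it opens.
# "myapp" and its ports are assumed values for this demo.
set -eu

# Render a service definition. Arguments: short name, description, then
# any number of "port/proto" pairs (e.g. 8443/tcp). Site-local files go in
# /etc/firewalld/services/<name>.xml and override /usr/lib/firewalld/services/.
fw_service_xml() {
    short=$1; desc=$2; shift 2
    printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
    printf '  <short>%s</short>\n  <description>%s</description>\n' "$short" "$desc"
    for p in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${p#*/}" "${p%/*}"
    done
    printf '</service>\n'
}

# Parse a service file and print one "port/proto" per line, in file order.
# Handles either attribute order inside the <port .../> element; this is
# the list firewall-cmd --info-service=<name> reports under "ports:".
fw_service_ports() {
    grep '<port ' "$1" | while IFS= read -r line; do
        proto=$(printf '%s\n' "$line" | sed 's/.*protocol="\([^"]*\)".*/\1/')
        port=$(printf '%s\n' "$line" | sed 's/.*port="\([^"]*\)".*/\1/')
        printf '%s/%s\n' "$port" "$proto"
    done
}

# Demo in a scratch directory (constructed input, not a real deployment).
tmp=$(mktemp -d)
fw_service_xml myapp "Example internal API (assumed service)" 8443/tcp 8443/udp > "$tmp/myapp.xml"
cat "$tmp/myapp.xml"
fw_service_ports "$tmp/myapp.xml"
rm -r "$tmp"
```

To deploy such a file, copy it to /etc/firewalld/services/myapp.xml, run firewall-cmd --reload so firewalld picks up the new definition, then allow it with firewall-cmd --add-service=myapp --permanent followed by another firewall-cmd --reload. Keeping the ports in a named service rather than as bare --add-port entries makes the zone listing self-describing, which is what the audit later in this page relies on.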

Setting up the firewall

  • Command line tool: firewall-cmd

--get-default-zone          Query the name of the default zone.
--set-default-zone=<name>   Set the default zone (permanent, takes effect immediately).
--get-zones                 Show the available zones.
--get-services              Show the predefined services.
--get-active-zones          Show the zones currently in use (those with interfaces or sources bound to them).
--add-source=<IP or CIDR>   Route traffic coming from this IP or subnet to the specified zone.
--remove-source=<IP or CIDR>  Stop routing traffic from this IP or subnet to the specified zone.
--list-all                  Show the interfaces, sources, ports, and services of the current (default) zone.
--list-all-zones            Show the interfaces, sources, ports, and services of all zones.
--add-service=<service>     Allow traffic for this service in the default zone (or in the zone given with --zone=<name>).
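The options above compose into a zone-segmentation procedure. The script below is an added example (POSIX sh, not part of the original post): it binds a management subnet to the internal zone by source address, exposes only http in the public zone, and restricts ssh to the management subnet. The subnet 10.0.0.0/24, the zones chosen and the services exposed are assumptions for the demo; when firewall-cmd is not installed (or DRY_RUN=1 is set) the script echoes the commands it would run instead of executing them, so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the original post: combine the firewall-cmd
# options above into one zone-segmentation procedure. The management subnet
# (10.0.0.0/24), the zones and the services are assumptions for the demo.
# FW names the command to run; without firewalld (or with DRY_RUN=1) it
# falls back to echo so the plan can be reviewed before it is applied.
set -eu
FW=${FW:-firewall-cmd}
if [ "${DRY_RUN:-0}" = 1 ] || ! command -v "$FW" >/dev/null 2>&1; then
    FW=echo
fi

# Apply one change to the permanent config and mirror it into the runtime
# config, so the rule is active now and also survives --reload and reboot.
# --permanent alone changes nothing until firewall-cmd --reload, and a
# runtime-only change is thrown away by --reload.
fw_set() {
    "$FW" --permanent "$@"
    "$FW" "$@"
}

# Zone plan: the management subnet is dispatched to "internal" by source
# address (a source binding wins over the interface binding); everything
# else lands in "public" via its interface. Only http is exposed publicly;
# ssh is reachable from the management subnet alone. Order matters: bind
# the management source and its ssh rule before removing ssh from public,
# or a remote operator locks themselves out.
fw_segment() {
    mgmt_net=$1
    "$FW" --set-default-zone=public              # new interfaces land here
    fw_set --zone=internal --add-source="$mgmt_net"
    fw_set --zone=internal --add-service=ssh
    fw_set --zone=public --add-service=http
    fw_set --zone=public --remove-service=ssh    # public allows ssh by default
}

# Verify: active zones plus the effective rules of each zone, runtime and
# permanent, so a drift between the two is visible immediately.
fw_verify() {
    "$FW" --get-active-zones
    for z in public internal; do
        "$FW" --zone="$z" --list-all
        "$FW" --permanent --zone="$z" --list-all
    done
}

fw_segment 10.0.0.0/24
fw_verify
```

Run it once with DRY_RUN=1 and read the echoed plan; on the real host, the runtime and permanent --list-all outputs printed by fw_verify should agree line for line, otherwise some rule was added with only one of the two forms.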

  • Graphical firewall configuration: firewall-config

Run the firewall-config command to open the firewalld graphical management tool. It is powerful and can handle much of the more complex configuration work.

Common firewall commands

CentOS 7 firewall common commands

 Start the firewall 
systemctl start firewalld.service

 Stop the firewall 
systemctl stop firewalld.service

 Check the running state of the firewall 
firewall-cmd --state

 Reload the firewall rules, e.g. after adding permanent rules; they do not take effect until this is run 
firewall-cmd --reload

 List the supported zones 
firewall-cmd --get-zones

 List the open ports (in the default zone) 
firewall-cmd --list-ports

 List all predefined services; this is the catalog, not the services currently allowed (use firewall-cmd --list-services for those) 
firewall-cmd --get-services

 Check whether the ftp service is currently allowed 
firewall-cmd --query-service ftp

 Temporarily allow the ftp service (runtime only; lost on reload or restart) 
firewall-cmd --add-service=ftp

 Permanently allow the ftp service (written to the saved config; run firewall-cmd --reload to activate it) 
firewall-cmd --add-service=ftp --permanent

 Permanently remove the ftp service 
firewall-cmd --remove-service=ftp --permanent

 Permanently add port 80/tcp 
firewall-cmd --add-port=80/tcp --permanent

 View the help 
man firewall-cmd
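Because services and ports can be opened temporarily, permanently, or both, the listing a zone actually enforces tends to drift from what was intended. The script below is an added example (POSIX sh, not part of the original post) that parses the text format printed by firewall-cmd --list-all and reports every service or port outside an allowlist. The listing embedded in the script is constructed to look like a public zone that still has ftp and two extra ports open; the allowlist (ssh, dhcpv6-client, 80/tcp) is an assumption for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a zone's effective rules
# against an allowlist. The parser reads the text that
# firewall-cmd --zone=<name> --list-all prints; the sample below is a
# constructed listing, and the allowlist used at the end is an assumption.
set -eu

# Constructed sample of `firewall-cmd --zone=public --list-all` output:
# a public zone on which ftp and two extra ports were left open.
SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 80/tcp 21/tcp 8080/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
'

# Print the space-separated value of one field ("services", "ports", ...).
# The anchor on two leading spaces keeps "forward-ports:" and
# "source-ports:" from matching a request for "ports".
fw_field() {
    printf '%s\n' "$2" | sed -n "s/^  $1: *//p"
}

# Report every service or port in the listing that is not on the allowlist.
# $1 = listing text, $2 = allowed services, $3 = allowed ports.
# Output is one finding per line; empty output means the zone matches policy.
fw_audit() {
    listing=$1; ok_services=$2; ok_ports=$3
    for s in $(fw_field services "$listing"); do
        case " $ok_services " in *" $s "*) ;; *) printf 'service %s\n' "$s" ;; esac
    done
    for p in $(fw_field ports "$listing"); do
        case " $ok_ports " in *" $p "*) ;; *) printf 'port %s\n' "$p" ;; esac
    done
}

# Demo: the constructed listing checked against an assumed policy.
fw_audit "$SAMPLE" "ssh dhcpv6-client" "80/tcp"
```

On a real host, feed it the live listing, fw_audit "$(firewall-cmd --zone=public --list-all)" "ssh dhcpv6-client" "80/tcp", and run the same check on firewall-cmd --permanent --zone=public --list-all; a finding that appears in only one of the two is a rule that was added without --permanent (and will vanish on reload) or added with --permanent but never reloaded (and is not yet enforced).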

Copyright notice
This article was written by [My deep blue]; please include the original link when reposting. Thank you.
https://yzsam.com/2022/02/202202160541594105.html