The firewalld firewall
2022-07-28 17:32:00 【There are cranes in the clouds】
Preface: the author has had things on his mind these days, so there is no preface. But for an operations and maintenance person, although it is not used much, the firewalld firewall is still quite complicated.

Catalog
1.2 The relationship between firewalld and iptables
1.4 firewalld data processing flow
1.5 How firewalld checks a packet's source address
1.6 Ways to configure the firewalld firewall
1.6.1 Commonly used firewall-cmd options
2.1 Show the current default zone
2.2 Show all rules in the default zone
2.3 Show the zones currently in use and their network interfaces
3.1 View all services allowed in the default zone
3.2 Add the http service to the public zone
3.3 View the rules configured in the public zone
3.4 Remove the http service from the public zone
3.5 Add the http and https services to the default zone at the same time, permanently
4.1 Allow TCP port 443 in the internal zone
4.2 Remove TCP port 443 from the internal zone
4.3 Allow UDP ports 2048-2050 in the default zone
1. Firewalld
1.1 Firewalld overview
1. A dynamic firewall management tool that supports network zones, which define the trust level of network connections and interfaces
2. Supports IPv4 and IPv6 firewall settings and Ethernet bridges
3. Provides an interface that lets services or applications add firewall rules directly
4. It has two configuration modes
4.1 Runtime configuration: takes effect immediately but only lasts until firewalld is reloaded or restarted, after which it is discarded
4.2 Permanent configuration (--permanent): written to the configuration files, and only takes effect after firewall-cmd --reload or a restart of firewalld
1.2 The relationship between firewalld and iptables
1. iptables sets its rules mainly per interface to decide what traffic is allowed. firewalld is zone-based: each zone carries its own rules, and traffic is judged by the zone it lands in, much like the configuration of a hardware firewall.
2. iptables stores its configuration in /etc/sysconfig/iptables. firewalld stores its configuration as XML files in /etc/firewalld/ (loaded with priority; holds the administrator's changes) and /usr/lib/firewalld/ (the default profiles shipped with the package).
3. With iptables, every single change means flushing all old rules and reading all of them back from /etc/sysconfig/iptables. firewalld does not recreate the whole rule set; it only applies the difference between the old and new rules, so settings can be changed without dropping existing connections. (Permanent settings still need a reload before they become active.)
4. iptables is a static firewall; firewalld is a dynamic firewall.
1.3 firewalld zones
firewalld predefines 9 zones:
1. trusted: allows all incoming traffic.
2. public: allows incoming traffic that matches the predefined ssh or dhcpv6-client services and rejects the rest. It is the default zone for newly added network interfaces.
3. external: allows incoming traffic that matches the predefined ssh service and rejects the rest. IPv4 traffic forwarded out through this zone is masqueraded by default, so it can be used for the external side of a router with masquerading (NAT) enabled.
4. home: allows incoming traffic that matches the predefined ssh, ipp-client, mdns, samba-client or dhcpv6-client services and rejects the rest.
5. internal: has the same defaults as the home zone.
6. work: allows incoming traffic that matches the predefined ssh, ipp-client or dhcpv6-client services and rejects the rest.
7. dmz (demilitarized zone): allows incoming traffic that matches the predefined ssh service and rejects the rest.
8. block: rejects all incoming traffic (the sender gets an ICMP error).
9. drop: drops all incoming traffic without producing any ICMP error response.
In the end, the security level of a zone depends on the rules the administrator sets in it.
A zone is like a security door into the host: each zone has rules with different restrictions, and only traffic that matches those rules is allowed in.
Depending on the size of the network, one or more zones are used, but any active zone must be associated with at least one source address or interface.
By default, public is the default zone and covers every interface (network card) that is not explicitly bound to another zone.
1.4 firewalld data processing flow
For a packet entering the system, firewalld picks the zone whose rules apply to it according to the packet's source IP address or the network interface it arrived on. For an incoming packet, the source address is checked first.
1.5 How firewalld checks a packet's source address
1. If the source address is bound to a specific zone (there is a source binding for it), the rules of that zone are applied.
2. If the source address is not bound to any zone, the zone bound to the incoming network interface is used and its rules are applied.
3. If the network interface is not bound to a specific zone either (neither the source address nor the interface has a binding), the default zone is used and its rules are applied.
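The lookup order in 1.4 and 1.5, modelled as an added example in POSIX shell (this is not code from the original post or from the firewalld project). The bindings, the packets walked through and the names SOURCE_BINDINGS, INTERFACE_BINDINGS and resolve_zone are constructed here for illustration; the script does not talk to a live firewalld, and a real daemon also handles IPv6, MAC and ipset sources, which this model leaves out.

```shell
#!/bin/sh
# Added example: emulate firewalld's zone selection for an incoming packet.
# Order: source-address binding, then interface binding, then the default zone.
# All bindings below are constructed sample data, not read from a running firewalld.

# "<cidr>=<zone>" and "<interface>=<zone>", space separated (assumed sample data)
SOURCE_BINDINGS="192.168.1.50/32=trusted 10.0.0.0/8=internal"
INTERFACE_BINDINGS="eth0=public eth1=internal"
DEFAULT_ZONE=public

# ip2int 192.168.1.50 -> 3232235826 (dotted quad to a 32-bit integer)
ip2int() {
    echo "$1" | { IFS=. read -r a b c d; echo $(( (a << 24) | (b << 16) | (c << 8) | d )); }
}

# in_cidr <ip> <cidr>: exit 0 when <ip> lies inside <cidr>, e.g. 10.0.0.0/8.
# A bare address without a prefix length is treated as /32.
in_cidr() {
    net=${2%/*}; bits=${2#*/}
    [ "$bits" = "$2" ] && bits=32
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$net") & mask )) ]
}

# resolve_zone <src-ip> <interface>: print the zone whose rules firewalld applies.
resolve_zone() {
    src=$1; iface=$2
    # 1. a source binding wins over everything else
    for entry in $SOURCE_BINDINGS; do
        if in_cidr "$src" "${entry%=*}"; then
            echo "${entry#*=}"; return 0
        fi
    done
    # 2. otherwise the zone the incoming interface is bound to
    for entry in $INTERFACE_BINDINGS; do
        if [ "${entry%=*}" = "$iface" ]; then
            echo "${entry#*=}"; return 0
        fi
    done
    # 3. otherwise the default zone
    echo "$DEFAULT_ZONE"
}

# Walk a few constructed packets through the lookup: ./zone_lookup.sh --demo
if [ "${1:-}" = "--demo" ]; then
    for pkt in "10.1.2.3 eth0" "172.16.0.9 eth1" "172.16.0.9 eth2" "192.168.1.50 eth1"; do
        set -- $pkt
        echo "src=$1 iface=$2 -> zone $(resolve_zone "$1" "$2")"
    done
fi
```

Note the first demo packet: it arrives on eth0, which is bound to public, yet it lands in internal because its source address matches the 10.0.0.0/8 binding. A source binding therefore overrides the interface zone, which is exactly why a stray --add-source on a broad prefix can silently move traffic into a more permissive zone.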
1.6 Ways to configure the firewalld firewall
1. Use the firewall-cmd command-line tool.
2. Use the firewall-config graphical tool.
3. Edit the configuration files under /etc/firewalld/.
systemctl start firewalld.service    # start the firewall service
1.6.1 Commonly used firewall-cmd options
1. --get-default-zone: show the current default zone
2. --set-default-zone=<zone>: set the default zone
3. --get-active-zones: show the zones currently in use and their network interfaces
4. --get-zones: show all available zones
5. --get-zone-of-interface=<interface>: show the zone the given interface is bound to
6. --zone=<zone> --add-interface=<interface>: bind the given interface to the zone
7. --zone=<zone> --change-interface=<interface>: move the given interface into the zone (it leaves the zone it was bound to before)
8. --zone=<zone> --remove-interface=<interface>: remove the given interface's binding from the zone
9. --list-all-zones: show all zones and their rules
10. [--zone=<zone>] --list-all: show all rules of the given zone; when --zone=<zone> is omitted, the default zone is used (the same applies to every option below)
11. [--zone=<zone>] --list-services: show all services allowed in the zone
12. [--zone=<zone>] --add-service=<service>: allow a service in the zone
13. [--zone=<zone>] --remove-service=<service>: remove an allowed service from the zone
14. [--zone=<zone>] --list-ports: show all ports allowed in the zone
15. [--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol>: allow a port or port range (with its protocol) in the zone
16. [--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocol>: remove an allowed port or port range (with its protocol) from the zone
17. [--zone=<zone>] --list-icmp-blocks: show all ICMP types blocked in the zone
18. [--zone=<zone>] --add-icmp-block=<icmptype>: block an ICMP type in the zone
19. [--zone=<zone>] --remove-icmp-block=<icmptype>: unblock an ICMP type that was blocked in the zone
20. firewall-cmd --get-icmptypes: show all ICMP types
2. Zone management
2.1 Show the current default zone
firewall-cmd --get-default-zone
2.2 Show all rules in the default zone
firewall-cmd --list-all
2.3 Show the zones currently in use and their network interfaces
firewall-cmd --get-active-zones
2.4 Set the default zone
firewall-cmd --set-default-zone=home
firewall-cmd --get-default-zone
3. Service management
3.1 View all services allowed in the default zone
firewall-cmd --list-services
3.2 Add the http service to the public zone
firewall-cmd --add-service=http --zone=public
3.3 View the rules configured in the public zone
firewall-cmd --list-all --zone=public
3.4 Remove the http service from the public zone
firewall-cmd --remove-service=http --zone=public
3.5 Add the http and https services to the default zone at the same time, permanently
firewall-cmd --add-service=http --add-service=https --permanent
or: firewall-cmd --add-service={http,https} --permanent
firewall-cmd --reload
firewall-cmd --list-all
# With --permanent the setting is written to the permanent configuration, but it does not take effect until the rules are reloaded with firewall-cmd --reload or the firewalld service is restarted. Without --permanent the rule goes into the runtime configuration only; it is applied immediately but is lost when the system or the firewalld service is restarted or stopped, and also on firewall-cmd --reload.
--runtime-to-permanent: writes the current runtime configuration to the configuration files, making it permanent
4. Port management
4.1 Allow TCP port 443 in the internal zone
firewall-cmd --zone=internal --add-port=443/tcp
firewall-cmd --list-all --zone=internal
4.2 Remove TCP port 443 from the internal zone
firewall-cmd --zone=internal --remove-port=443/tcp
4.3 Allow UDP ports 2048-2050 in the default zone
firewall-cmd --add-port=2048-2050/udp
firewall-cmd --list-all
5. Summary
1. Introduction to the firewalld firewall
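Pulling sections 3 and 4 together, here is an added example (not from the original post or from the firewalld project) of the way a practitioner usually wraps the service and port commands: apply the rule to the runtime layer so it is live now, apply it to the permanent layer so it survives a reload, and check that the two layers agree. The function names fw_ensure and fw_drift and the FWCMD variable are invented here; FWCMD exists only so the logic can be exercised against a stub instead of a real firewall-cmd, and it defaults to the real binary.

```shell
#!/bin/sh
# Added example: make a service or port rule live now AND persistent, and
# detect drift between the runtime and permanent layers.
# FWCMD is an assumed hook for testing; by default it is the real firewall-cmd.
FWCMD=${FWCMD:-firewall-cmd}

# fw_ensure <zone> <service|port> <name>
#   fw_ensure public service https
#   fw_ensure internal port 443/tcp
# Adds the rule to the runtime layer (effective immediately) and to the
# permanent layer (survives --reload and reboot), each only if it is missing,
# so the function is safe to run repeatedly. This sidesteps both mistakes
# from section 3.5: a --permanent rule that was never reloaded, and a
# runtime-only rule that silently disappears at the next reload.
fw_ensure() {
    zone=$1; kind=$2; name=$3
    for layer in runtime permanent; do
        flag=""
        [ "$layer" = permanent ] && flag=--permanent
        # --query-service / --query-port exit 0 when present, 1 when absent
        if $FWCMD $flag --zone="$zone" --query-"$kind"="$name" >/dev/null 2>&1; then
            echo "$layer: $kind $name already present in $zone"
        else
            $FWCMD $flag --zone="$zone" --add-"$kind"="$name" >/dev/null || return 1
            echo "$layer: $kind $name added to $zone"
        fi
    done
}

# fw_drift <zone>: print services that exist in only one layer.
# A runtime-only service is lost at the next reload; a permanent-only
# service is not active yet. Returns 1 when any drift is found.
fw_drift() {
    zone=$1; drift=0
    rt=$($FWCMD --zone="$zone" --list-services)
    pm=$($FWCMD --permanent --zone="$zone" --list-services)
    for s in $rt; do
        case " $pm " in *" $s "*) ;; *) echo "runtime-only (lost on reload): $s"; drift=1 ;; esac
    done
    for s in $pm; do
        case " $rt " in *" $s "*) ;; *) echo "permanent-only (needs --reload): $s"; drift=1 ;; esac
    done
    return $drift
}

# Usage when run directly: ./fw_ensure.sh public service https
if [ $# -eq 3 ]; then
    fw_ensure "$@"
    fw_drift "$1"
fi
```

The helper deliberately adds the same rule to both layers instead of calling --runtime-to-permanent: the latter persists every runtime change that happens to be present, including ones someone made by hand and never meant to keep, whereas the explicit double add persists exactly the rule being requested. Run fw_drift on its own after a change window to catch rules that only exist in runtime before a reload or reboot removes them.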