This is the ninth day of my participation in the August More Text Challenge. For details, see: August More Text Challenge

Strictly speaking, it is not accurate to treat Firewalld as firewall software. Firewalld is a front-end control tool of the Linux kernel Netfilter/Iptables packet filtering system. It is used to manage firewall rules and policies at the user layer.

Firewalld is easier to use than Iptables directly: you can manage firewall rules as long as you know the common parameters, without having to understand the "four tables and five chains" of Iptables.

In addition, Firewalld supports dynamic updates, so modifying rules does not require restarting the firewall service. It also adds the concepts of Zone and Service, which let users quickly switch policies between scenarios and quickly set up rules for a service.

Install and manage Firewalld

Firewalld is included by default in some Linux distributions, such as CentOS 7+ and Fedora 18+. Use the following commands to install it and to manage the service.

# Install
yum install firewalld

# On a desktop, the GUI and the tray applet can be installed as well
yum install firewall-config
yum install firewall-applet

# Start the service and enable it at boot
systemctl start firewalld
systemctl enable firewalld

# List the ports allowed in the default zone
firewall-cmd --list-ports

# List the services allowed in the default zone
firewall-cmd --list-services

Firewalld region concept

Firewalld works with the concept of a "zone": an access control policy that corresponds to a trust level for a given usage scenario. By dividing the network into zones, different network services and traffic types can be allowed between them.

Firewalld ships with several zone policy templates by default (see the table below; the configuration files are in the /usr/lib/firewalld/zones/ directory), of which public is the default zone. Most services must be enabled manually.

Zone       Policy
public     Public area: other computers on the network are not trusted; only selected incoming connections are accepted
drop       Lowest trust level: all incoming connections are discarded without any reply; only outgoing connections are allowed
block      Like drop, but incoming connections are not silently discarded; an icmp-host-prohibited message is returned
external   External network with NAT masquerading enabled: other computers on the network are not trusted; only selected incoming connections are accepted
internal   Internal network: other computers on the network are mostly trusted; only selected incoming connections are accepted
home       Home network: other computers on the network are mostly trusted; only selected incoming connections are accepted
work       Work network: other computers on the network are mostly trusted; only selected incoming connections are accepted
dmz        Demilitarized zone: computers that are publicly accessible but have limited access to the internal network; only selected incoming connections are accepted
trusted    Highest trust level: all network connections are accepted and other computers on the network are trusted

View the configuration information about a region, including the region description, network adapter, allowed port, and service parameters. For example, view the public region.

firewall-cmd --info-zone=public -v

To add a user-defined zone, proceed as follows

# Create a new zone
firewall-cmd --permanent --new-zone=ZoneName

# Add the allowed services (set as needed)
firewall-cmd --permanent --zone=ZoneName --add-service=ssh
firewall-cmd --permanent --zone=ZoneName --add-service=dns

# Bind a network interface to the zone (optional; the default zone is used if no interface is bound).
# --permanent is required here because the new zone exists only in the permanent configuration until it is reloaded
firewall-cmd --permanent --zone=ZoneName --change-interface=eth1

# Restart the network and reload the firewall for the configuration to take effect
systemctl restart network
systemctl reload firewalld

Set access rules for the service

In the default public zone policy, all services other than key ones such as SSH are disabled by default (a service generally means a port/protocol pair or an application). If other services need to communicate, exceptions must be added manually.

For example, to enable or disable the HTTP service in the public zone

# Allow HTTP in the public zone
firewall-cmd --permanent --zone=public --add-service=http
# Remove HTTP from the public zone again
firewall-cmd --permanent --zone=public --remove-service=http

After the operation, run firewall-cmd --reload to refresh the configuration.

To see the list of available service names, use firewall-cmd --get-services. To check a service's description and the ports it uses, go to the /usr/lib/firewalld/services directory and read the XML service description file inside it.

To add a user-defined service, go to /etc/firewalld/services and create the corresponding XML service file. You can copy an existing service file and modify it from there; change the service name, the description, and the allowed port/protocol entries.

cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/service-name.xml

In the following example, we create a custom service that uses TCP port 111 and UDP port 222

<?xml version="1.0" encoding="utf-8"?>
<service>
	<short>example-service</short>
	<description>This is just an example service. It uses TCP port 111 and UDP port 222.</description>
	<port protocol="tcp" port="111"/>
	<port protocol="udp" port="222"/>
</service>
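As an added example (not code from the original post), the following POSIX shell helper generates a service file of the form shown above from a name, a description and a list of PORT/PROTO specs, refusing malformed names, protocols and port ranges before anything is written into the services directory. make_firewalld_service, check_port_spec and xml_escape are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the original post): generate a firewalld service
# definition like the one above from a name, a description and a list of
# PORT/PROTO specs, validating every spec before anything is written into the
# services directory. make_firewalld_service is a hypothetical helper name.

# Validate one PORT/PROTO spec: port 1-65535 (or a low-high range), known protocol.
check_port_spec() {
    port=${1%/*}; proto=${1#*/}
    case $proto in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: $1" >&2; return 1 ;; esac
    case $port in ""|-*|*-|*-*-*|*[!0-9-]*) echo "bad port: $1" >&2; return 1 ;; esac
    lo=${port%-*}; hi=${port#*-}
    if [ "$lo" -lt 1 ] || [ "$hi" -gt 65535 ] || [ "$lo" -gt "$hi" ]; then
        echo "port out of range: $1" >&2; return 1
    fi
}

# Escape the characters that would break an XML text node.
xml_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'
}

# Usage: make_firewalld_service OUTDIR NAME "DESCRIPTION" PORT/PROTO...
# Writes OUTDIR/NAME.xml; on a real host OUTDIR would be /etc/firewalld/services.
make_firewalld_service() {
    outdir=$1; name=$2; desc=$3; shift 3
    # The name becomes the file name and the --add-service argument, so keep it plain.
    case $name in ""|*[!A-Za-z0-9._-]*) echo "bad service name: $name" >&2; return 1 ;; esac
    [ $# -gt 0 ] || { echo "no ports given" >&2; return 1; }
    for spec in "$@"; do check_port_spec "$spec" || return 1; done
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '\t<short>%s</short>\n' "$(xml_escape "$name")"
        printf '\t<description>%s</description>\n' "$(xml_escape "$desc")"
        for spec in "$@"; do
            printf '\t<port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$outdir/$name.xml"
}
```

After the file is written, the service is enabled like any built-in one with firewall-cmd --permanent --add-service=NAME followed by firewall-cmd --reload.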

Service management is more convenient than setting specific ports for different services. Therefore, you are advised to use the service mode. In this way, you don’t need to remember the port/protocol parameters of each service, but only need to know the name of the service.

Set access rules for ports/protocols

To allow/deny access to certain ports of specific protocols, run the following command

# Allow TCP port 80 in the public zone
firewall-cmd --zone=public --add-port=80/tcp --permanent
# Remove the rule again
firewall-cmd --zone=public --remove-port=80/tcp --permanent

You can add or delete ports in batches using hyphens to specify the port range

# Allow TCP ports 80 through 90 in the public zone
firewall-cmd --zone=public --add-port=80-90/tcp --permanent
# Remove the range again
firewall-cmd --zone=public --remove-port=80-90/tcp --permanent

Configure port forwarding. For example, forward traffic arriving on port 80 to port 8080. Without --permanent these commands change the runtime configuration only.

# Enable NAT (masquerading) in the zone
firewall-cmd --zone=public --add-masquerade
# Forward TCP port 80 to port 8080
firewall-cmd --zone=public --add-forward-port=port=80:proto=tcp:toport=8080

Temporarily open port/service access

For testing purposes, it is sometimes enough to open access only temporarily. For example, allow port 25 or the SMTP service for 600 seconds

firewall-cmd --add-port=25/tcp --timeout=600
firewall-cmd --add-service=smtp --timeout=600

Allow/deny access from specific IP addresses

You can use the rich-rule parameter to block access from a specified IP address. (The reject at the end of the command can also be drop; the difference is that drop silently discards the traffic, while reject returns a rejection message.)

firewall-cmd --add-rich-rule 'rule family="ipv4" source address="1.1.1.1" reject'

Allow access from a specific IP address

firewall-cmd --add-rich-rule 'rule family="ipv4" source address="1.1.1.1" accept'

Further access conditions can be set, such as a port and protocol

# Block IP address 1.1.1.1 from accessing TCP port 22
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="1.1.1.1" port port="22" protocol="tcp" reject'
# Allow IP address 1.1.1.1 to access TCP port 22
firewall-cmd --add-rich-rule 'rule family="ipv4" source address="1.1.1.1" port port="22" protocol="tcp" accept'
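Rich rules are easy to get wrong by hand (misplaced quotes, a wrong family value, a missing protocol). As an added example that is not from the original post, this POSIX shell helper builds the rule string from validated parts; build_rich_rule and is_ipv4 are hypothetical helper names, and the result is meant to be passed to firewall-cmd --add-rich-rule as shown in the comment.

```shell
#!/bin/sh
# Added example (not from the original post): compose a firewalld rich rule from
# validated parts, so the family, source, port and action always land in the
# right place with the right quoting. build_rich_rule and is_ipv4 are
# hypothetical helper names.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix.
is_ipv4() {
    addr=${1%/*}; pfx=${1#*/}
    [ "$pfx" = "$1" ] && pfx=32            # no "/": treat as a single host
    case $pfx in ""|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] || return 1
    (set -f; IFS=.; set -- $addr; [ $# -eq 4 ] || exit 1
     for o in "$@"; do case $o in ""|*[!0-9]*) exit 1 ;; esac; [ "$o" -le 255 ] || exit 1; done)
}

# Usage: build_rich_rule ACTION SOURCE [PORT PROTO]
# ACTION: accept, reject (answers with an ICMP error) or drop (silent), as in the text above.
# Apply the result with: firewall-cmd --add-rich-rule "$(build_rich_rule reject 1.1.1.1 22 tcp)"
build_rich_rule() {
    action=$1; src=$2; port=$3; proto=$4
    case $action in accept|reject|drop) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
    is_ipv4 "$src" || { echo "bad IPv4 source: $src" >&2; return 1; }
    rule="rule family=\"ipv4\" source address=\"$src\""
    if [ -n "$port" ]; then
        # A single port only here; rich rules also accept ranges such as 80-90.
        case $port in *[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $port" >&2; return 1; }
        case $proto in tcp|udp|sctp|dccp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
        rule="$rule port port=\"$port\" protocol=\"$proto\""
    fi
    printf '%s\n' "$rule $action"
}
```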

Common Commands Appendix

Option                                         Function
--version                                      Show the version information
--help                                         Show the help information
--permanent                                    Make the rule permanent; the configuration must be reloaded for it to take effect
--reload                                       Reload the firewall configuration so that permanent rules take effect immediately
--get-default-zone                             Print the name of the current default zone
--set-default-zone=<zone>                      Change the default zone (takes effect after the firewall configuration is reloaded)
--get-zones                                    List all zone names, separated by spaces
--get-services                                 List all available service names
--get-active-zones                             Show the zones currently in use and their network interfaces
--list-all                                     Show the detailed settings of the current (default) zone, including interfaces, allowed services and ports
--list-all-zones                               Show the detailed settings of all zones, including interfaces, allowed services and ports
--add-service=<service>                        Allow traffic for the service in the default zone
--remove-service=<service>                     Disallow traffic for the service in the default zone
--add-port=<port/protocol>                     Allow traffic on the port in the default zone
--remove-port=<port/protocol>                  Disallow traffic on the port in the default zone
--add-source=<IP address>                      Direct traffic from this IP address or subnet to the specified zone
--remove-source=<IP address>                   Stop directing traffic from this IP address or subnet to the specified zone
--add-interface=<NIC name>                     Direct all traffic from the network interface to the specified zone from now on
--change-interface=<NIC name>                  Associate a network interface with a zone
--direct                                       Pass Iptables commands through the direct interface
--direct --get-all-chains                      Show the Iptables chains that have been added
--direct --get-all-rules                       Show the Iptables rules that have been added
--list-lockdown-whitelist-commands             List all commands in the lockdown whitelist
--add-lockdown-whitelist-command=<command>     Add a command to the lockdown whitelist
--remove-lockdown-whitelist-command=<command>  Remove a command from the lockdown whitelist
--list-lockdown-whitelist-users                List all users in the lockdown whitelist
--add-lockdown-whitelist-user=<user>           Add a user to the lockdown whitelist
--remove-lockdown-whitelist-user=<user>        Remove a user from the lockdown whitelist
--lockdown-on                                  Lock the firewall configuration; once locked, firewall-cmd can no longer be used to change it
--lockdown-off                                 Unlock the firewall configuration; firewall-cmd must be run from a command or user in the lockdown whitelist
--runtime-to-permanent                         Save the runtime configuration, overwriting the permanent configuration
--panic-on                                     Enable panic mode, which cuts all incoming and outgoing packets
--panic-off                                    Disable panic mode
--complete-reload                              Fully reload the firewall service, including the Netfilter kernel modules; active connections are terminated