This is the second day of my participation in Gwen Challenge

Firewall classification:

  • Hardware firewall
  • Software firewall

Function of a firewall

A firewall is mainly used for isolation: inbound traffic is strictly filtered, while outbound traffic is generally allowed.

Software firewall: protects the local host it runs on.

Firewalld in practice

Firewalld introduction

Firewalld is the default firewall management system in CentOS 7. It provides several management front ends: a command-line tool and graphical configuration tools.

In contrast to the iptables firewall, Firewalld supports dynamic updates and introduces the concept of zones. Put simply, Firewalld prepares several sets of firewall policies (policy templates) in advance; users select the set appropriate to their production scenario and can quickly switch between firewall policies.

It is installed by default and starts automatically at boot.

System service: firewalld
Management tools: firewall-cmd (command line), firewall-config (graphical tool)

Restart the firewall:

[root@itlaoxin162 ~]# systemctl restart firewalld

Four common Firewalld zones

Four of the preset zones (rule sets), distinguished by network location, are widely used:

  • Public: allows access only to the SSH, DHCP and ping services of the local host

  • Trusted: allows any access

  • Block: rejects any incoming request (explicit rejection; the client receives a response)

  • Drop: drops any incoming packet (silently, with no response to the client, which saves resources)

Firewalld zone matching rules:

A packet contains three parts: source IP address, destination IP address, and data.

  1. Look at the packet's source IP address and check it against the source rules of every zone. If a zone has a rule for that source IP address, the packet is handled by that zone.
  2. If no zone matches, the packet enters the default zone (public).

Of course, the default zone can be changed.
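The two matching steps above, as an added shell example (not code from the original post): a small POSIX sh function that looks a packet's source address up in a constructed zone-to-source table and falls back to the default zone when nothing matches. The zone table, the addresses and the DEFAULT_ZONE value are constructed for the demonstration; on a live host the bindings are what firewall-cmd --get-active-zones reports. The example goes slightly beyond the post in that it also handles subnet (CIDR) sources, which the parameter table mentions for --add-source.

```shell
#!/bin/sh
# Added example: simulates firewalld's zone selection by source address.
# Not firewalld code. The zone table below is constructed for the demo;
# on a live host the bindings are what `firewall-cmd --get-active-zones` shows.

# Constructed table: one "<zone> <source>" binding per line, as created by
# `firewall-cmd --zone=<zone> --add-source=<ip-or-cidr>`.
ZONE_SOURCES='
block   192.168.1.163
block   10.0.0.0/8
trusted 192.168.1.10
'
DEFAULT_ZONE=public   # assumed default, as in the post (firewall-cmd --get-default-zone)

# ip_to_int <dotted-quad>: prints the address as a single integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr <ip> <ip-or-cidr>: succeeds when <ip> lies inside the prefix.
# A bare address is treated as a /32, exactly as firewalld does.
in_cidr() {
    case $2 in
        */*) base=${2%/*}; bits=${2#*/} ;;
        *)   base=$2;      bits=32 ;;
    esac
    [ "$bits" -eq 0 ] && return 0
    # 4294967295 is 0xFFFFFFFF; keep the mask within 32 bits
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$base") & mask )) ]
}

# resolve_zone <source-ip>: prints the zone whose rules will handle the packet.
# Step 1: look the source up in every zone's source bindings.
# Step 2: no binding matched -> the default zone.
resolve_zone() {
    match=$(printf '%s\n' "$ZONE_SOURCES" | while read -r zone net; do
        [ -n "$zone" ] || continue
        if in_cidr "$1" "$net"; then
            echo "$zone"
            break
        fi
    done)
    echo "${match:-$DEFAULT_ZONE}"
}

# Stand-alone usage: print the zone for each constructed test address.
for ip in 192.168.1.163 10.20.30.40 192.168.1.10 192.168.1.50; do
    echo "$ip -> $(resolve_zone "$ip")"
done
```

A source can be bound to only one zone in firewalld, so the order of the table rows does not matter; the function simply stops at the first binding that covers the address.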

How do I view the default zone?

Case 1: View the default zone

[root@itlaoxin162 ~]# firewall-cmd --get-default-zone
public

Common command parameters

Parameter                              Role
--get-default-zone                     Show the name of the default zone
--set-default-zone=<zone name>         Set the default zone (the change is permanent)
--get-zones                            List the available zones
--get-services                         List the predefined services
--get-active-zones                     Show the zones currently in use, with their source addresses and NIC names
--add-source=<IP or subnet>            Direct traffic originating from this IP address or subnet to the specified zone
--remove-source=<IP or subnet>         Stop directing traffic from this IP address or subnet to the zone
--list-all                             Show the NICs, sources, ports and services configured in the current zone
--list-all-zones                       Show the NICs, sources, ports and services configured in all zones
--add-service=<service name>           Allow traffic for the service in the default zone
--add-port=<port number/protocol>      Allow traffic on the port in the default zone
--remove-service=<service name>        Stop allowing traffic for the service in the default zone
--remove-port=<port number/protocol>   Stop allowing traffic on the port in the default zone
--reload                               Load the permanent configuration into the runtime immediately, replacing the current runtime rules

Case 2: Modify the default zone

Change the default zone:

[root@itlaoxin162 ~]# firewall-cmd --set-default-zone=block
success
[root@itlaoxin162 ~]# firewall-cmd --get-default-zone
block

You can see that the default zone has been changed to block.

Case 3: Add a service to the public zone

[root@itlaoxin162 ~]# firewall-cmd --zone=public --add-service=ftp
success
[root@itlaoxin162 ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Note: after firewalld is restarted, the service we added to public is gone and the zone returns to its original configuration, because the change was made only to the runtime configuration.

For this reason Firewalld also offers permanent rules.

To add a rule permanently, pass the --permanent parameter to the firewall-cmd command. The configured firewall policy is then written to the permanent configuration and survives restarts.

Case 4: Permanently add the http service to the public zone

[root@itlaoxin162 ~]# firewall-cmd --permanent --zone=public --add-service=http
success

Check the result: listing the public zone immediately afterwards still does not show http.

The reason is that a permanent addition is written to the configuration file and only takes effect after firewalld is restarted. If you do not want to restart the service, use the --reload command:

[root@itlaoxin162 ~]# firewall-cmd --reload
success
[root@itlaoxin162 ~]# firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client http ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
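
Cases 3 and 4 show the two ways runtime and permanent configuration can disagree: a runtime-only rule silently disappears on restart, and a permanent-only rule is not enforced until --reload. As an added shell example (not code from the post or from firewalld), the script below parses two firewall-cmd --list-all listings and reports every entry that exists in only one of them. The two listings are constructed to mimic the post's output and the 8080/tcp port is a made-up permanent-only entry; on a live host the same text comes from firewall-cmd --zone=public --list-all and firewall-cmd --permanent --zone=public --list-all.

```shell
#!/bin/sh
# Added example: detect drift between firewalld's runtime and permanent
# configuration by parsing `firewall-cmd --list-all` output. Not firewalld code.
# The two listings below are constructed to mimic the post's output; on a live
# host they would come from
#   firewall-cmd --zone=public --list-all
#   firewall-cmd --permanent --zone=public --list-all

RUNTIME_LIST_ALL='public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ftp ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

PERMANENT_LIST_ALL='public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# field <name> <listing>: prints the value part of the "  <name>: ..." line
field() {
    printf '%s\n' "$2" | awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# words_only_in <list-a> <list-b>: words of <list-a> that are missing from <list-b>
words_only_in() {
    for w in $1; do
        found=no
        for v in $2; do
            [ "$w" = "$v" ] && found=yes
        done
        [ "$found" = no ] && echo "$w"
    done
    return 0
}

# drift_report: one line per runtime-only or permanent-only entry.
# Runtime-only entries vanish on restart/reload (the trap in Case 3);
# permanent-only entries are not enforced until --reload (the trap in Case 4).
drift_report() {
    for f in services ports sources; do
        runtime=$(field "$f" "$RUNTIME_LIST_ALL")
        permanent=$(field "$f" "$PERMANENT_LIST_ALL")
        for w in $(words_only_in "$runtime" "$permanent"); do
            echo "runtime-only $f: $w"
        done
        for w in $(words_only_in "$permanent" "$runtime"); do
            echo "permanent-only $f: $w"
        done
    done
}

drift_report
```

Running the script as written prints "runtime-only services: ftp" and "permanent-only ports: 8080/tcp". An empty report is the state you want after every change: either --permanent plus --reload, or the same rule applied once with and once without --permanent.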

Case 5: Deny an IP address

[root@itlaoxin-163 ~]# ping 192.168.1.162
64 bytes from 192.168.1.163: icmp_seq=1 ttl=64 time=0.097 ms

We add the source IP address 192.168.1.163 to the block zone:

[root@itlaoxin162 ~]# firewall-cmd --zone=block --add-source=192.168.1.162
success
[root@itlaoxin162 ~]# firewall-cmd --zone=block --list-all
block (active)
  target: %%REJECT%%
  icmp-block-inversion: no
  interfaces: ens32
  sources: 192.168.1.162
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

Let's ping it again and see what happens:

[root@itlaoxin-163 ~]# ping 192.168.1.162
PING 192.168.1.162 (192.168.1.162) 56(84) bytes of data.
From 192.168.1.162 icmp_seq=1 Destination Host Prohibited

An error is returned.

There are two common models:

  • Loose: the default zone is trusted, and individual rejected source IP addresses are added to block

  • Strict: the default zone is block, and individual allowed source IP addresses are added to trusted
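
The two models above, as an added shell example (not code from the post or from firewalld): the firewall-cmd sequence for each model, wrapped in a function with a dry-run mode so the plan can be read before anything is applied. The addresses are constructed placeholders and the DRY_RUN variable, the run helper and both function names are this example's own. One point the bullets do not spell out, and the reason the strict function orders its commands the way it does: --set-default-zone changes runtime and permanent configuration at once, so the allowed sources must already be bound and reloaded before the default becomes block, or new connections from the administrator's own host are rejected too.

```shell
#!/bin/sh
# Added example: apply the post's "loose" or "strict" model with firewall-cmd
# in a lock-out-safe order. Not part of firewalld. With DRY_RUN=1 (the default
# here) the commands are printed instead of executed, so the plan can be
# reviewed first; run with DRY_RUN=0 as root on the firewall host to apply it.
DRY_RUN=${DRY_RUN:-1}

# run <command...>: print in dry-run mode, otherwise execute
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apply_loose_model <denied-source>...
# Default zone trusted; listed sources are rejected by the block zone.
apply_loose_model() {
    run firewall-cmd --set-default-zone=trusted       # runtime + permanent
    for src in "$@"; do
        run firewall-cmd --permanent --zone=block --add-source="$src"
    done
    run firewall-cmd --reload                         # make the bindings live
}

# apply_strict_model <allowed-source>...
# Default zone block; only listed sources reach the host (trusted zone).
# Order matters: bind the allowed sources and reload BEFORE switching the
# default zone, because --set-default-zone takes effect immediately and would
# otherwise reject new connections from the admin host as well.
apply_strict_model() {
    if [ $# -eq 0 ]; then
        echo "refusing: no allowed sources given, this would reject every new connection" >&2
        return 1
    fi
    for src in "$@"; do
        run firewall-cmd --permanent --zone=trusted --add-source="$src"
    done
    run firewall-cmd --reload
    run firewall-cmd --set-default-zone=block
}

# Stand-alone usage (constructed addresses, dry run): show both plans
echo "# loose model plan"
apply_loose_model 192.168.1.163
echo "# strict model plan"
apply_strict_model 192.168.1.10 10.0.0.0/24
```

The strict function refuses to run with an empty allow list for the same reason: a block default with no trusted sources is a remote lock-out, not a policy.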

Conclusion

I plan to write four articles on firewalls; this is the first, and it gives you a preliminary understanding of and hands-on experience with the firewall.