In CentOS 7, the default front end for managing netfilter has changed from iptables to firewalld.
I. The nine zones in firewalld
firewalld defines nine zones; each zone is described below.
Drop
Any incoming network packets are dropped; there is no reply. Only outgoing network connections are possible.
Block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated from within the system are possible.
Public
For use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
External
For use on external networks with masquerading enabled, especially for routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
DMZ
For computers in your demilitarized zone that are publicly accessible with limited access to your internal network. Only selected incoming connections are accepted.
Work
For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
Home
For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
Internal
For use on internal networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.
Trusted
All network connections are accepted.
Zone ordering
The zones provided by firewalld are listed above in order from least trusted to most trusted.
II. Using firewalld
Before changing anything, check which firewall service the system is currently running:
systemctl list-units --all --type=service | egrep 'firewalld|ip6tables|iptables'
Look at the ACTIVE column: a service showing active is the one in use. If the firewalld line shows inactive, start and enable it with the following commands:
systemctl start firewalld
systemctl enable firewalld
If iptables.service is active, stop and disable it:
systemctl stop iptables
systemctl disable iptables
After running these commands, repeat the first command to confirm that the service states are as expected.
The firewall-cmd options read a bit like English sentences, which makes them easy to understand, though somewhat tedious to type.
For example:
firewall-cmd --get-default-zone
firewall-cmd --set-default-zone=work
firewall-cmd --get-zone-of-interface=ens33
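The check above, as an added shell example that is not part of the original post: it parses the `systemctl list-units` output with the same filter and reports which front end is active, flagging the unsupported state where firewalld and iptables are both running. The service listing embedded below is constructed sample output, not captured from a real host.

```shell
#!/bin/sh
# Added example: classify the firewall front end from the output of
# `systemctl list-units --all --type=service`.
# SAMPLE_UNITS is CONSTRUCTED sample output (column layout as systemctl prints it).
SAMPLE_UNITS='  UNIT               LOAD   ACTIVE   SUB     DESCRIPTION
  firewalld.service  loaded active   running firewalld - dynamic firewall daemon
  ip6tables.service  loaded inactive dead    IPv6 firewall with ip6tables
  iptables.service   loaded active   exited  IPv4 firewall with iptables'

# active_units <listing>: print the firewall services whose ACTIVE column
# reads "active", one name per line, using the same egrep filter as the page.
active_units() {
    printf '%s\n' "$1" \
      | grep -E 'firewalld|ip6tables|iptables' \
      | awk '$3 == "active" { sub(/\.service$/, "", $1); print $1 }'
}

# firewall_state <listing>: summarise the listing as one word:
#   firewalld - only firewalld manages netfilter (the expected CentOS 7 state)
#   iptables  - only the legacy iptables/ip6tables services are active
#   conflict  - firewalld and the iptables services are active at the same time
#   none      - no firewall service is active at all
firewall_state() {
    fw=0; ipt=0
    for unit in $(active_units "$1"); do
        case "$unit" in
            firewalld)          fw=1 ;;
            iptables|ip6tables) ipt=1 ;;
        esac
    done
    if   [ "$fw" = 1 ] && [ "$ipt" = 1 ]; then echo conflict
    elif [ "$fw" = 1 ];                   then echo firewalld
    elif [ "$ipt" = 1 ];                  then echo iptables
    else                                       echo none
    fi
}

# With the constructed sample both firewalld and iptables are active,
# which is exactly the state the page tells you to fix.
firewall_state "$SAMPLE_UNITS"
```

On a real host, feed it live output instead: `firewall_state "$(systemctl list-units --all --type=service)"`.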
Command-line operations
(i) Managing the relationship between network interfaces and zones
1. View the default zone assigned to newly added interfaces
firewall-cmd --get-default-zone
2. Set the default zone for newly added interfaces
firewall-cmd --set-default-zone=work
3. Check which zone an interface belongs to
firewall-cmd --get-zone-of-interface=ens33
4. Add a specified interface to a zone
firewall-cmd --zone=dmz --add-interface=ens33
5. Change the zone of an interface
firewall-cmd --zone=public --change-interface=ens33
6. Show the zones that currently have interfaces assigned
firewall-cmd --get-active-zones
(ii) Managing services in a zone