5 min Understanding Centos7 Firewall Firewalld

Source: Internet
Author: User

Copyright notice: this is original content; when reprinting, please credit the source.

Original address: http://www.excelib.com/article/287/show

Firewalld Introduction

CentOS 7 replaced iptables, the default firewall of earlier releases, with firewalld. Compared with iptables, firewalld has at least two major benefits:

1. firewalld can modify a single rule dynamically; with iptables, after a rule is modified the whole rule set has to be reloaded before the change takes effect;

2. firewalld is far more user-friendly than iptables: even someone who does not understand the "five tables, five chains" model or the TCP/IP protocols can accomplish most tasks with it.

Learn more

iptables actually has five tables

Most iptables material says that iptables has four tables and five chains, but in fact iptables has a fifth table, the security table. This table has to be used together with SELinux. Although SELinux has been around for more than ten years, many people still do not understand it thoroughly, and many even turn it off!

In fact the security design behind SELinux is very good, and once you understand the design concept it is not that complicated to use; what is very complex is its set of built-in rules. I will introduce SELinux when there is an opportunity. Back to the five tables of iptables: they are filter, nat, mangle, raw and security.

The filter table is the filtering table we use most often. The nat table is mainly used for forwarding packets; for example, if a computer on a LAN wants to reach the Internet, NAT can be used to forward its traffic. Rules in the mangle table can modify packets, for example by changing the TTL value. The raw table exists mainly to improve efficiency: "raw" means unprocessed, and packets matched by raw table rules skip some checks, which improves efficiency; accordingly the raw table also has the highest priority. The security table is a filter for the mandatory access control (MAC) mode associated with SELinux.

Of course, even if you do not know any of this, you can still use firewalld very well.

The relationship between firewalld and iptables

firewalld itself does not do any filtering; like iptables, it relies on netfilter in the kernel. That is, both firewalld and iptables only maintain rules, and it is the kernel's netfilter that actually applies them. Where firewalld and iptables differ is in their structure and in how they are used.

Structure of firewalld

What we discuss here is not the structure of the firewalld software, but the structure of its configuration files.

Before introducing the configuration file structure in detail, I want to introduce firewalld's configuration model. Its design is very ingenious, and the thinking behind it is well worth learning from.

Configuration model of firewalld

firewalld's configuration files are in XML format (the exception is the main configuration file, firewalld.conf). They have two storage locations:

1. /etc/firewalld/

2. /usr/lib/firewalld/

The lookup rule is this: when a file is needed, firewalld first looks in the first directory; if the file is found there it is used directly, otherwise firewalld continues to look in the second directory.

The purpose of this structure is this: the second directory holds the default configuration files shipped by firewalld; if we want to modify a configuration, we copy the file to the first directory and modify the copy there. This has two benefits. First, we can later see very clearly which files we have created or modified. Second, if we want to restore the default configuration shipped by firewalld, we simply delete the file in the first directory. This is very simple, unlike many other programs where you have to back a file up before changing it and, a long time later, may have forgotten which version you backed up.

Of course, firewalld did not invent this configuration model; it is used in many other places. For example logback, the Java logging framework, follows the same model: when looking for its configuration it first looks for logback-test.xml in the root directory and uses it if found; if not, it looks for logback.xml; if that is not found either, it falls back to the configuration built into its own package. This is very convenient: for example, we can create both logback-test.xml and logback.xml, use logback-test.xml on the development machine, and simply delete it when deploying to the server! Many other products use this model too, including many of Spring's sub-frameworks; the component configuration in Spring MVC works the same way, falling back to a default configuration when nothing is configured. Spring MVC is not our topic here, so I will not expand on it; for details you can refer to my book "See Spring MVC: Source Code Analysis and Practice".

Configuration file structure

firewalld's configuration file structure is very simple: two files and three directories.

Files: firewalld.conf, lockdown-whitelist.xml

Directories: zones, services, icmptypes

In addition, if you use direct rules, there is also a direct.xml file. Note that the directory holding the default configuration, /usr/lib/firewalld/, contains only the three directories just mentioned, not the files firewalld.conf, lockdown-whitelist.xml and direct.xml; those three files exist only in the /etc/firewalld/ directory.

Below I describe the role of each of these files and directories.

  • firewalld.conf: firewalld's main configuration file, in key=value format, very simple, with only five configuration items:

      • DefaultZone: the default zone (zones are introduced in detail later); the default value is public;

      • MinimalMark: the minimum mark value. The Linux kernel can mark each incoming packet in order to distinguish packets from one another. For example, in the discussion of the five iptables tables above I said that packets matching raw table rules can skip some checks; how is that skipping done? It is done with the mark, and the packet mark has many other uses as well. MinimalMark sets the lowest mark value firewalld uses; the default is 100 and normally there is no need to change it, but if we have special needs we can change it to tell Linux the minimum mark value firewalld may use. For example, if we need to mark packets matching a certain condition with 123 ourselves, we should set MinimalMark to a value greater than 123 to avoid collisions.

      • CleanupOnExit: easy to understand; it indicates whether the firewall rules are cleared when firewalld exits; the default value is yes;

      • Lockdown: this option concerns operating firewalld through its D-Bus interface. firewalld allows other programs to operate it directly over D-Bus; when Lockdown is set to yes, lockdown-whitelist.xml can be used to restrict which programs may do so, and when it is set to no there is no restriction. The default value is no;

      • IPv6_rpfilter: similar in function to rp_filter, but for IPv6. It determines whether a received packet is spoofed, mainly by checking it against the entries in the routing table; for more detail, search for uRPF (unicast reverse path forwarding). The default value is yes.

  • lockdown-whitelist.xml: when Lockdown is yes, restricts which programs may operate firewalld through the D-Bus interface.

  • direct.xml: this file lets you use iptables-style filtering rules directly, which is very handy for users familiar with iptables and also provides a fast lane for migrating from iptables to firewalld.

  • zones: holds the zone configuration files

  • services: holds the service configuration files

  • icmptypes: holds the configuration files for ICMP types

The most basic and most important thing in using firewalld is understanding zones, yet most people's understanding of them is not very thorough. Below I explain in detail what a zone actually is.

Zone

firewalld provides nine zone configuration files by default: block.xml, dmz.xml, drop.xml, external.xml, home.xml, internal.xml, public.xml, trusted.xml and work.xml, all saved in the /usr/lib/firewalld/zones/ directory. What is the relationship between these zones, and which scenario is each of them meant for?

To answer these questions we first need to understand the essential meaning of a zone. In the previous section on firewalls I said that a firewall is like a doorman: whether the doorman lets a particular visitor through depends on a set of rules. Our zone is exactly such a set of rules, a judgment scheme.

With that understanding, firewalld's zones are easy: the nine zones are really nine schemes, and what a scheme decides is determined by the content of its XML file, not by the file name, so there is no need to spend much effort on the meaning of each zone name. For example, the trusted zone trusts all packets, that is, everything is let through, whereas the public zone lets through only the services configured in it and nothing else. If we swapped the contents of the two files, their rules would swap as well, and public would then be the zone that lets everything through. Let us look at the contents of these two files.

public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

trusted.xml

<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
</zone>

Pay special attention to the target attribute of the zone in trusted.xml: because it is set to ACCEPT, the zone lets all packets through. The zone in public.xml has no target attribute, so by default it rejects, and in the public zone (this scheme) only the services configured in it are allowed through.

You can open the XML files of the other zones yourself; I will not go through them here. The details of the zone configuration file structure and its meaning are explained later. Next I introduce firewalld services.

Service

A service is another very important concept in firewalld, but its meaning is very simple. Sticking with the doorman analogy: in the iptables era, the rules we gave the doorman had to say "let everyone going to building 22 in", "let everyone going to building 80 in", and so on. In the firewalld era this is no longer necessary; instead we can issue orders like "let everyone going to the sales department in", and the doorman looks up that the sales department is in building 80, so everyone headed for building 80 is let in. Map the building numbers to port numbers and the department names to service names, and the role of a service should be clear.

Moving from port numbers to service names has two main advantages. First, service names are semantically clear and less error-prone. Second, when a service's port number changes, only the corresponding service file needs to be modified, not the firewall scheme, i.e. the zone. This is the same reason DNS maps domain names to IP addresses. Below I introduce the service configuration files.

Service configuration files are named <service name>.xml, so the SSH configuration file is ssh.xml, the HTTP one is http.xml, and so on. They are saved by default in the /usr/lib/firewalld/services/ directory, where the common services can be found. If we want to change a service's configuration, we copy its file to the /etc/firewalld/services/ directory and modify the copy; to restore the default configuration we simply delete our own copy. Let us look at the ssh.xml file for the SSH service:

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

You can see that TCP port 22 is configured here, so once the ssh service is configured in the zone in use (public by default), TCP port 22 is open. If we want to change the SSH port to 222, we simply copy ssh.xml to /etc/firewalld/services/ and change the port number there to 222. Modifying the file in /usr/lib/firewalld/services/ directly would also work, but it is strongly recommended not to do so, for reasons I believe everyone understands.

Once the principle is understood, usage becomes very flexible. For example, if we copy the file /etc/firewalld/services/ssh.xml within /etc/firewalld/services/, rename the copy abc.xml and configure the abc service in the zone in use, port 22 is opened. In other words, the service configured in a zone has no direct relation to the actual service of that name; what matters is the content of the corresponding configuration file.
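The two-directory lookup described under "Configuration model of firewalld" and the zone/service behaviour described in the last two sections can be checked end to end without touching a live system. The following is an added example, not code from the original article or from the firewalld project: it builds a throwaway directory tree with stand-in copies of public.xml, trusted.xml and ssh.xml (plus a constructed dhcpv6-client.xml), resolves each file the way firewalld does (/etc/firewalld first, /usr/lib/firewalld as fallback) and reports which ports a zone actually admits. The directory names, file contents, and the helper functions find_config, service_ports, zone_policy and demo are all constructed for illustration.

```python
"""Resolve what a firewalld zone admits from zone and service XML files.
Added example; not the firewalld project's own code."""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

ADMIN_DIR = "etc/firewalld"       # stands in for /etc/firewalld/ (admin overrides)
VENDOR_DIR = "usr/lib/firewalld"  # stands in for /usr/lib/firewalld/ (shipped defaults)

# Constructed stand-ins for the files quoted in the article (descriptions omitted).
PUBLIC_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>
"""
TRUSTED_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
</zone>
"""
SSH_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>
"""
DHCPV6_CLIENT_XML = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>DHCPv6 Client</short>
  <port protocol="udp" port="546"/>
</service>
"""

def find_config(root, relpath):
    """The lookup rule: the admin directory wins, the vendor directory is the fallback."""
    for base in (ADMIN_DIR, VENDOR_DIR):
        path = os.path.join(root, base, relpath)
        if os.path.isfile(path):
            return path
    raise FileNotFoundError(relpath)

def service_ports(root, name):
    """Resolve a service name to the set of (protocol, port) pairs its XML declares."""
    tree = ET.parse(find_config(root, os.path.join("services", name + ".xml")))
    return {(p.get("protocol"), p.get("port")) for p in tree.getroot().findall("port")}

def zone_policy(root, zone):
    """What the zone lets in: target="ACCEPT" admits everything; with no target
    (default reject) only the listed services pass, resolved through their files."""
    zroot = ET.parse(find_config(root, os.path.join("zones", zone + ".xml"))).getroot()
    if zroot.get("target") == "ACCEPT":
        return {"target": "ACCEPT", "allowed": "all"}
    allowed = set()
    for svc in zroot.findall("service"):
        allowed |= service_ports(root, svc.get("name"))
    return {"target": "default", "allowed": allowed}

def write(root, base, relpath, text):
    """Create a config file under one of the two directories."""
    path = os.path.join(root, base, relpath)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)
    return path

def demo():
    """Build the tree, then replay the scenarios from the article; returns the results."""
    root = tempfile.mkdtemp()
    try:
        write(root, VENDOR_DIR, "zones/public.xml", PUBLIC_XML)
        write(root, VENDOR_DIR, "zones/trusted.xml", TRUSTED_XML)
        write(root, VENDOR_DIR, "services/ssh.xml", SSH_XML)
        write(root, VENDOR_DIR, "services/dhcpv6-client.xml", DHCPV6_CLIENT_XML)
        out = {}
        out["trusted"] = zone_policy(root, "trusted")["allowed"]
        out["public_default"] = zone_policy(root, "public")["allowed"]
        # Move SSH to 222 by overriding only the service file; the zone is untouched.
        write(root, ADMIN_DIR, "services/ssh.xml", SSH_XML.replace('port="22"', 'port="222"'))
        out["public_ssh_222"] = zone_policy(root, "public")["allowed"]
        # A copy of ssh.xml under a new name still opens 22: the content decides, not the name.
        write(root, ADMIN_DIR, "services/abc.xml", SSH_XML)
        out["abc"] = service_ports(root, "abc")
        # Deleting the admin override restores the shipped default.
        os.remove(os.path.join(root, ADMIN_DIR, "services/ssh.xml"))
        out["public_restored"] = zone_policy(root, "public")["allowed"]
        return out
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running it shows trusted admitting everything regardless of services, public admitting only tcp/22 and udp/546, the port moving to 222 after the admin-side ssh.xml override while public.xml stays as shipped, the renamed abc service opening 22, and the default returning as soon as the override file is removed. On a real host the same checks are done by reading the files under /etc/firewalld/ and /usr/lib/firewalld/ instead of the temporary tree.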

Configuration methods

There are three main ways to configure firewalld: firewall-config, firewall-cmd, and editing the XML files directly. firewall-config is a graphical tool and firewall-cmd a command-line tool; on Linux you are probably more used to working from the command line, so I will not introduce firewall-config. The specific configuration methods are covered in the next section.

Reference: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
