5-minute understanding of Centos7 firewall firewalld and centos7firewalld



Copyright notice: this is original content; please credit the source when reproducing it.

Original address: http://www.excelib.com/article/287/show

Firewalld Overview

In CentOS 7 the old iptables front end is replaced by firewalld by default. firewalld has at least two advantages over iptables:

1. firewalld can add, change or remove a single rule dynamically, whereas iptables (through its service script) flushes and reloads the whole rule set;

2. firewalld is much friendlier to use. Even without understanding the "five tables and five chains" or the details of TCP/IP, you can accomplish most everyday tasks.

 

Know more

Iptables actually contains five tables

Most iptables documentation says that iptables has four tables and five chains. In fact there is a fifth table, the security table, but it only comes into play together with SELinux. Although SELinux has been around for more than a decade, many people still do not understand it thoroughly, and many simply turn it off!

SELinux's design is actually very sound from a security standpoint, and once you understand that design it is not hard to use; what is complicated is the built-in policy. If there is an opportunity I will introduce SELinux separately. Back to the five iptables tables: filter, nat, mangle, raw and security.

filter is the most commonly used table; it does the actual packet filtering. nat rewrites addresses and ports, for example so that hosts on a LAN can reach the Internet through a gateway (masquerading). mangle modifies packet fields such as the TTL. raw ("unprocessed") is traversed before connection tracking, so packets matched there can be marked NOTRACK and skip conntrack altogether, which saves work; that is also why raw is consulted before the other tables. security holds the rules for SELinux Mandatory Access Control (MAC), such as SECMARK labelling.

Of course, this is background only; you can use firewalld well without it.

 

Relationship between firewalld and iptables

firewalld itself does not filter packets; like iptables, it relies on the kernel's netfilter. In other words, both firewalld and iptables are tools for maintaining rules, and the component that actually applies them is netfilter in the kernel. What differs between firewalld and iptables is the structure of the rules and the way they are used. (On CentOS 7 firewalld actually generates iptables/ip6tables/ebtables rules under the hood; `iptables -L -n` shows them.)

Firewalld Structure

The structure meant here is not the structure of the firewalld software but the structure of its configuration files.

Before describing the configuration file structure I will first introduce the firewalld configuration mode. Its design is quite clever, and the idea behind it is worth learning.

Firewalld Configuration Mode

firewalld configuration files are mostly XML (the main configuration file firewalld.conf is the exception). They live in two locations:

1. /etc/firewalld/

2. /usr/lib/firewalld/

The lookup rule is simple: when firewalld needs a file, it first looks in the first directory. If the file is there, it is used directly; otherwise firewalld falls back to the second directory.

The point of this layout is that the second directory holds the stock configuration shipped with firewalld. If we want to change something, we copy the file into the first directory and edit the copy. This has two advantages. First, it is always obvious which files we created or modified ourselves. Second, restoring the stock configuration is just a matter of deleting our copy from the first directory; there is no need to back up the original before editing, as with much other software, and no risk of forgetting which backup is the right one months later.

This configuration mode did not originate with firewalld and is used in many other places. Java's logback logging library, for example, first looks for logback-test.xml on the classpath, then for logback.xml, and if neither is found uses the default configuration bundled in its jar. That is very convenient: we can keep both files, use logback-test.xml on the development machine, and simply delete it when deploying to the server. Many other products use the same pattern, including several Spring sub-frameworks; Spring MVC, for instance, falls back to default component configuration when none is given. Spring MVC is not our topic here, so I will not go further; see "Spring MVC: source code analysis and practice" for details.

Configuration file structure

The configuration file structure of firewalld is very simple: two files and three directories.

Files: firewalld.conf, lockdown-whitelist.xml

Directories: zones, services, icmptypes

In addition, if direct rules are used there is a direct.xml file. Note that the directory holding the stock configuration, /usr/lib/firewalld/, contains only the three directories named here; there is no firewalld.conf, lockdown-whitelist.xml or direct.xml in it. Those three files exist only under /etc/firewalld/.

The roles of these files and directories are as follows.

  • firewalld.conf: the main configuration file of firewalld. It is in key=value format and is very simple; on CentOS 7 it has only five settings (later firewalld releases add a few more keys, such as LogDenied, so check the copy on your system).

    • DefaultZone: the default zone. Zones are explained below. The default value is public;

    • MinimalMark: the lowest packet mark that firewalld uses for its own rules. The kernel can attach a mark to each packet so that later rules can distinguish it, and firewalld uses marks for some of its own rules. The default value is 100 and normally does not need changing. If you set marks of your own (in direct rules, for example), keep them below MinimalMark; so if you need to mark certain packets with 123, raise MinimalMark above 123 to avoid a collision;

    • CleanupOnExit: self-explanatory; whether firewall rules are removed when firewalld exits. The default value is yes;

    • Lockdown: this option concerns the D-Bus interface to firewalld. firewalld allows other programs to change the firewall directly through D-Bus; when Lockdown is yes, the lockdown-whitelist.xml file restricts which programs (and users and SELinux contexts) may do so, and when it is no there is no restriction. The default value is no;

    • IPv6_rpfilter: reverse-path filtering for IPv6 only; for IPv4 the equivalent is the rp_filter sysctl. It checks whether a packet's source address is plausible: if, according to the routing table, a reply to that source would not leave through the interface the packet arrived on, the packet is treated as spoofed and dropped. Search for uRPF for details. The default value is yes.

  • lockdown-whitelist.xml: when Lockdown is yes, lists the programs allowed to operate firewalld through the D-Bus interface.

  • direct.xml: holds raw netfilter rules passed straight through, which is handy for users who know iptables well and offers a migration path from existing iptables rule sets to firewalld.

  • zones: holds the zone configuration files.

  • services: holds the service configuration files.

  • icmptypes: holds the configuration files describing ICMP types.

 

The most basic and important concept for using firewalld is the zone, yet it is often only vaguely understood. I will explain below what a zone really is.

Zone

firewalld ships nine zone configuration files by default: block.xml, dmz.xml, drop.xml, external.xml, home.xml, internal.xml, public.xml, trusted.xml and work.xml, all stored in /usr/lib/firewalld/zones/. How do these zones relate to each other, and which scenario is each meant for?

To answer that we first need the essential meaning of a zone. When I introduced firewalls in the previous section I compared the firewall to a gatekeeper who decides, according to rules, whether a visitor is let in. A zone is simply one such set of rules, one complete decision scheme.

This is easy to grasp: the nine zones above are nine schemes, and what defines each one is the content of its XML file, not the file name, so there is no need to dwell on the meaning of each zone name. For example, the trusted zone trusts all packets, that is, everything is let through, while the public zone allows only the services configured in it and rejects everything else. If we swapped the contents of the two files, their behaviour would swap too: the public zone would then allow all packets. Let's look at the two files.

public.xml

<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
</zone>

trusted.xml

<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
</zone>

Note that in trusted.xml the zone's target is set to ACCEPT, so every packet is allowed, whereas the zone in public.xml has no target attribute and therefore uses the default target, which rejects whatever is not explicitly allowed (firewalld answers such packets with an ICMP host-prohibited rejection rather than silently dropping them; a zone with target="DROP" drops them). So the public zone (this scheme) lets through only the configured services.

You can open the XML files of the other zones yourself; I will not go through them one by one. The detailed structure and meaning of the zone configuration file will be explained later. Next I will introduce the service in firewalld.

Service

The service is another very important concept in firewalld, but its meaning is very simple. Staying with the gatekeeper analogy: in the iptables era, when we gave the gatekeeper rules we had to say "let everyone going to building 22 through" and "let everyone going to building 80 through". In the firewalld era we can instead say "let everyone visiting the sales department through"; the gatekeeper looks up that the sales department is in building 80 and admits all visitors to building 80. The building number corresponds to the port number and the department name to the service name, which is all a service really is.

Configuring by service name instead of port number has two main advantages: first, the configuration is self-explanatory and less error-prone; second, when a service's port changes you only edit the corresponding service file, not the firewall scheme (the zone). This is the same idea as DNS mapping domain names to IP addresses. Next, the service configuration file.

Service configuration files are named <service name>.xml: the ssh service is described by ssh.xml, the http service by http.xml, and so on. They are stored in /usr/lib/firewalld/services/ by default, and common services can be found there. To modify a service, copy its file to /etc/firewalld/services/ and edit the copy; to restore the default, delete the copy. Let's look at ssh.xml for the ssh service.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>Secure Shell (SSH) is a protocol for logging into and executing commands on remote machines. It provides secure encrypted communications. If you plan on accessing your machine remotely via SSH over a firewalled interface, enable this option. You need the openssh-server package installed for this option to be useful.</description>
  <port protocol="tcp" port="22"/>
</service>

As you can see, it configures TCP port 22, so once the ssh service is added to the zone in use (public by default), TCP port 22 is opened. To move ssh to port 222, copy ssh.xml to /etc/firewalld/services/ and change the port number there to 222, then run firewall-cmd --reload so firewalld picks up the edited file. You could edit the file in /usr/lib/firewalld/services/ directly, but for the reasons given above we strongly advise against it. Keep in mind that the service file only tells the firewall which port to open: sshd must also be told to listen on 222 in sshd_config, and with SELinux enforcing the new port must be labelled (semanage port -a -t ssh_port_t -p tcp 222), otherwise sshd will not be allowed to bind it.

Once the principle is understood it can be applied flexibly. For example, copy /usr/lib/firewalld/services/ssh.xml to /etc/firewalld/services/abc.xml and add the abc service to the zone in use: port 22 is opened all the same. In other words, a service listed in a zone has no direct link to any actual daemon; it only stands for the content of the service file with that name.
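Since the two-directory lookup, the zone target and the service-to-port mapping are all driven by the files shown above, they can be resolved without firewalld running. The script below is an added example, not code from the article or from the firewalld project: it builds a small constructed copy of /etc/firewalld and /usr/lib/firewalld in a temporary directory (the file contents are the ones quoted above, plus a local ssh.xml override on port 222), applies the lookup rule, reads firewalld.conf for the default zone, and reports what that zone effectively opens and which services have a local override. Pass the real /etc/firewalld and /usr/lib/firewalld paths to audit a CentOS 7 host the same way. The function and file names are the author's own choices for the example.

```python
"""Resolve what a firewalld zone actually opens, straight from its XML files.

Added example; not code from the article or from firewalld itself. It
re-implements the lookup rule described above (a file in /etc/firewalld
shadows the same file in /usr/lib/firewalld), reads the zone's target and
its <service> entries, and maps each service to the ports in whichever
service file wins the lookup.
"""
import os
import tempfile
import xml.etree.ElementTree as ET

# The five keys listed in the article, with the defaults it gives.
DEFAULT_CONF = {"DefaultZone": "public", "MinimalMark": "100",
                "CleanupOnExit": "yes", "Lockdown": "no", "IPv6_rpfilter": "yes"}


def load_conf(etc_dir):
    """Parse key=value firewalld.conf; keys that are absent keep their defaults."""
    conf = dict(DEFAULT_CONF)
    path = os.path.join(etc_dir, "firewalld.conf")
    if os.path.exists(path):
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if line and not line.startswith("#") and "=" in line:
                    key, _, value = line.partition("=")
                    conf[key.strip()] = value.strip()
    return conf


def lookup(kind, name, etc_dir, lib_dir):
    """Two-directory rule: /etc/firewalld first, /usr/lib/firewalld second."""
    for base in (etc_dir, lib_dir):
        path = os.path.join(base, kind, name + ".xml")
        if os.path.exists(path):
            return path
    raise FileNotFoundError("%s/%s.xml in neither %s nor %s" % (kind, name, etc_dir, lib_dir))


def service_ports(name, etc_dir, lib_dir):
    """(protocol, port) pairs a service name stands for, from the winning <name>.xml."""
    root = ET.parse(lookup("services", name, etc_dir, lib_dir)).getroot()
    return [(p.get("protocol"), p.get("port")) for p in root.findall("port")]


def zone_policy(zone, etc_dir, lib_dir):
    """Return (target, {service: [(proto, port), ...]}) for a zone.

    A <zone> without a target attribute uses the 'default' target, which
    rejects anything not matched by a listed service; target="ACCEPT"
    (the trusted zone) lets everything through regardless of services.
    """
    root = ET.parse(lookup("zones", zone, etc_dir, lib_dir)).getroot()
    target = root.get("target", "default")
    opened = {s.get("name"): service_ports(s.get("name"), etc_dir, lib_dir)
              for s in root.findall("service")}
    return target, opened


def build_sample_tree(base):
    """Constructed sample tree for the demo (not copied from a real host)."""
    xml = '<?xml version="1.0" encoding="utf-8"?>'
    files = {
        "usr/lib/firewalld/zones/public.xml":
            xml + '<zone><short>Public</short><service name="ssh"/>'
                  '<service name="dhcpv6-client"/></zone>',
        "usr/lib/firewalld/zones/trusted.xml":
            xml + '<zone target="ACCEPT"><short>Trusted</short></zone>',
        "usr/lib/firewalld/services/ssh.xml":
            xml + '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
        "usr/lib/firewalld/services/dhcpv6-client.xml":
            xml + '<service><short>DHCPv6 Client</short>'
                  '<port protocol="udp" port="546"/><destination ipv6="fe80::/64"/></service>',
        # Local override, done the way the article recommends: a copy of
        # ssh.xml under /etc/firewalld with the port changed to 222.
        "etc/firewalld/services/ssh.xml":
            xml + '<service><short>SSH</short><port protocol="tcp" port="222"/></service>',
        "etc/firewalld/firewalld.conf": "# constructed sample\nDefaultZone=public\n",
    }
    for rel, content in files.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return os.path.join(base, "etc/firewalld"), os.path.join(base, "usr/lib/firewalld")


def audit(etc_dir=None, lib_dir=None):
    """Effective policy of the default zone, plus which services are locally overridden."""
    if etc_dir is None or lib_dir is None:
        etc_dir, lib_dir = build_sample_tree(tempfile.mkdtemp(prefix="firewalld-demo-"))
    zone = load_conf(etc_dir)["DefaultZone"]
    target, services = zone_policy(zone, etc_dir, lib_dir)
    overridden = sorted(name for name in services
                        if lookup("services", name, etc_dir, lib_dir).startswith(etc_dir))
    return {"zone": zone, "target": target, "services": services,
            "overridden": overridden, "etc": etc_dir, "lib": lib_dir}


if __name__ == "__main__":
    report = audit()   # or audit("/etc/firewalld", "/usr/lib/firewalld") on a real host
    print("zone %s (target=%s)" % (report["zone"], report["target"]))
    for name, ports in report["services"].items():
        flag = " [overridden in /etc]" if name in report["overridden"] else ""
        print("  %-14s %s%s" % (name, ", ".join("%s/%s" % (pr, po) for pr, po in ports), flag))
```

Run against the constructed tree, the report shows the public zone with the default (reject) target, ssh resolving to tcp/222 because the copy under /etc/firewalld wins the lookup, and dhcpv6-client resolving to udp/546 from the stock file. The "overridden" list is the useful audit output on a real host: it is exactly the set of service definitions that no longer match what the package shipped.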

Configuration method

firewalld can be configured in three ways: with firewall-config, with firewall-cmd, or by editing the XML files directly. firewall-config is a graphical tool and firewall-cmd a command-line tool; on Linux the command line is the more usual way of working, so firewall-config will not be covered here. The specific configuration methods are introduced in the next section.

References https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html
