A daily note: Linux New firewall firewalld dynamic Firewall Manager service simple exploration

FIREWALLD Dynamic Firewall Manager service (Firewall Manager of Linux Systems) is currently the default firewall management tool, with a command line terminal and graphical interface configuration tool, Even unfamiliar with Linux commands can get you started quickly. Compared to the traditional firewall management tools also support the dynamic new technology and added the concept of "zone zone", simply to prepare the user a few sets of firewall policy set (policy template), and then according to the different production scenarios and choose the appropriate set of policies, to achieve a rapid switch between firewall policies.

The common zone area names and applications are as follows (public by default):
Zone name Default Rule policy
Trusted all packets are allowed.
Home rejects incoming traffic unless it is related to outgoing traffic, and if traffic is related to SSH, MDNs, ipp-client, samba-client and dhcpv6-client services, traffic is allowed
Internal equivalent to the home area
Work rejects incoming traffic unless it relates to outgoing traffic, and if traffic is related to SSH, ipp-client, and dhcpv6-client services, traffic is allowed
Public rejects incoming traffic unless it is related to outgoing traffic, and if traffic is related to SSH, dhcpv6-client services, traffic is allowed
External rejects incoming traffic unless it is related to outgoing traffic, and if traffic is related to the SSH service, traffic is allowed
The DMZ rejects incoming traffic unless it is related to outgoing traffic, and traffic is allowed if the traffic is related to the SSH service
Block to reject incoming traffic unless it is related to outgoing traffic
Drop rejects incoming traffic unless it is related to outgoing traffic

Terminal management tool: The Firewall-cmd command is a command-line terminal for the FIREWALLD Dynamic Firewall Manager service
Parameters (Support tab completion) effect
--get-default-zone queries the default (current) zone name.
--set-default-zone=< Zone name > set the default zone for permanent entry.
--get-zones displays the available areas.
--get-services displays pre-defined services.
--get-active-zones displays the name of the zone and network card that is currently in use.
--query-service= queries whether to allow traffic for a service, followed by services such as SSH, HTTPS, etc.
--get-zone-of-interface= Query the current network card in the Firewalld service area, followed by the network card name
--add-source= the traffic that originates from this IP or subnet to the specified region.
--remove-source= no longer directs traffic for this IP or subnet to a specified area.
--add-interface=< network card name > All traffic from this network card is directed to a specified area.
--change-interface=< Network card name > Associate a network card with the zone.
--list-all displays information such as network adapter configuration parameters, resources, ports, and services for the current zone.
--list-all-zones Displays network adapter configuration parameters, resources, ports, and service information for all areas.
--list-ports display ports configured with traffic policies
--add-service=< Service Name > set the default zone to allow traffic for the service.
--add-port=< port number/protocol > set the default zone to allow traffic for that port. Agreement represents TCP\UDP\ICMP
--remove-service=< Service Name > set the default zone no longer allows traffic for that service.
--remove-port=< port number/protocol > setting the default zone no longer allows traffic to that port
--reload allow "permanent" configuration rules to take effect immediately and overwrite current configuration rules
--panic-on Open Emergency Mode
--panic-off closing the emergency condition mode
--zone= Add the zone parameter, followed by the area. Example:--zone=public

The configuration of the FIREWALLD service to the firewall policy defaults to the current active mode (RunTime), and the configuration information is invalidated as the computer restarts, and if you want the configured policy to persist, use the permanent Active mode (Permanent). The method is to add the--permanent parameter to the normal command to represent the command for the perpetual effective mode, but a policy set using the persistent mode requires a reboot to automatically take effect, and if you want the configured policy to take effect immediately, you need to manually execute the following command:
[Email protected] ~]# Firewall-cmd--reload
Example: View the area currently used by the FIREWALLD service
Firewall-cmd--get-default-zone
Querying the area of the eno16777728 NIC in the FIREWALLD service
Firewall-cmd--get-zone-of-interface=eno16777728
Modify the default zone of the eno16777728 NIC in the FIREWALLD service to external and take effect after the system restarts, viewing the name of the zone in the current and persistent mode, respectively:
Firewall-cmd--permanent--zone=external--change-interface=eno16777728
Firewall-cmd--get-zone-of-interface=eno16777728
Firewall-cmd--permanent--get-zone-of-interface=eno16777728
Set the current default zone of the FIREWALLD service to public:
Firewall-cmd--set-default-zone=public
Start/Turn off the emergency mode of FIREWALLD Firewall service, block all network connections (use caution when remote control server)
Firewall-cmd--panic-on
Firewall-cmd--panic-off
Query whether the public zone allows traffic to request SSH and HTTPS protocols
Firewall-cmd--zone=public--query-service=ssh
Firewall-cmd--zone=public--query-service=https
Set the traffic that requests the HTTPS protocol in the FIREWALLD service to be allowed permanently and take effect immediately:
Firewall-cmd--zone=public--add-service=https
Firewall-cmd--permanent--zone=public--add-service=https
Firewall-cmd--reload
Set the traffic for the request HTTP protocol in the FIREWALLD service to permanent rejection and take effect immediately:
Firewall-cmd--permanent--zone=public--remove-service=http
Firewall-cmd--reload
The traffic policy that accesses 8080 and 8081 ports in the FIREWALLD service is set to allow, but is only currently in effect:
? firewall-cmd--zone=public--add-port=8080-8081/tcp
Firewall-cmd--zone=public--list-ports 8080-8081/tcp

Start/Turn off the emergency mode of the FIREWALLD Firewall service, blocking all network connections (use caution when remotely controlling the server). ）：
Firewall-cmd--panic-on
Firewall-cmd--panic-off

Traffic forwarding command format: firewall-cmd--permanent--zone=< Zone >--add-forward-port=port=< Source port number >:p roto=< protocol >:toport= < destination port number >:toaddr=< Destination IP address >
For example: The original access to the 888 port of the traffic to the 22 port, and for the current and long-term effective:
Firewall-cmd--permanent--zone=public--add-forward-port=port=888:proto=tcp:toport=22
: toaddr=192.168.10.10
Firewall-cmd--reload
The client attempts to access the 888 port of the 192.168.10.10 host by using the SSH command:
Ssh-p 888 192.168.10.10 can be successfully connected with SSH, stating that forwarding to Port 22 succeeded

The rich rule in firewalld represents a more granular and detailed firewall policy configuration, which can be configured for more positive policies on a wide range of information, such as system services, port numbers, source addresses, and destination addresses. Its priority is also the highest in all firewall policies.
Example: Configure a rich rule that denies all users of the 192.168.10.0/24 network segment access to the native SSH service (port 22)
Firewall-cmd--permanent--zone=public--add-rich-rule= "rule family=" IPv4 "source address=" 192.168.10.0/24 "service Name= "ssh" reject "
Firewall-cmd--reload
Subsequent use of SSH connection will fail
Parameter--add-rich-rule= "" means adding rich rules

The Firewall-config command is a graphical tool for managing FIREWALLD Firewall policies:
Firewall-config Graphical management tool after configuring the policy, do not need to click the Save or Complete button, as long as the content of the tool will be automatically saved.

In the Options menu, click the reload FIREWALLD command to have the configured firewall policy take effect immediately; This is the same as performing the--reload parameter on the command line

Snat Source Address Translation Protocol is a technology protocol designed to solve the problem of resource scarcity of IP address, and SNAT technology can enable multiple intranet users to surf the internet via an extranet IP address.

The iptables command implements SNAT technology: under the masquerading option in the Firewall-config Graphics Configuration tool
Masquerade Zone is open snat, check to

A daily note: Linux New firewall firewalld dynamic Firewall Manager service simple exploration