CentOS 7 firewalld: configuration and usage in detail

Source: Internet
Author: User
Tags: configuration, settings, manual, require, ssh, iptables
firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections and interfaces. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridging, and it keeps a runtime configuration separate from a permanent one. It also offers an interface through which services or applications can add firewall rules directly. The earlier system-config-firewall/lokkit model was static: every change required a complete firewall restart, which meant unloading the kernel netfilter modules and loading the modules needed by the new configuration. Unloading the modules destroys the firewall's state tables and with them all established connections.
The firewall daemon, by contrast, manages the firewall dynamically and applies changes without restarting the whole firewall, so there is no need to reload the kernel firewall modules. The price is that every change must go through the daemon, so that the daemon's view stays consistent with the rules in the kernel; the daemon cannot understand rules that were added behind its back with the ip*tables and ebtables command-line tools.
The daemon publishes the currently active firewall settings over D-Bus and accepts changes over D-Bus, with PolicyKit used for authentication.

Daemon

Applications, daemons and users can request a firewall feature over D-Bus. A feature can be a predefined firewall element such as a service, a combination of ports and protocols, port/packet forwarding, masquerading, ICMP blocking, or a custom rule. A feature can be enabled for a limited time and disabled again afterwards.

Through the so-called direct interface, other services (such as libvirt) can add their own rules by passing iptables arguments and parameters through the daemon.
The netfilter connection-tracking helper modules for Amanda, FTP, Samba and TFTP are also handled by the daemon, as long as they are part of a predefined service. Loading additional helpers is not part of the current interface, because some helpers can only be loaded once all connections handled by that module are closed; the daemon therefore has to track connection information and take it into account.

The static firewall (system-config-firewall/lokkit)

The static firewall model using system-config-firewall and lokkit remains available and will continue to be provided, but it cannot be used at the same time as the daemon. The user or administrator decides which model to use.

A selector appears when the software is installed, first started, or first connected to a network, and lets you choose the firewall model. The other model stays intact and can be enabled by switching over.
firewalld and system-config-firewall are independent of each other, but they cannot be used at the same time.

Static firewall rules with iptables and ip6tables

If you want to use your own static iptables and ip6tables rules, install iptables-services, disable firewalld, and enable the iptables and ip6tables services:

yum install iptables-services
systemctl mask firewalld.service
systemctl enable iptables.service
systemctl enable ip6tables.service

The static rule files are /etc/sysconfig/iptables and /etc/sysconfig/ip6tables.
Note: the iptables and iptables-services packages do not ship firewall rules for the services described on this page. They exist for compatibility and for people who want to write their own rules. You can install system-config-firewall to generate the rules for those services, but firewalld must be stopped before system-config-firewall can be used.
After creating the rules and stopping firewalld, start the iptables and ip6tables services. If you do this over an SSH session, make sure the static rule set allows your SSH port first, or you will lock yourself out:

systemctl stop firewalld.service
systemctl start iptables.service
systemctl start ip6tables.service
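As an added example (not code from the original page or from the iptables-services package), here is a small POSIX shell function that generates a stateful, default-deny IPv4 rule set in the iptables-save format that /etc/sysconfig/iptables expects. Only the TCP ports given as arguments are opened; the loopback, conntrack, ICMP and rate-limited logging rules are my own choices, not something the page prescribes.

```shell
#!/bin/sh
# Added example: emit a stateful, default-deny IPv4 rule set in the
# iptables-save format that /etc/sysconfig/iptables expects.
# Assumptions (not from the original page): the allowed TCP ports are the
# arguments; loopback, ICMP and replies to established connections are
# accepted; everything else is logged at a low rate and rejected.

gen_static_iptables() {
    # validate all ports first so that a bad argument produces no partial output
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "port out of range: $port" >&2; return 1
        fi
    done
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    # loopback and connection-tracking rules come first because they match most traffic
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' '-A INPUT -p icmp -j ACCEPT'
    # one ACCEPT per allowed port, limited to new connections
    for port in "$@"; do
        printf '%s\n' "-A INPUT -p tcp -m conntrack --ctstate NEW --dport $port -j ACCEPT"
    done
    # log a sample of what is refused, then reject (the same behaviour as firewalld's block zone)
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables-reject: "'
    printf '%s\n' '-A INPUT -j REJECT --reject-with icmp-host-prohibited'
    printf '%s\n' 'COMMIT'
}

# Usage on the host: sh gen-iptables.sh 22 80 443 > /etc/sysconfig/iptables
if [ "$#" -gt 0 ]; then gen_static_iptables "$@"; fi
```

Before restarting iptables.service, check the generated file with `iptables-restore --test < /etc/sysconfig/iptables` so a syntax error does not leave the host without rules.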

What is a zone?

A network zone defines the trust level of a network connection. This is a one-to-many relationship: a connection can belong to only one zone, while a zone can be used by many connections.

Predefined services

A service is a combination of ports and/or protocols, optionally accompanied by netfilter helper modules and by destination IPv4/IPv6 addresses.

Ports and protocols

A TCP or UDP port, given either as a single port or as a port range.

ICMP blocking

Selected Internet Control Message Protocol (ICMP) messages can be blocked. These messages are either information requests, replies to such requests, or error reports.

Masquerading

Private network addresses are mapped to a public IP address. This is a form of network address translation.

Port forwarding

Ports can be mapped to another port and/or to another host.

Which zones are available?

The zones provided by firewalld, ordered from least to most trusted:

drop

Any incoming packet is dropped without a reply. Only outgoing connections are possible.

block

Any incoming connection is rejected with an icmp-host-prohibited message for IPv4 or an icmp6-adm-prohibited message for IPv6. Only connections initiated from this system are possible.

public

For use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

external

For use on external networks with masquerading enabled, for example on a router. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

dmz

For computers in your demilitarized zone (DMZ) that are publicly accessible but have limited access to your internal network. Only selected incoming connections are accepted.

work

For use in work areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

home

For use in home areas. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

internal

For use on internal networks. You mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

trusted

All network connections are accepted.

Which zone should I choose?

A public Wi-Fi connection, for example, should be treated as untrusted, whereas a wired home network can be fairly trusted. Choose the zone that best matches the network you are using.

How do I configure or add zones?

You can configure or add zones, and modify their configuration, with any of the firewalld configuration tools: the graphical tool firewall-config, the command-line tool firewall-cmd, or the D-Bus interface. Alternatively, create or copy zone files in the configuration directories: /usr/lib/firewalld/zones holds the default and fallback configurations, and /etc/firewalld/zones holds user-created and customized ones.
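As an added example (not code from the original page or from firewalld), here is a POSIX shell function that writes a custom zone file into a directory of your choice. The zone name, the target directory, the description, and the space-separated service, port (port/protocol) and source-network lists are all supplied by the caller; the XML elements are those of the zone file format, and the validation rules are my assumptions.

```shell
#!/bin/sh
# Added example: write a custom zone file into a firewalld zone directory.
# Assumptions (not from the original page): the caller supplies the zone
# name, the directory, a description (plain text, no XML metacharacters),
# and space-separated lists of services, ports (N/tcp or N/udp) and
# source networks. Traffic that matches no service or port falls through
# to the zone's default (reject) behaviour.

write_zone_file() {
    name=$1; dir=$2; desc=$3; services=$4; ports=$5; sources=$6
    case "$name" in
        ''|*[!A-Za-z0-9_-]*) echo "bad zone name: $name" >&2; return 1 ;;
    esac
    for p in $ports; do
        case "$p" in
            */tcp|*/udp) ;;
            *) echo "port must be N/tcp or N/udp: $p" >&2; return 1 ;;
        esac
        case "${p%/*}" in
            ''|*[!0-9-]*) echo "bad port number: $p" >&2; return 1 ;;
        esac
    done
    file="$dir/$name.xml"
    {
        printf '%s\n' '<?xml version="1.0" encoding="utf-8"?>'
        printf '%s\n' '<zone>'
        printf '  <short>%s</short>\n' "$name"
        printf '  <description>%s</description>\n' "$desc"
        for s in $services; do printf '  <service name="%s"/>\n' "$s"; done
        for p in $ports; do printf '  <port port="%s" protocol="%s"/>\n' "${p%/*}" "${p#*/}"; done
        # <source> binds the zone to these networks; without a source or an
        # interface bound to it, a zone is defined but never active
        for src in $sources; do printf '  <source address="%s"/>\n' "$src"; done
        printf '%s\n' '</zone>'
    } > "$file" || return 1
    printf '%s\n' "$file"
}

# Usage on the host (as root):
#   sh make-zone.sh  ->  write_zone_file mgmt /etc/firewalld/zones "Management net" "ssh" "8443/tcp" "10.0.0.0/24"
# then: firewall-cmd --reload && firewall-cmd --zone=mgmt --list-all
```

After writing the file into /etc/firewalld/zones, a `firewall-cmd --reload` makes the zone known; the sources in the file are what bind it to traffic, so check with `firewall-cmd --get-active-zones` that it actually became active.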

How to set or change the zone of a network connection

The zone is stored in the ifcfg file of the network connection as the ZONE= option. If the option is missing or empty, firewalld uses the configured default zone.

If the connection is controlled by NetworkManager, you can also change the zone with nm-connection-editor.

Network connections controlled by NetworkManager

A firewall cannot configure a network connection by the name NetworkManager displays; it can only configure network interfaces. Therefore NetworkManager tells firewalld which network interface corresponds to a connection's configuration file before the connection comes up. If no zone is set in the configuration file, the interface is placed in firewalld's default zone. If the connection uses several interfaces, all of them are reported to firewalld. Interface renames are also handled by NetworkManager and applied to firewalld.

To simplify matters, from here on the network connection is treated as the thing that is bound to a zone.
If an interface is disconnected, NetworkManager also tells firewalld to remove the interface from its zone.
When firewalld is started or restarted by systemd or an init script, firewalld notifies NetworkManager so that it adds the network connections to their zones again.

Networks controlled by network scripts

Connections controlled by the network scripts have a limitation: no daemon tells firewalld to add the connection to a zone. That is done only in the ifcfg-post scripts. Consequently, a later rename of the network connection is not applied to firewalld, and restarting firewalld while a connection is up loses its zone binding. A fix is planned; the simplest option is to add all unassigned connections to the default zone.

A zone defines which firewall features apply to the connections bound to it.

Using firewalld

Firewall features can be enabled or disabled with the graphical tool firewall-config or the command-line client firewall-cmd.

Using firewall-cmd

The command-line tool firewall-cmd supports all firewall features. For state and query options, the command only returns an exit status and prints nothing.

General usage

Get the firewalld state

firewall-cmd --state

This returns the firewalld state as the exit status without printing anything. A readable status can be obtained like this:

firewall-cmd --state && echo "Running" || echo "Not Running"

In Fedora 19 the state output became more readable:

# rpm -qf $(which firewall-cmd)
firewalld-0.3.3-2.fc19.noarch
# firewall-cmd --state
not running

To reload the firewall without losing state information:

firewall-cmd --reload

A reload replaces the runtime configuration with the permanent one, so runtime-only changes that were never made permanent are dropped. With --complete-reload the state information is lost as well; use this option only when troubleshooting the firewall, for example when the state information and the firewall rules look correct but no connection can be established.
Get a list of supported zones

firewall-cmd --get-zones

This prints a space-separated list.

Get all supported services

firewall-cmd --get-services

This prints a space-separated list.

Get all supported ICMP types

firewall-cmd --get-icmptypes

This prints a space-separated list.

List the enabled features of all zones

firewall-cmd --list-all-zones

The output format is:

<zone>
  interfaces: <interface1> ..
  services: <service1> ..
  ports: <port1> ..
  forward-ports: <forward port1> ..
  icmp-blocks: <icmp type1> ..

Print all enabled features of zone <zone>. If the zone is omitted, the default zone is shown.

firewall-cmd [--zone=<zone>] --list-all

Get the default zone

firewall-cmd --get-default-zone

Set the default zone

firewall-cmd --set-default-zone=<zone>

Interfaces that are in the default zone because no zone was configured for them move to the new default zone. Currently active connections are not affected.
Get the active zones

firewall-cmd --get-active-zones

This prints every zone that has interfaces bound to it, in the format:

<zone1>: <interface1> <interface2> ..
<zone2>: <interface3> ..

Get the zone of an interface

firewall-cmd --get-zone-of-interface=<interface>

This prints the name of the zone the interface is bound to.

Add an interface to a zone

firewall-cmd [--zone=<zone>] --add-interface=<interface>

If the interface is not yet bound to a zone, it is added to the given zone; if the zone is omitted, the default zone is used. The binding is applied again after a reload.

Change the zone an interface belongs to

firewall-cmd [--zone=<zone>] --change-interface=<interface>

Like --add-interface, but if the interface is already bound to another zone it is moved to the new zone.

Remove an interface from a zone

firewall-cmd [--zone=<zone>] --remove-interface=<interface>

Query whether an interface is in a zone

firewall-cmd [--zone=<zone>] --query-interface=<interface>

Returns whether the interface is in the zone as the exit status. Nothing is printed.

List the services enabled in a zone

firewall-cmd [--zone=<zone>] --list-services

Enable panic mode to block all network traffic in an emergency

firewall-cmd --panic-on

Panic mode drops all incoming and outgoing packets, including those of your own SSH session, so only enable it from a console you will keep.

Disable panic mode

firewall-cmd --panic-off

The panic mode options changed in version 0.3.0: in firewalld versions before 0.3.0 they were --enable-panic and --disable-panic.

Query panic mode

firewall-cmd --query-panic

This returns the panic mode state as the exit status without printing anything. A readable status can be obtained like this:

firewall-cmd --query-panic && echo "On" || echo "Off"

Working with the runtime zone configuration

Changes made in runtime mode are not permanent; they are lost on reload or reboot.

Enable a service in a zone

firewall-cmd [--zone=<zone>] --add-service=<service> [--timeout=<seconds>]

This enables a service in the zone. If no zone is given, the default zone is used. With a timeout, the service is enabled only for that many seconds. There is no warning if the service is already enabled. A timeout is also a safety net when changing a remote host's firewall: if the change cuts off your session, it is reverted automatically once the timeout expires.

Example: enable the ipp-client service in the home zone for 60 seconds:

firewall-cmd --zone=home --add-service=ipp-client --timeout=60

Example: enable the http service in the default zone:

firewall-cmd --add-service=http

Disable a service in a zone

firewall-cmd [--zone=<zone>] --remove-service=<service>

This disables a service in the zone. If no zone is given, the default zone is used.

Example: disable the http service in the home zone:

firewall-cmd --zone=home --remove-service=http

The service is disabled in the zone. There is no warning if the service was not enabled.

Query whether a service is enabled in a zone

firewall-cmd [--zone=<zone>] --query-service=<service>

Exits with status 0 if the service is enabled and 1 if it is not. Nothing is printed.

Enable a port and protocol combination in a zone

firewall-cmd [--zone=<zone>] --add-port=<port>[-<port>]/<protocol> [--timeout=<seconds>]

This enables a port and protocol combination. The port can be a single port <port> or a range <port>-<port>. The protocol is tcp or udp.

Disable a port and protocol combination in a zone

firewall-cmd [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>

Query whether a port and protocol combination is enabled in a zone

firewall-cmd [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

Exits with status 0 if enabled and 1 if not. Nothing is printed.

Enable IP masquerading in a zone

firewall-cmd [--zone=<zone>] --add-masquerade

This enables masquerading for the zone: private network addresses are hidden behind and mapped to a public IP address. This is a form of address translation mostly used on routers. Because of kernel limitations, masquerading is only available for IPv4.

Disable IP masquerading in a zone

firewall-cmd [--zone=<zone>] --remove-masquerade

Query the masquerading state of a zone

firewall-cmd [--zone=<zone>] --query-masquerade

Exits with status 0 if enabled and 1 if not. Nothing is printed.

Enable ICMP blocking in a zone

firewall-cmd [--zone=<zone>] --add-icmp-block=<icmptype>

This blocks the selected Internet Control Message Protocol (ICMP) message type. ICMP messages are either requests, replies to requests, or error reports.

Disable ICMP blocking in a zone

firewall-cmd [--zone=<zone>] --remove-icmp-block=<icmptype>

Query ICMP blocking in a zone

firewall-cmd [--zone=<zone>] --query-icmp-block=<icmptype>

Exits with status 0 if enabled and 1 if not. Nothing is printed.

Example: block echo replies in the public zone:

firewall-cmd --zone=public --add-icmp-block=echo-reply

Enable port forwarding or mapping in a zone

firewall-cmd [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

A port can be mapped to the same port on another host, or to a different port on the same host or on another host. The port can be a single port <port> or a range <port>-<port>. The protocol is tcp or udp. The destination port can be a port <port> or a range <port>-<port>. The destination address is an IPv4 address. Because of kernel limitations, port forwarding is only available for IPv4. Forwarding to another host (toaddr) additionally requires masquerading to be enabled in the zone.

Disable port forwarding or mapping in a zone

firewall-cmd [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

Query port forwarding or mapping in a zone

firewall-cmd [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

Exits with status 0 if enabled and 1 if not. Nothing is printed.

Example: forward ssh in the home zone to 127.0.0.2

firewall-cmd --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
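As an added example (not code from the original page or from firewalld), here is a POSIX shell validator for the forward-port specification used above. It checks the port and toport ranges, the protocol, the IPv4 target address, and that at least one of toport/toaddr is present; the four keys are the ones documented above, and treating any other key as an error is my assumption.

```shell
#!/bin/sh
# Added example: validate a --add-forward-port specification
# (port=<port>[-<port>]:proto=<protocol>[:toport=...][:toaddr=...])
# before handing it to firewall-cmd.
# Assumptions (not from the original page): only the keys port, proto,
# toport and toaddr exist; toaddr must be a dotted-quad IPv4 address,
# since the page states that forwarding is IPv4-only.

# "22" or "6000-6010"; returns 0 when the number(s) are in range and ordered
valid_port_spec() {
    case "$1" in
        *-*) lo=${1%%-*}; hi=${1#*-} ;;
        *)   lo=$1; hi=$1 ;;
    esac
    [ -n "$lo" ] && [ -n "$hi" ] || return 1
    case "$lo$hi" in *[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# dotted-quad IPv4 only; empty octets and values above 255 are rejected
valid_ipv4() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# check_forward_spec SPEC: exit 0 if SPEC is acceptable, 1 with a reason on stderr otherwise
check_forward_spec() {
    port=''; proto=''; toport=''; toaddr=''
    old_ifs=$IFS; IFS=:
    for kv in $1; do
        case "$kv" in
            port=*)   port=${kv#port=} ;;
            proto=*)  proto=${kv#proto=} ;;
            toport=*) toport=${kv#toport=} ;;
            toaddr=*) toaddr=${kv#toaddr=} ;;
            *) IFS=$old_ifs; echo "unknown key: $kv" >&2; return 1 ;;
        esac
    done
    IFS=$old_ifs
    valid_port_spec "$port" || { echo "bad port: $port" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "bad proto: $proto" >&2; return 1 ;; esac
    [ -n "$toport$toaddr" ] || { echo "need toport and/or toaddr" >&2; return 1; }
    [ -z "$toport" ] || valid_port_spec "$toport" || { echo "bad toport: $toport" >&2; return 1; }
    [ -z "$toaddr" ] || valid_ipv4 "$toaddr" || { echo "bad toaddr: $toaddr" >&2; return 1; }
    # forwarding to another host only works once masquerading is enabled in the zone
    [ -z "$toaddr" ] || echo "note: toaddr is set, the zone also needs --add-masquerade" >&2
}

# Usage: sh check-fwd.sh "port=22:proto=tcp:toaddr=127.0.0.2" && firewall-cmd --zone=home --add-forward-port="$1"
if [ "$#" -eq 1 ]; then check_forward_spec "$1"; fi
```

Run the check first and only call firewall-cmd when it succeeds; a rejected specification gives a short reason on stderr instead of a rule that is silently wrong.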

Working with the permanent zone configuration

Permanent options do not directly affect the runtime state; they take effect when the service is reloaded or restarted. To change both the runtime and the permanent configuration, run the command twice, once with and once without --permanent. The --permanent option must be the first argument of a permanent command.

Get the services supported in the permanent configuration

firewall-cmd --permanent --get-services

Get the ICMP types supported in the permanent configuration

firewall-cmd --permanent --get-icmptypes

Get the zones supported in the permanent configuration

firewall-cmd --permanent --get-zones

Enable a service in a zone

firewall-cmd --permanent [--zone=<zone>] --add-service=<service>

This permanently enables a service in the zone. If no zone is given, the default zone is used.

Disable a service in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-service=<service>

Query whether a service is enabled in a zone

firewall-cmd --permanent [--zone=<zone>] --query-service=<service>

Exits with status 0 if the service is enabled and 1 if it is not. Nothing is printed.

Example: permanently enable the ipp-client service in the home zone

firewall-cmd --permanent --zone=home --add-service=ipp-client

Permanently enable a port and protocol combination in a zone

firewall-cmd --permanent [--zone=<zone>] --add-port=<port>[-<port>]/<protocol>

Permanently disable a port and protocol combination in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-port=<port>[-<port>]/<protocol>

Query whether a port and protocol combination is permanently enabled in a zone

firewall-cmd --permanent [--zone=<zone>] --query-port=<port>[-<port>]/<protocol>

Exits with status 0 if enabled and 1 if not. Nothing is printed.

Example: permanently enable the HTTPS port (TCP 443) in the home zone

firewall-cmd --permanent --zone=home --add-port=443/tcp

Permanently enable masquerading in a zone

firewall-cmd --permanent [--zone=<zone>] --add-masquerade

This enables masquerading for the zone: private network addresses are hidden behind and mapped to a public IP address. This is a form of address translation mostly used on routers. Because of kernel limitations, masquerading is only available for IPv4.

Permanently disable masquerading in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-masquerade

Query the permanent masquerading state of a zone

firewall-cmd --permanent [--zone=<zone>] --query-masquerade

Exits with status 0 if enabled and 1 if not. Nothing is printed.

Permanently enable ICMP blocking in a zone

firewall-cmd --permanent [--zone=<zone>] --add-icmp-block=<icmptype>

This blocks the selected Internet Control Message Protocol (ICMP) message type. ICMP messages are either requests, replies to requests, or error reports.

Permanently disable ICMP blocking in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-icmp-block=<icmptype>

Query the permanent ICMP blocking state of a zone

firewall-cmd --permanent [--zone=<zone>] --query-icmp-block=<icmptype>

Exits with status 0 if enabled and 1 if not. Nothing is printed.

Example: permanently block echo replies in the public zone:

firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply

Permanently enable port forwarding or mapping in a zone

firewall-cmd --permanent [--zone=<zone>] --add-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

A port can be mapped to the same port on another host, or to a different port on the same host or on another host. The port can be a single port <port> or a range <port>-<port>. The protocol is tcp or udp. The destination port can be a port <port> or a range <port>-<port>. The destination address is an IPv4 address. Because of kernel limitations, port forwarding is only available for IPv4. Forwarding to another host (toaddr) additionally requires masquerading to be enabled in the zone.

Permanently disable port forwarding or mapping in a zone

firewall-cmd --permanent [--zone=<zone>] --remove-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

Query the permanent port forwarding or mapping state of a zone

firewall-cmd --permanent [--zone=<zone>] --query-forward-port=port=<port>[-<port>]:proto=<protocol>{:toport=<port>[-<port>]|:toaddr=<address>|:toport=<port>[-<port>]:toaddr=<address>}

Exits with status 0 if enabled and 1 if not. Nothing is printed.

Example: permanently forward ssh in the home zone to 127.0.0.2

firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=127.0.0.2
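The runtime and permanent sections both rely on the same two facts: a change has to be made twice to cover both configurations, and the --query-* options report only through their exit status. As an added example (not code from the original page or from firewalld) serving both sections, here is an idempotent POSIX shell helper that enables or removes a service in a zone at runtime and permanently, touching only the configuration that is actually out of date. FIREWALL_CMD is an assumed variable so the helper can be pointed at a stub for testing; the real command is firewall-cmd.

```shell
#!/bin/sh
# Added example: apply a service change to both the runtime and the
# permanent configuration of a zone, and only where it is not already
# in place. firewall-cmd's --query-* options print nothing; the exit
# status is the only signal, so every decision below is based on it.
# Assumption (not from the page): FIREWALL_CMD lets a test point this
# helper at a stub instead of the real binary.

FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

fw() { "$FIREWALL_CMD" "$@"; }

# ensure_service ZONE SERVICE
# Enables SERVICE in ZONE now and across reloads/reboots. Prints how many
# of the two configurations had to be changed (0, 1 or 2). Returns
# non-zero if an add failed (unknown service, no permission, daemon down).
ensure_service() {
    zone=$1; svc=$2; changed=0
    if ! fw --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        fw --zone="$zone" --add-service="$svc" >/dev/null || return 1
        changed=$((changed + 1))
    fi
    if ! fw --permanent --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        fw --permanent --zone="$zone" --add-service="$svc" >/dev/null || return 1
        changed=$((changed + 1))
    fi
    echo "$changed"
}

# ensure_service_absent ZONE SERVICE: the inverse, for tightening a zone.
ensure_service_absent() {
    zone=$1; svc=$2; changed=0
    if fw --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        fw --zone="$zone" --remove-service="$svc" >/dev/null || return 1
        changed=$((changed + 1))
    fi
    if fw --permanent --zone="$zone" --query-service="$svc" >/dev/null 2>&1; then
        fw --permanent --zone="$zone" --remove-service="$svc" >/dev/null || return 1
        changed=$((changed + 1))
    fi
    echo "$changed"
}

# Usage on the host (as root):  sh fwensure.sh public http
if [ "$#" -eq 2 ]; then ensure_service "$1" "$2"; fi
```

Because the helper queries before it adds, running it from a configuration-management tool or a cron job is safe: a second run changes nothing and reports 0, and a failure of the runtime add stops it before the permanent configuration is touched.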

Direct options

The direct options are mainly intended for services and applications that add their own rules. These rules are not saved and must be submitted again after a reload or restart. The arguments passed through are the same as for iptables, ip6tables and ebtables.

The --direct option must be the first argument of a direct command.

Pass a command through to the firewall. The arguments <args> are iptables, ip6tables or ebtables command-line arguments.

firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb } <args>

Add a new chain <chain> to table <table>.

firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb } <table> <chain>

Remove chain <chain> from table <table>.

firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb } <table> <chain>

Query whether chain <chain> exists in table <table>. Exits with status 0 if it does and 1 otherwise. Nothing is printed.

firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb } <table> <chain>

Get a space-separated list of the chains in table <table>.

firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb } <table>

Add a rule with arguments <args> to chain <chain> in table <table>, with priority <priority>.

firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>

Remove the rule with arguments <args> and priority <priority> from chain <chain> in table <table>.

firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>

Query whether a rule with arguments <args> and priority <priority> exists in chain <chain> of table <table>. Exits with status 0 if it does and 1 otherwise. Nothing is printed.

firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>

Get all rules that were added to chain <chain> in table <table>, one per line.

firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb } <table> <chain>

Current firewalld features

D-Bus interface

The D-Bus interface provides information about the firewall state and makes it possible to enable, disable and query firewall settings.

Zones

A network or firewall zone defines how much a connection is trusted. firewalld provides several predefined zones. Zone configuration options and the file format are described in the firewalld.zone(5) manual page.

Services

A service can be a list of local ports and destinations plus additional information, or a list of firewall helper modules that are loaded automatically when the service is enabled. Predefined services make it easy to enable and disable access to a service. Service configuration options and the file format are described in the firewalld.service(5) manual page.

ICMP types

The Internet Control Message Protocol (ICMP) is used to exchange information and error messages in the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages. ICMP type configuration options and the file format are described in the firewalld.icmptype(5) manual page.

Direct interface

The direct interface is mainly used by services or applications that add specific firewall rules. These rules are not permanent and must be applied again after firewalld receives a start, restart or reload signal over D-Bus.

Runtime configuration

The runtime configuration is not permanent: it is reset on reload, and it is lost when the system or the service restarts or stops.

Permanent configuration

The permanent configuration is stored in configuration files and is loaded and applied every time the machine restarts or the service restarts or reloads.

Tray applet

The tray applet firewall-applet shows the firewall state and problems to the user. It can also be used to configure the settings that the user is allowed to change.

Graphical configuration tool

The main configuration tool for the firewall daemon is firewall-config. It supports all firewall features except the direct interface that services and applications use to add rules. Administrators can also use it to change system or user policies.

Command-line client

firewall-cmd provides most of the configuration features of the graphical tool on the command line.

ebtables support

ebtables support is needed to fulfil the requirements of the libvirt daemon and to avoid access problems between ip*tables and ebtables at the kernel netfilter level. Because these tools access the same structures, they cannot be used at the same time.

Default/fallback configuration in /usr/lib/firewalld

This directory contains the default and fallback ICMP type, service and zone configurations shipped with firewalld. Do not modify the files provided by the firewalld package: the changes would be reset by the next package update. Additional ICMP types, services and zones can be provided by packages or by creating files.

System configuration in /etc/firewalld

The system or user configuration stored here can be customized by the system administrator through the configuration interfaces or by hand, and it overrides the default configuration files.
To modify a predefined ICMP type, zone or service by hand, copy its file from the default configuration directory into the corresponding system configuration directory and edit it there.
If you load the defaults for an item that has both a default and a customized file, the file under /etc/firewalld is renamed to <file>.old and the default configuration takes effect.

Features under development

Rich language

The rich language provides a high-level way to configure complex IPv4 and IPv6 firewall rules without knowing the iptables syntax.

Fedora 19 ships the second milestone of the rich language feature, with D-Bus and command-line support. The third milestone will also add support in the graphical tool firewall-config.
For more information see: firewalld Rich Language

Lockdown

The lockdown feature adds a simple configuration setting to firewalld that locks down changes by local applications or services. It is a lightweight form of application policy.

Fedora 19 ships the second milestone of the lockdown feature, with D-Bus and command-line support. The third milestone will also add support in the graphical tool firewall-config.
For more information see: firewalld Lockdown

Permanent direct rules

This feature is at an early stage. It will make it possible to save direct rules and direct chains. Passthrough rules are not part of this feature. See the direct options above for more on direct rules.

Migration from the ip*tables and ebtables services

This feature is at an early stage. It will provide a script that translates the iptables, ip6tables and ebtables service configurations into permanent direct rules as far as possible. The feature may have limitations with regard to integration into the direct chains provided by firewalld.
It will require extensive migration testing with complex firewall configurations.

Planning and proposing functions
Firewall abstract Model

Adding an abstraction layer above the Ip*tables and Ebtables firewall rules makes it simpler and more intuitive to add rules. It is not a simple task to have a powerful abstraction layer, but not complex at the same time. To do this, we have to develop a firewall language. The firewall rules have a fixed location to query for general information such as port access status, access policies, and some other possible firewall features.

Support for the Conntrack

To terminate disabled attributes an established connection requires conntrack. However, in some cases terminating the connection may be bad, such as a firewall service that is enabled to establish a continuous external connection for a limited period of time.

User interaction Model

This is a special mode that a user or administrator in the firewall can enable. All requests for the application to change the firewall are directed to the user for confirmation and denial. It is feasible to set a time limit for the authorization of a connection and limit the host, network, or connection to which it is attached. The configuration can be saved so that the same behavior can be applied without notice in the future. Another feature of this pattern is an external link attempt by management and application-initiated requests for preselection services and ports that have the same functionality. Restrictions on services and ports also limit the number of requests sent to the user.

User Policy support

Administrators can specify which users can use user interaction mode and restrict firewall-usable features.

Port Meta Data information (proposed by Lennart Poettering)

It is good to have a single port independent metadata information. The current static allocation model for/ETC/SERVICES ports and protocols is not a good solution, nor does it reflect current usage. The port of the application or service is dynamic, so the port itself does not describe the usage.

Meta data information can be used to make simple rules for firewalls. Here are some examples:
    • Allow external access to file sharing applications or services
    • Allow external access to music sharing applications or services
    • Allow external access to all shared applications or services
    • Allow external access to torrent file sharing applications or services
    • Allow external access to HTTP network services
The metadata here is not limited to specific applications; it can also describe a group of uses. For example, a group for all sharing or a group for file sharing could correspond to all sharing programs or all file-sharing programs (such as torrent file sharing). These are just examples and may not be of practical use.
Here are two possible ways to make metadata information available to a firewall:
The first is to add it to netfilter (kernel space). The advantage is that everyone can use it, but there are limitations: any user- or system-space specific information would have to be implemented at the kernel level as well.
The second is to add it to the firewall daemon. These abstract rules can be combined with specific information such as the trust level of a network connection, a user's description of whom to share with (a specific person or host), or an administrator's prohibition of all sharing.
The benefit of the second solution is that new metadata groups and the changes that come with them (trust level, user preferences, administrator rules, and so on) do not require recompiling the kernel. Adding these abstract rules gives the firewall daemon more freedom; even new security levels can be added easily without updating the kernel.

Sysctld

There are still sysctl settings that are not applied correctly. One example: a problem occurs when rc.sysinit runs while the module that provides the setting is not yet loaded, or when the module is reloaded at startup.
Another example is net.ipv4.ip_forward, which is needed by the firewall settings, by libvirt, and by user or administrator changes. If two applications or daemons turn on ip_forward only while they need it, one of them may turn it off without knowing that the other still needs it, and the other then has to turn it back on.
A sysctl daemon could solve this with an internal reference count per setting: a setting is returned to its previous value, or turned off, only once the last requester has released it.
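The reference-counted behavior described above, as an added example that is not firewalld's or any sysctl daemon's code: a dict stands in for /proc/sys so the example runs offline, and the two requesters are labelled firewalld and libvirt only to mirror the text.

```python
class SysctlRefCount:
    """Reference-counted sysctl settings: the value a setting had before the
    first request is restored only after the last requester releases it."""

    def __init__(self, store):
        self.store = store    # constructed stand-in for /proc/sys (a dict)
        self.holders = {}     # setting -> set of requester names
        self.saved = {}       # setting -> value before the first request

    def acquire(self, key, value, requester):
        if key not in self.holders:
            self.saved[key] = self.store.get(key)   # remember the original
            self.holders[key] = set()
            self.store[key] = value
        elif self.store[key] != value:
            raise ValueError(f"{key} already held at {self.store[key]!r}")
        self.holders[key].add(requester)

    def release(self, key, requester):
        holders = self.holders.get(key, set())
        holders.discard(requester)
        if holders or key not in self.saved:
            return                         # someone still needs the setting
        del self.holders[key]
        previous = self.saved.pop(key)
        if previous is None:               # setting did not exist before
            self.store.pop(key, None)
        else:
            self.store[key] = previous


def uncoordinated_toggle():
    """Failure mode from the text: libvirt's cleanup turns ip_forward off under firewalld."""
    store = {"net.ipv4.ip_forward": "0"}   # constructed initial state
    store["net.ipv4.ip_forward"] = "1"     # firewalld needs forwarding
    store["net.ipv4.ip_forward"] = "1"     # libvirt needs it too
    store["net.ipv4.ip_forward"] = "0"     # libvirt is done, turns it off
    return store["net.ipv4.ip_forward"]    # "0" although firewalld needs "1"


def counted_toggle():
    """The same sequence going through the reference counter."""
    store = {"net.ipv4.ip_forward": "0"}
    mgr = SysctlRefCount(store)
    mgr.acquire("net.ipv4.ip_forward", "1", "firewalld")
    mgr.acquire("net.ipv4.ip_forward", "1", "libvirt")
    mgr.release("net.ipv4.ip_forward", "libvirt")
    while_held = store["net.ipv4.ip_forward"]    # still "1": firewalld holds it
    mgr.release("net.ipv4.ip_forward", "firewalld")
    return while_held, store["net.ipv4.ip_forward"]   # ("1", "0")
```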

Firewall rules

netfilter firewalls are always sensitive to rule order, because a rule has no fixed position in a chain: adding or deleting a rule before it changes its position. In the static firewall model, changing the firewall means rebuilding a clean and complete firewall setup, limited to the features that system-config-firewall/lokkit supports directly. Firewall rules created by other applications are not integrated either; unless the custom rules file feature is used, s-c-fw/lokkit knows nothing about them. In the default chains there is usually no safe way to add or remove rules without affecting other rules.

The dynamic firewall adds extra chains, one per firewall function. These special chains are called in the order in which they are defined, so adding a rule to one of them does not interfere with reject and drop rules that are invoked earlier. This makes it easier to build a more reasonable and complete firewall configuration.
Here are the rules the daemon creates in the filter table when the ssh, mdns, and ipp-client services are enabled in the public zone:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FORWARD_ZONES - [0:0]
:FORWARD_direct - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_ZONES
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -d 224.0.0.251/32 -p udp -m udp --dport 5353 -m conntrack --ctstate NEW -j ACCEPT
-A IN_ZONE_public_allow -p udp -m udp --dport 631 -m conntrack --ctstate NEW -j ACCEPT
The deny/allow model produces clear behavior (ideally without conflicting rules). For example, an ICMP block is placed in the IN_ZONE_public_deny chain (if it is set for the public zone) and is processed before the IN_ZONE_public_allow chain.
The model makes it easy to add or remove rules in one specific block without interfering with the other blocks.
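To make the ordering claim above checkable, here is an added example (not firewalld's code) that parses an iptables-save style dump into chains and walks the jumps from INPUT in the order the kernel evaluates them. The dump is the INPUT path of the listing above plus one constructed rule (-i eth0 into IN_ZONE_public) so that the walk reaches the zone chains; the interface name is an assumption.

```python
# Dump from the text, INPUT path only, plus one constructed -i eth0 zone rule.
DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
:INPUT_direct - [0:0]
:IN_ZONE_public - [0:0]
:IN_ZONE_public_allow - [0:0]
:IN_ZONE_public_deny - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT_ZONES -i eth0 -j IN_ZONE_public
-A IN_ZONE_public -j IN_ZONE_public_deny
-A IN_ZONE_public -j IN_ZONE_public_allow
-A IN_ZONE_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
"""

def parse_chains(dump):
    """Map chain name -> [(match expression, target)] in definition order."""
    chains = {}
    for line in dump.splitlines():
        if line.startswith(":"):                 # chain declaration
            chains[line[1:].split()[0]] = []
        elif line.startswith("-A "):             # append rule to a chain
            _, chain, *rest = line.split()
            j = rest.index("-j")
            chains[chain].append((" ".join(rest[:j]) or "(any)", rest[j + 1]))
    return chains

def evaluation_order(chains, chain="INPUT", depth=0):
    """Flatten jumps into user chains into the order the kernel walks them."""
    order = []
    for match, target in chains[chain]:
        if target in chains:                      # jump into a user chain
            order.append((depth, chain, match, "-> " + target))
            order.extend(evaluation_order(chains, target, depth + 1))
        else:                                     # verdict or extension target
            order.append((depth, chain, match, target))
    return order

def deny_before_allow_before_reject(order):
    """True if the zone deny chain runs before the allow chain, and both before INPUT's REJECT."""
    targets = [t for _, _, _, t in order]
    return (targets.index("-> IN_ZONE_public_deny")
            < targets.index("-> IN_ZONE_public_allow")
            < targets.index("REJECT"))
```

Running evaluation_order(parse_chains(DUMP)) lists the ssh ACCEPT at depth 3 inside IN_ZONE_public_allow, after the deny jump and before the catch-all REJECT in INPUT, which is why a rule added to the allow chain cannot bypass a block placed in the deny chain.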
