Firewall-cmd Firewall command detailed and TCP Wrappers

Source: Internet
Author: User
Tags: connection reset, wrappers
Common parameters and functions of firewall-cmd

    Parameter                              Action
    --get-default-zone                     Query the name of the default zone
    --set-default-zone=<zone name>         Set the default zone (this setting is permanent)
    --get-zones                            List the available zones
    --get-services                         List the predefined services
    --get-active-zones                     List the zones currently in use, with the NIC bound to each
    --add-source=<IP or subnet>            Direct traffic from this IP or subnet to the specified zone
    --remove-source=<IP or subnet>         Stop directing traffic from this IP or subnet to the specified zone
    --add-interface=<NIC name>             Direct all traffic from the NIC to the specified zone
    --change-interface=<NIC name>          Move the NIC to the specified zone
    --list-all                             Show the zone's NICs, sources, ports, services and related settings
    --list-all-zones                       Show that information for every zone
    --add-service=<service name>           Allow traffic for the service in the default zone
    --add-port=<port number/protocol>      Allow traffic for the port in the default zone
    --remove-service=<service name>        Stop allowing the service's traffic in the default zone
    --remove-port=<port number/protocol>   Stop allowing the port's traffic in the default zone
    --reload                               Apply the permanent configuration immediately, replacing the runtime configuration
    --panic-on                             Turn on panic mmode
    --panic-off                            Turn off panic mode

Like the other firewall tools on Linux, firewalld applies a policy configured with firewall-cmd to the runtime configuration by default. Runtime changes take effect immediately but are discarded when firewalld is reloaded or the system restarts. To make a policy persist, add the --permanent parameter to the firewall-cmd command; the rule is then written to the permanent configuration. The permanent mode has an awkward property: a rule added with --permanent is not applied to the running firewall until firewalld is reloaded or restarted. To apply it immediately, run firewall-cmd --reload. Be aware that --reload replaces the whole runtime configuration with the permanent one, so a rule that was added only at runtime (without --permanent) is lost at that point. Either add a rule both ways, as the examples below do, or save the runtime state first with firewall-cmd --runtime-to-permanent, which newer firewalld versions provide.

View the zone firewalld currently uses by default:

    # firewall-cmd --get-default-zone
    public

View the zone of the eth0 NIC:

    # firewall-cmd --get-zone-of-interface=eth0
    public

Move the eth0 NIC to the external zone permanently. Because --permanent is given, the runtime zone of eth0 is unchanged until firewall-cmd --reload is run (or firewalld restarts); querying the runtime and the permanent configuration separately shows the difference:

    # firewall-cmd --permanent --zone=external --change-interface=eth0
    success
    # firewall-cmd --get-zone-of-interface=eth0
    public
    # firewall-cmd --get-zone-of-interface=eth0 --permanent
    external

Set the current default zone of firewalld to public (it already is, hence the warning):

    # firewall-cmd --set-default-zone=public
    Warning: ZONE_ALREADY_SET: public
    # firewall-cmd --get-default-zone
    public

Turn panic mode on and off. Panic mode drops every inbound and outbound packet, including the SSH session you are administering from, so use it with great care on a remotely managed server:

    # firewall-cmd --panic-on   # blocks all network traffic
    Warning: ALREADY_ENABLED
    # firewall-cmd --panic-off
    success

Query whether the public zone allows ssh and https traffic:

    # firewall-cmd --zone=public --query-service=ssh
    yes
    # firewall-cmd --zone=public --query-service=https
    no

Allow https in the public zone permanently and immediately. Adding it at runtime makes it active now; adding it again with --permanent makes it survive a reload; the reload then confirms that the two configurations agree:

    # firewall-cmd --zone=public --add-service=https
    success
    # firewall-cmd --zone=public --add-service=https --permanent
    success
    # firewall-cmd --reload
    success
    # firewall-cmd --zone=public --query-service=https
    yes

Deny http in the public zone permanently and immediately: remove the service with --remove-service=http --permanent (listed in the table above), then reload so the runtime configuration follows. The public zone does not allow http by default, so on a stock zone the query answers no either way:

    # firewall-cmd --reload
    success
    # firewall-cmd --zone=public --query-service=http
    no

Access control list for services (TCP wrappers)

TCP wrappers is an access-control mechanism enabled by default on RHEL 7. It allows or denies a connection based on the address of the connecting host and the target service program on the local machine. It is not a packet filter: the check is performed by the service itself through the libwrap library, so it only protects daemons built with libwrap (on RHEL 7 this includes sshd, vsftpd and services started through xinetd); other programs never consult it. Upstream OpenSSH dropped libwrap support in version 6.7 and tcp_wrappers is no longer shipped in RHEL 8, so do not rely on it on newer systems.

The TCP wrappers policy is controlled by two list files. Editing the allow list releases request traffic to a service; editing the deny list blocks it. Changes take effect immediately with no reload, because the files are read on every new connection. The order of evaluation is: the allow list (/etc/hosts.allow) is checked first, and if a rule matches, the traffic is released. Otherwise the deny list (/etc/hosts.deny) is checked, and if a rule matches, the traffic is rejected. If neither file matches, the traffic is released by default. A practical consequence: a deny-everything rule in hosts.deny with a narrow exception in hosts.allow is the safe layout, while an empty hosts.deny denies nothing.

Client patterns accepted in both files:

    Client type                  Example                       Matches
    Single host                  192.168.10.10                 the host with IP address 192.168.10.10
    Network segment (prefix)     192.168.10.                   every host in 192.168.10.0/24
    Network segment (netmask)    192.168.10.0/255.255.255.0    every host in 192.168.10.0/24
    Network segment (CIDR)       192.168.10.0/24               every host in 192.168.10.0/24
    DNS suffix                   .jianghua.com                 every host whose name ends in .jianghua.com
    Host name                    www.jianghua.com              the host named www.jianghua.com
    All clients                  ALL                           every host

Two principles to follow when configuring TCP wrappers:

1. A rule names the service program (the daemon, e.g. sshd), not the protocol (ssh).
2. Write the deny rule first and the allow rule afterwards, so the effect of each step is visible.

First write the deny rule, prohibiting all traffic to the local sshd service (the stock comment header of /etc/hosts.deny is left in place). ALL is the wildcard documented in hosts_access(5); the "*" used here produced the same effect in this walk-through. If you do this over SSH, the session you are in stays up, because libwrap is consulted only for new connections, but any new session is refused until the allow rule below exists, so make both edits together or work from the console:

    # vim /etc/hosts.deny
    #
    # hosts.deny    This file contains access rules which are used to
    #               deny connections to network services that either use
    #               the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               The rules in this file can also be set up in
    #               /etc/hosts.allow with a 'deny' option instead.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers
    #
    sshd:*

    # ssh 192.168.38.251
    ssh_exchange_identification: read: Connection reset by peer

The effect is that the client's SSH connection fails. The TCP handshake completes, because sshd accepts the socket before libwrap rejects the client, and sshd then closes it; that is why the client sees a reset rather than the timeout or rejection a firewall drop would produce, and why such a refusal is logged by sshd (in /var/log/secure on RHEL 7) and never by firewalld:

    [c:\~]$ ssh 192.168.38.251
    Connecting to 192.168.38.251:22...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    Connection closed by foreign host.
    Disconnected from remote host (192.168.38.251:22) at 00:09:10.
    Type `help' to learn how to use Xshell prompt.

Next, add a rule to the allow file releasing all traffic that originates from the 192.168.38.0/24 segment and targets the local sshd service. The server releases traffic to sshd as soon as the file is saved, which makes the effect easy to see:

    # vim /etc/hosts.allow
    #
    # hosts.allow   This file contains access rules which are used to
    #               allow or deny connections to network services that
    #               either use the tcp_wrappers library or that have been
    #               started through a tcp_wrappers-enabled xinetd.
    #
    #               See 'man 5 hosts_options' and 'man 5 hosts_access'
    #               for information on rule syntax.
    #               See 'man tcpd' for information on tcp_wrappers
    #
    sshd:192.168.38.

The SSH connection from the client now succeeds.
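The runtime-versus-permanent split described in the firewall-cmd part of this page is the usual source of surprises: a service added only at runtime disappears on --reload, and one added only with --permanent is not enforced until then. The script below is an added example, not code from the original page or from the firewalld project. It compares the two service lists of a zone and reports entries present on only one side; the comparison functions take the space-separated lists that firewall-cmd --zone=Z --list-services and the same query with --permanent print, so they can be exercised on constructed input (the SAMPLE_* strings, labelled in the code) on a machine without firewalld. The check_live_zone wrapper and its use of --list-services and --list-ports are the assumed way to feed it real data.

```shell
#!/bin/sh
# Added example (not from the original page): report drift between firewalld's
# runtime and permanent configuration for one zone.
#   runtime-only entries   -> lost on --reload or reboot
#   permanent-only entries -> not enforced until --reload
set -f   # no pathname expansion while lists are word-split

# only_in LIST_A LIST_B -> prints the items of LIST_A that are absent from LIST_B
only_in() {
    out=""
    for item in $1; do
        case " $2 " in
            *" $item "*) ;;                 # present on both sides
            *) out="$out $item" ;;
        esac
    done
    printf '%s' "${out# }"
}

# zone_drift RUNTIME_LIST PERMANENT_LIST -> two report lines
zone_drift() {
    printf 'runtime-only: %s\npermanent-only: %s\n' \
        "$(only_in "$1" "$2")" "$(only_in "$2" "$1")"
}

# zone_in_sync RUNTIME_LIST PERMANENT_LIST -> status 0 when the lists agree
zone_in_sync() {
    [ -z "$(only_in "$1" "$2")" ] && [ -z "$(only_in "$2" "$1")" ]
}

# check_live_zone [ZONE]: run the real queries when firewall-cmd is installed
# (assumed invocation; --list-services and --list-ports are documented options).
check_live_zone() {
    zone=${1:-$(firewall-cmd --get-default-zone)}
    echo "zone $zone, services:"
    zone_drift "$(firewall-cmd --zone="$zone" --list-services)" \
               "$(firewall-cmd --permanent --zone="$zone" --list-services)"
    echo "zone $zone, ports:"
    zone_drift "$(firewall-cmd --zone="$zone" --list-ports)" \
               "$(firewall-cmd --permanent --zone="$zone" --list-ports)"
}

# Constructed sample: https was added only at runtime, http only permanently.
SAMPLE_RUNTIME="dhcpv6-client ssh https"
SAMPLE_PERMANENT="dhcpv6-client ssh http"

if command -v firewall-cmd >/dev/null 2>&1; then
    check_live_zone "$1"
else
    zone_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"
fi
```

Run it as root on the firewalld host to audit the default zone, or pass a zone name; on any other machine it runs against the constructed sample and prints the https/http split. An empty report on both lines means --reload is safe; anything under runtime-only should be added with --permanent (or saved with --runtime-to-permanent) before reloading.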
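The allow-then-deny-then-default-allow order and the client pattern forms described in the TCP wrappers part of this page are easy to get wrong, and a wrong hosts.deny locks you out of the next SSH session. The following shell script is an added example, not code from the original page or from the tcp_wrappers project: it models the hosts_access decision on rule text passed in as strings, so a candidate rule set can be checked before it is written to /etc. It assumes IPv4 clients only, a client host name supplied by the caller (no DNS lookups, so the KNOWN/UNKNOWN/PARANOID keywords are not modelled), no EXCEPT operator and no third shell-command field, and it treats "*" and "?" as globs, which is what the page's own sshd:* rule relies on, alongside the documented ALL keyword. The SAMPLE_ALLOW and SAMPLE_DENY rule sets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): a shell model of the
# hosts.allow / hosts.deny decision: allow list first, then deny list,
# otherwise allow. Assumptions: IPv4 only; client name supplied by the caller;
# no EXCEPT, no third field; "*" and "?" act as globs next to the ALL keyword.
set -f   # keep "*" patterns from expanding against files in the current directory

# ip2int A.B.C.D -> the address as an unsigned 32-bit integer
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# pattern_matches PATTERN CLIENT_IP CLIENT_NAME -> status 0 when the client matches
pattern_matches() {
    pat=$1; ip=$2; name=$3
    case "$pat" in
        ALL) return 0 ;;
        */*)                           # net/prefixlen or net/netmask
            net=${pat%/*}; suffix=${pat#*/}
            case "$suffix" in
                *.*) mask=$(ip2int "$suffix") ;;
                *)   mask=$(( (4294967295 << (32 - suffix)) & 4294967295 )) ;;
            esac
            [ $(( $(ip2int "$ip") & mask )) -eq $(( $(ip2int "$net") & mask )) ] ;;
        *[*?]*)                        # glob against the address, then the name
            case "$ip" in $pat) return 0 ;; esac
            case "$name" in $pat) return 0 ;; *) return 1 ;; esac ;;
        .*)                            # leading dot: domain suffix of the host name
            case "$name" in *"$pat") return 0 ;; *) return 1 ;; esac ;;
        *.)                            # trailing dot: address prefix
            case "$ip" in "$pat"*) return 0 ;; *) return 1 ;; esac ;;
        *)                             # exact address or exact host name
            [ "$pat" = "$ip" ] || [ "$pat" = "$name" ] ;;
    esac
}

# daemon_matches DAEMON_LIST DAEMON -> 0 if the list names the daemon or ALL
daemon_matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        if [ "$p" = ALL ] || [ "$p" = "$2" ]; then return 0; fi
    done
    return 1
}

# client_matches CLIENT_LIST IP NAME -> 0 if any pattern in the list matches
client_matches() {
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        pattern_matches "$p" "$2" "$3" && return 0
    done
    return 1
}

# file_matches FILE_CONTENT DAEMON IP NAME -> 0 if any "daemons : clients" line matches
file_matches() {
    printf '%s\n' "$1" | {
        while IFS= read -r line; do
            case "$line" in ''|\#*) continue ;; *:*) ;; *) continue ;; esac
            daemons=${line%%:*}
            rest=${line#*:}
            clients=${rest%%:*}        # a third field (option/command) is ignored
            if daemon_matches "$daemons" "$2" && client_matches "$clients" "$3" "$4"; then
                exit 0                 # leaves only the piped subshell
            fi
        done
        exit 1
    }
}

# hosts_access ALLOW_CONTENT DENY_CONTENT DAEMON IP NAME -> prints allow or deny
hosts_access() {
    if   file_matches "$1" "$3" "$4" "$5"; then echo allow
    elif file_matches "$2" "$3" "$4" "$5"; then echo deny
    else echo allow                    # nothing matched: libwrap lets it through
    fi
}

# Constructed rule sets modelled on the page's walk-through: deny everything to
# sshd, then allow it from the 192.168.38.0/24 segment; vsftpd likewise.
SAMPLE_ALLOW='sshd: 192.168.38.
vsftpd: 192.168.10.0/24, .jianghua.com'
SAMPLE_DENY='sshd: ALL
vsftpd: ALL'

# check DAEMON IP NAME -> verdict under the sample rule sets
check() { hosts_access "$SAMPLE_ALLOW" "$SAMPLE_DENY" "$1" "$2" "$3"; }

for probe in "sshd 192.168.38.20" "sshd 10.0.0.5" "vsftpd 203.0.113.9" "telnetd 10.0.0.5"; do
    set -- $probe
    printf '%-8s from %-15s -> %s\n' "$1" "$2" "$(check "$1" "$2" "")"
done
```

To vet a real rule set, pass the file contents instead of the samples, for example hosts_access "$(cat hosts.allow.new)" "$(cat /etc/hosts.deny)" sshd 192.168.38.20 "", and confirm that the address you administer from still answers allow before installing the file. The telnetd probe illustrates the default: a daemon with no rule in either file is released, so the deny file must cover every libwrap-aware service you want restricted.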
The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.