Firewall-firewalld
The firewalld service is the default firewall management tool in RHEL 7.
Features: (1) a runtime configuration, (2) a permanent configuration, (3) dynamic updates, i.e. rule changes are applied without restarting the service or breaking established connections, (4) the zone concept.
Tools: command line: firewall-cmd; graphical: firewall-config.
A zone defines the level of trust for a network connection. Predefined zones and their default policies:

| Zone | Default policy |
|---|---|
| trusted | Accepts all incoming packets. |
| home | Rejects incoming packets unless they belong to an outgoing connection or match the ssh, mdns, ipp-client, samba-client or dhcpv6-client services. |
| internal | Same as home. |
| work | Rejects incoming packets unless they belong to an outgoing connection or match the ssh, ipp-client or dhcpv6-client services. |
| public | Rejects incoming packets unless they belong to an outgoing connection or match the ssh or dhcpv6-client services. |
| external | Rejects incoming packets unless they belong to an outgoing connection or match the ssh service. Masquerading (NAT) is enabled for outgoing traffic. |
| dmz | Rejects incoming packets unless they belong to an outgoing connection or match the ssh service. |
| block | Rejects all incoming packets that do not belong to an outgoing connection; the sender receives an ICMP host-prohibited message. |
| drop | Silently drops all incoming packets that do not belong to an outgoing connection; nothing is sent back. |
Command-line administration tool: firewall-cmd
Parameters for managing the firewall configuration:

| Parameter | Role |
|---|---|
| --get-default-zone | Show the name of the default zone |
| --set-default-zone=<zone name> | Set the default zone (changes both the runtime and the permanent configuration) |
| --get-zones | List the available zones |
| --get-services | List the predefined services |
| --get-active-zones | Show the zones currently in use and the interfaces and sources bound to each |
| --add-source=<ip or subnet> | Bind traffic coming from a source IP or subnet to a zone |
| --remove-source=<ip or subnet> | Remove the binding of a source IP or subnet from a zone |
| --add-interface=<nic name> | Bind all traffic arriving on the interface to a zone (fails if the interface already belongs to another zone) |
| --change-interface=<nic name> | Move the interface to the given zone, rebinding it if it belongs to another zone |
| --list-all | Show the interfaces, sources, services, ports, masquerading, forward ports, ICMP blocks and rich rules of the default zone (or of the zone given with --zone=) |
| --list-all-zones | Show the same information for all zones |
| --add-service=<service name> | Allow traffic for the service |
| --add-port=<port>/<protocol> | Allow traffic to the port or port range, e.g. 8080/tcp or 8080-8081/tcp |
| --remove-service=<service name> | Stop allowing traffic for the service |
| --remove-port=<port>/<protocol> | Stop allowing traffic to the port or port range |
| --reload | Load the permanent configuration into the runtime; runtime-only changes that were not made permanent are discarded |
The firewalld service keeps two sets of rules:
Runtime: the rules currently loaded in the kernel. Changes made with firewall-cmd without --permanent take effect immediately but are lost on reload or restart.
Permanent: the configuration saved on disk under /etc/firewalld/. Changes made with --permanent are not active until they are loaded with firewall-cmd --reload or a service restart.
In the experiments below, after a change made with --permanent, run firewall-cmd --reload so that the saved configuration is applied without stopping the service.
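Because a --permanent change is invisible at runtime until a reload, and a reload throws away runtime-only changes, a common habit is to apply every change twice, once without and once with --permanent, and to compare the two configurations from time to time. The helper below is an added example written for this page; it is not code from the original notes or from firewalld. The names fw_apply, fw_drift and the FIREWALL_CMD override are chosen here, and FIREWALL_CMD exists only so the functions can be run against a stub instead of the real firewall-cmd.

```shell
#!/bin/sh
# Added example (not from the original page): keep the runtime and permanent
# firewalld configuration of a zone in step without calling --reload.
# FIREWALL_CMD can be overridden to point at a stub when testing.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_apply ZONE ARGS...: run the same firewall-cmd change against the runtime
# and the permanent configuration, e.g.  fw_apply public --add-service=https
fw_apply() {
    zone="$1"; shift
    "$FIREWALL_CMD" --zone="$zone" "$@" >/dev/null || return 1
    "$FIREWALL_CMD" --permanent --zone="$zone" "$@" >/dev/null || return 1
}

# fw_drift ZONE: list services present in only one of the two configurations.
# Exit status 0 when runtime and permanent agree, 1 when they have drifted.
fw_drift() {
    zone="$1"
    # pad with spaces so that " ssh " cannot match inside another service name
    rt=" $("$FIREWALL_CMD" --zone="$zone" --list-services) "
    pm=" $("$FIREWALL_CMD" --permanent --zone="$zone" --list-services) "
    drift=0
    set -f   # no pathname expansion while iterating over the word lists
    for s in $rt; do
        case "$pm" in *" $s "*) ;; *) echo "runtime-only: $s"; drift=1 ;; esac
    done
    for s in $pm; do
        case "$rt" in *" $s "*) ;; *) echo "permanent-only: $s"; drift=1 ;; esac
    done
    set +f
    return "$drift"
}

# Usage (hypothetical script name):  ./fw_sync.sh drift public
if [ "${1:-}" = "drift" ]; then
    fw_drift "${2:-public}"
fi
```

After Experiment 1 below (https added with --permanent only), fw_drift public reports "permanent-only: https"; after a reload, or after using fw_apply instead, it reports nothing and exits 0.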
Lab:
- View the current default zone:
    # firewall-cmd --get-default-zone
- View the zone an interface belongs to:
    # firewall-cmd --get-zone-of-interface=<nic name>
- Check whether the ssh and http services are allowed in the public zone (with the default configuration the answers are yes and no):
    # firewall-cmd --zone=public --query-service=ssh
    # firewall-cmd --zone=public --query-service=http
- Set the default zone to dmz and confirm it:
    # firewall-cmd --set-default-zone=dmz
    # firewall-cmd --get-default-zone
- Make the permanent configuration take effect immediately:
    # firewall-cmd --reload
- Turn panic mode on or off (panic mode drops all incoming and outgoing packets, so every network connection, including your own ssh session, is cut):
    # firewall-cmd --panic-on
    # firewall-cmd --panic-off
Experiment 1: Allow https service traffic through the public zone, permanently
    # firewall-cmd --permanent --zone=public --add-service=https
    success
    # firewall-cmd --zone=public --list-all
    public
      interfaces:
      sources:
      services: dhcpv6-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
Note that https does not appear: only the permanent configuration was changed, and --list-all shows the runtime. It becomes active after firewall-cmd --reload; until then it can be seen with firewall-cmd --permanent --zone=public --list-services.
Experiment 2: Stop allowing http service traffic through the public zone, both immediately and permanently
    # firewall-cmd --permanent --zone=public --remove-service=http
    success
    # firewall-cmd --reload
    success
The --reload loads the permanent configuration into the runtime, so the removal is active at once.
Experiment 3: Allow traffic to ports 8080 and 8081 through the public zone
    # firewall-cmd --zone=public --add-port=8080-8081/<protocol>
    success
    # firewall-cmd --zone=public --list-ports
    8080-8081/<protocol>
The protocol (tcp or udp) must be given with the port range. Without --permanent this is a runtime-only change and is lost on the next reload or restart.
Experiment 4: Move the network interface to the external zone in the permanent configuration, taking effect after the next reload or restart
    # firewall-cmd --permanent --zone=external --change-interface=eno16777728
    success
    # firewall-cmd --get-zone-of-interface=eno16777728
The query still reports the interface's runtime zone, because the change was made with --permanent only; it applies after firewall-cmd --reload. For interfaces managed by NetworkManager the zone is stored in the connection profile (the ZONE= setting of the ifcfg file).
Experiment 5: Use a rich rule so that hosts in the 192.168.10.0/24 network cannot reach the ssh service on this machine
Rich rules give fine-grained control over services, ports and protocols, including per-source decisions.
    # firewall-cmd --permanent --zone=public --add-rich-rule="rule family=ipv4 source address=192.168.10.0/24 service name=ssh reject"
    success
    # firewall-cmd --permanent --zone=public --list-rich-rules
    rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject
The rule was added with --permanent, so run firewall-cmd --reload to activate it. Once active, the reject for that source takes precedence over the zone's general ssh allowance, since firewalld evaluates reject and drop rich rules before the accept rules.
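Rich rules are plain strings, so a malformed network prefix (the kind of typo that turns "192.168.10.0/24" into "192.168.10.0/ -") is only caught when firewall-cmd parses it, and adding the same rule twice is an error. The helper below is an added example for this page, not code from the original notes or from firewalld: it builds the IPv4 source/service rule used in Experiment 5 from validated parts and adds it to both the runtime and the permanent configuration only when the runtime does not already contain it. valid_ipv4_cidr, build_rich_rule, fw_rich_ensure and the FIREWALL_CMD override are names chosen here; FIREWALL_CMD exists so the functions can be run against a stub.

```shell
#!/bin/sh
# Added example (not from the original page): build a firewalld rich rule of
# the form  rule family="ipv4" source address=<cidr> service name=<svc> <action>
# from validated inputs and add it idempotently. FIREWALL_CMD is overridable
# so the functions can be exercised against a stub.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# valid_ipv4_cidr A.B.C.D/N: succeed only if all four octets are 0-255 and
# the prefix length is 0-32. A missing prefix, "/ -" or an octet of 256 fails.
valid_ipv4_cidr() {
    case "$1" in
        */*) addr="${1%/*}"; plen="${1#*/}" ;;
        *)   return 1 ;;
    esac
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    # split the address on "." in a subshell: IFS and the -f (no glob) setting
    # do not leak out, and a stray "*" cannot expand to file names
    (
        set -f; IFS=.
        set -- $addr
        [ $# -eq 4 ] || exit 1
        for o in "$@"; do
            case "$o" in ''|*[!0-9]*) exit 1 ;; esac
            [ "$o" -le 255 ] || exit 1
        done
    )
}

# build_rich_rule FAMILY CIDR SERVICE ACTION: print the rule text, or fail
# with a message on stderr. Only the ipv4 source/service form is handled.
build_rich_rule() {
    family="$1"; cidr="$2"; service="$3"; action="$4"
    [ "$family" = ipv4 ] || { echo "unsupported family: $family" >&2; return 1; }
    valid_ipv4_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
    case "$service" in
        ''|*[!a-zA-Z0-9_-]*) echo "bad service name: $service" >&2; return 1 ;;
    esac
    case "$action" in
        accept|reject|drop) ;;
        *) echo "bad action: $action (accept|reject|drop)" >&2; return 1 ;;
    esac
    printf 'rule family="%s" source address="%s" service name="%s" %s\n' \
        "$family" "$cidr" "$service" "$action"
}

# fw_rich_ensure ZONE RULE: if the runtime zone lacks RULE, add it to both the
# runtime and the permanent configuration. Prints "present" or "added".
fw_rich_ensure() {
    zone="$1"; rule="$2"
    if "$FIREWALL_CMD" --zone="$zone" --query-rich-rule="$rule" >/dev/null 2>&1; then
        echo present
        return 0
    fi
    "$FIREWALL_CMD" --zone="$zone" --add-rich-rule="$rule" >/dev/null &&
    "$FIREWALL_CMD" --permanent --zone="$zone" --add-rich-rule="$rule" >/dev/null &&
    echo added
}

# Usage (hypothetical script name):
#   ./fw_rich.sh public 192.168.10.0/24 ssh reject
if [ $# -eq 4 ]; then
    rule=$(build_rich_rule ipv4 "$2" "$3" "$4") && fw_rich_ensure "$1" "$rule"
fi
```

Because the rule is added to the runtime as well as the permanent configuration, no --reload is needed, and a second run reports "present" instead of failing.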