Introduction to CentOS 7 firewalld

Source: Internet
Author: User
To learn how to install Apache you need to open port 80. Since CentOS 7 uses firewalld by default, the iptables instructions found on the Internet no longer apply. I assume iptables will not be used anyway, so I simply moved to the official documentation and learned firewalld; it seems easier than iptables. Official documentation address: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld

1. firewalld introduction

firewalld is a major feature of CentOS 7. Its two biggest benefits: it supports dynamic updates, so the service does not need to be restarted, and it adds the concept of "zones" to the firewall. firewalld has a graphical interface and a command-line tool; for the graphical interface refer to the official documentation. This document introduces the command-line management tool of firewalld, firewall-cmd.

firewalld has two default configuration directories: /usr/lib/firewalld/ (system configuration, avoid modifying it) and /etc/firewalld/ (user configuration).

Zone concept: a hardware firewall usually has three zones by default. firewalld introduces the same concept, and the following zones exist by default (this is my understanding of the document; if there is an error, please correct me):

  drop: all incoming packets are discarded by default.
  block: deny all external connections, allow internal connections.
  public: only specified external connections can enter.
  external: this is not clear to me; the function is the same as above, allow the specified external connections.
  dmz: the same as on a hardware firewall, restricted public connections can enter.
  work: work zone. The concept is the same as a workgroup; it also allows only specified external connections.
  home: similar to a home group.
  internal: trust all connections.

I am not very familiar with firewalls and have not figured out whether public, external, dmz, work and home all require connections to be allowed explicitly; the specific differences in usage also require expert guidance.

2. install firewalld

Run as root:

  # yum install firewalld firewall-config

3. run, stop and disable firewalld

Start:
  # systemctl start firewalld
View status:
  # systemctl status firewalld
or
  $ firewall-cmd --state
Stop:
  # systemctl stop firewalld
Disable (do not start at boot):
  # systemctl disable firewalld

4. configure firewalld

View the version:
  $ firewall-cmd --version
View help:
  $ firewall-cmd --help

View settings:
  Display status:
    $ firewall-cmd --state
  View active zones:
    $ firewall-cmd --get-active-zones
  View the zone of a given interface:
    $ firewall-cmd --get-zone-of-interface=eth0

Reject all packets (panic mode):
  # firewall-cmd --panic-on
Cancel panic mode:
  # firewall-cmd --panic-off
Check whether panic mode is on:
  $ firewall-cmd --query-panic

Reload firewall rules:
  # firewall-cmd --reload
  # firewall-cmd --complete-reload
The difference between the two: the first does not interrupt existing connections (adding rules dynamically is one of firewalld's features); the second does interrupt them, similar to restarting the service.

Add an interface to a zone (interfaces are in the public zone by default):
  # firewall-cmd --zone=public --add-interface=eth0
To make it permanent, add --permanent and then reload the firewall.

Set the default zone:
  # firewall-cmd --set-default-zone=public
This takes effect immediately; no restart is needed.

Open a port (this seems to be the most common operation). View all opened ports in a zone:
  # firewall-cmd --zone=dmz --list-ports
Add a port to a zone:
  # firewall-cmd --zone=dmz --add-port=8080/tcp
To keep it permanently, add --permanent in the same way.

Open a service. This works the same way as opening a port, but the service must be defined in a configuration file: the /etc/firewalld directory contains a services folder. This is not covered in detail here; see the official documentation.
  # firewall-cmd --zone=work --add-service=smtp
Remove a service:
  # firewall-cmd --zone=work --remove-service=smtp

Port forwarding, custom complex rules and the lockdown function are also available.
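The "open a service" step above says a service must first be defined in the services folder under /etc/firewalld. The following script is an added example, not part of the original article: it writes a service definition in the XML layout firewalld reads from that folder, then makes the service permanent in a zone, reloads and verifies it. The service name myapp, port 8080 and the public zone are assumed values; SERVICE_DIR can be pointed at a temporary directory to check the generated file without root.

```shell
#!/bin/sh
# Added example: define a custom firewalld service, then open it permanently.
set -eu

# Override with a temp dir to test XML generation without root or firewalld.
SERVICE_DIR="${SERVICE_DIR:-/etc/firewalld/services}"

# write_service_def NAME PORT PROTO DESCRIPTION
# Writes SERVICE_DIR/NAME.xml in firewalld's service format and prints the path.
# DESCRIPTION is assumed to contain no XML-special characters (<, >, &).
write_service_def() {
  name=$1; port=$2; proto=$3; desc=$4
  case "$port" in
    ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
  esac
  case "$proto" in
    tcp|udp) ;;
    *) echo "invalid protocol: $proto" >&2; return 1 ;;
  esac
  f="$SERVICE_DIR/$name.xml"
  cat > "$f" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
  echo "$f"
}

# apply_service NAME ZONE: reload so firewalld sees the new service file,
# add the service to the permanent config of ZONE, reload again so the
# permanent config becomes the runtime config, then confirm it is active.
apply_service() {
  name=$1; zone=$2
  firewall-cmd --reload
  firewall-cmd --permanent --zone="$zone" --add-service="$name"
  firewall-cmd --reload
  firewall-cmd --zone="$zone" --query-service="$name"
}

# Usage (requires root and a running firewalld): sh thisscript.sh apply
if [ "${1:-}" = "apply" ]; then
  write_service_def myapp 8080 tcp "Assumed example application" >/dev/null
  apply_service myapp public
fi
```

The user copy in /etc/firewalld/services is what firewall-cmd consults, so after reloading, firewall-cmd --get-services lists the new name alongside the built-in ones.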