About firewalld
firewalld is the management daemon behind the firewall-cmd tool; through it, the open/close rules of the Linux kernel's netfilter are managed indirectly. The firewalld package provides two front ends for managing kernel netfilter: firewall-cmd (command line) and firewall-config (graphical management tool).
Configuration files: /usr/lib/firewalld/ and /etc/firewalld/ (XML format)
firewalld can classify different network connections into different levels of trust, called zones. The following zones are available:
drop: discard all incoming packets without giving any response
block: reject all externally initiated connections; allow internally initiated connections
public: allow the specified incoming connections
external: as above, but incoming connections are masqueraded; generally used for routing and forwarding
dmz: allow restricted incoming connections
work: allow trusted computers restricted incoming connections, similar to a Workgroup
home: ditto, similar to a HomeGroup
internal: ditto, intended for the users of the internal network
trusted: trust all connections
1) Installation: yum install firewalld -y (usually already installed with the system)
firewall-config ------ firewalld's graphical management tool
Runtime: the change takes effect immediately, but is lost after systemctl restart firewalld.
Permanent: the change is saved permanently, but only takes effect after systemctl restart firewalld.
All permanent changes are saved in the corresponding XML file under the /usr/lib/firewalld/zones/ directory, for example in the /usr/lib/firewalld/zones/public.xml file.
2) Basic firewall-cmd commands
firewall-cmd --state ------------ view the firewall status
firewall-cmd --get-default-zone ---------- view the default zone
firewall-cmd --get-active-zones --------------- view the currently active zones
firewall-cmd --get-zones ------------- view all existing zones
firewall-cmd --zone=public --list-all ------------------ view all information for the public zone
firewall-cmd --list-all-zones -------------- view all information for all zones
firewall-cmd --set-default-zone=home --------------- set the default zone to home
3) Advanced command settings
firewall-cmd --zone=public --add-source=172.25.254.50/24 --------- add the 172.25.254.50 host to the local public zone so that it can access local resources
firewall-cmd --zone=public --remove-source=172.25.254.50/24 -------------- remove the 172.25.254.50 host
firewall-cmd --remove-interface=eth0 ------------ remove interface eth0
firewall-cmd --add-interface=eth0 ----------- add interface eth0
firewall-cmd --permanent --remove-port=80/tcp ---------------- remove port 80
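The zone XML file described above and the --add-source / --add-port commands can be checked against each other without touching a live firewall. The following script is an added example, not code from the original article: it writes a constructed public.xml to a temporary directory, lists the rules it contains, emits the firewall-cmd --permanent commands that would recreate them, and warns when a source mask such as /24 admits a whole network rather than the single host the description names.

```shell
#!/bin/sh
# Added example (not from the original article): parse a persistent firewalld
# zone file and print its rules, then build the matching firewall-cmd commands.
# Uses a constructed public.xml written to a temp dir, so it runs offline and
# without firewalld installed.

ZONE_DIR=$(mktemp -d)
# Constructed sample, in the layout firewalld writes for a zone file
cat > "$ZONE_DIR/public.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <source address="172.25.254.50/24"/>
</zone>
EOF

# zone_rules FILE : print one "kind value" line per rule in the zone file
zone_rules() {
  sed -n \
    -e 's/.*<service name="\([^"]*\)".*/service \1/p' \
    -e 's/.*<port protocol="\([^"]*\)" port="\([^"]*\)".*/port \2\/\1/p' \
    -e 's/.*<source address="\([^"]*\)".*/source \1/p' "$1"
}

# zone_commands ZONE FILE : firewall-cmd --permanent lines that recreate the file
zone_commands() {
  zone_rules "$2" | while read -r kind value; do
    printf 'firewall-cmd --permanent --zone=%s --add-%s=%s\n' "$1" "$kind" "$value"
  done
}

# mask_warning CIDR : a /32 is one host; anything wider admits a whole network.
# The article adds 172.25.254.50/24 "for the host", but /24 admits 256 addresses.
mask_warning() {
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32
  if [ "$prefix" -lt 32 ]; then
    echo "WARNING: $1 covers $((1 << (32 - prefix))) addresses, not a single host"
  else
    echo "OK: $1 is a single host"
  fi
}

zone_rules "$ZONE_DIR/public.xml"
zone_commands public "$ZONE_DIR/public.xml"
mask_warning 172.25.254.50/24
```

Remember that the generated commands only edit the permanent configuration; they still need a reload before the runtime firewall matches the XML.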
The difference between firewall-cmd --reload and firewall-cmd --complete-reload:
firewall-cmd --reload does not interrupt running connections after execution, whereas firewall-cmd --complete-reload does interrupt them. For example, if the 172.25.254.50 host is connected to the 172.25.254.220 host via SSH, and the 50 host is then added to the block zone followed by firewall-cmd --complete-reload, the 50 host will no longer be able to enter any characters in that session. firewall-cmd --complete-reload can therefore be used to cut off any host at any time.
4) Direct rules
With the firewall-cmd tool, the --direct option can be used to add or remove chains and rules at run time. If you are unfamiliar with iptables, using the direct interface is dangerous, because you may inadvertently weaken the firewall. The direct interface is intended for services or programs that need to add specific firewall rules at run time. Rules added through the direct interface are applied first.
Parameters of the filter table (local data filtering): -s source address, -d destination address, -p protocol, --dport destination port, -j action (REJECT rejects, ACCEPT allows, DROP discards)
firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -p tcp --dport 80 -j ACCEPT --- add a rule
firewall-cmd --direct --get-all-rules --- list rules
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -s 172.25.254.50 -p tcp --dport 22 -j REJECT ---------- reject access to port 22 from the 50 host
5) Rich rules
With rich rules, complex firewall rules can be built using a syntax that is easier to understand than the direct interface. In addition, rich rules can be saved permanently; their syntax consists of keyword and value pairs.
Main parameters: source (source address), destination (destination address), service (service name), port (port), protocol (protocol name)
Example of address masquerading:
The client connects to the 220 host, and the 220 host successfully forwards the connection request on to the 50 host.