linux[base]-27-[Firewall]-[firewalld]-[03]

Source: Internet
Author: User

Firewall-firewalld

The firewalld service is the default firewall management tool in RHEL 7.

Features: (1) runtime configuration, (2) permanent configuration, (3) dynamic updates, (4) the zone concept.

Management interfaces: command line: firewall-cmd; graphical: firewall-config.

A zone defines the level of trust for a network connection:

Zone       Default policy
trusted    Allow all incoming packets.
home       Incoming packets are rejected unless they are related to outgoing traffic or match the ssh, mdns, ipp-client, samba-client or dhcpv6-client services.
internal   Same as the home zone.
work       Incoming packets are rejected unless they are related to outgoing traffic or match the ssh, ipp-client or dhcpv6-client services.
public     Incoming packets are rejected unless they are related to outgoing traffic or match the ssh or dhcpv6-client services.
external   Incoming packets are rejected unless they are related to outgoing traffic or match the ssh service.
dmz        Incoming packets are rejected unless they are related to outgoing traffic or match the ssh service.
block      Incoming packets are denied unless they are related to outgoing traffic.
drop       Incoming packets are denied unless they are related to outgoing traffic.

Command-line administration tool (firewall-cmd)

Used for efficient management of the firewall configuration.

Parameter                          Role
--get-default-zone                 Query the name of the default zone
--set-default-zone=<zone name>     Set the default zone (permanent)
--get-zones                        List the available zones
--get-services                     List the predefined services
--get-active-zones                 Show the zones currently in use and the NICs bound to them
--add-source=<IP or subnet>        Bind traffic from a source IP or subnet to a zone
--remove-source=<IP or subnet>     Remove a source IP or subnet binding from a zone
--add-interface=<nic name>         Bind all traffic from the NIC to the specified zone
--change-interface=<nic name>      Move a NIC to a different zone
--list-all                         Show the interfaces, sources, ports and services of the current zone
--list-all-zones                   Show the interfaces, sources, ports and services of all zones
--add-service=<service name>       Allow traffic for the service
--add-port=<port/protocol>         Allow traffic to the port
--remove-service=<service name>    Disallow traffic for the service
--remove-port=<port/protocol>      Disallow traffic on the port
--reload                           Reload the permanent configuration, replacing the current runtime configuration

The firewalld service keeps two sets of rules:

Runtime: the rules currently in effect; lost on reload or reboot.

Permanent: the rules saved to the configuration files; survive reload and reboot.

When you change the permanent configuration (with --permanent) during the experiments, you must run firewall-cmd --reload afterwards: it reloads the configuration files into the runtime rules without stopping the service.

Lab:

1. View the current default zone:
# firewall-cmd --get-default-zone

2. View the zone of the NIC:
# firewall-cmd --get-zone-of-interface=eno16777728

3. Check whether the ssh and http services are allowed in the public zone:
# firewall-cmd --zone=public --query-service=ssh
# firewall-cmd --zone=public --query-service=http

4. Set the default zone to dmz:
# firewall-cmd --set-default-zone=dmz
# firewall-cmd --get-default-zone

5. Make the permanent configuration take effect immediately:
# firewall-cmd --reload

6. Turn panic mode on/off (panic mode drops all network connections):
# firewall-cmd --panic-on
# firewall-cmd --panic-off

Experiment 1: Allow HTTPS service traffic through the public zone and make it take effect permanently

# firewall-cmd --permanent --zone=public --add-service=https
# firewall-cmd --zone=public --list-all
public
  interfaces:
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

The https service does not yet appear in the runtime listing because the change was made with --permanent and has not been reloaded.
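The gap between the runtime and permanent rule sets is the most common source of surprises with firewalld: a --permanent change that nobody reloaded, or a runtime-only change that disappears at the next reload or reboot. The following Python script is an added example (not part of the original page or of firewalld itself); it parses two `firewall-cmd --list-all` listings, one runtime and one --permanent, and reports what differs. The sample listings are constructed to match the state of the public zone after this page's experiments, and the `tcp` protocol in the port range is an assumption.

```python
"""Added example: detect drift between a firewalld zone's runtime and permanent
configuration from two `firewall-cmd --list-all` listings.
Not part of the original page; the sample listings below are constructed."""
import re
import subprocess

KEY_LINE = re.compile(r"^  ([a-z][a-z -]*):\s*(.*)$")   # two-space indented "key: values"


def parse_list_all(text):
    """Parse `firewall-cmd [--permanent] --zone=<zone> --list-all` output into
    (zone name, {field: set of tokens}). Lines continued below a field with a deeper
    indent (the way firewalld prints rich rules) are collected as whole lines."""
    lines = text.splitlines()
    zone = lines[0].split()[0]          # first token; newer versions print "public (active)"
    fields, current = {}, None
    for line in lines[1:]:
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            fields[current] = set(m.group(2).split())
        elif current is not None and line.strip():
            fields[current].add(line.strip())
    return zone, fields


def zone_drift(runtime_text, permanent_text,
               keys=("interfaces", "sources", "services", "ports", "rich rules")):
    """Return {field: {"permanent_only": [...], "runtime_only": [...]}} for every
    field whose runtime and permanent values differ. permanent_only entries are
    waiting for `firewall-cmd --reload`; runtime_only entries vanish on reload/reboot."""
    rzone, rfields = parse_list_all(runtime_text)
    pzone, pfields = parse_list_all(permanent_text)
    if rzone != pzone:
        raise ValueError(f"zone mismatch: runtime={rzone!r} permanent={pzone!r}")
    drift = {}
    for key in keys:
        runtime, permanent = rfields.get(key, set()), pfields.get(key, set())
        if runtime != permanent:
            drift[key] = {"permanent_only": sorted(permanent - runtime),
                          "runtime_only": sorted(runtime - permanent)}
    return drift


def collect_drift(zone):
    """Run firewall-cmd twice on a real host and compare (requires firewalld)."""
    def listing(*extra):
        return subprocess.run(["firewall-cmd", *extra, f"--zone={zone}", "--list-all"],
                              check=True, capture_output=True, text=True).stdout
    return zone_drift(listing(), listing("--permanent"))


# Constructed sample: the public zone after the experiments on this page, before any
# --reload. https and the rich rule were added with --permanent; the 8080-8081 port
# range was added at runtime only (the tcp protocol is assumed here).
RUNTIME_PUBLIC = """public
  interfaces: eno16777728
  sources:
  services: dhcpv6-client ssh
  ports: 8080-8081/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""
PERMANENT_PUBLIC = """public
  interfaces: eno16777728
  sources:
  services: dhcpv6-client https ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject
"""

if __name__ == "__main__":
    for field, diff in zone_drift(RUNTIME_PUBLIC, PERMANENT_PUBLIC).items():
        print(f"{field}: needs --reload: {diff['permanent_only']}; "
              f"lost on reload: {diff['runtime_only']}")
```

Run it as-is to see the report for the constructed listings; on a real host call `collect_drift("public")` instead. A non-empty `runtime_only` list is the thing to look for before a reboot, because those rules will silently disappear.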

Experiment 2: Disallow HTTP service traffic through the public zone, taking effect immediately and permanently

# firewall-cmd --permanent --zone=public --remove-service=http
# firewall-cmd --reload
success

Experiment 3: Allow traffic to ports 8080 and 8081 through the public zone

# firewall-cmd --zone=public --add-port=8080-8081/<protocol>
# firewall-cmd --zone=public --list-ports
8080-8081/<protocol>

Experiment 4: Change the NIC's zone to external, taking effect after reboot

# firewall-cmd --permanent --zone=external --change-interface=eno16777728
success
# firewall-cmd --get-zone-of-interface=eno16777728

Experiment 5: Add a rich rule so that hosts on the 192.168.10.0/24 network segment cannot reach the SSH service of this machine

Rich rules: fine-grained configuration of services, ports and protocols.

# firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject'
success
# firewall-cmd --permanent --zone=public --list-rich-rules
rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject
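Before committing a rich rule it helps to check which clients it will actually affect. The following Python script is an added example (not part of the original page or of firewalld) that parses the rule subset used here (family, source address, optional service name or port, and an accept/reject/drop action) and reports the verdict for a given client address and service. The client addresses are constructed; the script assumes the rules are supplied in the order firewalld evaluates them (see firewalld.richlanguage(5)) and is an offline audit aid, not a reimplementation of firewalld.

```python
"""Added example: evaluate which client addresses a set of firewalld rich rules
would affect. Not part of the original page; it supports only the rule subset
used here (family, source address, optional service name or port, and an action)."""
import ipaddress
import re

RICH_RULE = re.compile(
    r'^rule\s+family="(?P<family>ipv4|ipv6)"'
    r'(?:\s+source\s+address="(?P<source>[^"]+)")?'
    r'(?:\s+service\s+name="(?P<service>[^"]+)")?'
    r'(?:\s+port\s+port="(?P<port>[^"]+)"\s+protocol="(?P<proto>tcp|udp)")?'
    r'\s+(?P<action>accept|reject|drop)$'
)


def parse_rich_rule(rule):
    """Return a dict with family, network (ip_network or None), service, port, proto, action."""
    m = RICH_RULE.match(rule.strip())
    if not m:
        raise ValueError(f"unsupported rich rule: {rule!r}")
    d = m.groupdict()
    d["network"] = ipaddress.ip_network(d["source"], strict=False) if d["source"] else None
    return d


def rich_rule_verdict(rules, src_ip, service=None, port=None, proto=None):
    """Action of the first rule matching a connection from src_ip to the given
    service (or port/proto); None when no rich rule applies, in which case the
    zone's ordinary service/port settings decide. Assumes `rules` is in the
    order firewalld evaluates them (see firewalld.richlanguage(5))."""
    ip = ipaddress.ip_address(src_ip)
    family = "ipv4" if ip.version == 4 else "ipv6"
    for r in map(parse_rich_rule, rules):
        if r["family"] != family:
            continue                                   # rule is for the other address family
        if r["network"] is not None and ip not in r["network"]:
            continue                                   # client outside the rule's source range
        if r["service"] is not None and r["service"] != service:
            continue                                   # rule targets a different service
        if r["port"] is not None and (str(port) != r["port"] or proto != r["proto"]):
            continue                                   # exact port/protocol match only
        return r["action"]
    return None


def blocked_clients(rules, clients, service):
    """Subset of `clients` that the rules reject or drop for `service`."""
    return [c for c in clients if rich_rule_verdict(rules, c, service) in ("reject", "drop")]


# The rule added in Experiment 5, plus constructed client addresses to audit.
PUBLIC_RICH_RULES = [
    'rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject',
]
SAMPLE_CLIENTS = ["192.168.10.10", "192.168.10.254", "192.168.11.10", "10.0.0.5"]

if __name__ == "__main__":
    print("ssh blocked for:", blocked_clients(PUBLIC_RICH_RULES, SAMPLE_CLIENTS, "ssh"))
    print("http blocked for:", blocked_clients(PUBLIC_RICH_RULES, SAMPLE_CLIENTS, "http"))
```

Feed it the output of `firewall-cmd --permanent --zone=public --list-rich-rules` one rule per list entry; a `ValueError` means the rule uses syntax outside the subset above and must be reviewed by hand rather than assumed harmless.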
