1. firewalld introduction
firewalld is a major feature of CentOS 7. It brings two benefits: rules can be updated dynamically without restarting the service, and the firewall is organised around the concept of "zones".
firewalld has both a graphical interface (firewall-config) and a command line interface; the command line management tool is firewall-cmd.
firewalld has two default configuration locations: /usr/lib/firewalld/ (system configuration, which should not be modified) and /etc/firewalld/ (user configuration, where local changes belong).
Zone concept: a hardware firewall usually has three areas by default; firewalld extends this idea and ships with the following zones:
Drop: discard all incoming packets by default;
Block: reject all incoming external connections, allow connections initiated from inside;
Public: only specified incoming external connections are accepted;
External: only specified incoming external connections are accepted;
DMZ: as with a hardware firewall DMZ, restricted public connections are accepted;
Work: the work zone (similar in concept to a workgroup); again only specified external connections are accepted;
Home: the home zone;
Internal: trust all connections.
2. firewalld installation
# yum install firewalld firewall-config
3. firewalld process management commands
View status: # systemctl status firewalld or # firewall-cmd --state
Start: # systemctl start firewalld
Stop: # systemctl stop firewalld
Enable at boot: # systemctl enable firewalld
Disable at boot: # systemctl disable firewalld
4. Configuring firewalld firewall rules
View version: # firewall-cmd --version
View help: # firewall-cmd --help
View active zones and their interfaces: # firewall-cmd --get-active-zones
View the zone a given interface belongs to: # firewall-cmd --get-zone-of-interface=eth0
Reject all packets (panic mode on): # firewall-cmd --panic-on
Cancel the reject state (panic mode off): # firewall-cmd --panic-off
Check whether panic mode is on: $ firewall-cmd --query-panic
Set the default zone
# firewall-cmd --set-default-zone=public
This setting takes effect immediately; no restart is needed.
Add an interface to a zone (the default zone is public):
# firewall-cmd --zone=public --add-interface=eth0 --permanent
The --permanent parameter makes the change permanent (written to /etc/firewalld/). Without --permanent the rule is only applied to the runtime configuration and is lost when firewalld is reloaded or restarted.
View all open ports in a zone:
# firewall-cmd --zone=public --list-ports
Add a port to a zone:
# firewall-cmd --zone=public --add-port=80/tcp
To make this permanent, add --permanent as above.
Opening a service is similar to opening a port, but the service must be defined by a configuration file; the /etc/firewalld directory contains a services folder for these definitions.
# firewall-cmd --zone=public --add-service=smtp
Removing a service:
# firewall-cmd --zone=public --remove-service=smtp
firewalld: opening VRRP
firewall-cmd --permanent --add-rich-rule "rule family=ipv4 source address=192.168.1.0/24 port Name=" "Reject"
firewall-cmd --zone=public --permanent --add-rich-rule "rule family=ipv4 source address=192.168.1.237/32 accept"
firewall-cmd --zone=public --permanent --add-rich-rule "rule family=ipv4 source address=192.168.1.238/32 accept"
firewall-cmd --reload
firewall-cmd --zone=public --list-rich-rules
5. Applying firewall rules:
Note: after changing any firewall configuration, run one of the following reload commands so that the configuration takes effect immediately.
# firewall-cmd --reload
or
# firewall-cmd --complete-reload
The difference between the two: the first does not drop existing connections, which is the dynamic rule update feature of firewalld; the second drops connections and is similar to restarting the service.
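Because a rule added without --permanent lives only in the runtime configuration and disappears on the next reload, it is worth checking a zone for such drift before reloading. The script below is an added example (not part of the original post) that parses `firewall-cmd --list-all` output and reports items present at runtime but missing from the permanent configuration; the sample output it runs on is constructed, and `check_zone` is a hypothetical helper for use on a live host.

```shell
#!/bin/sh
# Added example: report rules present only in the runtime config (added
# without --permanent); they vanish on --reload or a service restart.
# One item per line from a single-line field of `firewall-cmd --list-all`.
list_field() {  # $1 = list-all text, $2 = field name (services, ports, ...)
  printf '%s\n' "$1" | awk -v f="$2" '
    $1 == (f ":") { for (i = 2; i <= NF; i++) print $i }'
}
# Rich rules are printed one per indented line under "rich rules:".
list_rich_rules() {  # $1 = list-all text
  printf '%s\n' "$1" | awk '
    /^[ \t]*rich rules:/ { on = 1; next }
    on && /^[ \t]+rule / { sub(/^[ \t]+/, ""); print }'
}
# Items in runtime text ($1) but not in permanent text ($2) for field $3
# ("rich" selects rich rules): exactly the rules lost on the next reload.
runtime_only() {
  if [ "$3" = rich ]; then
    a=$(list_rich_rules "$1"); b=$(list_rich_rules "$2")
  else
    a=$(list_field "$1" "$3"); b=$(list_field "$2" "$3")
  fi
  printf '%s\n' "$a" | while IFS= read -r item; do
    [ -n "$item" ] || continue
    printf '%s\n' "$b" | grep -Fxq -- "$item" || printf '%s\n' "$item"
  done
}
# Live check (hypothetical helper, run as root on the host): compare what
# is enforced now with what survives a reload.
check_zone() {  # $1 = zone name, e.g. public
  rt=$(firewall-cmd --zone="$1" --list-all) || return 1
  pm=$(firewall-cmd --zone="$1" --permanent --list-all) || return 1
  for f in interfaces services ports rich; do
    runtime_only "$rt" "$pm" "$f" | sed "s/^/runtime-only $f: /"
  done
}
# Constructed sample output (not captured from a real host): smtp, 80/tcp
# and the .238 rich rule were added without --permanent.
SAMPLE_RUNTIME='public (active)
  services: dhcpv6-client ssh smtp
  ports: 80/tcp 443/tcp
  rich rules:
    rule family="ipv4" source address="192.168.1.237/32" accept
    rule family="ipv4" source address="192.168.1.238/32" accept'
SAMPLE_PERMANENT='public
  services: dhcpv6-client ssh
  ports: 443/tcp
  rich rules:
    rule family="ipv4" source address="192.168.1.237/32" accept'
for f in services ports rich; do runtime_only "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" "$f"; done
```

Anything the script reports should be re-added with --permanent (or the runtime state saved with `firewall-cmd --runtime-to-permanent`) before running --reload.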