Using firewalld under CentOS 7

Source: Internet
Author: User
Tags: stateful firewall

I. Introduction to firewalld

1. Overview of firewalld

firewalld provides a dynamically managed firewall with support for network/firewall zones that define the trust level of network connections or interfaces. It supports IPv4 and IPv6 firewall settings as well as Ethernet bridges, and it keeps a runtime configuration separate from the permanent configuration. It also offers an interface through which services or applications can add firewall rules directly. The earlier system-config-firewall/lokkit model is static: every modification requires a complete restart of the firewall, which means unloading the kernel netfilter modules and loading the modules required by the new configuration. Unloading the modules destroys the firewall's connection-tracking state, and with it every established connection.

The firewall daemon instead manages the firewall dynamically and applies changes without restarting the whole firewall, so there is no need to reload all kernel firewall modules. The price is that every change to the firewall must go through the daemon, so that the state held by the daemon stays consistent with the firewall in the kernel. The daemon also cannot parse rules added with the ip*tables and ebtables command-line tools; such rules are invisible to it and are not preserved when it rebuilds its ruleset on reload, so rules that must survive a reload belong in firewalld's own configuration.

The daemon exposes the currently active firewall settings over D-Bus, and it also accepts changes over D-Bus, authorised through PolicyKit.

2. The daemon
Applications, daemons and users can enable a firewall feature through D-Bus requests. A feature can be one of the predefined firewall features, such as a service, a port/protocol combination, port/packet forwarding, masquerading, ICMP blocking, or a custom rule. A feature can be enabled for a limited time and can be deactivated again.

Through the so-called direct interface, other services (libvirt, for example) can add their own rules, expressed as iptables arguments and parameters.

The netfilter connection-tracking helpers for the amanda, FTP, samba and TFTP services are also handled by the daemon, as long as they belong to a predefined service. Loading additional helpers is not part of the current interface. Because some helpers can only be loaded once all connections handled by that helper are closed, tracking connection information is important and has to be taken into account.

3. Static firewall (system-config-firewall/lokkit)
The static firewall model using system-config-firewall and lokkit is still available and will continue to be provided, but it cannot be used together with the daemon. The user or administrator decides which model to use.

A selector appears during installation, at first boot or at the first network connection, in which you choose the firewall model you want to use. The other model remains installed and can be enabled by switching modes.

4. firewalld introduces the concept of zones

drop (immutable): deny all incoming connections; outgoing connections are accepted.

Any incoming network packet is dropped without a reply. Only outgoing network connections are possible.

block (immutable): deny all incoming connections, answering with an ICMP host-prohibited message.

Any incoming network connection is rejected with an icmp-host-prohibited message for IPv4 and an icmp6-adm-prohibited message for IPv6. Only network connections initiated from this system are possible.

trusted (immutable): allow all network connections.

All network connections are accepted.

public: for use in public areas; other computers are not trusted.

For use in public areas. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

external: for use on external networks with masquerading enabled, protecting a local network.

For use on external networks with masquerading enabled, especially on routers. You cannot trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

dmz: for publicly accessible computers with limited access to the internal network.

For computers in your demilitarized zone, which are publicly accessible but have limited access to your internal network. Only selected incoming connections are accepted.

work: for use in trusted work areas.

For use in work areas. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

home: for trusted home network connections.

For use at home. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

internal: for internal networks; incoming connections are restricted.

For use on internal networks. You mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

Taking the work zone as an example, its settings as listed by firewall-cmd --zone=work --list-all look like this (the fields are self-explanatory, so they are not described individually):

work
  interfaces:
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
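The listing above is the runtime view of the zone; the permanent view (firewall-cmd --permanent --zone=work --list-all) can differ, and the difference is exactly what section 1's split between runtime and permanent configuration is about. The following script is an added example, not code from the original article or from the firewalld project. It parses the --list-all text layout, compares a runtime capture with a permanent capture of the same zone, and reports runtime-only entries (lost on firewall-cmd --reload or at boot), permanent-only entries (not enforced until the next reload) and services outside an expected baseline. Both captures and the WORK_BASELINE allowlist are constructed for a hypothetical host, not taken from a real system.

```python
"""Audit a firewalld zone from `firewall-cmd --list-all` output.

Added example, not part of the original article or of firewalld itself.
The sample captures below are constructed, not real host output.
"""
import re

# List-valued fields printed by `firewall-cmd --list-all`. The article shows the
# older subset; firewalld 0.4.x on CentOS 7 adds protocols and source-ports.
LIST_FIELDS = (
    "interfaces", "sources", "services", "ports", "protocols",
    "forward-ports", "source-ports", "icmp-blocks",
)
# Single-valued fields: yes/no flags, plus the zone target (0.4.x and later).
SCALAR_FIELDS = ("target", "icmp-block-inversion", "masquerade")

# Assumed baseline for the work zone on this hypothetical host.
WORK_BASELINE = frozenset({"dhcpv6-client", "ipp-client", "ssh"})


def parse_list_all(text):
    """Parse one zone's `firewall-cmd --list-all` output into a dict."""
    lines = [l for l in text.splitlines() if l.strip()]
    m = re.match(r"^(\S+)(\s+\(active\))?\s*$", lines[0].strip())
    if not m:
        raise ValueError("unrecognised zone header: %r" % lines[0])
    # The runtime view marks a zone bound to an interface as "(active)";
    # the permanent view prints the bare zone name.
    zone = {"zone": m.group(1), "active": m.group(2) is not None, "rich rules": []}
    for f in LIST_FIELDS:
        zone[f] = []
    in_rich_rules = False
    for raw in lines[1:]:
        key, sep, value = raw.strip().partition(":")
        key = key.strip()
        if sep and key in LIST_FIELDS:
            zone[key] = value.split()
            in_rich_rules = False
        elif sep and key in SCALAR_FIELDS:
            value = value.strip()
            zone[key] = value if key == "target" else value == "yes"
            in_rich_rules = False
        elif sep and key == "rich rules":
            in_rich_rules = True
        elif in_rich_rules:
            # Rich rules follow their header one per line, tab-indented.
            zone["rich rules"].append(raw.strip())
        else:
            raise ValueError("unexpected line in --list-all output: %r" % raw)
    return zone


def diff_zone(runtime, permanent):
    """Entries present in only one view. Runtime-only entries vanish on reload;
    permanent-only entries are not enforced until the next reload."""
    fields = LIST_FIELDS + ("rich rules",)
    return {
        "runtime_only": {f: [x for x in runtime[f] if x not in permanent[f]] for f in fields},
        "permanent_only": {f: [x for x in permanent[f] if x not in runtime[f]] for f in fields},
    }


def audit_zone(runtime_text, permanent_text, allowed_services):
    """Parse both views of one zone and return the findings worth acting on."""
    runtime = parse_list_all(runtime_text)
    permanent = parse_list_all(permanent_text)
    if runtime["zone"] != permanent["zone"]:
        raise ValueError("zone mismatch: %s vs %s" % (runtime["zone"], permanent["zone"]))
    findings = diff_zone(runtime, permanent)
    findings["zone"] = runtime["zone"]
    findings["unexpected_services"] = [s for s in runtime["services"] if s not in allowed_services]
    findings["masquerade"] = runtime.get("masquerade", False)
    return findings


# Constructed runtime capture: someone opened http, 8080/tcp and a rich rule
# without --permanent, so all three disappear at the next reload.
RUNTIME_WORK = """\
work (active)
  interfaces: eth0
  sources:
  services: dhcpv6-client ipp-client ssh http
  ports: 8080/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="10.0.0.0/8" service name="ssh" accept
"""

# Constructed permanent capture of the same zone.
PERMANENT_WORK = """\
work
  interfaces: eth0
  sources:
  services: dhcpv6-client ipp-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:
"""

if __name__ == "__main__":
    result = audit_zone(RUNTIME_WORK, PERMANENT_WORK, WORK_BASELINE)
    for field, items in result["runtime_only"].items():
        for item in items:
            print("runtime-only %s (lost on reload): %s" % (field, item))
    for field, items in result["permanent_only"].items():
        for item in items:
            print("permanent-only %s (not enforced until reload): %s" % (field, item))
    for svc in result["unexpected_services"]:
        print("service outside baseline in zone %s: %s" % (result["zone"], svc))
```

On a real host, feed the script the two captures of each zone you care about; anything reported as runtime-only is configuration that will silently vanish at the next reload or reboot, which is the usual way an "it worked yesterday" firewall hole or outage appears on a firewalld system.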


Note: the firewall daemon is independent of system-config-firewall, but the two cannot be used at the same time.



This article is from the "Thought decision height" blog, please be sure to keep this source http://chuck.blog.51cto.com/10232880/1718766

