CentOS 7 firewall management: firewalld

  • 2020-05-15 03:26:43
  • OfStack

While learning to install Apache, port 80 had to be opened. CentOS 7 uses firewalld by default, so the iptables instructions found online no longer work. Since I was not familiar with iptables anyway, I simply went to the official documentation and learned firewalld, which seems easier than iptables.

Official documentation: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Using_Firewalls.html#sec-Introduction_to_firewalld

1. Introduction to firewalld

firewalld is a major feature of CentOS 7 with two big advantages: rules can be updated dynamically without restarting the service, and it introduces the concept of firewall "zones".

firewalld has both a graphical interface and a command-line interface. Since I use it on servers, this article covers only the command-line interface; see the official documentation for the graphical tool.

The command-line management tool for firewalld is firewall-cmd.

firewalld has two configuration directories: /usr/lib/firewalld/ (system configuration, avoid modifying it) and /etc/firewalld/ (user configuration).

Zone concept:

A hardware firewall generally has 3 zones; firewalld borrows this concept. The system provides the following zones by default (this is my understanding of the documentation; corrections welcome):

drop: discards all packets by default

block: rejects all incoming connections; only connections initiated from inside are allowed

public: only external connections that have been explicitly allowed can come in

external: not clear to me; appears to work like the above, allowing only specified external connections

dmz: like the DMZ of a hardware firewall, only restricted public connections are allowed in

work: work zone, the same idea as a workgroup; only specified external connections are allowed

home: similar, for a home group

internal: trusts all connections

I am not familiar with firewalls, and I have not worked out why public, external, dmz, work and home all need connections to be explicitly allowed; the practical differences in use would need explaining by someone more experienced.

2. Install firewalld

Run as root:


# yum install firewalld firewall-config

3. Run, stop and disable firewalld

Start:

# systemctl start firewalld

View status:

# systemctl status firewalld  or  firewall-cmd --state

Stop:

# systemctl stop firewalld

Disable (do not start at boot):

# systemctl disable firewalld

4. Configure firewalld

View version:


$ firewall-cmd --version

See help:


$ firewall-cmd --help

View Settings:

Display status:


$ firewall-cmd --state

View active zones:

$ firewall-cmd --get-active-zones

View the zone of a specified interface:

$ firewall-cmd --get-zone-of-interface=eth0

Reject all packets (panic mode):

# firewall-cmd --panic-on

Cancel the reject state:

# firewall-cmd --panic-off

Check whether panic mode is on:

$ firewall-cmd --query-panic

Update firewall rules:


# firewall-cmd --reload

# firewall-cmd --complete-reload

The difference between the two: --reload keeps existing connections open (this is firewalld's dynamic rule update feature), whereas --complete-reload drops existing connections, much like restarting the service.

Add an interface to a zone. The default zone is public:

# firewall-cmd --zone=public --add-interface=eth0

To make it permanent, add --permanent and then reload the firewall.

Set the default zone:

# firewall-cmd --set-default-zone=public

Takes effect immediately, no restart required.

Open ports (probably the most common task)

View all open ports in a zone:

# firewall-cmd --zone=public --list-ports

Add a port to a zone:

# firewall-cmd --zone=public --add-port=80/tcp

To make it permanent, same as above (add --permanent and reload).
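The open-port procedure above (query, add to runtime, add permanently, reload, verify) as a single idempotent script. This is an added example, not code from the original article; it assumes firewall-cmd is on the PATH, and the FIREWALL_CMD variable is a hypothetical override so the logic can be dry-run against a stub.

```shell
#!/bin/sh
# Added example (not from the original article): open one port in a firewalld
# zone idempotently, in both the runtime and the permanent configuration.
# FIREWALL_CMD may be overridden (e.g. with a stub) for dry runs; it defaults
# to the real firewall-cmd binary.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# valid_port_spec PORT/PROTO: accept only "1-65535/tcp" or "1-65535/udp".
valid_port_spec() {
    port="${1%/*}"; proto="${1#*/}"
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    case "$port" in ''|*[!0-9]*) return 1 ;; esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ]
}

# open_port ZONE PORT/PROTO: query before adding so repeated runs change
# nothing, write the permanent config, reload, then verify the final state.
open_port() {
    zone="$1"; spec="$2"
    valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
    if "$FIREWALL_CMD" --zone="$zone" --query-port="$spec" >/dev/null 2>&1; then
        echo "$spec already open in runtime config of zone $zone"
    else
        "$FIREWALL_CMD" --zone="$zone" --add-port="$spec" >/dev/null || return 1
    fi
    if ! "$FIREWALL_CMD" --permanent --zone="$zone" --query-port="$spec" >/dev/null 2>&1; then
        "$FIREWALL_CMD" --permanent --zone="$zone" --add-port="$spec" >/dev/null || return 1
    fi
    # --reload keeps established connections (unlike --complete-reload) and
    # makes the runtime state match the permanent configuration.
    "$FIREWALL_CMD" --reload >/dev/null || return 1
    "$FIREWALL_CMD" --zone="$zone" --query-port="$spec" >/dev/null 2>&1
}

# Usage (as root): sh open_port.sh public 80/tcp
if [ $# -eq 2 ]; then
    open_port "$1" "$2"
fi
```

Running it twice is safe: the second run only reloads and verifies, since both queries report the port as already present.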

Open a service. This works like opening a port, but the service must be defined in a configuration file: the /etc/firewalld directory has a services folder. This is not covered in detail here; see the documentation.


# firewall-cmd --zone=work --add-service=smtp

Remove the service:

# firewall-cmd --zone=work --remove-service=smtp

There are also port forwarding, custom complex (rich) rules and lockdown mode; since I have not needed them yet, I will learn them later.
