Detailed explanation of the basic commands of Firewalld firewall in Centos7

1. Basics of Linux Firewall

The Linux firewall system mainly works at the network layer, filtering and restricting TCP/IP data packets in real time. It is a typical packet filtering firewall (or network layer firewall). The firewall system of the Linux system is based on the coexistence of the kernel: firewalld, iptables, and ebtables. By default, firewalld is used to manage the netfilter subsystem.

Netfilter: refers to the internal structure of the packet filtering firewall in the Linux kernel. It does not exist in the form of a program or file and belongs to the "kernel state" firewall function system.
Firewalld: refers to the command program used to manage the Linux firewall, which belongs to the "user mode" firewall management system;

1. Overview of firewalld

The role of firewalld is to provide matching rules (or policies) for the packet filtering mechanism. Through various rules, it tells netfilter how to handle data packets coming from a specified source, going to a specified destination, or having certain protocol characteristics. In order to organize and manage firewalls more conveniently, firewalld provides dynamic firewall management tools that support network links and interface security levels defined by network zones. Supports IPv4, IPv6 firewall settings and Ethernet bridge, and has two configuration modes:

Run Configuration
Permanent Configuration

It also supports services or applications to directly add firewall rules interfaces.

2. Firewalld network area

Firewalld divides all network data traffic into multiple zones, thus simplifying firewall management. Firewall rules that divert data traffic to the appropriate area based on conditions such as the source IP address of the data packet or the incoming network interface.

For packets entering the system, the first thing to check is its source address:

If the source address is associated with a specific area, the rules set for that area are executed;
If the source address is not associated with a specific zone, the zone of the incoming network interface is used and the rules defined for that zone are executed;
If the network interface is not associated with a specific zone, the default zone is used and the rules defined for that zone are executed;

The default zone is not a separate zone, but points to some other zone defined on the system. By default, the default zone is public, but this can be changed. The above matching rules are in order, and the first matching rule wins. In each area, you can configure a series of services or ports to be opened or closed. Each predefined area of firewalld is set with services that are opened by default.

3. Description of firewalld predefined areas

Trusted (trust zone): can receive all network connections;
public: (Public zone): Deny incoming traffic unless it is related to outgoing traffic or matches the ssh or dhcpv6-client predefined services;
work (work zone): Deny incoming traffic unless it is related to outgoing traffic or matches the ssh, ipp-client, dhcpv6-client predefined services. Used for the work zone.
home (home zone): Deny incoming traffic unless it is related to outgoing traffic or matches the ssh, ipp-client, mdns, samba-client, dhcpv6-client predefined services. Used for home networks.
internal zone: Denies incoming traffic unless it is related to outgoing traffic or matches the ssh, ipp-client, mdns, samba-client, dhcpv6-client predefined services. Used for internal networks.
external (external zone): Deny incoming traffic unless it is related to outgoing traffic or matches the ssh predefined service;
DMZ (demilitarized zone): Denies incoming traffic unless it is related to outgoing traffic or matches the SSH predefined service.
blocak (restricted zone): denies all incoming traffic unless it is related to outgoing traffic;
drop (drop zone): drops all incoming traffic unless it is related to outgoing traffic, and does not generate error responses including ICMP;

2. Configuration method of firewalld firewall

In Centos 7 system, firewalld can be configured in three ways:

firewalld-config graphical tool;
firewalld-cmd command line tool;
Configuration files in /etc/firewalld/;

Generally, it is not recommended to edit the configuration file directly;

1. Basic commands of firewalld-cmd

[root@centos01 ~]# systemctl start firewalld <!--Start firewalld-->
[root@centos01 ~]# systemctl enable firewalld<!--Set firewalld to start automatically at boot-->
[root@centos01 ~]# systemctl status firewalld <!--Check the running status of the firewall-->
[root@localhost ~]# firewall-cmd --state <!-- View the firewall permission status -->
running
[root@centos01 ~]# systemctl stop firewalld<!--Stop firewalld-->
[root@centos01 ~]# systemctl disable firewalld<!--Set firewalld not to start automatically at boot-->
[root@centos01 ~]# firewall-cmd --get-zones <!--View the predefined areas of the firewall-->
[root@centos01 ~]# firewall-cmd --get-service <!--View the predefined service types supported by the firewall-->
[root@centos01 ~]# firewall-cmd --get-default-zone <!--View the default zone of the system-->
[root@localhost /]# firewall-cmd --reload <!--Reload firewall-->
[root@centos01 ~]# firewall-cmd --get-active-zones <!--View the activated areas-->

[root@centos01 ~]# firewall-cmd --get-icmptypes <!--Display predefined ICMP types-->
address-unreachable bad-header communication-prohibited destination-unreachable 
echo-reply echo-request fragmentation-needed host-precedence-violation host-prohibited
host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement
neighbour-solicitation network-prohibited network-redirect network-unknown 
network-unreachable no-route packet-too-big parameter-problem port-unreachable
precedence-cutoff protocol-unreachable redirect required-option-missing
router-advertisement router-solicitation source-quench source-route-failed time-exceeded
timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable 
tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly 
ttl-zero-during-transit unknown-header-type unknown-option

The meanings of some blocking types in the firewall-cmd --get-icmptypes command execution results are as follows:

destination-unreachable: The destination address is unreachable.
echo-reply: reply;
parameter-problem: parameter problem;
redirect: redirect;
router-advertisement: router advertisement;
router-solicitation: router solicitation;
source-quench: source-end suppression;
time-exceeded: timeout;
timestamp-reply: timestamp reply response;
timestamp-request: timestamp request;

2. Firewalld zone management options

--get-default-zone: Display the default zone of a network connection or interface;
--set-default-zone=<zone>: Set the default zone for the network connection or interface;
--get-active-zones: Display all activated zones;
--get-zone-of-interface=<interface>: Display the zone bound to the specified interface;
--zone=<zone> --add-interface=<interface>: specifies the zone to bind the interface to;
--zone=<zone> --change-interface=<interface>: Change the bound network interface for the specified zone;
--zone=<zone> --remove-interface=<interface>: Delete the bound network interface for the specified zone;
--list-all=zones: Display all zones and their rules;
[--zone=<zone>] --list-all: Displays all rules for all specified zones. When --zone=<zone> is omitted, it means that only the default zone is operated.

The following is an example of area management:

[root@centos01 ~]# firewall-cmd --get-default-zone <!--Display the default zone in the current system-->
[root@centos01 ~]# firewall-cmd --list-all<!--Display all rules of the default area-->
[root@centos01 ~]# firewall-cmd --get-zone-of-interface=ens32 <!-- View the zone where the ens32 interface is located -->
internal
[root@centos01 ~]# firewall-cmd --zone=internal --change-interface=ens32 <!--Modify the area corresponding to the ens32 interface to the internal area-->
 The interface is under control of NetworkManager, setting zone to 'internal'.
success
[root@centos01 ~]# firewall-cmd --zone=internal --list-interface <!--View the interface list in the internal area-->
ens32
[root@centos01 ~]# firewall-cmd --get-active-zones <!--Display all activated zones-->
internal
 interfaces: ens32

3. Firewalld service management

For ease of management, firewalld predefines many services, which are stored in the /usr/lib/firewalld/services/ directory. Services are specified through a single XML configuration file. These configuration files are named in the following format: service-name.xml. Each file corresponds to a specific network service, such as ssh service. We need to place the service configuration file in the /etc/firewalld/services/ directory. The service configuration has the following advantages:

Managing rules by service name is more user-friendly;

The mode of organizing port groups by service is more efficient. If a service uses several network ports, the service configuration file is equivalent to providing a batch operation shortcut for rule management of these ports.

1) Description of common options for service management in the firewalld-cmd command area:

[--zone=<zone>] --list-services: Display all services allowed to be accessed in the specified zone;
[--zone=<zone>] --add-service=<service>: Set a service that is allowed to be accessed for the specified zone;
[--zone=<zone>] --remove-service=<service>: Delete a service that is allowed to be accessed in the specified zone;
[--zone=<zone>] --list-ports: Display all port numbers allowed to be accessed in the specified zone;
[--zone=<zone>] --add-port=<portid>[-<portid>]/<protocol>: Set a port number/port range (including protocol number) that is allowed to be accessed for the specified zone;
[--zone=<zone>] --remove-port=<portid>[-<portid>]/<protocl>: Delete the port number (including protocol name) that is allowed to be accessed in the specified zone.
[--zone=<zone>] --list-icmp-blocaks: Display all ICMP types that deny access in the specified zone;
[--zone=<zone>] --add-icmp-block=<icmptype>: Set a certain ICMP type to deny access to the specified zone;
[--zone=<zone>] --remove-icmp-block=<icmptype>: Delete a certain ICMP type that has been set to deny access in the specified zone. If --zone=<zone> is omitted, it means the operation is performed on the default zone.

2) The following is an example of firewalld service management (setting services allowed to be accessed for the default zone):

 [root@centos01 ~]# firewall-cmd --list-services <!--Display all services allowed to be accessed in the default area-->
dhcpv6-client ssh 
[root@centos01 ~]# firewall-cmd --add-service=http <!--Set the default area to allow access to http service-->
success
[root@centos01 ~]# firewall-cmd --add-service=https <!--Set the default area to allow access to https service-->
success
[root@centos01 ~]# firewall-cmd --list-services <!--Display all services allowed to be accessed in the default area-->

dhcpv6-client ssh https http

3) The following is an example of firewalld service management (setting services that are allowed to be accessed for the internal zone):

[root@centos01 ~]# firewall-cmd --zone=internal --add-service=mysql 
       <!--Set the internal area to allow access to the MySQL service-->
success
[root@centos01 ~]# firewall-cmd --zone=internal --remove-service=samba-client 
     <!--Set the internal area to not allow access to the Samba-client service-->
success
[root@centos01 ~]# firewall-cmd --zone=internal --list-services 
       <!--Show all services allowed to be accessed in the internal area-->
ssh mdns dhcpv6-client mysql

4. Port Management

When configuring services, predefined network services can be configured using service names, and the ports involved in the services will be automatically opened. However, for non-predefined services, you can only manually add ports for the specified zone. For example, you can open port 443/TCP in the internal zone by performing the following operations: Here is an example:

 [root@centos01 ~]# firewall-cmd --zone=internal --add-port=443/tcp
         <!--Open port 443/tcp in the internal area-->
success

If you want to prohibit access to port 443/TCP in the internal zone, execute the following command:

 [root@centos01 ~]# firewall-cmd --zone=internal --remove-port=443/tcp
        <!--Prohibit access to port 443/tcp in the internal area-->
success

The above configurations are all temporary configurations. If you want to save the current configuration as a permanent configuration, you can use the following command:

 [root@centos01 ~]# firewall-cmd --runtime-to-permanent
success

To configure it as a permanent rule directly, you must include the --permanent option, as follows:

[root@centos01 ~]# firewall-cmd --add-icmp-block=echo-request --permanent <!--Prohibit ping-->

success
[root@centos01 ~]# firewall-cmd --zone=external --add-icmp-block=echo-request --permanent      
      <!--Configure external area to prohibit ping-->
success

3. Two configuration modes of firewalld

As mentioned earlier, the firewall-cmd command tool has two configuration modes: Runtime mode refers to the firewall configuration currently running in memory, which will become invalid when the system or firewalld service is restarted or stopped; Permanent mode refers to the rule configuration when the firewall is restarted or reloaded, which is permanently stored in the configuration file.

The firewall-cmd command tool has three options related to configuration mode:

--reload: reloads the firewall rules and saves the status information, that is, applies the permanent configuration as the runtime configuration;
--permanent: Commands with this option are used to set permanent rules. These rules will only take effect when the firewall rules are restarted or reloaded. Without this option, it means that it is used to set runtime rules.
--runtime-to-permanent: Write the current runtime configuration to the rule configuration file, making the current rules in memory permanent configuration;

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.

You may also be interested in: