A brief introduction to the simple use of CentOS7 firewall and open ports

Overview (official has more detailed description)

Firewalld provides a dynamically managed firewall with support for network/firewall zones for defining trust levels for network connections or interfaces. It supports IPv4, IPv6 firewall settings, Ethernet bridges and IP sets. Runtime and permanent configuration options are separated. It also provides an interface for services or applications to directly add firewall rules.

Since it is simple to use, we must teach you how to check the status of the firewall, as well as how to turn the firewall off and on. We all know that since the firewall is turned on, it must have some port restrictions. You can't just access our host (that is, the server) through the ports you want. In other words, you can only access my host through the ports I open. Otherwise, why do we need a firewall? Anyone who wants to come in can come in (or through any port), and the firewall will become a decoration. Speaking of firewalls, I have to say one more thing. Firewalls have software-level and physical setting levels (a professional physical device in the network). What we are talking about here is the software-level firewall, which is Firewalld. The software firewall commonly used in versions below CentOS7 is Firewalld. Why is it commonly used in versions below CentOS7? This is because previous CentOS versions all use iptables firewalls. To go deeper, this has to be traced back to the development history of CentOS7 and the relationship between RedHad. I'm getting off topic. The main purpose of using a firewall is to manage the security of our hosts, and the main part of it is port management!

Query firewall status

shell

# systemctl status firewalld

execute

[warnerwu@localhost ~]$ systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
  Active: inactive (dead)
   Docs: man:firewalld(1)

Start the firewall

Note: Only administrators or administrator user groups have the authority to perform management operations on the firewall, ordinary users cannot

shell

# systemctl start firewalld

execute

[root@localhost~]# systemctl start firewalld
[root@localhost~]#

You will find that there is nothing. Those who use Linux or OSX systems know that if there is no prompt, it is the best prompt, which means it has been successful. If there is a prompt, there will be a problem.

Check the firewall status again

shell

# systemctl status firewalld

execute

[root@localhost ~]# sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
  Loaded: loaded (/usr/lib/systemd/system/firewalld.service; disabled; vendor preset: enabled)
  Active: active (running) since 2018-09-07 00:04:55 CST; 5 minutes ago
   Docs: man:firewalld(1)
 Main PID: 11339 (firewalld)
  CGroup: /system.slice/firewalld.service
      └─11339 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Sep 07 00:04:55 izj6c3bcx7adgva5dda2e0z systemd[1]: Starting firewalld - dynamic firewall daemon...
Sep 07 00:04:55 izj6c3bcx7adgva5dda2e0z systemd[1]: Started firewalld - dynamic firewall daemon.
Sep 07 00:04:55 izj6c3bcx7adgva5dda2e0z firewalld[11339]: WARNING: ICMP type 'beyond-scope' is not supported by the kernel for ipv6.
Sep 07 00:04:55 izj6c3bcx7adgva5dda2e0z firewalld[11339]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring in...-time.
Sep 07 00:04:55 izj6c3bcx7adgva5dda2e0z firewalld[11339]: WARNING: ICMP type 'failed-policy' is not supported by the kernel for ipv6.
Sep 07 00:04:55 izj6c3bcx7adgva5dda2e0z firewalld[11339]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignori...-time.
Sep 07 00:04:55 izj6c3bcx7adgva5dda2e0z firewalld[11339]: WARNING: ICMP type 'reject-route' is not supported by the kernel for ipv6.
Sep 07 00:04:55 izj6c3bcx7adgva5dda2e0z firewalld[11339]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring in...-time.
Hint: Some lines were ellipsized, use -l to show in full.

Yes, you will find that it is already running. That's it. I have to say one more thing. If you know CentOS7 or RedHat7 well enough, you will be very familiar with what systemctl is. It is a system service management tool, a system tool used to manage system services. You can understand it this way! Previous CentOS versions all use service to manage system services. For more information about systemctl or service, please Baidu or Google. We have briefly talked about how to check the firewall status and how to start the firewall. Now let's talk about how to open ports!

View the firewall open port list

The firewall port management is done through the firewall-cmd command. This must be made clear. It is also the key to managing your system port. Yes, it is her, it is her, it is her. She is so coquettish. Haha, you can't do anything to her. You can play her and make her obedient. What! You think too much. I didn't say anything. You think so yourself.

shell

# firewall-cmd --list-all

execute

[root@localhost ~]# firewall-cmd --list-all
public
 target: default
 icmp-block-inversion: no
 interfaces:
 sources:
 services: ssh dhcpv6-client
 ports:
 Protocols:
 masquerade: no
 forward-ports:
 source-ports:
 icmp-blocks:
 Rich rules:

You will find it is so empty, without any open ports. Well, this is a newly installed Linux system. Yours may be the same as mine, or it may be different. Please pay attention to this.

Add open ports to the firewall

For example, if we open port 80, other users can access my site

shell

// Step 1: Add open ports to the configuration file# firewall-cmd --zone=public --add-port=80/tcp --permanent

--zone=public Add time zone --add-port=80/tcp Add port --permanent Permanent // Load new firewall configuration file (Enter the following command as root to reload the firewall without interrupting user connections, that is, without losing status information.)

firewall-cmd --reload

Check the firewall open port list again

shell

# firewall-cmd --list-all

execute

[root@localhost ~]# firewall-cmd --list-all
public
 target: default
 icmp-block-inversion: no
 interfaces:
 sources:
 services: ssh dhcpv6-client
 ports: 80/tcp
 Protocols:
 masquerade: no
 forward-ports:
 source-ports:
 icmp-blocks:
 Rich rules:

This time you will find that there is an additional 80/tcp corresponding to the ports, which means it has been added to the firewall open list

1. Basic use of firewalld

Start: systemctl start firewalld
To shut down: systemctl stop firewalld
Check the status: systemctl status firewalld
Disable at boot: systemctl disable firewalld
Enable at boot: systemctl enable firewalld

2.systemctl is the main tool in CentOS7's service management tools, which integrates the functions of the previous service and chkconfig.

Start a service: systemctl start firewalld.service
Shut down a service: systemctl stop firewalld.service
Restart a service: systemctl restart firewalld.service
Display the status of a service: systemctl status firewalld.service
Enable a service at boot: systemctl enable firewalld.service
Disable a service at boot: systemctl disable firewalld.service
Check whether the service is started: systemctl is-enabled firewalld.service
View the list of started services: systemctl list-unit-files | grep enabled
View the list of services that failed to start: systemctl --failed

3. Configure firewalld-cmd

Check the version: firewall-cmd --version
View help: firewall-cmd --help
Show status: firewall-cmd --state
View all open ports: firewall-cmd --zone=public --list-ports
Update firewall rules: firewall-cmd --reload
View zone information: firewall-cmd --get-active-zones
Check the zone to which the specified interface belongs: firewall-cmd --get-zone-of-interface=eth0
Deny all packets: firewall-cmd --panic-on
Cancel the deny state: firewall-cmd --panic-off
Check whether it is rejected: firewall-cmd --query-panic

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.