CentOS 7 and later distributions ship firewalld as the default firewall management tool in place of the iptables service. Both are front ends to the same kernel packet-filtering framework, netfilter: on CentOS 7 firewalld still generates iptables rules behind the scenes, and on CentOS 8 its backend is nftables. Compared with the iptables service, firewalld supports dynamic updates (a single rule can be added or removed at runtime without flushing and reloading the whole rule set, so existing connections are not interrupted) and adds the concept of zones. Put simply, a zone is one of several firewall policy sets (policy templates) that firewalld prepares in advance; the user picks the set that matches the production scenario, which allows quick switching between firewall policies.
Zones are a major feature of firewalld, but CentOS 7 is generally deployed on servers, where there is little need to switch zones, so this article does not cover them. There is plenty of material online; you can search Baidu for it.
Start the service:
systemctl start firewalld
There is no need to worry about losing remote SSH access when the firewall is enabled: in the default public zone the ssh service (port 22/tcp) is allowed out of the box. If sshd listens on a different port, or the default zone has been changed to one that does not allow ssh, allow that port first (see --add-port below); otherwise starting the firewall will cut the session.
Stop the service:
systemctl stop firewalld
Restart the service:
systemctl restart firewalld
View service status:
systemctl status firewalld
firewalld stores its configuration in two directories: /usr/lib/firewalld and /etc/firewalld. The former holds the default files shipped with the package and the latter holds user-defined data, so adding services or rules is done under /etc/firewalld. A file in /etc/firewalld with the same name as one in /usr/lib/firewalld overrides the default copy, and the --permanent commands below write to /etc/firewalld.
services: service definitions, each an XML file that bundles a set of rules (ports and protocols) under one name, such as ssh.xml
zones: zone rules, one XML file per zone
firewalld.conf: the main configuration file, where the default zone can be set (DefaultZone=). The default zone is public, which corresponds to public.xml in the zones directory.
The first thing to note is that when a firewall-cmd command is run without the --permanent parameter, the configuration takes effect immediately but is not stored, so it is lost when firewalld or the server is restarted. With --permanent, the configuration is written to the files under /etc/firewalld but does not take effect in real time; you must run firewall-cmd --reload to load it. Be aware that --reload also discards any runtime-only rules that were added without --permanent. To apply a rule immediately and persist it, either run the command twice (once with --permanent and once without), or make the runtime changes and then save them all with firewall-cmd --runtime-to-permanent.
firewall-cmd --reload #Reload the permanent configuration; runtime-only rules are lost
firewall-cmd --state #Show whether firewalld is running
firewall-cmd --list-all #List the full configuration of the default zone (services, ports, rich rules, ...)
firewall-cmd --panic-on #Panic mode: reject all traffic, remote connections are dropped immediately, only local console login is possible
firewall-cmd --panic-off #Leave panic mode; existing SSH sessions were already cut, and this article notes that firewalld had to be restarted before SSH connections were accepted again
firewall-cmd --query-panic #Check whether panic mode is active
All of the following commands act on the default zone unless --zone=<zone> is given, and on the runtime configuration unless --permanent is given.
firewall-cmd --add-service=<service name> #Allow a service (defined in the services directory, e.g. ssh, http)
firewall-cmd --remove-service=<service name> #Remove an allowed service
firewall-cmd --add-port=<port>/<protocol> #Allow a port/protocol (tcp or udp), e.g. 8080/tcp
firewall-cmd --remove-port=<port>/<protocol> #Remove an allowed port/protocol
firewall-cmd --list-ports #List open ports
firewall-cmd --add-protocol=<protocol> #Allow an IP protocol (e.g. icmp, which allows ping)
firewall-cmd --remove-protocol=<protocol> #Remove an allowed protocol
firewall-cmd --list-protocols #List allowed protocols
Rich rules contain double quotes, so put the whole rule in single quotes on the shell command line:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" accept'
example:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.1" accept' #Allow all traffic from 192.168.2.1
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" protocol value="<protocol>" accept'
example:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.208" protocol value="icmp" accept' #Allow the icmp protocol from host 192.168.2.208, i.e. allow that host to ping
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" service name="<service name>" accept'
example:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.208" service name="ssh" accept' #Allow host 192.168.2.208 to access the ssh service
firewall-cmd --add-rich-rule='rule family="ipv4" source address="<ip>" port protocol="<port protocol>" port="<port>" accept'
example:
firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.2.1" port protocol="tcp" port="22" accept' #Allow host 192.168.2.1 to access port 22
In each of the rich-rule commands above, source address can also be a network segment in CIDR notation, in which case every IP in that segment matches the rule:
E.g.:
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="22" accept'
This allows hosts on the 192.168.2.0/24 segment to access port 22. Note that --zone=drop puts the rule in the drop zone, which only applies to interfaces or sources bound to that zone; leave out --zone to add the rule to the default zone.
In each command, replace accept with reject to refuse the traffic (the client immediately receives an ICMP unreachable or TCP reset), or with drop to discard it silently (the client sees nothing and its connection attempt times out).
E.g.:
firewall-cmd --zone=drop --add-rich-rule='rule family="ipv4" source address="192.168.2.0/24" port protocol="tcp" port="22" reject'
This prohibits hosts on the 192.168.2.0/24 segment from accessing port 22. firewalld evaluates drop/reject rich rules before allow rules, so such a rule takes effect even when the ssh service is otherwise allowed in the zone.
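The --permanent/--reload procedure and the rich-rule commands above, combined into one script as an added example that is not part of the original article: it limits SSH to a single admin subnet with an accept rich rule, removes the zone-wide ssh service, applies every change to both the runtime and the permanent configuration, and verifies the result with --query-rich-rule. The zone name public, the subnet 192.168.2.0/24, port 22 and the FIREWALL_CMD, ZONE and ADMIN_NET variables are assumptions of this example, and firewall-cmd must be run as root.

```shell
#!/bin/sh
# Added example, not from the original article: restrict SSH to one admin
# subnet with a firewalld rich rule, applied both to the running firewall
# and to the permanent configuration, then verified.
#
# Assumptions made by this example:
#   - the default zone is "public" (check: firewall-cmd --get-default-zone)
#   - sshd listens on tcp/22
#   - the admin subnet is 192.168.2.0/24 (borrowed from the article's examples)
#   - firewall-cmd is run as root
# Set FIREWALL_CMD=echo for a dry run that only prints the commands.
set -eu

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
ZONE="${ZONE:-public}"
ADMIN_NET="${ADMIN_NET:-192.168.2.0/24}"

# Build a rich rule string with the quoting firewalld documents:
# rich_rule <family> <source cidr> <port> <protocol> <accept|reject|drop>
rich_rule() {
    printf 'rule family="%s" source address="%s" port port="%s" protocol="%s" %s' \
        "$1" "$2" "$3" "$4" "$5"
}

# Run one firewall-cmd operation twice: once for the runtime configuration
# (effective immediately) and once with --permanent (survives reboot).
# This avoids --reload, which would also discard every other runtime-only rule.
apply_both() {
    "$FIREWALL_CMD" --zone="$ZONE" "$@"
    "$FIREWALL_CMD" --zone="$ZONE" --permanent "$@"
}

restrict_ssh() {
    allow_rule="$(rich_rule ipv4 "$ADMIN_NET" 22 tcp accept)"
    # Order matters: add the narrow allow rule first, then remove the
    # zone-wide ssh service, so the admin session running this script is
    # never locked out. Other sources then hit the zone default, which is
    # reject in the public zone.
    apply_both --add-rich-rule="$allow_rule"
    apply_both --remove-service=ssh
}

# --query-* commands exit 0 when the rule is present; with set -e the script
# aborts if either the runtime or the permanent configuration lacks it.
verify() {
    allow_rule="$(rich_rule ipv4 "$ADMIN_NET" 22 tcp accept)"
    "$FIREWALL_CMD" --zone="$ZONE" --query-rich-rule="$allow_rule" >/dev/null
    "$FIREWALL_CMD" --zone="$ZONE" --permanent --query-rich-rule="$allow_rule" >/dev/null
}

# Only change the firewall when explicitly asked: ./restrict-ssh.sh apply
if [ "${1:-}" = "apply" ]; then
    restrict_ssh
    verify
    echo "SSH is now limited to $ADMIN_NET in zone $ZONE"
fi
```

Run it as root with `./restrict-ssh.sh apply`; `FIREWALL_CMD=echo ./restrict-ssh.sh apply` prints the four firewall-cmd invocations without touching the firewall. Applying each change to the runtime and permanent configuration separately, instead of using --permanent followed by --reload, keeps any other runtime-only rules intact, and adding the allow rule before removing the ssh service is what keeps the current SSH session alive.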
A detailed look at the firewalld firewall, by xuad88.