Firewall Management Tools for Linux

Technology
1

theme: serene-rose

Firewalld: A Firewall Management Tool for Linux

Firewalld is a dynamic firewall management tool designed for Linux systems. It provides a simple way to configure and manage the system firewall, allowing administrators to easily define and adjust firewall rules to protect the system from network attacks.

Why Use Firewalld?

  • Dynamic Updates: Firewalld supports dynamic updates to firewall rules, without requiring a full reload of the entire firewall configuration file. This means you can add, modify, or delete rules instantly without interrupting network connections.

  • Zone-Based Rules: Firewalld divides network connections into different zones, each with a set of predefined rules. This design allows administrators to split zones by the security level of network connections, and flexibly apply different rules.

  • Easy to Use: Firewalld provides both a simple command-line interface and a graphical interface, allowing administrators to easily configure and manage the firewall. Its command structure and syntax are also relatively intuitive, easy to understand and use.

Basic Concepts of Firewalld

  • Zones
    Firewalld divides network connections into different zones, each with a set of predefined rules. Common zones include public zone, private zone, trusted zone, and more. Administrators can assign network interfaces to corresponding zones based on actual needs, and specify appropriate security levels and rule sets for each zone.

  • Services
    A service is a set of predefined firewall rules used to allow or deny specific types of network connections, such as the HTTP service, SSH service, FTP service, etc. By defining services, administrators can easily allow or restrict specific types of network traffic to ensure system security.

  • Ports
    Ports are the endpoints of network communication, and each port corresponds to a different type of network service or protocol. Firewalld allows administrators to control which ports can be opened for network communication, effectively limiting the system's exposure to external networks and reducing the attack surface.

Installing and Using Firewalld

  • Installation
    On most Red Hat-based Linux distributions (such as CentOS, Fedora), Firewalld is already installed as the default firewall management tool. If Firewalld is not yet installed on your system, you can use your package manager to install it.

    On CentOS/RHEL, you can use the following command to install Firewalld:

    sudo yum install firewalld

    On Ubuntu/Debian, you can use the following command to install Firewalld:

    apt-get install firewalld

  • Starting and Configuring Firewalld
    Once Firewalld is installed, you can use the following commands to start it and enable it to run on system boot:

    sudo systemctl start firewalld
sudo systemctl enable firewalld

  • View configuration data:

    firewall-cmd --list-all

  • Add an exposed port:

    firewall-cmd --add-port=8001/tcp [--permanent]     # Add
firewall-cmd --remove-port=8001/tcp [--permanent]  # Remove
# Omitting `--permanent` results in temporary exposure; adding `--permanent` makes the change permanent, which requires a reload to take effect

  • Reload configuration:

    firewall-cmd --reload

Port Forwarding with Firewalld

  • First, enable firewall IP masquerading

    firewall-cmd --query-masquerade   # Check if IP masquerading is enabled
firewall-cmd --add-masquerade     # Enable firewall IP masquerading
firewall-cmd --remove-masquerade  # Disable firewall IP masquerading

  • Forwarding configuration:

    firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080                       # Forward traffic from port 80 to port 8080
firewall-cmd --add-forward-port=proto=80:proto=tcp:toaddr=192.168.1.0.1             # Forward traffic from port 80 to 192.168.0.1
firewall-cmd --add-forward-port=proto=80:proto=tcp:toaddr=192.168.0.1:toport=8080   # Forward traffic from port 80 to port 8080 on 192.168.0.1

    firewall-cmd --remove-forward-port=port=80:proto=tcp:toport=8080                    # Delete the configuration

If the above rules do not take effect after configuration, check whether port 80 is opened in the firewall.
If port 80 is already open but forwarding still does not work, it may be because the sysctl.conf kernel parameter file does not have ip forwarding enabled.

Specific configuration is as follows

  1. Open the sysctl.conf file

    vim /etc/sysctl.conf

  2. Add the following line to the file:

    net.ipv4.ip_forward = 1

  3. After saving the file, enter the following command to apply the change:

    sysctl -p

Common Firewalld Commands

  • Start and Stop Firewalld
    • Start Firewalld: systemctl start firewalld
    • Stop Firewalld: systemctl stop firewalld
    • Restart Firewalld: systemctl restart firewalld
  • Check Service Status
    • Check Firewalld status: systemctl status firewalld
  • Check Current Firewall Status
    • Check Firewalld status: firewall-cmd --state
  • View and Modify Firewall Zones
    • View default firewall zone: firewall-cmd --get-default-zone
    • View active firewall zones: firewall-cmd --get-active-zones
    • Add a network interface to the specified firewall zone: firewall-cmd --zone=<zone name> --change-interface=<network interface>
  • Add and Remove Firewall Rules
    • Add a firewall rule for the specified service, permanent effect: firewall-cmd --zone=<zone name> --add-service=<service name> --permanent
    • Remove a firewall rule for the specified service, permanent effect: firewall-cmd --zone=<zone name> --remove-service=<service name> --permanent
    • Add a firewall rule for the specified port, permanent effect: firewall-cmd --zone=<zone name> --add-port=<port/protocol> --permanent
    • Remove a firewall rule for the specified port, permanent effect: firewall-cmd --zone=<zone name> --remove-port=<port/protocol> --permanent
  • Reload Firewall Configuration
    • Reload the Firewalld configuration file to apply changes: firewall-cmd --reload

Conclusion

After the introduction in this article, you should now have a deeper understanding of Firewalld, including its basic concepts and the usage of common commands. Firewalld provides a simple and powerful way to configure and manage the firewall on Linux systems. We hope this article helps you better protect your system security.

This is a discussion topic separated from the original thread at https://juejin.cn/post/7369150287654584346