
8.3.1 Terminal management tools


May 24, 2021. From the book "Linux Should Learn This Way".



Chapter 2, when explaining Linux commands, mentioned that the command-line terminal is an efficient way of working. firewall-cmd is the CLI version of the firewalld firewall configuration management tool. Its parameters are generally given in "long format", but do not be put off by that: RHEL 7 supports Tab completion for the parameters of some commands, and firewall-cmd is one of them. That is, in addition to completing command and file names with the Tab key, you can now also use Tab to complete the long-format parameters listed in Table 8-3.

Table 8-3 Parameters of the firewall-cmd command and their effects

Parameter                                  Effect
--get-default-zone                         Query the default zone name
--set-default-zone=<zone name>             Set the default zone, taking effect permanently
--get-zones                                Show the available zones
--get-services                             Show the predefined services
--get-active-zones                         Show the zones currently in use and their network card names
--add-source=<IP or subnet>                Direct traffic originating from this IP or subnet to the specified zone
--remove-source=<IP or subnet>             No longer direct traffic originating from this IP or subnet to the specified zone
--add-interface=<network card name>        Direct all traffic originating from this network card to the specified zone
--change-interface=<network card name>     Associate a network card with a zone
--list-all                                 Show the network card configuration, sources, ports, services and other information of the current zone
--list-all-zones                           Show the network card configuration, sources, ports, services and other information of all zones
--add-service=<service name>               Set the default zone to allow traffic for this service
--add-port=<port number/protocol>          Set the default zone to allow traffic for this port
--remove-service=<service name>            Set the default zone to no longer allow traffic for this service
--remove-port=<port number/protocol>       Set the default zone to no longer allow traffic for this port
--reload                                   Make the "permanent" configuration rules take effect immediately, overriding the current (runtime) rules
--panic-on                                 Turn on emergency mode
--panic-off                                Turn off emergency mode

Like other firewall configuration tools in Linux, firewall policies configured with firewalld default to runtime mode (also called "current effect" mode), and they are lost when the system restarts. If you want a policy to stay in place, use permanent mode: add the --permanent parameter when you set the firewall policy with firewall-cmd, and the configured policy will take effect permanently.
However, permanent mode has one awkward property: a policy set with it only becomes active automatically after the system restarts. If you want the configured policy to take effect immediately, you must run firewall-cmd --reload by hand. Note that --reload loads the permanent configuration and discards any runtime-only changes, so a rule that was only ever added without --permanent disappears at that point.

The next experiments are simple, but pay close attention to whether Mr. Liu (the author) is using runtime mode or permanent mode in each one. If you overlook this detail, even a correctly configured firewall policy may not produce the result you expect.

View the zone currently used by the firewalld service:

[root@linuxprobe ~]# firewall-cmd --get-default-zone
public

Query the zone of the eno16777728 network card in the firewalld service:

[root@linuxprobe ~]# firewall-cmd --get-zone-of-interface=eno16777728
public

Change the zone of the eno16777728 network card in the firewalld service to external, taking effect after the system restarts. Then view the zone name in the current (runtime) mode and in permanent mode, respectively:

[root@linuxprobe ~]# firewall-cmd --permanent --zone=external --change-interface=eno16777728
success
[root@linuxprobe ~]# firewall-cmd --get-zone-of-interface=eno16777728
public
[root@linuxprobe ~]# firewall-cmd --permanent --get-zone-of-interface=eno16777728
external

The runtime query still reports public because --permanent only changed the on-disk configuration; the live firewall is untouched until a reload or reboot. Set the current default zone of the firewalld service to public:

[root@linuxprobe ~]# firewall-cmd --set-default-zone=public
success

Turn the emergency (panic) mode of the firewalld service on and off. Panic mode blocks all network connections, so use it with great caution when you are controlling the server remotely, since it will also cut your own session:

[root@linuxprobe ~]# firewall-cmd --panic-on
success
[root@linuxprobe ~]# firewall-cmd --panic-off
success

Query whether the public zone allows traffic requesting the SSH and HTTPS protocols:

[root@linuxprobe ~]# firewall-cmd --zone=public --query-service=ssh
yes
[root@linuxprobe ~]# firewall-cmd --zone=public --query-service=https
no

Set traffic requesting the HTTPS protocol in the firewalld service to be permanently allowed, effective immediately:

[root@linuxprobe ~]# firewall-cmd --zone=public --add-service=https
success
[root@linuxprobe ~]# firewall-cmd --permanent --zone=public --add-service=https
success
[root@linuxprobe ~]# firewall-cmd --reload
success

Set traffic requesting the HTTP protocol in the firewalld service to be permanently rejected, effective immediately:

[root@linuxprobe ~]# firewall-cmd --permanent --zone=public --remove-service=http
success
[root@linuxprobe ~]# firewall-cmd --reload
success

Set the policy for traffic accessing ports 8080 and 8081 in the firewalld service to allow, but only with current (runtime) effect:

[root@linuxprobe ~]# firewall-cmd --zone=public --add-port=8080-8081/tcp
success
[root@linuxprobe ~]# firewall-cmd --zone=public --list-ports
8080-8081/tcp

Forward traffic that originally accessed local port 888 to port 22, with effect both now and permanently.

The traffic-forwarding command format is:
firewall-cmd --permanent --zone=<zone> --add-forward-port=port=<source port>:proto=<protocol>:toport=<target port>:toaddr=<target IP address>

[root@linuxprobe ~]# firewall-cmd --permanent --zone=public --add-forward-port=port=888:proto=tcp:toport=22:toaddr=192.168.10.10
success
[root@linuxprobe ~]# firewall-cmd --reload
success

Attempt to access port 888 of the 192.168.10.10 host from the client using the ssh command:

[root@client A ~]# ssh -p 888 192.168.10.10
The authenticity of host '[192.168.10.10]:888 ([192.168.10.10]:888)' can't be established.
ECDSA key fingerprint is b8:25:88:89:5c:05:b6:dd:ef:76:63:ff:1a:54:02:1a.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.10.10]:888' (ECDSA) to the list of known hosts.
root@192.168.10.10's password: Enter the password of the remote root administrator here
Last login: Sun Jul 19 21:43:48 2017 from 192.168.10.10

A rich rule in firewalld is a more detailed firewall policy that can target system services, port numbers, source and destination addresses, and similar criteria. Because a rich rule with a reject or drop action is evaluated before the zone's ordinary allow rules, it wins even when the service is otherwise allowed in that zone. For example, configure a rich rule in the firewalld service to deny access to the ssh service (port 22) for all hosts on the 192.168.10.0/24 segment:

[root@linuxprobe ~]# firewall-cmd --permanent --zone=public --add-rich-rule="rule family="ipv4" source address="192.168.10.0/24" service name="ssh" reject"
success
[root@linuxprobe ~]# firewall-cmd --reload
success

Note that the inner double quotes here are consumed by the shell before the rule reaches firewalld; wrapping the whole rule in single quotes instead (as the firewalld documentation does) passes it through intact. From the client, use the ssh command to try to access the ssh service (port 22) of the 192.168.10.10 host:

[root@client A ~]# ssh 192.168.10.10
Connecting to 192.168.10.10:22...
Could not connect to '192.168.10.10' (port 22): Connection failed.
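As an added example (this is not code from the book, and not part of firewalld's own tooling), the following POSIX shell helpers wrap the runtime-versus-permanent procedure from this section: every change is applied in both modes so it is live now and survives both --reload and a reboot, a check confirms the two configurations agree, and two small builders produce the --add-forward-port argument and the rich rule in exactly the syntax the chapter uses. It assumes firewall-cmd is on PATH; the FIREWALL_CMD variable is a hook belonging to this script only (firewalld has no such variable) so the helpers can be pointed at a wrapper or a shell function for a dry run.

```shell
#!/bin/sh
# Added example, not from the book: helpers around firewall-cmd that apply
# each change in runtime AND permanent mode, then verify the two agree.
# Assumption: firewall-cmd is on PATH. FIREWALL_CMD is this script's own
# override hook (not a firewalld feature) for dry runs and tests.

fwcmd() { "${FIREWALL_CMD:-firewall-cmd}" "$@"; }

# Build port=<src>:proto=<tcp|udp>:toport=<dst>[:toaddr=<ip>] after validating
# the ports, so a non-numeric or out-of-range port never reaches firewall-cmd.
forward_port_arg() {
    src=$1 proto=$2 dst=$3 addr=${4:-}
    case $proto in
        tcp|udp) ;;
        *) echo "forward_port_arg: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    for p in "$src" "$dst"; do
        case $p in ''|*[!0-9]*) echo "forward_port_arg: bad port '$p'" >&2; return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "forward_port_arg: port out of range '$p'" >&2; return 1
        fi
    done
    arg="port=$src:proto=$proto:toport=$dst"
    if [ -n "$addr" ]; then arg="$arg:toaddr=$addr"; fi
    printf '%s\n' "$arg"
}

# Build the chapter's rich rule. The quotes are produced here, so the caller
# passes the result as one argument and the shell never strips them.
rich_reject_rule() {
    family=$1 cidr=$2 service=$3
    printf 'rule family="%s" source address="%s" service name="%s" reject\n' \
        "$family" "$cidr" "$service"
}

# Apply one change (e.g. --add-service=https) to a zone in runtime mode AND in
# permanent mode: effective now, kept across --reload (which discards
# runtime-only changes) and kept across a reboot.
apply_both() {
    zone=$1; shift
    fwcmd --zone="$zone" "$@" || return 1
    fwcmd --permanent --zone="$zone" "$@" || return 1
}

# Check that a port (or range) is allowed in both runtime and permanent config.
# --query-port exits 0 for "yes" and 1 for "no". Returns 0 only if both agree.
port_persisted() {
    zone=$1 port=$2 rc=0
    fwcmd --zone="$zone" --query-port="$port" >/dev/null 2>&1 \
        || { echo "runtime: $port not allowed in zone $zone"; rc=1; }
    fwcmd --permanent --zone="$zone" --query-port="$port" >/dev/null 2>&1 \
        || { echo "permanent: $port not allowed in zone $zone"; rc=1; }
    return $rc
}

# Demo: only runs when asked for explicitly (./fw_helpers.sh --apply) because it
# really changes the firewall. It replays the chapter's steps on the public zone.
if [ "${1:-}" = "--apply" ]; then
    apply_both public --add-service=https
    apply_both public --remove-service=http
    apply_both public --add-port=8080-8081/tcp
    apply_both public --add-forward-port="$(forward_port_arg 888 tcp 22 192.168.10.10)"
    apply_both public --add-rich-rule="$(rich_reject_rule ipv4 192.168.10.0/24 ssh)"
    fwcmd --reload
    port_persisted public 8080-8081/tcp && echo "8080-8081/tcp is allowed now and after reboot"
fi
```

The point of port_persisted is the failure mode the chapter warns about: a port added only in runtime mode answers "yes" to a plain --query-port but "no" to --permanent --query-port, and the next --reload or reboot silently drops it. Newer firewalld releases also offer firewall-cmd --runtime-to-permanent to copy the live configuration into the permanent one instead of repeating each command with --permanent.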