May 24, 2021 That's what Linux should learn
Across the various Linux distributions there are few graphical tools that Mr. Liu can recommend with confidence, but firewall-config is one of them. It is the GUI (graphical user interface) front end of the firewalld firewall management tool, and it can do almost everything that firewall-cmd does on the command line. It is no exaggeration to say that even a reader without a solid grounding in Linux commands can configure the firewall policy of RHEL 7 with it. The firewall-config interface is shown in Figure 8-2; its functions are as follows.
1: Choose between Runtime mode and Permanent mode for the configuration.
2: List of the available zones (policy sets).
3: List of commonly used system services.
4: The zone currently in use.
5: Manage the services of the selected zone.
6: Manage the ports of the selected zone.
7: Turn SNAT (source network address translation, labelled Masquerade in the tool) on or off.
8: Set port forwarding policies.
9: Control ICMP request traffic (ICMP filters).
10: Manage the firewall's rich rules.
11: Manage network interfaces (bind them to a zone).
12: Services in the selected zone; ticking the box in front of a service allows the traffic associated with it.
13: Running status of the firewall-config tool.
Figure 8-2 firewall-config interface
Mr. Liu Wei adds a few words here. Once a firewall policy has been configured with the firewall-config tool, no second confirmation is needed: every modification is saved as soon as it is made. Note the difference between the two modes, though: a change made in Runtime mode is active immediately, while a change made in Permanent mode is written to disk immediately but only becomes active after a reload (or a reboot). Here is a hands-on session.
Let's first allow traffic requesting the http service in the current zone, in Runtime mode only, so the rule is active now but will not survive a reload or reboot. The configuration is shown in Figure 8-3.
Figure 8-3 Allow traffic requesting the http service
Next, try adding a firewall policy rule that allows traffic to ports 8080 through 8088 (TCP), this time in Permanent mode so that the rule remains in effect after the system restarts. Once the interface shown in Figure 8-4 has been configured, you also need to click Reload Firewalld in the Options menu for the new policy to take effect immediately (see Figure 8-5). This has the same effect as running firewall-cmd with the --reload parameter on the command line. Be aware that a reload also discards any rule that was added in Runtime mode only, such as the http rule above.
Figure 8-4 Allow traffic to ports 8080-8088
Figure 8-5 Make the configured firewall policy rules take effect immediately
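The same three steps from the command line, as an added example that is not part of the book: each firewall-config click in Figures 8-3 to 8-5 maps to one firewall-cmd invocation, and the script makes the Runtime/Permanent/reload interaction explicit. The zone name public and the FW_APPLY switch are assumptions of this script; without FW_APPLY=1 the commands are only printed, so it can be reviewed on a machine that has no firewalld at all.

```shell
#!/bin/sh
# Added example (not from the book): firewall-cmd equivalents of the
# firewall-config clicks in Figures 8-3 to 8-5.  Assumptions: the "current
# zone" is public, and commands are only printed unless FW_APPLY=1, so the
# script also runs on a machine without firewalld.

ZONE="${ZONE:-public}"

# Print the firewall-cmd invocation; execute it only when FW_APPLY=1 and
# firewall-cmd is installed.  Printing first lets you review what would be
# sent to a production firewall before anything is changed.
fw() {
    printf 'firewall-cmd %s\n' "$*"
    if [ "${FW_APPLY:-0}" = "1" ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd "$@"
    fi
}

# Figure 8-3, Runtime mode: allow http now.  Nothing is written to disk, so
# the rule disappears on reload or reboot.
allow_http_runtime() {
    fw --zone="$ZONE" --add-service=http
}

# Figure 8-4, Permanent mode: open TCP 8080-8088.  This only edits the zone
# file under /etc/firewalld/zones/; the running firewall is unchanged until
# a reload, exactly as in the GUI.
open_ports_permanent() {
    fw --permanent --zone="$ZONE" --add-port=8080-8088/tcp
}

# Figure 8-5, Options > Reload Firewalld.  Loads the permanent configuration
# into the runtime and, as a side effect, discards every runtime-only change:
# after this call the http rule from allow_http_runtime is gone.
reload_firewalld() {
    fw --reload
}

# If a rule was tested in Runtime mode and should be kept, promote the whole
# runtime configuration before reloading instead of re-typing it.
promote_runtime() {
    fw --runtime-to-permanent
}

# Check both states after the GUI work; they can legitimately differ.
verify() {
    fw --zone="$ZONE" --query-service=http || echo "http not active in runtime"
    fw --permanent --zone="$ZONE" --query-port=8080-8088/tcp || echo "ports not in permanent config"
}

# Replay the book's sequence: `sh fw-gui-equiv.sh run` (prefix FW_APPLY=1 to apply).
if [ "${1:-}" = "run" ]; then
    allow_http_runtime
    open_ports_permanent
    reload_firewalld
    verify
fi
```

The order of the replay is deliberate: because reload_firewalld runs after allow_http_runtime, the verify step shows http absent from the runtime unless promote_runtime was called in between, which is the mistake most often made when mixing the two modes in the GUI.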
SNAT (Source Network Address Translation) was mentioned above when explaining the functions of the firewall-config tool. SNAT is a technique devised to ease the shortage of public IP addresses: it lets many hosts on a private network reach the Internet through the same external IP address. The technique is so widely used that we can say we rely on it every day without noticing. For example, SNAT is at work when we visit this book's companion site, www.linuxprobe.com, through a home gateway device such as a wireless router.
Compare a network that does not use SNAT (Figure 8-6) with one that does (Figure 8-7). The LAN in Figure 8-6 contains several PCs. If the gateway server does not apply SNAT, the request packets arrive at the web server on the Internet with a private source address; the web server cannot route its response packets back to that private address, so the PC never receives a response. In the LAN of Figure 8-7 the gateway server applies SNAT, rewriting the source address of outgoing packets to its own public address, so the web server sends the response packets to the gateway server, which in turn forwards them to the PC on the local network.
Figure 8-6 Network without SNAT
Figure 8-7 Network with SNAT
Implementing SNAT with the iptables command can be cumbersome, but in firewall-config it is a piece of cake: simply tick the Masquerade zone check box as shown in Figure 8-8 and SNAT is turned on. Keep in mind that masquerading applies to all traffic leaving through the selected zone, so enable it on the zone bound to the external interface, not on the one facing the intranet.
Figure 8-8 Turn on SNAT in the firewall
To give you an intuitive view of how different tools implement the same functionality, the firewall-config tool is used here to repeat the rule configured earlier with firewall-cmd: forward traffic arriving on port 888 to port 22, effective both now and permanently, as shown in Figures 8-9 and 8-10.
Figure 8-9 configures local port forwarding
Figure 8-10 makes firewall policy rules effective immediately
Configure a rich rule that allows host 192.168.10.20 to access port 1234 on this machine, as shown in Figure 8-11. Unlike simply opening port 1234 in the zone, which would admit every address the zone covers, the rich rule limits access to that single source address.
Figure 8-11 Configure the firewall rich rule policy
A server in a production environment commonly has several network interfaces in service at the same time, and the interface serving the intranet and the one serving the external network should not share the same firewall zone. In other words, each network interface can be bound to its own zone (see Figure 8-12), so that traffic from different interfaces is controlled by a different policy; the result is much better targeted filtering.
Figure 8-12 Bind a network interface to a firewall zone
Finally, Mr. Liu wants to say that the firewall-config tool is genuinely practical: many of the long, complex commands are replaced by graphical buttons, and the rules are simple and clear enough to handle everyday work. So once again we stress the principle of configuring firewall policies: as long as the required functionality is achieved, use whichever tool you please.
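In the spirit of that closing remark, here are the command-line equivalents of the remaining GUI steps (Figures 8-8 to 8-12: masquerading, port forwarding, the rich rule, and binding interfaces to zones), as an added example that is not part of the book. The zone names public and internal, the interface names eth0 and eth1, and the FW_APPLY switch are assumptions of this script; each rule is emitted twice, once for the runtime and once with --permanent, which is how "effective now and permanently" is expressed on the command line.

```shell
#!/bin/sh
# Added example (not from the book): firewall-cmd equivalents of Figures 8-8
# to 8-12, with the checks that matter when these rules reach a real server.
# Assumptions: zone public faces the Internet, zone internal faces the LAN,
# eth0/eth1 are the matching NICs.  Commands are printed, and executed only
# when FW_APPLY=1 and firewall-cmd is installed.

EXT_ZONE="${EXT_ZONE:-public}"
INT_ZONE="${INT_ZONE:-internal}"
EXT_IF="${EXT_IF:-eth0}"
INT_IF="${INT_IF:-eth1}"

# Print a copy-pasteable firewall-cmd line (arguments containing spaces or
# double quotes, i.e. rich rules, are single-quoted), then run it if asked.
fw() {
    out="firewall-cmd"
    for a in "$@"; do
        case "$a" in
            *" "*|*'"'*) out="$out '$a'" ;;
            *) out="$out $a" ;;
        esac
    done
    printf '%s\n' "$out"
    if [ "${FW_APPLY:-0}" = "1" ] && command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd "$@"
    fi
}

# "Current and permanent" in one step: the GUI needs the change in both
# modes (or a Permanent change plus a reload); on the CLI run it twice.
both() {
    fw "$@"
    fw --permanent "$@"
}

# Figure 8-8, Masquerade zone check box: SNAT for everything leaving through
# the zone, so it belongs on the external zone only.  If LAN hosts still get
# no replies, check that `sysctl net.ipv4.ip_forward` reports 1 (firewalld
# normally sets it when masquerading is on).
enable_masquerade() {
    both --zone="$EXT_ZONE" --add-masquerade
}

# Figures 8-9/8-10: local forward of TCP 888 to 22.  Without toaddr the
# redirect is local and needs no masquerading.  Port 888 now exposes sshd to
# the whole zone, so also decide whether the ssh service itself stays open.
forward_888_to_22() {
    both --zone="$EXT_ZONE" --add-forward-port=port=888:proto=tcp:toport=22
}

# Figure 8-11: rich rule letting one host reach port 1234.  Contrast with
# --add-port=1234/tcp, which would open it to every address in the zone.
allow_host_to_1234() {
    both --zone="$EXT_ZONE" --add-rich-rule="rule family=\"ipv4\" source address=\"192.168.10.20\" port port=\"1234\" protocol=\"tcp\" accept"
}

# Figure 8-12: bind each NIC to its zone.  Afterwards confirm with
# --get-active-zones; on a NetworkManager-managed RHEL 7 host the binding is
# also kept as ZONE= in /etc/sysconfig/network-scripts/ifcfg-<nic>, so look
# there if a reboot undoes the change.
bind_interfaces() {
    both --zone="$EXT_ZONE" --change-interface="$EXT_IF"
    both --zone="$INT_ZONE" --change-interface="$INT_IF"
}

# What an auditor would read back: which zones are live and the full
# external-zone policy (services, ports, masquerade, forwards, rich rules).
show_state() {
    fw --get-active-zones
    fw --zone="$EXT_ZONE" --list-all
}

# Replay: `sh fw-nat-equiv.sh run` (prefix FW_APPLY=1 to apply for real).
if [ "${1:-}" = "run" ]; then
    enable_masquerade
    forward_888_to_22
    allow_host_to_1234
    bind_interfaces
    show_state
fi
```

Running the script without FW_APPLY prints the exact lines the GUI would have generated, which is a convenient way to put a firewall-config session into a change ticket or a version-controlled runbook.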