Comprehensive Analysis of Linux Firewall! Securing the Operating System (Part 2)

Linux | Red Hat Certification | IT Technology | Operations Engineer


1. Firewall Service Management

View current active services

firewall-cmd --list-services
[root@localhost ~]# firewall-cmd --set-default-zone=public
success
[root@localhost ~]# firewall-cmd --list-services
ssh dhcpv6-client
[root@localhost ~]# firewall-cmd --set-default-zone=home
success
[root@localhost ~]# firewall-cmd --list-services
ssh mdns samba-client dhcpv6-client
# Switching the default zone and listing again gives an intuitive view of the services allowed in different zones

Add services to a specified zone

firewall-cmd --add-service=service_name --zone=zone_name
[root@localhost ~]# firewall-cmd --add-service=http --zone=home
success      # Add the http service to the home zone policy
[root@localhost ~]# firewall-cmd --list-services
ssh mdns samba-client dhcpv6-client http  # Check that the http service was added (home is the default zone here)
[root@localhost ~]# firewall-cmd --add-service=http --zone=public
success        # Add the http service to the public zone policy
[root@localhost ~]# firewall-cmd --list-services --zone=public
ssh dhcpv6-client http         # Check that the http service was added

Remove a specified service from a zone

firewall-cmd --remove-service=service_name --zone=zone_name
[root@localhost ~]# firewall-cmd --remove-service=http --zone=public
success        # Remove the newly added http service from the public zone
[root@localhost ~]# firewall-cmd --list-services --zone=public
ssh dhcpv6-client    # The http service is no longer present

Note:

The add and remove commands above change only the runtime configuration: after the firewall is reloaded or restarted, every zone reverts to its saved (permanent) configuration. Reload/restart commands: firewall-cmd --reload or systemctl restart firewalld
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --list-services --zone=home
ssh mdns samba-client dhcpv6-client    # The http service added to the home zone was never removed, yet after the reload it is gone: the zone went back to its default state

To make it permanent:

firewall-cmd --runtime-to-permanent (run after the add-service command; it saves the whole current runtime configuration, not only the last change)
[root@localhost ~]# firewall-cmd --add-service=http --zone=public
success              # Add http service to public zone
[root@localhost ~]# firewall-cmd --list-services --zone=public
ssh dhcpv6-client http      # Check services in the public zone
[root@localhost ~]# firewall-cmd --runtime-to-permanent
success              # Write the current running rules to the configuration file to make them permanent
[root@localhost ~]# firewall-cmd --reload
success              # Reload the firewall to verify that the permanent settings took effect
[root@localhost ~]# firewall-cmd --list-services --zone=public
ssh dhcpv6-client http      # The http service still exists after the reload

2. Firewall Port Management (Common)

Deployed services often need to be reachable from a web browser. With the firewall running on its default rules, that access may fail; but for security reasons we do not want to turn the firewall off completely. Opening only the specific ports a service needs is therefore especially important.

Add ports to a specified zone

firewall-cmd --zone=zone_name --add-port=port_number/protocol_name
[root@localhost ~]# firewall-cmd --get-default-zone
home            # View the current default zone
[root@localhost ~]# firewall-cmd --zone=home --add-port=443/tcp
success            # Add port 443 to the home zone; the port must be followed by the protocol name, otherwise an error occurs
[root@localhost ~]# firewall-cmd --zone=home --add-port=6600/tcp
success            # Add port 6600 to the home zone
[root@localhost ~]# firewall-cmd --list-ports --zone=home
443/tcp 6600/tcp      # View ports in the home zone
[root@localhost ~]# firewall-cmd --zone=public --add-port=3000-3010/udp
success            # To add a range of ports to a zone, put '-' between the first and last port
[root@localhost ~]# firewall-cmd --list-ports --zone=public
3000-3010/udp        # View the newly opened ports in the public zone

Note: If the command does not include --zone=zone_name, the operation is performed in the default zone.

Set added ports to be permanently effective

Add the '--permanent' option to the add-port command, e.g. firewall-cmd --zone=home --add-port=443/tcp --permanent. A --permanent rule is written to the saved configuration but is not applied to the running firewall until firewall-cmd --reload, so either run the command both with and without --permanent or reload afterwards.

Remove a port from a specified zone

firewall-cmd --zone=zone_name --remove-port=port_number/protocol_name
[root@localhost ~]# firewall-cmd --zone=public --remove-port=3000-3010/udp
success            # Remove ports 3000-3010 just added to the public zone; the port number must again be followed by the protocol name
[root@localhost ~]# firewall-cmd --list-ports --zone=public
                   # Empty output: ports 3000-3010 no longer exist in the public zone
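An added example, not part of the original article, that ties together the port-range syntax above and the runtime-versus-permanent behaviour described in the service section: port_covered() checks whether a single port/protocol is already allowed by a zone's port list (including ranges such as 3000-3010/udp), and report_port_drift() lists the runtime rules that would be lost on --reload and the permanent rules that are not active yet. The function names and the constructed port lists in the comments are assumptions; report_port_drift() needs firewall-cmd and root.

```shell
# Added example (not the article's own commands). port_covered LIST WANT:
# LIST is the space-separated output of `firewall-cmd --zone=Z --list-ports`,
# WANT is a single port such as 3005/udp. Returns 0 if WANT is covered.
port_covered() {
    list=$1; want=$2
    wport=${want%/*}; wproto=${want#*/}
    for entry in $list; do
        proto=${entry#*/}; range=${entry%/*}
        [ "$proto" = "$wproto" ] || continue            # protocol must match
        case $range in
            *-*) lo=${range%-*}; hi=${range#*-} ;;      # range entry, e.g. 3000-3010
            *)   lo=$range;      hi=$range      ;;      # single port entry
        esac
        [ "$wport" -ge "$lo" ] && [ "$wport" -le "$hi" ] && return 0
    done
    return 1
}

# list_minus A B: print the items of space-separated list A that are absent from B.
list_minus() {
    out=""
    for a in $1; do
        found=0
        for b in $2; do [ "$a" = "$b" ] && found=1; done
        [ "$found" -eq 0 ] && out="$out $a"
    done
    echo "${out# }"
}

# report_port_drift ZONE: compare the runtime and permanent port lists of a zone.
report_port_drift() {
    zone=$1
    rt=$(firewall-cmd --zone="$zone" --list-ports)                # runtime rules
    pm=$(firewall-cmd --permanent --zone="$zone" --list-ports)    # saved rules
    lost=$(list_minus "$rt" "$pm")
    pending=$(list_minus "$pm" "$rt")
    if [ -z "$lost" ] && [ -z "$pending" ]; then
        echo "zone $zone: runtime and permanent ports match"
    else
        [ -n "$lost" ]    && echo "zone $zone: runtime-only (lost on --reload): $lost"
        [ -n "$pending" ] && echo "zone $zone: permanent-only (inactive until --reload): $pending"
    fi
}
```

Run `report_port_drift public` before a planned reload; anything reported as runtime-only should be saved with --runtime-to-permanent first if it is meant to stay.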

3. Summary of Common Firewall Commands

# 1. Start/stop commands
systemctl status firewalld                   # Check the running status of the firewall
systemctl start firewalld                    # Start the firewalld service
systemctl restart firewalld                  # Restart the firewalld service
systemctl stop firewalld                     # Stop the firewalld service
firewall-cmd --reload                        # Reload the firewall rules (runtime-only changes are discarded)

# 2. Zone commands
firewall-cmd --get-default-zone              # Show the current default zone
firewall-cmd --set-default-zone=<zone>       # Modify the default zone
firewall-cmd --get-active-zones              # Show currently active zones and their network interfaces
firewall-cmd --get-zones                     # Show all available zones
firewall-cmd --zone=<zone> --add-interface=<interface>      # Bind a network interface to a zone
firewall-cmd --zone=<zone> --remove-interface=<interface>   # Remove the binding of a network interface from a zone
firewall-cmd --list-all-zones                # Show all zones and their policies

# 3. Service commands
firewall-cmd --list-services                 # View all services allowed in the default zone
firewall-cmd --add-service=<service_name> --zone=<zone>               # Add the service to the specified zone
firewall-cmd --add-service=http --zone=public                         # Add the http service to the public zone
firewall-cmd --remove-service=<service_name> --zone=<zone>            # Remove the service from the specified zone
firewall-cmd --add-service=<service_name> --zone=<zone> --permanent   # Add the service to the zone permanently (active after --reload)

# 4. Port commands
firewall-cmd --zone=<zone> --add-port=<port>/<protocol>     # Add a port to the zone; the protocol name is required
firewall-cmd --zone=home --add-port=443/tcp                 # Add TCP port 443 to the home zone
firewall-cmd --zone=home --add-port=443/tcp --permanent     # Permanently add TCP port 443 to the home zone (active after --reload)
firewall-cmd --list-ports --zone=<zone>                     # View the opened ports in the specified zone
firewall-cmd --zone=<zone> --remove-port=<port>/<protocol>  # Remove a port from the zone
firewall-cmd --zone=home --remove-port=443/tcp              # Remove TCP port 443 from the home zone