介绍 (Introduction)
firewalld is firewall management software available for many Linux distributions, which acts as a frontend for Linux’s in-kernel nftables or iptables packet filtering systems.
firewalld是可用于许多Linux发行版的防火墙管理软件,它充当Linux内核内可移植对象或iptables数据包过滤系统的前端。
In this guide, we will show you how to set up a firewalld firewall for your CentOS 8 server, and cover the basics of managing the firewall with the firewall-cmd administrative tool.
在本指南中,我们将向您展示如何为CentOS 8服务器设置防火墙防火墙,并介绍使用firewall-cmd管理工具管理防火墙的基础知识。
先决条件 (Prerequisites)
To complete this tutorial, you will need a server running CentOS 8. We will assume you are logged into this server as a non-root, sudo-enabled user. To set this up, see our Initial Server Setup for CentOS 8 guide.
要完成本教程,您将需要一台运行CentOS 8的服务器。我们假定您以非root用户 ,启用了sudo用户身份登录到该服务器。 要进行设置,请参阅我们的CentOS 8初始服务器设置指南。
Firewalld中的基本概念 (Basic Concepts in firewalld)
Before we begin talking about how to actually use the firewall-cmd utility to manage your firewall configuration, we should get familiar with a few concepts that the tool introduces.
在开始讨论如何实际使用firewall-cmd实用程序来管理防火墙配置之前,我们应该熟悉该工具引入的一些概念。
区域 (Zones)
The firewalld daemon manages groups of rules using entities called zones. Zones are sets of rules that dictate what traffic should be allowed depending on the level of trust you have in the network. Network interfaces are assigned to a zone to dictate the behavior that the firewall should allow.
firewalld守护程序使用称为zone的实体管理规则组。 区域是一组规则,这些规则根据您在网络中的信任级别来决定应允许的流量。 将网络接口分配给区域,以指示防火墙应允许的行为。
For computers that might move between networks frequently (like laptops), this kind of flexibility provides a good method of changing your rules depending on your environment. You may have strict rules in place prohibiting most traffic when operating on a public WiFi network, while allowing more relaxed restrictions when connected to your home network. For a server, these zones are often not as important because the network environment rarely, if ever, changes.
对于可能经常在网络之间移动的计算机(例如笔记本电脑),这种灵活性提供了一种根据环境更改规则的好方法。 在公共WiFi网络上运行时,您可能有严格的规则禁止大多数流量,而在连接到家庭网络时允许放宽限制。 对于服务器,这些区域通常并不那么重要,因为网络环境很少(如果有的话)发生变化。
Regardless of how dynamic your network environment may be, it is still useful to be familiar with the general idea behind each of the predefined zones for firewalld. The predefined zones within firewalld are, in order from least trusted to most trusted:
无论您的网络环境有多动态,熟悉firewalld d的每个预定义区域背后的一般思想仍然很有用。 按最低信任到最受信任的顺序, firewalld中的预定义区域是:
-
drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
drop :最低信任级别。 所有传入的连接都将被丢弃而不会回复,并且只能进行传出连接。
-
block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
block :与上述类似,但不是简单地丢弃连接,而是使用icmp-host-prohibited或icmp6-adm-prohibited消息拒绝传入的请求。
-
public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
public :代表公共的,不受信任的网络。 您不信任其他计算机,但可能会视情况允许选择的传入连接。
-
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
external :如果您使用防火墙作为网关,则为外部网络。 将其配置为伪装NAT,以便您的内部网络保持私有但可访问。
-
internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
内部 :外部区域的另一侧,用于网关的内部。 这些计算机相当值得信赖,并且可以使用一些其他服务。
-
dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
dmz :用于DMZ中的计算机(将无法访问网络其余部分的隔离计算机)。 仅允许某些传入连接。
-
work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
工作 :用于工作机。 信任网络中的大多数计算机。 可能还允许其他一些服务。
-
home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
home :家庭环境。 通常,这意味着您信任其他大多数计算机,并且将接受其他一些服务。
-
trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.
Trusted :信任网络中的所有计算机。 可用选项中最开放的,应谨慎使用。
To use the firewall, we can create rules and alter the properties of our zones and then assign our network interfaces to whichever zones are most appropriate.
要使用防火墙,我们可以创建规则并更改区域的属性,然后将网络接口分配给最合适的区域。
规则永久性 (Rule Permanence)
In firewalld, rules can be applied to the current runtime ruleset, or be made permanent. When a rule is added or modified, by default, only the currently running firewall is modified. After the next reboot – or reload of the firewalld service – only the permanent rules will remain.
在firewalld中,规则可以应用于当前的运行时规则集,也可以成为永久规则。 添加或修改规则时, 默认情况下,仅修改当前运行的防火墙 。 下次重新启动后-或重新加载firewalld服务-仅保留永久性规则。
Most firewall-cmd operations can take a --permanent flag to indicate that the changes should be applied to the permenent configuration. Additionally, the currently running firewall can be saved to the permanent configuration with the firewall-cmd --runtime-to-permanent command.
大多数firewall-cmd操作都可以带有--permanent标志,以指示应将更改应用于永久配置。 另外,可以使用firewall-cmd --runtime-to-permanent命令将当前正在运行的防火墙保存到永久配置。
This separation of runtime vs permanent configuration means that you can safely test rules in your active firewall, then reload to start over if there are problems.
运行时间与永久配置的这种分离意味着您可以在活动防火墙中安全地测试规则,然后在出现问题时重新加载以重新开始。
安装和启用防火墙 (Installing and Enabling firewalld)
firewalld is installed by default on some Linux distributions, including many images of CentOS 8. However, it may be necessary for you to install firewalld yourself:
默认情况下, firewalld是在某些Linux发行版上安装的,包括许多CentOS 8映像。但是,您可能需要自己安装firewalld:
- sudo dnf install firewalld 须藤dnf安装firewalld
After you install firewalld, you can enable the service and reboot your server. Keep in mind that enabling firewalld will cause the service to start up at boot. It is best practice to create your firewall rules and take the opportunity to test them before configuring this behavior in order to avoid potential issues.
安装firewalld ,您可以启用该服务并重新启动服务器。 请记住,启用firewalld将导致该服务在启动时启动。 最好的做法是在配置此行为之前创建防火墙规则并借此机会对其进行测试,以避免潜在的问题。
- sudo systemctl enable firewalld sudo systemctl启用防火墙
- sudo systemctl start firewalld 须藤systemctl启动firewalld
When the server restarts, your firewall should be brought up, your network interfaces should be put into the zones you configured (or fall back to the configured default zone), and any rules associated with the zone(s) will be applied to the associated interfaces.
服务器重新启动时,应启动防火墙,将网络接口放入配置的区域(或退回到配置的默认区域),并且与该区域关联的所有规则都将应用于关联的区域。接口。
We can verify that the service is running and reachable by typing:
我们可以通过输入以下内容来验证该服务正在运行并且
