Does linux have a firewall?

Linux has a firewall, which is almost a must-have software for Linux servers on the public Internet. Many Linux distributions already come with a firewall, usually iptables; on Fedora, CentOS, and Red Hat distributions, the firewall software installed by default is firewalld, which can be configured and controlled through the "firewall-cmd" command.

#The operating environment of this tutorial: linux7.3 system, Dell G3 computer.

Linux has firewall and anti-virus software. Firewall is almost a must-have software for Linux servers on the public network. In addition, almost every computer room has hardware firewalls for intrusion detection, attack protection, etc.

A reasonable firewall is the first barrier for your computer to prevent network intrusions. When you surf the Internet at home, usually the Internet service provider will build a firewall in the routing. When you're away from home, the firewall on your computer is the only one, so it's important to configure and control the firewall on your Linux computer. If you maintain a Linux server, it's equally important to know how to manage your firewall so you can protect your server from illegal traffic, whether local or remote.

Linux installation firewall

Many Linux distributions already come with their own firewall, usually iptables. It's powerful and customizable, but a bit complex to configure. Fortunately, some developers have written some front-end programs to help users control the firewall without writing lengthy iptables rules.

On Fedora, CentOS, Red Hat and some similar distributions, the default installed firewall software is firewalld, which is configured and controlled through the firewall-cmd command. On Debian and most other distributions, firewalld can be installed from your repository. Ubuntu comes with a simple firewall Uncomplicated Firewall (ufw), so to use firewalld, you must enable the universe software repository:

$ sudo add-apt-repository universe
$ sudo apt install firewalld

You also need to disable ufw:

$ sudo systemctl disable ufw

There is no reason not to use ufw . It is a powerful firewall front-end. However, this article focuses on firewalld because most distributions support it and it is integrated into systemd, which comes with almost all distributions.

No matter which distribution you have, you must first activate the firewall for it to take effect, and it needs to be loaded at startup:

$ sudo systemctl enable --now firewalld

Understand the domain of the firewall

Firewalld is designed to make firewall configuration as easy as possible. It achieves this goal by establishing domain zones. A domain is a set of reasonable, general rules that adapt to the daily needs of most users. By default there are nine domains.

• trusted: Accept all connections. This is the least paranoid firewall setup and should only be used in a fully trusted environment, such as a test lab or a home network where everyone on the network knows everyone else.

• home, work, internal: In these three domains, most incoming connections are accepted. They each exclude incoming traffic from ports that are not expected to be active. All three are suitable for use in a home environment, because there will be no network traffic with uncertain ports and you can generally trust other users on the home network.

• public: used in public areas. This is a paranoid setting, used when you don't trust other computers on the network. Only selected common and most secure incoming connections can be accepted.

• dmz: DMZ stands for Demilitarized Zone. This domain is mostly used for publicly accessible computers located on the organization's external network and with limited access to the internal network. For personal computers it is of little use, but for certain types of servers it can be an important option.

• external: Used for external networks, masquerading will be enabled (the address of your private network is mapped to an external IP address and hidden). Like a DMZ, only select incoming connections are accepted, including SSH.

• block: Only accept network connections initialized in this system. Any network connection received will be rejected with an icmp-host-prohibited message. This is an extremely paranoid setting, important for certain types of servers or personal computers in untrusted or unsecured environments.

• drop: All received network packets are dropped without any reply. Only outgoing network connections are available. A more extreme solution than this setting is to turn off WiFi and unplug the network cable.

You can view all zones for your distribution, or view administrator settings through the configuration file /usr/lib/firewalld/zones. For example: The following is the FedoraWorkstation domain that comes with Fefora 31:

$ cat /usr/lib/firewalld/zones/FedoraWorkstation.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Fedora Workstation</short>
  <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <service name="dhcpv6-client"/>
  <service name="ssh"/>
  <service name="samba-client"/>
  <port protocol="udp" port="1025-65535"/>
  <port protocol="tcp" port="1025-65535"/>
</zone>

Get the current domain

At any time you can pass - -get-active-zones option to see which zone you are in:

$ sudo firewall-cmd --get-active-zones

输出结果中，会有当前活跃的域的名字和分配给它的网络接口。笔记本电脑上，在默认域中通常意味着你有个 WiFi 卡：

FedoraWorkstation
  interfaces: wlp61s0

修改你当前的域

要更改你的域，请将网络接口重新分配到不同的域。例如，把例子中的 wlp61s0 卡修改为 public 域：

$ sudo firewall-cmd --change-interface=wlp61s0 --zone=public

你可以在任何时候、任何理由改变一个接口的活动域 —— 无论你是要去咖啡馆，觉得需要增加笔记本的安全策略，还是要去上班，需要打开一些端口进入内网，或者其他原因。在你凭记忆学会 firewall-cmd 命令之前，你只要记住了关键词 change 和 zone，就可以慢慢掌握，因为按下 Tab 时，它的选项会自动补全。

相关推荐：《Linux视频教程》

The above is the detailed content of Does linux have a firewall?. For more information, please follow other related articles on the PHP Chinese website!