Firewall is one of the essential software for almost all public Linux servers. It can protect the server from network attacks. Many Linux distributions already come with a firewall, usually iptables; on Fedora, CentOS, and Red Hat distributions, the firewall software installed by default is firewalld, which can be configured and controlled through the "firewall-cmd" command.
Linux has firewall and anti-virus software. Firewall is almost a must-have software for Linux servers on the public network. In addition, almost every computer room has hardware firewalls for intrusion detection, attack protection, etc.
A reasonable firewall is the first barrier for your computer to prevent network intrusions. When you surf the Internet at home, usually the Internet service provider will build a firewall in the routing. When you're away from home, the firewall on your computer is the only one, so it's important to configure and control the firewall on your Linux computer. If you maintain a Linux server, it's equally important to know how to manage your firewall so you can protect your server from illegal traffic, whether local or remote.
Linux installation firewall
Normally, iptables is the default firewall that comes with many Linux distributions. It's powerful and customizable, but a bit complex to configure. Developers have written front-end applications to assist users in managing firewalls, replacing cumbersome iptables rules.
On Fedora, CentOS, Red Hat and some similar distributions, the default installed firewall software is firewalld, which is configured and controlled through the firewall-cmd command. Firewalld can be installed on Debian as well as most other distributions via software repositories. Ubuntu comes with a simple firewall, Uncomplicated Firewall (ufw), so to use firewalld, you must enable the universe software repository:
$ sudo add-apt-repository universe $ sudo apt install firewalld
You also need to disable ufw:
$ sudo systemctl disable ufw
There is no reason not to use ufw . It is a powerful firewall front-end. However, this article focuses on firewalld because most distributions support it and it is integrated into systemd, which comes with almost all distributions.
No matter which distribution you have, you must first activate the firewall for it to take effect, and it needs to be loaded at startup:
$ sudo systemctl enable --now firewalld
Understand the domain of the firewall
Firewalld is designed to make firewall configuration as easy as possible. It achieves this goal by establishing domain zones. A domain is a set of reasonable, general rules that adapt to the daily needs of most users. By default there are nine domains.
trusted: Accept all connections. This is a very permissive firewall setting that should only be used in absolutely trusted environments, such as a test lab or a home network where everyone knows each other.
Most connections will be received in these three areas: home, work, and internal. They each exclude incoming traffic from ports that are not expected to be active. All three are suitable for use in a home environment, because there will be no network traffic with uncertain ports and you can generally trust other users on the home network.
public: used in public areas. This is a paranoid setting, used when you don't trust other computers on the network. Only selected common and most secure incoming connections can be accepted.
dmz: DMZ stands for Demilitarized Zone. This domain name is often used for computers that are publicly accessible outside the organization and have limited access to the internal network. This sentence can be rewritten as: Although not very practical for personal computers, it is a crucial choice for some servers.
external: Used for external networks, masquerading will be enabled (the address of your private network is mapped to an external IP address and hidden). Like a DMZ, only select incoming connections are accepted, including SSH.
block: Only accept network connections initialized in this system. Any network connection will be denied and an icmp-host-prohibited message will be sent. This is a very important setting, especially for personal computers or certain types of servers located in untrusted or unsecured environments due to their extremely high level of paranoia.
drop: All received network packets are dropped without any reply. Only outgoing network connections are available. A more extreme solution than this setting is to turn off WiFi and unplug the network cable.
You can view all zones for your distribution, or view administrator settings through the configuration file /usr/lib/firewalld/zones. For example, the FedoraWorkstation zone that comes with Fedora 31 looks like this:
$ cat /usr/lib/firewalld/zones/FedoraWorkstation.xml <?xml version="1.0" encoding="utf-8"?> <zone> <short>Fedora Workstation</short> <description>Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description> <service name="dhcpv6-client"/> <service name="ssh"/> <service name="samba-client"/> <port protocol="udp" port="1025-65535"/> <port protocol="tcp" port="1025-65535"/> </zone>
Get the current zone
At any time you can pass the --get-active-zones option To see which domain you are in:
$ sudo firewall-cmd --get-active-zones
The output will include the name of the currently active domain and the network interface assigned to it. On a laptop, being in the default domain usually means you have a WiFi card:
FedoraWorkstation interfaces: wlp61s0
Modify your current domain
要更改你的域,请将网络接口重新分配到不同的域。举个例子,将 wlp61s0 网卡修改为公用域
$ sudo firewall-cmd --change-interface=wlp61s0 --zone=public
你可以在任何时候、任何理由改变一个接口的活动域 —— 无论你是要去咖啡馆,觉得需要增加笔记本的安全策略,还是要去上班,需要打开一些端口进入内网,或者其他原因。在你凭记忆学会 firewall-cmd 命令之前,你只要记住了关键词 change 和 zone,就可以慢慢掌握,因为按下 Tab 时,它的选项会自动补全。
The above is the detailed content of Does linux have a firewall?. For more information, please follow other related articles on the PHP Chinese website!
什么是linux设备节点Apr 18, 2022 pm 08:10 PMlinux设备节点是应用程序和设备驱动程序沟通的一个桥梁;设备节点被创建在“/dev”,是连接内核与用户层的枢纽,相当于硬盘的inode一样的东西,记录了硬件设备的位置和信息。设备节点使用户可以与内核进行硬件的沟通,读写设备以及其他的操作。
Linux中open和fopen的区别有哪些Apr 29, 2022 pm 06:57 PM区别:1、open是UNIX系统调用函数,而fopen是ANSIC标准中的C语言库函数;2、open的移植性没fopen好;3、fopen只能操纵普通正规文件,而open可以操作普通文件、网络套接字等;4、open无缓冲,fopen有缓冲。
linux中什么叫端口映射May 09, 2022 pm 01:49 PM端口映射又称端口转发,是指将外部主机的IP地址的端口映射到Intranet中的一台计算机,当用户访问外网IP的这个端口时,服务器自动将请求映射到对应局域网内部的机器上;可以通过使用动态或固定的公共网络IP路由ADSL宽带路由器来实现。
什么是linux交叉编译Apr 29, 2022 pm 06:47 PM在linux中,交叉编译是指在一个平台上生成另一个平台上的可执行代码,即编译源代码的平台和执行源代码编译后程序的平台是两个不同的平台。使用交叉编译的原因:1、目标系统没有能力在其上进行本地编译;2、有能力进行源代码编译的平台与目标平台不同。
linux中eof是什么May 07, 2022 pm 04:26 PM在linux中,eof是自定义终止符,是“END Of File”的缩写;因为是自定义的终止符,所以eof就不是固定的,可以随意的设置别名,linux中按“ctrl+d”就代表eof,eof一般会配合cat命令用于多行文本输出,指文件末尾。
linux怎么判断pcre是否安装May 09, 2022 pm 04:14 PM在linux中,可以利用“rpm -qa pcre”命令判断pcre是否安装;rpm命令专门用于管理各项套件,使用该命令后,若结果中出现pcre的版本信息,则表示pcre已经安装,若没有出现版本信息,则表示没有安装pcre。
linux怎么查询mac地址Apr 24, 2022 pm 08:01 PMlinux查询mac地址的方法:1、打开系统,在桌面中点击鼠标右键,选择“打开终端”;2、在终端中,执行“ifconfig”命令,查看输出结果,在输出信息第四行中紧跟“ether”单词后的字符串就是mac地址。
linux中rpc是什么意思May 07, 2022 pm 04:48 PM在linux中,rpc是远程过程调用的意思,是Reomote Procedure Call的缩写,特指一种隐藏了过程调用时实际通信细节的IPC方法;linux中通过RPC可以充分利用非共享内存的多处理器环境,提高系统资源的利用率。
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.
SublimeText3 English version
Recommended: Win version, supports code prompts!
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
