firewalld: what each zone is for

I. List all zones on the current Linux host

[root@blog ~]$ firewall-cmd  --get-zones
block dmz drop external home internal nm-shared public trusted work

II. Differences between the zones

1. A network zone defines the trust level of a network connection.

trusted zone: the trusted zone.

All network connections are accepted. Whatever is bound to this zone (an interface, a source subnet, a service, etc.) is not blocked by the firewall; all traffic passes.

internal zone: for internal networks.

home zone: for home areas.

work zone: for work areas.

In the three zones internal, home and work you mostly trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

dmz zone: for computers in a demilitarized zone that are publicly accessible but have only limited access to the internal network. Only selected incoming connections are accepted.

external zone: for external networks with masquerading enabled, in particular routers. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

public zone: for use in public areas. You do not trust the other computers on the network not to harm your computer. Only selected incoming connections are accepted.

block zone: any incoming network connection is rejected; IPv4 is answered with an icmp-host-prohibited message and IPv6 with an icmp6-adm-prohibited message. Only network connections initiated from this system are possible.

drop zone: any incoming network packet is dropped without a reply. Only outgoing network connections are possible.

2. View the default rules of each zone: every zone is a set of rules, so how do you see which rules it carries by default?

The default rules are stored under:

/usr/lib/firewalld/zones/

This path can be found by querying the firewalld package with rpm:

[root@blog zones]# rpm -ql firewalld | grep zones
/etc/firewalld/zones
/usr/lib/firewalld/zones/block.xml
/usr/lib/firewalld/zones/dmz.xml
/usr/lib/firewalld/zones/drop.xml
/usr/lib/firewalld/zones/external.xml
/usr/lib/firewalld/zones/home.xml
/usr/lib/firewalld/zones/internal.xml
/usr/lib/firewalld/zones/public.xml
/usr/lib/firewalld/zones/trusted.xml
/usr/lib/firewalld/zones/work.xml
/usr/share/man/man5/firewalld.zones.5.gz

Entering the directory shows the XML configuration file of each default zone:

[root@blog zones]# cd /usr/lib/firewalld/zones/
[root@blog zones]# ls
block.xml  dmz.xml  drop.xml  external.xml  home.xml  internal.xml  nm-shared.xml  public.xml  trusted.xml  work.xml

3. Compare the rules of the different zones:

drop.xml

[root@blog zones]# more drop.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <short>Drop</short>
  <description>Unsolicited incoming network packets are dropped. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <forward/>
</zone>

block

[root@blog zones]# more block.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="%%REJECT%%">
  <short>Block</short>
  <description>Unsolicited incoming network packets are rejected. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.</description>
  <forward/>
</zone>

public

[root@blog zones]# more public.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer.
  Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward/>
</zone>

trusted

[root@blog zones]# more trusted.xml
<?xml version="1.0" encoding="utf-8"?>
<zone target="ACCEPT">
  <short>Trusted</short>
  <description>All network connections are accepted.</description>
  <forward/>
</zone>

work

[root@blog zones]# more work.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Work</short>
  <description>For use in work areas. You mostly trust the other computers on networks to not harm your computer. 
  Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward/>
</zone>

home

[root@blog zones]# more home.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Home</short>
  <description>For use in home areas. You mostly trust the other computers on networks to not harm your computer. 
  Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward/>
</zone>

dmz

[root@blog zones]# more dmz.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>DMZ</short>
  <description>For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <forward/>
</zone>

external

[root@blog zones]# more external.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>External</short>
  <description>For use on external networks. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <masquerade/>
  <forward/>
</zone>

internal

[root@blog zones]# more internal.xml
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <description>For use on internal networks. You mostly trust the other computers on the networks to not harm
  your computer. Only selected incoming connections are accepted.</description>
  <service name="ssh"/>
  <service name="mdns"/>
  <service name="samba-client"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward/>
</zone>

III. View the default target of the nine built-in zones

1. Query each zone individually:

Note: as the output below shows, most zones have the target default, but three zones differ:

trusted: target is ACCEPT
drop: target is DROP
block: target is REJECT

So in production no complex rules are added to these three zones; they are used simply as a whitelist or a blacklist.

[root@blog ~]# firewall-cmd --zone=trusted --permanent --get-target
ACCEPT
[root@blog ~]# firewall-cmd --zone=public --permanent --get-target
default
[root@blog ~]# firewall-cmd --zone=drop --permanent --get-target
DROP
[root@blog ~]# firewall-cmd --zone=block --permanent --get-target
REJECT
[root@blog ~]# firewall-cmd --zone=external --permanent --get-target
default
[root@blog ~]# firewall-cmd --zone=internal --permanent --get-target
default
[root@blog ~]# firewall-cmd --zone=dmz --permanent --get-target
default
[root@blog ~]# firewall-cmd --zone=work --permanent --get-target
default
[root@blog ~]# firewall-cmd --zone=home --permanent --get-target
default

2. List the rules of all zones:

[root@blog ~]# firewall-cmd --list-all-zones 

IV. Compare the six zones public/home/external/internal/work/dmz

These six zones all have the target default, so where do they differ?

They differ in their default rules.

1. work/public

The work and public zones are identical: both allow the three services ssh, dhcpv6-client and cockpit.
ssh needs no explanation.
dhcpv6-client is the DHCPv6 client; the port it uses is 546.
If the host does not use a dynamic IP, it is recommended to close this service.
cockpit: a web-based graphical service-management tool developed by Red Hat; its advantages are that it needs no middle layer and can manage many kinds of services.
The port it uses is 9090.
If you do not need to manage the server from a graphical interface, it is recommended to close this service.

2. home/internal
The home and internal zones are identical: both allow the five services ssh, mdns, samba-client, dhcpv6-client and cockpit.
ssh/dhcpv6-client/cockpit were covered above.
samba-client: the client-side service for Samba;
its port is udp 138.
mdns: mDNS is a multicast-based service-discovery protocol that lets devices on a LAN automatically discover each other's services;
its port is udp 5353.

3. dmz/external
dmz provides only the ssh service;
external additionally enables <masquerade/>, which is used to turn on port forwarding or to share an internet connection.
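As an added example (not from the original post), the script below parses zone XML files in the format listed in section II and reports each zone's effective target, its services and whether masquerading is on, then flags the services this section recommends closing when they are not needed. The XML samples are constructed from the post's public.xml, external.xml and drop.xml listings, trimmed to the elements that matter here.

```python
import xml.etree.ElementTree as ET

# Services the post recommends closing when not needed, with the ports it gives.
OPTIONAL_SERVICES = {"cockpit": "tcp/9090", "dhcpv6-client": "udp/546"}

# Constructed samples, trimmed from the post's public.xml, external.xml and drop.xml.
ZONE_XML = {
    "public": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <service name="cockpit"/>
  <forward/>
</zone>""",
    "external": """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <service name="ssh"/>
  <masquerade/>
  <forward/>
</zone>""",
    "drop": """<?xml version="1.0" encoding="utf-8"?>
<zone target="DROP">
  <forward/>
</zone>""",
}

def summarize_zone(xml_text):
    """Return (target, sorted service names, masquerade flag) for one zone file.
    A <zone> without a target attribute uses the 'default' target, which is
    what firewall-cmd --get-target prints; block.xml stores %%REJECT%%, which
    firewall-cmd reports as REJECT, so the percent signs are stripped."""
    root = ET.fromstring(xml_text)
    target = root.get("target", "default").strip("%")
    services = sorted(s.get("name") for s in root.findall("service"))
    return target, services, root.find("masquerade") is not None

def audit(zones):
    """Map each zone name to the optional services it exposes (with their ports)."""
    findings = {}
    for name, xml_text in zones.items():
        _, services, _ = summarize_zone(xml_text)
        findings[name] = [f"{s} ({OPTIONAL_SERVICES[s]})" for s in services if s in OPTIONAL_SERVICES]
    return findings

if __name__ == "__main__":
    for name, xml_text in ZONE_XML.items():
        print(name, summarize_zone(xml_text))
    print(audit(ZONE_XML))
```

On a real host the same functions can be pointed at the files under /usr/lib/firewalld/zones/ (defaults) and /etc/firewalld/zones/ (local overrides) to see which zones still expose cockpit or dhcpv6-client.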


posted @ 2024-08-17 14:01  刘宏缔的架构森林