Does linux have a firewall?

Firewall is one of the essential software for almost all public Linux servers. It can protect the server from network attacks. Many Linux distributions already come with a firewall, usually iptables; on Fedora, CentOS, and Red Hat distributions, the firewall software installed by default is firewalld, which can be configured and controlled through the "firewall-cmd" command.

Linux has firewall and anti-virus software.Firewall is almost a must-have software for Linux servers on the public network. In addition, almost every computer room has hardware firewalls for intrusion detection, attack protection, etc.

A reasonable firewall is the first barrier for your computer to prevent network intrusions. When you surf the Internet at home, usually the Internet service provider will build a firewall in the routing. When you're away from home, the firewall on your computer is the only one, so it's important to configure and control the firewall on your Linux computer. If you maintain a Linux server, it's equally important to know how to manage your firewall so you can protect your server from illegal traffic, whether local or remote.

Linux installation firewall

Normally, iptables is the default firewall that comes with many Linux distributions. It's powerful and customizable, but a bit complex to configure. Developers have written front-end applications to assist users in managing firewalls, replacing cumbersome iptables rules.

On Fedora, CentOS, Red Hat and some similar distributions, the default installed firewall software is firewalld, which is configured and controlled through the firewall-cmd command. Firewalld can be installed on Debian as well as most other distributions via software repositories. Ubuntu comes with a simple firewall, Uncomplicated Firewall (ufw), so to use firewalld, you must enable the universe software repository:

$ sudo add-apt-repository universe $ sudo apt install firewalld

You also need to disable ufw:

$ sudo systemctl disable ufw

There is no reason not to use ufw . It is a powerful firewall front-end. However, this article focuses on firewalld because most distributions support it and it is integrated into systemd, which comes with almost all distributions.

No matter which distribution you have, you must first activate the firewall for it to take effect, and it needs to be loaded at startup:

$ sudo systemctl enable --now firewalld

Understand the domain of the firewall

Firewalld is designed to make firewall configuration as easy as possible. It achieves this goal by establishing domain zones. A domain is a set of reasonable, general rules that adapt to the daily needs of most users. By default there are nine domains.

• trusted: Accept all connections. This is a very permissive firewall setting that should only be used in absolutely trusted environments, such as a test lab or a home network where everyone knows each other.

• Most connections will be received in these three areas: home, work, and internal. They each exclude incoming traffic from ports that are not expected to be active. All three are suitable for use in a home environment, because there will be no network traffic with uncertain ports and you can generally trust other users on the home network.

• public: used in public areas. This is a paranoid setting, used when you don't trust other computers on the network. Only selected common and most secure incoming connections can be accepted.

• dmz: DMZ stands for Demilitarized Zone. This domain name is often used for computers that are publicly accessible outside the organization and have limited access to the internal network. This sentence can be rewritten as: Although not very practical for personal computers, it is a crucial choice for some servers.

• external: Used for external networks, masquerading will be enabled (the address of your private network is mapped to an external IP address and hidden). Like a DMZ, only select incoming connections are accepted, including SSH.

• block: Only accept network connections initialized in this system. Any network connection will be denied and an icmp-host-prohibited message will be sent. This is a very important setting, especially for personal computers or certain types of servers located in untrusted or unsecured environments due to their extremely high level of paranoia.

• drop: All received network packets are dropped without any reply. Only outgoing network connections are available. A more extreme solution than this setting is to turn off WiFi and unplug the network cable.

You can view all zones for your distribution, or view administrator settings through the configuration file /usr/lib/firewalld/zones. For example, the FedoraWorkstation zone that comes with Fedora 31 looks like this:

$ cat /usr/lib/firewalld/zones/FedoraWorkstation.xml   Fedora Workstation Unsolicited incoming network packets are rejected from port 1 to 1024, except for select network services. Incoming packets that are related to outgoing network connections are accepted. Outgoing network connections are allowed.      

Get the current zone

At any time you can pass the --get-active-zones option To see which domain you are in:

$ sudo firewall-cmd --get-active-zones

The output will include the name of the currently active domain and the network interface assigned to it. On a laptop, being in the default domain usually means you have a WiFi card:

FedoraWorkstation interfaces: wlp61s0

Modify your current domain

要更改你的域，请将网络接口重新分配到不同的域。举个例子，将 wlp61s0 网卡修改为公用域

$ sudo firewall-cmd --change-interface=wlp61s0 --zone=public

你可以在任何时候、任何理由改变一个接口的活动域 —— 无论你是要去咖啡馆，觉得需要增加笔记本的安全策略，还是要去上班，需要打开一些端口进入内网，或者其他原因。在你凭记忆学会 firewall-cmd 命令之前，你只要记住了关键词 change 和 zone，就可以慢慢掌握，因为按下 Tab 时，它的选项会自动补全。

The above is the detailed content of Does linux have a firewall?. For more information, please follow other related articles on the PHP Chinese website!