Difference between revisions of "CentOS 8.x firewalld basic theory"

From Notes_Wiki
(Created page with "<yambe:breadcrumb self="firewalld basic theory">CentOS 8.x firewalld|firewalld</yambe:breadcrumb> =CentOS 8.x firewalld basic theory= ==Basic Concepts in Firewalld== ===Zone...")
 
m
 
Line 1: Line 1:
<yambe:breadcrumb self="firewalld basic theory">CentOS 8.x firewalld|firewalld</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 8.x]] > [[CentOS 8.x System Administration|System Administration]] > [[CentOS 8.x firewalld|firewalld]] > [[CentOS 8.x firewalld basic theory|Basic theory]]
=CentOS 8.x firewalld basic theory=


==Basic Concepts in Firewalld==
==Basic Concepts in Firewalld==
Line 34: Line 33:




<yambe:breadcrumb self="firewalld basic theory">CentOS 8.x firewalld|firewalld</yambe:breadcrumb>
[[Main Page|Home]] > [[CentOS]] > [[CentOS 8.x]] > [[CentOS 8.x System Administration|System Administration]] > [[CentOS 8.x firewalld|firewalld]] > [[CentOS 8.x firewalld basic theory|Basic theory]]

Latest revision as of 03:36, 19 April 2022

Home > CentOS > CentOS 8.x > System Administration > firewalld > Basic theory

Basic Concepts in Firewalld

Zone

The firewalld daemon manages groups of rules using entities called "zones". Zones are basically sets of rules dictating what traffic should be allowed depending on the level of trust you have in the networks your computer is connected to. Network interfaces are assigned a zone to dictate the behavior that the firewall should allow.

drop
The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
block
Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
public
Represents public, untrusted networks. You don't trust other computers but may allow selected incoming connections on a case-by-case basis.
external
External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
internal
The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
dmz
Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
work
Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
home
A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
trusted
Trust all of the machines in the network. The most open of the available options and should be used sparingly.


Rule Permanence

In firewalld, rules can be designated as either permanent or immediate. If a rule is added or modified, by default, the behavior of the currently running firewall is modified. At the next boot, the old rules will be reverted.

Most firewall-cmd operations can take the --permanent flag to indicate that the non-ephemeral firewall should be targeted. This will affect the rule set that is reloaded upon boot. This separation means that you can test rules in your active firewall instance and then reload if there are problems. You can also use the --permanent flag to build out an entire set of rules over time that will all be applied at once when the reload command is issued.

Refer:


Article contributed by Pavan Ponamala



Home > CentOS > CentOS 8.x > System Administration > firewalld > Basic theory