  • firewall-cmd in detail: from zone to service, firewall configuration in 5 minutes

       2026-02-26 NetworkingName710
    Last time, we took on iptables, the "veteran" of Linux firewalls. Many readers felt that it is powerful, but that its complex collection of "tables" and "chains" is genuinely off-putting.

    Don't be afraid, times are moving forward! Starting with CentOS 7, we are officially offered a simpler and more user-friendly new-generation firewall management tool, firewall-cmd.

    If iptables is a veteran driver who needs a manual transmission and drifts with heel-and-toe footwork, firewall-cmd is an "automatic transmission" that anyone can handle easily. Today, let's look at how useful this "people-friendly" security tool is.

    I. The core idea of firewall-cmd: from "rules" to "scenarios"

    The idea behind iptables is "rule-based": you have to define manually which IP and which port are allowed to pass, like writing a legal text.

    The thinking behind firewall-cmd is "scenario-based", which is smarter. It introduces two core concepts:

    1. Zone (zone)

    2. Service (service)

    II. Common commands: hands-on in 5 minutes

    The commands of firewall-cmd are very semantic and easy to understand at a glance.

    1. Status view

    2. Core operations: open services and ports

    Open a port (e.g. 8080):

        firewall-cmd --zone=public --add-port=8080/tcp --permanent

    [Reload to take effect] After adding a permanent rule, the firewall must be reloaded:

        firewall-cmd --reload

    III. Conclusion: between new and old, the choice is not hard

    firewall-cmd, with its ease of use and scenario-based management, significantly lowers the configuration threshold for the Linux firewall and is well suited to daily, standardized use.

    Of course, iptables, with its unparalleled flexibility and strong low-level control, remains irreplaceable when dealing with complex, fine-grained network policies.

    For modern operations engineers, firewall-cmd is like an easy-to-use "automatic transmission", while iptables is like a "manual transmission" that a master can push to its limits. Only by mastering both can you hold your ground on the battlefield of server security.

    If this "people-friendly" firewall manual gave you something, please be sure to follow us. We are wrapping up our "command line" series, and the next issue will open a whole new, more intuitive chapter: Wireshark packet capture, from getting started to mastery, letting you truly "see" the packets.
