Fundamentals of network terms on the Internet

Router: Routers connect different networks together. Your N4L Managed Router links the school network to the Internet, so users can share the connection. Routers act as a dispatcher, choosing the best path for information to travel so it is received quickly.[1]

WAN: Wide Area Network, e.g. the Internet (on the outside of the router).

LAN: Local Area Network, e.g. the School's network (on the inside of the router).

VLAN: A Virtual LAN separates parts of a physical network from each other. You can have many VLANs on one LAN. Each device in a VLAN can only communicate directly with other devices in that VLAN. In schools this is commonly used to segregate traffic, so that e.g. WiFi Guests cannot see School servers. To let devices in one VLAN communicate with devices in another VLAN, you need a Router to connect them together, and the Router's firewall rules then decide which traffic may cross.

Interface: The part of a router that connects to a network (real or virtual), e.g. the WAN Interface is the part of the router that connects it to the Internet.

Firewall: A network security device (software or hardware) that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.[2]

Firewall Rules

The Firewall function of a Router is made up of Rules.
A Rule can apply to Inbound traffic or Outbound traffic (or both).
Without Rules that specifically allow traffic in one direction or the other, the firewall will drop the traffic – preventing data transmission.

Inbound vs Outbound

Inbound or Outbound is the direction traffic moves between networks. It is relative to whichever network you are referencing.
Inbound traffic refers to information coming-in to a network.

Figure 1: Inbound Traffic
Outbound traffic refers to information going-out of a network.

Figure 2: Outbound Traffic
The network could be the School network (as a whole), the Internet, or the Virtual LANs (VLANs) inside the school network.

Because the Managed Router is directing the traffic, it becomes our point of reference.
Think about where traffic is flowing to and from.

From          To            Direction (School Computer's Perspective)
Internet      School LAN    Inbound
School LAN    Internet      Outbound


For VLANs, think about which VLAN is sending, and which is receiving.

Figure 3: VLAN Traffic Directions
From                 To                   Outbound from   Inbound to
VLAN 2 (Servers)     VLAN 3 (Students)    VLAN 2          VLAN 3
VLAN 3 (Students)    VLAN 2 (Servers)     VLAN 3          VLAN 2

Port Forwards
Public and Private IP Addresses

Often, servers need to be accessible both inside and outside the School network. For example, if the School’s Website is hosted on a Web Server inside the school, Parents, Staff and Students wanting to view it from home must connect to the server inside the School.

But the Web Server has a Private IP Address – it’s on the School Network side of the Managed Router, and only devices inside the School Network can communicate with it.

How can a user outside the School Network connect to the School Web Site?

The Managed Router sits in between the School Network and the Internet. It has a Public IP Address allocated to it. No one else in the world is allowed to use that IP Address while it is allocated to your Managed Router.

The Managed Router listens on that IP Address for connections from the Internet, and then decides where to send that traffic inside the School Network.

People wanting to connect to the School Website get directed to the Web Server, without knowing its Private IP Address.

Connecting to a Specific Server

This works well when we only have one device (our Web Server). But School Networks have many devices.
If we have two devices that both listen for connections on Port 3389 (Remote Desktop), where does the Router direct a connection arriving on that port?
How does the Managed Router decide which internal device to send traffic to?

Figure 4: A confused router
We set up a Port Forward.

What are Ports?

When a message, notice or package is received for a Teacher at School, the delivery person doesn’t come into the School and deliver personally to each Teacher.

The message is placed in their named Pigeonhole, probably by an Office Administrator, and the Teacher collects the message.

If we think of data as the messages, Ports are like the Pigeonholes, each one with its own number.
Each Pigeonhole has a unique name, otherwise the Office Admin would not know where to deliver the message. Similarly, only one program can listen on a given Port number (per protocol, TCP or UDP) on a device at any one time.
The Managed Router is like the hard-working Office Admin.
Each Device – the Router, each Computer – has its own set of Ports.

What is Port Forwarding?

When a data message reaches a Router or Computer, the message has a Port Number attached, and so is directed to the associated Port.

A Port Forward is a specific mapping between an external Port on the Router, and an internal Port (on a computer).

Messages sent to the external Port are forwarded to the internal Port.

Figure 5: A Port Forward

How can Both Computers Receive Connections on the Same Port?

In the above example, they can't. There is only one Port 3389 on the Router, and it is forwarding traffic to the device in VLAN 2.

But in a Port Forward, the external port can be different from the internal port.

In this way, the device in VLAN 3 can receive connections from outside as well, if we set up a Port Forward from another external port.

Figure 6: Two port forwards
Which Ports can I use?

Valid ports are in the range 1 to 65535 (port 0 is reserved). These are further classified:

Ports 1 – 1023 are system or well-known ports. These are used by many protocols, e.g. 80 (HTTP), 443 (HTTPS), 25 (SMTP – email).
Ports 1024 – 49151 are user or registered ports.
Ports 49152 – 65535 are dynamic or private ports.

You can use any of these ports inside your School Network.
Some ports may already be in use by existing services – remember that on any one device a port number (per protocol) can be used by only one listening service, so check before you assign it. Because the well-known ports are also the first ones attackers scan, forward only the ports a service actually needs, and forward each one to the single device that needs it.
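The port-forwarding idea above, as an added example that is not part of the original page: a small POSIX shell script that turns a table of forwards into the iptables rules a Linux router would need, and refuses the one thing the text says a router cannot do, which is to send the same external port to two internal hosts. The WAN interface name eth0, the public address 203.0.113.10 (an RFC 5737 documentation address) and the internal hosts are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example, not from the page: turn a table of port forwards into the
# iptables rules a Linux router would need, refusing the one thing the text
# says a router cannot do: send the same external port to two internal hosts.
# Assumptions: the WAN interface is eth0, the public address is 203.0.113.10
# (an RFC 5737 documentation address) and the internal hosts are made up.
WAN_IF="${WAN_IF:-eth0}"
WAN_IP="${WAN_IP:-203.0.113.10}"

# valid_port N: true if N is an integer in 1..65535
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# port_forward EXT_PORT PROTO INT_IP INT_PORT
# Prints the two rules one forward needs: DNAT in the nat table's PREROUTING
# chain rewrites the destination from the router's public address to the
# internal host, and an explicit FORWARD accept lets it through the filter
# table, which otherwise drops traffic no rule allows (see "Firewall Rules"
# above).  External and internal ports may differ.
port_forward() {
    ext=$1; proto=$2; host=$3; int=$4
    valid_port "$ext" && valid_port "$int" || { echo "bad port in $ext -> $host:$int" >&2; return 1; }
    case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp: $proto" >&2; return 1 ;; esac
    printf 'iptables -t nat -A PREROUTING -i %s -d %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$WAN_IP" "$proto" "$ext" "$host" "$int"
    printf 'iptables -A FORWARD -i %s -p %s -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$proto" "$host" "$int"
}

# forward_table: reads lines "EXT_PORT PROTO INT_IP INT_PORT" on stdin
# ('#' starts a comment) and prints the rules; a second forward for an
# external port/protocol that is already used is the "confused router"
# case and aborts the whole table.
forward_table() {
    seen=" "
    while read -r ext proto host int; do
        case "$ext" in ''|\#*) continue ;; esac
        key="$proto/$ext"
        case "$seen" in *" $key "*)
            echo "external port $key is already forwarded; use a different external port" >&2
            return 1 ;;
        esac
        seen="$seen$key "
        port_forward "$ext" "$proto" "$host" "$int" || return 1
    done
}

# Constructed sample: the VLAN 2 server keeps external 3389 (Remote Desktop),
# the VLAN 3 machine is reached through external 13389; both listen on 3389.
forward_table <<'EOF'
# ext  proto  internal host  internal port
3389   tcp    10.2.0.10      3389
13389  tcp    10.3.0.20      3389
EOF
```

Run it as-is to see the four rules for the two-forward example from Figure 6; feed it your own table on stdin to generate rules for a real router. The FORWARD rule is what makes the page's point about firewall rules concrete: a DNAT alone rewrites the address, but the filter table still has to allow the connection.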

As a developer, is your Hong Kong server configuration right?

As we all know, a server is essentially a computer that can be reached from outside, and its parameters are the same as a computer's. By combining the project's requirements with the hardware configuration on offer, the most suitable Hong Kong server configuration can be chosen for a given need.

First, figure out what the Hong Kong server is being rented for. It can host websites, run applications, build a local area network, store data, and so on. Every server has its purpose. Developers must first understand what the server is for; only then can they know what configuration they need.

For example, if a developer is building something high-concurrency, compute-heavy, graphics-heavy or large in storage, it is probably a project that will see a lot of access in a short time. Not only does the project itself need to be optimised, but its data storage too, which calls for a Hong Kong server configuration that can sustain high throughput.

If the developer is just an individual webmaster, there is no need for a high-end configuration. It is still recommended that individual webmasters choose a dedicated server, so that other sites sharing the same IP address cannot affect yours. A good-quality dedicated Hong Kong server is also much faster than a shared one, and your own data is better isolated.

The price of a server varies with its configuration. There are many domestic providers renting Hong Kong servers; choosing a good one makes your business more effective. It is best to choose one with 24/7 after-sales technical support, so that any problem during operation can be resolved and your business does not suffer too much loss.

Ten most common Linux distributions: comparison, introduction and download addresses

Have you ever wondered where the charm, or the power, of Linux comes from? It is that so many distributions are thriving: the Linux camp keeps growing, each distribution has a large user base, and developers are willing to devote their energy to the related projects. Linux distributions come in all kinds, designed to meet every conceivable need. The purpose of this article is to describe briefly why each distribution exists, who its target users are, and what sets it apart from the others.

  1. Debian

Debian is extremely stable, which makes it very suitable for servers. Debian maintains three official software repositories plus a non-free one, and it has inspired several other distributions such as Ubuntu and Kali. Debian has spawned many Linux distributions. It has more than 37,500 packages; the only other distribution that outdoes Debian here is Gentoo. Debian uses apt or aptitude to install and update software.

Debian is not really aimed at novice users but at system administrators and advanced users. Debian supports most of today's processor architectures.

Download Debian ISO image file: http://www.debian.org/distrib/


  2. Gentoo

Like Debian, Gentoo includes a large number of software packages. Gentoo is not shipped precompiled; software is compiled on each system. Even the Gentoo community finds Gentoo difficult to install and use; however, it is considered the best way to learn about the internal workings of the Linux operating system. When it comes to Gentoo, someone always says: "If you learn a distribution, you learn to use that distribution; if you learn Gentoo, you learn Linux." Gentoo uses Portage to install and update software.

Gentoo is an operating system for users who are already familiar with Linux.

Download and install Gentoo: http://www.gentoo.org/main/en/where.xml


  3. Ubuntu

Ubuntu is a spin-off of Debian and the most popular free operating system today. Ubuntu focuses on the desktop market but is also common on servers, in cloud computing, and even on some mobile devices. As a derivative of Debian GNU/Linux, most of Ubuntu's processes, look and feel are still the same as Debian's. It uses the apt software management tools to install and update software. It is also one of the easiest distributions to use on the market today.

Ubuntu is an operating system novice users will love.

Download the Ubuntu ISO image file: http://www.ubuntu.com/download


  4. Damn Vulnerable Linux

Most people may not have heard of this distribution before, but it still has a place in this article. So what is so special about it? Damn Vulnerable Linux is exactly what its name says. Damn Vulnerable Linux (DVL) is not a good Linux distribution in the usual sense: it deliberately bundles broken, misconfigured, outdated and easily exploitable software.

Its purpose is to train Linux administrators. Is there anything better than handing an administrator a broken distribution to fix? Faced with old or broken versions of Apache, MySQL, PHP, FTP and SSH, trainee administrators have more than enough to do.

Damn Vulnerable Linux is a lab designed to train administrators. Run it only in an isolated lab network or an offline virtual machine, never on anything reachable from the Internet.


  5. Red Hat Enterprise Linux

This was the first Linux distribution aimed at the commercial market. It has server editions and supports a wide range of processor architectures, including x86 and x86_64. Red Hat trains and certifies system administrators through its Red Hat Certified System Administrator / Red Hat Certified Engineer (RHCSA / RHCE) courses. Globally, 80% of Red Hat's profit comes from support and the other 20% from training and certification, but not in India.

In India, 80% of Red Hat's profit comes from certification and training and only 20% from support. Fedora is the platform on which new products and applications are developed and tested; once something is stable, it is bundled into Red Hat Enterprise Linux, with support. Red Hat offers a lot of stable applications, but its well-known drawback is that it is really expensive and packages many old versions. However, if security is the primary concern, Red Hat Enterprise Linux is the ideal distribution. It uses the yum package manager.

Red Hat Enterprise Linux is the first choice for system administrators. It has a large number of packages and very good support.

Since the distribution is a commercial product, it is not free. However, you can download a beta version for learning purposes.

Note: it is generally believed that Marc Ewing, who developed the distribution, named it Red Hat because he had lost a red hat that was his favourite, a birthday gift from his grandfather.


  6. CentOS

CentOS is an enterprise Linux distribution rebuilt from the freely available source code of Red Hat Enterprise Linux. The rebuild removes Red Hat's trademarks and makes only very subtle changes to the binary packages. Some people do not want to pay a lot of money yet want Red Hat Enterprise Linux; for them, CentOS is worth a try. CentOS looks and behaves like its parent, Red Hat Enterprise Linux. CentOS uses yum to manage packages.

It is very stable; anyone who wants to test how server software behaves, even on a desktop, should try this operating system.

Download the CentOS 6.4 DVD ISO image file: http://wiki.centos.org/Download


  7. Fedora

Fedora is for those who want to try the newest technology and cannot wait for a stable version to come out. In fact, Fedora is Red Hat's testbed: products are developed and tested there before they become an enterprise release. Fedora is a very good distribution with a huge user forum and lots of packages in its repositories. Fedora also uses yum to manage packages.

Download the Fedora 18 (Spherical Cow) DVD ISO image file: http://fedoraproject.org/en/get-fedora


  8. Kali Linux

Kali Linux is a derivative of Debian designed for penetration testing. It was released only about three months ago. Before Kali

VPB multiple IP | Create a VM or VPS on Citrix XenServer

This page is a guide on how to create a VM on Citrix XenServer, copied from the VPB dedicated hosting company.

Let's start by making space in dom0 for the Windows ISO. Note that this carves a logical volume out of the volume group XenServer manages for its own storage repository; XenServer's tools do not know about it, so keep it small and do not let the SR run out of space.

1. Find the volume group name:

vgdisplay

2. Create a 15 GB logical volume in it (the VG name below is the one from this host; yours will differ):

lvcreate -n mylv -L 15G VG_XenStorage-8ffde80f-9969-d46d-67f9-632d380f3b60

3. Put a filesystem on it:

mkfs.ext3 /dev/VG_XenStorage-8ffde80f-9969-d46d-67f9-632d380f3b60/mylv

4. Create a mount point and mount it:

mkdir /data
mount /dev/VG_XenStorage-8ffde80f-9969-d46d-67f9-632d380f3b60/mylv /data

5. Make the mount survive a reboot, so the ISO space does not disappear when the server restarts. Add this line to /etc/fstab (device-mapper writes each hyphen in the VG name as a double hyphen):

/dev/mapper/VG_XenStorage--8ffde80f--9969--d46d--67f9--632d380f3b60-mylv /data ext3 defaults 0 0

Because the volume is not activated on its own at boot, also add to /etc/rc.d/rc.local:

lvchange -ay /dev/VG_XenStorage-8ffde80f-9969-d46d-67f9-632d380f3b60/mylv
mount /dev/VG_XenStorage-8ffde80f-9969-d46d-67f9-632d380f3b60/mylv /data

6. Create a directory for ISOs and register it as an ISO storage repository:

mkdir /data/ISO
xe sr-create name-label=GRT_ISO type=iso device-config:location=/data/ISO device-config:legacy_mode=true content-type=iso

7. Download the ISO you want into /data/ISO.

Now go to the XenServer install interface: type the server IP into a browser, and you will see the screen shown below.

Click Next until you are asked to choose the ISO; choose the ISO storage you just created.

The rest is straightforward.

How to expand the root partition with LVM

How to expand the root partition with LVM: it is easy to get more space under / via Logical Volume Management. The expansion is five steps.

Overview of the LVM steps

1. Initialise the new disk as a physical volume (a plain mkfs is not needed and, as the transcript below shows, mkfs.ext4 has no -y option; vgextend will also do this step for you):

pvcreate /dev/sdd

2. Add it to the volume group:

vgextend VolGroup /dev/sdd

3. Grow the root logical volume:

lvextend -L +9.99G /dev/VolGroup/LogVol00

4. Grow the filesystem to the new size of the logical volume (ext4 can do this online):

resize2fs /dev/VolGroup/LogVol00

5. Check that it worked:

df -HT

Let's walk through the process on a system with LVM:

# fdisk -l

Disk /dev/sda: 21.5 GB, 21474836480 bytes
255 heads, 63 sectors/track, 2610 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00028846

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1          26      204800   83  Linux
Partition 1 does not end on cylinder boundary.
/dev/sda2              26        2611    20765696   8e  Linux LVM

Disk /dev/sdc: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdb: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/mapper/VolGroup-LogVol00: 42.7 GB, 42718986240 bytes
255 heads, 63 sectors/track, 5193 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

Disk /dev/sdd: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000

# mkfs.ext4 -y /dev/sdd
mkfs.ext4: invalid option -- 'y'
Usage: mkfs.ext4 [-c|-l filename] [-b block-size] [-f fragment-size]
	[-i bytes-per-inode] [-I inode-size] [-J journal-options]
	[-G meta group size] [-N number-of-inodes]
	[-m reserved-blocks-percentage] [-o creator-os]
	[-g blocks-per-group] [-L volume-label] [-M last-mounted-directory]
	[-O feature[,...]] [-r fs-revision] [-E extended-option[,...]]
	[-T fs-type] [-U UUID] [-jnqvFKSV] device [blocks-count]

(This step fails because -y is not an option of mkfs.ext4, and it is not needed anyway: the filesystem lives on the logical volume, not on the raw disk, and vgextend initialises the disk as a physical volume itself, as the next output shows.)

# vgextend VolGroup /dev/sdd
  Physical volume "/dev/sdd" successfully created
  Volume group "VolGroup" successfully extended

# lvextend -L +9.99G /dev/VolGroup/LogVol00
  Rounding size to boundary between physical extents: 9.99 GiB.
  Size of logical volume VolGroup/LogVol00 changed from 39.79 GiB (10185 extents) to 49.78 GiB (12743 extents).
  Logical volume LogVol00 successfully resized.

# resize2fs /dev/VolGroup/LogVol00
resize2fs 1.41.12 (17-May-2010)
Filesystem at /dev/VolGroup/LogVol00 is mounted on /; on-line resizing required
old desc_blocks = 3, new_desc_blocks = 4
Performing an on-line resize of /dev/VolGroup/LogVol00 to 13048832 (4k) blocks.
The filesystem on /dev/VolGroup/LogVol00 is now 13048832 blocks long.

# df -HT
Filesystem            Type   Size  Used Avail Use% Mounted on
                      ext4    53G  791M   50G   2% /
tmpfs                 tmpfs  977M     0  977M   0% /dev/shm
/dev/sda1             ext4   199M   40M  150M  21% /boot
#
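The same procedure as a script, added here as an example that is not part of the original page: it prints the plan by default and only runs it with --apply as root, after preflight checks that the transcript above does not make (the disk is not mounted, not partitioned, and carries no filesystem or LVM signature, and the volume group exists). The VG, LV and device names are the page's; the extent arithmetic reproduces the rounding lvextend reported (2558 extents of 4 MiB for the page's +9.99G). The 4 MiB extent size is LVM's default and is an assumption about this host.

```shell
#!/bin/sh
# Added example, not from the page: grow the root logical volume onto a new
# disk with the preflight checks the transcript above skips.  VG, LV and
# device names are the page's (VolGroup, LogVol00, /dev/sdd); the size is the
# page's +9.99G expressed in MiB.  Without --apply it only prints the plan.
set -u
VG="${VG:-VolGroup}"
LV="${LV:-LogVol00}"
NEW_DEV="${NEW_DEV:-/dev/sdd}"
ADD_MIB="${ADD_MIB:-10230}"   # 9.99 GiB
EXTENT_MIB=4                  # LVM's default physical extent size (assumed)

# extents_needed SIZE_MIB EXTENT_MIB: physical extents, rounded up, which is
# the rounding lvextend reports ("Rounding size to boundary between physical
# extents").  10230 MiB at 4 MiB -> 2558 extents, the 12743-10185 of the
# transcript above.
extents_needed() {
    echo $(( ($1 + $2 - 1) / $2 ))
}

# plan: the command sequence.  Two differences from the page's five steps:
#  - a disk joins a volume group via pvcreate, not mkfs; formatting it would
#    be pointless (the filesystem lives on the LV) and "mkfs.ext4 -y" fails
#    because -y is not an option;
#  - "lvextend -r" resizes the filesystem in the same step, so the LV can
#    never end up larger than the filesystem because resize2fs was forgotten.
plan() {
    cat <<EOF
pvcreate $NEW_DEV
vgextend $VG $NEW_DEV
lvextend -r -L +${ADD_MIB}M /dev/$VG/$LV
df -hT /
EOF
}

# preflight DEV: refuse a device that is not a block device, is mounted, or
# already carries a filesystem, partition table or LVM signature (blkid -p
# probes the device itself rather than the blkid cache).
preflight() {
    dev=$1
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
    if grep -q "^$dev[0-9]* " /proc/mounts; then
        echo "$dev or a partition on it is mounted" >&2; return 1
    fi
    if blkid -p "$dev" >/dev/null 2>&1; then
        echo "$dev already has a signature (see: blkid -p $dev); refusing to reuse it" >&2; return 1
    fi
    vgs "$VG" >/dev/null 2>&1 || { echo "volume group $VG not found" >&2; return 1; }
}

case "${1:-}" in
    --apply)
        [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
        preflight "$NEW_DEV" || exit 1
        plan | sh -ex ;;
    *)
        echo "# dry run: $(extents_needed "$ADD_MIB" "$EXTENT_MIB") extents of ${EXTENT_MIB} MiB would be added; run with --apply as root"
        plan ;;
esac
```

Override VG, LV, NEW_DEV or ADD_MIB in the environment to adapt it; the signature check is the important one, because pvcreate on a disk that still holds data is exactly the mistake a hurried resize makes.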

Done.



Firewall configuration details

Do you know the ways to set up a firewall on a CentOS server? VPB Inc., a specialised data centre, shows the approaches you can use to get the firewall up properly.

1. firewalld, iptables, ebtables

Several firewall front ends coexist in CentOS 7.

By default firewalld is used to manage the Netfilter subsystem, but the underlying commands are still iptables and friends.

Compared with iptables, the disadvantage of firewalld is that every service has to be opened before it is reachable, because its default zone rejects incoming connections that are not explicitly allowed. (From a security standpoint this default-deny posture is the safer one.)

With iptables as shipped, the chains have an ACCEPT policy and no rules, so every service is allowed and you add rules only for what must be restricted.

The relationship between firewalld and iptables

Compared with iptables, firewalld has at least two advantages:

1) firewalld can add or remove a single rule dynamically, instead of having to reload the whole ruleset for a change to take effect, as with iptables;

2) firewalld is much more user-friendly than iptables: even if you do not understand the "five tables and five chains" or the TCP/IP protocol, you can achieve most things.

Note: firewalld itself does not filter packets. Like iptables, it relies on the kernel's Netfilter.

That is to say, like iptables, firewalld maintains rules, and what actually enforces them is the kernel's Netfilter; firewalld and iptables just have different structures and usage.

2. An important concept: zones

2.1 firewalld maps network interfaces to zones. There are 9 zones by default:

block dmz drop external home internal public trusted work

The zones differ in their default behaviour towards packets. From the zone name you can intuitively tell its character. On CentOS 7 the default zone is public.

In the latest Fedora (Fedora 21), with the split into Server and Workstation editions, two custom zones were added: FedoraServer and FedoraWorkstation, one for each edition.

By dividing the network into zones and defining access control between them, you control the traffic exchanged between them.

For example, the Internet is an untrusted zone, while the intranet is a highly trusted zone. The network security model can be initialised at installation, at first boot and when a network connection is established.

2.2 The model describes the trust level of the network environment the host is connected to, and defines how new connections are handled.

The predefined zones are as follows:

block: any incoming connection is rejected with an ICMP host-prohibited message; only connections initiated from this system are possible.

work: you mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

home: you mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

public: you do not trust the other computers on the network; only selected incoming connections are accepted.

dmz: the demilitarised zone, a layer of network added between the internal and external networks as a buffer, with limited access to the internal network; only selected incoming connections are accepted.

trusted: all network connections are accepted.

drop: any incoming packet is dropped without a reply; only outgoing connections are possible.

internal: for internal networks; you mostly trust the other computers on the network not to harm your computer; only selected incoming connections are accepted.

external: for external networks, with masquerading (NAT) enabled; you do not trust the other computers on the network; only selected incoming connections are accepted.

Note: the default zone for firewalld is public.

2.3 firewalld provides nine zone configuration files by default: block.xml, dmz.xml, drop.xml, external.xml, home.xml, internal.xml, public.xml, trusted.xml, work.xml.

They are all stored in the directory /usr/lib/firewalld/zones/.

By default there is only public.xml under /etc/firewalld/zones/. If you change another zone and save the change permanently, the corresponding configuration file is generated there automatically.

For example, adding a port to the work zone

firewall-cmd --permanent --zone=work --add-port=1000/tcp

creates the configuration file work.xml.

2.4 To view the permanent configuration file of zone XX:

# cat /etc/firewalld/zones/XX.xml

Note: the configuration files can also be edited by hand. Remember to reload the firewall after editing.

2.5 Configuration methods

firewalld can be configured in three ways: firewall-config, firewall-cmd, and editing the XML files directly.

firewall-config is a graphical tool and firewall-cmd is a command-line tool.

On Linux you will usually prefer the command line, so firewall-config is not covered here.

There are two firewalld configuration directories:

/usr/lib/firewalld/ (system defaults; try not to modify, as package updates overwrite them)

/etc/firewalld/ (user configuration; files here take precedence over the system defaults)

3. What is a service?

3.1 In the /usr/lib/firewalld/services/ directory another type of configuration file is kept. Each file corresponds to one network service, such as SSH.

Each file records the TCP/UDP ports the service uses. In the latest firewalld, 70+ services are defined by default.

When the default services are not enough, or the port of a service needs to be customised, place your own service file in /etc/firewalld/services/ (a file there overrides a same-named one under /usr/lib/firewalld/services/).

First, managing rules by service name is more human-friendly.

Second, grouping ports by service is more efficient: if a service uses several ports, its service file is a batch shortcut for managing the rules for all of them.

Suppose you do not want to run FTP on its default port 21 but on 1121 instead. The steps are as follows.

Copy the template to /etc for modification:

# cp /usr/lib/firewalld/services/ftp.xml /etc/firewalld/services/

Edit the copy:

# vim /etc/firewalld/services/ftp.xml

and change 21 to 1121.

# vim /etc/firewalld/zones/public.xml

public is the default zone, so edit it and add a line for the service, as follows

Reload the firewall configuration:

# firewall-cmd --reload
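The custom-service procedure above, as an added example that is not part of the original page: a POSIX shell script that writes a service file in the same format as the stock ones under /usr/lib/firewalld/services/, validates the port and protocol first, and then uses firewall-cmd rather than hand-editing public.xml to enable it permanently. The port 1121 and zone public are the page's; the service name ftp-custom is an assumption, and FIREWALLD_DIR can be pointed at a scratch directory to exercise the file generation without root.

```shell
#!/bin/sh
# Added example, not from the page: define a firewalld service for FTP on a
# non-default port and open it permanently.  The port (1121), the zone
# (public) and /etc/firewalld come from the page; FIREWALLD_DIR can be
# pointed at a scratch directory to exercise the file generation without
# root.  The service name "ftp-custom" is an assumption.
set -u
FIREWALLD_DIR="${FIREWALLD_DIR:-/etc/firewalld}"

# write_service NAME SHORT PORT/PROTO [PORT/PROTO...]
# Writes $FIREWALLD_DIR/services/NAME.xml in the format of the stock files
# under /usr/lib/firewalld/services/.  Validates first, writes nothing on
# error, and refuses names with characters that could escape the directory.
write_service() {
    name=$1; short=$2; shift 2
    case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad service name: '$name'" >&2; return 1 ;; esac
    [ $# -ge 1 ] || { echo "at least one PORT/PROTO is required" >&2; return 1; }
    for spec in "$@"; do
        port=${spec%/*}; proto=${spec#*/}
        case "$proto" in tcp|udp) ;; *) echo "protocol must be tcp or udp: $spec" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "port must be numeric: $spec" >&2; return 1 ;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "port out of range: $spec" >&2; return 1; }
    done
    dir="$FIREWALLD_DIR/services"
    mkdir -p "$dir"
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    {
        printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
        printf '  <short>%s</short>\n' "$short"
        printf '  <description>%s on a custom port (generated)</description>\n' "$short"
        for spec in "$@"; do
            printf '  <port protocol="%s" port="%s"/>\n' "${spec#*/}" "${spec%/*}"
        done
        printf '</service>\n'
    } > "$tmp" && mv "$tmp" "$dir/$name.xml" || { rm -f "$tmp"; return 1; }
    echo "$dir/$name.xml"
}

# open_service NAME ZONE: reload so firewalld picks up the new file, enable
# the service in the zone's permanent configuration, reload again so the
# permanent configuration becomes the running one, then show the result.
# A runtime-only --add-service would not survive the reload, hence --permanent.
open_service() {
    firewall-cmd --reload >/dev/null || return 1
    firewall-cmd --permanent --zone="$2" --add-service="$1" || return 1
    firewall-cmd --reload >/dev/null || return 1
    firewall-cmd --zone="$2" --list-services
}

case "${1:-}" in
    --apply)
        write_service ftp-custom FTP 1121/tcp >/dev/null || exit 1
        open_service ftp-custom public ;;
    *)
        echo "usage: $0 --apply   (as root; writes $FIREWALLD_DIR/services/ftp-custom.xml and opens it in zone public)" ;;
esac
```

Two practical notes. The generated file deliberately leaves out the `<module>`/helper line the stock ftp.xml carries: the kernel's FTP connection-tracking helper only watches port 21 unless it is loaded with its `ports` parameter set to the new port, so passive-mode data connections on 1121 need that as well. And the stock public.xml is left alone; enabling the service through `firewall-cmd --permanent` produces the same `<service name="..."/>` entry without the risk of a hand-edit breaking the XML.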

4. Install, enable and stop firewalld

4.1 Install firewalld

# yum install firewalld firewall-config

4.2 Start the service

# systemctl start firewalld

4.3 Start the service automatically at boot

# systemctl enable firewalld

4.4 View the status

# systemctl status firewalld

4.5 Stop the service

# systemctl stop firewalld

4.6 Do not start at boot

# systemctl disable firewalld

4.7 Abandon firewalld and use iptables instead (stop and disable firewalld first, as in 4.5 and 4.6; running both at once gives conflicting rulesets)

# yum install iptables-services

# systemctl start iptables

# systemctl enable iptables

4.8 View the version

# firewall-cmd --version

4.9 View help

# firewall-cmd --help

4.10 Show the state

# firewall-cmd --state

4.11 View active zones

# firewall-cmd --get-active-zones

4.12 View the zone of an interface

# firewall-cmd --get-zone-of-interface=XX

4.13 Reject all packets (panic mode: every incoming and outgoing packet is dropped, including the SSH session you issue the command from, so use it from the console)

# firewall-cmd --panic-on

4.14 Cancel panic mode

# firewall-cmd --panic-off

4.15 Check whether panic mode is on

# firewall-cmd --query-panic

4.16 Check whether firewalld is enabled at boot

# systemctl is-enabled firewalld

4.17 Reload the firewall (as root; reloads the permanent configuration without interrupting existing connections, i.e. without losing state information; changes made at runtime only are discarded)

# firewall-cmd --reload

4.18 Reload the firewall completely (as root; reloads the firewall and breaks existing connections, i.e. state information is discarded)

# firewall-cmd --complete-reload

Note: this command is normally used only when the firewall has a serious problem, for example when the rules are correct but the connection-tracking state is wrong and connections cannot be established.

The difference between firewall-cmd --reload and firewall-cmd --complete-reload is as follows:

the first does not break connections (adding rules dynamically is one of firewalld's features); the second breaks connections, similar to restarting the service.

4.19 Show the default zone

# firewall-cmd --get-default-zone

4.20 Add an interface to a zone (adds the interface to zone XX, or to the default zone if no zone is given)

# firewall-cmd --zone=XX --add-interface=eth0

For a permanent effect add --permanent and reload the firewall.

4.21 Set the default zone; takes effect immediately without a restart

# firewall-cmd --set-default-zone=XX

4.22 List the ports opened in zone XX

# firewall-cmd --zone=XX --list-ports

4.23 List the services enabled in zone XX

# firewall-cmd --zone=XX --list-services

4.24 Temporarily add a port to zone XX

# firewall-cmd --zone=XX --add-port=8080/tcp

To make it permanent, add the parameter --permanent.

4.25 Opening a service is similar to opening a port. The service must be defined in a service file: there is a services directory under /etc/firewalld; look at the other XML files there and follow the method described above.

# firewall-cmd --zone=work --add-service=smtp

4.26 Remove a service

# firewall-cmd --zone=work --remove-service=smtp

4.27 List the supported zones

# firewall-cmd --get-zones

4.28 List everything enabled in all zones

# firewall-cmd --list-all-zones

4.29 Show the details of zone XX

# firewall-cmd --zone=XX --list-all

4.30 View the currently active zones

# firewall-cmd --get-active-zones

4.31 Show the zone of interface XX

# firewall-cmd --get-zone-of-interface=XX

4.32 Query whether interface XX is in zone YY

# firewall-cmd --zone=YY --query-interface=XX

4.33 Remove interface XX from zone YY

# firewall-cmd --zone=YY --remove-interface=XX

4.34 Move interface XX to zone YY (add --permanent to keep it)

# firewall-cmd --zone=YY --change-interface=XX

4.35 Controlling ports and services

Ports can be opened in two ways:

1) by port number or by service name.

Although opening the http service means opening port 80, it cannot be closed by port number. That is, what was opened by service name must be closed by service name;

2) what was opened by port number is closed by port number.

3) Also note that when you specify a port, you must say which protocol it is, tcp or udp.

4.36 Rich rules (the source address="" must be filled in with the address or subnet allowed to reach port 5432; a rich rule with a source is how you restrict a database port to one network instead of opening it to everything in the zone)

# firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="" port protocol="tcp" port="5432" accept'

# systemctl restart firewalld.service

(firewall-cmd --reload is enough to apply a permanent rule; a full service restart is not required.)

5. firewalld service management

5.1 Show the supported services

# firewall-cmd --get-services

5.2 Temporarily allow the Samba service for 600 seconds

# firewall-cmd --add-service=samba --timeout=600

5.3 Show the services opened in the default zone; to check another zone, add the parameter --zone=XX

# firewall-cmd --list-services

5.4 Add the http service to the internal zone and save it to the configuration file

# firewall-cmd --permanent --zone=internal --add-service=http

5.5 Reload the firewall without losing connection state

# firewall-cmd --reload

5.6 Open the MySQL service

# firewall-cmd --add-service=mysql

5.7 Block the MySQL service

# firewall-cmd --remove-service=mysql

5.8 Port management: temporarily open port 443/tcp, effective immediately

# firewall-cmd --add-port=443/tcp

5.9 Permanently open port 3690/tcp

# firewall-cmd --permanent --add-port=3690/tcp

5.10 To activate a permanently opened port you need to reload. Note that on reload, ports and services opened only at runtime (without --permanent) are lost.

# firewall-cmd --reload

5.11 view the settings of all areas of the firewall, including the added ports and services

[ [email protected] ~]# firewall-cmd –list-all

5.12 open access to 3306 via TCP

[ [email protected] ~]# firewall-cmd –add-port=3306/tcp

5.13 block tcp80

[ [email protected] ~]# firewall-cmd –remove-port=80/tcp

5.14 open access through UDP 233

[ [email protected] ~]# firewall-cmd –add-port=233/udp

5.15 view open ports

[ [email protected] ~]# firewall-cmd –list-ports

5.16 open custom SSH port number is 12222 (- the – permanent parameter can be permanently saved to the configuration file)

[ [email protected] ~]# firewall-cmd –add-port=12222/tcp –permanent

Restart the firewall. To open a port permanently, you need to reload it. If you use reload, the temporarily opened port will fail

[ [email protected] ~]# firewall-cmd –reload

5.16 add port range

[ [email protected] ~]# firewall-cmd –add-port=2000-4000/tcp

5.17 add port for specified zone XX

[ [email protected] ~]# firewall-cmd –permanent –zone=XX –add-port=443/tcp


6.Manage the objects in a zone

6.1 list the zones in the permanent configuration

# firewall-cmd --permanent --get-zones

6.2 enable a service in a zone (this permanently enables the service in the zone; if no zone is given, the default zone is used)

firewall-cmd --permanent [--zone=] --add-service=

6.3 open the MySQL service temporarily, effective immediately

# firewall-cmd --add-service=mysql

6.4 public zone: add the HTTP service and save it; it does not take effect immediately, the firewall must be reloaded

# firewall-cmd --permanent --zone=public --add-service=http

6.5 public zone: disable the HTTP service and save it; it does not take effect immediately, the firewall must be reloaded

# firewall-cmd --permanent --zone=public --remove-service=http

7.Port forwarding

Port forwarding sends traffic that arrives on a given port on to a given port at a given address.

If no destination address is given, the local host is used. If an address is given but no port, the original port is kept.

Typical uses:

1) NAT port mapping for an internal network

2) forwarding data through an SSH tunnel

If forwarding does not work after configuration, check the following two things:

For example, forwarding port 80 to port 8080: first check that local port 80 and target port 8080 are both open and listening

Second, check whether IP masquerading is enabled. If not, turn on masquerading

7.1 forward traffic from port 80 to port 8080

# firewall-cmd --add-forward-port=port=80:proto=tcp:toport=8080

7.2 forward the traffic of port 80 to

# firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=

7.3 forward the traffic of port 80 to port 8080 of

# firewall-cmd --add-forward-port=port=80:proto=tcp:toaddr=:toport=8080

7.4 disable port forwarding or port mapping in a zone

firewall-cmd [--zone=] --remove-forward-port=port=[-]:proto= { :toport=[-] | :toaddr= | :toport=[-]:toaddr= }

7.5 query port forwarding or port mapping in a zone

firewall-cmd [--zone=] --query-forward-port=port=[-]:proto= { :toport=[-] | :toaddr= | :toport=[-]:toaddr= }

7.6 permanently enable port forwarding or mapping in a zone

firewall-cmd --permanent [--zone=] --add-forward-port=port=[-]:proto= { :toport=[-] | :toaddr= | :toport=[-]:toaddr= }

Ports can be mapped to the same port on another host or to different ports on the same host or another host.

The port number can be a single port or a range of ports.

The protocol can be TCP or UDP.

The destination port can be a port number or a port range.

The destination address can be an IPv4 address. Restricted by the kernel, port forwarding is only available for IPv4.
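The two troubleshooting checks above (is the target port listening, is masquerading on) and the constraints just listed (tcp/udp only, single port or range, IPv4 destinations only), as an added example that is not part of the original page. It builds the value for --add-forward-port and diagnoses a forward against a constructed, ss-style listing of local sockets; the sample sockets and addresses are invented.

```python
import ipaddress
import re

# Constructed sample in the shape of `ss -ltnu` output (not captured from the page):
# protocol and local address:port of each listening socket.
SAMPLE_LISTENERS = """\
tcp   0.0.0.0:80
tcp   0.0.0.0:8080
tcp   127.0.0.1:3306
udp   0.0.0.0:53
"""

def parse_listeners(text):
    """Return the set of (proto, port) pairs that have a local listener."""
    found = set()
    for line in text.splitlines():
        m = re.match(r"\s*(tcp|udp)\s+\S+:(\d+)\s*$", line)
        if m:
            found.add((m.group(1), int(m.group(2))))
    return found

def forward_spec(port, proto, toport=None, toaddr=None):
    """Build the value for --add-forward-port, enforcing the constraints listed above."""
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be tcp or udp")
    if toport is None and toaddr is None:
        raise ValueError("at least one of toport or toaddr is required")
    for value in (port, toport):
        # a single port or a range such as 2000-4000
        if value is not None and not re.fullmatch(r"\d+(-\d+)?", str(value)):
            raise ValueError(f"invalid port or range: {value}")
    if toaddr is not None:
        ipaddress.IPv4Address(toaddr)  # forwarding destinations are IPv4 only
    spec = f"port={port}:proto={proto}"
    if toport is not None:
        spec += f":toport={toport}"
    if toaddr is not None:
        spec += f":toaddr={toaddr}"
    return spec

def check_forward(port, proto, toport, toaddr, listeners, masquerade_on):
    """Apply the two troubleshooting checks from the text; return the problems found."""
    problems = []
    target = toport if toport is not None else port   # no toport: original port is kept
    if toaddr is None and "-" not in str(target):
        # local destination: the target port must be listening on this host
        if (proto, int(target)) not in listeners:
            problems.append(f"target port {target}/{proto} is not listening locally")
    if toaddr is not None and not masquerade_on:
        # remote destination: return traffic needs masquerading in the zone
        problems.append("masquerade is disabled; enable it with --add-masquerade")
    return problems
```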

7.7 permanently disable port forwarding or port mapping in a zone

firewall-cmd --permanent [--zone=] --remove-forward-port=port=[-]:proto= { :toport=[-] | :toaddr= | :toport=[-]:toaddr= }

7.8 query the persistent port forwarding or port mapping state of a zone

firewall-cmd --permanent [--zone=] --query-forward-port=port=[-]:proto= { :toport=[-] | :toaddr= | :toport=[-]:toaddr= }

If enabled, the command returns a success status; it prints no output.

7.9 forward the SSH service of the home zone to

# firewall-cmd --permanent --zone=home --add-forward-port=port=22:proto=tcp:toaddr=

8.Masquerading (IP camouflage)

8.1 check whether IP masquerading is enabled

# firewall-cmd --query-masquerade

8.2 allow the firewall to masquerade IP addresses

# firewall-cmd --add-masquerade

8.3 stop the firewall from masquerading IP addresses

# firewall-cmd --remove-masquerade

8.4 permanently enable masquerading in a zone

firewall-cmd --permanent [--zone=] --add-masquerade

This enables masquerading for the zone. Private network addresses are hidden and mapped to a public IP.

This is a form of address translation, commonly used on routers. Because of a kernel limitation, masquerading is available for IPv4 only.

8.5 temporarily disable IP masquerading in a zone

firewall-cmd [--zone=] --remove-masquerade

8.6 permanently disable masquerading in a zone

firewall-cmd --permanent [--zone=] --remove-masquerade

8.7 query the persistent masquerading state of a zone

firewall-cmd --permanent [--zone=] --query-masquerade

If enabled, the command returns a success status; it prints no output.

8.8 query the masquerading state of a zone

firewall-cmd [--zone=] --query-masquerade

If enabled, the command returns a success status; it prints no output.

9.ICMP control

9.1 list the ICMP types supported in the permanent configuration

# firewall-cmd --permanent --get-icmptypes

9.2 list all supported ICMP types

# firewall-cmd --get-icmptypes

9.3 permanently enable an ICMP block in a zone; a firewall reload is required

firewall-cmd --permanent [--zone=] --add-icmp-block=

This blocks the selected Internet Control Message Protocol (ICMP) packets. An ICMP message can be an information request, a reply, or an error response.

9.4 permanently disable an ICMP block in a zone; a firewall reload is required

firewall-cmd --permanent [--zone=] --remove-icmp-block=

9.5 query the persistent ICMP block state of a zone

firewall-cmd --permanent [--zone=] --query-icmp-block=

If enabled, the command returns a success status; it prints no output.

Block echo-reply messages in the public zone:

# firewall-cmd --permanent --zone=public --add-icmp-block=echo-reply

9.6 enable an ICMP block in a zone immediately

firewall-cmd [--zone=] --add-icmp-block=

This blocks the selected ICMP packets. An ICMP message can be an information request, a reply, or an error response.

9.7 disable an ICMP block in a zone immediately

firewall-cmd [--zone=] --remove-icmp-block=

9.8 query the ICMP block state of a zone

firewall-cmd [--zone=] --query-icmp-block=

If enabled, the command returns a success status; it prints no output.

Example: block echo-reply messages in the public zone:

# firewall-cmd --zone=public --add-icmp-block=echo-reply

10. firewalld through configuration file


The system has built-in firewall rules for some common services, stored in /usr/lib/firewalld/services/

Attention!! Do not edit /usr/lib/firewalld/services/; only the files under /etc/firewalld/services/ may be edited.

The following examples use the system's own public zone

10.1 case 1: to open port 80 so the Internet can reach the HTTP service, do the following

Step 1: copy http.xml to /etc/firewalld/services/ so the firewall manages it as a service.

The system reads the files in /etc/firewalld first and only then /usr/lib/firewalld/services/. For ease of modification and management, copying to /etc/firewalld is strongly recommended

# cp /usr/lib/firewalld/services/http.xml /etc/firewalld/services/

Modify /etc/firewalld/zones/public.xml and add the HTTP service

vi /etc/firewalld/zones/public.xml

Public For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.

Add this line; the service name must match the file name in the /etc/firewalld/services/ folder:

<service name="http"/>

As root, run the following to reload the firewall without interrupting user connections, that is, without losing state information:

# firewall-cmd --reload

Or, as root, run the following to reload the firewall and drop user connections, that is, discarding state information:

# firewall-cmd --complete-reload

Note: this command is usually used when the firewall has a serious problem, for example the rules are correct but connection state is broken and connections cannot be established.

10.2 case 2: SSH runs on a non-default port and must stay reachable

# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

# vi /etc/firewalld/services/ssh.xml

Change the default 22 to the current SSH port number

# firewall-cmd --reload

10.3 case 3: modify the zone configuration file so that only specific hosts can connect to SSH

# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

# vi /etc/firewalld/zones/public.xml

Make sure the configuration file contains the following

End of configuration

It takes effect after the firewall is reloaded

# firewall-cmd --reload
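The three cases above, as an added example that is not part of the original page: it models the service lookup order (/etc/firewalld before /usr/lib/firewalld), a copied ssh.xml with a changed port, and a public.xml that lists http zone-wide but admits ssh only through a source-restricted rich rule, then computes what the zone actually exposes. The XML snippets, the port 12222 and the 192.0.2.0/24 network are constructed stand-ins, not the page's files.

```python
import xml.etree.ElementTree as ET

# Constructed stand-ins for service definitions (not files from the page).
# /etc/firewalld/services is consulted first, then /usr/lib/firewalld/services,
# so the copied ssh.xml with its changed port (case 2) overrides the stock one.
ETC_SERVICES = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="12222"/></service>',
}
USR_LIB_SERVICES = {
    "ssh": '<service><short>SSH</short><port protocol="tcp" port="22"/></service>',
    "http": '<service><short>WWW (HTTP)</short><port protocol="tcp" port="80"/></service>',
}

# Constructed public.xml: http added as in case 1, one plain port, and a rich rule
# that admits ssh only from one source network as in case 3.
PUBLIC_ZONE = """<zone>
  <short>Public</short>
  <service name="http"/>
  <port protocol="tcp" port="443"/>
  <rule family="ipv4">
    <source address="192.0.2.0/24"/>
    <service name="ssh"/>
    <accept/>
  </rule>
</zone>"""

def service_ports(name):
    """Resolve a service name to its (port, proto) pairs using firewalld's lookup order."""
    xml = ETC_SERVICES.get(name) or USR_LIB_SERVICES[name]
    root = ET.fromstring(xml)
    return [(p.get("port"), p.get("protocol")) for p in root.findall("port")]

def zone_exposure(zone_xml):
    """Map each (port, proto) the zone admits to the allowed source: 'any' or a network."""
    root = ET.fromstring(zone_xml)
    exposed = {}
    # zone-level services and ports accept connections from every source
    for svc in root.findall("service"):
        for pp in service_ports(svc.get("name")):
            exposed[pp] = "any"
    for port in root.findall("port"):
        exposed[(port.get("port"), port.get("protocol"))] = "any"
    # rich rules narrow the source only if the port is not already open zone-wide
    for rule in root.findall("rule"):
        if rule.find("accept") is None:
            continue
        src = rule.find("source")
        source = src.get("address") if src is not None else "any"
        for svc in rule.findall("service"):
            for pp in service_ports(svc.get("name")):
                exposed.setdefault(pp, source)
        for port in rule.findall("port"):
            exposed.setdefault((port.get("port"), port.get("protocol")), source)
    return exposed
```

If ssh were also listed at zone level, the rich rule's source restriction would not limit it, which is what to verify when applying case 3.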

11.Firewalld direct mode

For the most advanced users, or iptables experts, firewalld provides a direct interface that lets you pass raw iptables commands to it.

Direct interface rules are not persistent unless --permanent is used.

Direct options are mainly intended for services and applications that add their own rules. The rules are not saved and must be submitted again after a reload or restart. The arguments are the same as for iptables, ip6tables and ebtables.

The --direct option must be the first argument. The rest is passed through to the firewall and can be any iptables, ip6tables or ebtables command-line arguments.

firewall-cmd --direct --passthrough { ipv4 | ipv6 | eb }

11.1 add a new chain to the table.

firewall-cmd --direct --add-chain { ipv4 | ipv6 | eb }

11.2 remove the chain from the table.

firewall-cmd --direct --remove-chain { ipv4 | ipv6 | eb }

11.3 query whether the chain exists in the table. Returns 0 if yes, otherwise 1

firewall-cmd --direct --query-chain { ipv4 | ipv6 | eb }

If it exists, the command returns a success status; it prints no output.

11.4 get the list of chains in the table, separated by spaces.

firewall-cmd --direct --get-chains { ipv4 | ipv6 | eb }

11.5 add a rule with the given arguments to the chain in the table, at the given priority.

firewall-cmd --direct --add-rule { ipv4 | ipv6 | eb }

11.6 remove the rule with the given arguments from the chain in the table.

firewall-cmd --direct --remove-rule { ipv4 | ipv6 | eb }

11.7 query whether the rule with the given arguments exists in the chain of the table. Returns 0 if yes, otherwise 1

firewall-cmd --direct --query-rule { ipv4 | ipv6 | eb }

If it exists, the command returns a success status; it prints no output.

11.8 get all rules added to the chain in the table, separated by newlines.

firewall-cmd --direct --get-rules { ipv4 | ipv6 | eb }

Allow a port with an iptables-style rule. With --permanent the rule survives the reload that makes it effective; without it the rule is runtime only and is lost on reload

# firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT

# firewall-cmd --reload

12 add rich rules:

12.1 allow all connections from the host.

# firewall-cmd --add-rich-rule='rule family="ipv4" source address="" accept'

12.2 allow 2 new connections per minute to the FTP service.

# firewall-cmd --add-rich-rule='rule service name=ftp limit value=2/m accept'

12.3 allow new IPv4 and IPv6 connections to FTP and audit once per minute.

# firewall-cmd --add-rich-rule='rule service name=ftp log limit value="1/m" audit accept'

12.4 allow new IPv4 connections from the address to the SSH service and log them, at most 3 per minute.

# firewall-cmd --add-rich-rule='rule family="ipv4" source address="" service name=ssh log prefix="ssh" level="notice" limit value="3/m" accept'

12.5 discard all ICMP packets

# firewall-cmd --permanent --add-rich-rule='rule protocol value=icmp drop'

12.6 when source or destination specifies an address, the family parameter must specify IPv4 or IPv6. If a timeout is given, the rule is active for that many seconds and is removed automatically afterwards.

# firewall-cmd --add-rich-rule='rule family=ipv4 source address= reject' --timeout=10

12.7 deny all hosts in the 2001:db8::/64 subnet access to the DNS service, auditing only once an hour.

# firewall-cmd --add-rich-rule='rule family=ipv6 source address="2001:db8::/64" service name="dns" audit limit value="1/h" reject' --timeout=300

12.8 allow hosts in the network segment to access the FTP service

# firewall-cmd --permanent --add-rich-rule='rule family=ipv4 source address= service name=ftp accept'

12.9 forward TCP port 4011 from IPv6 address 1:2:3:4:6:: to TCP port 4012 at 1::2:3:4:7

# firewall-cmd --add-rich-rule='rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"'

12.10 allow all IPv4 traffic from the host

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address= accept'

12.11 reject IPv4 TCP traffic from the host to port 22.

# firewall-cmd --zone=public --add-rich-rule 'rule family="ipv4" source address="" port port=22 protocol=tcp reject'

12.12 view rich rules

# firewall-cmd --list-rich-rules
