Firewall is a software that acts as a shield between user’s system and external network allowing some packets to pass while discarding other’s. Firewall commonly operates on network layer i.e. on IP packets both Ipv4 and Ipv6.
Whether a packet will pass or will be bocked, depends on the rules against such type of packets in the firewall. These rules can be built-in or user-defined ones. Each packet which enters the network has to pass through this shield which verifies it against rules defined in it for such type of packets.
Each rule has a target action which is to be applied in case the packet fails to satisfy it. On Linux systems, firewall as a service is provided by many softwares, most common which are: firewalld and iptables.
In Linux there are many different types of firewalls used, but most standard ones are Iptables and Firewalld, which is going to discuss in this article.
What is FirewallD
FirewallD is the Dynamic Firewall Manager of Linux systems. This service is used to configure the network connections, thus deciding which external network or internal packets to allow traversing the network and which to block.
It allows two types of configurations, permanent and runtime. Runtime configurations will get lost ones the service is restarted while the permanent ones get retained across the system boot so that they are followed every time the service gets active.
Corresponding to these configurations, firewallD has two directories, default/fallback one (/usr/lib/firewall) which is lost ones system is updated and the system configuration (/etc/firewall) which remains permanent and overrides the default one if given. This is found as a default service in RHEL/CentOS 7 and Fedora 18.
What is Iptables
Iptables is another service which decides to allow, drop or return IP packets. Iptables service manages Ipv4 packets while Ip6tables manages Ipv6 packets. This service manages a list of tables where each table is maintained for different purpose like: ‘filter‘ table is for firewall rules, ‘nat‘ table is consulted in case of new connection, ‘mangle‘ in case of packet alterations and so on.
Each table further has chains which can be built-in or user-defined where a chain signifies a set of rules which are applies to a packet, thus deciding what the target action for that packet should be i.e. it must be ALLOWED, BLOCKED or RETURNED. This service is a default service on systems like: RHEL/CentOS 6/5 and Fedora, ArchLinux, Ubuntu etc.
No comments:
Post a Comment