Firewalld 1.0 released

The release of the dynamically managed firewall firewalld 1.0 has been announced. It is implemented as a wrapper over the nftables and iptables packet filters. Firewalld runs as a background process that lets packet-filter rules be changed through D-Bus without reloading the whole rule set and without breaking established connections. The project is already used in many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and is licensed under GPLv2.

The firewall is managed with the firewall-cmd utility, which builds rules not from IP addresses, network interfaces and port numbers but from service names (for example, to open access to SSH you run "firewall-cmd --add-service=ssh", and to close SSH, "firewall-cmd --remove-service=ssh"). The firewall configuration can also be changed with the firewall-config graphical interface (GTK) and the firewall-applet applet (Qt). Support for managing the firewall through firewalld's D-Bus API is available in projects such as NetworkManager, libvirt, podman, docker and fail2ban.

The major version bump reflects changes that break backward compatibility and alter how zones behave. All filtering parameters defined in a zone now apply only to traffic addressed to the host on which firewalld is running; filtering forwarded (transit) traffic requires configuring policies. The most notable changes:

  • The backend that allowed firewalld to run on top of iptables has been deprecated. iptables support will be kept for the foreseeable future, but this backend will no longer be developed.
  • Intra-zone forwarding mode is enabled and activated by default for all new zones, allowing packets to move freely between network interfaces or traffic sources within a single zone (public, block, trusted, internal, etc.). To restore the old behaviour and prohibit forwarding within a zone, you can use the command "firewall-cmd --permanent --zone public --remove-forward".
  • Rules related to address translation (NAT) have been moved to the "inet" protocol family (previously they were added to the "ip" and "ip6" families, which required duplicating rules for IPv4 and IPv6). The change eliminates duplication when ipset is used: instead of three copies of the ipset entries, a single one is now used.
  • The "default" action specified in the "--set-target" parameter is now equivalent to "reject", i.e. all packets that do not match the rules defined in the zone are blocked by default. The only exception is ICMP packets, which are still allowed through. To restore the old behaviour for the publicly reachable "trusted" zone, the following rules can be used:
      firewall-cmd --permanent --new-policy allowForward
      firewall-cmd --permanent --policy allowForward --set-target ACCEPT
      firewall-cmd --permanent --policy allowForward --add-ingress-zone public
      firewall-cmd --permanent --policy allowForward --add-egress-zone trusted
      firewall-cmd --reload
  • Policies with a positive priority are now executed immediately before the "--set-target catch-all" rule, i.e. right before the final drop, reject or accept rules are added, including for zones that use "--set-target drop|reject|accept".
  • ICMP blocking now applies only to incoming packets addressed to the current host (input) and does not affect packets forwarded between zones (forward).
  • The tftp-client service, intended for connection tracking of the TFTP protocol but left in an unused state, has been removed.
  • The "direct" interface, which allowed ready-made packet-filter rules to be inserted directly, has been deprecated. The need for this interface disappeared once filtering of forwarded and outgoing packets was added.
  • Added the CleanupModulesOnExit parameter, whose default has been changed to "no". This parameter controls whether kernel modules are unloaded after firewalld stops.
  • ipset may now be used when specifying the destination.
  • Added service definitions for WireGuard, Kubernetes and netbios-ns.
  • Implemented auto-completion rules for zsh.
  • Python 2 support has been discontinued.
  • The dependency list has been reduced. Apart from the Linux kernel, firewalld now requires only the python dbus, gobject and nftables libraries, while the ebtables, ipset and iptables packages have become optional. The python decorator and slip libraries have been removed from the dependencies.
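As an added example (not part of the release notes or of the firewalld project), the following POSIX shell script audits the new intra-zone forwarding default described above: it reads the text that `firewall-cmd --list-all-zones` prints (the exact field layout is an assumption, illustrated with constructed sample output), reports every active zone that forwards between its own interfaces, and prints the `--remove-forward` command from the notes for each one.

```shell
#!/bin/sh
# Added example (not firewalld project code): audit which active zones have
# intra-zone forwarding enabled, and emit the remediation command from the notes.
# Constructed sample in the layout of `firewall-cmd --list-all-zones`
# on firewalld 1.0 (the field order is an assumption).
SAMPLE_ZONES='public (active)
  target: default
  interfaces: eth0 eth1
  forward: yes

internal (active)
  target: default
  interfaces: eth2
  forward: no

trusted
  target: ACCEPT
  interfaces:
  forward: yes
'
# Reads --list-all-zones text on stdin; prints "<zone> <target> <iface count>"
# for every active zone whose "forward:" field is "yes".
audit_forwarding_zones() {
  awk '
    /^[A-Za-z0-9_-]+( \(active\))?$/ {            # zone header line
      zone = $1; active = ($0 ~ /\(active\)/); target = ""; nifs = 0
    }
    /^  target: /     { target = $2 }
    /^  interfaces: / { nifs = NF - 1 }
    /^  forward: /    { if (active && $2 == "yes") print zone, target, nifs }
  '
}
# The command the release notes give for restoring pre-1.0 behaviour in a zone.
remove_forward_cmd() {
  printf 'firewall-cmd --permanent --zone %s --remove-forward\n' "$1"
}
main() {
  if command -v firewall-cmd >/dev/null 2>&1; then
    firewall-cmd --list-all-zones 2>/dev/null     # live host when available
  else
    printf '%s' "$SAMPLE_ZONES"                   # otherwise the sample
  fi | audit_forwarding_zones | while read -r zone target nifs; do
    printf '%s forwards between %s interface(s), target %s; to disable: %s\n' \
      "$zone" "$nifs" "$target" "$(remove_forward_cmd "$zone")"
  done
}
main
```

With the sample input only the public zone is reported, since trusted is not active and internal has forwarding off.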

source: budenet.ru
