Firewalld 1.0 released

Version 1.0 of firewalld, a dynamically managed firewall implemented as a wrapper over the nftables and iptables packet filters, has been released. Firewalld runs as a background daemon that lets packet filter rules be changed through D-Bus without reloading the whole rule set or breaking established connections. The project is already used in many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. Firewalld is written in Python and licensed under the GPLv2.

The firewall is managed with the firewall-cmd utility, which, when composing rules, works with named services rather than raw IP addresses, network interfaces and port numbers (for example, to open SSH access you run "firewall-cmd --add-service=ssh", and to close it "firewall-cmd --remove-service=ssh"; without --permanent such changes affect only the runtime configuration and do not survive a reload). The firewall-config graphical tool (GTK) and the firewall-applet tray applet (Qt) can also be used to change the firewall configuration. Support for managing the firewall through the firewalld D-Bus API is available in projects such as NetworkManager, libvirt, podman, docker and fail2ban.

The major version bump reflects changes that break backward compatibility and alter how zones behave. Filters defined in a zone now apply only to traffic addressed to the host on which firewalld runs; filtering traffic forwarded between zones requires configuring policies. The most notable changes:

  • The iptables backend is declared deprecated. Support for iptables will be kept for the foreseeable future, but this backend will no longer be developed.
  • Intra-zone forwarding is now enabled by default for all new zones, allowing packets to be forwarded between network interfaces or traffic sources that belong to the same zone (public, block, trusted, internal, etc.). To restore the old behaviour and stop forwarding packets within a zone, use a command such as "firewall-cmd --permanent --zone public --remove-forward".
  • Rules related to network address translation (NAT) have been moved to the "inet" protocol family (previously they were added to the "ip" and "ip6" families, which required duplicating rules for IPv4 and IPv6). The change also removed duplication when using ipset: instead of three copies of an ipset, a single one is now used.
  • The "default" behaviour of the --set-target parameter is now similar to "reject", i.e. all packets that do not match any rule defined in the zone are now blocked by default. The only exception is ICMP packets, which are still accepted. To restore the old behaviour, in which traffic from the public zone could be forwarded into the "trusted" zone, use the following commands:
      firewall-cmd --permanent --new-policy allowForward
      firewall-cmd --permanent --policy allowForward --set-target ACCEPT
      firewall-cmd --permanent --policy allowForward --add-ingress-zone public
      firewall-cmd --permanent --policy allowForward --add-egress-zone trusted
      firewall-cmd --reload
  • Policies with an explicit target set via --set-target are now applied before the "catch-all" rules, i.e. immediately before the final drop, reject or accept rule is added, including for zones that use "--set-target drop|reject|accept".
  • ICMP blocks now affect only incoming packets addressed to the current host (input) and no longer affect packets forwarded between zones (forward).
  • The tftp-client service, intended for tracking TFTP connections, has been removed; it was in an unusable state.
  • The "direct" interface, which allowed ready-made packet filter rules to be inserted directly, is deprecated. The need for it disappeared once the ability to filter forwarded and outgoing traffic was added (policies).
  • Added the CleanupModulesOnExit parameter, whose default has been changed to "no". It controls whether kernel modules are unloaded when firewalld stops.
  • ipset can now be used when specifying the destination of a rule.
  • Added service definitions for WireGuard, Kubernetes and netbios-ns.
  • Added shell completion rules for zsh.
  • Python 2 support has been dropped.
  • The dependency list has been reduced. Besides the Linux kernel, firewalld now requires only the Python dbus, gobject and nftables libraries; the ebtables, ipset and iptables packages are treated as optional. The Python decorator and slip libraries have been removed from the dependencies.
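The two zone-level changes above (intra-zone forwarding on by default, and "default" now behaving like "reject") are the ones most likely to surprise an administrator upgrading an existing configuration. As an added example (not firewalld's own tooling, and not from the original article), the POSIX shell script below parses the text printed by "firewall-cmd --list-all-zones" (one block per zone, followed by indented "key: value" lines such as "target:" and "forward:") and prints the firewall-cmd commands that would preserve the pre-1.0 behaviour: a --remove-forward for every zone that now forwards, a note for every zone whose target is "default", and an explicit allowForward policy for every ACCEPT-target zone. The sample zone listing is constructed, not captured from a real host; the function names, the policy name allowForward_<zone> and the choice of "public" as the ingress zone are assumptions of this example.

```sh
#!/bin/sh
# Added example, not part of firewalld: audit a zone listing for the behaviour
# changes introduced in firewalld 1.0. The functions only parse text, so the
# script runs without firewalld installed; pass --live to read the running daemon.

# Constructed sample of `firewall-cmd --list-all-zones` output (not from a real host).
SAMPLE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: dhcpv6-client ssh
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

trusted
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: 
  ports: 
  protocols: 
  forward: yes
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

internal
  target: default
  icmp-block-inversion: no
  interfaces: eth1
  sources: 
  services: ssh
  ports: 
  protocols: 
  forward: no
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
'

# Zone whose traffic should again be allowed into ACCEPT-target zones
# (assumption: the public zone, as in the policy example above).
INGRESS_ZONE="${INGRESS_ZONE:-public}"

# Reduce the zone listing on stdin to one "zone target forward" line per zone.
zone_summary() {
    awk '
        /^[^ \t]/ {                            # unindented line starts a zone block
            if (zone != "") print zone, target, fwd
            zone = $1; target = ""; fwd = ""   # $1 drops a trailing " (active)"
        }
        /^[ \t]+target:/  { target = $2 }
        /^[ \t]+forward:/ { fwd = $2 }
        END { if (zone != "") print zone, target, fwd }
    '
}

# Number of zones found in the listing on stdin.
zone_count() {
    zone_summary | awk 'END { print NR }'
}

# Print the firewall-cmd commands (and review notes) needed to keep pre-1.0 behaviour.
migration_commands() {
    zone_summary | while read -r zone target fwd; do
        # 1.0 enables intra-zone forwarding; switch it off where the old behaviour is wanted.
        if [ "$fwd" = "yes" ]; then
            printf 'firewall-cmd --permanent --zone %s --remove-forward\n' "$zone"
        fi
        # 1.0 makes target "default" reject every unmatched packet except ICMP.
        if [ "$target" = "default" ]; then
            printf '# %s: target "default" now rejects unmatched traffic (ICMP excepted); review its services\n' "$zone"
        fi
        # Forwarding from a default-target zone into an ACCEPT zone is no longer implicit;
        # recreate it with an explicit policy (the name allowForward_<zone> is our choice).
        if [ "$target" = "ACCEPT" ] && [ "$zone" != "$INGRESS_ZONE" ]; then
            pol="allowForward_$zone"
            printf 'firewall-cmd --permanent --new-policy %s\n' "$pol"
            printf 'firewall-cmd --permanent --policy %s --set-target ACCEPT\n' "$pol"
            printf 'firewall-cmd --permanent --policy %s --add-ingress-zone %s\n' "$pol" "$INGRESS_ZONE"
            printf 'firewall-cmd --permanent --policy %s --add-egress-zone %s\n' "$pol" "$zone"
        fi
    done
    echo 'firewall-cmd --reload'
}

# With --live, audit the running firewalld; otherwise audit the constructed sample.
if [ "${1:-}" = "--live" ]; then
    firewall-cmd --list-all-zones | migration_commands
else
    printf '%s' "$SAMPLE" | migration_commands
fi
```

The script only prints commands; review them before running, since removing forwarding or adding an ACCEPT policy is exactly the kind of change that decides which traffic may cross the host. Run it with --live on a host that still runs a pre-1.0 firewalld to capture the commands before upgrading.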

source: opennet.ru
