Firewalld 1.0 released

The release of the dynamically managed firewall firewalld 1.0 is available; it is implemented as a wrapper over the nftables and iptables packet filters. Firewalld runs as a background process that allows packet-filter rules to be changed over D-Bus without reloading the packet-filter rule set and without breaking established connections. The project is already used in many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and is licensed under the GPLv2.

The firewall-cmd utility is used to manage the firewall. When creating rules it operates not on IP addresses, network interfaces and port numbers but on service names (for example, to open SSH access you run "firewall-cmd --add-service=ssh", and to close SSH, "firewall-cmd --remove-service=ssh"). The firewall-config (GTK) graphical interface and the firewall-applet (Qt) applet can also be used to change the firewall configuration. Support for managing the firewall through the firewalld D-Bus API is available in projects such as NetworkManager, libvirt, podman, docker and fail2ban.

The change of the major version number is tied to changes that break backward compatibility and alter how zones behave. All filtering parameters defined in a zone now apply only to traffic addressed to the host running firewalld; filtering transit traffic requires policies to be configured. The most notable changes:

  • The backend that allowed firewalld to run on top of iptables has been declared deprecated. Support for iptables will be kept for the foreseeable future, but this backend will no longer be developed.
  • Intra-zone forwarding is enabled by default for all new zones, allowing packets to move freely between the network interfaces or traffic sources that belong to one zone (public, block, trusted, internal, etc.). To restore the old behaviour and prevent packets from being forwarded within a single zone, use the command "firewall-cmd --permanent --zone public --remove-forward".
  • Rules related to address translation (NAT) have been moved to the "inet" protocol family (previously they were added to the "ip" and "ip6" families, which required duplicating rules for IPv4 and IPv6). The change made it possible to get rid of duplicates when using ipset: instead of three copies of the ipset entries, a single copy is now used.
  • The "default" action specified in the "--set-target" parameter is now equivalent to "reject", i.e. all packets that do not match the rules defined in the zone are blocked by default. The only exception is ICMP packets, which are still allowed through. To restore the old behaviour for the publicly accessible "trusted" zone, the following rules can be used:
    firewall-cmd --permanent --new-policy allowForward
    firewall-cmd --permanent --policy allowForward --set-target ACCEPT
    firewall-cmd --permanent --policy allowForward --add-ingress-zone public
    firewall-cmd --permanent --policy allowForward --add-egress-zone trusted
    firewall-cmd --reload
  • Priority policies are now executed immediately before the "--set-target" catch-all rule, i.e. at the point just before the final drop, reject or accept rules are added, including in zones that use "--set-target drop|reject|accept".
  • ICMP blocking now applies only to incoming packets addressed to the current host (input) and does not affect packets forwarded between zones (forward).
  • The tftp-client service, intended for tracking TFTP protocol connections but never actually used, has been removed.
  • The "direct" interface, which allowed raw packet-filter rules to be inserted directly, has been deprecated. The need for this interface disappeared once filtering of forwarded and outgoing packets was added.
  • Added the CleanupModulesOnExit parameter, which is set to "no" by default. This parameter controls whether kernel modules are unloaded after firewalld shuts down.
  • ipset may now be used to identify the destination system.
  • Added service definitions for WireGuard, Kubernetes and netbios-ns.
  • Implemented command completion for zsh.
  • Python 2 support has been dropped.
  • The dependency list has been shortened. Besides the Linux kernel, firewalld now requires only the python libraries dbus, gobject and nftables; the ebtables, ipset and iptables packages are optional. The python libraries decorator and slip have been removed from the dependencies.
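As an added example, not part of the article or of the firewalld project, the shell helpers below wrap the two zone-related workarounds from the list above (turning off intra-zone forwarding, and re-allowing forwarding from one zone into another with an ACCEPT policy) so that they are idempotent. The function names and the DRY_RUN switch are this example's own; the firewall-cmd options are the ones the release notes use.

```shell
#!/bin/sh
# Added example, not part of the firewalld project. Setting DRY_RUN=1 prints
# the commands instead of executing them, so the steps can be reviewed (or
# tested) on a machine without firewalld installed.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# disable_intra_zone_forward ZONE
# Restores the pre-1.0 behaviour of not forwarding packets between the
# interfaces/sources that belong to the same zone.
disable_intra_zone_forward() {
    zone=$1
    # --query-forward exits 0 when forwarding is currently enabled for the zone.
    if [ -z "${DRY_RUN:-}" ] && ! firewall-cmd --permanent --zone "$zone" --query-forward >/dev/null 2>&1; then
        echo "intra-zone forwarding already disabled in zone $zone" >&2
        return 0
    fi
    run firewall-cmd --permanent --zone "$zone" --remove-forward
    run firewall-cmd --reload
}

# restore_forward INGRESS_ZONE EGRESS_ZONE [POLICY]
# Because zone targets now reject transit traffic by default, forwarding from
# INGRESS_ZONE to EGRESS_ZONE needs an explicit policy with target ACCEPT.
# The policy name defaults to allowForward, the name used in the release notes.
restore_forward() {
    ingress=$1
    egress=$2
    policy=${3:-allowForward}
    # Do not recreate a policy that already exists (--new-policy would fail).
    if [ -z "${DRY_RUN:-}" ] && firewall-cmd --permanent --get-policies | tr ' ' '\n' | grep -qx "$policy"; then
        echo "policy $policy already exists, not recreating it" >&2
        return 0
    fi
    run firewall-cmd --permanent --new-policy "$policy"
    run firewall-cmd --permanent --policy "$policy" --set-target ACCEPT
    run firewall-cmd --permanent --policy "$policy" --add-ingress-zone "$ingress"
    run firewall-cmd --permanent --policy "$policy" --add-egress-zone "$egress"
    run firewall-cmd --reload
}
```

Run as root with `DRY_RUN=1 sh -c '. ./helpers.sh; restore_forward public trusted'` first to inspect the exact commands, then without DRY_RUN to apply them.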

Source: opennet.ru
