firewalld 1.0 released

The release of the dynamically managed firewall firewalld 1.0 has been announced. It is implemented as a wrapper over the nftables and iptables packet filters. Firewalld runs as a background daemon that lets you change packet filter rules dynamically over D-Bus without reloading the whole packet filter rule set or breaking established connections. The project is already used in many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and is distributed under the GPLv2 license.

The firewall is configured with the firewall-cmd utility, which, when creating rules, relies not on IP addresses, network interfaces and port numbers but on service names (for example, to open access to SSH you run "firewall-cmd --add-service=ssh", and to close SSH, "firewall-cmd --remove-service=ssh"). The firewall-config (GTK) graphical interface and the firewall-applet (Qt) applet can also be used to change the firewall configuration. Support for managing the firewall through the firewalld D-Bus API is available in projects such as NetworkManager, libvirt, podman, docker and fail2ban.

The major version bump reflects changes that break backward compatibility and alter how zones work. All filtering parameters defined in a zone now apply only to traffic addressed to the host on which firewalld is running; filtering of forwarded traffic requires configuring policies. The most notable changes:

  • The backend that allowed firewalld to run on top of iptables has been declared deprecated. iptables support will be kept for the foreseeable future, but this backend will no longer be developed.
  • The intra-zone forwarding mode is enabled by default for all new zones, allowing packets to move freely between network interfaces or traffic sources within the same zone (public, block, trusted, internal, etc.). To restore the old behaviour and prevent packets from being forwarded within a single zone, use the command "firewall-cmd --permanent --zone public --remove-forward".
  • Rules related to address translation (NAT) have been moved to the "inet" protocol family (previously they were added to the "ip" and "ip6" families, which required duplicating rules for IPv4 and IPv6). This change made it possible to get rid of duplicates when using ipset: instead of three copies of the ipset entries, a single one is now used.
  • The "default" action specified in the "--set-target" parameter is now equivalent to "reject", i.e. all packets not matched by the rules defined in a zone are blocked by default. The only exception is ICMP packets, which are still allowed through. To restore the old behaviour for forwarding from the public zone into the "trusted" zone, the following commands can be used:
      firewall-cmd --permanent --new-policy allowForward
      firewall-cmd --permanent --policy allowForward --set-target ACCEPT
      firewall-cmd --permanent --policy allowForward --add-ingress-zone public
      firewall-cmd --permanent --policy allowForward --add-egress-zone trusted
      firewall-cmd --reload
  • Policies with positive priority are now executed immediately before the "--set-target" catch-all rule, i.e. before the final drop, reject or accept rules are added, including for zones that use "--set-target drop|reject|accept".
  • ICMP blocking now applies only to incoming packets addressed to the current host (input) and does not affect packets forwarded between zones (forward).
  • The tftp-client service, intended for connection tracking of the TFTP protocol but left in an unusable state, has been removed.
  • The "direct" interface, which allowed ready-made packet filter rules to be inserted directly, has been deprecated. The need for this interface disappeared once the ability to filter forwarded and outgoing packets was added.
  • Added the CleanupModulesOnExit parameter, which now defaults to "no". This parameter controls whether kernel modules are unloaded after firewalld is stopped.
  • ipset can now be used when specifying the destination.
  • Added service definitions for WireGuard, Kubernetes and netbios-ns.
  • Implemented rule autocompletion for zsh.
  • Python 2 support has been discontinued.
  • The list of dependencies has been reduced. In addition to the Linux kernel, firewalld now requires only the python libraries dbus, gobject and nftables; the ebtables, ipset and iptables packages are optional. The python decorator and slip libraries have been removed from the dependencies.
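Because zone targets in 1.0 no longer cover forwarded traffic, the policy commands listed above are the kind of thing an administrator ends up scripting. The script below is an added example written for this article, not code from the firewalld project: it wraps those same firewall-cmd invocations in an idempotent function that skips "--new-policy" when the policy already exists (checked with "firewall-cmd --permanent --get-policies"). The FW variable, the function names and the "--apply" flag are this example's own conventions; FW can be overridden (for instance FW="echo firewall-cmd") to dry-run the commands on a machine without firewalld.

```shell
#!/bin/sh
# Added example: restore pre-1.0 forwarding from one zone into another
# with an explicit firewalld policy, without failing on a second run.
set -eu

# Command used to talk to firewalld; overridable for dry runs and tests
# (e.g. FW="echo firewall-cmd" prints what would be executed).
FW=${FW:-firewall-cmd}

# Return 0 if a permanent policy with the given name already exists.
# --get-policies prints names separated by spaces, one per word.
policy_exists() {
    $FW --permanent --get-policies 2>/dev/null | tr ' ' '\n' | grep -qx "$1"
}

# Create (if needed) and configure a policy that accepts traffic
# forwarded from the ingress zone into the egress zone, then reload.
#   $1 = policy name, $2 = ingress zone, $3 = egress zone
allow_forward_policy() {
    name=$1
    ingress=$2
    egress=$3
    if ! policy_exists "$name"; then
        $FW --permanent --new-policy "$name"
    fi
    # These three settings are safe to repeat on an existing policy.
    $FW --permanent --policy "$name" --set-target ACCEPT
    $FW --permanent --policy "$name" --add-ingress-zone "$ingress"
    $FW --permanent --policy "$name" --add-egress-zone "$egress"
    # Activate the permanent configuration in the running daemon.
    $FW --reload
}

# Only touch the system when explicitly asked, so sourcing the file
# for its functions has no side effects.
if [ "${1:-}" = "--apply" ]; then
    allow_forward_policy allowForward public trusted
fi
```

Run it as "sh allow-forward.sh --apply" on the firewalld host, or with FW="echo firewall-cmd" first to review the exact commands. The check via --get-policies is what keeps the script safe to run repeatedly: firewall-cmd refuses to create a policy that already exists, and without the check the second run would abort under "set -e" before reaching --reload.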

Source: opennet.ru
