firewalld 1.0 released

The release of firewalld 1.0, a dynamically managed firewall, has been published. It is implemented as a wrapper over the nftables and iptables packet filters. firewalld runs as a background process (daemon) that lets you change packet-filter rules on the fly over D-Bus, without reloading the packet-filter rules and without breaking established connections. The project is already used in many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and is licensed under the GPLv2.

The firewall is managed with the firewall-cmd utility, whose rules are built not around IP addresses, network interfaces and port numbers but around service names (for example, to open SSH access you run "firewall-cmd --add-service=ssh", and to close SSH again, "firewall-cmd --remove-service=ssh"). Note that without "--permanent" such a change affects only the runtime configuration and is lost on the next reload; add "--permanent" and then run "firewall-cmd --reload", or use "firewall-cmd --runtime-to-permanent", to keep it. Firewall configuration can also be changed with the firewall-config graphical interface (GTK) and the firewall-applet tray applet (Qt). Managing the firewall through the D-Bus API is supported in projects such as NetworkManager, libvirt, podman, docker and fail2ban.

The jump in the major version number reflects changes that break backward compatibility and alter how zones behave. All filtering parameters defined in a zone now apply only to traffic addressed to the host on which firewalld runs; filtering of transit (forwarded) traffic requires configuring policies. The most notable changes:

  • The backend that allowed running on top of iptables has been declared deprecated. iptables support will be kept for the foreseeable future, but the backend will not be developed further.
  • Intra-zone forwarding is now enabled by default for all new zones, allowing packets to move freely between the network interfaces or traffic sources of a single zone (public, block, trusted, internal, etc.). To restore the old behaviour and prevent packets from being forwarded within a zone, use the command "firewall-cmd --permanent --zone public --remove-forward" followed by "firewall-cmd --reload".
  • Rules related to address translation (NAT) have been moved to the "inet" protocol family (previously they were added to the "ip" and "ip6" families, which required duplicating the rules for IPv4 and IPv6). The change made it possible to get rid of duplicates when using ipset: instead of three copies of the ipset entries, a single one is now used.
  • The "default" action given to "--set-target" is now equivalent to "reject", i.e. all packets that do not match a rule defined in the zone are now rejected, which in 1.0 also covers forwarded packets. The only exception is made for ICMP packets, which are still allowed. To restore the old behaviour in which traffic forwarded from the "public" zone to the "trusted" zone was accepted, the following rules can be used:
      firewall-cmd --permanent --new-policy allowForward
      firewall-cmd --permanent --policy allowForward --set-target ACCEPT
      firewall-cmd --permanent --policy allowForward --add-ingress-zone public
      firewall-cmd --permanent --policy allowForward --add-egress-zone trusted
      firewall-cmd --reload
  • Policies with a positive priority are now executed immediately before the "--set-target catch-all" rule, i.e. right before the final drop, reject or accept rules are added, including for zones that use "--set-target drop|reject|accept".
  • ICMP blocking now applies only to incoming packets destined for the host itself (input) and does not affect packets forwarded between zones (forward).
  • The tftp-client service, intended for tracking TFTP protocol connections but in an unusable state, has been removed.
  • The "direct" interface, which allowed ready-made packet-filter rules to be inserted directly, has been deprecated. The need for this interface disappeared once the ability to filter forwarded and outgoing packets was added.
  • Added the CleanupModulesOnExit parameter, set to "no" by default. It controls whether kernel modules are unloaded after firewalld shuts down.
  • ipset can now be used when specifying the destination.
  • Added service definitions for WireGuard, Kubernetes and netbios-ns.
  • Added zsh autocompletion rules.
  • Python 2 support has been dropped.
  • The dependency list has been trimmed. Besides the Linux kernel, firewalld now requires only the python dbus, gobject and nftables libraries; the ebtables, ipset and iptables packages have been made optional. The python decorator and slip libraries have been removed from the dependencies.
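
The policy-based restoration of the old forwarding behaviour and the intra-zone forwarding switch, assembled into one script as an added example (not code from the firewalld project or from the original article). The policy name "allowForward" and the "public"/"trusted" zones come from the text above; the plan/apply switch, the DRY_RUN variable and the optional priority argument are this script's own assumptions. A policy is used rather than "--set-target ACCEPT" on the zone because the zone target would also accept everything addressed to the host itself, whereas the policy accepts only what is forwarded from the ingress zone to the egress zone.

```shell
#!/bin/sh
# Added example for this article, not code from the firewalld project.
# Restores the pre-1.0 forwarding behaviour with a policy object and,
# separately, turns intra-zone forwarding back off for a zone.
# The policy name and zones are taken from the article; the plan/apply
# switch and the DRY_RUN variable are this script's own additions.

# Wrapper around firewall-cmd. With DRY_RUN=1 it prints the command it
# would run (one per line) instead of executing it, so the plan can be
# reviewed on a machine without firewalld.
fw() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf 'firewall-cmd %s\n' "$*"
    else
        firewall-cmd "$@"
    fi
}

# allow_forward POLICY INGRESS_ZONE EGRESS_ZONE [PRIORITY]
# Creates a permanent policy whose target is ACCEPT for traffic entering
# from INGRESS_ZONE and leaving via EGRESS_ZONE. Without PRIORITY the
# policy keeps firewalld's default (positive) priority, which in 1.0 places
# it right before the zone's catch-all target rule; a negative PRIORITY
# instead runs it before the zone rules.
allow_forward() {
    policy=$1; ingress=$2; egress=$3; priority=${4:-}
    fw --permanent --new-policy "$policy" || return 1
    fw --permanent --policy "$policy" --set-target ACCEPT || return 1
    fw --permanent --policy "$policy" --add-ingress-zone "$ingress" || return 1
    fw --permanent --policy "$policy" --add-egress-zone "$egress" || return 1
    if [ -n "$priority" ]; then
        fw --permanent --policy "$policy" --set-priority "$priority" || return 1
    fi
}

# disable_intra_zone_forward ZONE
# Reverts the 1.0 default that lets packets flow between the interfaces
# and sources of the same zone.
disable_intra_zone_forward() {
    fw --permanent --zone "$1" --remove-forward
}

# Commits the permanent configuration to the running firewall.
apply() {
    fw --reload
}

main() {
    allow_forward allowForward public trusted || return 1
    disable_intra_zone_forward public || return 1
    apply
}

# Usage: sh restore_forward.sh plan   (print the commands; nothing changes)
#        sh restore_forward.sh apply  (run them as root on a firewalld 1.0 host)
case "${1:-}" in
    plan)  DRY_RUN=1; export DRY_RUN; main ;;
    apply) main ;;
esac
```

Run it with "plan" first and read the printed commands; "apply" must run as root. "--new-policy" fails if the policy already exists, so a second "apply" stops at the first step; delete the policy with "firewall-cmd --permanent --delete-policy allowForward" before re-running, and check the result afterwards with "firewall-cmd --info-policy allowForward" and "firewall-cmd --zone public --query-forward".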

Source: opennet.ru