firewalld 1.0 release

The release of firewalld 1.0, a dynamically managed firewall implemented as a wrapper over the nftables and iptables packet filters, has been published. Firewalld runs as a background process that lets you change packet filter rules dynamically over D-Bus without reloading the whole rule set or breaking established connections. The project is already used in many Linux distributions, including RHEL 7+, Fedora 18+ and SUSE/openSUSE 15+. The firewalld code is written in Python and is licensed under GPLv2.

The firewall is managed with the firewall-cmd utility, which builds rules not from IP addresses, network interfaces and port numbers but from service names (for example, to open access to SSH you run "firewall-cmd --add-service=ssh", and to close SSH, "firewall-cmd --remove-service=ssh"). The firewall configuration can also be changed with the firewall-config graphical interface (GTK) and the firewall-applet applet (Qt). Support for managing the firewall through the firewalld D-Bus API is available in projects such as NetworkManager, libvirt, podman, docker and fail2ban.

The major version bump reflects changes that break backward compatibility and alter how zones behave. All filtering settings defined in a zone now apply only to traffic addressed to the host on which firewalld runs; filtering transit (forwarded) traffic requires defining policies. The most notable changes:

  • The backend that allowed firewalld to run on top of iptables has been declared deprecated. iptables support will be kept for the foreseeable future, but this backend will not be developed further.
  • The intra-zone-forward mode is enabled by default, permanently, for all new zones, allowing packets to move freely between network interfaces or traffic sources within the same zone (public, block, trusted, internal, etc.). To restore the old behaviour and prevent packets from being forwarded within a zone, use the command "firewall-cmd --permanent --zone public --remove-forward".
  • Rules related to address translation (NAT) have been moved to the "inet" protocol family (previously they were added to the "ip" and "ip6" families, which required duplicate rules for IPv4 and IPv6). The change made it possible to get rid of duplicates when using ipset: instead of three copies of an ipset entry, one is now used.
  • The "default" action given in the "--set-target" parameter is now equivalent to "reject", i.e. all packets that do not match the rules defined in the zone are blocked by default. The only exception is ICMP packets, which are still allowed through. To restore the old behaviour for the publicly reachable "trusted" zone, the following rules can be used:
        firewall-cmd --permanent --new-policy allowForward
        firewall-cmd --permanent --policy allowForward --set-target ACCEPT
        firewall-cmd --permanent --policy allowForward --add-ingress-zone public
        firewall-cmd --permanent --policy allowForward --add-egress-zone trusted
        firewall-cmd --reload
  • Policies with a positive priority are now applied immediately before the "--set-target" catch-all rule, i.e. before the final drop, reject or accept rules are added, including for zones that use "--set-target drop|reject|accept".
  • ICMP blocking now applies only to incoming packets addressed to the current host (input) and does not affect packets forwarded between zones (forward).
  • The tftp-client service, intended for tracking TFTP protocol connections but present in an unusable form, has been removed.
  • The "direct" interface, which allowed prepared packet filter rules to be inserted directly, has been deprecated. The need for this interface disappeared after the ability to filter forwarded and outgoing packets was added.
  • Added the CleanupModulesOnExit parameter, whose default has been changed to "no". This parameter controls whether kernel modules are unloaded after firewalld shuts down.
  • ipset can now be used when selecting the destination system (destination).
  • Added definitions for the WireGuard, Kubernetes and netbios-ns services.
  • Implemented zsh completion rules.
  • Dropped support for Python 2.
  • The list of dependencies has been reduced. Apart from the Linux kernel, firewalld requires only the dbus, gobject and nftables Python libraries; the ebtables, ipset and iptables packages are optional. The decorator and slip Python libraries have been removed from the dependencies.
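The zone and policy changes above (zone settings covering only host-bound traffic, intra-zone forwarding via the zone's forward flag, and transit between zones requiring a policy such as allowForward) can be checked against the XML files firewalld writes. The following is an added audit example, not firewalld's own code; it assumes a simplified model of the 1.0 semantics described above (rich rules and policy priorities are ignored) and uses constructed zone and policy XML modelled on /etc/firewalld/zones/*.xml and /etc/firewalld/policies/*.xml.

```python
"""Audit which mechanism, if any, lets firewalld 1.0 forward traffic
between two zones. Simplified model (assumption): zone rules only apply
to host-bound traffic, rich rules and policy priorities are ignored."""
import xml.etree.ElementTree as ET

# Constructed sample configs mimicking the files firewalld 1.0 writes.
# "public" has the 1.0 default <forward/> element; "trusted" does not.
ZONES = {
    "public": '<zone><short>Public</short><service name="ssh"/><forward/></zone>',
    "trusted": '<zone target="ACCEPT"><short>Trusted</short></zone>',
}
# Equivalent of the allowForward policy created by the firewall-cmd
# commands in the release notes (ingress public -> egress trusted).
POLICIES = {
    "allowForward": (
        '<policy target="ACCEPT">'
        '<ingress-zone name="public"/><egress-zone name="trusted"/>'
        '</policy>'
    ),
}


def zone_forwards_intra(zone_xml: str) -> bool:
    """True when the zone carries <forward/>, i.e. packets may move between
    interfaces or sources of the same zone (1.0 default for new zones)."""
    return ET.fromstring(zone_xml).find("forward") is not None


def policy_allows(policy_xml: str, ingress: str, egress: str) -> bool:
    """True when the policy accepts transit from ingress zone to egress zone.
    A policy's target defaults to CONTINUE, which does not accept on its own."""
    root = ET.fromstring(policy_xml)
    if root.get("target", "CONTINUE") != "ACCEPT":
        return False
    ing = {e.get("name") for e in root.findall("ingress-zone")}
    egr = {e.get("name") for e in root.findall("egress-zone")}
    return (ingress in ing or "ANY" in ing) and (egress in egr or "ANY" in egr)


def forwarding_allowed(ingress: str, egress: str,
                       zones=ZONES, policies=POLICIES) -> str:
    """Name the mechanism that passes transit traffic, or report it blocked."""
    if ingress == egress and zone_forwards_intra(zones[ingress]):
        return "intra-zone forward"
    for name, xml in policies.items():
        if policy_allows(xml, ingress, egress):
            return "policy " + name
    return "blocked (1.0: zone target no longer covers forwarded traffic)"


if __name__ == "__main__":
    for pair in (("public", "public"), ("public", "trusted"), ("trusted", "public")):
        print(pair, "->", forwarding_allowed(*pair))
```

Pointing the two dictionaries at the contents of a real zones/ and policies/ directory turns this into a quick post-upgrade check of which transit paths survived the 1.0 semantic change.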

Source: opennet.ru
