Release of OPNsense 21.7, a distribution for building firewalls

OPNsense 21.7, a distribution for building firewalls, has been released. It is a fork of the pfSense project, created with the aim of building a fully open distribution whose functionality is on a par with commercial solutions for deploying firewalls and network gateways. Unlike pfSense, the project is positioned as not controlled by a single company, developed with the direct participation of the community, and having a fully transparent development process, while also allowing any of its work to be used in third-party products, including commercial ones. The source code of the distribution's components, as well as the tools used to build it, is distributed under the BSD license. Builds are prepared in the form of a LiveCD and a system image for writing to Flash drives (422 MB).

The base of the distribution is built on the code of HardenedBSD, which maintains a synchronized fork of FreeBSD that integrates additional protection mechanisms and techniques for countering the exploitation of vulnerabilities. Among the features of OPNsense are a fully open build toolkit, the ability to install in the form of packages on top of regular FreeBSD, load-balancing tools, a web interface for organizing user connections to the network (captive portal), mechanisms for tracking connection states (a stateful firewall based on pf), bandwidth limits, traffic filtering, VPNs based on IPsec, OpenVPN and PPTP, integration with LDAP and RADIUS, support for DDNS (Dynamic DNS), and a system of visual reports and graphs.

The distribution provides tools for creating fault-tolerant configurations based on the CARP protocol. In addition to the main firewall, these allow you to run a backup node that is automatically synchronized at the configuration level and takes over the load if the primary node fails. The administrator is offered a modern and simple interface for configuring the firewall, built using the Bootstrap web framework.

Among the changes:

  • The distribution is based on the work of HardenedBSD 12.1. A move to FreeBSD 13 is planned for the next release, 22.1.
  • A new installer is offered that provides built-in support for installing onto partitions with the ZFS file system and is suitable for use on virtual machines that use UEFI.
  • The interface for updating the firmware has been redesigned.
  • The log that shows traffic-filtering activity now displays the current rule identifiers, to avoid misinterpretation after the rule set has been changed.
  • Aliases, which allow a set of networks, hosts and ports to be associated with a given symbolic name in firewall rules, gain the ability to specify a bit mask (wildcard mask) in network masks.



Source: opennet.ru
