How to Set Up the UFW Firewall on Ubuntu and Debian


A correctly configured firewall is one of the most important parts of securing a Linux system. Ubuntu and Debian provide a firewall configuration tool called UFW (Uncomplicated Firewall), a popular and easy-to-use command-line front end to the kernel packet filter (iptables/nftables) for configuring and managing the firewall on Ubuntu and Debian.

In this article, we explain how to install and configure the UFW firewall on Ubuntu and Debian.

Before you start, make sure you are logged in to your Ubuntu or Debian server as a user with sudo privileges or as root. If you do not have a sudo user, you can create one with the following commands as root.

# adduser username
# usermod -aG sudo username 
# su - username
$ sudo whoami

Installing the UFW Firewall on Ubuntu and Debian

UFW (Uncomplicated Firewall) is installed by default on Ubuntu; on Debian it is in the standard repositories but is usually not installed. If it is missing, install it with the APT package manager using the following command.

$ sudo apt install ufw

Once the installation is complete, you can check the UFW status by typing:

$ sudo ufw status verbose

On a fresh installation the UFW firewall is disabled by default, so the output will look like this:

Status: inactive

You can enable the UFW firewall with the following command, which loads the firewall rules and also makes it start at boot. Note that before you enable it over a remote SSH session you must first allow SSH (see below), otherwise the default deny policy will cut your session off.

$ sudo ufw enable

To disable the UFW firewall, use the following command, which unloads the firewall and prevents it from starting at boot.

$ sudo ufw disable 

By default, the UFW firewall denies all incoming connections and allows all outgoing connections from the server. This means nobody can reach services on your server unless you explicitly open a port, while all services or applications running on your server can still reach the outside network.

The default UFW policies are stored in the file /etc/default/ufw and can be changed with the following commands (these two are the built-in defaults, shown here so you can set them explicitly).

$ sudo ufw default deny incoming
$ sudo ufw default allow outgoing

When you install a software package with APT, the package may ship an application profile in the /etc/ufw/applications.d directory. A profile names the service and lists the ports and protocols it uses, so you can open them with a single ufw command instead of remembering port numbers.

You can list all application profiles available on your server with the following command.

$ sudo ufw app list

Depending on the software packages installed on your system, the output will look similar to this:

Available applications:
  Apache
  Apache Full
  Apache Secure
  CUPS
  OpenSSH
  Postfix
  Postfix SMTPS
  Postfix Submission

If you want more information about a specific profile and the rules it defines, use the following command.

$ sudo ufw app info 'Apache'
Profile: Apache
Title: Web Server 
Description: Apache V2 is the next generation of the omnipresent Apache web server.

Ports:
  80/tcp

If your server is configured with IPv6, make sure UFW is set up to handle both IPv6 and IPv4; otherwise the rules you add only apply to IPv4 and IPv6 traffic is filtered by neither the deny policy nor your allow rules. To check, open the UFW configuration file with your favourite editor.

$ sudo vi /etc/default/ufw

Then make sure that IPV6 is set to yes in the configuration file, as shown.

IPV6=yes

Save and exit. Then restart your firewall with the following commands so the change to /etc/default/ufw takes effect:

$ sudo ufw disable
$ sudo ufw enable

If you enable the UFW firewall now, its default policy blocks all incoming connections, and if you are connected to your server over SSH from a remote location you will lose access and will not be able to connect again.

To prevent that from happening, allow SSH connections to the server before enabling the firewall, using the following command:

$ sudo ufw allow ssh

If you are using a custom SSH port (for example port 2222), you need to open that port in the UFW firewall instead, using the following command.

$ sudo ufw allow 2222/tcp

To block all SSH connections, type the following command (use the second form if you run SSH on a custom port).

$ sudo ufw deny ssh/tcp
$ sudo ufw deny 2222/tcp  [If using custom SSH port]
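The IPv6 check above and the "allow SSH before enable" rule are easy to get wrong when done by hand, so the following script, an added example rather than code from the original article, does them in the safe order: it reads the port from sshd_config, fixes IPV6=yes in /etc/default/ufw, sets the default policies, rate-limits the SSH port with ufw limit (which denies a source that opens 6 or more connections in 30 seconds) and only then enables the firewall. The file paths default to the standard locations but are taken as parameters so they can be pointed at scratch copies; the UFW_CMD variable is an assumption added here so you can preview the commands with UFW_CMD=echo.

```shell
#!/bin/sh
# Added example (not from the original article): bring UFW up without locking
# yourself out. Order matters: set defaults, allow SSH, THEN enable.
# UFW_CMD is an assumed override hook: set UFW_CMD=echo to preview the commands.
set -e

UFW_CMD="${UFW_CMD:-sudo ufw}"

# Print the port sshd listens on, read from an sshd_config file (default path
# assumed to be /etc/ssh/sshd_config). Commented lines start with '#', so their
# first field is never the bare keyword "port". Falls back to 22 when unset.
# Caveat: does not evaluate Match blocks or Include directives.
ssh_port_from_config() {
    awk 'tolower($1) == "port" { port = $2 } END { print (port ? port : 22) }' \
        "${1:-/etc/ssh/sshd_config}"
}

# Ensure IPV6=yes in the UFW defaults file given as $1 (normally /etc/default/ufw).
# Rewrites the existing line or appends one, then verifies the result.
ensure_ipv6() {
    f="$1"
    if grep -q '^IPV6=' "$f"; then
        sed 's/^IPV6=.*/IPV6=yes/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    else
        printf 'IPV6=yes\n' >> "$f"
    fi
    grep -q '^IPV6=yes$' "$f"
}

# The safe sequence. "limit" instead of "allow" on the SSH port also rate-limits
# brute-force attempts. "--force" skips the interactive "may disrupt existing
# ssh connections" prompt, which is safe because the SSH rule already exists.
ufw_bootstrap() {
    port="$1"
    $UFW_CMD default deny incoming
    $UFW_CMD default allow outgoing
    $UFW_CMD limit "${port}/tcp"
    $UFW_CMD --force enable
    $UFW_CMD status verbose
}

# Only act when explicitly asked ("sh bootstrap.sh apply"), so loading this
# file just defines the functions.
case "${1:-}" in
    apply)
        ensure_ipv6 /etc/default/ufw
        ufw_bootstrap "$(ssh_port_from_config /etc/ssh/sshd_config)"
        ;;
esac
```

Run it once as "UFW_CMD=echo sh bootstrap.sh apply" to see exactly which ufw commands it would issue, then without the override to apply them.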

You can also open a specific port in the firewall to allow connections through it to a particular service. For example, suppose you want to set up a web server, which by default listens on ports 80 (HTTP) and 443 (HTTPS).

Below are a few equivalent ways of allowing incoming connections to the Apache service: by service name (resolved through /etc/services), by port number, or by application profile.

$ sudo ufw allow http     [By service name]
$ sudo ufw allow 80/tcp   [By port number]
$ sudo ufw allow 'Apache' [By application profile]
$ sudo ufw allow https
$ sudo ufw allow 443/tcp
$ sudo ufw allow 'Apache Secure'

Assuming you have an application that you want to run on a port range (5000-5003), you can open all of those ports with a single rule per protocol using the following commands.

$ sudo ufw allow 5000:5003/tcp
$ sudo ufw allow 5000:5003/udp
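Rather than typing port-range rules by hand, you can give your own service an application profile of the kind listed by ufw app list above. The script below is an added example, not code from the original article: it writes a profile in the format UFW reads from /etc/ufw/applications.d and shows how to register and use it. The service name MyService, its description and the 5000-5003 range are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): ship your own UFW application
# profile for a service on a port range. The profile format (an INI-style
# section with title, description and ports keys, several port specs joined
# with '|') is the one UFW reads from /etc/ufw/applications.d. The name
# "MyService" and ports 5000-5003 are assumptions for illustration.
set -e

# write_app_profile DIR NAME TITLE DESCRIPTION PORTS
# Writes DIR/NAME. The ports spec is checked against the characters UFW's own
# syntax uses (digits, ':', '/', ',', '|' and the protocol names) so a stray
# shell metacharacter cannot end up in a file that root will later read.
write_app_profile() {
    dir="$1"; name="$2"; title="$3"; desc="$4"; ports="$5"
    case "$ports" in
        *[!0-9:/,a-z"|"]*) echo "bad ports spec: $ports" >&2; return 1 ;;
    esac
    printf '[%s]\ntitle=%s\ndescription=%s\nports=%s\n' \
        "$name" "$title" "$desc" "$ports" > "$dir/$name"
}

# Read the ports line back from a profile file (what "ufw allow NAME" will open).
profile_ports() {
    sed -n 's/^ports=//p' "$1"
}

# "sh profile.sh install" writes the profile as root and opens the ports.
case "${1:-}" in
    install)
        tmp=$(mktemp -d)
        write_app_profile "$tmp" MyService "My Service" \
            "Internal API listening on 5000-5003" "5000:5003/tcp|5000:5003/udp"
        sudo install -m 644 "$tmp/MyService" /etc/ufw/applications.d/MyService
        rm -rf "$tmp"
        sudo ufw app update MyService   # make ufw re-read the profile
        sudo ufw app info MyService     # shows the ports it will open
        sudo ufw allow MyService        # same effect as the two range rules above
        ;;
esac
```

The advantage over raw port rules shows up later: ufw status lists the rule under the profile name, and changing the port range in one file updates every rule that references it after ufw app update.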

If you want to allow connections on all ports from a specific IP address, 192.168.56.1, put from in front of the IP address.

$ sudo ufw allow from 192.168.56.1

To allow connections on a specific port only (for example port 22) from your home machine with IP address 192.168.56.1, add to any port followed by the port number after the IP address, as shown.

$ sudo ufw allow from 192.168.56.1 to any port 22

To allow connections from a whole range of IP addresses, 192.168.1.1 to 192.168.1.254, to port 22 (SSH), specify the network in CIDR notation and run the following command.

$ sudo ufw allow from 192.168.1.0/24 to any port 22

To allow connections to port 22 (SSH) only on a specific network interface, eth2, run the following command.

$ sudo ufw allow in on eth2 to any port 22

By default all incoming connections are blocked unless you have specifically opened them in UFW. Sometimes you also need to block traffic that an earlier rule allows. For example, you have opened ports 80 and 443 and your web server is being attacked from an unknown network, 11.12.13.0/24.

To block all connections from the network range 11.12.13.0/24, you can use the following command.

$ sudo ufw deny from 11.12.13.0/24

If you only want to block connections from that network to ports 80 and 443, you can use the following commands. Be aware that UFW evaluates rules in order and stops at the first match, so a deny rule appended after an existing allow rule for port 80 is never reached; place the deny ahead of the allow rules with ufw insert 1 ... instead of ufw deny ..., and check the order with ufw status numbered.

$ sudo ufw deny from 11.12.13.0/24 to any port 80
$ sudo ufw deny from 11.12.13.0/24 to any port 443

There are two ways to delete UFW rules: by rule number and by repeating the rule itself.

To delete a UFW rule by number, first list the rules with their numbers using the following command.

$ sudo ufw status numbered
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere

To delete rule number 1, use the following command (UFW asks for confirmation; rule numbers shift down after each deletion, so re-run ufw status numbered before deleting another).

$ sudo ufw delete 1

The second way is to delete a rule by repeating it: give the original rule, including the port number and protocol, after delete, as shown.

$ sudo ufw delete allow 22/tcp
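The block-a-network example and the delete-by-number procedure above both depend on rule positions, which is where the first-match behaviour bites: a deny for 11.12.13.0/24 added after allow 80/tcp is shadowed and never fires. The following helpers are an added example, not code from the original article. They parse ufw status numbered output to find a rule's position, check whether a deny actually precedes the allow it is meant to override, and re-insert it at position 1 if not. The status text in sample_status is constructed to show the shadowed state, not captured from a real host, and UFW_CMD is an assumed override (set it to echo to preview).

```shell
#!/bin/sh
# Added example (not from the original article): UFW evaluates rules in order and
# the first match wins, so a deny appended after "allow 80/tcp" never fires.
# These helpers parse "ufw status numbered" to find a rule's position, check
# that a deny precedes the allow it overrides, and insert it at the top if not.
set -e

UFW_CMD="${UFW_CMD:-sudo ufw}"

# Constructed "ufw status numbered" output (not captured), in the state you get
# after: ufw allow 22/tcp; ufw allow 80/tcp; ufw deny from 11.12.13.0/24 to any port 80
# Rule 3 is shadowed by rule 2.
sample_status() {
    cat <<'EOF'
Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 80/tcp                     DENY IN     11.12.13.0/24
EOF
}

# rule_number_for TO ACTION FROM   (status text on stdin)
# Prints the number of the first rule whose To/Action/From columns match
# exactly, nothing if absent. The sed turns "[ 3] 80/tcp ..." into "3 80/tcp ..."
# so awk sees: number, To, Action, direction, From. IPv6 rows carry an extra
# "(v6)" field and are skipped here.
rule_number_for() {
    sed -n 's/^\[ *\([0-9][0-9]*\)] */\1 /p' |
        awk -v to="$1" -v act="$2" -v from="$3" \
            'NF == 5 && $2 == to && $3 == act && $5 == from { print $1; exit }'
}

# deny_precedes_allow PORT NET   (status text on stdin)
# Returns 0 when the deny for NET sits above the general allow for PORT/tcp,
# 1 when the deny is shadowed or missing.
deny_precedes_allow() {
    status=$(cat)
    allow=$(printf '%s\n' "$status" | rule_number_for "$1/tcp" ALLOW Anywhere)
    deny=$(printf '%s\n' "$status" | rule_number_for "$1/tcp" DENY "$2")
    if [ -n "$deny" ] && [ -n "$allow" ] && [ "$deny" -lt "$allow" ]; then
        return 0
    fi
    return 1
}

# Put the deny at position 1 so it is evaluated before every allow rule.
deny_net_first() {
    $UFW_CMD insert 1 deny from "$2" to any port "$1"
}

# "sh order.sh check" repairs the live rule set: delete a shadowed deny by its
# number (--force skips the confirmation prompt) and re-add it at the top.
case "${1:-}" in
    check)
        if $UFW_CMD status numbered | deny_precedes_allow 80 11.12.13.0/24; then
            echo "deny for 11.12.13.0/24 is effective"
        else
            n=$($UFW_CMD status numbered | rule_number_for 80/tcp DENY 11.12.13.0/24)
            [ -n "$n" ] && $UFW_CMD --force delete "$n"
            deny_net_first 80 11.12.13.0/24
        fi
        ;;
esac
```

Run sample_status | deny_precedes_allow 80 11.12.13.0/24 to see the shadowed case fail; after deny_net_first the deny becomes rule 1 and the same check passes against the live output.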

You can run any ufw command without changing the firewall configuration by using the --dry-run flag, which only shows the changes that would be made.

$ sudo ufw --dry-run enable

If for any reason you want to delete all firewall rules and start over, run the following commands. Note that ufw reset also disables the firewall (it backs up the old rule files under /etc/ufw before clearing them), so afterwards you must allow SSH again and re-enable UFW.

$ sudo ufw reset
$ sudo ufw status

UFW can do anything iptables can do, because its rules are kept in a set of rule files which are nothing more than plain-text files in iptables-restore format.

Fine-tuning UFW or adding iptables rules that the ufw command cannot express is therefore not done through the ufw command at all; it is simply a matter of editing these text files and reloading the firewall.

  • /etc/default/ufw: The main configuration file with the default policies.
  • /etc/ufw/before[6].rules: Rules in this file are evaluated before the rules added with the ufw command.
  • /etc/ufw/after[6].rules: Rules in this file are evaluated after the rules added with the ufw command.
  • /etc/ufw/sysctl.conf: This file is used to tune kernel network settings.
  • /etc/ufw/ufw.conf: This file controls whether ufw is enabled at boot.

That's it! UFW is a good front end to iptables with a user-friendly interface for defining fairly complex rules with a single ufw command.

If you have any questions or thoughts to share about this ufw article, use the comment form below to reach us.