How to Install, Configure and Use Firewalld in CentOS and Ubuntu
Firewalld (firewall daemon) is an alternative to the iptables service for managing a system's firewall. It supports network (firewall) zones and provides a D-Bus interface for managing the configuration. It is easy to use and configure, and it is now the default firewall management tool on RHEL/CentOS, Fedora and many other Linux distributions.
In this article, we will discuss how to configure the system firewall with firewalld and implement basic packet filtering on CentOS/RHEL 7 and Ubuntu.
The Basics About Firewalld
Firewalld consists of three layers, which are:
- core layer: responsible for handling the configuration and the back ends (listed below).
- D-Bus interface: the primary means of changing and creating the firewall configuration.
- backends: for interacting with netfilter (the native kernel module used for firewalling). They include iptables, ip6tables, ebtables, ipset, nft, libnftables; network manager; and modules.
It manages firewall rules by implementing network/firewall zones that define the trust level of network connections or interfaces. Other supported firewall features include services, direct configuration (used to pass raw iptables syntax through), IPSets and ICMP types.
Firewalld supports two kinds of configuration environments:
- runtime configuration, which is only effective until the machine is rebooted or the firewalld service is restarted
- permanent configuration, which is saved and persists across restarts.
The firewall-cmd command line tool is used to manage both the runtime and the permanent configuration. Alternatively, you can use the firewall-config graphical user interface (GUI) tool to interact with the daemon.
In addition, firewalld offers a well-defined interface through which other local services or applications can request changes to the firewall rules directly, if they are running with root privileges.
The global configuration file for firewalld is located at /etc/firewalld/firewalld.conf, and firewall features are configured in XML format.
Understanding Important Firewalld Features
The central feature of firewalld is the network/firewall zone. Every other feature is bound to a zone. A firewall zone defines the trust level for a connection, an interface or a source address binding.
The default configuration ships with a number of predefined zones, ordered by their default trust level from untrusted to trusted: drop, block, public, external, dmz, work, home, internal and trusted. They are defined in files stored under the /usr/lib/firewalld/zones directory.
You can configure or add your own custom zones using the CLI client, or simply create a zone file in /etc/firewalld/zones (or copy one of the existing files there) and edit it.
Another important concept in firewalld is services. A service is defined by its ports and protocols; these definitions represent a given network service such as a web server or a remote access service. Services are defined in files stored under the /usr/lib/firewalld/services/ or /etc/firewalld/services/ directory.
If you know basic iptables/ip6tables/ebtables concepts, you can also use the direct interface (or direct configuration) to get direct access to the firewall. For those without any iptables knowledge, the rich language can be used to create more complex firewall rules for IPv4 and IPv6.
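As an added example (not from the article), here is what a custom zone file in /etc/firewalld/zones looks like, written out by a small shell function, followed by the commands that make firewalld load it; the zone name webdmz, the admin subnet 10.20.1.0/24 and the interface eth1 are assumptions.

```shell
#!/bin/sh
# Added example (not from the article): build a custom zone as an XML file in
# the format firewalld reads from /etc/firewalld/zones, then load and bind it.
# Assumptions: zone name "webdmz", admin subnet 10.20.1.0/24, interface eth1.

# write_zone_file [DIR]: write DIR/webdmz.xml and print its path.
write_zone_file() {
    dir=${1:-/etc/firewalld/zones}
    out="$dir/webdmz.xml"
    cat > "$out" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone target="default">
  <short>WebDMZ</short>
  <description>Public web tier: HTTP/HTTPS only; SSH from the admin subnet.</description>
  <service name="http"/>
  <service name="https"/>
  <!-- hosts in this zone never route, so ICMP redirects are unwanted -->
  <icmp-block name="redirect"/>
  <!-- rich rule: accept SSH only from 10.20.1.0/24, logged at most once a minute -->
  <rule family="ipv4">
    <source address="10.20.1.0/24"/>
    <service name="ssh"/>
    <log prefix="webdmz-ssh " level="info">
      <limit value="1/m"/>
    </log>
    <accept/>
  </rule>
</zone>
EOF
    printf '%s\n' "$out"
}

# load_zone [IFACE]: reload so firewalld parses the new file, bind the interface
# to the zone permanently, reload again and show the result. Needs firewall-cmd and root.
load_zone() {
    iface=${1:-eth1}
    command -v firewall-cmd >/dev/null 2>&1 || { echo "firewall-cmd not found" >&2; return 1; }
    sudo firewall-cmd --reload
    sudo firewall-cmd --permanent --zone=webdmz --change-interface="$iface"
    sudo firewall-cmd --reload
    sudo firewall-cmd --info-zone webdmz
}
```

Zones created this way show up in --get-zones after the first reload, exactly like the predefined ones under /usr/lib/firewalld/zones.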
How to Install the Firewalld Package in Linux
On CentOS 7, the firewalld package comes pre-installed, and you can verify this using the following command.
$ rpm -qa firewalld
On Ubuntu 16.04 and 18.04, you can install it using the default package manager as shown.
$ sudo apt install firewalld
How to Manage the Firewalld Service in Linux
Firewalld is a regular systemd service that can be managed with the systemctl command.
$ sudo systemctl start firewalld    #start the service for the mean time
$ sudo systemctl enable firewalld   #enable the service to auto-start at boot time
$ sudo systemctl status firewalld   #view service status
After starting the firewalld service, you can check whether the daemon is running using the firewall-cmd tool (if it is not active, this command prints "not running").
$ sudo firewall-cmd --state
If you have saved any changes permanently, you can reload firewalld. This reloads the firewall rules while keeping state information; the current permanent configuration becomes the new runtime configuration.
$ sudo firewall-cmd --reload
How to Work with Firewall Zones in Firewalld
To get a list of all available firewall zones and services, run these commands.
$ sudo firewall-cmd --get-zones
$ sudo firewall-cmd --get-services
The default zone is the zone used for every firewall feature that is not explicitly bound to another zone. You can get the default zone set for network connections and interfaces by running:
$ sudo firewall-cmd --get-default-zone
To set the default zone, for example to external, use the following command. Note that adding the --permanent option makes the setting permanent (or, for queries, reads information from the permanent configuration environment).
$ sudo firewall-cmd --set-default-zone=external
OR
$ sudo firewall-cmd --set-default-zone=external --permanent
$ sudo firewall-cmd --reload
Next, let's look at how to add an interface to a zone. This example shows how to add your wireless network adapter (wlp1s0) to the home zone, which is meant for use in home networks.
$ sudo firewall-cmd --zone=home --add-interface=wlp1s0
An interface can only be added to a single zone. To move it to another zone, use the --change-interface switch as shown, or remove it from the previous zone using the --remove-interface switch and then add it to the new zone.
Assuming you want to connect to a public WI-FI network, you should move your wireless interface to the public zone, like this:
$ sudo firewall-cmd --zone=public --add-interface=wlp1s0
$ sudo firewall-cmd --zone=public --change-interface=wlp1s0
You can use many zones at the same time. To get a list of all active zones with their enabled features such as interfaces, services, ports and protocols, run:
$ sudo firewall-cmd --get-active-zones
Following on from the previous point, if you want more information about a particular zone, i.e. everything added or enabled in it, use one of these commands:
$ sudo firewall-cmd --zone=home --list-all
OR
$ sudo firewall-cmd --info-zone public
Another useful option is --get-target, which shows you the target of a permanent zone. A target is one of: default, ACCEPT, DROP, REJECT. You can check the target of the various zones:
$ sudo firewall-cmd --permanent --zone=public --get-target
$ sudo firewall-cmd --permanent --zone=block --get-target
$ sudo firewall-cmd --permanent --zone=dmz --get-target
$ sudo firewall-cmd --permanent --zone=external --get-target
$ sudo firewall-cmd --permanent --zone=drop --get-target
How to Open and Block Ports in Firewalld
To open a port (or a port/protocol combination) in the firewall, simply add it to a zone with the --add-port option. If you don't explicitly specify a zone, it is enabled in the default zone.
The following example shows how to add ports 80 and 443 to allow web traffic via the HTTP and HTTPS protocols, respectively:
$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=443/tcp
Next, reload firewalld and check the enabled features in the public zone once more; you should now see the ports just added.
$ sudo firewall-cmd --reload
$ sudo firewall-cmd --info-zone public
Blocking or closing a port in the firewall is equally easy: simply remove it from the zone with the --remove-port option. For example, to close ports 80 and 443 in the public zone:
$ sudo firewall-cmd --zone=public --permanent --remove-port=80/tcp --remove-port=443/tcp
Instead of using a port or port/protocol combination, you can use the name of the service to which a port is assigned, as explained in the next section.
How to Open and Block Services in Firewalld
To open a service in the firewall, enable it using the --add-service option. If the zone is omitted, the default zone is used.
The following command permanently enables the http service in the public zone.
$ sudo firewall-cmd --zone=public --permanent --add-service=http
$ sudo firewall-cmd --reload
The --remove-service option can be used to disable a service.
$ sudo firewall-cmd --zone=public --permanent --remove-service=http
$ sudo firewall-cmd --reload
How to Enable and Disable IP Masquerading Using Firewalld
IP Masquerading (also known as IPMASQ or MASQ) is a NAT (Network Address Translation) mechanism in Linux networking which allows hosts on your network with private IP addresses to communicate with the Internet through your Linux server (the IPMASQ gateway), which has been assigned a public IP address.
It is a one-to-many mapping. Traffic from your hidden hosts appears to other computers on the Internet as if it were coming from your Linux server.
You can enable IP masquerading in the desired zone, for example the public zone. Before doing that, first check whether masquerading is active (a "no" means it is disabled, "yes" means it is enabled).
$ sudo firewall-cmd --zone=public --query-masquerade
$ sudo firewall-cmd --zone=public --add-masquerade
A typical use case for masquerading is port forwarding. Assume you want to SSH from a remote machine to a host on your internal network with the IP 10.20.1.3, on which the sshd daemon is listening on port 5000.
You can forward all connections to port 22 on your Linux server to the intended port on your target host by issuing:
$ sudo firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=5000:toaddr=10.20.1.3
To disable masquerading in a zone, use the --remove-masquerade switch.
$ sudo firewall-cmd --zone=public --remove-masquerade
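The ports, services, masquerading and forward-port settings covered in the last three sections all appear in the output of --list-all, so here is an added example (not from the article) that reads that listing and flags the settings a reviewer would want to look at twice; the listing it ships with is constructed, and the set of remote-access service names it flags is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): review the output of
# `firewall-cmd --zone=<zone> --list-all` for settings that widen exposure
# (remote-access services, raw ports, masquerading, forward-ports, ACCEPT target).
# SAMPLE_LISTING is constructed to look like real output, not captured from a host.
SAMPLE_LISTING='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client http https
  ports: 8080/tcp
  protocols:
  masquerade: yes
  forward-ports: port=22:proto=tcp:toport=5000:toaddr=10.20.1.3
  source-ports:
  icmp-blocks:
  rich rules:'

# audit_zone: read a zone listing on stdin, print one line per finding.
# Always returns 0 so it is safe under `set -e`; count the lines for a verdict.
audit_zone() {
    while IFS=': ' read -r key val; do
        case "$key" in
            target)
                # ACCEPT lets through everything that is not explicitly blocked
                if [ "$val" = "ACCEPT" ]; then echo "target=ACCEPT: zone accepts by default"; fi ;;
            services)
                for svc in $val; do
                    case "$svc" in
                        ssh|telnet|vnc-server|samba)
                            echo "remote-access service open: $svc" ;;
                    esac
                done ;;
            ports)
                for p in $val; do
                    echo "raw port open (prefer a service definition): $p"
                done ;;
            masquerade)
                if [ "$val" = "yes" ]; then echo "masquerade=yes: host NATs traffic for other hosts"; fi ;;
            forward-ports)
                if [ -n "$val" ]; then echo "forward-port present: $val"; fi ;;
        esac
    done
    return 0
}

# Live use: sudo firewall-cmd --zone=public --list-all | audit_zone
```

On the constructed listing the function reports four findings (ssh, 8080/tcp, masquerade and the forward-port); an empty report means none of the checked settings are enabled in that zone.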
How to Enable and Disable ICMP Messages in Firewalld
ICMP (Internet Control Message Protocol) messages are either information requests, replies to information requests, or messages sent in error conditions.
You can enable or disable ICMP messages in the firewall, but before that, first list all supported icmp types.
$ sudo firewall-cmd --get-icmptypes
To add or remove the block type you want:
$ sudo firewall-cmd --zone=home --add-icmp-block=echo-reply
OR
$ sudo firewall-cmd --zone=home --remove-icmp-block=echo-reply
You can view all icmp types blocked in a zone using the --list-icmp-blocks switch.
$ sudo firewall-cmd --zone=home --list-icmp-blocks
How to Use the Direct Interface to Pass Raw iptables Rules
firewall-cmd also provides direct options (--direct) to get more direct access to the firewall. This is useful for those with basic knowledge of iptables.
Important: You should only use the direct options as a last resort, when it is not possible to use the regular firewall-cmd options explained above.
Here is an example of how to pass a raw iptables rule using the --add-rule switch. You can easily remove such rules by replacing --add-rule with --remove-rule:
$ sudo firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 80 -j ACCEPT
For more information about iptables, see this guide: How to Setup an Iptables Firewall to Enable Remote Access to Services in Linux.
If you are not familiar with iptables syntax, you can opt for firewalld's rich language to create more complex firewall rules in an easy-to-understand way, as explained next.
How to Use the Rich Language in Firewalld
The rich language (also known as rich rules) is used to add more complex firewall rules for IPv4 and IPv6 without knowledge of iptables syntax.
It extends the zone features (service, port, icmp-block, masquerade and forward-port) that we have covered. It supports source and destination addresses, logging, actions and limits for logs and actions.
The --add-rich-rule option is used to add rich rules. This example shows how to allow new IPv4 and IPv6 connections for the http service and log them once per minute using audit:
$ sudo firewall-cmd --add-rich-rule='rule service name="http" audit limit value="1/m" accept'
To remove the added rule, replace the --add-rich-rule option with --remove-rich-rule.
$ sudo firewall-cmd --remove-rich-rule='rule service name="http" audit limit value="1/m" accept'
This feature also allows for blocking or allowing traffic from a specific IP address. The following example shows how to reject connections from the IP 10.20.1.20.
$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.20.1.20" reject'
How to Enable and Disable Panic Mode in Firewalld
Panic mode is a special mode of firewalld in which all incoming and outgoing packets are dropped, and active connections expire once it is activated.
You can enable this mode in emergency situations where there is a threat to your network environment.
To query panic mode, use the --query-panic option.
$ sudo firewall-cmd --query-panic
To enable panic mode, use the --panic-on option. You can test whether it is working using the ping command as shown. Because packets are dropped, the name www.google.com cannot be resolved, hence the error displayed.
$ sudo firewall-cmd --panic-on
$ ping -c 2 www.google.com
To disable panic mode, use the --panic-off option.
$ sudo firewall-cmd --panic-off
How to Lock Down Firewalld
Remember, we mentioned under the basics about firewalld that local applications or services can alter the firewall configuration if they run with root privileges. You can control which applications are able to request firewall changes by listing them in a lockdown whitelist.
This feature is turned off by default; you can enable or disable it with the --lockdown-on or --lockdown-off switch, respectively.
$ sudo firewall-cmd --lockdown-on
OR
$ sudo firewall-cmd --lockdown-off
Note that it is recommended to enable or disable this feature by editing the main configuration file, because firewall-cmd itself may not be in the lockdown whitelist when you turn lockdown on.
$ sudo vim /etc/firewalld/firewalld.conf
Find the Lockdown variable and change its value from no (meaning disabled) to yes (meaning enabled).
Lockdown=yes
To apply this setting permanently, reload firewalld.
$ sudo firewall-cmd --reload
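Because turning lockdown on with firewall-cmd can shut out firewall-cmd itself, here is an added example (not from the article) that checks the lockdown whitelist for a firewall-cmd entry before enabling lockdown; the two whitelist files it carries are constructed samples, and the command path in them is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): turn lockdown on only after confirming
# that firewall-cmd itself is allowed by the lockdown whitelist, so the CLI is
# not locked out. The file format follows firewalld.lockdown-whitelist(5);
# the sample whitelists below are constructed, not copied from a live system.

# has_cli_whitelisted [FILE]: return 0 when FILE contains a <command> entry
# naming firewall-cmd, or whitelists uid 0 (enough for an interactive root shell).
has_cli_whitelisted() {
    file=${1:-/etc/firewalld/lockdown-whitelist.xml}
    if [ ! -r "$file" ]; then return 1; fi
    if grep -Eq '<command name="[^"]*firewall-cmd[^"]*"' "$file"; then return 0; fi
    if grep -Eq '<user id="0"/>' "$file"; then return 0; fi
    return 1
}

# safe_lockdown_on [FILE]: enable lockdown only when the check passes.
safe_lockdown_on() {
    if has_cli_whitelisted "${1:-/etc/firewalld/lockdown-whitelist.xml}"; then
        sudo firewall-cmd --lockdown-on
    else
        echo "refusing: firewall-cmd is not in the lockdown whitelist" >&2
        return 1
    fi
}

# Constructed samples used to exercise the check offline (command path assumed).
WHITELIST_OK='<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python3 -Es /usr/bin/firewall-cmd*"/>
  <selinux context="system_u:system_r:NetworkManager_t:s0"/>
</whitelist>'
WHITELIST_BAD='<?xml version="1.0" encoding="utf-8"?>
<whitelist>
  <command name="/usr/bin/python3 -Es /usr/bin/firewall-config"/>
</whitelist>'
```

The second sample whitelists only firewall-config, which is the situation the note above warns about: lockdown would go on, and firewall-cmd would then be refused.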
Firewalld is an easy-to-use replacement for the iptables service, which uses iptables as a backend. In this article, we have shown how to install the firewalld package, explained firewalld's important features, and discussed how to configure them in the runtime and permanent configuration environments.
If you have any questions or comments, feel free to reach us via the comment form below. You can refer to the firewalld manual page (man firewalld) or the firewalld documentation on the project website for more information.