How to Install, Configure and Use Firewalld in CentOS and Ubuntu


Firewalld (firewall daemon) is an alternative to the iptables service for managing a system's firewall, with support for network (or firewall) zones, and it provides a D-Bus interface for managing configurations. It is easy to use and configure, and it is now the default firewall management tool on RHEL/CentOS, Fedora and many other Linux distributions.

In this article, we will discuss how to configure a system firewall with firewalld and implement basic packet filtering in CentOS/RHEL 7 and Ubuntu.

Understanding Firewalld Basics

Firewalld consists of three layers, which are:

  • core layer: responsible for handling the configuration and the back ends (listed below).
  • D-Bus interface: the primary means of changing and creating the firewall configuration.
  • backends: for interacting with netfilter (the native kernel module used for firewalling). They include iptables, ip6tables, ebtables, ipset, nft, linnftables; network manager; and modules.

It manages firewall rules by implementing network/firewall zones that define the trust level of network connections or interfaces. Other supported firewall features include services, direct configuration (used to pass raw iptables syntax directly), IPSets and ICMP types.

Two kinds of configuration environments are supported by firewalld:

  • runtime configuration, which is only effective until the machine is rebooted or the firewalld service is restarted
  • permanent configuration, which is saved to disk and persists across reboots.

The firewall-cmd command line tool is used to manage runtime and permanent configuration. Alternatively, you can use the firewall-config graphical user interface (GUI) configuration tool to interact with the daemon.

In addition, firewalld offers a well-defined interface for other local services or applications to request changes to the firewall rules directly, if they are running with root privileges.

The global configuration file for firewalld is located at /etc/firewalld/firewalld.conf, and firewall features are configured in XML format.

Understanding Important Firewalld Features

The central feature of firewalld is network/firewall zones. Every other feature is bound to a zone. A firewall zone describes the trust level for a connection, interface or source address binding.

The default configuration comes with a number of predefined zones sorted according to their trust level, from untrusted to trusted: drop, block, public, external, dmz, work, home, internal and trusted. They are defined in files stored under the /usr/lib/firewalld/zones directory.

You can configure or add your own custom zones using the CLI client, or simply create or copy a zone file in /etc/firewalld/zones from the existing files and edit it.

Another important concept in firewalld is services. A service is defined using ports and protocols; these definitions represent a given network service such as a web server or a remote access service. Services are defined in files stored under the /usr/lib/firewalld/services/ or /etc/firewalld/services/ directory.
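As an added example that is not part of the original article, the following Python script reads a zone definition in the XML format firewalld stores under /etc/firewalld/zones and summarises it the way firewall-cmd --zone=public --list-all does, then flags the settings that widen exposure; the zone file content is constructed here (it is not copied from a real system) and the review_zone checks are this example's own.

```python
"""Summarise a firewalld zone XML file (added example, not from the original article)."""
import xml.etree.ElementTree as ET

# Constructed sample, not a real system file: a public zone with the service, port, masquerade,
# forward-port and icmp-block features that firewalld stores in /etc/firewalld/zones/*.xml.
SAMPLE_ZONE_XML = """<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="80"/>
  <port protocol="tcp" port="443"/>
  <masquerade/>
  <forward-port port="22" protocol="tcp" to-port="5000" to-addr="10.20.1.3"/>
  <icmp-block name="echo-reply"/>
</zone>
"""

def parse_zone(xml_text):
    """Return the zone's settings as plain Python values, roughly what --list-all prints."""
    root = ET.fromstring(xml_text)
    if root.tag != "zone":
        raise ValueError("not a firewalld zone file")
    # The target attribute is written as ACCEPT, %%REJECT%% or DROP; when absent it is "default".
    target = root.get("target", "default").replace("%%", "")
    return {
        "target": target,
        "services": [s.get("name") for s in root.findall("service")],
        "ports": ["%s/%s" % (p.get("port"), p.get("protocol")) for p in root.findall("port")],
        "masquerade": root.find("masquerade") is not None,
        "forward_ports": [
            {k: fp.get(k) for k in ("port", "protocol", "to-port", "to-addr")}
            for fp in root.findall("forward-port")
        ],
        "icmp_blocks": [b.get("name") for b in root.findall("icmp-block")],
    }

def review_zone(zone):
    """Return human-readable findings about settings that widen exposure in an untrusted zone."""
    findings = []
    if zone["target"] == "ACCEPT":
        findings.append("target ACCEPT: anything not explicitly blocked is allowed")
    if zone["masquerade"]:
        findings.append("masquerade enabled: this host NATs traffic for other machines")
    for fp in zone["forward_ports"]:
        findings.append("port %s/%s is forwarded to %s:%s"
                        % (fp["port"], fp["protocol"], fp["to-addr"], fp["to-port"]))
    return findings
```

Point parse_zone at the contents of any file under /etc/firewalld/zones or /usr/lib/firewalld/zones to audit a real zone.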

If you know basic iptables/ip6tables/ebtables concepts, you can also use the direct interface (or configuration) to gain direct access to the firewall. But for those without any iptables knowledge, the rich language can be used to create more complex firewall rules for IPv4 and IPv6.

How to Install the Firewalld Package in Linux

On CentOS 7, the firewalld package comes pre-installed, and you can verify this using the following command.

$ rpm -qa firewalld

On Ubuntu 16.04 and 18.04, you can install it using the default package manager as shown.

$ sudo apt install firewalld

How to Manage the Firewalld Service in Linux

Firewalld is a regular systemd service which can be managed via the systemctl command.

$ sudo systemctl start firewalld	#start the service for the meantime
$ sudo systemctl enable firewalld	#enable the service to auto-start at boot time
$ sudo systemctl status firewalld	#view service status

After starting the firewalld service, you can check whether the daemon is running or not using the firewall-cmd tool (if it is not active, this command will output "not running").

$ sudo firewall-cmd --state

Whenever you save permanent changes, you can reload firewalld. This reloads the firewall rules while keeping state information; the current permanent configuration becomes the new runtime configuration.

$ sudo firewall-cmd --reload

How to Work with Firewall Zones in Firewalld

To get a list of all available firewall zones and services, run these commands.

$ sudo firewall-cmd --get-zones
$ sudo firewall-cmd --get-services

The default zone is the zone used for every firewall feature that is not explicitly bound to another zone. You can get the default zone set for network connections and interfaces by running:

$ sudo firewall-cmd --get-default-zone

To set the default zone, for example to external, use the following command. Note that adding the --permanent option makes the configuration permanent (or, for query commands, reads information from the permanent configuration environment).

$ sudo firewall-cmd --set-default-zone=external
OR
$ sudo firewall-cmd --set-default-zone=external --permanent
$ sudo firewall-cmd --reload

Next, let's look at how to add an interface to a zone. This example shows how to add your wireless network adapter (wlp1s0) to the home zone, which is used in home areas.

$ sudo firewall-cmd --zone=home --add-interface=wlp1s0

An interface can only be added to a single zone. To move it to another zone, use the --change-interface switch as shown, or remove it from the previous zone using the --remove-interface switch and then add it to the new zone.

Assuming you want to connect to a public Wi-Fi network, you should move your wireless interface back to the public zone, like this:

$ sudo firewall-cmd --zone=public --add-interface=wlp1s0
$ sudo firewall-cmd --zone=public --change-interface=wlp1s0

You can use several zones at the same time. To get a list of all active zones with their enabled features such as interfaces, services, ports and protocols, run:

$ sudo firewall-cmd --get-active-zones

Following on from the previous point, if you want more information about a particular zone, i.e. everything that has been added or enabled in it, use one of these commands:

$ sudo firewall-cmd --zone=home --list-all
OR
$ sudo firewall-cmd --info-zone public

Another useful option is --get-target, which shows you the target of a permanent zone. A target is one of: default, ACCEPT, DROP, REJECT. You can check the target of the various zones:

$ sudo firewall-cmd --permanent --zone=public --get-target
$ sudo firewall-cmd --permanent --zone=block --get-target
$ sudo firewall-cmd --permanent --zone=dmz --get-target
$ sudo firewall-cmd --permanent --zone=external --get-target
$ sudo firewall-cmd --permanent --zone=drop --get-target

How to Open and Block Ports in Firewalld

To open a port (or a port/protocol combination) in the firewall, simply add it to a zone with the --add-port option. If you do not explicitly specify the zone, it will be enabled in the default zone.

The following example shows how to add ports 80 and 443 to allow inbound web traffic via the HTTP and HTTPS protocols, respectively:

$ sudo firewall-cmd --zone=public --permanent --add-port=80/tcp --add-port=443/tcp

Afterwards, reload firewalld and check the enabled features in the public zone once more; you should see the ports you just added.

$ sudo firewall-cmd --reload
$ sudo firewall-cmd --info-zone public

Blocking or closing a port in the firewall is equally easy: simply remove it from the zone with the --remove-port option. For example, to close ports 80 and 443 in the public zone:

$ sudo firewall-cmd --zone=public --permanent --remove-port=80/tcp --remove-port=443/tcp

Instead of using the port or port/protocol combination, you can use the name of the service that the port is assigned to, as explained in the next section.

How to Open and Block Services in Firewalld

To open a service in the firewall, enable it using the --add-service option. If the zone is omitted, the default zone will be used.

The following command will permanently enable the http service in the public zone.

$ sudo firewall-cmd --zone=public --permanent --add-service=http
$ sudo firewall-cmd --reload

The --remove-service option can be used to disable a service.

$ sudo firewall-cmd --zone=public --permanent --remove-service=http
$ sudo firewall-cmd --reload

How to Enable and Disable IP Masquerading Using Firewalld

IP masquerading (also known as IPMASQ or MASQ) is a NAT (Network Address Translation) mechanism in Linux networking which allows hosts in your network that have private IP addresses to communicate with the Internet through your Linux server (the IPMASQ gateway), which has been assigned a public IP address.

It is a one-to-many mapping. Traffic from your hidden hosts will appear to other computers on the Internet as if it were coming from your Linux server.

You can enable IP masquerading in the desired zone, for example the public zone. But before doing that, first check whether masquerading is active or not ("no" means it is disabled and "yes" means it is enabled).

$ sudo firewall-cmd --zone=public --query-masquerade
$ sudo firewall-cmd --zone=public --add-masquerade

A typical use case for masquerading is port forwarding. Suppose you want to SSH from a remote machine to a host in your internal network with the IP 10.20.1.3, on which the sshd daemon is listening on port 5000.

You can forward all connections to port 22 on your Linux server to the intended port on your target host by issuing:

$ sudo firewall-cmd --zone=public --add-forward-port=port=22:proto=tcp:toport=5000:toaddr=10.20.1.3

To disable masquerading in a zone, use the --remove-masquerade switch.

$ sudo firewall-cmd --zone=public --remove-masquerade

How to Enable and Disable ICMP Messages in Firewalld

ICMP (Internet Control Message Protocol) messages are either requests for information, responses to such requests, or reports of error conditions.

You can enable or disable ICMP messages in the firewall, but before that, first list all supported icmp types.

$ sudo firewall-cmd --get-icmptypes

To add or remove the block of an ICMP type you want:

$ sudo firewall-cmd --zone=home --add-icmp-block=echo-reply
OR
$ sudo firewall-cmd --zone=home --remove-icmp-block=echo-reply

You can view all icmp types blocked in a zone using the --list-icmp-blocks switch.

$ sudo firewall-cmd --zone=home --list-icmp-blocks

How to Use the Direct Interface to Pass Raw iptables Rules

The firewall-cmd tool also provides direct options (--direct) to get more direct access to the firewall. This is useful for those with basic knowledge of iptables.

Important: You should only use the direct options as a last resort, when it is not possible to use the regular firewall-cmd options explained above.

Here is an example of how to pass a raw iptables rule using the --add-rule switch. You can easily remove such rules by replacing --add-rule with --remove-rule:

$ sudo firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp --dport 80 -j ACCEPT

For more information about iptables, see this guide: How to Setup an Iptables Firewall to Enable Remote Access to Services in Linux.

If you are not familiar with iptables syntax, you can opt for firewalld's rich language to create more complex firewall rules in an easy-to-understand way, as explained next.

How to Use the Rich Language in Firewalld

The rich language (also known as rich rules) is used to add more complex firewall rules for IPv4 and IPv6 without knowledge of iptables syntax.

It extends the zone features (service, port, icmp-block, masquerade and forward-port) that we have covered. It supports source and destination addresses, logging, actions and limits for logs and actions.

--add-rich-rule is used to add rich rules. This example shows how to allow new IPv4 and IPv6 connections for the http service and log one per minute using audit:

$ sudo firewall-cmd --add-rich-rule='rule service name="http" audit limit value="1/m" accept'

To remove the added rule, replace the --add-rich-rule option with --remove-rich-rule.

$ sudo firewall-cmd --remove-rich-rule='rule service name="http" audit limit value="1/m" accept'

This feature also allows blocking or allowing traffic from a specific IP address. The following example shows how to reject connections from the IP 10.20.1.20.

$ sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.20.1.20" reject'
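As an added example that is not part of the original article, the following Python code parses rich rules such as the two above into the <rule> XML form that firewalld uses inside its zone files, and adds a small review check a defender would run before adding a rule to an untrusted zone; the KEYWORDS set follows the grammar in firewalld.richlanguage(5), and the lint_rich_rule checks are this example's own.

```python
"""Translate firewalld rich rules into zone-file XML (added example, not from the original article)."""
import shlex
import xml.etree.ElementTree as ET

# Keywords from firewalld.richlanguage(5); every other token must be a key=value attribute.
KEYWORDS = {"source", "destination", "service", "port", "protocol", "icmp-block", "icmp-type",
            "masquerade", "forward-port", "source-port", "log", "audit", "limit",
            "accept", "reject", "drop", "mark"}

def parse_rich_rule(text):
    """Split a rich rule into ordered (keyword, attributes) pairs; the first pair is 'rule' itself."""
    tokens = shlex.split(text)  # shlex drops the quotes: family="ipv4" -> family=ipv4
    if not tokens or tokens[0] != "rule":
        raise ValueError("a rich rule must start with the word 'rule'")
    parts = [("rule", {})]
    for tok in tokens[1:]:
        if tok in KEYWORDS:
            parts.append((tok, {}))
        elif tok == "NOT" and parts[-1][0] in ("source", "destination"):
            parts[-1][1]["invert"] = "True"  # 'source NOT address=...' is stored as invert="True"
        elif "=" in tok:
            key, value = tok.split("=", 1)
            parts[-1][1][key] = value
        else:
            raise ValueError("unexpected token %r" % tok)
    return parts

def rich_rule_to_xml(text):
    """Render the rule as the <rule> element found in /etc/firewalld/zones/*.xml."""
    parts = parse_rich_rule(text)
    rule = ET.Element("rule", parts[0][1])
    parent = rule
    for keyword, attrs in parts[1:]:
        if keyword == "limit":  # limit nests inside the preceding log, audit or action element
            ET.SubElement(parent, "limit", attrs)
        else:
            parent = ET.SubElement(rule, keyword, attrs)
    return ET.tostring(rule, encoding="unicode")

def lint_rich_rule(text):
    """Return findings a reviewer would raise before adding the rule to an untrusted zone."""
    parts = parse_rich_rule(text)
    keywords = {keyword for keyword, _ in parts}
    findings = []
    if "accept" in keywords and "source" not in keywords:
        findings.append("accept without a source restriction applies to every peer")
    if any("address" in attrs for _, attrs in parts[1:]) and "family" not in parts[0][1]:
        findings.append("source/destination address requires family=ipv4 or family=ipv6")
    return findings
```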

How to Enable and Disable Panic Mode in Firewalld

Panic mode is a special mode in firewalld where all inbound and outbound packets are dropped, and active connections will expire once it is activated. You can enable this mode in emergency situations where a threat to your network environment occurs.

To query panic mode, use the --query-panic option.

$ sudo firewall-cmd --query-panic

To enable panic mode, use the --panic-on option. You can test whether it is working using the ping command as shown. Because all packets are dropped, the name www.google.com cannot be resolved, hence the error displayed.

$ sudo firewall-cmd --panic-on
$ ping -c 2 www.google.com

To disable panic mode, use the --panic-off option.

$ sudo firewall-cmd --panic-off

How to Lock Down Firewalld

Remember, we mentioned under firewalld basics that local applications or services can alter the firewall configuration if they are running with root privileges. You can control which applications are allowed to request firewall changes by listing them in a lockdown whitelist.

This feature is turned off by default; you can enable or disable it with the --lockdown-on or --lockdown-off switch, respectively.

$ sudo firewall-cmd --lockdown-on
OR
$ sudo firewall-cmd --lockdown-off

Note that it is recommended to enable or disable this feature by editing the main configuration file, because firewall-cmd itself may not be on the lockdown whitelist when you enable lockdown.

$ sudo vim /etc/firewalld/firewalld.conf

Find the Lockdown parameter and change its value from no (meaning off) to yes (meaning on).

Lockdown=yes

To make this setting permanent, reload the firewall.

$ sudo firewall-cmd --reload

Firewalld is an easy-to-use replacement for the iptables service, which uses iptables as a backend. In this article, we have shown how to install the firewalld package, explained firewalld's important features and discussed how to configure them in the runtime and permanent configuration environments.

If you have any questions or comments, feel free to reach us via the comment form below. You can refer to the firewalld manual page (man firewalld) or the firewalld documentation on the project website for more information.