How to Configure FirewallD in RHEL, Rocky & AlmaLinux


Netfilter, as we know, is the firewall in Linux. Firewalld is a dynamic daemon for managing the firewall with support for network zones. In earlier versions of RHEL and CentOS we used iptables as the daemon for the packet-filtering framework.

In newer versions of RHEL-based distributions such as Fedora, Rocky Linux, CentOS Stream, AlmaLinux, and openSUSE, iptables is replaced by firewalld.


It is recommended to start using Firewalld instead of iptables, since iptables may be discontinued in the future. However, iptables is still supported and can be installed with the yum command. We cannot keep Firewalld and iptables both active on the same system, as that may lead to conflicts.

In iptables we used to configure the INPUT, OUTPUT & FORWARD chains, but in Firewalld the concept uses Zones. By default there are several zones available in firewalld, which will be discussed in this article.

The basic zones are the likes of the public zone and the private zones. To make things work with these zones, we need to add the interface to the zone that should apply to it, and then we can add services to Firewalld.

By default many services are available. One of the best features of Firewalld is that it comes with pre-defined services, and we can take these as templates to add our own services by simply copying them.

Firewalld works well with IPv4, IPv6, and Ethernet bridges too. We can have separate runtime and permanent configurations in Firewalld.

Let's get started on how to work with zones, create our own services, and other useful features of Firewalld in Linux.

Operating System : Red Hat Enterprise Linux release 9.0 (Plow)
IP Address       : 192.168.0.159
Hostname         : tecmint-rhel9

Step 1: Install Firewalld in RHEL Systems

1. The Firewalld package is installed by default in RHEL, Fedora, Rocky Linux, CentOS Stream, AlmaLinux, and openSUSE. If it is not, you can install it using the following yum command.

# yum install firewalld -y

2. After the firewalld package is installed, check whether the iptables service is running. If it is, you need to stop and mask (so it is no longer used) the iptables service with the commands below.

# systemctl status iptables
# systemctl stop iptables
# systemctl mask iptables

Step 2: Understanding Firewalld Components (Zones and Rules)

3. Before heading into the firewalld configuration, I would like to discuss each zone. By default some zones are available. We need to assign the interface to a zone. A zone defines the level of trust (trusted or denied) applied to the interface for incoming connections. A zone can contain services & ports.

Here we describe each zone available in Firewalld.

  • Drop Zone: Any incoming packet is dropped if we use the drop zone. This is the same as adding iptables -j DROP. Using the drop zone means no reply is sent; only outgoing network connections are possible.
  • Block Zone: The block zone rejects incoming network connections with an icmp-host-prohibited message. Only connections established from within the server are allowed.
  • Public Zone: To accept selected connections we can define rules in the public zone. This allows only the specified ports to be opened on our server; other connections are dropped.
  • External Zone: This zone acts as a router option with masquerading enabled; other connections are dropped and not accepted, and only the specified connections are allowed.
  • DMZ Zone: If we need to allow access to some services for the public, we can define them in the DMZ zone. This zone also accepts only the selected incoming connections.
  • Work Zone: In this zone we can define internal networks only, i.e. private network traffic is allowed.
  • Home Zone: This zone is used mainly in home environments; we can use it to trust the other computers on the network so they do not harm your computer, as in every zone. This too allows only the selected incoming connections.
  • Internal Zone: This is similar to the work zone, with selected connections allowed.
  • Trusted Zone: If we set the trusted zone, all traffic is accepted.

Now that you have a better idea about zones, let's find out the available zones and the default zone, and list all zones using the following commands.

# firewall-cmd --get-zones
# firewall-cmd --get-default-zone
# firewall-cmd --list-all-zones

Note: The output of the last command will not fit on a single page, as it lists every zone such as block, dmz, drop, external, home, internal, public, trusted, and work. If a zone has rich rules, enabled services, or ports, they are listed together with that zone's information.

Step 3: Setting the Default Firewalld Zone

4. If you want to set the default zone to internal, external, drop, work, or any other zone, you can use the command below. Here we use the internal zone as the default.

# firewall-cmd --set-default-zone=internal

5. After setting the zone, verify the default zone using the command below.

# firewall-cmd --get-default-zone

6. Here our interface is enp0s3. If we need to check which zone our interface is bound to, we can use the command below.

# firewall-cmd --get-zone-of-interface=enp0s3

7. Another interesting feature of firewalld is 'icmptype', the set of ICMP types that firewalld supports. To get the list of supported ICMP types we can use the command below.

# firewall-cmd --get-icmptypes

Step 4: Creating Your Own Services in Firewalld

8. A service is a set of rules with ports and options that Firewalld uses. Services that are enabled are loaded automatically when the Firewalld service comes up and runs.

By default many services are available; to get the list of all available services, use the following command.

# firewall-cmd --get-services

9. To see the definitions of all the default services, go to the following directory, where you will find one file per service.

# cd /usr/lib/firewalld/services/

10. To create your own service, you need to define it in the following location. For example, here I want to add a service for RTMP port 1935; first make a copy of any one of the existing services.

# cd /etc/firewalld/services/
# cp /usr/lib/firewalld/services/ssh.xml /etc/firewalld/services/

Then navigate to the location where our service file was copied and rename the file 'ssh.xml' to 'rtmp.xml', as shown in the picture below.

# cd /etc/firewalld/services/
# mv ssh.xml rtmp.xml
# ls -l rtmp.xml

11. Next, open and edit the file: set the heading, description, protocol, and port number that we need for the RTMP service, as shown in the picture below.
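As an added example that is not part of the original article, the following script writes the rtmp.xml service definition described in step 11 and extracts its port entries so the file can be reviewed before firewalld reloads it. The short name, description text and the SERVICE_DIR override are assumptions; the service name rtmp and TCP port 1935 come from the article.

```shell
#!/bin/sh
# Added example (not from the original article): generate the rtmp.xml
# service definition from step 11 and check its contents before reloading.
# Assumed values: short name "RTMP", description text, SERVICE_DIR override.
SERVICE_DIR="${SERVICE_DIR:-/etc/firewalld/services}"

# write_rtmp_service DIR: writes DIR/rtmp.xml in firewalld's service format.
# Only <short>, <description> and <port> are needed; the content copied
# from ssh.xml (port 22) is replaced entirely rather than edited in place.
write_rtmp_service() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/rtmp.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>RTMP</short>
  <description>Real-Time Messaging Protocol used by streaming servers. Adding this service to a zone opens TCP 1935 to every source that zone accepts.</description>
  <port protocol="tcp" port="1935"/>
</service>
EOF
    # firewalld trusts the file content, so keep it root-owned and not writable by others.
    chmod 0644 "$dir/rtmp.xml"
}

# service_ports FILE: prints each <port> entry as PORT/PROTOCOL, one per line,
# so a reviewer can confirm the definition opens only what was intended.
service_ports() {
    sed -n 's/.*<port protocol="\([a-z]*\)" port="\([0-9-]*\)".*/\2\/\1/p' "$1"
}

# Apply to the real directory and reload only as root on a host with firewalld.
if [ "$(id -u)" -eq 0 ] && command -v firewall-cmd >/dev/null 2>&1; then
    write_rtmp_service "$SERVICE_DIR"
    firewall-cmd --reload
    # The new service name must now appear in the list of known services.
    firewall-cmd --get-services | tr ' ' '\n' | grep -x rtmp
fi
```

Run it with SERVICE_DIR pointing at a scratch directory first to inspect the generated file; the reload and verification only happen when run as root with firewall-cmd installed.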

12. To activate these changes, restart the Firewalld service or reload its configuration.

# firewall-cmd --reload

13. To verify whether the service was added, run the command below to get the list of services.

# firewall-cmd --get-services

Step 5: Assigning Services to Firewalld Zones

14. Here we will see how to manage the firewall using the firewall-cmd command. To find out the current state of the firewall and all the active zones, type the following commands.

# firewall-cmd --state
# firewall-cmd --get-active-zones

15. The interface enp0s3 is in the public zone, which is the default zone defined in the /etc/firewalld/firewalld.conf file as DefaultZone=public.

To list the services enabled in this default zone:

# firewall-cmd --list-services

Step 6: Adding Services to Firewalld Zones

16. In the examples above we saw how to create our own service by defining the rtmp service; here we will see how to add the rtmp service to a zone as well.

# firewall-cmd --add-service=rtmp

17. To remove the added service from the zone, type:

# firewall-cmd --zone=public --remove-service=rtmp

The step above is only temporary (runtime configuration). To make it permanent we need to run the command below with the --permanent option.

# firewall-cmd --add-service=rtmp --permanent
# firewall-cmd --reload

18. Define rules for a source network range and open any one of the ports. For example, if you want to allow the network range '192.168.0.0/24' and open port '1935', use the following commands.

# firewall-cmd --permanent --add-source=192.168.0.0/24
# firewall-cmd --permanent --add-port=1935/tcp

Make sure to reload the firewalld service after adding or removing any service or port.

# firewall-cmd --reload 
# firewall-cmd --list-all

Step 7: Adding Firewalld Rich Rules for a Network Range

19. If I want to allow services such as http, https, vnc-server, and PostgreSQL from the network range, I use the following rules. First add the rule, then make it permanent, reload the rules, and check the status.

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' 
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="http" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="https" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="vnc-server" accept' --permanent

# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept'
# firewall-cmd --add-rich-rule 'rule family="ipv4" source address="192.168.0.0/24" service name="postgresql" accept' --permanent

Now the network range 192.168.0.0/24 can use the above services on my server. The --permanent option can be used with every rule, but we should first define the runtime rule and verify client access, and only then make it permanent.

20. After adding the above rules, don't forget to reload the firewall rules and list them using:

# firewall-cmd --reload
# firewall-cmd --list-all
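As an added example that is not part of the original article, this script applies the step 19 rich rules for one source range in a loop, adding each rule to the runtime configuration only if it is not already present and then to the permanent configuration, so both stay in sync before the reload in step 20. The service list and the NET/SERVICES environment overrides are assumptions; the rule text and the 192.168.0.0/24 range are taken from the article.

```shell
#!/bin/sh
# Added example (not from the original article): apply the step 19 rich rules
# for one source range and keep runtime and permanent configuration in sync.
# Assumed values: the SERVICES list and the NET/SERVICES overrides.
NET="${NET:-192.168.0.0/24}"
SERVICES="${SERVICES:-http https vnc-server postgresql}"

# rich_rule SOURCE SERVICE: prints the rich rule in the exact form used in
# the article, so the same text is used for add, query and later removal.
rich_rule() {
    printf 'rule family="ipv4" source address="%s" service name="%s" accept' "$1" "$2"
}

# ensure_rich_rule RULE: adds RULE to the runtime configuration if it is not
# already active, then does the same for the permanent configuration so the
# rule survives a reload or reboot. Without --zone the rule lands in the
# default zone, exactly as the article's commands do.
ensure_rich_rule() {
    rule="$1"
    if firewall-cmd --query-rich-rule "$rule" >/dev/null 2>&1; then
        echo "runtime already has: $rule"
    else
        firewall-cmd --add-rich-rule "$rule"
    fi
    firewall-cmd --permanent --query-rich-rule "$rule" >/dev/null 2>&1 \
        || firewall-cmd --permanent --add-rich-rule "$rule"
}

# Only touch the firewall on a host that actually has firewall-cmd.
if command -v firewall-cmd >/dev/null 2>&1; then
    for svc in $SERVICES; do
        ensure_rich_rule "$(rich_rule "$NET" "$svc")"
    done
    # Reload so the permanent set becomes the active set, then show what is live.
    firewall-cmd --reload
    firewall-cmd --list-rich-rules
fi
```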

To learn more about Firewalld, see its manual page.

# man firewalld

That's it; we have seen how to set up a firewall using Firewalld in RHEL-based distributions such as Fedora, Rocky Linux, CentOS Stream, AlmaLinux, and openSUSE.

Netfilter is the firewall framework of every Linux distribution. In earlier RHEL and CentOS releases we used iptables, but in the newer versions Firewalld was introduced. Firewalld is easy to understand and use. I hope you enjoyed the write-up.