I-Firewall efakwe kuhlelo lokusebenza isetshenziselwa ukuvikela ithrafikhi engagunyaziwe phakathi kwamanethiwekhi ekhompyutha. Ibhukwana noma ngokuzenzakalela kwakha imithetho ekhethekile ye-firewall, ebhekele ukulawula ukufinyelela. E-OS, ethuthukiswe eLinux Kernel, CentOS 7 Kukhona i-firewall eyakhelwe ngaphakathi, futhi kulawulwa yi-firewall. Umlilo ozenzakalelayo ubandakanyeka, futhi singathanda ukukhuluma ngakho namuhla.
Yenza ngokwezifiso Firewall e-CentOS 7
Njengoba kushiwo ngenhla, i-firewall ejwayelekile e-CentOS 7 inikezwa umsebenzi we-firewalld. Kungakho ukulungiswa kwe-firewall kuzobhekwa kwisibonelo saleli thuluzi. Ungasetha imithetho yokuhlunga ngezikhala ezifanayo, kepha yenziwa okuhlukile kancane. Sincoma ukuzijwayeza ukucushwa kokusetshenziswa okushiwo ngokuchofoza kusixhumanisi esilandelayo, futhi sizoqala ukungafani kwe-disansekhe ye-firewalld.Uma uyoba njalo okwesikhashana noma unomphela ukhubaze i-firewall, sikucebisa ukuthi usebenzise imiyalo eyethulwe kwesinye isihloko ngesixhumanisi esilandelayo.
Funda kabanzi: Khubaza Firewall kuma-CentOS 7
Bheka imithetho ezenzakalelayo nezindawo ezingabizi
Ngisho ngisho ne-firewall ejwayelekile inemithetho yayo eqondile nezindawo ezifinyelelekayo. Ngaphambi kokuqala ukuhlela kwezepolitiki, sikucebisa ukuthi uzijwayeze ukucushwa kwamanje. Lokhu kwenziwa kusetshenziswa imiyalo elula:
- Indawo ezenzakalelayo izonquma umyalo we-firewall-CMD - -Etget-Zone ozenzakalelayo.
- Ngemuva kokusebenza kwayo, uzobona intambo entsha lapho kuzoboniswa khona ipharamitha efiselekayo. Isibonelo, indawo "yomphakathi" ibhekwa njenge-skrini ngezansi.
- Kodwa-ke, izindawo eziningana zingasebenza ngokushesha, ngaphandle kwalokho, ziboshelwe esibonakalayo esihlukile. Thola lolu lwazi nge-Firewall-Cmd - esebenzayo-Izindawo.
- I-Firewall-CMD - Yonke imiyalo-Yonke imiyalo izokhombisa imithetho ebekelwe indawo ezenzakalelayo. Naka isithombe-skrini esingezansi. Uyabona ukuthi indawo esebenzayo "yomphakathi" yabelwa umthetho we- "Okuzenzakalelayo" - umsebenzi ozenzakalelayo, isikhombimsebenzisi se-ENP0S3 nezinsizakalo ezimbili ezingeziwe.
- Uma unesidingo sokufunda yonke indawo etholakalayo ye-firewall, faka izindawo ezi-Firewall-CMD.
- Amapharamitha wendawo ethile achazwa nge-Firewall-CMD - Igama - igama - konke, lapho igama ligama lendawo.
Ngemuva kokuthola amapharamitha adingekayo, ungathuthela ekushintsheni kwawo futhi ungeze. Ake sihlaziye izilungiselelo ezithandwa kakhulu ngokuningiliziwe.
Ukusetha izindawo ezibonakalayo
Njengoba wazi ngolwazi olungenhla, indawo yakho ezenzakalelayo ichazwa nge-interface ngayinye. Kuzoba kuyo kuze kube yilapho amasethingi eguqula umsebenzisi noma ngokuhlelekile. Kungenzeka udlulise ngesandla isikhombimsebenzisi esiya endaweni ngayinye, futhi kwenziwa ngokwenza i-Sudo Firewall-Cmd --Zone = Umyalo wasekhaya - I-ETH0. Umphumela "Impumelelo" uphakamisa ukuthi ukudluliswa kwaphumelela. Khumbula ukuthi izilungiselelo ezinjalo zisetha kabusha ngokushesha ngemuva kokuqalisa kabusha i-firewall.
Ngoshintsho olunjalo kumapharamitha, kufanele akhunjulwe ukuthi ukusebenza kwezinsizakalo kungasethwa kabusha. Abanye babo abasekeli ukusebenza ezindaweni ezithile, ake sithi, ssh yize itholakala "ekhaya", kepha kumsebenzisi noma insizakalo ekhethekile izosebenza. Qiniseka ukuthi i-interface iboshelwe ngempumelelo egatsheni elisha, ngokungena kwi-Firewall-CMD - -App-ZONET-ZONKE.
Uma ufuna ukusetha kabusha izilungiselelo ezenziwe ngaphambilini, mane nje uqhube kabusha ukuqala kabusha kwe-firewall: sudo systemctl restart firewalld.service.
Kwesinye isikhathi akuhlali kulungele njalo ukushintsha indawo ebonakalayo esimeni esisodwa. Kulokhu, uzodinga ukuhlela ifayela lokucushwa ukuze zonke izilungiselelo zifakwe njalo. Ukuze wenze lokhu, sikucebisa ukuthi usebenzise umhleli wombhalo we-nano, ofakwe kusuka kwisitoreji esisemthethweni se-sudo yum ukufaka nano. Okulandelayo kusalokhu kuhlala kunjalo:
- Vula ifayela lokucushwa ngesihleli ngokufaka i-sudo nano / njll / sysconfig / inethiwekhi-script / ifcfg-eth0, lapho i-eth0 igama elibonakalayo elidingekayo.
- Qinisekisa ukuqinisekiswa kwe-akhawunti yakho ukwenza ezinye izenzo.
- Isakhiwo se- "Zone" ipharamitha futhi sishintsha inani laso lifiselekayo, ngokwesibonelo, emphakathini noma ekhaya.
- Bamba okhiye be-Ctrl + o ukuze ugcine izinguquko.
- Musa ukuguqula igama lefayela, kepha mane uchofoze ku-ENTER.
- Phuma umhleli wombhalo nge-CTRL + X.
Manje indawo ebonakalayo izoba yiyona oyicacisile, kuze kube yilapho ukuhlela okulandelayo kwefayela lokucushwa. Ngamapharamitha abuyekeziwe, run sudo systemctl restart network.service kanye ne-sudo systemctl restart firewalld.service.
Ukubeka indawo okuzenzakalelayo
Ngenhla, sesikhombisile ithimba elikuvumela ukuthi ufunde indawo ezenzakalelayo. Ingashintshwa futhi ngokusetha ipharamitha ukukhetha kwakho. Ukuze wenze lokhu, ku-console, kwanele ukubhalisa iSudo Firewall-CMD - Okuzenzakalelayo-Zone = Igama, lapho igama lendawo edingekayo.
Impumelelo yomyalo izofakazelwa yi-Ocret "Impumelelo" emugqeni ohlukile. Emva kwalokho, zonke izinhlaka zamanje zizozalwa indawo ebekiwe, uma enye ingachazwa kumafayili wokucushwa.
Ukudala Imithetho Yezinhlelo Nezinsizakusebenza
Ekuqaleni kwalesi sihloko, saxoxa ngesenzo sendawo ngayinye. Ukuchazwa kwezinsizakalo, izinsiza nezinhlelo emagatsheni anjalo kuzovumela ukusebenzisa amapharamitha ngamanye ngakolunye lwezicelo zomsebenzisi ngamunye. Okokuqala, sikucebisa ukuthi uzijwayeze ngohlu olugcwele lwezinsizakalo ezitholakala okwamanje: Izinsizakalo ze-Firewall-CMD --Get.
Umphumela uzoboniswa ngqo kwikhonsoli. Iseva ngayinye ihlukaniswe yindawo, futhi ungathola kalula ithuluzi olithandayo. Uma insiza edingekayo ilahlekile, kufanele ifakwe ngokungeziwe. Emithethweni yokufaka, funda kumibhalo esemthethweni yesoftware.
Umyalo ongenhla ukhombisa amagama kuphela ngezinsizakalo. Imininingwane enemininingwane yokuthi ngamunye wabo utholakale ngefayela ngalinye endleleni / Usr / Lib / Firewalld / Services. Lowo madokhumenti anefomethi ye-XML, indlela, ngokwesibonelo, ku-SHSH kubukeka kanjena: /usr/lib/firewalld/services/ssh.xml, futhi idokhumenti inokuqukethwe okulandelayo:
Ssh.
I-Shell evikelekile (i-SSH) iphrothokholi yokungena ngemvume kanye nokwenza imiyalo emishini ekude. Inikeza ukuxhumana okuvikelekile okubethelwe. Uma uhlela ukufinyelela i-remotenet yakho yomshini nge-SSH ngaphezulu kwesibonisi esine-firewareled, vumela le nketho. Udinga iphakethe leseva ye-OpenSsh-Server efakwe kule nketho ukuze ube wusizo.
Ukuxhaswa kwensizakalo kusebenze endaweni ethile ngesandla. Esikhathini esibulalayo, kufanele usethe i-sudo firewall-cmd - I-Public-Service = I-Public-Service = I-HTTP Command, lapho -Zone = Isevisi = Isevisi = = Igama lensizakalo. Qaphela ukuthi ushintsho olunjalo luzosebenza kuphela ngaphakathi kweseshini elilodwa.
Ukungezwa unomphela kwenziwa nge-Sudo Firewall-Cmd --Zone = Umphakathi - I-Public --Permanent --dd-Service = http, nomphumela "Impumelelo" kukhombisa ukuqeda ngempumelelo ukusebenza.
Ungabuka uhlu oluphelele lwemithetho ephelele yendawo ethile ngokubonisa uhlu olayini ohlukile wekhonsoli: I-Sudo Firewall-Cmd --Zone = Izinsizakalo zomphakathi -
Inkinga yesinqumo ngokuntuleka kokufinyelela kwinsizakalo
Imithetho ejwayelekile ye-firewall ikhonjiswa ngezinsizakalo ezithandwa kakhulu futhi ezivikelekile njengoba zivunyelwe, kepha ezinye izinhlelo ezijwayelekile noma zeqembu lesithathu zivimba. Kulokhu, umsebenzisi udinga ukuguqula izilungiselelo ukuxazulula inkinga ngokufinyelela. Ungakwenza lokhu ngezindlela ezimbili ezihlukile.
Ports port
Njengoba wazi, zonke izinsizakalo zenethiwekhi zisebenzisa imbobo ethile. Kutholwa kalula yi-firewall, futhi amabhlokhi angenziwa. Ukugwema izenzo ezinjalo ezivela kwi-firewall, udinga ukuvula itheku elifunekayo le-sudo firewall-Cmd - Umphakathi - IPord-Port = 0000 / TCP, lapho i-Port = I-Port = 0000 / TCP - Inombolo yePort ne-Protocol. Inketho ye-Firewall-CMD - Inketho ye-Ports-Ports izokhombisa uhlu lwamachweba avulekile.
Uma udinga ukuvula amachweba afakwe ebangeni, sebenzisa iSudo Firewall-CMD String --Zone = Umphakathi - I-Port-Port = 0000-9999 / UDP - Ibanga lePort neprotocol yabo.
Imiyalo engenhla ikuvumela kuphela ukuthi uhlole ukusetshenziswa kwamapharamitha afanayo. Uma idlulile ngempumelelo, kufanele ungeze amachweba afanayo kuzilungiselelo ezihlala njalo, futhi lokhu kwenziwa ngokufaka iSudo Firewall-Cmd - 100 / TCP noma i-Sudo Firewall-CMD - I-Zone = Umphakathi - Umphakathi - I-Fact-Port = 0000-9999 / UDP. Uhlu lwamachweba avulekile lwaphakade lubukwa kanjena: Sudo Firewall-Cmd --Zone = Amachweba Womphakathi
Ukuchazwa Kwenkonzo
Njengoba ukwazi ukubona, ukungeza amachweba akubangeli noma ibuphi ubunzima, kepha inqubo iyinkimbinkimbi lapho izinhlelo zokusebenza zisebenzisa inani elikhulu. Ukulandela wonke amachweba asetshenzisiwe kuba nzima, ngokubheka ukuthi ukuzimisela kwensiza kuzoba yindlela efanelekile yini:
- Kopisha ifayela lokucushwa ngokubhala i-Sudo CP /Usr/lib/Firewalld/services/service/firewalld/services/EX samplalld/services, lapho i-Service.xml yigama igama lamakhophi alo.
- Vula ikhophi ukuze ushintshe nganoma isiphi isihleli sombhalo, isibonelo, sudo nano /etc/virewalld/services/exple.xml.
- Isibonelo, sidale ikhophi yensizakalo ye-HTTP. Embhalweni, ngokuyisisekelo ubona i-metadata ehlukahlukene, isibonelo, igama elifushane nencazelo. Kuthinta iseva ukuthi isebenze kuphela ushintsho lwenombolo yetheku nephrothokholi. Ngaphezulu kwentambo "" kufanele yengezwe ukuvula imbobo. I-TCP - Iphrothokholi esetshenzisiwe, i-0000 - Inombolo yePort.
- Gcina zonke izinguquko (Ctrl + O), vala ifayela (Ctrl + x), bese uqala kabusha i-firewall ukuze usebenzise amapharamitha ngokusebenzisa i-Sudo Firewall-Cmd - - -AD - - - - -I-CMD ye-Sudo Firewall-CMD. Emva kwalokho, le nsizakalo izovela ohlwini lokutholakala, olungabukwa nge-Firewall-CMD - Services.
Kufanele ukhethe isisombululo esifanele kunazo zonke enkingeni yensizakalo ngokufinyelela kwinsizakalo bese wenza imiyalo enikeziwe. Njengoba ubona, zonke izenzo zenziwa kalula, futhi akufanele kube khona ubunzima.
Ukwakha izindawo ezenziwe ngokwezifiso
Usuvele uyazi ukuthi ekuqaleni inani elikhulu lezindawo ezahlukahlukene ezinemithetho echaziwe lenziwe ku-firewalld. Kodwa-ke, izimo zenzeka lapho umphathi wesistimu edinga ukudala indawo yomsebenzisi, efana ne- "Punkelweb" yeseva yeWebhu efakiwe noma "izimfihlo ze-DNS. Kulezi zibonelo ezimbili, sizokwazi ukuhlaziya ukungezwa kwamagatsha:
- Dala izindawo ezimbili ezintsha zaphakade yi-sudo firewall-Cmd - i-permanent --New-Zone = PublicWeb kanye neSudo Firewall-CMD - i-Zone -
- Bazotholakala ngemuva kokuqalisa kabusha ithuluzi le-Sudo Firewall-CMD - Ukubonisa izindawo ezihlala njalo, faka i-Sudo Firewall-CMD - Izindawo --Get-Izindawo.
- Yabela izinsizakalo ezidingekayo, njenge- "SSH", "HTTP" ne- "https". Lokhu kwenziwa yi-Sudo Firewall-Cmd --Zeb = Publicweb - Service = SHS, Sudo> I-Add- Service = HTTPS, lapho --Zone = I-PublicWeb yigama le-zone ukwengeza. Ungabuka umsebenzi wezinsizakalo ngokulinda i-Firewall-CMD --Zone = U-PublicWeb - Zonke - konke.
Ukusuka kulesi sihloko, ufunde ukuthi ungazakha kanjani izindawo zangokwezifiso futhi ungeze izinsizakalo kuzo. Sesivele sibatshele njengokuzenzakalelayo futhi sinikezela ngezindawo ezingenhla, ungacacisa kuphela amagama afanele. Ungakhohlwa ukuqala kabusha i-firewall ngemuva koshintsho oluhlala njalo.
Njengoba ukwazi ukubona, i-Firewalld Firewall iyithuluzi le-volumetric elikuvumela ukuthi wenze ukucushwa okuguquguqukayo kwe-firewall. Ihlala kuphela ukuqiniseka ukuthi ukusetshenziswa kwethulwa ngohlelo nemithetho ebekiwe ngokushesha ukuqala umsebenzi wayo. Kwenze ngeSudo SystemctL kunika amandla umyalo we-firewalld.