ماژول pam_access.so در لینوکس وجود دارد ولی به کرنل اضافه نشده است و باید برای ایجاد محدودیت آن را به کرنل اضافه نماییم
برای اینکار:
$ vim /etc/security/access.conf: #add role: + : root : ALL $ vi /etc/pam.d/password-auth account <tab> required <tab> pam-access.so
نکته: میتوان از syntax فایل login موجود در مسیر pam.d موجود در مسیر etc استفاده کرد
Zones: The firewalld daemon manages groups of rules using entities called “zones”
predefined zones:
drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.
Rule Permanence: In firewalld, rules can be designated as either permanent or immediate. Most firewall-cmd operations can take the "--permanent" flag
Install and Enable Your Firewall to Start at Boot
$ sudoyum install firewalld Install $ sudo systemctl enable firewalld $ sudo reboot
verify the service is running and reachable by typing:
$ sudo firewall-cmd --state output: running
Current Firewall Rules( which zone is currently selected as the default)
firewall-cmd --get-default-zone output: publicPrint currently active zones
Print currently active zones
firewall-cmd --get-active-zones output: privateDNS interfaces: eth1 publicweb interfaces: eth0
list of the available zone
$ sudo firewall-cmd --get-zones output: block dmz drop external home internal public trusted work
see the specific configuration associated with a zone
$ sudo firewall-cmd --zone=home --list-all output : home interfaces: sources: services: dhcpv6-client ipp-client mdns samba-client ssh ports: masquerade: no forward-ports: icmp-blocks: rich rules:
see the specific configuration associated with all zone
sudo firewall-cmd --list-all-zones
list of the available services
firewall-cmd --get-services output RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server
list services
sudo firewall-cmd --zone=public --list-all sudo firewall-cmd --zone=public --list-services
List of ports
sudo firewall-cmd --zone=public --list-ports
Changing the Zone of an Interface
sudo firewall-cmd --zone=home --change-interface=eth0 output success
Adjusting the Default Zone
sudo firewall-cmd --set-default-zone=home
allow http/https traffic in our “public” zone
sudo firewall-cmd --zone=public --add-service=http sudo firewall-cmd --zone=public --add-service=http --permanent sudo firewall-cmd --zone=public --add-service=https sudo firewall-cmd --zone=public --permanent --add-service=https
Opening a Port for your Zones
sudo firewall-cmd --zone=public --add-port=5000/tcp sudo firewall-cmd --zone=public --add-port=4990-4999/udp sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp sudo firewall-cmd --zone=public --permanent --list-ports
change interface over zones
sudo firewall-cmd --zone=public --change-interface=eth0
cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
vim /etc/selinux/config
SELINUX=enforcing
