لینوکس و شبکه

لینوکس و شبکه
طبقه بندی موضوعی
آخرین مطالب
  • ۹۹/۱۱/۱۳
    java

۲ مطلب با کلمه‌ی کلیدی «firewall» ثبت شده است

۰۲
دی

Basic Concepts in Firewalld

Zones: The firewalld daemon manages groups of rules using entities called “zones”

predefined zones:

drop: The lowest level of trust. All incoming connections are dropped without reply and only outgoing connections are possible.
block: Similar to the above, but instead of simply dropping connections, incoming requests are rejected with an icmp-host-prohibited or icmp6-adm-prohibited message.
public: Represents public, untrusted networks. You don’t trust other computers but may allow selected incoming connections on a case-by-case basis.
external: External networks in the event that you are using the firewall as your gateway. It is configured for NAT masquerading so that your internal network remains private but reachable.
internal: The other side of the external zone, used for the internal portion of a gateway. The computers are fairly trustworthy and some additional services are available.
dmz: Used for computers located in a DMZ (isolated computers that will not have access to the rest of your network). Only certain incoming connections are allowed.
work: Used for work machines. Trust most of the computers in the network. A few more services might be allowed.
home: A home environment. It generally implies that you trust most of the other computers and that a few more services will be accepted.
trusted: Trust all of the machines in the network. The most open of the available options and should be used sparingly.

Rule Permanence: In firewalld, rules can be designated as either permanent or immediate. Most firewall-cmd operations can take the "--permanent" flag

Commands

Install

Install and Enable Your Firewall to Start at Boot

$ sudoyum install firewalld  Install
$ sudo systemctl enable firewalld
$ sudo reboot

Show Status(Information)

verify the service is running and reachable by typing:

$ sudo firewall-cmd --state
output:  running

Current Firewall Rules( which zone is currently selected as the default)

firewall-cmd --get-default-zone
output:
   publicPrint currently active zones

Print currently active zones

firewall-cmd --get-active-zones
output:
 privateDNS
   interfaces: eth1
 publicweb
   interfaces: eth0

list of the available zone

$ sudo firewall-cmd --get-zones
output:
block dmz drop external home internal public trusted work

see the specific configuration associated with a zone

$ sudo firewall-cmd --zone=home --list-all
output :
home
  interfaces: 
  sources: 
  services: dhcpv6-client ipp-client mdns samba-client ssh
  ports: 
  masquerade: no
  forward-ports: 
  icmp-blocks: 
  rich rules:

see the specific configuration associated with all zone

sudo firewall-cmd --list-all-zones

list of the available services

firewall-cmd --get-services
output
   RH-Satellite-6 amanda-client amanda-k5-client bacula bacula-client bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc ceph ceph-mon cfengine condor-collector ctdb dhcp dhcpv6 dhcpv6-client dns docker-registry dropbox-lansync elasticsearch freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master high-availability http https imap imaps ipp ipp-client ipsec iscsi-target kadmin kerberos kibana klogin kpasswd kshell ldap ldaps libvirt libvirt-tls managesieve mdns mosh mountd ms-wbt mssql mysql nfs nrpe ntp openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy proxy-dhcp ptp pulseaudio puppetmaster quassel radius rpc-bind rsh rsyncd samba samba-client sane sip sips smtp smtp-submission smtps snmp snmptrap spideroak-lansync squid ssh synergy syslog syslog-tls telnet tftp tftp-client tinc tor-socks transmission-client vdsm vnc-server wbem-https xmpp-bosh xmpp-client xmpp-local xmpp-server

list services

sudo firewall-cmd --zone=public --list-all
sudo firewall-cmd --zone=public --list-services

List of ports

sudo firewall-cmd --zone=public --list-ports

 

Modify

Changing the Zone of an Interface

sudo firewall-cmd --zone=home --change-interface=eth0
output
success

Adjusting the Default Zone

sudo firewall-cmd --set-default-zone=home

allow http/https traffic in our “public” zone

sudo firewall-cmd --zone=public --add-service=http
sudo firewall-cmd --zone=public --add-service=http  --permanent
sudo firewall-cmd --zone=public --add-service=https
sudo firewall-cmd --zone=public --permanent --add-service=https

Opening a Port for your Zones

sudo firewall-cmd --zone=public --add-port=5000/tcp
sudo firewall-cmd --zone=public --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --add-port=5000/tcp
sudo firewall-cmd --zone=public --permanent --add-port=4990-4999/udp
sudo firewall-cmd --zone=public --permanent --list-ports

change interface over zones

sudo firewall-cmd --zone=public --change-interface=eth0

 

URL

  • behrooz mohamadi nsasab
۰۵
فروردين

برنامه ufw فایروالی است که به حالت سرویس به اجرا درآمده و بسته های ورودی و خروجی را فیلتر می‌نماید.

استفاده از آی پی ورژن6

# sudo vim /etc/default/ufw

IPV6=yes

فعال‌ سازی/غیرفعال سازی

# sudo ufw enable/disable

بررسی وضعیت موجود

# sudo ufw status

# sudo ufw status numbered

بررسی وضعیت موجود(جزییات بیشتر)

# sudo ufw status verbose

نمایش رول‌ها

# sudo ufw status numbered
Numbered Output:
Status: active To Action From
-- ------ ----
[1] 22 ALLOW IN 15.15.15.0/24
[2] 80 ALLOW IN Anywhere

حذف رول‌های موجود(شماره [2 ])

# sudo ufw delete 2

# sudo ufw delete allow http

# sudo ufw delete allow 80

تغییر در پالیسی پیش‌فرض ورودی یا خروجی

# sudo ufw default deny incoming

# sudo ufw default allow outgoing

بازگشت به حالت اولیه-فایروال غیرفعال گشته و قوانین حذف خواهند شد (نکته پالیسی‌های پیشفرض ورودی و خروجی تغییر نخواهد کرد)

# sudo ufw reset

باز بودن تمام دسترسی از یک آدرس آی پی خاص

# sudo ufw allow from 15.15.15.51
باز شدن یک دامنه(از 15.15.15.1 تا 15.15.15.254)
# sudo ufw allow from 15.15.15.0/24

باز شدن دسترسی از هاست 15.15.15.51 به پورت 22 سرور

# sudo ufw allow from 15.15.15.51    to any port 22
باز شدن دسترسی از یک دامنه به پورت 22 سرور
# sudo ufw allow from 15.15.15.0/24 to any port 22
باز شدن پورت 80 برای همه آی‌پی‌ها در اینترفیس etj0
# sudo ufw allow in on eth0 to any port 80

باز کردن یک پورت

# sudo ufw allow PORT

# sudo ufw allow PORT/tcp

باز کردن یک بازه پورت

# sudo ufw allow 6000:6007/tcp

باز شدن پورت ssh

# sudo ufw allow ssh

# sudo ufw allow 22

بسته شدن پورت پروتکل اف تی پی

# sudo ufw allow ftp

ریست تمام رول‌ها  به حالت اولیه:

# sudo ufw reset

 

UFW

  • behrooz mohamadi nsasab