Okokuqala, wonke amakhredithi aya ku- @YukiteruAmano, ngoba lokhu okuthunyelwe kususelwa ku- Ukufundisa uthumele esithangamini. Umehluko ukuthi ngizogxila kuwo Arch, yize izosebenzela amanye ama-distros asuselwa ku- i-systemd.
Yini iFirehol?
Umlilo, uhlelo lokusebenza oluncane olusisiza ukuphatha i-firewall ehlanganiswe ne-kernel nethuluzi layo iptables. IFirehol ayinaso isikhombimsebenzisi sokuqhafaza, konke ukumiswa kufanele kwenziwe ngamafayela wombhalo, kepha ngaphandle kwalokhu, ukumiswa kusese lula kubasebenzisi be-novice, noma kunamandla kulabo abafuna izinketho ezithuthukile. Konke okwenziwa yiFirehol ukwenza kube lula ukwenziwa kwemithetho ye-iptables ngangokunokwenzeka futhi kunike amandla i-firewall enhle yohlelo lwethu.
Ukufakwa nokumiswa
IFirehol ayikho ezinqolobaneni ezisemthethweni ze-Arch, ngakho-ke sizobheka I-AUR.
yaourt -S firehol
Ngemuva kwalokho siya kufayela lokumisa.
sudo nano /etc/firehol/firehol.conf
Futhi sengeza imithetho lapho, ongayisebenzisa ukhona.
Gcina kusebenze i-Firehol ekuqaleni ngakunye. Ilula kalula nge-systemd.
sudo systemctl enable firehol
Saqala iFirehol.
sudo systemctl start firehol
Ekugcineni siqinisekisa ukuthi imithetho ye-iptables yenziwe futhi yalayishwa kahle.
sudo iptables -L
Khubaza i-IPv6
Njengoba umlilo awuphathi ip6table futhi njengoba ukuxhumana kwethu okuningi kungasekeli i- I-IPv6, isincomo sami ukukukhubaza.
En Arch siyengeza ipv6.disable = 1 kulayini we-kernel kufayela le / etc / default / grub
...
GRUB_DISTRIBUTOR="Arch"
GRUB_CMDLINE_LINUX_DEFAULT="rw ipv6.disable=1"
GRUB_CMDLINE_LINUX=""
...
Manje sakha kabusha i- i-grub.cfg:
sudo grub-mkconfig -o /boot/grub/grub.cfg
En Debian kwanele nge:
sudo echo net.ipv6.conf.all.disable_ipv6=1 > /etc/sysctl.d/disableipv6.conf
Angiqondi. Ingabe ulandela okokufundisa futhi usuvele unayo i-Firewall esebenzayo futhi uvimbele konke ukuxhumana? Enye into Isifundo se-Arch siyinkimbinkimbi ngokwesibonelo angikaze ngisebenzise iSudo noma i-yaourt Firewall. Nokho kuyaqondakala. Noma mhlawumbe umuntu omusha ubhala i-yaourt futhi uzothola iphutha. OkweManjaro kulungile.
Njengoba usho u- @felipe, ulandela okokufundisa bese ufaka /etc/firehol/firehol.conf fayela imithetho enikezwe i- @cookie kunamathisela, uzobe usuvele une-firewall elula yokuvikela uhlelo ezingeni eliyisisekelo. Lokhu kulungiselelwa kusebenza kunoma iyiphi i-distro lapho ungabeka khona i-Firehol, ngokukhethekile kwe-distro ngayinye iphatha izinsizakalo zayo ngezindlela ezihlukile (i-Debian ngokusebenzisa i-sysvinit, i-Arch ne-systemd) nangokufakwa, wonke umuntu uyakwazi anakho, ku-Arch kufanele sebenzisa i-AUR ne-yaourt repos, eDebian ezisemthethweni zanele, ngakho-ke kwezinye eziningi, kufanele nje useshe okuncane ezinqolobaneni bese uvumelanisa umyalo wokufaka.
Ngicabanga ukuthi iYukiteru isivele icacisile ukungabaza kwakho.
Manje, mayelana ne-Sudo ne-yaourt, engxenyeni yami angibheki iSudo njengenkinga, vele ubone ukuthi iza ngokuzenzakalela lapho ufaka i-Arch's base system; futhi i-yaourt iyakhethwa, ungalanda i-tarball, uyivule bese uyifaka nge-makepkg -si.
Ngiyabonga, ngiyaqaphela.
Into engikhohliwe ukuyifaka kokuthunyelwe, kepha angikwazi ukukuhlela.
https://www.grc.com/x/ne.dll?bh0bkyd2
Kulelo sayithi ungavivinya i-firewall 😉 yakho (ngiyabonga futhi ngeYukiteru).
Ngigijime lezo zivivinyo kuXubuntu wami futhi konke kuphume kahle! Akuve kujabulisa ukusebenzisa iLinux !!! 😀
Konke lokho kuhle kakhulu ... kepha okubaluleke kakhulu akukho; Kufanele uchaze ukuthi imithetho yenziwa kanjani !!, ukuthi isho ukuthini, nokuthi ungayakha kanjani emisha ... Uma lokho kungachazwanga, okufakayo akusizi ngalutho: - /
Ukudala imithetho emisha kulula, imibhalo ye-firehol icacile futhi inembile maqondana nokwakha imithetho yangokwezifiso, ngakho-ke ukufunda kancane kuzokwenza kube lula kuwe ukuyenza ngendlela oyifisayo futhi uyihambisane nezidingo zakho.
Ngicabanga ukuthi isizathu sokuqala seposi le- @cookie njengeyami esithangamini, bekungukunikeza abasebenzisi nabafundi ithuluzi elibavumela ukuthi banikeze amakhompyutha abo ukuphepha okuthe xaxa, konke kusezingeni eliyisisekelo. Okusele kushiywe eceleni ukuze uvumelane nezidingo zakho.
Uma ufunda isixhumanisi esifundweni saseYukiteru uzobona ukuthi inhloso ukwazisa uhlelo kanye nokumiswa kwe-firewall eyisisekelo. Ngacacisa ukuthi engikuthumelayo bekuyikhophi kuphela eligxile ku-Arch.
Futhi lokhu kungenxa yabantu '? o_O
Zama i-Gufw ku-Arch: https://aur.archlinux.org/packages/gufw/ >> Chofoza Isimo. Noma ufw uma ukhetha ukuphela: Sudo ufw sikwazi
Usuvele uvikelekile uma ungumsebenzisi ojwayelekile. Lokho 'kungokwabantu'
I-Firehol impela ingu-Front-End yama-IPTables futhi uma uyiqhathanisa neyakamuva, ingumuntu 😀 impela
Ngibheka i-ufw (iGufw iyisixhumi nje sayo) njengenketho embi maqondana nezokuphepha. Isizathu: ukuthola eminye imithetho yezokuphepha engiyibhale ku-ufw, angikwazi ukukugwema lokho ezivivinyweni ze-firewall yami, zombili ngeWebhu kanye nalezo ezenziwa kusetshenziswa i-nmap, izinsizakalo ezinjenge-avahi-daemon ne-exim4 zizovela zivulekile, futhi kuphela Ukuhlaselwa kwe- "stealth" kwakwanele ukwazi izici ezincane kakhulu zohlelo lwami, i-kernel kanye nezinsizakalo ezazihamba, okuthile okungazange kwenzeke kimi ngisebenzisa i-firehol noma i-firewall ye-arno.
Hhayi, angazi ngawe, kepha njengoba ngibhale ngenhla, ngisebenzisa uXubuntu futhi i-firewall yami ihamba ne-GUFW futhi ngidlulise ZONKE izivivinyo zesixhumanisi umlobi azibeka ngaphandle kwezinkinga. Konke ukucathula. Akukho okuvuliwe. Ngakho-ke, ekuhlangenwe nakho kwami ufw (ngakho-ke gufw) zilungile kimi. Angigxeki ekusebenziseni ezinye izindlela zokulawula i-firewall, kepha i-gufw isebenza ngokungenaphutha futhi inikeza imiphumela emihle yokuphepha.
Uma unezivivinyo ezithile ocabanga ukuthi zingaphonsa ukuba sengozini ohlelweni lwami, ngitshele ukuthi ziyini futhi ngizozijabulela ngokuzithokozisa lapha futhi ngizokwazisa imiphumela.
Ngezansi ngiphawula okuthile ngendaba ye-ufw, lapho ngithi iphutha engilibone ngo-2008, ngisebenzisa Ubuntu 8.04 Hardy Heron. Yini asebeke bayilungisa? Okungenzeka kakhulu ukuthi lokhu kunjalo, ngakho-ke asikho isizathu sokukhathazeka, kepha noma kunjalo, lokho akusho ukuthi isinambuzane besikhona futhi bengingasikhombisa, yize bekungeyona into embi ukufa, mina kuphela kumiswe amademoni avahi-daemon kanye ne-exim4, futhi sekuxazululwe inkinga. Into exaka kakhulu kunakho konke ukuthi lezo zinqubo ezimbili kuphela ezazinenkinga.
Ngasho leli qiniso njenge-anecdote yomuntu siqu, futhi ngabeka umbono ofanayo lapho ngithi: «Ngicabanga ukuthi ...»
Sanibonani
+1
@Yukiteru: Uzamile kwikhompyutha yakho? Uma ubheka kusuka ku-PC yakho, kuyinto ejwayelekile ukuthi ungangena echwebeni le-X, ngoba ithrafikhi evinjiwe yile yenethiwekhi, hhayi i-localhost:
http://www.ubuntu-es.org/node/140650#.UgJZ3cUyYZg
https://answers.launchpad.net/gui-ufw/+question/194272
Uma kungenjalo, sicela ubike isiphazamisi 🙂
Sanibonani
Kusuka kwenye ikhompyutha kusetshenziswa inethiwekhi yeLan esimweni se-nmap, nange-Web kusetshenziswa leli khasi https://www.grc.com/x/ne.dll?bh0bkyd2Kusetshenziswa inketho yamachweba wangokwezifiso, bobabili bavumile ukuthi i-avahi ne-exim4 babelalele kusuka enetheni yize i-ufw yayilungiselelwe ukuvimba kwabo.
Leyo mininingwane emincane ye-avahi-daemon ne-exim4 ngiyixazulule ngokumane ngikhubaza izinsizakalo futhi yilokho ... angibikanga bug ngaleso sikhathi, futhi ngicabanga ukuthi akunangqondo ukukwenza manje, ngoba lokho ubuyile ngo-2008, esebenzisa uHardy.
U-2008 wayeneminyaka emi-5 eyedlule; ukusuka eHardy Heron kuye eRaring Ringtail kune-10 * buntus. Lokho kuhlolwa okufanayo ku-Xubuntu wami, okwenziwe izolo futhi okuphindiwe namuhla (Agasti 2013) kunika okuphelele kukho konke. Futhi ngisebenzisa i-UFW kuphela.
Ngiyaphinda ngiyasho: Ngabe kukhona ezinye izivivinyo ongazenza? Ngenjabulo ngiyakwenza futhi ngibike okuqhamuka kulolu hlangothi.
Yenza ukuskena kwe-SYN ne-IDLE kwe-PC yakho usebenzisa i-nmap, lokho kuzokunikeza umbono wokuthi iphephe kangakanani isistimu yakho.
Indoda ye-nmap inemigqa engaphezu kuka-3000. Uma unginika imiyalo yokuthi ngiyenze ngenjabulo, ngizoyenza futhi ngizobika umphumela.
Hmm, bengingazi ngamakhasi wamadoda angama-3000 we-nmap. kepha i-zenmap iwusizo lokwenza lokhu engikutshela khona, ingumfanekiso ongaphambili wokuqhafaza we-nmap, kepha nokho inketho yokuskena i-SYN nge-nmap is -sS, Ngenkathi inketho yokuskena kokungenzi lutho ingu -s, kepha umyalo oqondile u-I ngizo.
Yenza ukuskena komunye umshini okhombe i-ip yomshini wakho nge-ubuntu, ungakwenzi kusuka ku-pc yakho, ngoba akusebenzi lokho.
LOL !! Iphutha lami ngamakhasi angama-3000, lapho ayengolayini 😛
Angazi kepha ngicabanga ukuthi i-GUI yalokhu ku-GNU / Linux ukuphatha i-firewall kungaba ukuhlakanipha ngandlela thile futhi ingashiyi yonke into ingamboziwe njengaku-ubuntu noma yonke into embozwe njengakwi-fedora, kufanele ube yi-xD enhle, noma okuthile ukumisa ezinye izindlela zokubulala ezibulalayo xD hjahjahjaja It has little that I fight with them and the open jdk but in the end you also have to keep the principle of kiss
Ngenxa yazo zonke izikhubekiso ezenzeke esikhathini esedlule ngama-iptables, namuhla ngiyakwazi ukuqonda i-niverl eluhlaza, okungukuthi, khuluma naye ngqo njengoba kuvela efektri.
Futhi akuyona into eyinkimbinkimbi, kulula kakhulu ukuyifunda.
Uma umbhali wokuthunyelwe engivumela, ngizothumela ingcaphuno yombhalo we-firewall engiwusebenzisa njengamanje.
# # Imithetho yokuhlanza
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
# # Setha inqubomgomo yokuzenzakalelayo: DROP
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P PHAMBILI IDROPHU
# Sebenza ku-localhost ngaphandle kwemingcele
iptables -A INPUT -i lo -j ACCEPT
iptables -I-OUTPUT -o lo -j YAMUKELA
# Vumela umshini ukuthi uye kuwebhu
iptables -I-INPUT -p tcp -m tcp -sport 80 -m conntrack –ctate state RELATED, ESTABLISHED -j ACCEPT
iptables -I-OUTPUT -p tcp -m tcp -dport 80 -j YAMUKELA
# Kakade futhi ukuvikela ama-webs
iptables -I-INPUT -p tcp -m tcp -sport 443 -m conntrack –ctate state RELATED, ESTABLISHED -j ACCEPT
iptables -I-OUTPUT -p tcp -m tcp -dport 443 -j YAMUKELA
# Vumela ukuphuma ngaphakathi nangaphandle
iptables -I-OUTPUT -p icmp –icmp-type echo-request -j YAMUKELA
iptables -I-INPUT -p icmp –icmp-type echo-reply -j ACCEPT
# Ukuvikelwa kwe-SSH
#Izintambo -I INPUT -p tcp -dport 22 -m conntrack –ststate NEW -m limit --limit 30 / minute --limit-burst 5 -m comment –comment "SSH-kick" -j ACCEPT
#iptables -A INPUT -p tcp -m tcp –dport 22 -j LOG –log-prefix "SSH ACCESS ATTEMPT:" -log-level 4
#Izintambo -I-INPUT -p tcp -m tcp -dport 22 -j DROP
# Imithetho ye-amule yokuvumela ukuxhumana okuphumayo nokungenayo kwitheku
iptables -A INPUT -p tcp -m tcp –dport 16420 -m conntrack –ctstate NEW -m comment –comment "aMule" -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp –sport 16420 -m conntrack –ctstate RELATED, ESTABLISHED -m comment –comment "aMule" -j ACCEPT
iptables -I-INPUT -p udp -dport 9995 -m ukuphawula - ukuphawula "aMule" -j ACCEPT
iptables -I-OUTPUT -p udp -sport 9995 -j YAMUKELA
iptables -A INPUT -p udp -dport 16423 -j ACCEPT
iptables -I-OUTPUT -p udp -sport 16423 -j YAMUKELA
Manje incazelo encane. Njengoba ukwazi ukubona, kunemithetho enenqubomgomo ye-DROP ngokuzenzakalela, akukho okushiya kungene iqembu ngaphandle kokuthi ubatshele.
Ngemuva kwalokho, okuyisisekelo kuyaphasiswa, i-localhost nokuzula kunethiwekhi yamanethiwekhi.
Uyabona ukuthi kukhona nemithetho ye-ssh ne-amule. Uma bebukeka kahle ukuthi benziwa kanjani, bangenza eminye imithetho abayifunayo.
Ubuqili ukubona ukwakheka kwemithetho futhi kusebenza ohlotsheni oluthile lwechweba noma umthetho olandelwayo, kungaba i-udp noma i-tcp.
Ngiyethemba ungakuqonda lokhu engisanda kukuthumela lapha.
Kufanele wenze okuthunyelwe ukukuchaza 😉 kungaba kuhle.
Nginombuzo. Uma kwenzeka ufuna ukwenqaba ukuxhumana kwe-http ne-https engikubekile:
ukwehla kweseva "http https"?
Futhi njalo nganoma iyiphi insizakalo?
Gracias