Merge remote-tracking branch 'LCTT/master'

Xingyu Wang 2019-07-07 10:28:59 +08:00
commit 3a6eb8578b
5 changed files with 380 additions and 395 deletions

View File

@ -1,30 +1,32 @@
[#]: collector: (lujun9972)
[#]: translator: (luuming)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: reviewer: (wxy)
[#]: publisher: (wxy)
[#]: url: (https://linux.cn/article-11067-1.html)
[#]: subject: (When to be concerned about memory levels on Linux)
[#]: via: (https://www.networkworld.com/article/3394603/when-to-be-concerned-about-memory-levels-on-linux.html)
[#]: author: (Sandra Henry-Stocker https://www.networkworld.com/author/Sandra-Henry_Stocker/)
何时需要关注 linux 的内存层面
何时需要关注 Linux 的内存用量
======
Linux 上的内存管理很复杂。尽管使用率高但未必存在问题。你也应当关注一些其他的事情。
![Qfamily \(CC BY 2.0\)][1]
> Linux 上的内存管理很复杂。尽管使用率高但未必存在问题。你也应当关注一些其他的事情。
![](https://img.linux.net.cn/data/attachment/album/201907/06/173913n6rjbxwj6bfrjxwx.jpg)
在 Linux 上用光内存通常并不意味着存在严重的问题。为什么?因为健康的 Linux 系统会在内存中缓存磁盘活动,基本上占用掉了未被使用的内存,这显然是一件好事情。
换句话说它不让内存浪费掉。使用空闲的内存增加磁盘访问速度并且不占用运行中应用程序的内存。你也能够想到使用这种内存缓存比起直接访问硬盘驱动HDD快上数百倍也比明显快于直接访问固态硬盘驱动。内存占满或几乎占满通常意味着系统正在尽可能高效地运行当中——并不是运行中遇到了问题。
换句话说,它不让内存浪费掉。使用空闲的内存增加磁盘访问速度,并且不占用运行中应用程序的内存。你也能够想到,使用这种内存缓存比起直接访问硬盘驱动HDD快上数百倍也比明显快于直接访问固态硬盘驱动。内存占满或几乎占满通常意味着系统正在尽可能高效地运行当中 —— 并不是运行中遇到了问题。
### 缓存如何工作
磁盘缓存简单地意味着系统充分利用未使用的资源(空闲内存)来加速磁盘读取与写入。应用程序不会失去任何东西,并且大多数时间里能够按需求获得更多的内存。此外,磁盘缓存不会导致应用程序使用交换分区。反而,用作磁盘缓存的内存空间当被需要时会立即归还,并且磁盘内容会被更新。
磁盘缓存简单地意味着系统充分利用未使用的资源(空闲内存)来加速磁盘读取与写入。应用程序不会失去任何东西,并且大多数时间里能够按需求获得更多的内存。此外,磁盘缓存不会导致应用程序转而使用交换分区。反而,用作磁盘缓存的内存空间当被需要时会立即归还,并且磁盘内容会被更新。
### 主要和次要的页故障
Linux 系统通过分割物理内存为进程分配空间,将分割成的块称为“页”,并且映射这些页到每个进程的虚拟内存上。不再会用到的页也许会从内存中移除,尽管相关的进程还在运行。当进程需要一个没有被映射或没在内存中页时,故障便会产生。所以,“<ruby>故障<rt>fault</rt></ruby>”并不意味着“<ruby>错误<rt>error</rt></ruby>”而是“<ruby>不可用<rt>unavailables</rt></ruby>”,并且故障在内存管理中扮演者一个重要的角色。
Linux 系统通过分割物理内存为进程分配空间,将分割成的块称为“页”,并且映射这些页到每个进程的虚拟内存上。不再会用到的页也许会从内存中移除,尽管相关的进程还在运行。当进程需要一个没有被映射或没在内存中页时,故障便会产生。所以,这个<ruby>故障<rt>fault</rt></ruby>”并不意味着“<ruby>错误<rt>error</rt></ruby>”而是“<ruby>不可用<rt>unavailables</rt></ruby>”,并且故障在内存管理中扮演者一个重要的角色。
次要故障意味着在内存中的页未分配给请求的进程或未在内存管理单元中标记为出现。主要故障意味着页保留在内存中。
次要故障意味着在内存中的页未分配给请求的进程或未在内存管理单元中标记为出现。主要故障意味着页没有保留在内存中。
如果你想切身感受一下次要页故障和主要页故障出现的频率,像这样试一下 `ps` 命令。注意我们要的是与页故障和产生它的命令相关的项。输出中省略了很多行。`MINFL` 显示出次要故障的数目,而 `MAJFL` 表示了主要故障的数目。
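Review bot: The reviewed version of the 故障/fault sentence drops the opening quotation mark but keeps the closing one, leaving `这个<ruby>故障<rt>fault</rt></ruby>”` unbalanced; it should read `这个“<ruby>故障<rt>fault</rt></ruby>”`. Three smaller slips pass unchanged from the translator's lines into the new ones and could be fixed in the same hunk: `unavailables` in the ruby annotation should be `unavailable`, `扮演者一个重要的角色` should be `扮演着`, and `也比明显快于直接访问固态硬盘驱动` has a stray `比` (read `也明显快于`).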
@ -45,7 +47,7 @@ $ ps -eo min_flt,maj_flt,cmd
927 0 gdm-session-worker [pam/gdm-password]
```
汇报单一进程,你可以尝试这样的命令:
汇报单一进程,你可以尝试这样的命令LCTT 译注:参数里面的 `1` 是要查看的进程的 PID
```
$ ps -o min_flt,maj_flt 1
@ -53,7 +55,7 @@ $ ps -o min_flt,maj_flt 1
230064 150
```
你也可以添加其他的,例如进程所有者的 UID 和 GID。
你也可以添加其他的显示字段,例如进程所有者的 UID 和 GID。
```
$ ps -o min_flt,maj_flt,cmd,args,uid,gid 1
@ -63,7 +65,7 @@ $ ps -o min_flt,maj_flt,cmd,args,uid,gid 1
### 多少才算满?
一种较好的方法来掌握内存究竟使用了多少是用 `free -m` 命令。`-m` 选项指定了数字的单位是 <ruby>MiBs<rt>mebibytes</rt></ruby> 而不是字节。
一种较好的方法来掌握内存究竟使用了多少是用 `free -m` 命令。`-m` 选项指定了数字的单位是 <ruby>MiB<rt>mebibyte</rt></ruby> 而不是字节。
```
$ free -m
@ -76,7 +78,7 @@ Swap: 3535 0 3535
### 什么时候要担心
如果 Linux 系统上的性能表现良好——应用程序响应度高,命令行没有显示出问题——很可能系统状况良好。记住,一些应用也许会出于某种原因而变慢,但它不影响整个系统。
如果 Linux 系统上的性能表现良好 —— 应用程序响应度高,命令行没有显示出问题 —— 很可能系统状况良好。记住,一些应用也许会出于某种原因而变慢,但它不影响整个系统。
过多的硬故障也许表明确实存在问题,但要将其与观察到的性能相比较。
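Review bot: The unchanged context line `过多的硬故障也许表明确实存在问题` uses `硬故障` for major page faults, while the paragraph edited earlier in this file settles on `主要故障` (`主要故障意味着页没有保留在内存中`). Since this commit is already polishing terminology, `过多的主要故障` would keep the two sections consistent for the reader.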
@ -91,11 +93,10 @@ Swap: 3535 0 3535
### Linux 性能很复杂
把所有的放在一边Linux 系统上的内存可能会变满,并且性能可能会降低。当系统出现问题时不要仅将单一的内存使用报告作为指标。
抛开这些不说Linux 系统上的内存可能会变满,并且性能可能会降低。当系统出现问题时不要仅将单一的内存使用报告作为指标。
Linux 系统的内存管理很复杂,因为它采取的措施需要确保系统资源得到最好的利用。不要受到一开始内存占满的欺骗,使你认为系统存在问题,但实际上并没有。
在 [Facebook][4] 和 [LinkedIn][5] 上加入网络研讨会发表你的评论。
--------------------------------------------------------------------------------
@ -104,7 +105,7 @@ via: https://www.networkworld.com/article/3394603/when-to-be-concerned-about-mem
作者:[Sandra Henry-Stocker][a]
选题:[lujun9972][b]
译者:[LuuMing](https://github.com/LuuMing)
校对:[校对者ID](https://github.com/校对者ID)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

View File

@ -1,276 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (chen-ni)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Make Linux stronger with firewalls)
[#]: via: (https://opensource.com/article/19/7/make-linux-stronger-firewalls)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
Make Linux stronger with firewalls
======
Learn how firewalls work and which settings to tweak for better Linux
security.
![People working together to build ][1]
Everyone's heard of firewalls, even if only as a plot device in a TV cybercrime drama. Many people also know that their computer is (likely) running a firewall, but fewer people understand how to take control of their firewall when necessary.
Firewalls block unwanted network traffic, but different networks have different threat levels. For instance, if you're at home, you probably trust the other computers and devices on your network a lot more than when you're out at the local café using public WiFi. You can hope your computer differentiates between a trusted network and an untrusted one, or you can learn to manage, or at least verify, your security settings yourself.
### How firewalls work
Communication between devices on a network happens through gateways called _ports_. Port, in this context, doesn't mean a physical connection like a USB port or an HDMI port. In network lingo, a port is an entirely virtual concept representing pathways for a specific type of data to either arrive at or depart from a computer. This system could have been called anything, like "connections" or "doorways," but they were named ports at least [as early as 1981][2], and that's the name in use today. The point is, there's nothing special about any port; they're just a way to designate an address where data transference may happen.
Back in 1972, [a list of port numbers][3] (then called "sockets") was published, and this has since evolved into a set of well-known standard port numbers that help manage specific kinds of traffic. For instance, you access ports 80 and 443 on a daily basis when you visit a website, because most everyone on the internet has agreed, implicitly or explicitly, that data is transferred from web servers over those ports. You can test this theory by opening a web browser and navigating to a website with a nonstandard port appended to the URL. For instance, if you navigate to **example.com:42**, your request is denied because example.com does not serve a website at port 42.
![Navigating to a nonstandard port produces an error][4]
If you revisit the same website at port 80, you get a website, as expected. You can specify port 80 with **:80** at the end of the URL, but because port 80 is the standard port for HTTP traffic, your web browser assumes port 80 by default.
When a computer, like a web server, expects traffic at a specific port, it's acceptable (and necessary) to have the port open for traffic. The danger is leaving ports open that you have no reason to expect traffic on, and that's exactly what a firewall is for.
### Install firewalld
There are many interfaces for firewall configuration. This article covers [**firewalld**][5], which integrates with Network Manager on the desktop and **firewall-cmd** in the terminal. Many Linux distributions ship with these tools installed. If yours doesn't, you can either take this article as general advice for firewall management and apply it to what you use, or you can install **firewalld**.
On Ubuntu, for instance, you must enable the **universe** repository, deactivate the default **ufw** firewall, and then install **firewalld**:
```
$ sudo systemctl disable ufw
$ sudo add-apt-repository universe
$ sudo apt install firewalld
```
Fedora, CentOS, RHEL, OpenSUSE, and many others include **firewalld** by default.
Regardless of your distribution, for a firewall to be effective, it must be active and set to be loaded at boot. The less you have to think about firewall maintenance, the better.
```
`$ sudo systemctl enable --now firewalld`
```
### Choose your zone with Network Manager
You probably connect to many different networks every day. You're on one network at work, another at the café, and yet another at home. Your computer can detect which network you use more frequently than others, but it doesn't know which you trust.
A firewall _zone_ contains presets deciding what ports to open and close. Using zones, you can choose a policy that makes the most sense for the network you're currently on.
To see a list of available zones, open the Network Manager Connection Editor, found in your Applications menu, or with the **nm-connection-editor &amp;** command.
![Network Manager Connection Editor][6]
From the list of network connections, double-click on your current network.
In the network configuration window that appears, click the General tab.
In the General panel, click the drop-down menu next to Firewall Zone for a list of all available zones.
![Firewall zones][7]
You can get this same list with this terminal command:
```
`$ sudo firewall-cmd --get-zones`
```
The zone titles indicate what their designers had in mind when creating them, but you can get the specifics of any zone with this terminal command:
```
$ sudo firewall-cmd --zone work --list-all
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  [...]
```
In this example, the **work** zone is configured to permit SSH and DHCPv6-client incoming traffic but drops any other incoming traffic not explicitly requested by the user. (In other words, the **work** zone doesn't block HTTP response traffic when you visit a website, but it _does_ deny an HTTP request on your port 80.)
View each zone to get familiar with the traffic each one allows. The most common ones are:
* **Work:** Use this one when on a network you mostly trust. SSH, DHCPv6, and mDNS are permitted, and you can add more as needed. This zone is meant to be a starting point for a custom work environment based on your daily office requirements.
* **Public:** For networks you do not trust. This zone is the same as the work zone, but presumably, you would not add the same exceptions as your work zone.
* **Drop:** All incoming connections are dropped with no response given. This is as close to a stealth mode as you can get without shutting off networking entirely because only outgoing network connections are possible (even a casual port scanner could detect your computer from outgoing traffic, though, so don't mistake this zone for a cloaking device). This is arguably the safest zone when on public WiFi, and definitely the best when you have reason to believe a network is hostile.
* **Block:** All incoming connections are rejected with a message declaring that the requested port is prohibited. Only network connections you initiate are possible. This is a "friendly" version of the drop zone because, even though no port is open for incoming traffic, a port verbosely declines an uninitiated connection.
* **Home:** Use this when you trust other computers on the network. Only selected incoming connections are accepted, and you can add more as needed.
* **Internal:** Similar to the work zone, this is intended for internal networks where you mostly trust the other computers. You can open more ports and services as needed but still maintain a different rule set than you have on your work zone.
* **Trusted:** All network connections are accepted. Good for troubleshooting or on networks you absolutely trust.
### Assigning a zone to a network
You can assign a zone to any network connection you make. Furthermore, you can assign a different zone to each network interface (Ethernet cable, WiFi, and so on) that attaches to each network.
Select the zone you want and click the Save button to commit the change.
![Setting a new zone][8]
The easiest way to get into the habit of assigning a zone to a network interface is to tend to the networks you use most often. Assign the home zone to your home network, the work zone to your work network, and the public network to your favorite library or café network.
Once you have assigned a zone to all your usual networks, make an effort to assign a zone to the next new network you join, whether it's a new café or your mate's home network. Assigning zones is the best way to reinforce your own awareness that networks are not all equal and that you're not any more secure than anybody else just because you run Linux.
### Default zone
Rather than prompting you for a zone every time you join a new network, firewalld assigns any unknown network a default zone. Open a terminal and type this command to get your default zone:
```
$ sudo firewall-cmd --get-default
public
```
In this example, the public zone is the default. It's expected that you will keep the public zone highly restrictive, so it's a pretty safe zone to assign unknown networks. However, you can set your own default instead.
For instance, if you're more paranoid than most, or if you know that you frequent networks you have reason to distrust, you can assign a highly restrictive zone as default:
```
$ sudo firewall-cmd --set-default-zone drop
success
$ sudo firewall-cmd --get-default
drop
```
Now any new network you join will be subject to the drop zone rules unless you manually change it to something less restrictive.
### Customizing zones by opening ports and services
Firewalld's developers don't intend for their zone definitions to satisfy the needs of all the different networks and levels of trust in existence. They're just starting points for you to use and customize.
You don't have to know much about firewalls to be able to open and close ports based on the kinds of network activity you know you generate.
#### Predefined services
The simplest way to add permissions to your firewall is to add a predefined service. Strictly speaking, there's no such thing as a "service" as far as your firewall knows, because firewalls understand port numbers and protocol types. However, firewalld provides collections of ports and protocols based on standards and conventions.
For example, if you're a web developer and want to open your computer up on your local network so your colleagues can see the website you're building, you would add the **http** and **https** services. If you're a gamer and you're running the open source [murmur][9] voice-chat server for your guild, then you'd add the **murmur** service. There are many other services available, which you can view with this command:
```
$ sudo firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client \
bgp bitcoin bitcoin-rpc ceph cfengine condor-collector \
ctdb dhcp dhcpv6 dhcpv6-client dns elasticsearch \
freeipa-ldap freeipa-ldaps ftp [...]
```
If you see a service you need, add it to your current firewall configuration, for example:
```
`$ sudo firewall-cmd --add-service murmur`
```
This command opens all the ports and protocols needed for a particular service _within your default zone_, but only until you reboot your computer or restart your firewall. To make your changes permanent, use the **\--permanent** flag:
```
`$ sudo firewall-cmd --add-service murmur --permanent`
```
You can also issue the command for a zone other than your default:
```
`$ sudo firewall-cmd --add-service murmur --permanent --zone home`
```
#### Ports
Sometimes you want to allow traffic for something that just isn't defined by firewalld's services. Maybe you're setting up a nonstandard port for a common service or you need to open an arbitrary port.
For example, maybe you're running the open source [virtual tabletop][10] software [MapTool][11]. Since you're running the MapTool server and there's no industry standard governing which port MapTool runs on, you can decide what port it uses and then "poke a hole" in your firewall to allow traffic on that port.
The process is basically the same as for services:
```
`$ sudo firewall-cmd --add-port 51234/tcp`
```
This command opens port 51234 to incoming TCP connections _in your default zone_, but only until you reboot your computer or restart your firewall. To make your changes permanent, use the **\--permanent** flag:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent`
```
You can also issue the command for a zone other than your default:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent --zone home`
```
Allowing traffic through your computer is different from letting traffic through your router"s firewall. Your router probably has a different interface for its own embeded firewall (though the principle is the same), which is outside the scope of this article.
### Removing ports and services
If you decide a service or a port is no longer needed, you can restart your firewall to clear your changes, unless you use the **\--permanent** flag.
If you made your changes permanent, use the **\--remove-port** or **\--remove-service** flag:
```
`$ sudo firewall-cmd --remove-port 51234/tcp --permanent`
```
You can remove ports and services from a zone other than your default zone by specifying a zone in your command:
```
`$ sudo firewall-cmd --remove-service murmur --permanent --zone home`
```
### Custom zones
You can use and abuse the default zones provided by firewalld, but you also have the freedom to create your own. For instance, if it makes sense for you to have a zone specific to gaming, then you can create one and switch over to it only while gaming.
To create a new, empty zone, create a new zone called **game** and reload the firewall rules so that your new zone becomes active:
```
$ sudo firewall-cmd --new-zone game --permanent
success
$ sudo firewall-cmd --reload
```
Once it's created and active, you can customize it with all the services and ports you need to have open for game night.
### Diligence
Start thinking about your firewall strategy today. Start slow, and build up some sane defaults that make sense for you. It may take time before you make it a habit to think about your firewall and understand which network services you use, but with a little exploration, you can strengthen your Linux workstation no matter what your environment.
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/7/make-linux-stronger-firewalls
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/seth
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/BUSINESS_buildtogether.png?itok=9Tvz64K5 (People working together to build )
[2]: https://tools.ietf.org/html/rfc793
[3]: https://tools.ietf.org/html/rfc433
[4]: https://opensource.com/sites/default/files/uploads/web-port-nonstandard.png (Navigating to a nonstandard port produces an error)
[5]: https://firewalld.org/
[6]: https://opensource.com/sites/default/files/uploads/nm-connection-editor.png (Network Manager Connection Editor)
[7]: https://opensource.com/sites/default/files/uploads/nm-zone.png (Firewall zones)
[8]: https://opensource.com/sites/default/files/uploads/nm-set.png (Setting a new zone)
[9]: https://www.mumble.com/
[10]: https://opensource.com/article/18/5/maptool
[11]: https://github.com/RPTools

View File

@ -1,102 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: ( )
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Say WHAAAT? Mozilla has Been Nominated for the “Internet Villain” Award in the UK)
[#]: via: (https://itsfoss.com/mozilla-internet-villain/)
[#]: author: (Ankush Das https://itsfoss.com/author/ankush/)
Say WHAAAT? Mozilla has Been Nominated for the “Internet Villain” Award in the UK
======
Mozilla Firefox is one of the most popular browsers available out there. A lot of users prefer it over Chrome just because it encourages privacy protection and features options to keep your Internet activity as private as possible.
But, one of the recently proposed features **[DoH (DNS-over-HTTPS)][1]** which is still in the testing phase didnt receive a good response from the UKs ISPs trade association.
So, the ISPA (Internet Services Providers Association) of UK decided to [nominate][2] Mozilla as one of the “Internet Villains” among the nominees for 2019. This is for an award ceremony to be held on 11th July in London by the ISP trade association of the UK.
![][3]
### Why “Mozilla” is the “Internet Villain” here?
In their announcement, the ISPA mentioned that Mozilla is one of the Internet Villains for supporting **DoH** (DNS-over-HTTPS).
> [@mozilla][4] is nominated for the [#ISPAs][5] [#InternetVillain][6] for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining [#internet][7] safety standards in the UK. <https://t.co/d9NaiaJYnk> [pic.twitter.com/WeZhLq2uvi][8]
>
> — Internet Services Providers Association (ISPAUK) (@ISPAUK) [July 4, 2019][9]
Along with Mozilla, Article 13 Copyright Directive and President Donald Trump also appear in the list. Heres how ISPA explained in their announcement:
_**Mozilla**_ _ for their proposed approach to introduce DNS-over-HTTPS in such a way as to bypass UK filtering obligations and parental controls, undermining internet safety standards in the UK_.
**_Article_ _13 Copyright Directive_** _ for threatening freedom of expression online by requiring content recognition technologies across platforms_
_**President Donald Trump**_ _ for causing a huge amount of uncertainty across the complex, global telecommunications supply chain in the course of trying to protect national security_
### What is DNS-over-HTTPS?
DoH basically means that your DNS requests will be encrypted over an HTTPS connection.
Traditionally, the DNS requests are unencrypted and your DNS provider or the ISP can monitor/control your browsing activity. Without DoH, you can easily enforce blocking/content filtering through your DNS provider or the ISP can do that when they want.
[][10]
Suggested read  Firefox: The Internet's Knight in Shining Armor
However, DoH completely takes that out of the equation and hence, you get a private browsing experience.
You can explore [how Mozilla implements this partnering with Cloudflare][11] and set it up for yourself if you want.
### Is DoH helpful?
Yes and no.
Of course, on one side of the coin, it lets user bypass any content filters enforced by the DNS or the ISPs. So, it is a good thing that we want to put a stop to Internet censorship and DoH helps us with that.
But, on the other side, if you are a parent, you can no longer [set content filters][12] if your kid utilizes DoH on Mozilla Firefox. It depends on how good/bad the [firewall is configured][13].
But potentially DoH is a solution for some to bypass parental controls, which could be a bad thing.
Correct me if Im wrong here in the comments below.
Also, using DoH means that you can no longer use the local host file (in case you are using it for ad blocking or something else)
### Wrapping Up
What do you think about DoH in general? Is it good enough?
And, whats your take on ISPAs decision? Do you think that they are encouraging Internet censorship and government monitoring on netizens with this kind of announcement?
Personally, I find it hilarious. Even if DoH isnt the ultimate feature that everyone wants, it is always good to have an option to protect your privacy in some way.
Let us know your thoughts in the comments below. Meanwhile, Ill just put this quote here:
> In a time of universal deceit, telling the truth is a revolutionary act
--------------------------------------------------------------------------------
via: https://itsfoss.com/mozilla-internet-villain/
作者:[Ankush Das][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/ankush/
[b]: https://github.com/lujun9972
[1]: https://en.wikipedia.org/wiki/DNS_over_HTTPS
[2]: https://www.ispa.org.uk/ispa-announces-finalists-for-2019-internet-heroes-and-villains-trump-and-mozilla-lead-the-way-as-villain-nominees/
[3]: https://i0.wp.com/itsfoss.com/wp-content/uploads/2019/07/mozilla-internet-villain.jpg?resize=800%2C450&ssl=1
[4]: https://twitter.com/mozilla?ref_src=twsrc%5Etfw
[5]: https://twitter.com/hashtag/ISPAs?src=hash&ref_src=twsrc%5Etfw
[6]: https://twitter.com/hashtag/InternetVillain?src=hash&ref_src=twsrc%5Etfw
[7]: https://twitter.com/hashtag/internet?src=hash&ref_src=twsrc%5Etfw
[8]: https://t.co/WeZhLq2uvi
[9]: https://twitter.com/ISPAUK/status/1146725374455373824?ref_src=twsrc%5Etfw
[10]: https://itsfoss.com/why-firefox/
[11]: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
[12]: https://itsfoss.com/how-to-block-porn-by-content-filtering-on-ubuntu/
[13]: https://itsfoss.com/set-up-firewall-gufw/

View File

@ -0,0 +1,261 @@
[#]: collector: (lujun9972)
[#]: translator: (chen-ni)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Make Linux stronger with firewalls)
[#]: via: (https://opensource.com/article/19/7/make-linux-stronger-firewalls)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
使用防火墙让你的 Linux 更加强大
======
掌握防火墙的工作原理,以及如何设置防火墙来提高 Linux 的安全性
![People working together to build ][1]
所有人都听说过防火墙(哪怕仅仅是在网络犯罪片里看到过相关的情节设定),很多人也知道他们的计算机里很可能正运行着防火墙,但是很少有人明白在必要的时候如何驾驭防火墙。
防火墙被用来拦截那些不请自来的网络流量,然而不同网络需要的安全级别也不尽相同。比如说,和在外面一家咖啡馆里使用公共 WiFi 相比,你在家里的时候可以更加信任网络里的其它计算机和设备。你或许希望计算机能够区分可以信任和不可信任的网络,不过最好还是应该学会自己去管理(或者至少是核实)你的安全设置。
### 防火墙的工作原理
网络里不同设备之间的通信是通过一种叫做 **端口** 的网关实现的。这里的端口指的并不是像 USB 端口 或者 HDMI 端口这样的物理连接。在网络术语中,端口是一个纯粹的虚拟概念,用来表示某种类型的数据到达或离开一台计算机时候所走的路径。其实也可以换个名字来称呼,比如叫“连接”或者“门道”,不过 [早在 1981 年的时候][2] 它们就被称作端口了,这个叫法也沿用至今。其实端口这个东西没有任何特别之处,只是一种用来指代一个可能会发生数据传输的地址的方式。
1972 年,一份 [端口数字清单][3](那时候的端口被称为“套接字”)被发布了,并且从此演化为一组众所周知的标准端口号,帮助管理特定类型的网络流量。比如说,你每天访问网站的时候都会使用 80 和 443 端口,因为互联网上的绝大多数人都同意(或者是默认)数据从 web 服务器上传输的时候是通过这两个端口的。如果想要验证这一点,你可以在使用浏览器访问网站的时候在 URL 后面加上一个非标准的端口号码。比如说,访问 **example.com:42** 的请求会被拒绝,因为 example.com 在 42 端口上并不提供网站服务。
![Navigating to a nonstandard port produces an error][4]
如果你是通过 80 端口访问同一个网站,就可以(不出所料地)正常访问了。你可以在 URL 后面加上 **:80** 来指定使用 80 端口,不过由于 80 端口是 HTTP 访问的标准端口,所以你的浏览器其实已经默认在使用 80 端口了。
当一台计算机(比如说 web 服务器)准备在指定端口接收网络流量的时候,保持该端口向网络流量开放是一种可以接受的(也是必要的)行为。但是不需要接收流量的端口如果也处在开放状态就比较危险了,这就是需要用防火墙解决的问题。
#### 安装 firewalld
有很多种配置防火墙的方式,这篇文章介绍 [**firewalld**][5]。在桌面环境下它被集成在网络管理器Network Manager在终端里则是集成在 **firewall-cmd** 里。很多 Linux 发行版都预装了这些工具。如果你的发行版里没有,你可以把这篇文章当成是管理防火墙的通用性建议,在你所使用的防火墙软件里使用类似的方法,或者你也可以选择安装 **firewalld**
比如说在 Ubuntu 上,你必须启用 **universe** 软件仓库,关闭默认的 **ufw** 防火墙,然后再安装 **firewalld**
```
$ sudo systemctl disable ufw
$ sudo add-apt-repository universe
$ sudo apt install firewalld
```
Fedora、CentOS、RHEL、OpenSUSE以及其它很多发行版默认就包含了 **firewalld**
无论你使用哪个发行版,如果希望防火墙发挥作用,就必须保持它在开启状态,并且设置成开机自动加载。你应该尽可能减少在防火墙维护工作上所花费的精力。
```
`$ sudo systemctl enable --now firewalld`
```
### 使用网络管理器选择区域
或许你每天都会连接到很多不同的网络。在工作的时候使用的是一个网络,在咖啡馆里是另一个,在家里又是另一个。你的计算机可以判断出哪一个网络的使用频率比较高,但是它并不知道哪一个是你信任的网络。
一个防火墙的 **区域** 里包含了端口开放和关闭的预设规则。你可以通过使用区域来选择一个对当前网络最适用的策略。
你可以打开网络管理器里的连接编辑器(可以在应用菜单里找到),或者是使用 **nm-connection-editor &amp;** 命令以获取所有可用区域的列表。
![Network Manager Connection Editor][6]
在网络连接列表中,双击你现在所使用的网络。
在出现的网络配置窗口中,点击“通用”标签页。
在“通用”面板中,点击“防火墙区域”旁边的下拉菜单以获取所有可用区域的列表。
![Firewall zones][7]
也可以使用下面的终端命令以获取同样的列表:
```
`$ sudo firewall-cmd --get-zones`
```
每个区域的名称已经可以透露出设计者创建这个区域的意图,不过你也可以使用下面这个终端命令获取任何一个区域的详细信息:
```
$ sudo firewall-cmd --zone work --list-all
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  [...]
```
在这个例子中,**工作**区域的配置是允许接收 SSH 和 DHCPv6-client 的流量,但是拒绝接收其他任何用户没有明确请求的流量。(换句话说,**工作**区域并不会在你浏览网站的时候拦截 HTTP 响应流量,但是 **会** 拦截一个针对你计算机上 80 端口的 HTTP 请求。)
你可以依次查看每一个区域,弄清楚它们分别都允许什么样的流量。比较常见的有:
* **工作:** 这个区域应该在你非常信任的网络上使用。它允许 SSH、DHCPv6 和 mDNS并且还可以添加更多允许的项目。该区域非常适合作为一个基础配置然后在此之上根据日常办公的需求自定义一个工作环境。
* **公共:** 用在你不信任的网络上。这个区域的配置和工作区域是一样的,但是你不应该再继续添加其它任何允许项目。
* **丢弃:** 所有传入连接都会被丢弃,并且不会有任何响应。在不彻底关闭网络的条件下,这已经是最接近隐形模式的配置了,因为只允许传出网络连接(不过随便一个端口扫描器就可以通过传出流量检测到你的计算机,所以这个区域并不是一个隐形装置)。如果你在使用公共 WiFi这个区域可以说是最安全的选择如果你觉得当前的网络比较危险这个区域也一定是最好的选择。
* **拦截:** 所有传入连接都会被拒绝,但是会返回一个消息说明所请求的端口被禁用了。只有你主动发起的网络连接是被允许的。这是一个友好版的 **丢弃** 区域,因为虽然还是没有任何一个端口允许传入流量,但是说明了会拒绝接收任何不是本机主动发起的连接。
* **家庭:** 在你信任网络里的其它计算机的情况下使用这个区域。该区域只会允许你所选择的传入连接,但是你可以根据需求添加更多的允许项目。
* **内部:** 和工作区域类似,该区域适用于内部网络,你应该在基本信任网络里的计算机的情况下使用。你可以根据需求开放更多的端口和服务,同时保持和工作区域不同的一套规则。
* **信任:** 接受所有的网络连接。适合在故障排除的情况下或者是在你绝对信任的网络上使用。
### 为网络指定一个区域
你可以为你的任何一个网络连接都指定一个区域并且对于同一个网络的不同连接方式比如以太网、WiFi 等等)也可以指定不同的区域。
选择你想要的区域,点击“保存”按钮提交修改。
![Setting a new zone][8]
养成为网络连接指定区域的习惯的最好办法是从你最常用的网络开始。为你的家庭网络指定家庭区域,为工作网络指定工作区域,为你最喜欢的图书馆或者咖啡馆的网络指定公关区域。
一旦你为所有常用的网络都指定了一个区域,在之后加入新的网络的时候(无论是一个新的咖啡馆还是你朋友家的网络),试图也为它指定一个区域吧。这样可以很好地让你意识到不同的网络的安全性是不一样的,你并不会仅仅因为使用了 Linux 而比任何人更加安全。
### 默认区域
每次你加入一个新的网络的时候firewalld 并不会提示你进行选择,而是会指定一个默认区域。你可以在终端里输入下面这个命令来获取你的默认区域:
```
$ sudo firewall-cmd --get-default
public
```
在这个例子里,默认区域是公共区域。你应该保证公共区域有非常严格的限制规则,这样在将它指定到未知网络中的时候才比较安全。或者你也可以设置你自己的默认区域。
比如说,如果你是一个比较多疑的人,或者需要经常接触不可信任的网络的话,你可以设置一个非常严格的默认区域:
```
$ sudo firewall-cmd --set-default-zone drop
success
$ sudo firewall-cmd --get-default
drop
```
这样一来,任何你新加入的网络都会被指定使用丢弃区域,除非你手动将它制定为另一个没有这么严格的区域。
### 通过开放端口和服务实现自定义区域
Firewalld 的开发者们并不是想让他们设定的区域能够适应世界上所有不同的网络和所有级别的信任程度。你可以直接使用这些区域,也可以在它们基础上进行个性化配置。
你可以根据自己所需要进行的网络活动决定开放或关闭哪些端口,这并不需要对防火墙有多深的理解。
#### 预设服务
在你的防火墙上添加许可的最简单的方式就是添加预设服务。严格来讲,你的防火墙并不懂什么是“服务”,因为它只知道端口号码和使用协议的类型。不过在标准和传统的基础之上,防火墙可以为你提供一套端口和协议的组合。
比如说,如果你是一个 web 开发者并且希望你的计算机对本地网络开放(这样你的同事就可以看到你正在搭建的网站了),可以添加 **http****https** 服务。如果你是一名游戏玩家,并且在为你的游戏公会运行开源的 [murmur][9] 语音聊天服务器,那么你可以添加 **murmur** 服务。还有其它很多可用的服务,你可以使用下面这个命令查看:
```
$ sudo firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client \
bgp bitcoin bitcoin-rpc ceph cfengine condor-collector \
ctdb dhcp dhcpv6 dhcpv6-client dns elasticsearch \
freeipa-ldap freeipa-ldaps ftp [...]
```
如果你找到了一个自己需要的服务,可以将它添加到当前的防火墙配置中,比如说:
```
`$ sudo firewall-cmd --add-service murmur`
```
这个命令 **在你的默认区域里** 添加了指定服务所需要的所有端口和协议,不过在重启计算机或者防火墙之后就会失效。如果想让你的修改永久有效,可以使用 **\--permanent** 标志:
```
`$ sudo firewall-cmd --add-service murmur --permanent`
```
你也可以将这个命令用于一个非默认区域:
```
`$ sudo firewall-cmd --add-service murmur --permanent --zone home`
```
#### 端口
有时候你希望允许的流量并不在 firewalld 定义的服务之中。也许你想在一个非标准的端口上运行一个常规服务,或者就是想随意开放一个端口。
举例来说,也许你正在运行开源的 [虚拟桌游][10] 软件 [MapTool][11]。由于 MapTool 服务器应该使用哪个端口这件事情并没有一个行业标准,所以你可以自行决定使用哪个端口,然后在防火墙上“开一个洞”,让它允许该端口上的流量。
实现方式和添加服务差不多:
```
`$ sudo firewall-cmd --add-port 51234/tcp`
```
这个命令 **在你的默认区域** 里将 51234 端口向 TCP 传入连接开放,不过在重启计算机或者防火墙之后就会失效。如果想让你的修改永久有效,可以使用 **\--permanent** 标志:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent`
```
你也可以将这个命令用于一个非默认区域:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent --zone home`
```
在路由器的防火墙上设置允许流量和在本机上设置的方式是不同的。你的路由器可能会为它的内嵌防火墙提供一个不同的配置界面(原理上是相同的),不过这就超出本文范围了。
### 移除端口和服务
如果你不再需要某项服务或者某个端口了,并且设置的时候没有使用 **\--permanent** 标志的话,那么可以通过重启防火墙来清除修改。
如果你已经将修改设置为永久生效了,可以使用 **\--remove-port** 或者 **\--remove-service** 标志来清除:
```
`$ sudo firewall-cmd --remove-port 51234/tcp --permanent`
```
你可以通过在命令中指定一个区域以将端口或者服务从一个非默认区域中移除。
```
`$ sudo firewall-cmd --remove-service murmur --permanent --zone home`
```
### 自定义区域
你可以随意使用 firewalld 默认提供的这些区域,不过也完全可以创建自己的区域。比如如果希望有一个针对游戏的特别区域,你可以创建一个,然后只有在玩儿游戏的时候切换到该区域。
如果想要创建一个新的空白区域,你可以创建一个名为 **game** 的新区域,然后重新加载 firewall 规则,这样你的新区域就启用了:
```
$ sudo firewall-cmd --new-zone game --permanent
success
$ sudo firewall-cmd --reload
```
一旦创建好并且处于启用状态,你就可以通过添加玩游戏时所需要的服务和端口来实现个性化定制了。
### 勤勉
从今天起开始思考你的防火墙策略吧。不用着急,可以试着慢慢搭建一些合理的默认规则。你也许需要花上一段时间才能习惯于思考防火墙的配置问题,以及弄清楚你使用了哪些网络服务,不过无论是处在什么样的环境里,只要稍加探索你就可以让自己的 Linux 工作站变得更为强大。
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/7/make-linux-stronger-firewalls
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[chen-ni](https://github.com/chen-ni)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/seth
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/BUSINESS_buildtogether.png?itok=9Tvz64K5 (People working together to build )
[2]: https://tools.ietf.org/html/rfc793
[3]: https://tools.ietf.org/html/rfc433
[4]: https://opensource.com/sites/default/files/uploads/web-port-nonstandard.png (Navigating to a nonstandard port produces an error)
[5]: https://firewalld.org/
[6]: https://opensource.com/sites/default/files/uploads/nm-connection-editor.png (Network Manager Connection Editor)
[7]: https://opensource.com/sites/default/files/uploads/nm-zone.png (Firewall zones)
[8]: https://opensource.com/sites/default/files/uploads/nm-set.png (Setting a new zone)
[9]: https://www.mumble.com/
[10]: https://opensource.com/article/18/5/maptool
[11]: https://github.com/RPTools
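Review bot: the `--permanent` examples (`$ sudo firewall-cmd --add-service murmur --permanent`, `--add-port 51234/tcp --permanent`, `--remove-port 51234/tcp --permanent`) change only the saved configuration; the running firewall is untouched until `sudo firewall-cmd --reload` is issued (as the text does for the new `game` zone) or the same command is also run without `--permanent`. As written, "如果想让你的修改永久有效,可以使用 --permanent 标志" and the removal section read as if the rule takes effect (or disappears) immediately, and the removal case is the risky one: a port the reader believes closed stays open until reload. A short 译注, in the LCTT 译注 style used elsewhere in this commit, after each of those sentences would close the gap. Style point: every command sits in backticks inside a fenced block, so the backticks render literally, and `**\--permanent**` renders the escaped backslash; drop the inner backticks and the `\`.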

View File

@ -0,0 +1,101 @@
[#]: collector: (lujun9972)
[#]: translator: (chen-ni)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Say WHAAAT? Mozilla has Been Nominated for the “Internet Villain” Award in the UK)
[#]: via: (https://itsfoss.com/mozilla-internet-villain/)
[#]: author: (Ankush Das https://itsfoss.com/author/ankush/)
什么Mozilla 被提名英国“互联网恶棍”奖
======
Mozilla Firefox 是目前最流行的浏览器之一。很多用户喜欢它胜过 Chrome 就是因为它鼓励隐私保护,并且可以通过一些选项设置让你的互联网活动尽可能地私密。
不过最近推出的功能之一 —— 仍然处于测试阶段的 **[DoH (DNS-over-HTTPS)][1]** 功能却受到了英国互联网服务提供商行业协会的负面评价。
英国互联网服务提供商行业协会Internet Services Providers Association简称 ISPA决定将 Mozilla 列入 2019 年“互联网恶棍”奖的最终入围者名单。该奖项将在 ISPA 于 7 月 11 日在伦敦举行的颁奖典礼上进行颁发。
![][3]
### 为什么说 “Mozilla” 是 “互联网恶棍”?
ISPA 在他们的声明中表示Mozilla 因为支持了 **DoH**DNS-over-HTTPS而被视为“互联网恶棍”。
> [@mozilla][4] 被提名为 [#ISPA][5] 的 [#互联网恶棍][6] 是因为他们试图推行 DNS-over-HTTPS 以绕开英国的内容过滤系统和家长监护模式,破坏了英国 [#互联网][7] 安全准则。 <https://t.co/d9NaiaJYnk> [pic.twitter.com/WeZhLq2uvi][8]
>
> — 英国互联网提供商行业协会 (ISPAUK) (@ISPAUK) [2019 年 7 月 4 日][9]
和 Mozilla 一同被列入最终入围者名单的还有欧盟版权指令第 13 条和美国总统特朗普。ISPA 在他们的声明里是这样解释的:
**Mozilla**:因为试图推行 DNS-over-HTTPS 以绕开英国的内容过滤系统和家长监护模式,破坏了英国互联网安全准则。
**欧盟版权指令第 13 条**:因为要求各平台使用“内容识别技术”,威胁到了线上言论自由。
**美国总统特朗普**:因为在试图保护国家安全的过程中,为复杂的全球通信供应链带来了巨大的不确定性。
### 什么是 DNS-over-HTTPS?
你可以将 DoH 理解为域名解析服务DNS的请求在 HTTPS 连接中会被加密。
传统意义上的 DNS 请求是不会被加密的,因此你的 DNS 提供商或者是互联网服务提供商可以监视或者是控制你的浏览行为。如果没有 DoH你很容易被 DNS 提供商强制推行拦截和内容过滤系统,并且你的互联网服务提供商也同样可以做到。
[][10]
然而 DoH 颠覆了这一点,可以让你得到一个私密的浏览体验。
你可以研究一下 [Mozilla 是如何开展和 Cloudflare 的合作的][11],并且可以自己配置一下 DoH如果需要的话
### DoH 有用吗?
既有用又没有用。
当然了从事情的一方面来看DoH 可以帮助用户绕过 DNS 或者互联网服务提供商推行的内容过滤系统。如果说 DoH 有助于满足我们避开互联网审查的需求,那么它是一件好事情。
不过从事情的另一方面来看,如果你是一位家长,而你的孩子在 Mozilla Firefox 上使用了 DoH 的话,你就无法 [设置内容过滤器][12] 了。这取决于 [防火墙配置][13] 的好坏。
DoH 可能会成为一些人绕过家长监护的手段,这可能不是一件好事。
如果我这样的说法有问题,你可以在下面的评论区纠正我。
并且,使用 DoH 就意味着你没办法使用本地 host 文件了(如果你正用它作为广告拦截或者是其它用途的话)。
### 总结
你是如何看待 DoH 的呢?它足够好吗?
你又是如何看待 ISPA 的决定的呢?你觉得他们这样的声明是不是在鼓励互联网审查和政府对网民的监控呢?
我个人觉得这个决定非常可笑。即使 DoH 并不是所有人都需要的那个终极功能,能够有一种保护个人隐私的选择也总不是件坏事。
在下面的评论区里发表你的看法吧。最后我想引用这么一句话:
> 在谎言遍地的时代说真话是一种革命行为。LCTT 译注:引自乔治奥威尔)
--------------------------------------------------------------------------------
via: https://itsfoss.com/mozilla-internet-villain/
作者:[Ankush Das][a]
选题:[lujun9972][b]
译者:[chen-ni](https://github.com/chen-ni)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/ankush/
[b]: https://github.com/lujun9972
[1]: https://en.wikipedia.org/wiki/DNS_over_HTTPS
[2]: https://www.ispa.org.uk/ispa-announces-finalists-for-2019-internet-heroes-and-villains-trump-and-mozilla-lead-the-way-as-villain-nominees/
[3]: https://i0.wp.com/itsfoss.com/wp-content/uploads/2019/07/mozilla-internet-villain.jpg?resize=800%2C450&ssl=1
[4]: https://twitter.com/mozilla?ref_src=twsrc%5Etfw
[5]: https://twitter.com/hashtag/ISPAs?src=hash&ref_src=twsrc%5Etfw
[6]: https://twitter.com/hashtag/InternetVillain?src=hash&ref_src=twsrc%5Etfw
[7]: https://twitter.com/hashtag/internet?src=hash&ref_src=twsrc%5Etfw
[8]: https://t.co/WeZhLq2uvi
[9]: https://twitter.com/ISPAUK/status/1146725374455373824?ref_src=twsrc%5Etfw
[10]: https://itsfoss.com/why-firefox/
[11]: https://blog.nightly.mozilla.org/2018/06/01/improving-dns-privacy-in-firefox/
[12]: https://itsfoss.com/how-to-block-porn-by-content-filtering-on-ubuntu/
[13]: https://itsfoss.com/set-up-firewall-gufw/
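Review bot: "这取决于 [防火墙配置][13] 的好坏" gives the parent nothing actionable, and it is at odds with the article's own definition of DoH as DNS queries carried inside an HTTPS connection: such traffic looks like ordinary HTTPS, so a firewall can only intervene by blocking the resolver endpoint, and the practical control is disabling DoH in the browser; a 译注 saying so, or rewording to "这取决于你是否在浏览器或防火墙中禁用了 DoH", would help. Style point: the bare `[][10]` line has empty link text (presumably an image or embed lost in conversion) and renders as nothing; restore the alt text or drop the line. Also, the closing 译注 attributes the quote to 乔治奥威尔 as fact; the line does not appear in Orwell's writings and is generally regarded as misattributed, so "常被归于乔治·奥威尔" would be the safer wording.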