document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-03-21 02:10:11 +08:00
Code Issues Packages Projects Releases Wiki Activity

翻译完成

Browse Source
This commit is contained in:
chen ni 2019-07-06 16:07:37 +08:00 committed by GitHub
parent 467345e79b
commit 558efa4b4a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 261 additions and 276 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

276
sources/tech/20190702 Make Linux stronger with firewalls.md
View File

@ -1,276 +0,0 @@
[#]: collector: (lujun9972)
[#]: translator: (chen-ni)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Make Linux stronger with firewalls)
[#]: via: (https://opensource.com/article/19/7/make-linux-stronger-firewalls)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
Make Linux stronger with firewalls
======
Learn how firewalls work and which settings to tweak for better Linux
security.
![People working together to build ][1]
Everyone's heard of firewalls, even if only as a plot device in a TV cybercrime drama. Many people also know that their computer is (likely) running a firewall, but fewer people understand how to take control of their firewall when necessary.
Firewalls block unwanted network traffic, but different networks have different threat levels. For instance, if you're at home, you probably trust the other computers and devices on your network a lot more than when you're out at the local café using public WiFi. You can hope your computer differentiates between a trusted network and an untrusted one, or you can learn to manage, or at least verify, your security settings yourself.
### How firewalls work
Communication between devices on a network happens through gateways called _ports_. Port, in this context, doesn't mean a physical connection like a USB port or an HDMI port. In network lingo, a port is an entirely virtual concept representing pathways for a specific type of data to either arrive at or depart from a computer. This system could have been called anything, like "connections" or "doorways," but they were named ports at least [as early as 1981][2], and that's the name in use today. The point is, there's nothing special about any port; they're just a way to designate an address where data transference may happen.
Back in 1972, [a list of port numbers][3] (then called "sockets") was published, and this has since evolved into a set of well-known standard port numbers that help manage specific kinds of traffic. For instance, you access ports 80 and 443 on a daily basis when you visit a website, because most everyone on the internet has agreed, implicitly or explicitly, that data is transferred from web servers over those ports. You can test this theory by opening a web browser and navigating to a website with a nonstandard port appended to the URL. For instance, if you navigate to **example.com:42**, your request is denied because example.com does not serve a website at port 42.
![Navigating to a nonstandard port produces an error][4]
If you revisit the same website at port 80, you get a website, as expected. You can specify port 80 with **:80** at the end of the URL, but because port 80 is the standard port for HTTP traffic, your web browser assumes port 80 by default.
When a computer, like a web server, expects traffic at a specific port, it's acceptable (and necessary) to have the port open for traffic. The danger is leaving ports open that you have no reason to expect traffic on, and that's exactly what a firewall is for.
### Install firewalld
There are many interfaces for firewall configuration. This article covers [**firewalld**][5], which integrates with Network Manager on the desktop and **firewall-cmd** in the terminal. Many Linux distributions ship with these tools installed. If yours doesn't, you can either take this article as general advice for firewall management and apply it to what you use, or you can install **firewalld**.
On Ubuntu, for instance, you must enable the **universe** repository, deactivate the default **ufw** firewall, and then install **firewalld**:
```
$ sudo systemctl disable ufw
$ sudo add-apt-repository universe
$ sudo apt install firewalld
```
Fedora, CentOS, RHEL, OpenSUSE, and many others include **firewalld** by default.
Regardless of your distribution, for a firewall to be effective, it must be active and set to be loaded at boot. The less you have to think about firewall maintenance, the better.
```
`$ sudo systemctl enable --now firewalld`
```
### Choose your zone with Network Manager
You probably connect to many different networks every day. You're on one network at work, another at the café, and yet another at home. Your computer can detect which network you use more frequently than others, but it doesn't know which you trust.
A firewall _zone_ contains presets deciding what ports to open and close. Using zones, you can choose a policy that makes the most sense for the network you're currently on.
To see a list of available zones, open the Network Manager Connection Editor, found in your Applications menu, or with the **nm-connection-editor &** command.
![Network Manager Connection Editor][6]
From the list of network connections, double-click on your current network.
In the network configuration window that appears, click the General tab.
In the General panel, click the drop-down menu next to Firewall Zone for a list of all available zones.
![Firewall zones][7]
You can get this same list with this terminal command:
```
`$ sudo firewall-cmd --get-zones`
```
The zone titles indicate what their designers had in mind when creating them, but you can get the specifics of any zone with this terminal command:
```
$ sudo firewall-cmd --zone work --list-all
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  [...]
```
In this example, the **work** zone is configured to permit SSH and DHCPv6-client incoming traffic but drops any other incoming traffic not explicitly requested by the user. (In other words, the **work** zone doesn't block HTTP response traffic when you visit a website, but it _does_ deny an HTTP request on your port 80.)
View each zone to get familiar with the traffic each one allows. The most common ones are:
* **Work:** Use this one when on a network you mostly trust. SSH, DHCPv6, and mDNS are permitted, and you can add more as needed. This zone is meant to be a starting point for a custom work environment based on your daily office requirements.
* **Public:** For networks you do not trust. This zone is the same as the work zone, but presumably, you would not add the same exceptions as your work zone.
* **Drop:** All incoming connections are dropped with no response given. This is as close to a stealth mode as you can get without shutting off networking entirely because only outgoing network connections are possible (even a casual port scanner could detect your computer from outgoing traffic, though, so don't mistake this zone for a cloaking device). This is arguably the safest zone when on public WiFi, and definitely the best when you have reason to believe a network is hostile.
* **Block:** All incoming connections are rejected with a message declaring that the requested port is prohibited. Only network connections you initiate are possible. This is a "friendly" version of the drop zone because, even though no port is open for incoming traffic, a port verbosely declines an uninitiated connection.
* **Home:** Use this when you trust other computers on the network. Only selected incoming connections are accepted, and you can add more as needed.
* **Internal:** Similar to the work zone, this is intended for internal networks where you mostly trust the other computers. You can open more ports and services as needed but still maintain a different rule set than you have on your work zone.
* **Trusted:** All network connections are accepted. Good for troubleshooting or on networks you absolutely trust.
### Assigning a zone to a network
You can assign a zone to any network connection you make. Furthermore, you can assign a different zone to each network interface (Ethernet cable, WiFi, and so on) that attaches to each network.
Select the zone you want and click the Save button to commit the change.
![Setting a new zone][8]
The easiest way to get into the habit of assigning a zone to a network interface is to tend to the networks you use most often. Assign the home zone to your home network, the work zone to your work network, and the public network to your favorite library or café network.
Once you have assigned a zone to all your usual networks, make an effort to assign a zone to the next new network you join, whether it's a new café or your mate's home network. Assigning zones is the best way to reinforce your own awareness that networks are not all equal and that you're not any more secure than anybody else just because you run Linux.
### Default zone
Rather than prompting you for a zone every time you join a new network, firewalld assigns any unknown network a default zone. Open a terminal and type this command to get your default zone:
```
$ sudo firewall-cmd --get-default
public
```
In this example, the public zone is the default. It's expected that you will keep the public zone highly restrictive, so it's a pretty safe zone to assign unknown networks. However, you can set your own default instead.
For instance, if you're more paranoid than most, or if you know that you frequent networks you have reason to distrust, you can assign a highly restrictive zone as default:
```
$ sudo firewall-cmd --set-default-zone drop
success
$ sudo firewall-cmd --get-default
drop
```
Now any new network you join will be subject to the drop zone rules unless you manually change it to something less restrictive.
### Customizing zones by opening ports and services
Firewalld's developers don't intend for their zone definitions to satisfy the needs of all the different networks and levels of trust in existence. They're just starting points for you to use and customize.
You don't have to know much about firewalls to be able to open and close ports based on the kinds of network activity you know you generate.
#### Predefined services
The simplest way to add permissions to your firewall is to add a predefined service. Strictly speaking, there's no such thing as a "service" as far as your firewall knows, because firewalls understand port numbers and protocol types. However, firewalld provides collections of ports and protocols based on standards and conventions.
For example, if you're a web developer and want to open your computer up on your local network so your colleagues can see the website you're building, you would add the **http** and **https** services. If you're a gamer and you're running the open source [murmur][9] voice-chat server for your guild, then you'd add the **murmur** service. There are many other services available, which you can view with this command:
```
$ sudo firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client \
bgp bitcoin bitcoin-rpc ceph cfengine condor-collector \
ctdb dhcp dhcpv6 dhcpv6-client dns elasticsearch \
freeipa-ldap freeipa-ldaps ftp [...]
```
If you see a service you need, add it to your current firewall configuration, for example:
```
`$ sudo firewall-cmd --add-service murmur`
```
This command opens all the ports and protocols needed for a particular service _within your default zone_, but only until you reboot your computer or restart your firewall. To make your changes permanent, use the **\--permanent** flag:
```
`$ sudo firewall-cmd --add-service murmur --permanent`
```
You can also issue the command for a zone other than your default:
```
`$ sudo firewall-cmd --add-service murmur --permanent --zone home`
```
#### Ports
Sometimes you want to allow traffic for something that just isn't defined by firewalld's services. Maybe you're setting up a nonstandard port for a common service or you need to open an arbitrary port.
For example, maybe you're running the open source [virtual tabletop][10] software [MapTool][11]. Since you're running the MapTool server and there's no industry standard governing which port MapTool runs on, you can decide what port it uses and then "poke a hole" in your firewall to allow traffic on that port.
The process is basically the same as for services:
```
`$ sudo firewall-cmd --add-port 51234/tcp`
```
This command opens port 51234 to incoming TCP connections _in your default zone_, but only until you reboot your computer or restart your firewall. To make your changes permanent, use the **\--permanent** flag:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent`
```
You can also issue the command for a zone other than your default:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent --zone home`
```
Allowing traffic through your computer is different from letting traffic through your router"s firewall. Your router probably has a different interface for its own embeded firewall (though the principle is the same), which is outside the scope of this article.
### Removing ports and services
If you decide a service or a port is no longer needed, you can restart your firewall to clear your changes, unless you use the **\--permanent** flag.
If you made your changes permanent, use the **\--remove-port** or **\--remove-service** flag:
```
`$ sudo firewall-cmd --remove-port 51234/tcp --permanent`
```
You can remove ports and services from a zone other than your default zone by specifying a zone in your command:
```
`$ sudo firewall-cmd --remove-service murmur --permanent --zone home`
```
### Custom zones
You can use and abuse the default zones provided by firewalld, but you also have the freedom to create your own. For instance, if it makes sense for you to have a zone specific to gaming, then you can create one and switch over to it only while gaming.
To create a new, empty zone, create a new zone called **game** and reload the firewall rules so that your new zone becomes active:
```
$ sudo firewall-cmd --new-zone game --permanent
success
$ sudo firewall-cmd --reload
```
Once it's created and active, you can customize it with all the services and ports you need to have open for game night.
### Diligence
Start thinking about your firewall strategy today. Start slow, and build up some sane defaults that make sense for you. It may take time before you make it a habit to think about your firewall and understand which network services you use, but with a little exploration, you can strengthen your Linux workstation no matter what your environment.
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/7/make-linux-stronger-firewalls
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/seth
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/BUSINESS_buildtogether.png?itok=9Tvz64K5 (People working together to build )
[2]: https://tools.ietf.org/html/rfc793
[3]: https://tools.ietf.org/html/rfc433
[4]: https://opensource.com/sites/default/files/uploads/web-port-nonstandard.png (Navigating to a nonstandard port produces an error)
[5]: https://firewalld.org/
[6]: https://opensource.com/sites/default/files/uploads/nm-connection-editor.png (Network Manager Connection Editor)
[7]: https://opensource.com/sites/default/files/uploads/nm-zone.png (Firewall zones)
[8]: https://opensource.com/sites/default/files/uploads/nm-set.png (Setting a new zone)
[9]: https://www.mumble.com/
[10]: https://opensource.com/article/18/5/maptool
[11]: https://github.com/RPTools

261
translated/tech/20190702 Make Linux stronger with firewalls.md Normal file
View File

@ -0,0 +1,261 @@
[#]: collector: (lujun9972)
[#]: translator: (chen-ni)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
[#]: subject: (Make Linux stronger with firewalls)
[#]: via: (https://opensource.com/article/19/7/make-linux-stronger-firewalls)
[#]: author: (Seth Kenlon https://opensource.com/users/seth)
使用防火墙让你的 Linux 更加强大
======
掌握防火墙的工作原理,以及如何设置防火墙来提高 Linux 的安全性
![People working together to build ][1]
所有人都听说过防火墙(哪怕仅仅是在网络犯罪片里看到过相关的情节设定),很多人也知道他们的计算机里很可能正运行着防火墙,但是很少有人明白在必要的时候如何驾驭防火墙。
防火墙被用来拦截那些不请自来的网络流量,然而不同网络需要的安全级别也不尽相同。比如说,和在外面一家咖啡馆里使用公共 WiFi 相比,你在家里的时候可以更加信任网络里的其它计算机和设备。你或许希望计算机能够区分可以信任和不可信任的网络,不过最好还是应该学会自己去管理(或者至少是核实)你的安全设置。
### 防火墙的工作原理
网络里不同设备之间的通信是通过一种叫做 **端口** 的网关实现的。这里的端口指的并不是像 USB 端口 或者 HDMI 端口这样的物理连接。在网络术语中,端口是一个纯粹的虚拟概念,用来表示某种类型的数据到达或离开一台计算机时候所走的路径。其实也可以换个名字来称呼,比如叫“连接”或者“门道”,不过 [早在 1981 年的时候][2] 它们就被称作端口了,这个叫法也沿用至今。其实端口这个东西没有任何特别之处,只是一种用来指代一个可能会发生数据传输的地址的方式。
1972 年,一份 [端口数字清单][3](那时候的端口被称为“套接字”)被发布了,并且从此演化为一组众所周知的标准端口号,帮助管理特定类型的网络流量。比如说,你每天访问网站的时候都会使用 80 和 443 端口,因为互联网上的绝大多数人都同意(或者是默认)数据从 web 服务器上传输的时候是通过这两个端口的。如果想要验证这一点,你可以在使用浏览器访问网站的时候在 URL 后面加上一个非标准的端口号码。比如说,访问 **example.com:42** 的请求会被拒绝,因为 example.com 在 42 端口上并不提供网站服务。
![Navigating to a nonstandard port produces an error][4]
如果你是通过 80 端口访问同一个网站,就可以(不出所料地)正常访问了。你可以在 URL 后面加上 **:80** 来指定使用 80 端口,不过由于 80 端口是 HTTP 访问的标准端口,所以你的浏览器其实已经默认在使用 80 端口了。
当一台计算机(比如说 web 服务器)准备在指定端口接收网络流量的时候,保持该端口向网络流量开放是一种可以接受的(也是必要的)行为。但是不需要接收流量的端口如果也处在开放状态就比较危险了,这就是需要用防火墙解决的问题。
#### 安装 firewalld
有很多种配置防火墙的方式,这篇文章介绍 [**firewalld**][5]。在桌面环境下它被集成在网络管理器Network Manager在终端里则是集成在 **firewall-cmd** 里。很多 Linux 发行版都预装了这些工具。如果你的发行版里没有,你可以把这篇文章当成是管理防火墙的通用性建议,在你所使用的防火墙软件里使用类似的方法,或者你也可以选择安装 **firewalld**
比如说在 Ubuntu 上,你必须启用 **universe** 软件仓库,关闭默认的 **ufw** 防火墙,然后再安装 **firewalld**
```
$ sudo systemctl disable ufw
$ sudo add-apt-repository universe
$ sudo apt install firewalld
```
Fedora、CentOS、RHEL、OpenSUSE以及其它很多发行版默认就包含了 **firewalld**
无论你使用哪个发行版,如果希望防火墙发挥作用,就必须保持它在开启状态,并且设置成开机自动加载。你应该尽可能减少在防火墙维护工作上所花费的精力。
```
`$ sudo systemctl enable --now firewalld`
```
### 使用网络管理器选择区域
或许你每天都会连接到很多不同的网络。在工作的时候使用的是一个网络,在咖啡馆里是另一个,在家里又是另一个。你的计算机可以判断出哪一个网络的使用频率比较高,但是它并不知道哪一个是你信任的网络。
一个防火墙的 **区域** 里包含了端口开放和关闭的预设规则。你可以通过使用区域来选择一个对当前网络最适用的策略。
你可以打开网络管理器里的连接编辑器(可以在应用菜单里找到),或者是使用 **nm-connection-editor &** 命令以获取所有可用区域的列表。
![Network Manager Connection Editor][6]
在网络连接列表中,双击你现在所使用的网络。
在出现的网络配置窗口中,点击“通用”标签页。
在“通用”面板中,点击“防火墙区域”旁边的下拉菜单以获取所有可用区域的列表。
![Firewall zones][7]
也可以使用下面的终端命令以获取同样的列表:
```
`$ sudo firewall-cmd --get-zones`
```
每个区域的名称已经可以透露出设计者创建这个区域的意图,不过你也可以使用下面这个终端命令获取任何一个区域的详细信息:
```
$ sudo firewall-cmd --zone work --list-all
work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client
  ports:
  protocols:
  [...]
```
在这个例子中,**工作**区域的配置是允许接收 SSH 和 DHCPv6-client 的流量,但是拒绝接收其他任何用户没有明确请求的流量。(换句话说,**工作**区域并不会在你浏览网站的时候拦截 HTTP 响应流量,但是 **会** 拦截一个针对你计算机上 80 端口的 HTTP 请求。)
你可以依次查看每一个区域,弄清楚它们分别都允许什么样的流量。比较常见的有:
* **工作:** 这个区域应该在你非常信任的网络上使用。它允许 SSH、DHCPv6 和 mDNS并且还可以添加更多允许的项目。该区域非常适合作为一个基础配置然后在此之上根据日常办公的需求自定义一个工作环境。
* **公共:** 用在你不信任的网络上。这个区域的配置和工作区域是一样的,但是你不应该再继续添加其它任何允许项目。
* **丢弃:** 所有传入连接都会被丢弃,并且不会有任何响应。在不彻底关闭网络的条件下,这已经是最接近隐形模式的配置了,因为只允许传出网络连接(不过随便一个端口扫描器就可以通过传出流量检测到你的计算机,所以这个区域并不是一个隐形装置)。如果你在使用公共 WiFi这个区域可以说是最安全的选择如果你觉得当前的网络比较危险这个区域也一定是最好的选择。
* **拦截:** 所有传入连接都会被拒绝,但是会返回一个消息说明所请求的端口被禁用了。只有你主动发起的网络连接是被允许的。这是一个友好版的 **丢弃** 区域,因为虽然还是没有任何一个端口允许传入流量,但是说明了会拒绝接收任何不是本机主动发起的连接。
* **家庭:** 在你信任网络里的其它计算机的情况下使用这个区域。该区域只会允许你所选择的传入连接,但是你可以根据需求添加更多的允许项目。
* **内部:** 和工作区域类似,该区域适用于内部网络,你应该在基本信任网络里的计算机的情况下使用。你可以根据需求开放更多的端口和服务,同时保持和工作区域不同的一套规则。
* **信任:** 接受所有的网络连接。适合在故障排除的情况下或者是在你绝对信任的网络上使用。
### 为网络指定一个区域
你可以为你的任何一个网络连接都指定一个区域并且对于同一个网络的不同连接方式比如以太网、WiFi 等等)也可以指定不同的区域。
选择你想要的区域,点击“保存”按钮提交修改。
![Setting a new zone][8]
养成为网络连接指定区域的习惯的最好办法是从你最常用的网络开始。为你的家庭网络指定家庭区域,为工作网络指定工作区域,为你最喜欢的图书馆或者咖啡馆的网络指定公关区域。
一旦你为所有常用的网络都指定了一个区域,在之后加入新的网络的时候(无论是一个新的咖啡馆还是你朋友家的网络),试图也为它指定一个区域吧。这样可以很好地让你意识到不同的网络的安全性是不一样的,你并不会仅仅因为使用了 Linux 而比任何人更加安全。
### 默认区域
每次你加入一个新的网络的时候firewalld 并不会提示你进行选择,而是会指定一个默认区域。你可以在终端里输入下面这个命令来获取你的默认区域:
```
$ sudo firewall-cmd --get-default
public
```
在这个例子里,默认区域是公共区域。你应该保证公共区域有非常严格的限制规则,这样在将它指定到未知网络中的时候才比较安全。或者你也可以设置你自己的默认区域。
比如说,如果你是一个比较多疑的人,或者需要经常接触不可信任的网络的话,你可以设置一个非常严格的默认区域:
```
$ sudo firewall-cmd --set-default-zone drop
success
$ sudo firewall-cmd --get-default
drop
```
这样一来,任何你新加入的网络都会被指定使用丢弃区域,除非你手动将它制定为另一个没有这么严格的区域。
### 通过开放端口和服务实现自定义区域
Firewalld 的开发者们并不是想让他们设定的区域能够适应世界上所有不同的网络和所有级别的信任程度。你可以直接使用这些区域,也可以在它们基础上进行个性化配置。
你可以根据自己所需要进行的网络活动决定开放或关闭哪些端口,这并不需要对防火墙有多深的理解。
#### 预设服务
在你的防火墙上添加许可的最简单的方式就是添加预设服务。严格来讲,你的防火墙并不懂什么是“服务”,因为它只知道端口号码和使用协议的类型。不过在标准和传统的基础之上,防火墙可以为你提供一套端口和协议的组合。
比如说,如果你是一个 web 开发者并且希望你的计算机对本地网络开放(这样你的同事就可以看到你正在搭建的网站了),可以添加 **http****https** 服务。如果你是一名游戏玩家,并且在为你的游戏公会运行开源的 [murmur][9] 语音聊天服务器,那么你可以添加 **murmur** 服务。还有其它很多可用的服务,你可以使用下面这个命令查看:
```
$ sudo firewall-cmd --get-services
amanda-client amanda-k5-client bacula bacula-client \
bgp bitcoin bitcoin-rpc ceph cfengine condor-collector \
ctdb dhcp dhcpv6 dhcpv6-client dns elasticsearch \
freeipa-ldap freeipa-ldaps ftp [...]
```
如果你找到了一个自己需要的服务,可以将它添加到当前的防火墙配置中,比如说:
```
`$ sudo firewall-cmd --add-service murmur`
```
这个命令 **在你的默认区域里** 添加了指定服务所需要的所有端口和协议,不过在重启计算机或者防火墙之后就会失效。如果想让你的修改永久有效,可以使用 **\--permanent** 标志:
```
`$ sudo firewall-cmd --add-service murmur --permanent`
```
你也可以将这个命令用于一个非默认区域:
```
`$ sudo firewall-cmd --add-service murmur --permanent --zone home`
```
#### 端口
有时候你希望允许的流量并不在 firewalld 定义的服务之中。也许你想在一个非标准的端口上运行一个常规服务,或者就是想随意开放一个端口。
举例来说,也许你正在运行开源的 [虚拟桌游][10] 软件 [MapTool][11]。由于 MapTool 服务器应该使用哪个端口这件事情并没有一个行业标准,所以你可以自行决定使用哪个端口,然后在防火墙上“开一个洞”,让它允许该端口上的流量。
实现方式和添加服务差不多:
```
`$ sudo firewall-cmd --add-port 51234/tcp`
```
这个命令 **在你的默认区域** 里将 51234 端口向 TCP 传入连接开放,不过在重启计算机或者防火墙之后就会失效。如果想让你的修改永久有效,可以使用 **\--permanent** 标志:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent`
```
你也可以将这个命令用于一个非默认区域:
```
`$ sudo firewall-cmd --add-port 51234/tcp --permanent --zone home`
```
在路由器的防火墙上设置允许流量和在本机上设置的方式是不同的。你的路由器可能会为它的内嵌防火墙提供一个不同的配置界面(原理上是相同的),不过这就超出本文范围了。
### 移除端口和服务
如果你不再需要某项服务或者某个端口了,并且设置的时候没有使用 **\--permanent** 标志的话,那么可以通过重启防火墙来清除修改。
如果你已经将修改设置为永久生效了,可以使用 **\--remove-port** 或者 **\--remove-service** 标志来清除:
```
`$ sudo firewall-cmd --remove-port 51234/tcp --permanent`
```
你可以通过在命令中指定一个区域以将端口或者服务从一个非默认区域中移除。
```
`$ sudo firewall-cmd --remove-service murmur --permanent --zone home`
```
### 自定义区域
你可以随意使用 firewalld 默认提供的这些区域,不过也完全可以创建自己的区域。比如如果希望有一个针对游戏的特别区域,你可以创建一个,然后只有在玩儿游戏的时候切换到该区域。
如果想要创建一个新的空白区域,你可以创建一个名为 **game** 的新区域,然后重新加载 firewall 规则,这样你的新区域就启用了:
```
$ sudo firewall-cmd --new-zone game --permanent
success
$ sudo firewall-cmd --reload
```
一旦创建好并且处于启用状态,你就可以通过添加玩游戏时所需要的服务和端口来实现个性化定制了。
### 勤勉
从今天起开始思考你的防火墙策略吧。不用着急,可以试着慢慢搭建一些合理的默认规则。你也许需要花上一段时间才能习惯于思考防火墙的配置问题,以及弄清楚你使用了哪些网络服务,不过无论是处在什么样的环境里,只要稍加探索你就可以让自己的 Linux 工作站变得更为强大。
--------------------------------------------------------------------------------
via: https://opensource.com/article/19/7/make-linux-stronger-firewalls
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[chen-ni](https://github.com/chen-ni)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/seth
[b]: https://github.com/lujun9972
[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/BUSINESS_buildtogether.png?itok=9Tvz64K5 (People working together to build )
[2]: https://tools.ietf.org/html/rfc793
[3]: https://tools.ietf.org/html/rfc433
[4]: https://opensource.com/sites/default/files/uploads/web-port-nonstandard.png (Navigating to a nonstandard port produces an error)
[5]: https://firewalld.org/
[6]: https://opensource.com/sites/default/files/uploads/nm-connection-editor.png (Network Manager Connection Editor)
[7]: https://opensource.com/sites/default/files/uploads/nm-zone.png (Firewall zones)
[8]: https://opensource.com/sites/default/files/uploads/nm-set.png (Setting a new zone)
[9]: https://www.mumble.com/
[10]: https://opensource.com/article/18/5/maptool
[11]: https://github.com/RPTools