From fceec5f8c7808495e4bb7ec7d9511b1a4c9792e4 Mon Sep 17 00:00:00 2001 From: qhwdw <33189910+qhwdw@users.noreply.github.com> Date: Tue, 21 Nov 2017 14:51:24 +0800 Subject: [PATCH 1/3] Translated by qhwdw Translated by qhwdw --- ... Firewalld in Multi-Zone Configurations.md | 411 ++++++++++++++++++ 1 file changed, 411 insertions(+) create mode 100644 translated/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md diff --git a/translated/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md b/translated/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md new file mode 100644 index 0000000000..4b071800d5 --- /dev/null +++ b/translated/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md 
@@ -0,0 +1,411 @@ +理解多区域配置中的 Firewalld +============================================================ + +脆弱的服务器和数据失窃的事件充斥着现在的新闻。对于一个阅读过安全公告博客的人来说,通过访问有错误配置的服务器,利用最新暴露的安全漏洞或通过窃取的密码来获得系统控制权,这并不是件困难是事情。在一般的 LInux 服务器上的任何因特网服务都可能存在漏洞,允许未经授权的系统访问。 + +因为一个系统上在应用程序级防范任何可能的威胁是不可能做到的事情,防火墙通过限制对系统的访问提供了安全保证。防火墙基于它们的源 IP、目标端口和协议来过滤入站包。这种方式中,仅有几个 IP/port/protocol 的组合与系统交互,而其它的做不到。 + +Linux 防火墙是通过 netfilter 来处理的,它是内核级别的框架。十几年来,iptables 是 netfilter 提供的用户态(userland,译者注:一个基本的 UNIX 系统是由 kernel 和 userland 两部分构成,除 kernel 以外的称为 userland)抽象层。iptables 提交包通过一系列的规则,如果包与 IP/port/protocol 的组合匹配,规则被应用到这个包上,并决定包是被通过、拒绝或丢弃。 + +Firewalld 是最新的 netfilter 用户态抽象层。遗憾的是,由于缺乏描述多区域配置的文档,它的强大而灵活的功能被低估了。这篇文章提供了一个示例去改变这种情况。 + +### Firewalld 的设计目标 + +# + +firewalld 的设计者认识到大多数的 iptables 使用案例仅涉及到几个单播源 IP,仅对每个符合白名单的服务通过,而其它的会被拒绝。这种模式的好处是,firewalld 通过定义的源 IP 和/或网络接口去分类入站流量到区域。每个区域基于指定的准则自己配置去通过或拒绝包。 + +另外的改善是基于 iptables 进行语法简化。Firewalld 通过使用服务名而不是它的端口和协议去指定服务,使它更易于使用,例如,是使用 samba 而不是使用 UDP 端口 137 和 138 和 TCP 端口 139 和 445。它进一步简化语法,就像 iptables 一样,消除对语句顺序的依赖。 + +最后,firewalld 允许交互式修改 netfilter,允许防火墙的改变独立于存储在 XML 中的永久配置。因此,下面的的临时修改将在下次重新加载时被覆盖: + +``` + +# firewall-cmd + +``` + +而,以下的改变在重加载后会永久保存: + +``` + +# firewall-cmd --permanent +# firewall-cmd --reload +``` + +### 区域 + +在 firewalld 中最上层的组织是区域。如果一个包匹配区域相关联的网络接口或源 IP/mask ,它就是区域的一部分。可用的几个预定义区域: + +``` + +# firewall-cmd --get-zones +block dmz drop external home internal public trusted work + +``` + +任何配置了一个网络接口和/或一个源的区域就是一个活动的区域。列出活动的区域: + +``` + +# firewall-cmd --get-active-zones +public + interfaces: eno1 eno2 + +``` + +**Interfaces** 是系统中的硬件和虚拟网络适配器的名字,正如你在上面的示例中所看到的那样。所有的活动的接口都将被分配到区域,要么是默认的区域,要么是用户指定的一个区域。但是,一个接口不能被分配给多于一个的区域。 + +在缺省配置中,firewalld 设置所有接口为公共区域,并且不对任何区域设置源。结果是,公共区域是唯一的活动区域。 + +**Sources** 是入站 IP 地址的范围,它也可以被分配到区域。一个源(或 重叠的源)不能被分配到多个区域。这样做的结果是产生一个未定义的行为,因为不清楚应该将哪些规则应用于该源。 + +因为指定一个源不是必需的,任何包在这里将被一个区域使用一个接口来匹配,但是,这里不需要使用一个源去匹配一个区域。这表示通过使用优先级方式,优先进行多个指定的源区域,稍后,详细说明这种情况。首先,我们来检查公共区域的配置: + +``` + +# firewall-cmd --zone=public --list-all +public 
(default, active) + interfaces: eno1 eno2 + sources: + services: dhcpv6-client ssh + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +# firewall-cmd --permanent --zone=public --get-target +default + +``` + +逐行说明如下: + +* `public (default, active)` 表示公共区是默认区(当接口启动时会自动默认),并且它是活动的,因为,它至少有一个接口或源与分配给它。 + +* `interfaces: eno1 eno2` 列出了这个区域上关联的接口。 + +* `sources:` 列出了这个区域的源。现在这里什么都没有,但是,如果这里有内容,它们应该是这样的格式 xxx.xxx.xxx.xxx/xx。 + +* `services: dhcpv6-client ssh` 列出了允许通过这个防火墙的服务。你可以通过运行 `firewall-cmd --get-services` 得到一个防火墙预定义服务的详细列表。 + +* `ports:` 列出了一个允许通过这个防火墙的目标端口。它是用于你需要去允许一个没有在 firewalld 中定义的服务的情况下。 + +* `masquerade: no` 表示这个区域是否允许 IP 伪装。如果允许,它将允许 IP 转发,它可以让你的计算机作为一个路由器。 + +* `forward-ports:` 列出转发的端口。 + +* `icmp-blocks:` 一个阻塞的 icmp 流量的黑名单。 + +* `rich rules:` 在一个区域中优先处理的高级配置。 + +* `default` 是目标区域,它决定了在与该区域匹配的包上的动作,而不是由上面设置中的一个显式处理的。 + +### 一个简单的单区域配置示例 + +如果只是简单地锁定你的防火墙。简单地在删除公共区域上当前允许的服务,并重新加载: + +``` + +# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client +# firewall-cmd --permanent --zone=public --remove-service=ssh +# firewall-cmd --reload + +``` + +在下面的防火墙上这些命令的结果是: + +``` + +# firewall-cmd --zone=public --list-all +public (default, active) + interfaces: eno1 eno2 + sources: + services: + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +# firewall-cmd --permanent --zone=public --get-target +default + +``` + +本着尽可能严格地保证安全的精神,如果发生需要在你的防火墙上临时开放一个服务的情况(假设是 ssh),你可以增加这个服务到当前会话中(省略 `--permanent`),并且指示防火墙在一个指定的时间之后恢复修改: + +``` + +# firewall-cmd --zone=public --add-service=ssh --timeout=5m + +``` + +这个 timeout 选项是一个以秒(s)、分(m)或小时(h)为单位的时间值。 + +### 目标 + +当一个区域处理它的源或接口上的一个包时,但是,这里没有一个处理包的显式的规则,这时区域的目标决定了这个行为: + +* `ACCEPT`: 通过这个包。 + +* `%%REJECT%%`: 拒绝这个包,并返回一个拒绝的回复。 + +* `DROP`: 丢弃这个包,不回复任何信息。 + +* `default`: 不做任何事情。区域不再管它,把它踢到“楼上”。 + +在 firewalld 0.3.9 中有一个 bug (已经在 0.3.10 中修复),对于一个目标是除了“默认”以外的源区域,不管允许的服务是什么,这的目标都会被应用。例如,一个使用目标 `DROP` 的源区域,将丢弃所有的包,甚至是白名单中的包。遗憾的是,在 RHEL7 和它的衍生版中打包的这个版本的 firewalld,使它成为一个相当常见的 
bug。本文中的示例避免了可能出现这种行为的情况。 +### 优先权 + +活动区域中执行两个不同的规则。关联接口行为的区域作为接口区域,并且,关联源行为的区域作为源区域(一个区域两个规则都可以执行)。Firewalld 按下列顺序处理一个包: + +1. 相应的源区域。可以存在零个或一个这样的区域。如果这个包满足一个富规则(rich rule)、服务是白名单中的、或者目标没有定义,那么源区域处理这个包,并且在这里结束。否则,向上传递这个包。 + +2. 相应的接口区域。有一个完全匹配的区域已经存在。则接口处理这个包,并且到这里结束。否则,向上传递这个包。 + +3. firewalld 定义的动作。通过 icmp 包和拒绝一切。 + +这里的关键信息是,源区域优先于接口区域。因此,对于多区域的 firewalld 配置的一般设计模式是去创建一个优先源区域去允许指定的 IP 提升对系统服务的访问,和一个限制性接口区域去限制任何的访问。 + +### 一个简单的多区域示例 + +为演示优先权,让我们在公共区域中将 http 替换成 ssh,并且为我们喜欢的 IP 地址,如 1.1.1.1,设置一个默认的 internal 区域。以下的命令完成这个任务: + +``` + +# firewall-cmd --permanent --zone=public --remove-service=ssh +# firewall-cmd --permanent --zone=public --add-service=http +# firewall-cmd --permanent --zone=internal --add-source=1.1.1.1 +# firewall-cmd --reload + +``` + +这些命令的结果是生成如下的配置: + +``` + +# firewall-cmd --zone=public --list-all +public (default, active) + interfaces: eno1 eno2 + sources: + services: dhcpv6-client http + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +# firewall-cmd --permanent --zone=public --get-target +default +# firewall-cmd --zone=internal --list-all +internal (active) + interfaces: + sources: 1.1.1.1 + services: dhcpv6-client mdns samba-client ssh + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +# firewall-cmd --permanent --zone=internal --get-target +default + +``` + +在上面的配置中,如果有人尝试从 1.1.1.1 去 `ssh`,这个请求将会成功,因为这个源区域(internal)被首先应用,并且它允许 ssh 访问。 + +如果有人尝试从其它的地址,如 2.2.2.2,去访问 ssh,它不是这个源区域的,因为和这个源区域不匹配。因此,这个请求被直接转到接口区域(public),它没有显式处理 ssh,因为,公共的目标是 `default`,这个请求被传递到默认动作,它将被拒绝。 + +如果 1.1.1.1 尝试进行 http 访问会怎样?源区域(internal)不允许它,但是,目标是 `default`,因此,请求将传递到接口区域(public),它被允许访问。 + +现在,让我们假设有人从 3.3.3.3 拖你的网站。去限制从那个 IP 的访问,简单地增加它到预定义的丢弃区域,并适当地为它命名,因为它将丢弃所有的连接: + +``` + +# firewall-cmd --permanent --zone=drop --add-source=3.3.3.3 +# firewall-cmd --reload + +``` + +下一次 3.3.3.3 尝试去访问你的网站,firewalld 将转发请求到源区域(drop)。因为目标是 `DROP`,请求将被拒绝,并且它不会被转发到接口区域(public)。 + +### 一个实用的多区域示例 + +假设你为你的组织的一台服务器配置防火墙。你希望允许全世界使用 http 和 
https 的访问,你的组织(1.1.0.0/16)和工作组(1.1.1.0/8)使用 ssh 访问,并且你的工作组可以访问 samba 服务。使用 firewalld 中的区域,我可以用一个很直观的方式去实现这个配置。 + +给它们命名,它的逻辑似乎是,为全世界访问指定为公共区域,并且,为本地使用指定为内部区域。从在公共区域内设置使用 http 和 https 的 dhcpv6-client 和 ssh 服务来开始: + +``` + +# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client +# firewall-cmd --permanent --zone=public --remove-service=ssh +# firewall-cmd --permanent --zone=public --add-service=http +# firewall-cmd --permanent --zone=public --add-service=https + +``` + +然后,取消内部区域的 mdns、samba-client 和 dhcpv6-client 服务(仅保留 ssh),并增加你的组织为源: + +``` + +# firewall-cmd --permanent --zone=internal --remove-service=mdns +# firewall-cmd --permanent --zone=internal --remove-service=samba-client +# firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client +# firewall-cmd --permanent --zone=internal --add-source=1.1.0.0/16 + +``` + +为容纳你提升的 samba 的权限,增加一个富规则: + +``` + +# firewall-cmd --permanent --zone=internal --add-rich-rule='rule + ↪family=ipv4 source address="1.1.1.0/8" service name="samba" + ↪accept' + +``` + +最后,重新加载,拉这些变化到会话中: + +``` + +# firewall-cmd --reload + +``` + +仅剩下少数的细节了。从一个内部区域以外的 IP 去尝试通过 `ssh` 到你的服务器,结果是回复一个拒绝的消息。它是 firewalld 默认的。更为安全的作法是去显示无效的 IP 行为并断开连接。改变公共区的目标为 `DROP`,而不是 `default` 来实现它: + +``` + +# firewall-cmd --permanent --zone=public --set-target=DROP +# firewall-cmd --reload + +``` + +但是,等等,你不再可以 ping 了,甚至是从内部区域!并且 icmp (ping 使用的协议)并没有在 firewalld 的服务白名单中列出 。那是因为,icmp 是第 3 层的 IP 协议,它没有端口的概念,不像那些捆绑了端口的服务。在设置公共区域为 `DROP` 之前,ping 能够通过防火墙是因为你的 `default` 目标通过它到防火墙的默认(default),是它允许它通过的。现在它已经被删除了。 + +为恢复内部网络的 ping,去使用一个富规则: + +``` + +# firewall-cmd --permanent --zone=internal --add-rich-rule='rule + ↪protocol value="icmp" accept' +# firewall-cmd --reload + +``` + +结果如下,这里是两个活动区域的配置: + +``` + +# firewall-cmd --zone=public --list-all +public (default, active) + interfaces: eno1 eno2 + sources: + services: http https + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: +# firewall-cmd --permanent --zone=public 
--get-target +DROP +# firewall-cmd --zone=internal --list-all +internal (active) + interfaces: + sources: 1.1.0.0/16 + services: ssh + ports: + masquerade: no + forward-ports: + icmp-blocks: + rich rules: + rule family=ipv4 source address="1.1.1.0/8" + ↪service name="samba" accept + rule protocol value="icmp" accept +# firewall-cmd --permanent --zone=internal --get-target +default + +``` + +这个设置演示了一个三层嵌套的防火墙。最外层,public,是一个接口区域并且包含全世界的访问。紧接着的一层,internal,是一个源区域,并且包含你的组织,它是 public 的一个子集。最后,一个富规则增加到最内层,包含你的工作组,它是 internal 的一个子集。 + +这里的关键信息是,当在一个场景中可以突破嵌套层,最外层将使用接口区域,接下来的将使用一个源区域,并且在源区域中额外使用富规则。 + +### 调试 + +采用直观范式设计的一个防火墙 Firewalld,比它的前任 iptables 更容易产生歧义。将会有无法预料的行为发生,或者无法很好地去理解 firewalld 是怎么去工作的,去获取描述 netfilter 配置的操作是怎么运行的是非常有用的。前一个示例的输出如下,为了简单起见,将输出和日志进行了修剪: + +``` + +# iptables -S +-P INPUT ACCEPT +... (forward and output lines) ... +-N INPUT_ZONES +-N INPUT_ZONES_SOURCE +-N INPUT_direct +-N IN_internal +-N IN_internal_allow +-N IN_internal_deny +-N IN_public +-N IN_public_allow +-N IN_public_deny +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT +-A INPUT -i lo -j ACCEPT +-A INPUT -j INPUT_ZONES_SOURCE +-A INPUT -j INPUT_ZONES +-A INPUT -p icmp -j ACCEPT +-A INPUT -m conntrack --ctstate INVALID -j DROP +-A INPUT -j REJECT --reject-with icmp-host-prohibited +... (forward and output lines) ... 
+-A INPUT_ZONES -i eno1 -j IN_public +-A INPUT_ZONES -i eno2 -j IN_public +-A INPUT_ZONES -j IN_public +-A INPUT_ZONES_SOURCE -s 1.1.0.0/16 -g IN_internal +-A IN_internal -j IN_internal_deny +-A IN_internal -j IN_internal_allow +-A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack + ↪--ctstate NEW -j ACCEPT +-A IN_internal_allow -s 1.1.1.0/8 -p udp -m udp --dport 137 + ↪-m conntrack --ctstate NEW -j ACCEPT +-A IN_internal_allow -s 1.1.1.0/8 -p udp -m udp --dport 138 + ↪-m conntrack --ctstate NEW -j ACCEPT +-A IN_internal_allow -s 1.1.1.0/8 -p tcp -m tcp --dport 139 + ↪-m conntrack --ctstate NEW -j ACCEPT +-A IN_internal_allow -s 1.1.1.0/8 -p tcp -m tcp --dport 445 + ↪-m conntrack --ctstate NEW -j ACCEPT +-A IN_internal_allow -p icmp -m conntrack --ctstate NEW + ↪-j ACCEPT +-A IN_public -j IN_public_deny +-A IN_public -j IN_public_allow +-A IN_public -j DROP +-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack + ↪--ctstate NEW -j ACCEPT +-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack + ↪--ctstate NEW -j ACCEPT + +``` + +在上面的 iptables 输出中,新的链(以 `-N` 开始的行)是被首先声明的。剩下的规则是附加到(以 `-A` 开始的行) iptables 中的。维护连接和本地流量是允许的,并且入站包被转到 `INPUT_ZONES_SOURCE` 链,在那个时间点如果存在相应的区域,IPs 将被发送到那个区域。从那之后,流量被转到 `INPUT_ZONES` 链,在那个时间点开始,它被路由到一个接口区域。如果在那里它没有被处理,icmp 是通过的,无效的被丢弃,并且其余的都被拒绝。 + +### 结论 + +Firewalld 是一个文档化的防火墙配置工具,它的功能远比大多数人认识到的更为强大。以创新的区域范式,firewalld 允许系统管理员去分解流量到每个唯一处理它的分类中,简化了配置过程。因为它直观的设计和语法,它在实践中不但被用于简单的单一区域中也被用于复杂的多区域配置中。 + +-------------------------------------------------------------------------------- + +via: https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations?page=0,0 + +作者:[ Nathan Vance][a] +译者:[qhwdw](https://github.com/qhwdw) +校对:[校对者ID](https://github.com/校对者ID) + +本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 + +[a]:https://www.linuxjournal.com/users/nathan-vance +[1]:https://www.linuxjournal.com/tag/firewalls +[2]:https://www.linuxjournal.com/tag/howtos 
+[3]:https://www.linuxjournal.com/tag/networking +[4]:https://www.linuxjournal.com/tag/security +[5]:https://www.linuxjournal.com/tag/sysadmin +[6]:https://www.linuxjournal.com/users/william-f-polik +[7]:https://www.linuxjournal.com/users/nathan-vance From f3a51bee46393f4689f05a76dfb0e78e0fcefa09 Mon Sep 17 00:00:00 2001 From: qhwdw <33189910+qhwdw@users.noreply.github.com> Date: Tue, 21 Nov 2017 14:51:53 +0800 Subject: [PATCH 2/3] Translated by qhwdw Translated by qhwdw --- ... Firewalld in Multi-Zone Configurations.md | 412 ------------------ 1 file changed, 412 deletions(-) delete mode 100644 sources/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md diff --git a/sources/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md b/sources/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md deleted file mode 100644 index 51d00e7f89..0000000000 --- a/sources/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md +++ /dev/null 
@@ -1,412 +0,0 @@ -Translating by qhwdw Understanding Firewalld in Multi-Zone Configurations -============================================================ - -Stories of compromised servers and data theft fill today's news. It isn't difficult for someone who has read an informative blog post to access a system via a misconfigured service, take advantage of a recently exposed vulnerability or gain control using a stolen password. Any of the many internet services found on a typical Linux server could harbor a vulnerability that grants unauthorized access to the system. - -Since it's an impossible task to harden a system at the application level against every possible threat, firewalls provide security by limiting access to a system. Firewalls filter incoming packets based on their IP of origin, their destination port and their protocol. This way, only a few IP/port/protocol combinations interact with the system, and the rest do not. - -Linux firewalls are handled by netfilter, which is a kernel-level framework. For more than a decade, iptables has provided the userland abstraction layer for netfilter. iptables subjects packets to a gauntlet of rules, and if the IP/port/protocol combination of the rule matches the packet, the rule is applied causing the packet to be accepted, rejected or dropped. - -Firewalld is a newer userland abstraction layer for netfilter. Unfortunately, its power and flexibility are underappreciated due to a lack of documentation describing multi-zoned configurations. This article provides examples to remedy this situation. - -### Firewalld Design Goals - -# - -The designers of firewalld realized that most iptables usage cases involve only a few unique IP sources, for each of which a whitelist of services is allowed and the rest are denied. To take advantage of this pattern, firewalld categorizes incoming traffic into zones defined by the source IP and/or network interface. 
Each zone has its own configuration to accept or deny packets based on specified criteria. - -Another improvement over iptables is a simplified syntax. Firewalld makes it easier to specify services by using the name of the service rather than its port(s) and protocol(s)—for example, samba rather than UDP ports 137 and 138 and TCP ports 139 and 445\. It further simplifies syntax by removing the dependence on the order of statements as was the case for iptables. - -Finally, firewalld enables the interactive modification of netfilter, allowing a change in the firewall to occur independently of the permanent configuration stored in XML. Thus, the following is a temporary modification that will be overwritten by the next reload: - -``` - -# firewall-cmd - -``` - -And, the following is a permanent change that persists across reboots: - -``` - -# firewall-cmd --permanent -# firewall-cmd --reload -``` - -### Zones - -The top layer of organization in firewalld is zones. A packet is part of a zone if it matches that zone's associated network interface or IP/mask source. Several predefined zones are available: - -``` - -# firewall-cmd --get-zones -block dmz drop external home internal public trusted work - -``` - -An active zone is any zone that is configured with an interface and/or a source. To list active zones: - -``` - -# firewall-cmd --get-active-zones -public - interfaces: eno1 eno2 - -``` - -**Interfaces** are the system's names for hardware and virtual network adapters, as you can see in the above example. All active interfaces will be assigned to zones, either to the default zone or to a user-specified one. However, an interface cannot be assigned to more than one zone. - -In its default configuration, firewalld pairs all interfaces with the public zone and doesn't set up sources for any zones. As a result, public is the only active zone. - -**Sources** are incoming IP address ranges, which also can be assigned to zones. 
A source (or overlapping sources) cannot be assigned to multiple zones. Doing so results in undefined behavior, as it would not be clear which rules should be applied to that source. - -Since specifying a source is not required, for every packet there will be a zone with a matching interface, but there won't necessarily be a zone with a matching source. This indicates some form of precedence with priority going to the more specific source zones, but more on that later. First, let's inspect how the public zone is configured: - -``` - -# firewall-cmd --zone=public --list-all -public (default, active) - interfaces: eno1 eno2 - sources: - services: dhcpv6-client ssh - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: -# firewall-cmd --permanent --zone=public --get-target -default - -``` - -Going line by line through the output: - -* `public (default, active)` indicates that the public zone is the default zone (interfaces default to it when they come up), and it is active because it has at least one interface or source associated with it. - -* `interfaces: eno1 eno2` lists the interfaces associated with the zone. - -* `sources:` lists the sources for the zone. There aren't any now, but if there were, they would be of the form xxx.xxx.xxx.xxx/xx. - -* `services: dhcpv6-client ssh` lists the services allowed through the firewall. You can get an exhaustive list of firewalld's defined services by executing `firewall-cmd --get-services`. - -* `ports:` lists port destinations allowed through the firewall. This is useful if you need to allow a service that isn't defined in firewalld. - -* `masquerade: no` indicates that IP masquerading is disabled for this zone. If enabled, this would allow IP forwarding, with your computer acting as a router. - -* `forward-ports:` lists ports that are forwarded. - -* `icmp-blocks:` a blacklist of blocked icmp traffic. - -* `rich rules:` advanced configurations, processed first in a zone. 
- -* `default` is the target of the zone, which determines the action taken on a packet that matches the zone yet isn't explicitly handled by one of the above settings. - -### A Simple Single-Zoned Example - -Say you just want to lock down your firewall. Simply remove the services currently allowed by the public zone and reload: - -``` - -# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client -# firewall-cmd --permanent --zone=public --remove-service=ssh -# firewall-cmd --reload - -``` - -These commands result in the following firewall: - -``` - -# firewall-cmd --zone=public --list-all -public (default, active) - interfaces: eno1 eno2 - sources: - services: - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: -# firewall-cmd --permanent --zone=public --get-target -default - -``` - -In the spirit of keeping security as tight as possible, if a situation arises where you need to open a temporary hole in your firewall (perhaps for ssh), you can add the service to just the current session (omit `--permanent`) and instruct firewalld to revert the modification after a specified amount of time: - -``` - -# firewall-cmd --zone=public --add-service=ssh --timeout=5m - -``` - -The timeout option takes time values in seconds (s), minutes (m) or hours (h). - -### Targets - -When a zone processes a packet due to its source or interface, but there is no rule that explicitly handles the packet, the target of the zone determines the behavior: - -* `ACCEPT`: accept the packet. - -* `%%REJECT%%`: reject the packet, returning a reject reply. - -* `DROP`: drop the packet, returning no reply. - -* `default`: don't do anything. The zone washes its hands of the problem, and kicks it "upstairs". - -There was a bug present in firewalld 0.3.9 (fixed in 0.3.10) for source zones with targets other than `default` in which the target was applied regardless of allowed services. 
For example, a source zone with the target `DROP` would drop all packets, even if they were whitelisted. Unfortunately, this version of firewalld was packaged for RHEL7 and its derivatives, causing it to be a fairly common bug. The examples in this article avoid situations that would manifest this behavior. - -### Precedence - -Active zones fulfill two different roles. Zones with associated interface(s) act as interface zones, and zones with associated source(s) act as source zones (a zone could fulfill both roles). Firewalld handles a packet in the following order: - -1. The corresponding source zone. Zero or one such zones may exist. If the source zone deals with the packet because the packet satisfies a rich rule, the service is whitelisted, or the target is not default, we end here. Otherwise, we pass the packet on. - -2. The corresponding interface zone. Exactly one such zone will always exist. If the interface zone deals with the packet, we end here. Otherwise, we pass the packet on. - -3. The firewalld default action. Accept icmp packets and reject everything else. - -The take-away message is that source zones have precedence over interface zones. Therefore, the general design pattern for multi-zoned firewalld configurations is to create a privileged source zone to allow specific IP's elevated access to system services and a restrictive interface zone to limit the access of everyone else. - -### A Simple Multi-Zoned Example - -To demonstrate precedence, let's swap ssh for http in the public zone and set up the default internal zone for our favorite IP address, 1.1.1.1\. 
The following commands accomplish this task: - -``` - -# firewall-cmd --permanent --zone=public --remove-service=ssh -# firewall-cmd --permanent --zone=public --add-service=http -# firewall-cmd --permanent --zone=internal --add-source=1.1.1.1 -# firewall-cmd --reload - -``` - -which results in the following configuration: - -``` - -# firewall-cmd --zone=public --list-all -public (default, active) - interfaces: eno1 eno2 - sources: - services: dhcpv6-client http - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: -# firewall-cmd --permanent --zone=public --get-target -default -# firewall-cmd --zone=internal --list-all -internal (active) - interfaces: - sources: 1.1.1.1 - services: dhcpv6-client mdns samba-client ssh - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: -# firewall-cmd --permanent --zone=internal --get-target -default - -``` - -With the above configuration, if someone attempts to `ssh` in from 1.1.1.1, the request would succeed because the source zone (internal) is applied first, and it allows ssh access. - -If someone attempts to `ssh` from somewhere else, say 2.2.2.2, there wouldn't be a source zone, because no zones match that source. Therefore, the request would pass directly to the interface zone (public), which does not explicitly handle ssh. Since public's target is `default`, the request passes to the firewalld default action, which is to reject it. - -What if 1.1.1.1 attempts http access? The source zone (internal) doesn't allow it, but the target is `default`, so the request passes to the interface zone (public), which grants access. - -Now let's suppose someone from 3.3.3.3 is trolling your website. 
To restrict access for that IP, simply add it to the preconfigured drop zone, aptly named because it drops all connections: - -``` - -# firewall-cmd --permanent --zone=drop --add-source=3.3.3.3 -# firewall-cmd --reload - -``` - -The next time 3.3.3.3 attempts to access your website, firewalld will send the request first to the source zone (drop). Since the target is `DROP`, the request will be denied and won't make it to the interface zone (public) to be accepted. - -### A Practical Multi-Zoned Example - -Suppose you are setting up a firewall for a server at your organization. You want the entire world to have http and https access, your organization (1.1.0.0/16) and workgroup (1.1.1.0/8) to have ssh access, and your workgroup to have samba access. Using zones in firewalld, you can set up this configuration in an intuitive manner. - -Given the naming, it seems logical to commandeer the public zone for your world-wide purposes and the internal zone for local use. Start by replacing the dhcpv6-client and ssh services in the public zone with http and https: - -``` - -# firewall-cmd --permanent --zone=public --remove-service=dhcpv6-client -# firewall-cmd --permanent --zone=public --remove-service=ssh -# firewall-cmd --permanent --zone=public --add-service=http -# firewall-cmd --permanent --zone=public --add-service=https - -``` - -Then trim mdns, samba-client and dhcpv6-client out of the internal zone (leaving only ssh) and add your organization as the source: - -``` - -# firewall-cmd --permanent --zone=internal --remove-service=mdns -# firewall-cmd --permanent --zone=internal --remove-service=samba-client -# firewall-cmd --permanent --zone=internal --remove-service=dhcpv6-client -# firewall-cmd --permanent --zone=internal --add-source=1.1.0.0/16 - -``` - -To accommodate your elevated workgroup samba privileges, add a rich rule: - -``` - -# firewall-cmd --permanent --zone=internal --add-rich-rule='rule - ↪family=ipv4 source address="1.1.1.0/8" service name="samba" - 
↪accept' - -``` - -Finally, reload, pulling the changes into the active session: - -``` - -# firewall-cmd --reload - -``` - -Only a few more details remain. Attempting to `ssh` in to your server from an IP outside the internal zone results in a reject message, which is the firewalld default. It is more secure to exhibit the behavior of an inactive IP and instead drop the connection. Change the public zone's target to `DROP`rather than `default` to accomplish this: - -``` - -# firewall-cmd --permanent --zone=public --set-target=DROP -# firewall-cmd --reload - -``` - -But wait, you no longer can ping, even from the internal zone! And icmp (the protocol ping goes over) isn't on the list of services that firewalld can whitelist. That's because icmp is an IP layer 3 protocol and has no concept of a port, unlike services that are tied to ports. Before setting the public zone to `DROP`, pinging could pass through the firewall because both of your `default` targets passed it on to the firewalld default, which allowed it. Now it's dropped. 
- -To restore pinging to the internal network, use a rich rule: - -``` - -# firewall-cmd --permanent --zone=internal --add-rich-rule='rule - ↪protocol value="icmp" accept' -# firewall-cmd --reload - -``` - -In summary, here's the configuration for the two active zones: - -``` - -# firewall-cmd --zone=public --list-all -public (default, active) - interfaces: eno1 eno2 - sources: - services: http https - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: -# firewall-cmd --permanent --zone=public --get-target -DROP -# firewall-cmd --zone=internal --list-all -internal (active) - interfaces: - sources: 1.1.0.0/16 - services: ssh - ports: - masquerade: no - forward-ports: - icmp-blocks: - rich rules: - rule family=ipv4 source address="1.1.1.0/8" - ↪service name="samba" accept - rule protocol value="icmp" accept -# firewall-cmd --permanent --zone=internal --get-target -default - -``` - -This setup demonstrates a three-layer nested firewall. The outermost layer, public, is an interface zone and spans the entire world. The next layer, internal, is a source zone and spans your organization, which is a subset of public. Finally, a rich rule adds the innermost layer spanning your workgroup, which is a subset of internal. - -The take-away message here is that when a scenario can be broken into nested layers, the broadest layer should use an interface zone, the next layer should use a source zone, and additional layers should use rich rules within the source zone. - -### Debugging - -Firewalld employs intuitive paradigms for designing a firewall, yet gives rise to ambiguity much more easily than its predecessor, iptables. Should unexpected behavior occur, or to understand better how firewalld works, it can be useful to obtain an iptables description of how netfilter has been configured to operate. Output for the previous example follows, with forward, output and logging lines trimmed for simplicity: - -``` - -# iptables -S --P INPUT ACCEPT -... 
(forward and output lines) ... --N INPUT_ZONES --N INPUT_ZONES_SOURCE --N INPUT_direct --N IN_internal --N IN_internal_allow --N IN_internal_deny --N IN_public --N IN_public_allow --N IN_public_deny --A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT --A INPUT -i lo -j ACCEPT --A INPUT -j INPUT_ZONES_SOURCE --A INPUT -j INPUT_ZONES --A INPUT -p icmp -j ACCEPT --A INPUT -m conntrack --ctstate INVALID -j DROP --A INPUT -j REJECT --reject-with icmp-host-prohibited -... (forward and output lines) ... --A INPUT_ZONES -i eno1 -j IN_public --A INPUT_ZONES -i eno2 -j IN_public --A INPUT_ZONES -j IN_public --A INPUT_ZONES_SOURCE -s 1.1.0.0/16 -g IN_internal --A IN_internal -j IN_internal_deny --A IN_internal -j IN_internal_allow --A IN_internal_allow -p tcp -m tcp --dport 22 -m conntrack - ↪--ctstate NEW -j ACCEPT --A IN_internal_allow -s 1.1.1.0/8 -p udp -m udp --dport 137 - ↪-m conntrack --ctstate NEW -j ACCEPT --A IN_internal_allow -s 1.1.1.0/8 -p udp -m udp --dport 138 - ↪-m conntrack --ctstate NEW -j ACCEPT --A IN_internal_allow -s 1.1.1.0/8 -p tcp -m tcp --dport 139 - ↪-m conntrack --ctstate NEW -j ACCEPT --A IN_internal_allow -s 1.1.1.0/8 -p tcp -m tcp --dport 445 - ↪-m conntrack --ctstate NEW -j ACCEPT --A IN_internal_allow -p icmp -m conntrack --ctstate NEW - ↪-j ACCEPT --A IN_public -j IN_public_deny --A IN_public -j IN_public_allow --A IN_public -j DROP --A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack - ↪--ctstate NEW -j ACCEPT --A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack - ↪--ctstate NEW -j ACCEPT - -``` - -In the above iptables output, new chains (lines starting with `-N`) are first declared. The rest are rules appended (starting with `-A`) to iptables. Established connections and local traffic are accepted, and incoming packets go to the `INPUT_ZONES_SOURCE` chain, at which point IPs are sent to the corresponding zone, if one exists. 
After that, traffic goes to the `INPUT_ZONES` chain, at which point it is routed to an interface zone. If it isn't handled there, icmp is accepted, invalids are dropped, and everything else is rejected. - -### Conclusion - -Firewalld is an under-documented firewall configuration tool with more potential than many people realize. With its innovative paradigm of zones, firewalld allows the system administrator to break up traffic into categories where each receives a unique treatment, simplifying the configuration process. Because of its intuitive design and syntax, it is practical for both simple single-zoned and complex multi-zoned configurations. - --------------------------------------------------------------------------------- - -via: https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations?page=0,0 - -作者:[ Nathan Vance][a] -译者:[runningwater](https://github.com/runningwater) -校对:[校对者ID](https://github.com/校对者ID) - -本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出 - -[a]:https://www.linuxjournal.com/users/nathan-vance -[1]:https://www.linuxjournal.com/tag/firewalls -[2]:https://www.linuxjournal.com/tag/howtos -[3]:https://www.linuxjournal.com/tag/networking -[4]:https://www.linuxjournal.com/tag/security -[5]:https://www.linuxjournal.com/tag/sysadmin -[6]:https://www.linuxjournal.com/users/william-f-polik -[7]:https://www.linuxjournal.com/users/nathan-vance From 16288f999907f502c26ea6cf7d7b2051359a94b5 Mon Sep 17 00:00:00 2001 From: qhwdw <33189910+qhwdw@users.noreply.github.com> Date: Tue, 21 Nov 2017 15:06:45 +0800 Subject: [PATCH 3/3] Translating by qhwdw Translating by qhwdw --- ...o Linux App Is a Handy Tool for Every Level of Linux User.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/sources/tech/20170825 Guide to Linux App Is a Handy Tool for Every Level of Linux User.md b/sources/tech/20170825 Guide to Linux App Is a Handy Tool for Every Level of Linux User.md index 16911e7c55..6f7d28484e 100644 --- a/sources/tech/20170825 Guide to Linux App Is a Handy Tool for Every Level of Linux User.md +++ b/sources/tech/20170825 Guide to Linux App Is a Handy Tool for Every Level of Linux User.md @@ -1,4 +1,4 @@ -Guide to Linux App Is a Handy Tool for Every Level of Linux User +Translating by qhwdw Guide to Linux App Is a Handy Tool for Every Level of Linux User ============================================================ ![Guide to Linux](https://www.linux.com/sites/lcom/files/styles/rendered_file/public/guide-to-linux.png?itok=AAcrxjjc "Guide to Linux")
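Review bot: In patch 1 (translated/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md) several sentences invert the meaning of the English source that patch 2 deletes, and two of them contradict the commands printed right beside them. In the multi-zone example, `为演示优先权,让我们在公共区域中将 http 替换成 ssh` says http is replaced by ssh, while the block below runs `--remove-service=ssh` and `--add-service=http`; the source reads "swap ssh for http", so this should be 将 ssh 替换成 http. In the conclusion, `Firewalld 是一个文档化的防火墙配置工具` drops the negation of "under-documented" and now contradicts the introduction's 由于缺乏描述多区域配置的文档. In the precedence list, step 1's `或者目标没有定义` renders "or the target is not default" (it should say the target is not `default`), and step 2's 有一个完全匹配的区域已经存在 renders "Exactly one such zone will always exist", which is the whole point of that step. The practical example's opening 从在公共区域内设置使用 http 和 https 的 dhcpv6-client 和 ssh 服务来开始 garbles "replacing the dhcpv6-client and ssh services with http and https". Smaller typos to catch in the same pass: LInux, 这并不是件困难是事情, 下面的的临时修改, 这的目标都会被应用. Suggest a sentence-by-sentence comparison against the English file before this goes to 校对; the 校对者ID placeholder can stay until a proofreader is assigned.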
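Review bot: Patch 2 deletes sources/tech/20170202 Understanding Firewalld in Multi-Zone Configurations.md in a separate commit from the one that adds the translation, and both commits carry the identical message "Translated by qhwdw", so after commit 1 the tree holds the article in both sources/tech and translated/tech, and the history never shows this as a move. Squash patches 1 and 2 into one commit (git will then record the rename, with the translation as its diff) and name the article in the subject, for example "Translated: 20170202 Understanding Firewalld in Multi-Zone Configurations", so the log is searchable. For the record, the 412 deleted lines against the 411-line translation are consistent with only the `Translating by qhwdw` marker line dropping out, so nothing else appears to be lost in the move.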
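Review bot: Patch 3 puts the in-progress marker on the title line itself rather than on a line of its own. The hunk header `@@ -1,4 +1,4 @@` with one deletion and one insertion shows the first line was rewritten to `Translating by qhwdw Guide to Linux App Is a Handy Tool for Every Level of Linux User`, and with the `====` underline directly beneath it the marker is now part of the rendered H1. The firewalld source removed in patch 2 carried the marker as a separate line (412 lines against the 411-line translation), so follow that here too: insert `Translating by qhwdw` as its own line above the title, which keeps the heading intact and makes the marker trivial to strip when the translation lands.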