I-firewall manje isiphenduke elinye lamathuluzi ayisisekelo okuphepha kunoma iyiphi ikhompyutha, kungaba ekhaya noma ebhizinisini. Ukucushwa kwayo kaningi akulula Futhi kungaba yikhanda kubasebenzisi abangenawo amava. Ukusiza kulo msebenzi kunamathuluzi afana ne-UWF (Uncomplicated Firewall) azama lula ukuphathwa komthetho we-firewall weqembu.
I-UWF i-iptables front-end elungele kahle amaseva futhi empeleni, ithuluzi lokumisa elizenzakalelayo ku-Ubuntu Linux. Ukuthuthuka kwayo kwenziwa ngomqondo wokudala uhlelo lokusebenza olulula nolusebenziseka kalula futhi bekulokhu kunjalo. Ukudala imithetho yamakheli we-IPv4 ne-IPv6 akukaze kube lula kangako. Esifundweni esikubonisa sona ngezansi, sizokufundisa ukusebenzisa imiyalo eyisisekelo ye-UWF ukumisa imithetho ejwayelekile ongayidinga ku-firewall yakho.
Imisebenzi eyisisekelo esingayenza ku-firewall yohlelo ihlukahlukene kakhulu futhi ifaka phakathi ukuvimba ikheli elithile le-IP noma itheku ukuvumela ithrafikhi kuphela kusuka ku-subnet ethile. Manje sizobuyekeza ezifanele kakhulu sisebenzisa imiyalo edingekayo yokuncenga i-UWF, yebo, njalo kusuka esigungwini sohlelo:
Vimba ikheli elithile le-IP nge-UWF
I-syntax eyisisekelo okufanele siyethule yile elandelayo:
sudo ufw deny from {dirección-ip} to any
Ukuvimba noma ukuvimbela ukudlula kwawo wonke amaphakethe ekheli elithile le-IP sizokwethula:
sudo ufw deny from {dirección-ip} to any
Khombisa isimo se-firewall nemithetho yaso
Singayiqinisekisa imithetho emisha esisanda kuyethula ngomusho olandelayo:
$ sudo ufw status numbered
Noma ngomyalo olandelayo:
$ sudo ufw status
Ukuvinjwa okuqondile kwekheli elithile le-IP noma itheku
Isi syntax kuleli cala kungaba okulandelayo:
ufw deny from {dirección-ip} to any port {número-puerto}
Futhi, uma sifuna ukuqinisekisa imithetho sizoyenza ngomyalo olandelayo:
$ sudo ufw status numbered
Isibonelo sokukhishwa okuzonikezwa yilo myalo yilokhu okulandelayo:
Isimo: kuyasetshenzelwa kusenzelwa kusuka - ------ ---- [1] 192.168.1.10 80 / tcp VUMELELA noma ikuphi [2] 192.168.1.10 22 / tcp VUMELA Noma kuphi [3] Nomaphi DENY 192.168.1.20 [4] 80 PHIKA NGO-202.54.1.5
Vimba ikheli elithile le-IP, ichweba, nohlobo lwephrothokholi
Ukuze uvimbele ikheli elithile le-IP, itheku kanye / noma uhlobo lomthetho olandelwayo kukhompyutha yakho, kufanele ufake umyalo olandelayo:
sudo ufw deny proto {tcp|udp} from {dirección-ip} to any port {número-puerto}
Isibonelo, uma ngabe besithola ukuhlaselwa okuvela ku- hacker Kusuka kukheli le-IP 202.54.1.1, kudlulela ethekwini 22 nangaphansi komthetho olandelwayo we-TCP, isigwebo esizofakwa kungaba okulandelayo:
$ sudo ufw deny proto tcp from 202.54.1.1 to any port 22 $ sudo ufw status numbered
Ukuvimba i-subnet
Kuleli cala elithile i-syntax ifana kakhulu namacala angaphambilini, qaphela:
$ sudo ufw deny proto tcp from sub/net to any port 22 $ sudo ufw deny proto tcp from 202.54.1.0/24 to any port 22
Vulela ikheli le-IP noma susa umthetho
Uma ungasafuni ukuvimba ikheli le-IP ngaphakathi kohlelo lwakho noma umane wadideka lapho ufaka umthetho, zama umyalo olandelayo:
$ sudo ufw status numbered $ sudo ufw delete NUM
Isibonelo, uma sifuna ukususa umthetho wenombolo 4, kufanele sifake umyalo ngale ndlela elandelayo:
$ sudo ufw delete 4
Njengomphumela womyalo ofakiwe, sizothola umlayezo esikrinini ofana nokulandelayo esikukhombisa wona:
Iyasusa:
deni kusuka ku-202.54.1.5 kunoma iyiphi ichweba 80
Qhubeka nokusebenza (y | n)? y
Umthetho ususiwe
Ungayenza kanjani i-UWF ingavimbeli ikheli le-IP
Imithetho i-UWF (noma i-iptables, kuya ngokuthi uyibuka kanjani) iyasebenza zihlala zilandela i-oda lakho futhi zenziwa ngokushesha nje lapho umdlalo uvela. Ngakho-ke, ngokwesibonelo, uma umthetho uvumela ikhompyutha enekheli elithile le-IP ukuxhuma kukhompyutha yethu nge-port 22 nangephrothokholi ye-TCP (yithi, sudo ufw vumela i-22), futhi kamuva kunomthetho omusha ovimba ngqo ikheli elithile le-IP ethekwini elifanayo 22 (ngokwesibonelo ufw yenqaba i-proto tcp kusuka ku-192.168.1.2 kunoma iyiphi i-port 22), umthetho osetshenziswe kuqala yilowo ovumela ukufinyelela ku-port 22 futhi kamuva, lowo ovimba lelo chweba ku-IP ekhonjisiwe, cha. Kungenxa yalokho ukuhleleka kwemithetho kuyisinqumo esinqumayo lapho kulungiswa i-firewall yomshini.
Uma sifuna ukuvimbela le nkinga ukuthi ingenzeki, singahlela ifayela elitholakala ku- /etc/ufw/before.rules futhi, ngaphakathi kwalo, engeza isigaba esifana nokuthi "Vimba ikheli le-IP", ngemuva nje komugqa okhombisa ukuphela kolayini ofanayo "# End edingekayo".
Umhlahlandlela esikulungiselele wona uphelela lapha. Njengoba ukwazi ukubona, kusukela manje kuqhubeke futhi ngosizo lwe-UWF ukuphathwa kwe- firewall Ngeke isagxila kubaphathi bohlelo noma kubasebenzisi abaphambili.
thekelisa UWF = UFW
?