On SLES the firewall (SuSEfirewall2) is controlled through YaST.
To see the current configuration, start with the summary:
# yast2 firewall summary
Summary:
--------
Firewall Starting
-----------------
* Start firewall manually
* Firewall will not be running after writing the configuration
Unassigned Interfaces
---------------------
No network traffic is permitted through these interfaces.
* eth-id-00:30:48:ff:ff:fe
* eth-id-00:30:48:ff:ff:ff
Internal Zone
-------------
* No interface assigned to this zone.
Demilitarized Zone
------------------
* No interface assigned to this zone.
External Zone
-------------
* No interface assigned to this zone.
#
· To configure your zones (external, internal, demilitarized) we will do the following. YaST names interfaces in the eth-id-<MAC> form, so the MAC is read from ip and prefixed accordingly:
# yast2 firewall interfaces add interface=`ip a s dev eth0 | awk '/ether/{printf "eth-id-%s", $2}'` zone=INT
Adding interface eth-id-00:30:48:ff:ff:fe into zone INT...
# yast2 firewall interfaces add interface=`ip a s dev eth1 | awk '/ether/{printf "eth-id-%s", $2}'` zone=EXT
Adding interface eth-id-00:30:48:ff:ff:ff into zone EXT...
# yast2 firewall interfaces show
Network Interfaces in Firewall Zones:
-------------------------------------
Zone  Interface                  Device Name
-------------------------------------------
INT   eth-id-00:30:48:ff:ff:fe
EXT   eth-id-00:30:48:ff:ff:ff
#
· Configuring the firewall rules couldn't be easier. For a basic web and mail host the following rules should suffice (pop3 and imap are cleartext protocols; if your clients can use the TLS variants, open only pop3s and imaps):
# yast2 firewall services add zone=EXT service=http
# yast2 firewall services add zone=EXT service=smtp
# yast2 firewall services add zone=EXT service=pop3
# yast2 firewall services add zone=EXT service=pop3s
# yast2 firewall services add zone=EXT service=imap
# yast2 firewall services add zone=EXT service=imaps
# yast2 firewall services add zone=EXT udpport=53
DNS also uses TCP port 53 (for responses over 512 bytes and for zone transfers), so if this host serves DNS to the outside, open tcpport=53 as well.
Should you wish to allow SSH from the public network, rather than only over our VPN, you can add that too:
# yast2 firewall services add zone=EXT service=ssh
Custom ports can also be added with ease (e.g. sshd listening on port 22099):
# yast2 firewall services add zone=EXT tcpport=22099
· Firewall Logging
By default, logging is enabled only for the EXT zone, and only at the "critical" level for both accepted and rejected packets. For most hosts that is all that is needed.
# yast2 firewall logging show
Global Logging Settings:
------------------------
Rule Type       Value   Logging Level
--------------------------------------
Accepted        crit    Log only critical
Not accepted    crit    Log only critical
Logging Broadcast Packets:
--------------------------
Short   Zone Name            Logging Status
-------------------------------------------
INT     Internal Zone        Logging disabled
DMZ     Demilitarized Zone   Logging disabled
EXT     External Zone        Logging enabled
#
· To control the firewall's start-up we will do the following:
# yast2 firewall startup help
YaST Configuration Module firewall
-----------------------------------
Command 'startup'
Start-up settings
Options:
    show      Show current settings
    atboot    Start firewall in the boot process
    manual    Start firewall manually
    help      Print the help for this command
    verbose   Show progress information
Example:
    startup show
    startup atboot
    startup manual
#
· To set the Firewall to start on boot we can do the following:
# yast2 firewall startup atboot
Start-Up:
---------
Enabling firewall in the boot process...
#
· To disable the firewall at boot (the firewall is disabled to begin with):
# yast2 firewall startup manual
Start-Up:
---------
Removing firewall from the boot process...
#
· And finally, to check, start and stop the firewall:
# rcSuSEfirewall2 status
Checking the status of SuSEfirewall2 unused
# rcSuSEfirewall2 start
Starting Firewall Initialization (phase 2 of 2) SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
done
# rcSuSEfirewall2 status
Checking the status of SuSEfirewall2 running
# rcSuSEfirewall2 stop
Shutting down the Firewall SuSEfirewall2: Warning: ip6tables does not support state matching. Extended IPv6 support disabled.
done
# rcSuSEfirewall2 status
Checking the status of SuSEfirewall2 unused
#
Note the ip6tables warning printed on start and stop: SuSEfirewall2 could not use state matching for ip6tables on this kernel and fell back to reduced IPv6 handling, so the IPv6 rules are not equivalent to the IPv4 ones. Verify what was actually installed with iptables -L -n and ip6tables -L -n rather than relying on the YaST summary alone.
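The steps above are typed one at a time and silently accept bad input: the `awk '/ether/...'` one-liner yields an empty interface= argument for a device that reports `link/none`, and nothing confirms that the running ruleset matches what was intended. As an added example, not code from the original page or from SuSEfirewall2/YaST, the POSIX shell helpers below make the zone and service steps checkable: `eth_id` derives the eth-id-<MAC> name from `ip a s dev` output and fails when no MAC is present, `plan_zone_cmds` turns a "device zone" list into the yast2 commands while rejecting zone names other than INT, EXT and DMZ, and `audit_ext_tcp` compares the TCP ports accepted in the external-zone input chain of an `iptables -S` dump against an intended allow list. The function names, the `fake_ip` stand-in for `ip`, the sample interface output and the sample iptables dump are all constructed here, and the chain name `input_ext` is an assumption about SuSEfirewall2's ruleset; confirm it against `iptables -S` on the host before using the audit.

```shell
#!/bin/sh
# Added example, not code from the original page or from SuSEfirewall2/YaST.
# Helpers for the zone and service steps above, runnable offline against the
# constructed sample data at the bottom. The chain name "input_ext" is an
# assumption about how SuSEfirewall2 names the external-zone input chain.

# eth_id: read `ip a s dev <dev>` output on stdin and print the eth-id-<MAC>
# name YaST expects. Exits 1 if no link/ether line is present (e.g. link/none)
# instead of silently producing an empty interface= argument.
eth_id() {
    awk '/link\/ether/ { printf "eth-id-%s\n", $2; found = 1 }
         END { if (!found) exit 1 }'
}

# plan_zone_cmds: read "dev zone" pairs on stdin and print one yast2 command per
# pair. $1 is a function that prints `ip a s dev <dev>`-style output for a device
# (injected so this runs without a real NIC; on a host pass a wrapper around ip).
# Unknown zone names and devices without a MAC abort before anything is written.
plan_zone_cmds() {
    ipfn=$1
    while read -r dev zone; do
        case $zone in
            INT|EXT|DMZ) ;;
            *) echo "plan_zone_cmds: unknown zone '$zone' for $dev" >&2; return 1 ;;
        esac
        id=$("$ipfn" "$dev" | eth_id) || {
            echo "plan_zone_cmds: no link-layer address for $dev" >&2; return 1
        }
        echo "yast2 firewall interfaces add interface=$id zone=$zone"
    done
}

# audit_ext_tcp: $1 = space-separated TCP ports you intend to expose; `iptables -S`
# output on stdin. Prints "extra <port>" for accepted ports not in the list and
# "missing <port>" for intended ports with no ACCEPT rule; exits 1 if either occurs.
audit_ext_tcp() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) wanted[w[i]] = 1 }
        /^-A input_ext / && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i <= NF; i++) if ($i == "--dport") seen[$(i + 1)] = 1
        }
        END {
            rc = 0
            for (p in seen)   if (!(p in wanted)) { print "extra " p;   rc = 1 }
            for (p in wanted) if (!(p in seen))   { print "missing " p; rc = 1 }
            exit rc
        }'
}

# --- constructed sample data (not captured from a real host) -------------------

# fake_ip: stand-in for `ip a s dev <dev>`; tun0 models a device with no MAC.
fake_ip() {
    case $1 in
        eth0) printf '2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n    link/ether 00:30:48:ff:ff:fe brd ff:ff:ff:ff:ff:ff\n    inet 192.0.2.10/24 scope global eth0\n' ;;
        eth1) printf '3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 state UP\n    link/ether 00:30:48:ff:ff:ff brd ff:ff:ff:ff:ff:ff\n' ;;
        *)    printf '4: %s: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1500 state UNKNOWN\n    link/none\n' "$1" ;;
    esac
}

# A ruleset that accepts ssh (22) on EXT although the intended list below does not.
SAMPLE_IPTABLES='-P INPUT DROP
-A INPUT -i eth0 -j input_int
-A INPUT -i eth1 -j input_ext
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 25 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 53 -j ACCEPT
-A input_ext -j DROP'

# Usage: print the planned zone commands, then audit the sample ruleset against
# the web/mail allow list from the page (80, 25, 110, 995, 143, 993).
printf 'eth0 INT\neth1 EXT\n' | plan_zone_cmds fake_ip
printf '%s\n' "$SAMPLE_IPTABLES" | audit_ext_tcp "80 25 110 995 143 993" \
    || echo "audit: running ruleset differs from intended allow list" >&2
```

Run against the constructed dump, the audit reports `extra 22` (ssh is open on EXT but not intended) and `missing 110`, `missing 995`, `missing 143`, `missing 993` (the mail ports were never added), which is exactly the kind of drift between "what I typed into YaST" and "what iptables is enforcing" that the summary output above does not reveal. On a real host replace `fake_ip` with a wrapper that runs `ip a s dev "$1"` and feed `iptables -S` into `audit_ext_tcp`.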