Ipkungfu Tulemüür: Difference between revisions
From ICO wiki
Jump to navigationJump to search
No edit summary |
No edit summary |
||
| Line 46: | Line 46: | ||
Konfiguratsiooni failid asuvad kaustas /etc/ipkungfu mida on võimalik vastavalt soovile muuta.[http://www.adercon.com/ac/node/93] | Konfiguratsiooni failid asuvad kaustas /etc/ipkungfu mida on võimalik vastavalt soovile muuta.[http://www.adercon.com/ac/node/93] | ||
Ava fail /etc/ipkungfu/ipkungfu.conf [FAILI LINK] | *Ava fail /etc/ipkungfu/ipkungfu.conf [FAILI LINK] | ||
nano /etc/ipkungfu/ipkungfu.conf | nano /etc/ipkungfu/ipkungfu.conf | ||
Muudan faili vastavalt soovile. Testis tegin järgmised muudatused failis: | |||
Määran logide asukoha | *Määran logide asukoha | ||
# Set the path to ipkungfu's runtime error log. | # Set the path to ipkungfu's runtime error log. | ||
# Default: /var/log/ipkungfu.log | # Default: /var/log/ipkungfu.log | ||
IPKUNGFU_LOG= /var/log/ipconfig.log | IPKUNGFU_LOG= /var/log/ipconfig.log | ||
Määran IP vahemiku | *Määran IP vahemiku | ||
# IP Range of your internal network. Use "127.0.0.1" | # IP Range of your internal network. Use "127.0.0.1" | ||
# for a standalone machine. Default is a reasonable | # for a standalone machine. Default is a reasonable | ||
| Line 62: | Line 62: | ||
LOCAL_NET="192.168.0.0/255.255.0.0" | LOCAL_NET="192.168.0.0/255.255.0.0" | ||
Eemaldan kommentaari | *Eemaldan kommentaari | ||
# Set this to 0 for a standalone machine, or 1 for | # Set this to 0 for a standalone machine, or 1 for | ||
# a gateway device to share an Internet connection. | # a gateway device to share an Internet connection. | ||
| Line 68: | Line 68: | ||
GATEWAY=1 | GATEWAY=1 | ||
Määran keelatud pordid | *Määran keelatud pordid | ||
# Temporarily block future connection attempts from an | # Temporarily block future connection attempts from an | ||
# IP that hits these ports (If module is present) | # IP that hits these ports (If module is present) | ||
| Line 75: | Line 75: | ||
FORBIDDEN_PORTS="135 137 139" | FORBIDDEN_PORTS="135 137 139" | ||
Keelan PING paketid: | *Keelan PING paketid: | ||
# Drop all ping packets? | # Drop all ping packets? | ||
# Set to 1 for yes, 0 for no. Default is no. | # Set to 1 for yes, 0 for no. Default is no. | ||
BLOCK_PINGS=1 | BLOCK_PINGS=1 | ||
Keelan ebaturvalised paketid: | *Keelan ebaturvalised paketid: | ||
# What to do with 'probably malicious' packets | # What to do with 'probably malicious' packets | ||
#SUSPECT="REJECT" | #SUSPECT="REJECT" | ||
SUSPECT="DROP" | SUSPECT="DROP" | ||
Keelan vale liikluse: | *Keelan vale liikluse: | ||
# What to do with obviously invalid traffic | # What to do with obviously invalid traffic | ||
# This is also the action for FORBIDDEN_PORTS | # This is also the action for FORBIDDEN_PORTS | ||
KNOWN_BAD="REJECT" | |||
Keelan portide skännimise: | *Keelan portide skännimise: | ||
# What to do with port scans | # What to do with port scans | ||
#PORT_SCAN="REJECT" | #PORT_SCAN="REJECT" | ||
Revision as of 19:38, 13 May 2015
Sissejuhatus
Artikli eesmärgiks on tutvustada ipkungfu tulemüüri, anda ülevaade rakenduse paigaldamisest, konfigureerimisest, haldamisest ning eesmärkidest.
Eeldused
Artikli koostamisel on testimiseks kasutatud Ubuntu v.12.04 LTS
Mis on ipkungfu
Tegemist on iptables[1] baasil loodud, kuid lihtsustatud Linuxi tulemüüriga mis hõlbustab võrguliikluse administreerimist. Rakendus töötab iptables ja sysctl baasil. Võib öelda, et tegemist on iptables liidesega mis on omakorda kerneli tulemüürimooduli Netfilter'i kasutajaliides. Tänu lihtsale menüüle sobib rakendus nii algajale kui eksperdile. Toote trumpideks peetakse: [2]
- Turvalisust
- Lihtsat hallatavust
- Jõudlust
Tänu Linuxi kerneli võimekusele leiab tarkvara laialdast rakendust ning toetab [3]
- Võrguühenduse jagamist
- Virtualhoste
- IP suunamist
- IP maskimist
- Logide jälgmist ning kontrollimist
Eelised: [4]
- Võimalik kiiresti paigaldada ning koheselt kasutama hakata
- Seadistamine lihtne ning vähe aega nõudev
- Ei vaja töötavat teenust ega erilisi teadmisi
Installeerimine
Tulemüür töötab iptables ja sysctl baasil. Võib öelda, et tegemist on iptables liidesega mis on kerneli tulemüürimooduli Netfilter'i kasutajaliides. Konfiguratsiooni failid asuvad kaustas /etc/ipkungfu (lisa conf fail?) mida on võimalik vastavalt soovile muuta.[5]
- Enne installimist uuenda olemasolevaid pakette [6]
sudo apt-get update
- Installi tarkvara
sudo apt-get install ipkungfu
- ipkungfu käivitamine
sudo ipkungfu
- ipkungfu rakenduse peatamine
ipkungfu -d
Konfigureerimine
Konfiguratsiooni failid asuvad kaustas /etc/ipkungfu mida on võimalik vastavalt soovile muuta.[7]
- Ava fail /etc/ipkungfu/ipkungfu.conf [FAILI LINK]
nano /etc/ipkungfu/ipkungfu.conf
Muudan faili vastavalt soovile. Testis tegin järgmised muudatused failis:
- Määran logide asukoha
# Set the path to ipkungfu's runtime error log. # Default: /var/log/ipkungfu.log IPKUNGFU_LOG= /var/log/ipconfig.log
- Määran IP vahemiku
# IP Range of your internal network. Use "127.0.0.1" # for a standalone machine. Default is a reasonable # guess. Separate multiple ranges with spaces. LOCAL_NET="192.168.0.0/255.255.0.0"
- Eemaldan kommentaari
# Set this to 0 for a standalone machine, or 1 for # a gateway device to share an Internet connection. # Default is 1. GATEWAY=1
- Määran keelatud pordid
# Temporarily block future connection attempts from an # IP that hits these ports (If module is present) # Hits to these ports will be logged as "BADGUY" hits # regardless of log.conf settings. FORBIDDEN_PORTS="135 137 139"
- Keelan PING paketid:
# Drop all ping packets? # Set to 1 for yes, 0 for no. Default is no. BLOCK_PINGS=1
- Keelan ebaturvalised paketid:
# What to do with 'probably malicious' packets #SUSPECT="REJECT" SUSPECT="DROP"
- Keelan vale liikluse:
# What to do with obviously invalid traffic # This is also the action for FORBIDDEN_PORTS KNOWN_BAD="REJECT"
- Keelan portide skännimise:
# What to do with port scans #PORT_SCAN="REJECT" PORT_SCAN="DROP"
- Tulemüüri automaatseks käivitamiseks ava järgnev fail ning muuda seadistust:
nano /etc/default/ipkungfu
#IPKFSTART=0
IPKFSTART=1
Reeglite vaatamine: [8]
- You can check ipkungfu with the following:
$ ipkungfu -c
- You can list all of ipkungfu rules with the following:
$ ipkungfu -l
- You can test ipkungfu with the following:
$ ipkungfu -t
- List all iptables rules with the following:
$ iptables -L -n
Parameetrid
Võimalused:[9]
-c (or --check)
Check whether ipkungfu is loaded, and report any command
line options it may have been loaded with.
-t (or --test)
Runs a configuration test, and displays the results. Note
that this does not test or display all configuration
options. This gives you an opportunity to verify that
major configuration options are correct before putting them
into action.
-d (or --disable)
Disables the firewall. It is important to know exactly
what this option does. All traffic is allowed in and out,
and in the case of a gateway, all NATed traffic is
forwarded (the option retains your connection sharing
options). Custom rules are not implemented, and
deny_hosts.conf is ignored.
-f (or --flush)
Disables the firewall COMPLETELY. All rules are flushed,
all chains are removed. Any port forwarding or internet
connection sharing will cease to work.
-h (or --help)
Displays brief usage information and exits.
-v (or --version)
Displays version information and exits.
--quiet Runs ipkungfu with no standard output
--panic Drops ALL traffic in all directions on all network
interfaces. You should probably never use this option.
The --panic option is available for the highly unusual
situation where you know that an attack is underway but you
know of no other way to stop it.
--failsafe If ipkungfu fails, --failsafe will cause all firewall
policies to revert to ACCEPT. This is useful when working
with ipkungfu remotely, to prevent loss of remote access
due to firewall failure.
--no-caching
Disables rules caching feature.
Mõned näited kasutamise kohta
Kokkuvõte
Kasutatud kirjandus
- http://manpages.ubuntu.com/manpages/trusty/man8/ipkungfu.8.html
- https://help.ubuntu.com/community/firewall/ipkungfu
- http://teqnix.blogspot.com/2006/06/ipkungfu-kicks-firestarter-out-of-my.html
- http://www.adercon.com/ac/node/93
- https://wiki.itcollege.ee/index.php/Iptables
- http://www.linuxkungfu.org/
- http://manpages.ubuntu.com/manpages/trusty/man8/iptables.8.html
- http://www.zarzax.com/blog/2009/3/4/ipkungfu-easy-iptables-based-server-firewall.html
Koostas
Heiko Niidas AK-31, 2015
