firewalld 를 이용해서 방화벽을 구성해 보자.

• RedHat, Ubuntu, OpenSUSE LEAP 15.0 등은 시스템 기본 파이어월 관리자로 firewalld 를 제공한다고 한다.

firewalld

firewalld 는 ….

firewalld는 ufw 처럼 iptables 을 구성할 수 있다.

네트워크를 지역 관리가 가능해서 다른 네트워크, 지역에 따라 다른 규칙으로 구성해서 사용할 수 있다.
For example “Home” and “Office” where all communications with local machines are allowed, and “Public Wi-Fi” where no communication with the same subnet would be allowed.

https://www.ctrl.blog/entry/ufw-vs-firewalld

firewalld 설치

OpenSUSE LEAP 15.0, RedHat, Ubuntu 등은 시스템 기본 파이어월 관리자로 firewalld 를 제공한다고 한다.

1

$ sudo apt install firewalld

Start firewalld

To start firewalld, enter the following command as root:

1

systemctl start firewalld

root 사용자로 시작한다.

1
2

sudo systemctl enable firewalld
sudo reboot

For more information about the service status, use the systemctl status sub-command:

1
2
3
4
5
6

sudo systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: disabled)
   Active: active (running) since Thu 1970-01-01 09:01:48 KST; 48 years 6 months ago

sudo firewall-cmd --state

Stop firewalld

To stop firewalld, enter the following command as root:

1

systemctl stop firewalld

To prevent firewalld from starting automatically at system start, enter the following command as root:

1

systemctl disable firewalld

To make sure firewalld is not started by accessing the firewalld D-Bus interface and also if other services require firewalld, enter the following command as root:

1

systemctl mask firewalld

사용해 보기

firewalld 는 명령라인 firewall-cmd 와 GUI로 firewall-config 명령을 지원한다.

Zone 설정

Get a list of all supported zones

1

firewall-cmd --get-zones

List all zones with the enabled features.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

$ firewall-cmd --list-all-zones
...

public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

기본으로 제공하는 Zone

• drop: Any incoming network packets are dropped, there is no reply. Only outgoing network connections are possible.
• block: Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
• public: For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
• external: For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
• dmz: For computers in your demilitarized zone that are publicly-accessible with limited access to your internal network. Only selected incoming connections are accepted.
• work
  For use in work areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
• home
  For use in home areas. You mostly trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
• internal
  For use on internal networks. You mostly trust the other computers on the networks to not harm your computer. Only selected incoming connections are accepted.
• trusted
  All network connections are accepted.

Zone

1
2

sudo firewall-cmd --get-default-zone
public

서비스

This command prints a space separated list.

Get a list of all supported services

1

$ firewall-cmd --get-services

This command prints a space separated list.

Get a list of all supported icmptypes

1

firewall-cmd --get-icmptypes

서비스를 제거하려면

1
2
3
4

# firewall-cmd --zone=public --remove-service=http
success
root@odroidc2:/home/qkboo# firewall-cmd --zone=public --remove-service=https
success

Http, Ssh 방화벽 활성화

http, https 를 공개 서비스를 지원하는 기본 존인 public에 추가한다.

1
2
3

sudo firewall-cmd --add-service=ssh
sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https

sudo firewall-cmd –zone=public –add-service=http –permanent

방화벽을 갱신한다

1
2

firewall-cmd --reload
firewall-cmd --state

혹은 zone을 지정해 추가한다.

1
2
3
4

sudo firewall-cmd --zone=web --add-service=ssh
sudo firewall-cmd --zone=web --add-service=http
sudo firewall-cmd --zone=web --add-service=https
sudo firewall-cmd --zone=web --list-all

Likewise, we can add the DNS service to our “privateDNS” zone:

1
2

sudo firewall-cmd --zone=privateDNS --add-service=dns
sudo firewall-cmd --zone=privateDNS --list-all

Zone 에 구성한 서비스 등은 런타임 혹은 완전히 방화벽에 구성할 수 있다.

To change settings in both modes, you can use two methods:
Change runtime settings and then make them permanent as follows:

1
2

firewall-cmd <other options>
firewall-cmd --runtime-to-permanent

Set permanent settings and reload the settings into runtime mode:

1
2

firewall-cmd --permanent <other options>
firewall-cmd --reload

모든 구성 내용 확인:

1
2
3
4
5
6
7
8
9
10
11
12
13
14

$ sudo firewall-cmd --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

특정 zone 에 대한 내역을 출력한다:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

$ sudo firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: ssh dhcpv6-client http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

참조

https://www.linode.com/docs/security/firewalls/introduction-to-firewalld-on-centos/

FirewallD

• RedHat: Getting started with firewalld

• How to set up firewalld on CentOS 7

Firewalld configuration and usage

Raspberry Pi 3 64bit OS openSUSE 는 이글은 3개 글타래로 구성되며, openSUSE 설치 및 사용에 대해 작성한다.

Opensuse 에서 Raspberry Pi 3를 위한 64bit OS openSESE Leap 42.3 을 제공하고 있다.

• https://en.opensuse.org/HCL:Raspberry_Pi3

1. Install 64bit openSUSE Leap 42.3 / JeOS
2. openSUSE: Managing Service daemon
3. openSUSE: Basic OS Security for Server
4. Install & Configuration - Nginx, Node JS
5. Build MongoDB 3.4.x

openSUSE: Basic OS Security for Server

이전 글에서 라즈베리파이 3에 설치한 64bit OS openSUSE LEAP / JeOS를 서버 구성을 위해서 보안 설정을 한다. 이 글은 다음 세가지 내용을 포함하고 있다.

• ssh와 sshd 설정
• 방화벽 설정: YaST Firewall 대비 ufw 설치
• Fail2ban 설치 및 설정

sshd_config

ssh 사용시

sshd securities

방화벽 설정

openSUSE는 SuSEfirewall2 가 기본으로 제공되어 서비스를 활성화 하면 사용할 수 있다. 아직 익숙치 않아서 SuSEFirewall2 을 우분투/데비안에서 익숙한 ufw 를 설치해 사용하겠다.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

Basic Syntax:
    yast2 firewall interactive
    yast2 firewall <command> [verbose] [options]
    yast2 firewall help
    yast2 firewall longhelp
    yast2 firewall xmlhelp
    yast2 firewall <command> help

Commands:
    broadcast     Broadcast packet settings
    disable       Disables firewall
    enable        Enables firewall
    interfaces    Network interfaces configuration
    logging       Logging settings
    masqredirect  Redirect requests to masqueraded IP
    masquerade    Masquerading settings
    services      Allowed services, ports, and protocols
    startup       Start-up settings
    summary       Firewall configuration summary
    zones         Known firewall zones

먼저 SuSEfirewall2 를 멈추고 비활성화 한다.

1

sudo yast firewall disable

1
2

systemctl stop SuSEfirewall2
systemctl disable SuSEfirewall2

그리고 ufw를 설치하고

1

zypper in ufw

1
2
3
4

ufw default deny
ufw enable
systemctl enable ufw
systemctl start ufw

Fail2ban

rsyslog 를 설치한다.

https://en.opensuse.org/SDB:SSH_systematic_attack_protection

https://www.howtoforge.com/fail2ban_opensuse10.3

ssh

ufw

fail2ban

zypper in fail2ban

참조

OpenSSH Public Key Authentication

https://doc.opensuse.org/documentation/leap/security/html/book.security/cha.security.firewall.html