CSC

CRYPTOGRAPHY AND CYBER SECURITY

Laboratory

Fedora 35-specific configuration



FIREWALL
access control at the level of addresses, ports and protocols


Initial Settings : Firewall

Configure Firewall and SELinux.
[1] You can check the firewalld service status as follows (it is enabled by default).
[root@localhost ~]# systemctl status firewalld

*  firewalld.service - firewalld - dynamic firewall daemon
     Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor>
     Active: active (running) since Thu 2021-11-04 08:41:32 JST; 5min ago
       Docs: man:firewalld(1)
   Main PID: 762 (firewalld)
      Tasks: 2 (limit: 4647)
     Memory: 34.3M
        CPU: 388ms
     CGroup: /system.slice/firewalld.service
             +-- 762 /usr/bin/python3 -s /usr/sbin/firewalld --nofork --nopid

# [Active: active (running) ***] means firewalld is running now

[2] If you keep the firewalld service enabled, you need to adjust its settings manually, because incoming requests for services are mostly not allowed by default.
Refer to the basic Firewall operation and settings page.
The Fedora 35 configuration examples on this site assume an environment where the firewalld service is always enabled.
[3] If you don't need the firewall service for some reason, for example because dedicated firewall machines are already running in your local network, you can stop and disable the firewalld service on the Fedora server as follows.
# stop service

[root@localhost ~]# systemctl stop firewalld

# disable service

[root@localhost ~]# systemctl disable firewalld

Removed /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.

Initial Settings : SELinux
[4] You can show the current SELinux (Security-Enhanced Linux) status as follows (it is enabled by default).
[root@localhost ~]# getenforce

Enforcing     # SELinux is enabled
[5] If you keep SELinux enabled, there are cases where you have to modify the SELinux policy manually, because SELinux sometimes stops applications.
Refer to the basic SELinux operation and settings page (CentOS Stream 8).
The Fedora 35 configuration examples on this site assume an environment where SELinux is always Enforcing.
[6] If you don't need SELinux for some reason, for example because your server runs only in a trusted local network, you can disable SELinux as follows.
# disable SELinux

[root@localhost ~]# grubby --update-kernel ALL --args selinux=0
# restart computer to apply changes

[root@localhost ~]# reboot
# to re-enable SELinux later, remove the kernel argument again and reboot

[root@localhost ~]# grubby --update-kernel ALL --remove-args selinux
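The firewall steps [1]-[3] and the SELinux steps [4]-[6] both end with a state you should verify rather than assume: which services firewalld actually exposes, and whether SELinux is enforcing both now and after the next reboot (a leftover selinux=0 kernel argument silently disables it again). The script below is an added example written for this handout, not part of the original page or of Fedora's tooling; the `firewall-cmd --list-all`, `getenforce` and /proc/cmdline outputs are constructed samples in the real commands' format so it runs offline, and the allowlist of expected services ("ssh dhcp") is an assumption for the lab network.

```shell
#!/bin/sh
# Added example (not from the original handout): audit a host against the
# baseline the lab assumes, i.e. firewalld exposing only the services you
# expect and SELinux enforcing, both now and after the next reboot.
# The command outputs below are constructed samples in the format printed by
# `firewall-cmd --list-all`, `getenforce` and /proc/cmdline, so the script runs
# offline; on a real host replace them with the actual command output.

# Constructed sample of `firewall-cmd --list-all` for the default zone.
SAMPLE_LIST_ALL='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp1s0
  sources:
  services: cockpit dhcpv6-client ssh dhcp
  ports: 8080/tcp
  protocols:
  forward: yes
  masquerade: no'

# Constructed samples of `getenforce` and `cat /proc/cmdline`.
SAMPLE_GETENFORCE='Enforcing'
SAMPLE_CMDLINE='BOOT_IMAGE=(hd0,gpt2)/vmlinuz-5.14.10-300.fc35.x86_64 root=/dev/mapper/fedora-root ro rhgb quiet'

# Print the services allowed in the zone, one per line, from the
# `firewall-cmd --list-all` output passed as $1.
zone_services() {
    printf '%s\n' "$1" | sed -n 's/^  services: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Print the ports opened directly (outside any service definition) in the zone.
zone_ports() {
    printf '%s\n' "$1" | sed -n 's/^  ports: *//p' | tr ' ' '\n' | sed '/^$/d'
}

# Print every allowed service that is not in the space-separated allowlist $2.
# Returns 0 when nothing unexpected is exposed, 1 otherwise.
unexpected_services() {
    status=0
    for svc in $(zone_services "$1"); do
        case " $2 " in
            *" $svc "*) ;;                      # expected
            *) printf '%s\n' "$svc"; status=1 ;;
        esac
    done
    return $status
}

# Returns 0 only when SELinux is Enforcing now ($1 = getenforce output) and the
# kernel command line ($2) does not carry selinux=0, which would disable it
# again at the next boot, as in step [6] above.
selinux_enforcing() {
    [ "$1" = "Enforcing" ] || return 1
    case " $2 " in
        *" selinux=0 "*) return 1 ;;
    esac
    return 0
}

# Report on the constructed samples with an allowlist of ssh and dhcp only.
if unexpected_services "$SAMPLE_LIST_ALL" "ssh dhcp" >/dev/null; then
    echo "firewall: only expected services are allowed"
else
    echo "firewall: unexpected services: $(unexpected_services "$SAMPLE_LIST_ALL" "ssh dhcp" | tr '\n' ' ')"
fi
[ -z "$(zone_ports "$SAMPLE_LIST_ALL")" ] || echo "firewall: ports opened directly: $(zone_ports "$SAMPLE_LIST_ALL" | tr '\n' ' ')"
if selinux_enforcing "$SAMPLE_GETENFORCE" "$SAMPLE_CMDLINE"; then
    echo "selinux: enforcing and persistent"
else
    echo "selinux: not enforcing (or disabled on the kernel command line)"
fi
```

On the sample the script flags cockpit and dhcpv6-client, which Fedora's default public zone allows but the allowlist does not, and the directly opened port 8080/tcp; on a real host run it with `$(firewall-cmd --list-all)`, `$(getenforce)` and `$(cat /proc/cmdline)` in place of the samples.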



DHCP
address allocation


DHCP : Configure DHCP Server

Configure a DHCP (Dynamic Host Configuration Protocol) server to assign IP addresses to client hosts in the local network.
[1] Install and configure DHCP. This example shows the IPv4 configuration only.
[root@dlp ~]# dnf -y install dhcp-server
[root@dlp ~]# vi /etc/dhcp/dhcpd.conf
# create new

# specify domain name
option domain-name     "srv.world";

# specify DNS server's hostname or IP address
option domain-name-servers     dlp.srv.world;

# default lease time
default-lease-time 600;

# max lease time
max-lease-time 7200;

# this DHCP server to be declared valid
authoritative;

# specify network address and subnetmask
subnet 10.0.0.0 netmask 255.255.255.0 {
    # specify the range of lease IP address
    range dynamic-bootp 10.0.0.200 10.0.0.254;
    # specify broadcast address
    option broadcast-address 10.0.0.255;
    # specify gateway
    option routers 10.0.0.1;
}

[root@dlp ~]# systemctl enable --now dhcpd

[2] If Firewalld is running, allow the DHCP service. The DHCP server listens on [67/UDP].
[root@dlp ~]# firewall-cmd --add-service=dhcp

success
[root@dlp ~]# firewall-cmd --runtime-to-permanent

success
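Steps [1] and [2] above write dhcpd.conf and start the service, but nothing in the procedure checks that the subnet, range, broadcast address and router in the file agree with each other. The script below is an added example written for this handout (not part of the original page or of the dhcp-server package): it converts the dotted quads to 32-bit integers with POSIX shell arithmetic and checks the addressing for internal consistency before the service is enabled. SAMPLE_CONF is a constructed copy of the lab configuration and BAD_CONF a constructed broken variant; the check names and messages are this example's own.

```shell
#!/bin/sh
# Added example (not from the original handout): check that the addressing in
# a dhcpd.conf is internally consistent before enabling dhcpd. Dotted quads are
# converted to 32-bit integers with POSIX shell arithmetic, so no extra tools
# are needed. SAMPLE_CONF is a constructed copy of the lab configuration and
# BAD_CONF a constructed broken variant.

SAMPLE_CONF='option domain-name "srv.world";
option domain-name-servers dlp.srv.world;
default-lease-time 600;
max-lease-time 7200;
authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range dynamic-bootp 10.0.0.200 10.0.0.254;
    option broadcast-address 10.0.0.255;
    option routers 10.0.0.1;
}'

BAD_CONF='authoritative;
subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.200 10.0.1.254;
    option broadcast-address 10.0.0.254;
    option routers 10.0.0.250;
}'

# Convert dotted quad $1 to an unsigned 32-bit integer, and back.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Print the value following keyword $2 in config text $1 (first match, ';'
# stripped), e.g. conf_field "$c" "option routers" prints 10.0.0.1.
conf_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}//p" | sed 's/;.*$//' | head -n 1
}

# Validate the subnet block in config text $1: one line per finding, and a
# return status of 0 only when every check passes.
check_dhcp_conf() {
    conf=$1 rc=0
    set -- $(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*subnet \([0-9.]*\) netmask \([0-9.]*\).*/\1 \2/p' | head -n 1)
    net=$(ip2int "$1") mask=$(ip2int "$2")
    bcast_expected=$(( net | (~mask & 4294967295) ))
    set -- $(conf_field "$conf" "range" | sed 's/^dynamic-bootp //')
    lo=$(ip2int "$1") hi=$(ip2int "$2")
    bcast=$(ip2int "$(conf_field "$conf" "option broadcast-address")")
    gw=$(ip2int "$(conf_field "$conf" "option routers")")

    if [ $(( net & mask )) -ne "$net" ]; then echo "subnet address has host bits set"; rc=1; fi
    if [ "$bcast" -ne "$bcast_expected" ]; then echo "broadcast-address should be $(int2ip "$bcast_expected")"; rc=1; fi
    if [ "$lo" -gt "$hi" ]; then echo "range start is above range end"; rc=1; fi
    if [ $(( lo & mask )) -ne "$net" ] || [ $(( hi & mask )) -ne "$net" ]; then echo "range lies outside the declared subnet"; rc=1; fi
    if [ "$lo" -le "$net" ] || [ "$hi" -ge "$bcast_expected" ]; then echo "range must not include the network or broadcast address"; rc=1; fi
    if [ $(( gw & mask )) -ne "$net" ]; then echo "router is outside the subnet"; rc=1; fi
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then echo "router address is inside the dynamic range"; rc=1; fi
    if ! printf '%s\n' "$conf" | grep -q '^[[:space:]]*authoritative;'; then echo "authoritative; is missing"; rc=1; fi
    return $rc
}

if check_dhcp_conf "$SAMPLE_CONF"; then echo "SAMPLE_CONF: addressing is consistent"; fi
echo "BAD_CONF findings:"; check_dhcp_conf "$BAD_CONF" || true
```

The lab configuration passes every check; BAD_CONF produces four findings (wrong broadcast address, a range that crosses the /24 boundary and therefore also the broadcast address, and a router inside the dynamic range). To check the real file, call `check_dhcp_conf "$(cat /etc/dhcp/dhcpd.conf)"` before `systemctl enable --now dhcpd`.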

    Packet capture (Wireshark/tcpdump)

    - remote console (SSH)

    - monitoring event files (logs)


Mirror

putty-0.62 for x86
putty-0.62-installer

References

http://ro.wikipedia.org/wiki/Router

... Carry out the configuration of one version of a firewall