e-1 Firewall, SELinux, tuning
Posted by 喝茶等下班
1.
The firewall's running state can also be checked with:
[root@xuegod23 ~]# firewall-cmd --state
running
2.
There are four ways to manage the firewall: 1. graphical 2. command line 3. configuration files 4. cockpit
1. Graphical
When using firewall-config, select Permanent in the Configuration drop-down and then choose Options -> Reload Firewalld from the menu; only then does the change take effect. Afterwards, check whether it took effect with:
[root@xuegod23 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
2. Command line
[root@xuegod23 ~]# firewall-cmd --version
0.9.3
[root@xuegod23 ~]# firewall-cmd --get-active-zones
public
interfaces: ens33
[root@xuegod23 ~]# firewall-cmd --get-default-zone
public
[root@xuegod23 ~]# firewall-cmd --set-default-zone=work
success
[root@xuegod23 ~]# firewall-cmd --get-default-zone
work
[root@xuegod23 ~]# firewall-cmd --set-default-zone=public
success
[root@xuegod23 ~]# firewall-cmd --get-default-zone
public
Open port 8080 in a specific zone:
[root@xuegod23 ~]# firewall-cmd --zone=work --add-port=8080/tcp # note: this is only a runtime change; add --permanent to make it persistent
success
[root@xuegod23 ~]# firewall-cmd --zone=work --list-all
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
## Make it permanent
[root@xuegod23 ~]# firewall-cmd --add-port=8080/tcp --permanent
success
[root@xuegod23 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
## After running this the port does not show up in the runtime configuration; firewall-cmd --reload is needed to load the permanent configuration
### Remove a port. The command below only removes it from the runtime configuration; add --permanent to remove it permanently
[root@xuegod23 ~]# firewall-cmd --remove-port=8080/tcp
success
If no zone is specified, the port is added to the default zone, i.e. public.
3. Configuration files
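As an added example (not from the original post), a small shell check for the runtime/permanent mismatch shown above: on a real host the two lists come from `firewall-cmd --zone=public --list-ports` and `firewall-cmd --zone=public --permanent --list-ports`; here they are constructed strings so the function runs offline.

```shell
# Added example (not from the original post). Inputs are space-separated
# port lists as printed by:
#   firewall-cmd --zone=public --list-ports              (runtime)
#   firewall-cmd --zone=public --permanent --list-ports  (permanent)
# Constructed sample: 8080/tcp was added at runtime without --permanent,
# 443/tcp was added with --permanent but --reload has not been run yet.
SAMPLE_RUNTIME="22/tcp 8080/tcp"
SAMPLE_PERMANENT="22/tcp 443/tcp"

# firewalld_port_drift RUNTIME_LIST PERMANENT_LIST
#   runtime-only <port>   -> lost on reload/reboot (forgot --permanent)
#   permanent-only <port> -> not active yet (needs firewall-cmd --reload)
# Returns 0 when both lists hold the same ports, 1 otherwise.
firewalld_port_drift() {
    rt=" $1 "   # pad with spaces so " 80/tcp " cannot match inside " 8080/tcp "
    pm=" $2 "
    drift=0
    for p in $1; do   # unquoted on purpose: split the list on whitespace
        case "$pm" in *" $p "*) ;; *) printf 'runtime-only %s\n' "$p"; drift=1 ;; esac
    done
    for p in $2; do
        case "$rt" in *" $p "*) ;; *) printf 'permanent-only %s\n' "$p"; drift=1 ;; esac
    done
    return "$drift"
}

firewalld_port_drift "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT" \
    || echo "drift found: re-add runtime-only ports with --permanent, then firewall-cmd --reload"
```

The same function works on the output of `--list-services`, since that is also a space-separated list.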
/etc/firewalld/zones
/etc/firewalld/services
The system ships with built-in firewall rules for common services, stored in /usr/lib/firewalld/services/
Note! Do not edit /usr/lib/firewalld/services/; only the files under /etc/firewalld/services may be edited (a service file of the same name there overrides the packaged one).
[root@xuegod23 services]# pwd
/usr/lib/firewalld/services
[root@xuegod23 services]# ls
amanda-client.xml dns-over-tls.xml imaps.xml matrix.xml pmproxy.xml samba-dc.xml tftp-client.xml
amanda-k5-client.xml dns.xml imap.xml mdns.xml pmwebapis.xml samba.xml tftp.xml
amqps.xml docker-registry.xml ipp-client.xml memcache.xml pmwebapi.xml sane.xml tile38.xml
amqp.xml docker-swarm.xml ipp.xml minidlna.xml pop3s.xml sips.xml tinc.xml
apcupsd.xml dropbox-lansync.xml ipsec.xml mongodb.xml pop3.xml sip.xml tor-socks.xml
audit.xml elasticsearch.xml ircs.xml mosh.xml postgresql.xml slp.xml transmission-client.xml
bacula-client.xml etcd-client.xml irc.xml mountd.xml privoxy.xml smtp-submission.xml upnp-client.xml
bacula.xml etcd-server.xml iscsi-target.xml mqtt-tls.xml prometheus.xml smtps.xml vdsm.xml
bb.xml finger.xml isns.xml mqtt.xml proxy-dhcp.xml smtp.xml vnc-server.xml
bgp.xml foreman-proxy.xml jenkins.xml mssql.xml ptp.xml snmptrap.xml wbem-https.xml
bitcoin-rpc.xml foreman.xml kadmin.xml ms-wbt.xml pulseaudio.xml snmp.xml wbem-http.xml
bitcoin-testnet-rpc.xml freeipa-4.xml kdeconnect.xml murmur.xml puppetmaster.xml spideroak-lansync.xml wsmans.xml
bitcoin-testnet.xml freeipa-ldaps.xml kerberos.xml mysql.xml quassel.xml spotify-sync.xml wsman.xml
bitcoin.xml freeipa-ldap.xml kibana.xml nbd.xml radius.xml squid.xml xdmcp.xml
bittorrent-lsd.xml freeipa-replication.xml klogin.xml nfs3.xml rdp.xml ssdp.xml xmpp-bosh.xml
ceph-mon.xml freeipa-trust.xml kpasswd.xml nfs.xml redis-sentinel.xml ssh.xml xmpp-client.xml
ceph.xml ftp.xml kprop.xml nmea-0183.xml redis.xml steam-streaming.xml xmpp-local.xml
cfengine.xml galera.xml kshell.xml nrpe.xml RH-Satellite-6-capsule.xml svdrp.xml xmpp-server.xml
cockpit.xml ganglia-client.xml kube-apiserver.xml ntp.xml RH-Satellite-6.xml svn.xml zabbix-agent.xml
collectd.xml ganglia-master.xml ldaps.xml nut.xml rpc-bind.xml syncthing-gui.xml zabbix-server.xml
condor-collector.xml git.xml ldap.xml openvpn.xml rquotad.xml syncthing.xml
ctdb.xml grafana.xml libvirt-tls.xml ovirt-imageio.xml rsh.xml synergy.xml
dhcpv6-client.xml gre.xml libvirt.xml ovirt-storageconsole.xml rsyncd.xml syslog-tls.xml
dhcpv6.xml high-availability.xml lightning-network.xml ovirt-vmconsole.xml rtsp.xml syslog.xml
dhcp.xml https.xml llmnr.xml plex.xml salt-master.xml telnet.xml
distcc.xml http.xml managesieve.xml pmcd.xml samba-client.xml tentacle.xml
Note: after editing the configuration files, a reload is needed before the change shows up.
Configuring the firewall by editing the configuration files directly is not recommended.
4. Manage the firewall with the cockpit web console
systemctl enable --now cockpit.socket
Changes made this way take effect immediately and can be checked with firewall-cmd --list-all
Note: the cockpit service port is 9090
Add a rich rule. With the command below the cockpit web console can be reached without typing a port: traffic from the 192.168.31.0/24 range to port 443 (https) is forwarded to 9090 (cockpit's web port)
[root@xuegod23 services]# firewall-cmd --permanent --add-rich-rule "rule family=ipv4 source address=192.168.31.0/24 forward-port port=443 protocol=tcp to-port=9090"
success
3.
SELinux is a set of security rules that determine which processes may access which files, directories and ports. Every file, process, directory and port carries a dedicated security label called the SELinux context.
An SELinux label consists of several context fields: user, role, type and sensitivity level. The targeted policy builds its rules on the third field, the type context, which usually ends in _t.
To make sure you have the tools for managing SELinux contexts, install the policycoreutils and policycoreutils-python packages as needed; they provide the restorecon and semanage commands respectively.
[root@xuegod23 ~]# semanage fcontext -a -t httpd_sys_content_t /virtual(/.*)?
[root@xuegod23 ~]# cd /virtual/
[root@xuegod23 virtual]# ls
index.html
[root@xuegod23 virtual]# touch aaa
[root@xuegod23 virtual]# ll -Z aaa
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 0 1月 31 17:49 aaa
[root@xuegod23 virtual]# semanage fcontext -a -t httpd_sys_content_t /virtual(/.*)?
ValueError: /virtual(/.*)? 的文件上下文已定义
[root@xuegod23 virtual]# ll -Z
总用量 0
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 0 1月 31 17:49 aaa
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0 1月 31 17:39 index.html
[root@xuegod23 virtual]# restorecon /virtual/aaa
[root@xuegod23 virtual]# ll -Z
总用量 0
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0 1月 31 17:49 aaa
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0 1月 31 17:39 index.html
[root@xuegod23 virtual]# restorecon -RFvv /virtual/
Relabeled /virtual from unconfined_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Relabeled /virtual/index.html from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Relabeled /virtual/aaa from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0
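As an added example (not from the original post), a shell function that picks out files whose SELinux type is not the one the policy should assign, parsing `ls -lZ` output in the format shown above; the listing is constructed inline so it runs offline, and `ls -lZ` with the context in column 5 is the assumed format.

```shell
# Added example (not from the original post): list files whose SELinux type is
# not the expected one, from `ls -lZ` output (context in column 5; the type is
# the 3rd colon-separated field of user:role:type:level).
# Constructed sample mirroring the session above: aaa was created after the
# fcontext rule and still carries default_t until restorecon runs.
SAMPLE_LS_Z='total 0
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 0 Jan 31 17:49 aaa
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0 Jan 31 17:39 index.html'

# selinux_type_mismatch LISTING EXPECTED_TYPE
# Prints "<name> <actual_type>" per mismatched entry; returns 1 if any found.
# Assumes file names without spaces (the last column is taken as the name).
selinux_type_mismatch() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 9 && $5 ~ /:/ {
            split($5, ctx, ":")
            if (ctx[3] != want) { print $NF, ctx[3]; bad = 1 }
        }
        END { exit (bad ? 1 : 0) }'
}

# On a real host: selinux_type_mismatch "$(ls -lZ /virtual)" httpd_sys_content_t
selinux_type_mismatch "$SAMPLE_LS_Z" httpd_sys_content_t \
    && echo "all entries carry httpd_sys_content_t" \
    || echo "mismatches listed above: fix with restorecon -RFv /virtual/"
```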
4.
Show all tuning profiles
[root@xuegod23 virtual]# tuned-adm list
Available profiles:
- accelerator-performance - Throughput performance based tuning with disabled higher latency STOP states
- balanced - General non-specialized tuned profile
- desktop - Optimize for the desktop use-case
- hpc-compute - Optimize for HPC compute workloads
- intel-sst - Configure for Intel Speed Select Base Frequency
- latency-performance - Optimize for deterministic performance at the cost of increased power consumption
- network-latency - Optimize for deterministic performance at the cost of increased power consumption, focused on low latency network performance
- network-throughput - Optimize for streaming network throughput, generally only necessary on older CPUs or 40G+ networks
- optimize-serial-console - Optimize for serial console use.
- powersave - Optimize for low power consumption
- throughput-performance - Broadly applicable tuning that provides excellent performance across a variety of common server workloads
- virtual-guest - Optimize for running inside a virtual guest
- virtual-host - Optimize for running KVM guests
Current active profile: virtual-guest
Paths of all tuning-related configuration files:
[root@xuegod23 ~]# cd /usr/lib/tuned/
[root@xuegod23 tuned]# ll
总用量 16
drwxr-xr-x. 2 root root 24 1月 31 17:59 accelerator-performance
drwxr-xr-x. 2 root root 24 1月 31 17:59 balanced
drwxr-xr-x. 2 root root 24 1月 31 17:59 desktop
-rw-r--r--. 1 root root 15113 7月 22 2021 functions
drwxr-xr-x. 2 root root 24 1月 31 17:59 hpc-compute
drwxr-xr-x. 2 root root 24 1月 31 17:59 intel-sst
drwxr-xr-x. 2 root root 24 1月 31 17:59 latency-performance
drwxr-xr-x. 2 root root 24 1月 31 17:59 network-latency
drwxr-xr-x. 2 root root 24 1月 31 17:59 network-throughput
drwxr-xr-x. 2 root root 24 1月 31 17:59 optimize-serial-console
drwxr-xr-x. 2 root root 41 1月 31 17:59 powersave
drwxr-xr-x. 2 root root 27 1月 31 17:59 recommend.d
drwxr-xr-x. 2 root root 24 1月 31 17:59 throughput-performance
drwxr-xr-x. 2 root root 24 1月 31 17:59 virtual-guest
drwxr-xr-x. 2 root root 24 1月 31 17:59 virtual-host
[root@xuegod23 tuned]# vim virtual-guest/tuned.conf
#
# tuned configuration
#
[main]
summary=Optimize for running inside a virtual guest
include=throughput-performance
[sysctl]
# If a workload mostly uses anonymous memory and it hits this limit, the entire
# working set is buffered for I/O, and any more write buffering would require
# swapping, so its time to throttle writes until I/O can catch up. Workloads
# that mostly use file mappings may be able to use even higher values.
#
# The generator of dirty data starts writeback at this percentage (system default
# is 20%)
vm.dirty_ratio = 30
# Filesystem I/O is usually much more efficient than swapping, so try to keep
# swapping low. Its usually safe to go even lower than this on systems with
# server-grade storage.
vm.swappiness = 30
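As an added example (not from the original post or from tuned itself), a shell function that resolves the effective [sysctl] settings of a profile by following the include= line in [main], the way virtual-guest above builds on throughput-performance; a constructed two-profile tree with made-up values is written to a temp directory so it runs offline, and TUNED_DIR is an assumed variable (set it to /usr/lib/tuned on a real host).

```shell
# Added example (not from the original post): compute the effective [sysctl]
# settings of a tuned profile by following include= in [main]. A key set in the
# including (child) profile overrides the included (parent) profile's value.
# Profiles are read from $TUNED_DIR/<profile>/tuned.conf; on a real host set
# TUNED_DIR=/usr/lib/tuned. Here a constructed tree with made-up values is used.
TUNED_DIR=$(mktemp -d)
mkdir -p "$TUNED_DIR/throughput-performance" "$TUNED_DIR/virtual-guest"
cat > "$TUNED_DIR/throughput-performance/tuned.conf" <<'EOF'
[main]
summary=constructed parent profile
[sysctl]
vm.dirty_ratio = 40
vm.swappiness = 10
kernel.sched_min_granularity_ns = 10000000
EOF
cat > "$TUNED_DIR/virtual-guest/tuned.conf" <<'EOF'
[main]
summary=constructed child profile
include=throughput-performance
[sysctl]
# comments and blank lines are ignored
vm.dirty_ratio = 30
vm.swappiness = 30
EOF

# tuned_effective_sysctl PROFILE -> sorted "key=value" lines, child wins
tuned_effective_sysctl() {
    conf="$TUNED_DIR/$1/tuned.conf"
    [ -f "$conf" ] || { echo "no such profile: $1" >&2; return 1; }
    parent=$(awk -F= '/^\[/{s=$1; next} s=="[main]" && $1=="include"{print $2}' "$conf")
    {
        # child's own keys first, then the parent's (recursively); the merge
        # below keeps the first occurrence of each key, so the child overrides
        awk -F= '/^\[/{s=$1; next} s=="[sysctl]" && !/^#/ && NF>=2 {
            gsub(/[ \t]/, "", $1); gsub(/^[ \t]+|[ \t]+$/, "", $2); print $1 "=" $2 }' "$conf"
        [ -n "$parent" ] && tuned_effective_sysctl "$parent"
    } | awk -F= '!($1 in v) {v[$1]=$2; print $1 "=" $2}' | sort
}

tuned_effective_sysctl virtual-guest
```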