e-1 Firewall, SELinux and tuning

1.
Another way to check whether the firewall is running:

[root@xuegod23 ~]# firewall-cmd --state
running

2.
firewalld can be managed in four ways: 1. the graphical tool, 2. the command line, 3. configuration files, 4. the cockpit web console
1. Graphical
firewall-config: in the tool, select Permanent in the Configuration drop-down before making changes, then choose Options -> Reload Firewalld from the menu so that they take effect. Afterwards, confirm the result with:
[root@xuegod23 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:

2. Command line
[root@xuegod23 ~]# firewall-cmd --version
0.9.3
[root@xuegod23 ~]# firewall-cmd --get-active-zones
public
interfaces: ens33
[root@xuegod23 ~]# firewall-cmd --get-default-zone
public
[root@xuegod23 ~]# firewall-cmd --set-default-zone=work
success
[root@xuegod23 ~]# firewall-cmd --get-default-zone
work
[root@xuegod23 ~]# firewall-cmd --set-default-zone=public
success
[root@xuegod23 ~]# firewall-cmd --get-default-zone
public

Open port 8080 in a specific zone:
[root@xuegod23 ~]# firewall-cmd --zone=work --add-port=8080/tcp   # runtime only; add --permanent to persist it
success
[root@xuegod23 ~]# firewall-cmd --zone=work --list-all
work
target: default
icmp-block-inversion: no
interfaces:
sources:
services: cockpit dhcpv6-client ssh
ports: 8080/tcp
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
## Permanent
[root@xuegod23 ~]# firewall-cmd --add-port=8080/tcp --permanent
success
[root@xuegod23 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: ens33
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
## The port does not show up: --permanent only writes /etc/firewalld/zones/public.xml (no --zone, so the default zone); run firewall-cmd --reload to load it into the runtime. A reload discards runtime-only changes such as the 8080/tcp added to the work zone above; firewall-cmd --runtime-to-permanent saves those first.


### Remove a port; this removes it from the runtime only, add --permanent to remove it from the saved configuration as well
[root@xuegod23 ~]# firewall-cmd --remove-port=8080/tcp
success

If no zone is given, the port is added to the default zone, here public.
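The sequence above (runtime add, separate --permanent add, reload) is where most mistakes happen: a --permanent change is invisible until reloaded, and a reload throws away every rule that was only ever added at runtime. The helper below is an added example, not code from the original post: it opens a port in both configurations in one step and reports drift between them. The function names and the FWCMD variable are this example's own; FWCMD defaults to the real firewall-cmd and only exists so the functions can be exercised against a stub.

```shell
#!/bin/sh
# Added example, not part of the original post.
# FWCMD is an assumption of this script so the functions can be exercised
# against a stub; leave it unset on a real host and firewall-cmd (run as
# root) is used.
FWCMD="${FWCMD:-firewall-cmd}"

# fw_open_port ZONE PORT/PROTO
# Open the port in the runtime *and* the permanent configuration and verify
# both, so no reload is needed afterwards and no runtime-only rule is lost.
fw_open_port() {
    zone="$1"; port="$2"
    "$FWCMD" --zone="$zone" --add-port="$port" >/dev/null || return 1
    "$FWCMD" --permanent --zone="$zone" --add-port="$port" >/dev/null || return 1
    "$FWCMD" --zone="$zone" --query-port="$port" >/dev/null || return 1
    "$FWCMD" --permanent --zone="$zone" --query-port="$port" >/dev/null
}

# fw_port_drift ZONE
# Print every port that is open in only one of the two configurations.
# runtime-only ports disappear on the next reload or reboot; permanent-only
# ports are not enforced yet. No output means the two agree.
fw_port_drift() {
    zone="$1"
    rt=" $("$FWCMD" --zone="$zone" --list-ports) "
    pm=" $("$FWCMD" --permanent --zone="$zone" --list-ports) "
    for p in $rt; do
        case "$pm" in *" $p "*) ;; *) echo "runtime-only: $p" ;; esac
    done
    for p in $pm; do
        case "$rt" in *" $p "*) ;; *) echo "permanent-only: $p" ;; esac
    done
}

# Read-only check on a host that is actually running firewalld (skipped
# elsewhere). To open a port: fw_open_port public 8080/tcp
if command -v "$FWCMD" >/dev/null 2>&1 && "$FWCMD" --state >/dev/null 2>&1; then
    fw_port_drift "$("$FWCMD" --get-default-zone)"
fi
```

Run fw_port_drift for each active zone from a cron job or a configuration check and treat any output as a finding: a runtime-only port is a change nobody saved, a permanent-only port is a change nobody applied.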
3. Configuration files
/etc/firewalld/zones
/etc/firewalld/services
firewalld ships rule definitions for common services under /usr/lib/firewalld/services/. Note: do not edit the files in /usr/lib/firewalld/services/, they belong to the package and are overwritten on update. Copy a file to /etc/firewalld/services/ and edit it there; a file of the same name in /etc/firewalld/services takes precedence over the packaged one.

[root@xuegod23 services]# pwd
/usr/lib/firewalld/services
[root@xuegod23 services]# ls
amanda-client.xml        dns-over-tls.xml         imaps.xml              matrix.xml              pmproxy.xml                 samba-dc.xml           tftp-client.xml
amanda-k5-client.xml     dns.xml                  imap.xml               mdns.xml                pmwebapis.xml               samba.xml              tftp.xml
amqps.xml                docker-registry.xml      ipp-client.xml         memcache.xml            pmwebapi.xml                sane.xml               tile38.xml
amqp.xml                 docker-swarm.xml         ipp.xml                minidlna.xml            pop3s.xml                   sips.xml               tinc.xml
apcupsd.xml              dropbox-lansync.xml      ipsec.xml              mongodb.xml             pop3.xml                    sip.xml                tor-socks.xml
audit.xml                elasticsearch.xml        ircs.xml               mosh.xml                postgresql.xml              slp.xml                transmission-client.xml
bacula-client.xml        etcd-client.xml          irc.xml                mountd.xml              privoxy.xml                 smtp-submission.xml    upnp-client.xml
bacula.xml               etcd-server.xml          iscsi-target.xml       mqtt-tls.xml            prometheus.xml              smtps.xml              vdsm.xml
bb.xml                   finger.xml               isns.xml               mqtt.xml                proxy-dhcp.xml              smtp.xml               vnc-server.xml
bgp.xml                  foreman-proxy.xml        jenkins.xml            mssql.xml               ptp.xml                     snmptrap.xml           wbem-https.xml
bitcoin-rpc.xml          foreman.xml              kadmin.xml             ms-wbt.xml              pulseaudio.xml              snmp.xml               wbem-http.xml
bitcoin-testnet-rpc.xml  freeipa-4.xml            kdeconnect.xml         murmur.xml              puppetmaster.xml            spideroak-lansync.xml  wsmans.xml
bitcoin-testnet.xml      freeipa-ldaps.xml        kerberos.xml           mysql.xml               quassel.xml                 spotify-sync.xml       wsman.xml
bitcoin.xml              freeipa-ldap.xml         kibana.xml             nbd.xml                 radius.xml                  squid.xml              xdmcp.xml
bittorrent-lsd.xml       freeipa-replication.xml  klogin.xml             nfs3.xml                rdp.xml                     ssdp.xml               xmpp-bosh.xml
ceph-mon.xml             freeipa-trust.xml        kpasswd.xml            nfs.xml                 redis-sentinel.xml          ssh.xml                xmpp-client.xml
ceph.xml                 ftp.xml                  kprop.xml              nmea-0183.xml           redis.xml                   steam-streaming.xml    xmpp-local.xml
cfengine.xml             galera.xml               kshell.xml             nrpe.xml                RH-Satellite-6-capsule.xml  svdrp.xml              xmpp-server.xml
cockpit.xml              ganglia-client.xml       kube-apiserver.xml     ntp.xml                 RH-Satellite-6.xml          svn.xml                zabbix-agent.xml
collectd.xml             ganglia-master.xml       ldaps.xml              nut.xml                 rpc-bind.xml                syncthing-gui.xml      zabbix-server.xml
condor-collector.xml     git.xml                  ldap.xml               openvpn.xml             rquotad.xml                 syncthing.xml
ctdb.xml                 grafana.xml              libvirt-tls.xml        ovirt-imageio.xml       rsh.xml                     synergy.xml
dhcpv6-client.xml        gre.xml                  libvirt.xml            ovirt-storageconsole.xml rsyncd.xml                 syslog-tls.xml
dhcpv6.xml               high-availability.xml    lightning-network.xml  ovirt-vmconsole.xml     rtsp.xml                    syslog.xml
dhcp.xml                 https.xml                llmnr.xml              plex.xml                salt-master.xml             telnet.xml
distcc.xml               http.xml                 managesieve.xml        pmcd.xml                samba-client.xml            tentacle.xml

Note: after editing configuration files, firewall-cmd --reload is required before the change shows up.
Configuring the firewall by editing these files directly is not recommended.
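A zone's "services:" line (cockpit dhcpv6-client ssh above) only names service definitions; what is actually reachable is whatever ports those XML files list, and a file in /etc/firewalld/services silently replaces the packaged one of the same name. The script below is an added example, not from the original post: it resolves service names to ports by reading the XML files in firewalld's lookup order. The function names and the FW_SVC_DIRS variable are this example's own, and the sample service files are constructed here (modeled on the packaged cockpit.xml and ssh.xml) so the script runs without firewalld installed.

```shell
#!/bin/sh
# Added example, not part of the original post. Resolves the service names
# listed by firewall-cmd --list-all to the concrete ports they open, by
# reading the service XML files. FW_SVC_DIRS is an assumption of this
# script; its default reproduces firewalld's lookup order, where a file in
# /etc/firewalld/services overrides the packaged one of the same name.
FW_SVC_DIRS="${FW_SVC_DIRS:-/etc/firewalld/services /usr/lib/firewalld/services}"

# svc_file NAME : path of the XML file that defines NAME (first directory wins)
svc_file() {
    for d in $FW_SVC_DIRS; do
        [ -r "$d/$1.xml" ] && { echo "$d/$1.xml"; return 0; }
    done
    echo "no service definition for $1" >&2
    return 1
}

# svc_ports NAME : print one PORT/PROTOCOL line per <port .../> element
svc_ports() {
    f=$(svc_file "$1") || return 1
    grep -o '<port [^>]*>' "$f" | while read -r tag; do
        proto=$(printf '%s' "$tag" | sed -n 's/.*protocol="\([^"]*\)".*/\1/p')
        port=$(printf '%s' "$tag" | sed -n 's/.*port="\([^"]*\)".*/\1/p')
        echo "$port/$proto"
    done
}

# zone_exposure SERVICE... : what a zone's service list really opens
zone_exposure() {
    for s in "$@"; do
        svc_ports "$s" | sed "s/^/$s: /"
    done
}

# Constructed sample definitions, modeled on the packaged cockpit.xml and
# ssh.xml, plus a local override that moves ssh to 2222/tcp.
make_sample_services() {                 # make_sample_services LIBDIR ETCDIR
    mkdir -p "$1" "$2"
    cat > "$1/cockpit.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Cockpit</short>
  <port protocol="tcp" port="9090"/>
</service>
EOF
    cat > "$1/ssh.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <port protocol="tcp" port="22"/>
</service>
EOF
    cat > "$2/ssh.xml" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH (local override)</short>
  <port protocol="tcp" port="2222"/>
</service>
EOF
}

tmp=$(mktemp -d)
make_sample_services "$tmp/lib" "$tmp/etc"
FW_SVC_DIRS="$tmp/etc $tmp/lib"
zone_exposure cockpit ssh        # cockpit: 9090/tcp and ssh: 2222/tcp (the override wins)
rm -rf "$tmp"
```

On a real host leave FW_SVC_DIRS unset and run `zone_exposure $(firewall-cmd --list-services)`; comparing that output with `ss -ltnup` shows which open ports have a listener and which firewall openings are stale.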
4. Managing the firewall from the cockpit web console
systemctl enable --now cockpit.socket
Changes made in cockpit take effect immediately and can be verified with firewall-cmd --list-all. The console is reached at https://192.168.31.23:9090

Note: the cockpit service listens on port 9090.
Adding a rich rule: the command below makes the cockpit web console reachable without typing the port, i.e. when a client in 192.168.31.0/24 connects to port 443 (https), the connection is forwarded to 9090 (cockpit's web port):
[root@xuegod23 services]# firewall-cmd --permanent --add-rich-rule "rule family=ipv4 source address=192.168.31.0/24 forward-port port=443 protocol=tcp to-port=9090"
success
Because the rule was added with --permanent it becomes active only after firewall-cmd --reload. It applies only to clients in the listed source range and, since no --zone was given, it lands in the default zone (public).



3.
SELinux is a set of security rules that decide which process may access which files, directories and ports. Every file, process, directory and port carries its own security label, the SELinux context.
A label has several fields: user, role, type and sensitivity level. The targeted policy writes its rules almost entirely in terms of the third field, the type, whose names conventionally end in _t.

To have the tools for managing SELinux contexts, install the policycoreutils package and the policycoreutils-python-utils package (policycoreutils-python on RHEL 7) as needed; they provide restorecon and semanage respectively.
[root@xuegod23 ~]# semanage fcontext -a -t httpd_sys_content_t "/virtual(/.*)?"
[root@xuegod23 ~]# cd /virtual/
[root@xuegod23 virtual]# ls
index.html
[root@xuegod23 virtual]# touch aaa
[root@xuegod23 virtual]# ll -Z aaa
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 0 Jan 31 17:49 aaa
[root@xuegod23 virtual]# semanage fcontext -a -t httpd_sys_content_t "/virtual(/.*)?"
ValueError: File context for /virtual(/.*)? already defined
[root@xuegod23 virtual]# ll -Z
total 0
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 0 Jan 31 17:49 aaa
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0 Jan 31 17:39 index.html
[root@xuegod23 virtual]# restorecon /virtual/aaa
[root@xuegod23 virtual]# ll -Z
total 0
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0 Jan 31 17:49 aaa
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0 Jan 31 17:39 index.html
[root@xuegod23 virtual]# restorecon -RFvv /virtual/
Relabeled /virtual from unconfined_u:object_r:default_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Relabeled /virtual/index.html from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0
Relabeled /virtual/aaa from unconfined_u:object_r:httpd_sys_content_t:s0 to system_u:object_r:httpd_sys_content_t:s0

The pattern is quoted so the shell does not interpret the parentheses. semanage fcontext -a only records the rule in the policy store: a file created afterwards, like aaa, still inherits default_t from the /virtual directory until restorecon applies the rule. Without -F, restorecon resets only the type; with -F it resets the whole context, which is why the last run also changed the SELinux user from unconfined_u to system_u and relabeled the /virtual directory itself.
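Two things in the session above are worth automating: the "already defined" error when a rule is added twice, and the audit of which files in a web root still carry the wrong type (httpd_t cannot read default_t, so such files return 403 while the rest of the site works). The script below is an added example, not from the original post; the function names are this example's own, the relabel function assumes root and the SELinux tools, and the listing fed to the audit is constructed from the ll -Z output above.

```shell
#!/bin/sh
# Added example, not part of the original post.

# find_mislabeled EXPECTED_TYPE   (reads `ls -lZ` output on stdin)
# Print each file whose SELinux type differs from EXPECTED_TYPE. In ls -lZ
# output the context is field 5 and the type is its third colon-separated
# part; "total N" and other short lines are skipped. Assumes LC_ALL=C so the
# date occupies exactly three fields.
find_mislabeled() {
    awk -v want="$1" 'NF >= 10 {
        split($5, ctx, ":")
        name = $10; for (i = 11; i <= NF; i++) name = name " " $i
        if (ctx[3] != want) print name ": " ctx[3]
    }'
}

# relabel_webroot DIR [TYPE]   (root, SELinux tools installed)
# Register the file-context rule for DIR and everything below it, switching
# to "semanage fcontext -m" when the pattern is already defined (the
# ValueError above), then apply it with restorecon -F so user and role are
# reset along with the type.
relabel_webroot() {
    dir="$1"; type="${2:-httpd_sys_content_t}"
    semanage fcontext -a -t "$type" "${dir}(/.*)?" 2>/dev/null \
        || semanage fcontext -m -t "$type" "${dir}(/.*)?" || return 1
    restorecon -RFv "$dir"
}

# Constructed sample: the two `ll -Z` lines from the session above, taken
# before restorecon, plus the "total 0" line ls prints.
sample_listing() {
    cat <<'EOF'
total 0
-rw-r--r--. 1 root root unconfined_u:object_r:default_t:s0 0 Jan 31 17:49 aaa
-rw-r--r--. 1 root root unconfined_u:object_r:httpd_sys_content_t:s0 0 Jan 31 17:39 index.html
EOF
}

sample_listing | find_mislabeled httpd_sys_content_t   # reports: aaa: default_t

# On a real host, audit the web root (read-only; skipped where it does not exist):
if [ -d /virtual ] && command -v restorecon >/dev/null 2>&1; then
    LC_ALL=C ls -lZ /virtual | find_mislabeled httpd_sys_content_t
fi
```

Run the audit after every deployment that copies files into the web root with mv or rsync, since those preserve the source label instead of inheriting the directory's; if it reports anything, relabel_webroot fixes it and is safe to run repeatedly.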

4.
List all tuning profiles:
[root@xuegod23 virtual]# tuned-adm list
Available profiles:
- accelerator-performance   - Throughput performance based tuning with disabled higher latency STOP states
- balanced                  - General non-specialized tuned profile
- desktop                   - Optimize for the desktop use-case
- hpc-compute               - Optimize for HPC compute workloads
- intel-sst                 - Configure for Intel Speed Select Base Frequency
- latency-performance       - Optimize for deterministic performance at the cost of increased power consumption
- network-latency           - Optimize for deterministic performance at the cost of increased power consumption, focused on low latency network performance
- network-throughput        - Optimize for streaming network throughput, generally only necessary on older CPUs or 40G+ networks
- optimize-serial-console   - Optimize for serial console use.
- powersave                 - Optimize for low power consumption
- throughput-performance    - Broadly applicable tuning that provides excellent performance across a variety of common server workloads
- virtual-guest             - Optimize for running inside a virtual guest
- virtual-host              - Optimize for running KVM guests
Current active profile: virtual-guest

Location of the tuning profile configuration files:
[root@xuegod23 ~]# cd /usr/lib/tuned/
[root@xuegod23 tuned]# ll
total 16
drwxr-xr-x. 2 root root    24 Jan 31 17:59 accelerator-performance
drwxr-xr-x. 2 root root    24 Jan 31 17:59 balanced
drwxr-xr-x. 2 root root    24 Jan 31 17:59 desktop
-rw-r--r--. 1 root root 15113 Jul 22  2021 functions
drwxr-xr-x. 2 root root    24 Jan 31 17:59 hpc-compute
drwxr-xr-x. 2 root root    24 Jan 31 17:59 intel-sst
drwxr-xr-x. 2 root root    24 Jan 31 17:59 latency-performance
drwxr-xr-x. 2 root root    24 Jan 31 17:59 network-latency
drwxr-xr-x. 2 root root    24 Jan 31 17:59 network-throughput
drwxr-xr-x. 2 root root    24 Jan 31 17:59 optimize-serial-console
drwxr-xr-x. 2 root root    41 Jan 31 17:59 powersave
drwxr-xr-x. 2 root root    27 Jan 31 17:59 recommend.d
drwxr-xr-x. 2 root root    24 Jan 31 17:59 throughput-performance
drwxr-xr-x. 2 root root    24 Jan 31 17:59 virtual-guest
drwxr-xr-x. 2 root root    24 Jan 31 17:59 virtual-host
[root@xuegod23 tuned]# vim virtual-guest/tuned.conf
#
# tuned configuration
#

[main]
summary=Optimize for running inside a virtual guest
include=throughput-performance

[sysctl]
# If a workload mostly uses anonymous memory and it hits this limit, the entire
# working set is buffered for I/O, and any more write buffering would require
# swapping, so its time to throttle writes until I/O can catch up. Workloads
# that mostly use file mappings may be able to use even higher values.
#
# The generator of dirty data starts writeback at this percentage (system default
# is 20%)
vm.dirty_ratio = 30

# Filesystem I/O is usually much more efficient than swapping, so try to keep
# swapping low. It's usually safe to go even lower than this on systems with
# server-grade storage.
vm.swappiness = 30
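The include=throughput-performance line is what makes this file short: the profile inherits every setting of throughput-performance and only overrides the two sysctls shown, and a custom profile under /etc/tuned can in turn include virtual-guest. Because the effective values are spread across several files, it helps to resolve the chain mechanically. The script below is an added example, not from the tuned project or the original post: it follows include= and prints the effective [sysctl] section, child keys winning. The function names are this example's own, the profile directory is a parameter instead of /usr/lib/tuned or /etc/tuned, and the sample profiles are constructed (the virtual-guest file is the one above, abbreviated; the throughput-performance file is an abbreviated stand-in).

```shell
#!/bin/sh
# Added example, not part of the original post. Resolves the "include=" chain
# of a tuned profile and computes the effective [sysctl] settings, where a
# child profile's keys override its parent's. DIR stands in for
# /usr/lib/tuned (packaged) or /etc/tuned (custom profiles).

# tuned_chain DIR PROFILE : print the profile chain, outermost parent first
tuned_chain() {
    conf="$1/$2/tuned.conf"
    [ -r "$conf" ] || { echo "missing profile: $2" >&2; return 1; }
    parent=$(sed -n 's/^include[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    [ -z "$parent" ] || tuned_chain "$1" "$parent" || return 1
    echo "$2"
}

# tuned_sysctl DIR PROFILE : effective key=value pairs of the [sysctl] section
tuned_sysctl() {
    for p in $(tuned_chain "$1" "$2"); do
        awk '/^\[/ { insec = ($0 == "[sysctl]"); next }
             insec && /^[^#;[:space:]]/ {
                 eq = index($0, "="); if (!eq) next
                 k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
                 gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                 print k "=" v
             }' "$1/$p/tuned.conf"
    done | awk -F= '{ val[$1] = $2; if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 } }
                    END { for (i = 1; i <= n; i++) print order[i] "=" val[order[i]] }'
}

# write_profile DIR NAME PARENT : a custom profile that inherits PARENT and
# overrides one sysctl and adds one (constructed values for illustration).
write_profile() {
    mkdir -p "$1/$2"
    cat > "$1/$2/tuned.conf" <<EOF
[main]
summary=Custom guest profile derived from $3
include=$3

[sysctl]
vm.swappiness = 5
kernel.kptr_restrict = 1
EOF
}

# Constructed sample tree: an abbreviated throughput-performance and the
# virtual-guest profile shown above, which includes it.
make_sample_profiles() {
    mkdir -p "$1/throughput-performance" "$1/virtual-guest"
    cat > "$1/throughput-performance/tuned.conf" <<'EOF'
[main]
summary=Broadly applicable tuning (abbreviated, constructed)

[sysctl]
vm.dirty_ratio = 40
vm.dirty_background_ratio = 10
vm.swappiness=10
EOF
    cat > "$1/virtual-guest/tuned.conf" <<'EOF'
[main]
summary=Optimize for running inside a virtual guest
include=throughput-performance

[sysctl]
vm.dirty_ratio = 30
vm.swappiness = 30
EOF
}

tmp=$(mktemp -d)
make_sample_profiles "$tmp"
write_profile "$tmp" myguest virtual-guest
tuned_chain "$tmp" myguest      # throughput-performance, virtual-guest, myguest
tuned_sysctl "$tmp" myguest     # dirty_ratio=30 (virtual-guest), background_ratio=10 (parent), swappiness=5 and kptr_restrict=1 (myguest)
rm -rf "$tmp"
```

Point the functions at /usr/lib/tuned or /etc/tuned on a real host to see what a profile actually sets before activating it with tuned-adm profile; a custom profile in /etc/tuned is also a convenient place to keep the sysctl hardening settings together with the performance ones, since tuned reapplies them at boot.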

