Step-by-step instructions for deploying Hailbytes VPN with the Firezone GUI are provided here.
Administer: Server instance configuration is covered in this section.
User Guides: Helpful documents that teach you how to use Firezone and resolve common problems. Once the server has been deployed successfully, refer to this section.
Split Tunneling: Use the VPN to send traffic only to specific IP ranges.
Whitelisting: Set a static IP address for the VPN server in order to use whitelisting.
Reverse Tunnels: Create tunnels between multiple peers using reverse tunnels.
We are happy to help if you need assistance deploying, customizing, or using Hailbytes VPN.
Before users can generate or download device configuration files, Firezone can be configured to require authentication. Users can also be required to periodically re-authenticate to keep their VPN connection active.
Although Firezone's default login method is local email and password, it can also be integrated with any OpenID Connect (OIDC) identity provider. Users can then log in to Firezone using Okta, Google, Azure AD, or their own private identity provider.
Integrate a Generic OIDC Provider
The configuration settings Firezone requires to allow SSO through OIDC are shown in the example below. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and apply the changes.
# This is an example using Google and Okta as the SSO identity providers.
# Multiple OIDC configurations can be added to the same Firezone instance.
# Firezone can disable a user's VPN if an error is detected while attempting
# to refresh their access_token. This is verified to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user's VPN if they are removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens, as it could unexpectedly interrupt a
# user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<google client id>",
    client_secret: "<google client secret>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<okta domain>/.well-known/openid-configuration",
    client_id: "<okta client id>",
    client_secret: "<okta client secret>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
The following settings are required for the integration:
For each OIDC provider a corresponding pretty URL is created for redirecting to the configured provider's sign-in URL. For the example OIDC config above, the URLs are:
Providers we have documentation for:
If your identity provider has a generic OIDC connector and is not listed above, please consult its documentation for how to retrieve the required configuration settings.
The settings under settings/security can be configured to require periodic re-authentication. This can be used to force users to log in to Firezone periodically in order to continue their VPN session.
The session length can be set to between one hour and ninety days. Setting this to Never allows VPN sessions at any time. This is the default.
A user must disable their VPN session and log in to the Firezone portal (the URL specified during deployment) to re-authenticate an expired VPN session.
You can re-authenticate your session by following the client instructions found here.
VPN Connection Status
The VPN Connection column of the Users page table shows a user's connection status. These are the connection statuses:
ENABLED - The connection is enabled.
DISABLED - The connection is disabled by an administrator or by an OIDC refresh failure.
EXPIRED - The connection is disabled because authentication expired or the user has not signed in for the first time.
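The following is an added example, not part of the Firezone project, that checks a provider entry in the shape of the firezone.rb hash above against the provider's OIDC discovery document: https-only callback URL on the /auth/oidc/<name>/callback/ path, a supported response_type, advertised scopes, and the offline_access scope that lets Firezone obtain a refresh token. The discovery document here is a constructed sample; in practice it is fetched from discovery_document_uri.

```python
"""Sanity-check Firezone OIDC provider entries against a discovery document.

Added example (not Firezone project code). SAMPLE_DISCOVERY is a constructed
.well-known/openid-configuration document; SAMPLE_OIDC mirrors the keys used
under default['firezone']['authentication']['oidc'] with placeholder values.
"""
import json
from urllib.parse import urlparse

# Constructed discovery document (assumed issuer accounts.example.com).
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://accounts.example.com",
  "authorization_endpoint": "https://accounts.example.com/authorize",
  "token_endpoint": "https://accounts.example.com/token",
  "response_types_supported": ["code", "id_token"],
  "scopes_supported": ["openid", "email", "profile", "offline_access"]
}""")

# Same keys Firezone expects; values are placeholders, not real credentials.
SAMPLE_OIDC = {
    "okta": {
        "discovery_document_uri": "https://accounts.example.com/.well-known/openid-configuration",
        "client_id": "<placeholder client id>",
        "client_secret": "<placeholder client secret>",
        "redirect_uri": "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
        "response_type": "code",
        "scope": "openid email profile offline_access",
        "label": "Okta",
    }
}

REQUIRED_KEYS = ("discovery_document_uri", "client_id", "client_secret",
                 "redirect_uri", "response_type", "scope", "label")


def check_provider(name, cfg, discovery):
    """Return a list of problems for one provider entry; empty means consistent."""
    problems = []
    for key in REQUIRED_KEYS:
        if not str(cfg.get(key, "")).strip():
            problems.append(f"{name}: {key} is empty")

    uri = cfg.get("discovery_document_uri", "")
    if not uri.endswith("/.well-known/openid-configuration"):
        problems.append(f"{name}: discovery_document_uri should end in /.well-known/openid-configuration")

    # Firezone builds the callback at /auth/oidc/<provider key>/callback/ and the
    # provider must be registered with exactly that https URL.
    redirect = urlparse(cfg.get("redirect_uri", ""))
    if redirect.scheme != "https":
        problems.append(f"{name}: redirect_uri must use https")
    expected_path = f"/auth/oidc/{name}/callback/"
    if redirect.path != expected_path:
        problems.append(f"{name}: redirect_uri path should be {expected_path}")

    if cfg.get("response_type") not in discovery.get("response_types_supported", []):
        problems.append(f"{name}: response_type not supported by provider")

    scopes = cfg.get("scope", "").split()
    if "openid" not in scopes:
        problems.append(f"{name}: scope must include openid")
    supported = set(discovery.get("scopes_supported", []))
    for scope in scopes:
        if scope not in supported:
            problems.append(f"{name}: scope {scope} is not advertised by the provider")
    # Without a refresh token Firezone cannot notice users removed at the IdP.
    if "offline_access" in supported and "offline_access" not in scopes:
        problems.append(f"{name}: add offline_access so Firezone can obtain a refresh token")
    return problems


def check_all(oidc, discovery_by_name):
    """Check every provider; returns {name: [problems]} for providers with issues."""
    report = {}
    for name, cfg in oidc.items():
        discovery = discovery_by_name.get(name)
        if discovery is None:
            report[name] = [f"{name}: no discovery document available"]
            continue
        problems = check_provider(name, cfg, discovery)
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    print(check_all(SAMPLE_OIDC, {"okta": SAMPLE_DISCOVERY}) or "all providers look consistent")
```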
Through its OIDC connector, Firezone supports Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide will show you how to obtain the configuration parameters listed below, which are required for the integration:
1. OAuth Config Screen
If this is the first time you are creating a new OAuth client ID, you will be asked to configure the consent screen.
* Select Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace Organization can create device configs. DO NOT select External unless you want to allow anyone with a valid Google Account to create device configs.
On the App information screen:
2. Create OAuth Client IDs
This section is based on Google's own documentation on setting up OAuth 2.0.
Go to the Google Cloud Console Credentials page, click + Create Credentials and select OAuth client ID.
On the OAuth client ID screen:
After creating the OAuth client ID, you will be given a Client ID and a Client Secret. These will be used together with the redirect URI in the next step.
Edit /etc/firezone/firezone.rb to include the following:
# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<google client id>",
    client_secret: "<google client secret>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.
Firezone uses its generic OIDC connector to support Single Sign-On (SSO) with Okta. This guide will show you how to obtain the configuration settings listed below, which are required for the integration:
This section of the guide is based on Okta's documentation.
In the Admin Console, go to Applications > Applications and click Create App Integration. Set the Sign-in method to OIDC - OpenID Connect and the Application type to Web application.
Configure the following settings:
Once the settings are saved, you will be given the Client ID, Client Secret, and Okta Domain. These three values will be used in Step 3 to configure Firezone.
Edit /etc/firezone/firezone.rb to include the following. Your discovery_document_uri will be /.well-known/openid-configuration appended to the end of your okta_domain.
# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https://<okta domain>/.well-known/openid-configuration",
    client_id: "<okta client id>",
    client_secret: "<okta client secret>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.
The users who can access the Firezone app can be restricted in Okta. Go to the Assignments page of the Firezone App Integration in your Okta Admin Console to accomplish this.
Through its generic OIDC connector, Firezone supports Single Sign-On (SSO) with Azure Active Directory. This guide will show you how to obtain the configuration settings listed below, which are required for the integration:
This guide is based on the Azure Active Directory Docs.
Go to the Azure Active Directory page of the Azure portal. Select the App registrations option under the Manage menu, select New registration, then register by providing the information below:
After registering, open the details view of the application and copy the Application (client) ID. This will be the client_id value. Next, open the Endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.
Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.
Lastly, select the API permissions link under the Manage menu, click Add a permission, select Microsoft Graph, and add email, openid, offline_access and profile to the required permissions.
Edit /etc/firezone/firezone.rb to include the following:
# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/<tenant id>/v2.0/.well-known/openid-configuration",
    client_id: "<azure client id>",
    client_secret: "<azure client secret>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}
Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.
Azure AD allows administrators to restrict app access to a group of users within your company. Details on how to do this can be found in Microsoft's documentation.
Chef Omnibus is used by Firezone to manage tasks including release packaging, process supervision, log management, and more.
Ruby code makes up the primary configuration file, located at /etc/firezone/firezone.rb. Running sudo firezone-ctl reconfigure after changing this file causes Chef to recognize the changes and apply them to the current operating system.
See the configuration file reference for a complete list of configuration variables and their descriptions.
Your Firezone instance can be managed via the firezone-ctl command, as shown below. Most subcommands require prefixing with sudo.
root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with the email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, the WireGuard interface, and the routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes the WireGuard interface and the firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes the cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display the current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start the services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.
All VPN sessions must be terminated before upgrading Firezone, which also requires shutting down the Web UI. In case something goes wrong during the upgrade, we recommend scheduling an hour of downtime.
To upgrade Firezone, take the following actions:
If there are any issues, please let us know by submitting a support ticket.
There are several breaking changes and configuration changes in 0.5.0 that need to be addressed. Find out more below.
Nginx no longer supports bundled SSL and non-SSL ports as of version 0.5.0. Because Firezone requires SSL to operate, we recommend disabling the Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy at the Phoenix app on port 13000 instead (the default).
0.5.0 introduces ACME protocol support for automatically renewing SSL certificates with the bundled Nginx service. To enable it,
The ability to add rules with overlapping destinations has been removed in Firezone 0.5.0. Our migration script will detect these during the upgrade to 0.5.0 and keep only the rules whose destination contains another rule. Nothing needs to be done if this is acceptable.
Otherwise, before upgrading, we recommend changing your rules to remove these overlaps.
Firezone 0.5.0 removes support for the legacy Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.
If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you will need to migrate it to our OIDC-based configuration using the guide below.
Migrate existing Google OAuth configuration
Remove these lines containing the old Google OAuth configs from your configuration file located at /etc/firezone/firezone.rb
default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']
Then, configure Google as an OIDC provider by following the steps here.
Migrate existing Okta OAuth configuration
Remove these lines containing the old Okta OAuth configs from your configuration file located at /etc/firezone/firezone.rb
default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']
Then, configure Okta as an OIDC provider by following the steps here.
Depending on your setup and version, follow the instructions below:
If you already have an OIDC integration:
For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a refresh token for offline access. Doing so ensures Firezone stays in sync with the identity provider and that the VPN connection is disabled after a user is removed. Earlier releases of Firezone lacked this feature. In some cases, users who have been removed from your identity provider may still be connected to the VPN.
It is necessary to include offline_access in the scope parameter of your OIDC configuration for OIDC providers that support the offline_access scope. firezone-ctl reconfigure must be run to apply changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.
For users who have authenticated with your OIDC provider, you will see OIDC Connections in the user details page of the web UI if Firezone is able to successfully retrieve the refresh token.
If this does not work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.
I have an OAuth integration
Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.
Follow the instructions here to migrate to OIDC.
I haven't integrated an identity provider
No action needed.
You can follow the instructions here to enable SSO through an OIDC provider.
Notably, default['firezone']['external_url'] has replaced default['firezone']['fqdn'].
Set this to the URL of your Firezone web portal that is accessible to the general public. It will default to https:// plus your server's FQDN if left undefined.
The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.
Firezone no longer stores device private keys on the Firezone server as of version 0.3.0.
The Firezone Web UI will not allow you to re-download or view these configurations, but any existing devices should continue to work as they are.
If you are upgrading from Firezone 0.1.x, there are several configuration file changes that need to be addressed manually.
To make the required changes to the /etc/firezone/firezone.rb file, run the commands below as root.
cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart
Checking the Firezone logs is a sensible first step for any issue that may occur.
Run sudo firezone-ctl tail to view the Firezone logs.
Most connectivity issues with Firezone are caused by incompatible iptables or nftables rules. You should ensure that any rules you have in effect do not conflict with the Firezone rules.
If your internet connectivity drops every time you activate your WireGuard tunnel, ensure that the FORWARD chain allows packets from your WireGuard clients to the destinations you want to allow through Firezone.
If you are using ufw, this can be achieved by ensuring the default routed policy is allow:
ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)
A ufw configuration for a typical Firezone server might look like this:
ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
We recommend limiting network access to the smallest set of services strictly necessary, as explained below.
Service    | Default Port | Listen Address | Description |
Nginx      | 80, 443      | all            | Public HTTP(S) port for administering Firezone and facilitating authentication. |
WireGuard  | 51820        | all            | Public WireGuard port used for VPN sessions. (UDP) |
Postgresql | 15432        | 127.0.0.1      | Local-only port used for the bundled Postgresql server. |
Phoenix    | 13000        | 127.0.0.1      | Local-only port used by the upstream elixir app server. |
We recommend considering restricting access to the publicly exposed Firezone web interface (ports 443/tcp and 80/tcp by default) and instead using the WireGuard tunnel to manage Firezone for production and public-facing deployments where a single administrator will be responsible for creating and distributing device configurations to end users.
For example, if an administrator creates a device configuration and establishes a tunnel with local WireGuard address 10.3.2.2, the following ufw configuration would enable the administrator to access the Firezone Web UI on the server's wg-firezone interface using the 10.3.2.1 address:
root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
This would leave only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed to establish WireGuard tunnels.
Firezone bundles a Postgresql server and a matching psql utility that can be used from the local shell like so:
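As an added example (not part of Firezone), the following script parses `ufw status verbose` output like the two listings above and reports which ports are reachable from Anywhere beyond the minimal set of 22/tcp and 51820/udp, and whether the routed default policy is allow. The two sample listings are constructed copies of the output shown on this page.

```python
"""Audit ufw status output for a Firezone host (added example, not Firezone code).

DEFAULT_STATUS and RESTRICTED_STATUS are constructed samples in the format of
`ufw status verbose`; MINIMAL_PUBLIC is the set of ports this page recommends
leaving reachable from the internet.
"""
import re

DEFAULT_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
"""

RESTRICTED_STATUS = """\
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)
"""

# SSH for server management (optional) and the WireGuard listener.
MINIMAL_PUBLIC = {"22/tcp", "51820/udp"}


def parse_ufw_status(text):
    """Return {'defaults': {direction: policy}, 'rules': [{to, action, from, v6}]}."""
    defaults, rules, in_rules = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Default:"):
            # e.g. "deny (incoming), allow (outgoing), allow (routed)"
            for policy, direction in re.findall(r"(\w+) \((\w+)\)", line):
                defaults[direction] = policy
        elif line.startswith("--"):
            in_rules = True  # the dashed separator precedes the rule rows
        elif in_rules:
            parts = re.split(r"\s{2,}", line)
            if len(parts) != 3:
                continue
            to, action, src = parts
            rules.append({
                "to": to.replace(" (v6)", ""),
                "action": action,
                "from": src.replace(" (v6)", ""),
                "v6": to.endswith("(v6)"),
            })
    return {"defaults": defaults, "rules": rules}


def publicly_exposed(status, allowed=MINIMAL_PUBLIC):
    """Sorted ports that accept inbound traffic from Anywhere outside the allowed set."""
    exposed = set()
    for rule in status["rules"]:
        if rule["action"] != "ALLOW IN" or rule["from"] != "Anywhere":
            continue
        if rule["to"] != "Anywhere" and rule["to"] not in allowed:
            exposed.add(rule["to"])
    return sorted(exposed)


def routed_policy_ok(status):
    """Firezone needs forwarded (routed) packets allowed by default."""
    return status["defaults"].get("routed") == "allow"


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("restricted", RESTRICTED_STATUS)):
        status = parse_ufw_status(text)
        print(label, "routed ok:", routed_policy_ok(status),
              "extra public ports:", publicly_exposed(status))
```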
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"
This can be helpful for debugging.
Common tasks:
Listing all users:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"
Listing all devices:
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"
Changing a user's role:
Set the role to 'admin' or 'unprivileged' (replace user@example.com with the user's email address):
/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"
Backing up the database:
Additionally, the pg_dump utility is included, which can be used to take regular backups of the database. Run the following to dump a copy of the database in the common SQL format (replace /path/to/backup.sql with the location where the SQL file should be created):
/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql
Once Firezone has been deployed successfully, you will need to add users to grant them access to your network. The Web UI is used to do this.
By selecting the "Add User" button under /users, you can add a user. You will be asked to give the user an email address and a password. To allow access only to users in your organization, Firezone can also interface and sync automatically with your identity provider. More details are available in Authenticate.
We recommend asking users to generate their own device configs so that the private key is visible only to them. Users can generate their own device configurations by following the instructions on the Client Instructions page.
All user device configs can be created by Firezone administrators. On the user profile page under /users, select "Add Device" to accomplish this.
[Insert screenshot]
You can email the user the WireGuard configuration file after creating the device profile.
Users and devices are linked. For more details on how to add a user, see Add Users.
Through the use of the kernel netfilter system, Firezone supports egress filtering to specify DROP or ACCEPT for packets. All traffic is allowed by default.
IPv4 and IPv6 CIDRs and IP addresses are supported via the Allowlist and Denylist, respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.
Install and Configure
To establish a VPN connection using the native WireGuard client, see this guide.
The official WireGuard clients listed here are compatible with Firezone:
Visit the official WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.
Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.
Visit the URL provided by your Firezone administrator to self-generate a device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
Firezone Okta SSO Login
[Insert screenshot]
Import the .conf file into the WireGuard client by opening it. By flipping the Activate switch, you can start the VPN session.
[Insert screenshot]
Follow the instructions below if your network administrator has mandated recurring authentication to keep your VPN connection active.
You will need:
Firezone portal URL: Ask your network administrator for the link.
Your network administrator should give you your login name and password. The Firezone site will prompt you to log in to your account using the single sign-on service your employer uses (such as Google or Okta).
[Insert screenshot]
Visit the Firezone portal URL and log in using the credentials provided by your network administrator. If you are already logged in, click the Re-authenticate button before logging in again.
[Insert screenshot]
[Insert screenshot]
To import a WireGuard configuration profile using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.
If the profile has IPv6 support, attempting to import the configuration file using the Network Manager GUI may fail with the following error:
ipv6.method: method "auto" is not supported for WireGuard
The WireGuard userspace tools must be installed. This will be a package called wireguard or wireguard-tools on Linux distributions.
For Ubuntu/Debian:
sudo apt install wireguard
For Fedora:
sudo dnf install wireguard-tools
Arch Linux:
sudo pacman -S wireguard-tools
Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.
Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.
Visit the URL provided by your Firezone administrator to self-generate a device configuration file. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.
[Insert screenshot]
Import the provided configuration file using nmcli:
sudo nmcli connection import type wireguard file /path/to/configuration.conf
The configuration file name will correspond to the WireGuard connection/interface name. After importing, the connection can be renamed if necessary:
nmcli connection modify [old name] connection.id [new name]
Using the command line, connect to the VPN like so:
nmcli connection up [vpn name]
To disconnect:
nmcli connection down [vpn name]
The Network Manager applet can also be used to manage the connection if you are using a GUI.
By setting the connection's autoconnect option to "yes", the VPN connection can be configured to connect automatically:
nmcli connection modify [vpn name] connection.autoconnect yes
To disable autoconnect, set it back to no:
nmcli connection modify [vpn name] connection.autoconnect no
To enable MFA, go to Firezone's /user_account/register_mfa page. Use your authenticator app to scan the QR code once it is generated, then enter the six-digit code.
Contact your administrator to reset your account's access information if you lose your authenticator app.
This guide will walk you through setting up WireGuard's split tunneling feature with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.
The IP ranges for which the client will route network traffic are set in the Allowed IPs field on the /settings/default page. Only newly generated WireGuard tunnel configurations produced by Firezone are affected by changes to this field.
[Insert screenshot]
The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.
Example values for this field include:
0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.
192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.
3.5.140.0/22 - only traffic to IPs in the range 3.5.140.1 - 3.5.143.254 will be routed to the VPN server. In this example, the CIDR range for the ap-northeast-2 AWS region was used.
Firezone selects the egress interface corresponding to the most specific route when determining where to route a packet.
Users must regenerate their config files and add them to their native WireGuard client in order to update existing devices with the new split tunnel configuration.
For instructions, see Add Device.
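As an added example (not part of Firezone), the following code applies the Allowed IPs semantics described above: for a destination address it returns the most specific prefix from the field that covers it (the packet enters the tunnel) or None (the packet stays on the client's normal route), and it expands a CIDR such as 3.5.140.0/22 into the usable host range the text quotes. It generalizes the page's three examples to any mix of IPv4 and IPv6 prefixes.

```python
"""Decide which destinations an Allowed IPs field sends through the tunnel.

Added example, not Firezone code. Uses only the standard library; the field
values are the ones from this page, passed in as plain strings.
"""
import ipaddress


def parse_allowed_ips(field):
    """Parse a comma-separated Allowed IPs field ('0.0.0.0/0, ::/0') into networks."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in field.split(",") if part.strip()]


def route_via_vpn(field, destination):
    """Return the most specific Allowed IPs prefix covering destination, else None.

    WireGuard installs one route per Allowed IPs entry, so the longest matching
    prefix wins; a destination outside every entry is not tunnelled (split tunnel).
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for net in parse_allowed_ips(field):
        if net.version != dst.version or dst not in net:
            continue
        if best is None or net.prefixlen > best.prefixlen:
            best = net
    return str(best) if best is not None else None


def usable_host_range(cidr):
    """First and last usable host address of a CIDR, e.g. 3.5.140.0/22 -> .1 to .254."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.num_addresses <= 2:  # /31 and /32 (or /127, /128) have no reserved ends
        return str(net[0]), str(net[-1])
    return str(net[1]), str(net[-2])  # skip network and broadcast addresses


def tunnel_decisions(field, destinations):
    """Map each destination to the prefix that tunnels it, or None."""
    return {d: route_via_vpn(field, d) for d in destinations}


if __name__ == "__main__":
    field = "3.5.140.0/22, 192.0.2.3/32"
    print(usable_host_range("3.5.140.0/22"))
    print(tunnel_decisions(field, ["3.5.141.7", "192.0.2.3", "3.5.144.1", "2001:db8::1"]))
```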
This guide will demonstrate how to connect two devices using Firezone as a relay. One typical use case is enabling an administrator to access a server, container, or machine that is protected by a NAT or firewall.
This diagram shows how devices A and B build a tunnel.
[Insert firezone architecture image]
Start by creating Device A and Device B by going to /users/[user_id]/new_device. In the settings for each device, ensure the following parameters are set to the values listed below. You can set device settings when creating the device configuration (see Add Devices). If you need to update settings on an existing device, you can do so by generating a new device config.
Note that all devices have a /settings/defaults page where PersistentKeepalive can be set.
AllowedIPs = 10.3.2.2/32
This is the IP or range of IPs of Device B
PersistentKeepalive = 25
If the device is behind a NAT, this ensures the device is able to keep the tunnel alive and continue to receive packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.
AllowedIPs = 10.3.2.3/32
This is the IP or range of IPs of Device A
PersistentKeepalive = 25
This example demonstrates how Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or administrator accessing multiple resources (servers, containers, or machines) across different networks.
[Architecture diagram]
Ensure the following settings are configured in each device's settings to the corresponding values. When creating the device configuration, you can specify the device settings (see Add Devices). A new device configuration can be generated if settings on existing devices need to be updated.
AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32
These are the IPs of Devices B through D. The IPs of Devices B through D must be included in whichever IP range you choose.
PersistentKeepalive = 25
This ensures the device is able to keep the tunnel alive and continue to receive packets from the WireGuard interface even if it is protected by a NAT. Usually a value of 25 is sufficient, however depending on your environment you may need to lower this number.
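The following is an added example, not Firezone project code, covering both reverse tunnel layouts above (A to B, and A to B through D): it derives the AllowedIPs and PersistentKeepalive values each device needs from a name-to-address map and a chosen hub device, then verifies from those values whether a given pair of devices can reach each other in both directions. The device names and 10.3.2.x addresses are the ones used on this page.

```python
"""Derive and verify reverse tunnel peer settings (added example, not Firezone code).

Model: one hub device (the administrator's) must reach every other device and
be reachable by it. Each device lists the other side's address as a host
prefix in AllowedIPs and keeps the tunnel open with PersistentKeepalive.
"""
import ipaddress


def host_prefix(ip):
    """10.3.2.2 -> '10.3.2.2/32' (or /128 for IPv6)."""
    addr = ipaddress.ip_address(ip)
    return f"{addr}/{32 if addr.version == 4 else 128}"


def hub_and_spoke_settings(device_ips, hub, keepalive=25):
    """Return {device: {'AllowedIPs': ..., 'PersistentKeepalive': ...}} for every device."""
    if hub not in device_ips:
        raise ValueError(f"unknown hub device {hub!r}")
    if not 1 <= keepalive <= 65535:
        raise ValueError("PersistentKeepalive must be between 1 and 65535 seconds")
    spokes = [name for name in device_ips if name != hub]
    settings = {
        # The hub lists every spoke so packets to any of them enter the tunnel.
        hub: {
            "AllowedIPs": ", ".join(host_prefix(device_ips[s]) for s in spokes),
            "PersistentKeepalive": keepalive,
        }
    }
    for spoke in spokes:
        # Each spoke only needs the hub; keepalive matters when it sits behind NAT.
        settings[spoke] = {
            "AllowedIPs": host_prefix(device_ips[hub]),
            "PersistentKeepalive": keepalive,
        }
    return settings


def covers(settings, device_ips, src, dst):
    """True when src's AllowedIPs contains dst's tunnel address."""
    target = ipaddress.ip_address(device_ips[dst])
    nets = [ipaddress.ip_network(p.strip(), strict=False)
            for p in settings[src]["AllowedIPs"].split(",") if p.strip()]
    return any(target.version == net.version and target in net for net in nets)


def reachable_both_ways(settings, device_ips, a, b):
    """Both devices must cover each other, otherwise replies are dropped."""
    return covers(settings, device_ips, a, b) and covers(settings, device_ips, b, a)


if __name__ == "__main__":
    ips = {"A": "10.3.2.2", "B": "10.3.2.3", "C": "10.3.2.4", "D": "10.3.2.5"}
    cfg = hub_and_spoke_settings(ips, hub="A")
    for name, values in cfg.items():
        print(name, values)
    print("A<->C:", reachable_both_ways(cfg, ips, "A", "C"))
    print("B<->C:", reachable_both_ways(cfg, ips, "B", "C"))
```

Spoke-to-spoke pairs report False because, as on the page, only the hub lists every other device; a second hub entry would be needed for those.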
Kuti mupereke IP imodzi, yokhazikika kuti magalimoto onse a gulu lanu atuluke, Firezone itha kugwiritsidwa ntchito ngati chipata cha NAT. Izi zikuphatikizapo kugwiritsidwa ntchito pafupipafupi:
Kufunsira Kukambirana: Funsani kuti kasitomala wanu alembe adilesi imodzi ya IP m'malo mwa IP ya chipangizo cha aliyense wogwira ntchito.
Kugwiritsa ntchito proxy kapena kubisa IP yanu yochokera pachitetezo kapena zinsinsi.
Chitsanzo chophweka chochepetsera mwayi wopezeka pa intaneti yodzipangira nokha ku IP imodzi yovomerezeka ya IP yomwe ikuyenda ndi Firezone iwonetsedwa mu positiyi. M'fanizoli, Firezone ndi zotetezedwa zili m'malo osiyanasiyana a VPC.
Yankholi limagwiritsidwa ntchito nthawi zambiri m'malo mowongolera IP whitelist kwa ogwiritsa ntchito ambiri, zomwe zitha kutenga nthawi pomwe mndandanda wofikira ukukula.
Cholinga chathu ndikukhazikitsa seva ya Firezone pamwambo wa EC2 kuti iwongolere kuchuluka kwa magalimoto a VPN kuzinthu zoletsedwa. Pakadali pano, Firezone ikugwira ntchito ngati projekiti ya netiweki kapena chipata cha NAT kuti ipatse chipangizo chilichonse cholumikizidwa ndi IP yapadera yapagulu.
Pankhaniyi, chochitika cha EC2 chotchedwa tc2.micro chili ndi chochitika cha Firezone chomwe chayikidwapo. Kuti mudziwe zambiri za kutumiza Firezone, pitani ku Deployment Guide. Mogwirizana ndi AWS, onetsetsani:
Gulu lachitetezo la zochitika za Firezone EC2 limalola kuchuluka kwa magalimoto kupita ku adilesi ya IP ya chinthu chotetezedwa.
Chitsanzo cha Firezone chimabwera ndi zotanuka IP. Magalimoto omwe amatumizidwa kudzera pa Firezone kupita kumalo akunja adzakhala ndi awa ngati adilesi yake ya IP. Adilesi ya IP yomwe ikufunsidwa ndi 52.202.88.54.
[Ikani Chithunzithunzi]<<<<<<<<<<<<<<<<<<<<<<<
Pulogalamu yapaintaneti yodzipangira nokha imakhala ngati gwero lotetezedwa pankhaniyi. Pulogalamu yapaintaneti imatha kupezeka kokha ndi zopempha zochokera ku adilesi ya IP 52.202.88.54. Kutengera ndi gwero, pangakhale kofunikira kuloleza magalimoto olowera pamadoko osiyanasiyana komanso mitundu yamagalimoto. Izi sizinafotokozedwe m'bukuli.
[Ikani chithunzithunzi]<<<<<<<<<<<<<<<<<<<<<<<
Chonde uzani gulu lachitatu lomwe likuyang'anira gwero lotetezedwa kuti magalimoto ochokera ku IP osasunthika ofotokozedwa mu Gawo 1 aloledwe (pankhaniyi 52.202.88.54).
Mwachikhazikitso, magalimoto onse ogwiritsira ntchito adzadutsa pa seva ya VPN ndikuchokera ku IP static yomwe inakonzedwa mu Gawo 1 (pankhaniyi 52.202.88.54). Komabe, ngati kugawikana kwagawo kwayatsidwa, zosintha zitha kukhala zofunikira kuwonetsetsa kuti IP yotetezedwa ndi IP yalembedwa pakati pa ma IP Ololedwa.
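The two layouts above both depend on the same WireGuard rule: a packet only enters the tunnel, and is only accepted on arrival, when the peer's AllowedIPs cover the address at the far end. The script below is an added example, not code from Firezone or from this page; it checks the reverse-tunnel layout for one-way entries and missing keepalives, and checks whether a split-tunnel AllowedIPs list still sends the protected resource through the VPN. Device names, tunnel addresses and the resource IP are constructed sample data.

```python
"""AllowedIPs coverage checks for the reverse-tunnel and NAT-gateway layouts.

Added example, not Firezone code. All sample data below is constructed.
"""
import ipaddress


def parse_allowed_ips(value):
    """Turn an AllowedIPs string such as '10.3.2.2/32, 10.3.2.3/32' into networks."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]


def covers(allowed, address):
    """True when `address` lies inside at least one AllowedIPs entry."""
    addr = ipaddress.ip_address(address)
    return any(addr in net for net in allowed)


def check_mesh(devices):
    """Check a layout where every device peers with the Firezone server.

    `devices` maps a name to its tunnel 'address', its 'allowed_ips' string,
    whether it is 'behind_nat', and its PersistentKeepalive 'keepalive'.
    Returns a list of problem tuples; an empty list means the layout is consistent.
    """
    parsed = {name: parse_allowed_ips(d["allowed_ips"]) for name, d in devices.items()}
    problems = []
    for src, src_cfg in devices.items():
        for dst, dst_cfg in devices.items():
            if src == dst:
                continue
            # src can send to dst, but dst drops the packet on arrival and cannot
            # route a reply, because src's address is not in dst's AllowedIPs.
            if covers(parsed[src], dst_cfg["address"]) and not covers(parsed[dst], src_cfg["address"]):
                problems.append(("one_way", src, dst))
        # A device behind NAT with no keepalive loses its NAT mapping and stops
        # receiving packets from the server once the mapping expires.
        if src_cfg["behind_nat"] and src_cfg["keepalive"] <= 0:
            problems.append(("no_keepalive", src))
    return problems


def routes_via_vpn(allowed_ips, resource_ip):
    """True when traffic to resource_ip goes into the tunnel under these AllowedIPs
    (and therefore egresses from the Firezone server's static IP)."""
    return covers(parse_allowed_ips(allowed_ips), resource_ip)


# Constructed sample: A should reach B, C and D in both directions. D was
# misconfigured to list C instead of A, and D has no keepalive although it is behind NAT.
SAMPLE_DEVICES = {
    "A": {"address": "10.3.2.2", "allowed_ips": "10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32",
          "behind_nat": True, "keepalive": 25},
    "B": {"address": "10.3.2.3", "allowed_ips": "10.3.2.2/32", "behind_nat": True, "keepalive": 25},
    "C": {"address": "10.3.2.4", "allowed_ips": "10.3.2.2/32", "behind_nat": False, "keepalive": 0},
    "D": {"address": "10.3.2.5", "allowed_ips": "10.3.2.4/32", "behind_nat": True, "keepalive": 0},
}

# Constructed sample: a protected resource on a documentation address (TEST-NET-3).
RESOURCE_IP = "203.0.113.10"
FULL_TUNNEL = "0.0.0.0/0, ::/0"               # Firezone's default allowed_ips
SPLIT_TUNNEL = "10.3.2.0/24, 10.0.0.0/8"      # split tunnel that forgot the resource
SPLIT_TUNNEL_FIXED = SPLIT_TUNNEL + ", 203.0.113.10/32"

if __name__ == "__main__":
    for problem in check_mesh(SAMPLE_DEVICES):
        print("mesh:", problem)
    for label, allowed in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL),
                           ("split+resource", SPLIT_TUNNEL_FIXED)):
        print(f"{label}: resource reached via VPN = {routes_via_vpn(allowed, RESOURCE_IP)}")
```

Run against the sample data, check_mesh reports that A can reach D but D does not list A, that D can reach C but C does not list D, and that D has no keepalive; routes_via_vpn is true for the default full-tunnel list, false for the split-tunnel list, and true again once the resource's /32 is added.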
Below is a complete list of the options available in /etc/firezone/firezone.rb.
| Option | Description | Default value |
|---|---|---|
| default['firezone']['external_url'] | URL used to access the Firezone web portal. | "https://#{node['fqdn'] || node['hostname']}" |
| default['firezone']['config_directory'] | Top-level directory for Firezone configuration. | '/etc/firezone' |
| default['firezone']['install_directory'] | Top-level directory to install Firezone into. | '/opt/firezone' |
| default['firezone']['app_directory'] | Top-level directory to install the Firezone web application into. | "#{node['firezone']['install_directory']}/embedded/service/firezone" |
| default['firezone']['log_directory'] | Top-level directory for Firezone logs. | '/var/log/firezone' |
| default['firezone']['var_directory'] | Top-level directory for Firezone runtime files. | '/var/opt/firezone' |
| default['firezone']['user'] | Name of the unprivileged Linux user that most services and files will be owned by. | 'firezone' |
| default['firezone']['group'] | Name of the Linux group that most services and files will be owned by. | 'firezone' |
| default['firezone']['admin_email'] | Email address of the initial Firezone user. | "firezone@localhost" |
| default['firezone']['max_devices_per_user'] | Maximum number of devices a user may have. | 10 |
| default['firezone']['allow_unprivileged_device_management'] | Allows non-admin users to create and delete devices. | true |
| default['firezone']['allow_unprivileged_device_configuration'] | Allows non-admin users to modify device configuration. When disabled, unprivileged users cannot change any device field except name and description. | true |
| default['firezone']['egress_interface'] | Name of the interface that tunneled traffic exits through. If nil, the default route interface is used. | nil |
| default['firezone']['fips_enabled'] | Enable or disable OpenSSL FIPS mode. | nil |
| default['firezone']['logging']['enabled'] | Enable or disable logging across Firezone. Set to false to disable logging entirely. | true |
| default['enterprise']['name'] | Name used by the Chef 'enterprise' cookbook. | 'firezone' |
| default['firezone']['install_path'] | Install path used by the Chef 'enterprise' cookbook. Should be set to the same value as install_directory above. | node['firezone']['install_directory'] |
| default['firezone']['sysvinit_id'] | Identifier used in /etc/inittab. Must be a unique sequence of 1-4 characters. | 'SUP' |
| default['firezone']['authentication']['local']['enabled'] | Enable or disable local email/password authentication. | true |
| default['firezone']['authentication']['auto_create_oidc_users'] | Automatically create users who sign in via OIDC for the first time. Disable to allow only existing users to sign in via OIDC. | true |
| default['firezone']['authentication']['disable_vpn_on_oidc_error'] | Disable a user's VPN if an error occurs while refreshing their OIDC token. | false |
| default['firezone']['authentication']['oidc'] | OpenID Connect configuration, in the form {"provider" => [config…]} - see the OpenIDConnect documentation for configuration examples. | {} |
| default['firezone']['nginx']['enabled'] | Enable or disable the bundled nginx server. | true |
| default['firezone']['nginx']['ssl_port'] | HTTPS listen port. | 443 |
| default['firezone']['nginx']['directory'] | Directory for Firezone-related nginx configuration. | "#{node['firezone']['var_directory']}/nginx/etc" |
| default['firezone']['nginx']['log_directory'] | Directory for Firezone-related nginx log files. | "#{node['firezone']['log_directory']}/nginx" |
| default['firezone']['nginx']['log_rotation']['file_maxbytes'] | File size at which nginx log files are rotated. | 104857600 |
| default['firezone']['nginx']['log_rotation']['num_to_keep'] | Number of Firezone nginx log files to keep before discarding. | 10 |
| default['firezone']['nginx']['log_x_forwarded_for'] | Whether to log the Firezone nginx x-forwarded-for header. | true |
| default['firezone']['nginx']['hsts_header']['enabled'] | Enable or disable the HSTS header. | true |
| default['firezone']['nginx']['hsts_header']['include_subdomains'] | Enable or disable includeSubDomains for the HSTS header. | true |
| default['firezone']['nginx']['hsts_header']['max_age'] | Max age of the HSTS header. | 31536000 |
| default['firezone']['nginx']['redirect_to_canonical'] | Whether to redirect URLs to the canonical FQDN specified above. | false |
| default['firezone']['nginx']['cache']['enabled'] | Enable or disable the Firezone nginx cache. | false |
| default['firezone']['nginx']['cache']['directory'] | Directory of the Firezone nginx cache. | "#{node['firezone']['var_directory']}/nginx/cache" |
| default['firezone']['nginx']['user'] | Firezone nginx user. | node['firezone']['user'] |
| default['firezone']['nginx']['group'] | Firezone nginx group. | node['firezone']['group'] |
| default['firezone']['nginx']['dir'] | Top-level nginx configuration directory. | node['firezone']['nginx']['directory'] |
| default['firezone']['nginx']['log_dir'] | Top-level nginx log directory. | node['firezone']['nginx']['log_directory'] |
| default['firezone']['nginx']['pid'] | Location of the nginx pid file. | "#{node['firezone']['nginx']['directory']}/nginx.pid" |
| default['firezone']['nginx']['daemon_disable'] | Disable nginx daemon mode so that it can be supervised instead. | true |
| default['firezone']['nginx']['gzip'] | Turn nginx gzip compression on or off. | 'on' |
| default['firezone']['nginx']['gzip_static'] | Turn nginx gzip compression on or off for static files. | 'off' |
| default['firezone']['nginx']['gzip_http_version'] | HTTP version to use when serving static files. | '1.0' |
| default['firezone']['nginx']['gzip_comp_level'] | nginx gzip compression level. | '2' |
| default['firezone']['nginx']['gzip_proxied'] | Enables or disables gzipping of responses to proxied requests depending on the request and response. | 'any' |
| default['firezone']['nginx']['gzip_vary'] | Enables or disables inserting the "Vary: Accept-Encoding" response header. | 'off' |
| default['firezone']['nginx']['gzip_buffers'] | Sets the number and size of the buffers used to compress a response. If nil, the nginx default is used. | nil |
| default['firezone']['nginx']['gzip_types'] | MIME types to enable gzip compression for. | ['text/plain', 'text/css', 'application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', 'text/javascript', 'application/javascript', 'application/json'] |
| default['firezone']['nginx']['gzip_min_length'] | Minimum file length to enable gzip compression for. | 1000 |
| default['firezone']['nginx']['gzip_disable'] | User-agent matcher for which gzip compression is disabled. | 'MSIE [1-6]\.' |
| default['firezone']['nginx']['keepalive'] | Enables the cache for connections to upstream servers. | 'on' |
| default['firezone']['nginx']['keepalive_timeout'] | Timeout in seconds for keepalive connections to upstream servers. | 65 |
| default['firezone']['nginx']['worker_processes'] | Number of nginx worker processes. | node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1 |
| default['firezone']['nginx']['worker_connections'] | Maximum number of simultaneous connections that a worker process can open. | 1024 |
| default['firezone']['nginx']['worker_rlimit_nofile'] | Changes the limit on the maximum number of open files for worker processes. Uses the nginx default if nil. | nil |
| default['firezone']['nginx']['multi_accept'] | Whether workers accept one connection at a time or several. | true |
| default['firezone']['nginx']['event'] | Specifies the connection processing method to use inside the nginx events context. | 'epoll' |
| default['firezone']['nginx']['server_tokens'] | Enables or disables emitting the nginx version on error pages and in the "Server" response header. | nil |
| default['firezone']['nginx']['server_names_hash_bucket_size'] | Sets the bucket size of the server names hash tables. | 64 |
| default['firezone']['nginx']['sendfile'] | Enables or disables the use of nginx's sendfile(). | 'on' |
| default['firezone']['nginx']['access_log_options'] | Sets the nginx access log options. | nil |
| default['firezone']['nginx']['error_log_options'] | Sets the nginx error log options. | nil |
| default['firezone']['nginx']['disable_access_log'] | Disables the nginx access log. | false |
| default['firezone']['nginx']['types_hash_max_size'] | nginx types hash max size. | 2048 |
| default['firezone']['nginx']['types_hash_bucket_size'] | nginx types hash bucket size. | 64 |
| default['firezone']['nginx']['proxy_read_timeout'] | nginx proxy read timeout. Set to nil to use the nginx default. | nil |
| default['firezone']['nginx']['client_body_buffer_size'] | nginx client body buffer size. Set to nil to use the nginx default. | nil |
| default['firezone']['nginx']['client_max_body_size'] | nginx client max body size. | '250m' |
| default['firezone']['nginx']['default']['modules'] | Specify additional nginx modules. | [] |
| default['firezone']['nginx']['enable_rate_limiting'] | Enable or disable nginx rate limiting. | true |
| default['firezone']['nginx']['rate_limiting_zone_name'] | nginx rate limiting zone name. | 'firezone' |
| default['firezone']['nginx']['rate_limiting_backoff'] | nginx rate limiting backoff. | '10m' |
| default['firezone']['nginx']['rate_limit'] | nginx rate limit. | '10r/s' |
| default['firezone']['nginx']['ipv6'] | Allow nginx to listen for HTTP requests over IPv6 in addition to IPv4. | true |
| default['firezone']['postgresql']['enabled'] | Enable or disable the bundled Postgresql. Set to false and fill in the options below to use your own Postgresql instance. | true |
| default['firezone']['postgresql']['username'] | Postgresql username. | node['firezone']['user'] |
| default['firezone']['postgresql']['data_directory'] | Postgresql data directory. | "#{node['firezone']['var_directory']}/postgresql/13.3/data" |
| default['firezone']['postgresql']['log_directory'] | Postgresql log directory. | "#{node['firezone']['log_directory']}/postgresql" |
| default['firezone']['postgresql']['log_rotation']['file_maxbytes'] | Maximum size of a Postgresql log file before it is rotated. | 104857600 |
| default['firezone']['postgresql']['log_rotation']['num_to_keep'] | Number of Postgresql log files to keep. | 10 |
| default['firezone']['postgresql']['checkpoint_completion_target'] | Postgresql checkpoint completion target. | 0.5 |
| default['firezone']['postgresql']['checkpoint_segments'] | Number of Postgresql checkpoint segments. | 3 |
| default['firezone']['postgresql']['checkpoint_timeout'] | Postgresql checkpoint timeout. | '5min' |
| default['firezone']['postgresql']['checkpoint_warning'] | Postgresql checkpoint warning time in seconds. | '30s' |
| default['firezone']['postgresql']['effective_cache_size'] | Postgresql effective cache size. | '128MB' |
| default['firezone']['postgresql']['listen_address'] | Postgresql listen address. | '127.0.0.1' |
| default['firezone']['postgresql']['max_connections'] | Postgresql max connections. | 350 |
| default['firezone']['postgresql']['md5_auth_cidr_addresses'] | Postgresql CIDRs from which md5 auth is allowed. | ['127.0.0.1/32', '::1/128'] |
| default['firezone']['postgresql']['port'] | Postgresql listen port. | 15432 |
| default['firezone']['postgresql']['shared_buffers'] | Postgresql shared buffers size. | "#{(node['memory']['total'].to_i / 4) / 1024}MB" |
| default['firezone']['postgresql']['shmmax'] | Postgresql shmmax in bytes. | 17179869184 |
| default['firezone']['postgresql']['shmall'] | Postgresql shmall in bytes. | 4194304 |
| default['firezone']['postgresql']['work_mem'] | Postgresql working memory size. | '8MB' |
| default['firezone']['database']['user'] | Specifies the username Firezone uses to connect to the DB. | node['firezone']['postgresql']['username'] |
| default['firezone']['database']['password'] | When using an external DB, specifies the password Firezone uses to connect to the DB. | 'change_me' |
| default['firezone']['database']['name'] | Database that Firezone uses. Created if it does not exist. | 'firezone' |
| default['firezone']['database']['host'] | Database host that Firezone connects to. | node['firezone']['postgresql']['listen_address'] |
| default['firezone']['database']['port'] | Database port that Firezone connects to. | node['firezone']['postgresql']['port'] |
| default['firezone']['database']['pool'] | Database pool size that Firezone uses. | [10, Etc.nprocessors].max |
| default['firezone']['database']['ssl'] | Whether to connect to the database over SSL. | false |
| default['firezone']['database']['ssl_opts'] | | {} |
| default['firezone']['database']['parameters'] | | {} |
| default['firezone']['database']['extensions'] | Database extensions to enable. | {'plpgsql' => true, 'pg_trgm' => true} |
| default['firezone']['phoenix']['enabled'] | Enable or disable the Firezone web application. | true |
| default['firezone']['phoenix']['listen_address'] | Firezone web application listen address. This is the upstream listen address that nginx proxies to. | '127.0.0.1' |
| default['firezone']['phoenix']['port'] | Firezone web application listen port. This is the upstream port that nginx proxies to. | 13000 |
| default['firezone']['phoenix']['log_directory'] | Firezone web application log directory. | "#{node['firezone']['log_directory']}/phoenix" |
| default['firezone']['phoenix']['log_rotation']['file_maxbytes'] | Firezone web application log file size. | 104857600 |
| default['firezone']['phoenix']['log_rotation']['num_to_keep'] | Number of Firezone web application log files to keep. | 10 |
| default['firezone']['phoenix']['crash_detection']['enabled'] | Enable or disable bringing the Firezone web application down when a crash is detected. | true |
| default['firezone']['phoenix']['external_trusted_proxies'] | List of trusted reverse proxies, formatted as an Array of IPs and/or CIDRs. | [] |
| default['firezone']['phoenix']['private_clients'] | List of private-network HTTP clients, formatted as an Array of IPs and/or CIDRs. | [] |
| default['firezone']['wireguard']['enabled'] | Enable or disable WireGuard management. | true |
| default['firezone']['wireguard']['log_directory'] | Log directory for WireGuard management. | "#{node['firezone']['log_directory']}/wireguard" |
| default['firezone']['wireguard']['log_rotation']['file_maxbytes'] | Maximum size of a WireGuard log file. | 104857600 |
| default['firezone']['wireguard']['log_rotation']['num_to_keep'] | Number of WireGuard log files to keep. | 10 |
| default['firezone']['wireguard']['interface_name'] | Name of the WireGuard interface. Changing this parameter may cause a temporary loss of VPN connectivity. | 'wg-firezone' |
| default['firezone']['wireguard']['port'] | WireGuard listen port. | 51820 |
| default['firezone']['wireguard']['mtu'] | WireGuard interface MTU for this server and for device configurations. | 1280 |
| default['firezone']['wireguard']['endpoint'] | WireGuard Endpoint to use when generating device configurations. If nil, defaults to the server's public IP address. | nil |
| default['firezone']['wireguard']['dns'] | WireGuard DNS to use for generated device configurations. | '1.1.1.1, 1.0.0.1' |
| default['firezone']['wireguard']['allowed_ips'] | WireGuard AllowedIPs to use for generated device configurations. | '0.0.0.0/0, ::/0' |
| default['firezone']['wireguard']['persistent_keepalive'] | Default PersistentKeepalive setting for generated device configurations. A value of 0 disables it. | 0 |
| default['firezone']['wireguard']['ipv4']['enabled'] | Enable or disable IPv4 on the WireGuard network. | true |
| default['firezone']['wireguard']['ipv4']['masquerade'] | Enable or disable masquerading of packets leaving the IPv4 tunnel. | true |
| default['firezone']['wireguard']['ipv4']['network'] | WireGuard network IPv4 address pool. | '10.3.2.0/24' |
| default['firezone']['wireguard']['ipv4']['address'] | WireGuard interface IPv4 address. Must be within the WireGuard address pool. | '10.3.2.1' |
| default['firezone']['wireguard']['ipv6']['enabled'] | Enable or disable IPv6 on the WireGuard network. | true |
| default['firezone']['wireguard']['ipv6']['masquerade'] | Enable or disable masquerading of packets leaving the IPv6 tunnel. | true |
| default['firezone']['wireguard']['ipv6']['network'] | WireGuard network IPv6 address pool. | 'fd00::3:2:0/120' |
| default['firezone']['wireguard']['ipv6']['address'] | WireGuard interface IPv6 address. Must be within the IPv6 address pool. | 'fd00::3:2:1' |
| default['firezone']['runit']['svlogd_bin'] | Location of the runit svlogd binary. | "#{node['firezone']['install_directory']}/embedded/bin/svlogd" |
| default['firezone']['ssl']['directory'] | SSL directory for storing generated certificates. | '/var/opt/firezone/ssl' |
| default['firezone']['ssl']['email_address'] | Email address to use for self-signed certificates and ACME protocol renewal notices. | |
| default['firezone']['ssl']['acme']['enabled'] | Enable ACME for automatic SSL certificate provisioning. Disable this to prevent nginx from listening on port 80. See here for further instructions. | false |
| default['firezone']['ssl']['acme']['server'] | ACME server. | |
| default['firezone']['ssl']['acme']['keylength'] | Specify the key type and length for SSL certificates. See here. | ec-256 |
| default['firezone']['ssl']['certificate'] | Path to the certificate file for your FQDN. Overrides the ACME setting above if specified. If both ACME and this are nil, a self-signed certificate is generated. | nil |
| default['firezone']['ssl']['certificate_key'] | Path to the certificate key file. | nil |
| default['firezone']['ssl']['ssl_dhparam'] | nginx ssl dh_param. | nil |
| default['firezone']['ssl']['country_name'] | Country name for the self-signed certificate. | 'US' |
| default['firezone']['ssl']['state_name'] | State name for the self-signed certificate. | 'CA' |
| default['firezone']['ssl']['locality_name'] | Locality name for the self-signed certificate. | 'San Francisco' |
| default['firezone']['ssl']['company_name'] | Company name for the self-signed certificate. | 'My Company' |
| default['firezone']['ssl']['organizational_unit_name'] | Organizational unit name for the self-signed certificate. | 'Operations' |
| default['firezone']['ssl']['ciphers'] | SSL ciphers for nginx to use. | 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA' |
| default['firezone']['ssl']['fips_ciphers'] | SSL ciphers for FIPS mode. | 'FIPS@STRENGTH:!aNULL:!eNULL' |
| default['firezone']['ssl']['protocols'] | TLS protocols to use. | 'TLSv1 TLSv1.1 TLSv1.2' |
| default['firezone']['ssl']['session_cache'] | SSL session cache. | 'shared:SSL:4m' |
| default['firezone']['ssl']['session_timeout'] | SSL session timeout. | '5m' |
| default['firezone']['robots_allow'] | nginx robots allow. | '/' |
| default['firezone']['robots_disallow'] | nginx robots disallow. | nil |
| default['firezone']['outbound_email']['from'] | Outbound email from address. | nil |
| default['firezone']['outbound_email']['provider'] | Outbound email provider. | nil |
| default['firezone']['outbound_email']['configs'] | Outbound email provider configurations. | see omnibus/cookbooks/firezone/attributes/default.rb |
| default['firezone']['telemetry']['enabled'] | Enable or disable anonymized product telemetry. | true |
| default['firezone']['connectivity_checks']['enabled'] | Enable or disable the Firezone connectivity check service. | true |
| default['firezone']['connectivity_checks']['interval'] | Interval between connectivity checks, in seconds. | 3_600 |
________________________________________________________________
Here you will find a list of the files and directories related to a Firezone installation. These may change depending on changes to your configuration file.
| Path | Description |
|---|---|
| /var/opt/firezone | Top-level directory containing the data and generated configuration of the services bundled with Firezone. |
| /opt/firezone | Top-level directory containing the built libraries, binaries and runtime files required by Firezone. |
| /usr/bin/firezone-ctl | The firezone-ctl utility for managing your Firezone installation. |
| /etc/systemd/system/firezone-runsvdir-start.service | systemd unit file for starting the Firezone runsvdir supervisor process. |
| /etc/firezone | Firezone configuration files. |
_____________________________________________________________
The following nftables firewall template can be used to secure the server that runs Firezone. The template makes a few assumptions; you may need to adjust the rules to suit your use case:
Firezone configures its own nftables rules to permit or deny traffic to the destinations configured in the web interface, and to handle outbound NAT for client traffic.
Applying the template below on a server that is already running (rather than at boot time) clears the Firezone rules, because the template starts with flush ruleset. This can have security implications: until the rules are recreated, the per-destination allow/deny rules and the outbound NAT rules are gone.
To recreate them, restart the phoenix service:
firezone-ctl restart phoenix
#!/usr/sbin/nft -f
## Chotsani / sinthani malamulo onse omwe alipo
flush malamulo
################################################################## ################
## Dzina la mawonekedwe a intaneti/WAN
fotokozani DEV_WAN = eth0
## Dzina la mawonekedwe a WireGuard
fotokozani DEV_WIREGUARD = wg-firezone
## WireGuard mverani doko
fotokozani WIREGUARD_PORT = 51820
################################################################################################# #############
# Gome lalikulu losefera mabanja a inet
tebulo inet fyuluta {
# Malamulo amayendedwe otumizidwa
# Unyolo uwu umakonzedwa pamaso pa unyolo wakutsogolo wa Firezone
unyolo patsogolo {
lembani fyuluta mbedza patsogolo fyuluta - 5; ndondomeko kuvomereza
}
# Malamulo amayendedwe olowera
chain input {
mtundu fyuluta mbeza zolowetsa patsogolo fyuluta; kugwa kwa sera
## Lolani magalimoto olowera kuti awonekere
ngati ndikuwona \
kuvomereza \
ndemanga "Lolani kuti magalimoto onse alowe kuchokera ku mawonekedwe a loopback"
## Chilolezo chokhazikitsidwa ndi kulumikizana kogwirizana
ct state idakhazikitsidwa, zokhudzana \
kuvomereza \
ndemanga "Chilolezo chokhazikitsidwa / chogwirizana"
## Lolani magalimoto olowera a WireGuard
ife $DEV_WAN udp pa $WIREGUARD_PORT \
counter \
kuvomereza \
ndemanga "Lolani magalimoto olowera a WireGuard"
## Lowani ndikuponya mapaketi atsopano a TCP omwe si a SYN
tcp mbendera != syn ct state new \
malire mlingo 100/miniti kuphulika 150 paketi \
log prefix “MU – Chatsopano !SYN: “ \
ndemanga "Sinthani malire odula mitengo yamalumikizidwe atsopano omwe alibe mbendera ya SYN TCP"
tcp mbendera != syn ct state new \
counter \
dontho \
ndemanga "Sintha maulalo atsopano omwe alibe mbendera ya SYN TCP"
## Lowani ndikugwetsa mapaketi a TCP okhala ndi mbendera zosavomerezeka za fin/syn
tcp mbendera & (fin|syn) == (fin|syn) \
malire mlingo 100/miniti kuphulika 150 paketi \
log prefix “MU – TCP FIN|SIN: “ \
ndemanga "Malireni malire odula mitengo yamapaketi a TCP okhala ndi mbendera yolakwika ya fin/syn"
tcp mbendera & (fin|syn) == (fin|syn) \
counter \
dontho \
ndemanga "Gwirani mapaketi a TCP okhala ndi mbendera yolakwika ya fin/syn"
## Lowani ndi kusiya mapaketi a TCP okhala ndi mbendera zosavomerezeka / zoyambira
tcp mbendera & (syn|rst) == (syn|rst) \
malire mlingo 100/miniti kuphulika 150 paketi \
log prefix “MU – TCP SYN|RST: “ \
ndemanga "Malireni mitengo yodula pamapaketi a TCP okhala ndi mbendera zosagwirizana / zoyambira"
tcp mbendera & (syn|rst) == (syn|rst) \
counter \
dontho \
ndemanga "Gwirani mapaketi a TCP okhala ndi mbendera zosagwirizana / zoyambira"
## Lowani ndikuponya mbendera za TCP zosavomerezeka
tcp mbendera & (fin|syn|rst|psh|ack|urg) < (fin) \
malire mlingo 100/miniti kuphulika 150 paketi \
log prefix "MU - FIN:" \
ndemanga "Malireni odula mitengo ya mbendera za TCP zosalondola (fin|syn|rst|psh|ack|urg) < (fin)"
tcp mbendera & (fin|syn|rst|psh|ack|urg) < (fin) \
counter \
dontho \
ndemanga "Gwirani mapaketi a TCP okhala ndi mbendera (fin|syn|syn|rst|psh|ack|urg) < (fin)"
## Lowani ndikuponya mbendera za TCP zosavomerezeka
tcp mbendera & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
malire mlingo 100/miniti kuphulika 150 paketi \
log prefix "MU - FIN| PSH|URG:" \
ndemanga "Chitani malire odula mitengo ya mbendera za TCP zosalondola (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
tcp mbendera & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
counter \
dontho \
ndemanga "Siyani mapaketi a TCP okhala ndi mbendera (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
## Kuchepetsa kuchuluka kwa magalimoto okhala ndi malo osalumikizana
ct state ndi yolakwika \
malire mlingo 100/miniti kuphulika 150 paketi \
log mbendera zonse zoyambirira "IN - Zosavomerezeka: " \
ndemanga "Malizani mitengo yodula pamagalimoto omwe ali ndi vuto losalumikizana"
ct state ndi yolakwika \
counter \
dontho \
ndemanga "Kuchepetsa kuchuluka kwa magalimoto omwe ali ndi vuto lolumikizana"
## Lolani mayankho a IPv4 ping/ping koma malire mpaka 2000 PPS
ip protocol icmp icmp mtundu {echo-reply, echo-request} \
malire mlingo 2000/sekondi \
counter \
kuvomereza \
ndemanga "Lolani IPv4 echo (ping) yolowera ku 2000 PPS"
## Lolani zina zonse za IPv4 ICMP
ip protocol icmp \
counter \
kuvomereza \
ndemanga "Lolani IPv4 ICMP ina yonse"
## Lolani mayankho a IPv6 ping/ping koma malire mpaka 2000 PPS
icmpv6 mtundu {echo-reply, echo-request } \
malire mlingo 2000/sekondi \
counter \
kuvomereza \
ndemanga "Lolani IPv6 echo (ping) yolowera ku 2000 PPS"
## Lolani zina zonse za IPv6 ICMP
meta l4proto {icmpv6} \
counter \
kuvomereza \
ndemanga "Lolani IPv6 ICMP ina yonse"
## Lolani madoko olowera a traceroute UDP koma khalani ndi 500 PPS
udp pa 33434-33524 \
malire mlingo 500/sekondi \
counter \
kuvomereza \
ndemanga "Lolani traceroute ya UDP yolowera mpaka 500 PPS"
## Lolani kulowa kwa SSH
tcp pa ssh ct state new \
counter \
kuvomereza \
ndemanga "Lolani kulumikizana kwa SSH"
## Lolani HTTP yolowera ndi HTTPS
tcp dport {http, https } ct state new \
counter \
kuvomereza \
ndemanga "Lolani kulumikizana kwa HTTP ndi HTTPS"
## Lowetsani kuchuluka kwa magalimoto osayerekezeka koma malire odula mitengo mpaka mameseji 60 / mphindi
## Ndondomeko yokhazikika idzagwiritsidwa ntchito pamagalimoto osagwirizana
malire mlingo 60/miniti kuphulika 100 paketi \
log prefix "IN - Drop: " \
ndemanga "Lowani magalimoto aliwonse osafananiza"
## Werengani kuchuluka kwa magalimoto osayerekezeka
counter \
ndemanga “Werengetsani kuchuluka kwa magalimoto onse”
}
  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Allow outbound traffic to loopback
    oif lo \
      accept \
      comment "Allow all traffic out to the local loopback interface"

    ## Permit established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Permit established/related connections"

    ## Allow outbound WireGuard traffic before dropping connections with bad state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit outbound WireGuard traffic"

    ## Rate limit logging of traffic with bad connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid: " \
      comment "Rate limit logging for traffic with bad connection state"

    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with bad connection state"

    ## Allow all other outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all IPv4 ICMP types"

    ## Allow all other outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all IPv6 ICMP types"

    ## Allow outbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow outbound UDP traceroute limited to 500 PPS"

    ## Allow outbound HTTP and HTTPS connections
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow outbound HTTP and HTTPS connections"

    ## Allow outbound SMTP submission
    tcp dport submission ct state new \
      counter \
      accept \
      comment "Allow outbound SMTP submission"

    ## Allow outbound DNS requests
    udp dport 53 \
      counter \
      accept \
      comment "Allow outbound UDP DNS requests"

    tcp dport 53 \
      counter \
      accept \
      comment "Allow outbound TCP DNS requests"

    ## Allow outbound NTP requests
    udp dport 123 \
      counter \
      accept \
      comment "Allow outbound NTP requests"

    ## Log unmatched traffic but limit logging to 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "OUT - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }
}
# Main NAT filtering table
table inet nat {

  # Rules for NAT traffic pre-routing
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept
  }

  # Rules for NAT traffic post-routing
  # This chain is processed before the Firezone post-routing chain
  chain postrouting {
    type nat hook postrouting priority srcnat - 5; policy accept
  }
}
The firewall ruleset should be stored in the location used by the Linux distribution on the server. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL it is /etc/sysconfig/nftables.conf.
nftables.service needs to be configured to start on boot (if it is not already):
systemctl enable nftables.service
If you make any changes to the firewall template, the syntax can be validated by running the check command:
nft -f /path/to/nftables.conf -c
Be sure to verify that the firewall behaves as expected, because certain nftables features may not be available depending on the release running on the server.
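nft -c only validates syntax; it does not tell you whether a drop-policy chain actually admits the WireGuard listen port. The following lint is an added example, not part of the Firezone docs: it folds the backslash-continued rules of a template in the style above, reads each chain's policy, and reports drop-policy chains that have no accept rule mentioning $WIREGUARD_PORT (or its defined value). The shortened ruleset it runs on is constructed for the example.

```python
import re

# Constructed, shortened ruleset in the shape of the template above: the
# input chain has no accept for the WireGuard port, the output chain does.
SAMPLE_RULESET = """
define WIREGUARD_PORT = 51820
table inet filter {
  chain input {
    type filter hook input priority filter; policy drop
    tcp dport { http, https } ct state new \\
      counter \\
      accept \\
      comment "Allow inbound HTTP and HTTPS connections"
  }
  chain output {
    type filter hook output priority filter; policy drop
    oif $DEV_WAN udp sport $WIREGUARD_PORT \\
      counter \\
      accept \\
      comment "Permit outbound WireGuard traffic"
  }
}
"""

def parse_chains(ruleset):
    # Returns {chain: (policy, [rules])}; backslash-continued lines are joined.
    text = re.sub(r"\\\n\s*", " ", ruleset)
    chains, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"chain\s+(\w+)\s*\{", line)
        if m:
            current = m.group(1)
            chains[current] = ["accept", []]  # nft's default policy is accept
        elif line == "}":
            current = None                    # closes a chain or the table
        elif current and line.startswith("type ") and (pm := re.search(r"policy\s+(\w+)", line)):
            chains[current][0] = pm.group(1)
        elif current and line:
            chains[current][1].append(line)
    return {k: tuple(v) for k, v in chains.items()}

def wireguard_gaps(ruleset):
    # Drop-policy chains with no accept rule that mentions the WireGuard port.
    m = re.search(r"define\s+WIREGUARD_PORT\s*=\s*(\S+)", ruleset)
    needles = ["$WIREGUARD_PORT"] + ([m.group(1)] if m else [])
    gaps = []
    for name, (policy, rules) in parse_chains(ruleset).items():
        verdicts = [r.split(" comment ")[0].strip() for r in rules]  # drop comment text
        if policy == "drop" and not any(
                r.endswith("accept") and any(n in r for n in needles) for r in verdicts):
            gaps.append(name)
    return gaps
```

Run it against your own file with `wireguard_gaps(open("/etc/nftables.conf").read())`; an empty list means every drop-policy chain has an explicit WireGuard accept.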
_______________________________________________________________
This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.
Firezone relies on telemetry to prioritize our roadmap and make the best use of the engineering resources we have, so that Firezone becomes better for everyone.
The telemetry we collect aims to answer the following questions:
There are three places where telemetry is collected in Firezone:
In each of these three contexts we capture the minimum amount of data necessary to answer the questions above.
Admin emails are collected only if you opt in to product updates. Otherwise, personally identifiable information is never collected.
Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster, accessible only to the Firezone team. Here is an example of a telemetry event that is sent from your Firezone instance to our telemetry server:
{
  "id": "0182272d-0b88-0000-d419-7b9a413713f1",
  "timestamp": "2022-07-22T18:30:39.748000+00:00",
  "event": "fz_http_started",
  "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
  "properties": {
    "$geoip_city_name": "Ashburn",
    "$geoip_continent_code": "NA",
    "$geoip_continent_name": "North America",
    "$geoip_country_code": "US",
    "$geoip_country_name": "United States",
    "$geoip_latitude": 39.0469,
    "$geoip_longitude": -77.4903,
    "$geoip_postal_code": "20149",
    "$geoip_subdivision_1_code": "VA",
    "$geoip_subdivision_1_name": "Virginia",
    "$geoip_time_zone": "America/New_York",
    "$ip": "52.200.241.107",
    "$plugins_deferred": [],
    "$plugins_failed": [],
    "$plugins_succeeded": [
      "GeoIP (3)"
    ],
    "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "fqdn": "awsdemo.firezone.dev",
    "kernel_version": "linux 5.13.0",
    "version": "0.4.6"
  },
  "elements_chain": ""
}
NOTE
The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the most valuable contribution you can make to Firezone's development. That said, we understand that some users have stricter privacy or security requirements and would prefer to disable telemetry altogether. If that is you, continue reading.
Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to apply the change.
default['firezone']['telemetry']['enabled'] = false
This disables all product telemetry.
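A quick way to audit the setting above is to read firezone.rb and decide what firezone-ctl reconfigure will see, remembering that the key is enabled when absent, that a commented-out line does nothing, and that a later assignment overrides an earlier one. The check below is an added example, not Firezone's own tooling; it approximates Ruby with a line regex (so it does not evaluate Ruby expressions), and the firezone.rb fragments it runs on are constructed.

```python
import re

# Constructed firezone.rb fragments (not real files) covering the cases that matter:
# key absent, key commented out, explicitly true, disabled, and overridden later.
SAMPLES = {
    "absent": "default['firezone']['external_url'] = 'https://vpn.example.com'\n",
    "commented": "# default['firezone']['telemetry']['enabled'] = false\n",
    "explicit_true": "default['firezone']['telemetry']['enabled'] = true\n",
    "disabled": "default['firezone']['telemetry']['enabled'] = false\n",
    "last_wins": ("default['firezone']['telemetry']['enabled'] = false\n"
                  "default['firezone']['telemetry']['enabled'] = true\n"),
}

# Matches an assignment to default['firezone']['telemetry']['enabled'] with either quote style.
KEY = re.compile(
    r"""^\s*default\[['"]firezone['"]\]\[['"]telemetry['"]\]\[['"]enabled['"]\]\s*=\s*(true|false)\s*$""")

def telemetry_enabled(firezone_rb):
    # True unless an uncommented assignment sets the key to false; the last assignment wins.
    enabled = True                              # Firezone's documented default
    for line in firezone_rb.splitlines():
        code = line.split("#", 1)[0]            # strip a trailing or whole-line Ruby comment
        m = KEY.match(code)
        if m:
            enabled = m.group(1) == "true"
    return enabled

def report(path):
    # Reads the real file and returns its effective telemetry state.
    with open(path, encoding="utf-8") as fh:
        return telemetry_enabled(fh.read())
```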