Hailbytes VPN and Firezone Firewall Documentation

Table of Contents

Getting Started

Step-by-step instructions for deploying Hailbytes VPN with the Firezone GUI are provided here.

Administer: Setting up and running the server instance is covered in this section.

User Guides: Helpful documents that show you how to use Firezone and resolve common issues. Consult this section once the server has been deployed successfully.

Common Configuration Guides

Split Tunneling: Use the VPN to send traffic only to specific IP ranges.

Whitelisting: Give the VPN server a static IP address so that it can be added to allowlists.

Reverse Tunnels: Create tunnels between several peers using reverse tunnels.

Get Support

We are happy to help if you need assistance installing, customizing, or using Hailbytes VPN.

Authentication

Firezone can be configured to require authentication before users generate or download device configuration files. Users may also be required to re-authenticate periodically to keep their VPN connection active.

Although Firezone's default sign-in method is local email and password, it can also be integrated with any standard OpenID Connect (OIDC) identity provider. Users can then sign in to Firezone with their Okta, Google, Azure AD, or private identity provider credentials.


Integrate a Generic OIDC Provider

The configuration settings Firezone needs to allow SSO through an OIDC provider are shown in the example below. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and apply the changes.

# This is an example using Google and Okta as SSO identity providers.
# Multiple OIDC configs can be added to the same Firezone instance.
# Replace the <...> placeholders with the values issued by your provider.

# Firezone can disable a user's VPN if there is any error detected trying to
# refresh_access_token. This is verified to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user's VPN if they are
# removed from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens, as it could unexpectedly interrupt a
# user's VPN session.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false

default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<GOOGLE_CLIENT_ID>",
    client_secret: "<GOOGLE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<OKTA_CLIENT_ID>",
    client_secret: "<OKTA_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}



The following configuration settings are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Tells the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/).
  5. response_type: Set to code.
  6. scope: The OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile or openid email profile offline_access, depending on the provider.
  7. label: The button label text shown on your Firezone sign-in screen.
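The seven settings above are easy to get subtly wrong (a placeholder left in, a missing trailing slash on redirect_uri, offline_access omitted for Okta or Azure), and a mistake is only discovered after reconfigure and a failed sign-in. The following is an added example, not code from Firezone or this page: it loads a firezone.rb-style fragment into the same default hash shape and checks each provider against the rules listed above before you run firezone-ctl reconfigure. The sample configuration and the OFFLINE_ACCESS_PROVIDERS list are constructed here from this page's guidance; Firezone itself performs no such check.

```ruby
require 'uri'

# Auto-vivifying nested hash so that Chef-style assignments such as
# default['firezone']['authentication']['oidc'] = { ... } work unchanged.
def autoviv
  Hash.new { |h, k| h[k] = autoviv }
end

# Evaluate a firezone.rb fragment into a `default` hash and return it.
# The file is Ruby code and is executed, so only load a file you administer.
def load_firezone_rb(source)
  default = autoviv
  eval(source, binding)
  default
end

REQUIRED_KEYS = %i[discovery_document_uri client_id client_secret
                   redirect_uri response_type scope label].freeze
# Providers for which the guide above requires offline_access in the scope.
OFFLINE_ACCESS_PROVIDERS = %w[okta azure].freeze

# Check one provider entry; returns a list of problems (empty means it passes).
def validate_provider(name, cfg, external_url)
  problems = []
  REQUIRED_KEYS.each do |key|
    problems << "#{key}: missing or blank" if cfg[key].to_s.strip.empty?
  end
  problems << 'response_type: must be "code"' unless cfg[:response_type] == 'code'

  scopes = cfg[:scope].to_s.split
  %w[openid email].each do |s|
    problems << "scope: must include #{s}" unless scopes.include?(s)
  end
  if OFFLINE_ACCESS_PROVIDERS.include?(name.to_s) && !scopes.include?('offline_access')
    problems << 'scope: must include offline_access for this provider'
  end

  # The callback is EXTERNAL_URL + /auth/oidc/<provider>/callback/; the
  # trailing slash is part of the value and a common source of mismatches.
  expected = "#{external_url.chomp('/')}/auth/oidc/#{name}/callback/"
  problems << "redirect_uri: expected #{expected}" unless cfg[:redirect_uri] == expected

  doc = cfg[:discovery_document_uri].to_s
  uri = begin
    URI.parse(doc)
  rescue URI::InvalidURIError
    nil # unparseable, e.g. a <PLACEHOLDER> that was never filled in
  end
  problems << 'discovery_document_uri: not a valid https URL' unless uri.is_a?(URI::HTTPS)
  unless doc.end_with?('/.well-known/openid-configuration')
    problems << 'discovery_document_uri: should end with /.well-known/openid-configuration'
  end
  problems
end

# Validate every provider under the oidc key. Returns { provider => [problems] }.
def validate_oidc(default)
  external_url = default['firezone']['external_url']
  return { '_global' => ['external_url is not set'] } if external_url.is_a?(Hash)
  oidc = default['firezone']['authentication']['oidc']
  return { '_global' => ['no OIDC providers configured'] } if oidc.empty?
  oidc.each_with_object({}) do |(name, cfg), out|
    out[name.to_s] = validate_provider(name, cfg, external_url)
  end
end

# Constructed sample in the firezone.rb format: Google is complete, Okta still
# carries a placeholder, a blank client_id, no offline_access, and a
# redirect_uri without the trailing slash.
SAMPLE_FIREZONE_RB = <<~'RUBY'
  default['firezone']['external_url'] = "https://instance-id.yourfirezone.com"
  default['firezone']['authentication']['oidc'] = {
    google: {
      discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
      client_id: "constructed-google-client-id",
      client_secret: "constructed-google-client-secret",
      redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
      response_type: "code",
      scope: "openid email profile",
      label: "Google"
    },
    okta: {
      discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
      client_id: " ",
      client_secret: "constructed-okta-client-secret",
      redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback",
      response_type: "code",
      scope: "openid email profile",
      label: "Okta"
    }
  }
RUBY
```

On a real host, call validate_oidc(load_firezone_rb(File.read('/etc/firezone/firezone.rb'))) and fix every reported problem before running firezone-ctl reconfigure.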

Pretty URLs

For each OIDC provider, a corresponding pretty URL is created that redirects to the configured provider's sign-in URL. For the example OIDC config above, the URLs are:

  • https://instance-id.yourfirezone.com/auth/oidc/google
  • https://instance-id.yourfirezone.com/auth/oidc/okta

Instructions for Setting Up Firezone with Popular Identity Providers

Providers we have documentation for:

  • Google
  • Okta
  • Azure Active Directory
  • Onelogin
  • Local Authentication

If your identity provider has a generic OIDC connector and is not listed above, please consult its documentation to find out how to obtain the required configuration settings.

Maintain Regular Re-Authentication

The setting under settings/security can be changed to require periodic re-authentication. This can be used to enforce that users sign in to Firezone regularly in order to continue their VPN session.

The session length can be set to anything between one hour and ninety days. Setting it to Never allows VPN sessions to last indefinitely. This is the default.

Re-Authentication

To re-authenticate an expired VPN session, a user must turn off their VPN session and sign in to the Firezone portal (the URL specified during deployment).

You can re-authenticate your session by following the precise client instructions found here.

VPN Connection Status

The VPN Connection column of the table on the Users page shows a user's connection status. The connection statuses are:

ENABLED - The connection is enabled.

DISABLED - The connection is disabled by an administrator or by an OIDC refresh failure.

EXPIRED - The connection is disabled because authentication expired or the user has not signed in for the first time.

Google

Through the generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide shows you how to obtain the configuration parameters listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Tells the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/).
  5. response_type: Set to code.
  6. scope: The OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile so that Firezone receives the user's email in the returned claims.
  7. label: The button label text shown on your Firezone sign-in screen.

Obtain Config Settings

1. OAuth Config Screen

If this is the first time you are creating a new OAuth client ID, you will be asked to configure the consent screen.

* Select Internal for the user type. This ensures that only accounts belonging to users in your Google Workspace organisation can create device configs. DO NOT select External unless you want to allow anyone with a valid Google account to create device configs.

On the App information screen:

  1. App name: Firezone
  2. App logo: Firezone logo (save link as).
  3. Application home page: the URL of your Firezone instance.
  4. Authorized domains: the top-level domain of your Firezone instance.

2. Create OAuth Client IDs

This section is based on Google's own documentation on setting up OAuth 2.0.

Go to the Google Cloud Console Credentials page, click + Create Credentials and select OAuth client ID.

On the OAuth client ID creation screen:

  1. Set Application Type to Web application
  2. Add your Firezone EXTERNAL_URL + /auth/oidc/google/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/) as an entry under Authorized redirect URIs.

After creating the OAuth client ID, you will be given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below:

# Using Google as the SSO identity provider
# Replace the <...> placeholders with the values from the OAuth client ID created above.
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<GOOGLE_CLIENT_ID>",
    client_secret: "<GOOGLE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.

Okta

Firezone uses the generic OIDC connector to facilitate Single Sign-On (SSO) with Okta. This tutorial shows you how to obtain the configuration settings listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Tells the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/okta/callback/).
  5. response_type: Set to code.
  6. scope: The OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile offline_access so that Firezone receives the user's email in the returned claims.
  7. label: The button label text shown on your Firezone sign-in screen.

Integrate Okta App

This section of the guide is based on Okta's documentation.

In the Admin Console, go to Applications > Applications and click Create App Integration. Set the Sign-in method to OIDC - OpenID Connect and the Application type to Web application.

Configure these settings:

  1. App Name: Firezone
  2. App logo: Firezone logo (save link as).
  3. Grant Type: Check the Refresh Token box. This ensures Firezone stays in sync with the identity provider and that VPN access is terminated once the user is removed.
  4. Sign-in redirect URIs: Add your Firezone EXTERNAL_URL + /auth/oidc/okta/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/okta/callback/) as an entry under Authorized redirect URIs.
  5. Assignments: Limit to the groups you wish to grant access to your Firezone instance.

Once the settings are saved, you will be given a Client ID, Client Secret, and Okta Domain. These three values will be used in Step 3 to configure Firezone.

Integrate Firezone

Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_uri will be /.well-known/openid-configuration appended to the end of your Okta domain.

# Using Okta as the SSO identity provider
# Replace the <...> placeholders with the values issued by Okta.
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<OKTA_CLIENT_ID>",
    client_secret: "<OKTA_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.

Restricting Access to Certain Users

The users who can access the Firezone app can be restricted in Okta. Go to the Assignments page of the Firezone App Integration in your Okta Admin Console to do this.

Azure Active Directory

Through the generic OIDC connector, Firezone supports Single Sign-On (SSO) with Azure Active Directory. This guide shows you how to obtain the configuration settings listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Tells the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/azure/callback/).
  5. response_type: Set to code.
  6. scope: The OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile offline_access so that Firezone receives the user's email in the returned claims.
  7. label: The button label text shown on your Firezone sign-in screen.

Obtain Config Settings

This guide is based on the Azure Active Directory documentation.

Go to the Azure Active Directory page of the Azure portal. Select the Manage menu option, select New Registration, then register by providing the information below:

  1. Name: Firezone
  2. Supported account types: (Default Directory only - Single tenant)
  3. Redirect URI: This should be your Firezone EXTERNAL_URL + /auth/oidc/azure/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/azure/callback/). Make sure to include the trailing slash. This will be the redirect_uri value.

After registering, open the application's details view and copy the Application (client) ID. This will be the client_id value. Next, open the Endpoints menu to retrieve the OpenID Connect metadata document URL. This will be the discovery_document_uri value.

Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.

Finally, select the API permissions link under the Manage menu, click Add a permission, and select Microsoft Graph, adding email, openid, offline_access and profile to the required permissions.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below:

# Using Azure Active Directory as the SSO identity provider
# Replace the <...> placeholders with the values from your app registration.
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration",
    client_id: "<AZURE_CLIENT_ID>",
    client_secret: "<AZURE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.

How To: Restrict Access to Certain Members

Azure AD enables administrators to restrict app access to a specific group of users within your company. More information on how to do this can be found in Microsoft's documentation.

Administer

  • Configure
  • Manage Installation
  • Upgrade
  • Troubleshoot
  • Security Considerations
  • Running SQL Queries

Configure

Firezone uses Chef Omnibus to manage tasks including release packaging, process supervision, log management, and more.

The main configuration file is Ruby code and is located at /etc/firezone/firezone.rb. Running sudo firezone-ctl reconfigure after changing this file makes Chef pick up the changes and apply them to the running system.

See the configuration file reference for a complete list of configuration variables and their descriptions.

Manage Installation

Your Firezone instance can be managed with the firezone-ctl command, as shown below. Most subcommands need to be prefixed with sudo.

root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with the email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, the WireGuard interface, and the routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes the WireGuard interface and the firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes the cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display the current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.

Upgrade

All VPN sessions need to be terminated before Firezone is upgraded, and the upgrade also requires shutting down the Web UI. In case something goes wrong during the upgrade, we advise planning a maintenance window of an hour.

To upgrade Firezone, take the following steps:

  1. Upgrade the firezone package using the one-line install command: sudo -E bash -c "$(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)"
  2. Run firezone-ctl reconfigure to pick up the new changes.
  3. Run firezone-ctl restart to restart the services.

If any issues arise, please let us know by filing a support ticket.

Upgrade From < 0.5.0

There are several breaking changes and configuration changes in 0.5.0 that need to be addressed. Find out more below.

Bundled Nginx non_ssl_port (HTTP) requests removed

As of version 0.5.0, Nginx no longer supports the force SSL and non-SSL port parameters. Because Firezone requires SSL to function, we recommend disabling the bundled Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy at the Phoenix app on port 13000 instead (the default).

ACME Protocol Support

0.5.0 introduces support for the ACME protocol to automatically renew SSL certificates with the bundled Nginx service. To enable it,

  • Make sure default['firezone']['external_url'] contains a valid FQDN that resolves to your server's public IP address.
  • Ensure port 80/tcp is reachable.
  • Enable ACME protocol support with default['firezone']['ssl']['acme']['enabled'] = true in your configuration file.

Overlapping egress rule destinations removed

The ability to add rules with overlapping destinations is gone in Firezone 0.5.0. Our migration script recognizes these situations during the upgrade to 0.5.0 and keeps only the rule whose destination encompasses the other rule. There is nothing you need to do if this is acceptable.

Otherwise, we advise you to change your ruleset to remove such overlaps before upgrading.

Preconfigured Okta and Google SSO

Firezone 0.5.0 removes support for the old-style Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.

If you have any configuration under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you need to migrate it to the OIDC-based configuration using the guide below.

Existing Google OAuth configuration

Remove these lines containing the old Google OAuth configuration from your configuration file at /etc/firezone/firezone.rb:

default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']

Then configure Google as an OIDC provider by following the procedure here.


 

Existing Okta OAuth configuration

Remove these lines containing the old Okta OAuth configuration from your configuration file at /etc/firezone/firezone.rb:

default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']

Then configure Okta as an OIDC provider by following the procedure here.

Upgrade from 0.3.x to >= 0.3.16

Depending on your setup and version, follow the instructions below:

If you already have an OIDC integration:

For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a refresh token for offline access. This ensures that Firezone stays in sync with the identity provider and that the VPN connection is disabled after a user is removed. Earlier releases of Firezone lacked this feature, so in some cases users who had been deleted from your identity provider could remain connected to the VPN.

For OIDC providers that support the offline access scope, offline_access must be included in the scope parameter of the OIDC configuration. firezone-ctl reconfigure must then be run to apply the changes to the Firezone configuration file, which is located at /etc/firezone/firezone.rb.

For users who have been authenticated by your OIDC provider, you will see an OIDC Connections heading on the user's details page in the web UI if Firezone was able to retrieve the refresh token.

If this does not work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.

I have an existing OAuth integration

Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.

Follow the instructions here to migrate to OIDC.

I have not integrated an identity provider

No action is needed.

You can follow the instructions here to enable SSO through an OIDC provider.

Upgrade from 0.3.1 to >= 0.3.2

default['firezone']['external_url'] has replaced default['firezone']['fqdn'].

Set this to the URL of your Firezone web portal that is reachable by its users. If left undefined, it defaults to https:// plus the FQDN of your server.

The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a complete list of configuration variables and their descriptions.

Upgrade from 0.2.x to 0.3.x

As of version 0.3.0, Firezone no longer retains device private keys on the Firezone server.

The Firezone Web UI will not let you re-download or view these configurations, but any existing devices should continue to function as they are.

Upgrade from 0.1.x to 0.2.x

If you are upgrading from Firezone 0.1.x, there are a few configuration file changes that must be resolved manually.

To make the necessary changes to your /etc/firezone/firezone.rb file, run the commands below as root.

cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart

Troubleshoot

Checking the Firezone logs is a sensible first step for any issue that might occur.

Run sudo firezone-ctl tail to view the Firezone logs.

Debugging Connectivity Issues

Most connectivity problems with Firezone are caused by incompatible iptables or nftables rules. You must make sure that any rules you have in effect do not conflict with the Firezone rules.

Internet Connectivity Drops When the Tunnel Is Active

If your internet connectivity degrades every time you activate your WireGuard tunnel, make sure that the FORWARD chain permits packets from your WireGuard clients to the destinations you want to allow through Firezone.

If you are using ufw, this can be achieved by making sure the default routed policy is allow:

ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)

A ufw status for a typical Firezone server might look like this:

ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

Security Considerations

For highly sensitive and mission-critical production deployments, we advise restricting access to the web interface to trusted and essential services only, as explained below.

Services & Ports

Service      Default Port   Listen Address   Description
Nginx        80, 443        all              Public HTTP(S) port for administering Firezone and facilitating authentication.
WireGuard    51820          all              Public WireGuard port used for VPN sessions (UDP).
Postgresql   15432          127.0.0.1        Local-only port used for the bundled Postgresql server.
Phoenix      13000          127.0.0.1        Local-only port used by the upstream Elixir app server.

Production Deployments

For production and public-facing deployments where a single administrator is in charge of creating and distributing device configurations to end users, we advise limiting access to Firezone's publicly exposed web interface (ports 443/tcp and 80/tcp by default) and instead managing Firezone through the WireGuard tunnel.

For example, if an administrator created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would allow the administrator to reach the Firezone Web UI on the server's wg-firezone interface at the 10.3.2.1 address:

root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

This leaves only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed to establish WireGuard tunnels.
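Comparing a host's actual ufw output against the production posture above is a quick check worth scripting. The following is an added example, not code from Firezone or this page: it parses the text of ufw status verbose, reports which ports accept traffic from Anywhere, flags any beyond 22/tcp and 51820/udp, lists tunnel-side sources such as the 10.3.2.2 peer, and reads the routed default policy that the troubleshooting section requires to be allow. The two status texts are constructed here from the outputs shown above; PRODUCTION_PUBLIC encodes this page's recommendation, not anything ufw or Firezone defines.

```ruby
# Parsed form of one rule line from `ufw status verbose`.
Rule = Struct.new(:to, :action, :direction, :from)

# Matches rule lines such as
#   22/tcp                     ALLOW IN    Anywhere
#   Anywhere                   ALLOW IN    10.3.2.2
#   22/tcp (v6)                ALLOW IN    Anywhere (v6)
# Header, separator and policy lines do not match because their second
# field is not an action keyword.
RULE_RE = /\A(?<to>\S+(?: \(v6\))?)\s+(?<action>ALLOW|DENY|REJECT|LIMIT)\s+(?<dir>IN|OUT|FWD)\s+(?<from>\S+(?: \(v6\))?)\z/

def parse_ufw_status(text)
  text.each_line
      .map { |line| RULE_RE.match(line.strip) }
      .compact
      .map { |m| Rule.new(m[:to], m[:action], m[:dir], m[:from]) }
end

# The "(routed)" default policy; the troubleshooting section above needs "allow".
def routed_policy(text)
  m = text.match(/^Default:.*?(\w+) \(routed\)/)
  m && m[1]
end

# "To" entries (IPv4 and IPv6 merged) that accept inbound traffic from Anywhere.
def publicly_allowed(rules)
  rules.select { |r| r.action == 'ALLOW' && r.direction == 'IN' && r.from.start_with?('Anywhere') }
       .map { |r| r.to.sub(' (v6)', '') }
       .uniq
end

# Sources other than Anywhere that may reach every port, i.e. tunnel-side
# administrator addresses such as the 10.3.2.2 peer above.
def tunnel_admin_sources(rules)
  rules.select { |r| r.action == 'ALLOW' && r.direction == 'IN' && r.to == 'Anywhere' && !r.from.start_with?('Anywhere') }
       .map(&:from)
       .uniq
end

# The only ports the production posture above leaves public (this page's
# recommendation, not a ufw or Firezone constant).
PRODUCTION_PUBLIC = %w[22/tcp 51820/udp].freeze

# Public ports beyond that posture; a default install reports 80/tcp and 443/tcp.
def unexpected_public_ports(text)
  publicly_allowed(parse_ufw_status(text)) - PRODUCTION_PUBLIC
end

# Constructed sample: the typical server output shown above.
TYPICAL_STATUS = <<~'UFW'
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  80/tcp                     ALLOW IN    Anywhere
  443/tcp                    ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  80/tcp (v6)                ALLOW IN    Anywhere (v6)
  443/tcp (v6)               ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
UFW

# Constructed sample: the hardened production output shown above.
PRODUCTION_STATUS = <<~'UFW'
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  Anywhere                   ALLOW IN    10.3.2.2
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
UFW
```

On a live host, feed it the real output with unexpected_public_ports(`sudo ufw status verbose`); an empty result plus routed_policy returning "allow" matches the posture described above.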

Running SQL Queries

Firezone bundles a Postgresql server and a matching psql utility that can be used from the local shell like so:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"

This can be helpful for debugging purposes.

Common tasks:

  • Listing all users
  • Listing all devices
  • Changing a user's role
  • Backing up the database

Listing all users:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"

Listing all devices:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"

Changing a user's role:

Set the role to 'admin' or 'unprivileged' (replace user@example.com with the user's email address):

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"

Backing up the database:

The pg_dump utility is also included and can be used to take regular backups of the database. Run the following to dump a copy of the database in the common SQL format (replace /path/to/backup.sql with the location where the SQL file should be created):

/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql

User Guides

  • Add Users
  • Add Devices
  • Egress Rules
  • Client Instructions
  • Split Tunnel VPN
  • Reverse Tunnel
  • NAT Gateway

Add Users

Once Firezone has been deployed successfully, you need to add users to grant them access to your network. This is done through the Web UI.

Web UI

By selecting the "Add User" button under /users, you can add a user. You will be asked to provide an email and a password for the user. To restrict access to users in your organization only, Firezone can also interface and sync automatically with an identity provider. More details are available under Authenticate.

Add Devices

We recommend asking users to generate their own device configurations so that the private key is visible only to them. Users can generate their own device configurations by following the instructions on the Client Instructions page.

Generating a device configuration as an admin

All user device configurations can be created by Firezone admins. On the user's profile page under /users, select "Add Device" to do this.

 


 

Mutha kutumiza imelo kwa wogwiritsa ntchito fayilo yosinthira ya WireGuard mutapanga mbiri ya chipangizocho.

 

Ogwiritsa ntchito ndi zida zimalumikizidwa. Kuti mumve zambiri zamomwe mungawonjezere wogwiritsa ntchito, onani Onjezani Ogwiritsa Ntchito.

Egress Rules

Using the kernel's netfilter system, Firezone supports egress filtering to DROP or ACCEPT packets. All traffic is allowed by default.

IPv4 and IPv6 CIDRs and IP addresses are supported through the Allowlist and Denylist respectively. You can choose to scope a rule to a user when adding it, which applies the rule to all of that user's devices.

Client Instructions

Install and configure

To establish a VPN connection using the native WireGuard client, follow this guide.

1. Install the native WireGuard client

The official WireGuard clients listed here are compatible with Firezone:

  • MacOS
  • Windows
  • iOS
  • Android

Visit the official WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.

2. Download the device configuration file

Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.

Visit the URL your Firezone administrator provided to generate a device configuration file yourself. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.

Firezone Okta SSO login

[Screenshot]

3. Add the client configuration

Import the .conf file into the WireGuard client by opening it. By toggling the Activate switch, you can start the VPN session.

[Screenshot]

Session Re-authentication

Follow the instructions below if your network administrator requires periodic re-authentication to keep your VPN connection active.

You will need:

  • The Firezone portal URL: ask your network administrator for the link.
  • Your login username and password, which your network administrator should provide. The Firezone site will prompt you to log in to your account using the single sign-on service your employer uses (such as Google or Okta).

1. Turn off the VPN connection

[Screenshot]

2. Re-authenticate

Go to the Firezone portal URL and log in using the credentials your network administrator provided. If you are already logged in, click the Re-authenticate button before logging in again.

[Screenshot]

3. Start the VPN session

[Screenshot]

Linux Network Manager

To import the WireGuard configuration profile using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.

NOTE

If the profile has IPv6 support enabled, attempting to import the configuration file using the Network Manager GUI may fail with the following error:

ipv6.method: method "auto" is not supported for WireGuard

1. Install WireGuard Tools

It is necessary to install the WireGuard userspace tools. This will be a package called wireguard or wireguard-tools, depending on the Linux distribution.

For Ubuntu/Debian:

sudo apt install wireguard

For Fedora:

sudo dnf install wireguard-tools

Arch Linux:

sudo pacman -S wireguard-tools

Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.

2. Download the configuration

Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.

Visit the URL your Firezone administrator provided to generate a device configuration file yourself. Your company will have a unique URL for this; in this case, it is https://instance-id.yourfirezone.com.

[Screenshot]

3. Import the settings

Import the supplied configuration file using nmcli:

sudo nmcli connection import type wireguard file /path/to/configuration.conf

NOTE

The name of the configuration file will become the name of the WireGuard connection/interface. After importing, the connection can be renamed if necessary:

nmcli connection modify [old name] connection.id [new name]

4. Connect or disconnect

Using the command line, connect to the VPN as follows:

nmcli connection up [vpn name]

To disconnect:

nmcli connection down [vpn name]

The Network Manager applet can also be used to manage the connection if you are using the GUI.

Auto Connect

By setting the connection's autoconnect option to "yes", the VPN connection can be made to connect automatically:

nmcli connection modify [vpn name] connection.autoconnect yes

To disable automatic connection, set it back to no:

nmcli connection modify [vpn name] connection.autoconnect no

Enable Multi-Factor Authentication

To enable MFA, go to Firezone's /user account/register mfa page. Use your authenticator app to scan the QR code once it is generated, then enter the six-digit code.

Contact your administrator to reset your account access if you lose your authenticator app.

Split Tunnel VPN

This guide walks you through configuring WireGuard split tunneling with Firezone so that only traffic to specific IP ranges is forwarded through the VPN server.

1. Configure Allowed IPs

The IP ranges for which the client will route network traffic are set in the Allowed IPs field on the /settings/default page. Only new WireGuard configurations generated by Firezone will be affected by changes to this field.

[Screenshot]

The default value is 0.0.0.0/0, ::/0, which routes all network traffic from the client to the VPN server.

Examples of values for this field include:

  • 0.0.0.0/0, ::/0 - all network traffic will be routed to the VPN server.
  • 192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.
  • 3.5.140.0/22 - only traffic to IPs in the range 3.5.140.1 - 3.5.143.254 will be routed to the VPN server. In this example, the CIDR range of the ap-northeast-2 AWS region was used.

NOTE

Firezone selects the egress interface corresponding to the most specific route when determining where to route a packet.

2. Regenerate the WireGuard configurations

Users must regenerate the configuration files and add them to their native WireGuard client to update existing devices with the new split tunnel configuration.

For instructions, see Add Devices.
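The following is an added example, not code from the page or from Firezone: it parses an AllowedIPs value like the ones above and applies the longest-prefix rule from the NOTE to decide whether a destination leaves through the tunnel. The same check answers the question raised later for the NAT gateway case, whether a single protected address is still covered once split tunneling is on. Destination addresses in the sample run are constructed.

```ruby
require 'ipaddr'

# Split an AllowedIPs string such as "0.0.0.0/0, ::/0" into IPAddr networks.
def parse_allowed_ips(allowed_ips)
  allowed_ips.split(',').map(&:strip).reject(&:empty?).map { |cidr| IPAddr.new(cidr) }
end

# Return the most specific (longest-prefix) network in +routes+ that contains
# +destination+, or nil when none does. This mirrors the NOTE above: the most
# specific matching route decides where a packet goes.
def most_specific_route(routes, destination)
  dest = IPAddr.new(destination)
  routes.select { |net| net.family == dest.family && net.include?(dest) }
        .max_by(&:prefix)
end

# true when traffic to +destination+ is sent through the tunnel under the
# given AllowedIPs value; false when it stays on the client's normal route.
def routed_through_tunnel?(allowed_ips, destination)
  !most_specific_route(parse_allowed_ips(allowed_ips), destination).nil?
end

# Usable IPv4 host addresses of a CIDR block (network and broadcast excluded),
# e.g. 3.5.140.0/22 -> 3.5.140.1 .. 3.5.143.254 as stated in the list above.
def usable_host_range(cidr)
  net = IPAddr.new(cidr)
  range = net.to_range
  [IPAddr.new(range.first.to_i + 1, net.family).to_s,
   IPAddr.new(range.last.to_i - 1, net.family).to_s]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the three AllowedIPs values from the list above plus
  # documentation-range destinations.
  [['0.0.0.0/0, ::/0', '198.51.100.7'],
   ['192.0.2.3/32', '192.0.2.4'],
   ['3.5.140.0/22', '3.5.141.7'],
   ['3.5.140.0/22', '3.5.144.1']].each do |allowed, dest|
    via = routed_through_tunnel?(allowed, dest) ? 'tunnel' : 'local route'
    puts "AllowedIPs=#{allowed.ljust(18)} #{dest.ljust(14)} -> #{via}"
  end
  puts "3.5.140.0/22 hosts: #{usable_host_range('3.5.140.0/22').join(' .. ')}"
end
```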

Reverse Tunnel

This guide shows how to connect two devices using Firezone as a relay. One use case is to allow an administrator to access a server, container, or machine that is protected by a NAT or firewall.

Node to Node

This diagram shows how devices A and B form a tunnel.

[Firezone architecture diagram]

Start by creating Device A and Device B by going to /users/[user_id]/new_device. In the settings for each device, make sure the following parameters are set to the values listed below. You can set device settings when creating the device configuration (see Add Devices). If you need to update settings on an existing device, you can do so by generating a new device configuration.

Note that all devices have a /settings/defaults page where PersistentKeepalive can be configured.

Device A

  • AllowedIPs = 10.3.2.2/32: this is the IP or range of IPs of Device B.
  • PersistentKeepalive = 25: if the device is behind a NAT, this ensures the device can keep the tunnel alive and continue receiving packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.

Device B

  • AllowedIPs = 10.3.2.3/32: this is the IP or range of IPs of Device A.
  • PersistentKeepalive = 25

Admin Use Case - One to Many Nodes

This example shows how Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or administrator accessing multiple resources (servers, containers, or machines) across different networks.

[Architecture diagram]

Make sure the following settings are made in each device's configuration with the corresponding values. When creating the device configuration, you can specify the device settings (see Add Devices). A new device configuration can be generated if settings on an existing device need to be updated.

Device A (Admin Node)

  • AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32: these are the IPs of Devices B through D. The IPs of Devices B through D must be included in whichever IP range you choose.
  • PersistentKeepalive = 25: this ensures the device can keep the tunnel alive and continue receiving packets from the WireGuard interface even if it is behind a NAT. Usually a value of 25 is sufficient; however, depending on your environment, you may need to decrease this value.

Device B

  • AllowedIPs = 10.3.2.2/32: this is the IP or range of IPs of Device A
  • PersistentKeepalive = 25

Device C

  • AllowedIPs = 10.3.2.2/32: this is the IP or range of IPs of Device A
  • PersistentKeepalive = 25

Device D

  • AllowedIPs = 10.3.2.2/32: this is the IP or range of IPs of Device A
  • PersistentKeepalive = 25
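The block below is an added example, not Firezone's code: it models the one-to-many settings above with a constructed Device struct and checks the two things that silently break a reverse tunnel, a peer whose AllowedIPs does not cover the other side (WireGuard drops packets whose source is not in the receiver's AllowedIPs) and a PersistentKeepalive of 0 on a device behind NAT. The device names and tunnel addresses are the page's own; admin_mesh and check_pairs are hypothetical helpers.

```ruby
require 'ipaddr'

# One device's settings as discussed above (constructed model, not Firezone's
# own data structure).
Device = Struct.new(:name, :address, :allowed_ips, :persistent_keepalive, keyword_init: true)

# Build the one-to-many layout: the admin node lists every spoke's /32 and each
# spoke lists the admin node's /32, all with the same PersistentKeepalive.
def admin_mesh(admin_address, spoke_addresses, keepalive: 25)
  admin = Device.new(name: 'Device A', address: admin_address,
                     allowed_ips: spoke_addresses.map { |ip| "#{ip}/32" },
                     persistent_keepalive: keepalive)
  spokes = spoke_addresses.each_with_index.map do |ip, i|
    Device.new(name: "Device #{('B'.ord + i).chr}", address: ip,
               allowed_ips: ["#{admin_address}/32"],
               persistent_keepalive: keepalive)
  end
  [admin] + spokes
end

# Check each pair that must talk: both directions must be covered by the
# receiver's AllowedIPs. PersistentKeepalive = 0 (the portal default) is
# flagged because a peer behind NAT then cannot keep its mapping open.
# Returns a list of problem strings; empty means the settings are consistent.
def check_pairs(devices, pairs)
  by_name = devices.each_with_object({}) { |d, h| h[d.name] = d }
  problems = []
  pairs.each do |a_name, b_name|
    a = by_name.fetch(a_name)
    b = by_name.fetch(b_name)
    [[a, b], [b, a]].each do |src, dst|
      covered = src.allowed_ips.any? { |cidr| IPAddr.new(cidr).include?(IPAddr.new(dst.address)) }
      problems << "#{src.name} does not list #{dst.name} (#{dst.address}) in AllowedIPs" unless covered
    end
  end
  devices.each do |d|
    next unless d.persistent_keepalive.to_i.zero?
    problems << "#{d.name} has PersistentKeepalive = 0; use 25 if it is behind NAT"
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  devices = admin_mesh('10.3.2.2', %w[10.3.2.3 10.3.2.4 10.3.2.5])
  pairs = %w[B C D].map { |x| ['Device A', "Device #{x}"] }
  devices.each do |d|
    puts "#{d.name}: AllowedIPs = #{d.allowed_ips.join(', ')}, PersistentKeepalive = #{d.persistent_keepalive}"
  end
  problems = check_pairs(devices, pairs)
  puts(problems.empty? ? 'settings are consistent' : problems.join("\n"))
end
```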

NAT Gateway

To provide a single, static egress IP for all of your team's traffic to flow out of, Firezone can be used as a NAT gateway. This covers common uses such as:

  • Consulting engagements: ask your client to allowlist a single static IP address rather than each employee's individual device IP.
  • Using a proxy or masking your source IP for security or privacy purposes.

A simple example of restricting access to a self-hosted web application to a single allowlisted static IP running Firezone is shown in this post. In this example, Firezone and the protected resource are in different VPCs.

This solution is commonly used in place of managing an IP allowlist for many end users, which can become time-consuming as the access list grows.

AWS Example

Our goal is to set up a Firezone server on an EC2 instance to redirect VPN traffic to the restricted resource. Here, Firezone acts as a network proxy or NAT gateway to give each connected device a unique public IP.

1. Install the Firezone server

In this case, an EC2 instance of type t2.micro has a Firezone instance installed on it. For more about deploying Firezone, see the Deployment Guide. With respect to AWS, make sure:

  • The security group of the Firezone EC2 instance allows outbound traffic to the IP address of the protected resource.
  • The Firezone instance has an Elastic IP. Traffic forwarded through Firezone to external destinations will have this as its source IP address. The IP address in question is 52.202.88.54.

[Screenshot]

2. Restrict access to the protected resource

A self-hosted web application serves as the protected resource in this case. The web application can only be accessed by requests coming from the IP address 52.202.88.54. Depending on the resource, it may be necessary to allow inbound traffic on different ports and for different traffic types. This is not covered in this guide.

[Screenshot]

Please inform the third party managing the protected resource that traffic from the static IP defined in Step 1 (in this case 52.202.88.54) must be allowed.

3. Use the VPN server to direct traffic to the protected resource

By default, all user traffic will pass through the VPN server and originate from the static IP configured in Step 1 (in this case 52.202.88.54). However, if split tunneling is enabled, configuration changes may be needed to ensure the protected resource's IP is listed among the Allowed IPs.

Onjezani Mawu Anga Omwe Apa

Chiwonetsero pansipa ndi mndandanda wathunthu wa zosankha zomwe zilipo /etc/firezone/firezone.rb.



mwina

Kufotokoza

mtengo wokhazikika

default['firezone']['external_url']

Ulalo womwe umagwiritsidwa ntchito polowa patsamba la Firezone ili.

"https://#{node['fqdn'] || node['hostname']}"

default['firezone']['config_directory']

Chikwatu chapamwamba cha kasinthidwe ka Firezone.

/etc/firezone'

default['firezone']['install_directory']

Chikwatu chapamwamba kuti muyike Firezone.

/opt/firezone'

default['firezone']['app_directory']

Chikwatu chapamwamba kwambiri kuti muyike pulogalamu yapaintaneti ya Firezone.

"#{node['firezone']['install_directory']}/embedded/service/firezone”

default['firezone']['log_directory']

Chikwatu chapamwamba kwambiri cha zolemba za Firezone.

/var/log/firezone'

default['firezone']['var_directory']

Chikwatu chapamwamba kwambiri cha mafayilo othamanga a Firezone.

/var/opt/firezone'

default['firezone']['user']

Dzina la ogwiritsa ntchito a Linux osasankhidwa ntchito zambiri ndi mafayilo adzakhala ake.

firezone'

default['firezone']['gulu']

Dzina la Linux gulu mautumiki ambiri ndi mafayilo adzakhala ake.

firezone'

default['firezone']['admin_email']

Imelo adilesi ya wosuta woyamba wa Firezone.

"firezone@localhost"

default['firezone']['max_devices_per_user']

Zida zochulukira zomwe wogwiritsa ntchito atha kukhala nazo.

10

kusakhazikika['firezone']['lolera_unprivileged_device_management']

Amalola ogwiritsa ntchito omwe si a admin kupanga ndi kuchotsa zida.

WOONA

default['firezone']['lolera_unprivileged_device_configuration']

Amalola ogwiritsa ntchito omwe si a admin kuti asinthe masinthidwe a chipangizo. Zikayimitsidwa, zimalepheretsa ogwiritsa ntchito opanda mwayi kusintha magawo onse a chipangizocho kupatula dzina ndi mafotokozedwe.

WOONA

default['firezone']['egress_interface']

Dzina lachiyankhulo komwe magalimoto odutsa adzatuluka. Ngati sichoncho, mawonekedwe osasinthika adzagwiritsidwa ntchito.

nil

default['firezone']['fips_enabled']

Yambitsani kapena kuletsa mawonekedwe a OpenSSL FIPs.

nil

kusakhazikika['firezone']['kudula mitengo']['othandizira']

Yambitsani kapena kuletsa kudula mitengo kudutsa Firezone. Khazikitsani zabodza kuti muletse kudula mitengo konse.

WOONA

default['enterprise']['name']

Dzina logwiritsidwa ntchito ndi cookbook ya Chef 'enterprise'.

firezone'

default['firezone']['install_path']

Ikani njira yogwiritsidwa ntchito ndi chef 'enterprise' cookbook. Iyenera kukhazikitsidwa mofanana ndi install_directory pamwambapa.

node['firezone']['install_directory']

default['firezone']['sysvinit_id']

Chizindikiro chogwiritsidwa ntchito mu /etc/inittab. Iyenera kukhala motsatizana mwapadera zilembo 1-4.

SUP'

kusakhazikika['firezone']['authentication']['local']['enabled']

Yambitsani kapena kuletsa kutsimikizika kwa imelo/achinsinsi kwanuko.

WOONA

default['firezone']['authentication']['auto_create_oidc_users']

Pangani zokha anthu olowa mu OIDC kwa nthawi yoyamba. Letsani kulola ogwiritsa ntchito omwe alipo okha kuti alowe kudzera mu OIDC.

WOONA

default['firezone']['authentication']['disable_vpn_on_oidc_error']

Zimitsani VPN ya wogwiritsa ntchito ngati cholakwika chapezeka poyesa kutsitsimutsa chizindikiro chawo cha OIDC.

ZONYENGA

default['firezone']['authentication']['oidc']

OpenID Connect config, mumtundu wa {"wopereka" => [config…]} - Onani Zolemba za OpenIDConnect kwa zitsanzo za config.

{}

default['firezone']['nginx']['enabled']

Yambitsani kapena kuletsa seva yolumikizidwa ya nginx.

WOONA

default['firezone']['nginx']['ssl_port']

HTTPS mvetserani doko.

443

default['firezone']['nginx']['directory']

Kalozera wosungirako kasinthidwe kogwirizana ndi Firezone nginx.

"#{node['firezone']['var_directory']}/nginx/etc”

default['firezone']['nginx']['log_directory']

Kalozera wosungira mafayilo okhudzana ndi Firezone a nginx.

“#{node['firezone']['log_directory']}/nginx”

default['firezone']['nginx']['log_rotation']['file_maxbytes']

Kukula kwa fayilo komwe mungasinthe mafayilo a log ya Nginx.

104857600

default['firezone']['nginx']['log_rotation']['nambala_to_keep']

Chiwerengero cha mafayilo amtundu wa Firezone nginx oti muwasunge musanataye.

10

default['firezone']['nginx']['log_x_forwarded_for']

Ngati mulowetse Firezone nginx x-forwarded-head.

WOONA

default['firezone']['nginx']['hsts_header']['wothandizira']

Yambitsani kapena kuletsa Zithunzi za HSTS.

WOONA

default['firezone']['nginx']['hsts_header']['include_subdomains']

Yambitsani kapena zimitsani kuphatikizaSubDomains pamutu wa HSTS.

WOONA

default['firezone']['nginx']['hsts_header']['max_age']

Zaka zambiri zamutu wa HSTS.

31536000

default['firezone']['nginx']['redirect_to_canonical']

Kutumizanso ma URL ku FQDN yovomerezeka yomwe yatchulidwa pamwambapa

ZONYENGA

default['firezone']['nginx']['cache']['yathandizira']

Yambitsani kapena kuletsa cache ya Firezone nginx.

ZONYENGA

default['firezone']['nginx']['cache']['directory']

Kalozera wa Firezone nginx cache.

"#{node['firezone']['var_directory']}/nginx/cache”

default['firezone']['nginx']['user']

Wogwiritsa ntchito Firezone nginx.

node['firezone']['user']

default['firezone']['nginx']['gulu']

Firezone nginx gulu.

node['firezone']['gulu']

default['firezone']['nginx']['dir']

Mndandanda wapamwamba kwambiri wa nginx kasinthidwe.

node['firezone']['nginx']['directory']

default['firezone']['nginx']['log_dir']

Mndandanda wapamwamba kwambiri wa nginx log.

node['firezone']['nginx']['log_directory']

default['firezone']['nginx']['pid']

Malo a nginx pid file.

"#{node['firezone']['nginx']['directory']}/nginx.pid”

default['firezone']['nginx']['daemon_disable']

Letsani nginx daemon mode kuti tiziyang'anira m'malo mwake.

WOONA

default['firezone']['nginx']['gzip']

Yatsani kapena kuzimitsa kukakamiza kwa nginx gzip.

pa '

default['firezone']['nginx']['gzip_static']

Yatsani kapena kuzimitsa kukakamiza kwa nginx gzip pamafayilo osasunthika.

choka'

default['firezone']['nginx']['gzip_http_version']

Mtundu wa HTTP woti mugwiritse ntchito potumiza mafayilo osasintha.

1.0 '

default['firezone']['nginx']['gzip_comp_level']

nginx gzip compression level.

2 '

default['firezone']['nginx']['gzip_proxied']

Imayatsa kapena kuletsa gzipping ya mayankho a zopempha za proxied kutengera pempho ndi mayankho.

chilichonse'

default['firezone']['nginx']['gzip_vary']

Imayatsa kapena kuyimitsa kuyika mutu wamayankhidwe a "Vary: Accept-Encoding".

choka'

default['firezone']['nginx']['gzip_buffers']

Imayika nambala ndi kukula kwa mabafa omwe amagwiritsidwa ntchito kukakamiza kuyankha. Ngati palibe, nginx default imagwiritsidwa ntchito.

nil

default['firezone']['nginx']['gzip_types']

Mitundu ya MIME kuti mutsegule kupsinjika kwa gzip.

['text/plain', 'text/css','application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', ' text/javascript', 'application/javascript', 'application/json']

default['firezone']['nginx']['gzip_min_length']

Utali wa fayilo wocheperako kuti mutsegule fayilo ya gzip.

1000

default['firezone']['nginx']['gzip_disable']

Wothandizira-wothandizira kuti aletse kukakamiza kwa gzip.

MSIE [1-6]\.'

default['firezone']['nginx']['keepalive']

Imayatsa cache kuti mulumikizane ndi ma seva okwera.

pa '

default['firezone']['nginx']['keepalive_timeout']

Yatha m'masekondi kuti mulumikizane ndi ma seva okwera.

65

default['firezone']['nginx']['worker_processes']

Chiwerengero cha ntchito za nginx.

node['cpu'] && node['cpu']['total'] ? node['cpu']['total'] : 1

default['firezone']['nginx']['worker_connections']

Chiwerengero chochuluka cha maulumikizidwe munthawi imodzi omwe angatsegulidwe ndi ndondomeko ya ogwira ntchito.

1024

default['firezone']['nginx']['worker_rlimit_nofile']

Amasintha malire pa kuchuluka kwa mafayilo otseguka anjira za ogwira ntchito. Amagwiritsa ntchito nginx default ngati nil.

nil

default['firezone']['nginx']['multi_accept']

Kaya ogwira ntchito avomereze kulumikizana kamodzi kapena kangapo.

WOONA

default['firezone']['nginx']['chochitika']

Imatchula njira yolumikizira yolumikizira kuti igwiritse ntchito mkati mwa zochitika za nginx.

epoll'

default['firezone']['nginx']['server_tokens']

Imayatsa kapena kuyimitsa kutulutsa kwa nginx pamasamba olakwika komanso pamutu wapamutu wa "Seva".

nil

default['firezone']['nginx']['server_names_hash_bucket_size']

Imakhazikitsa kukula kwa chidebe cha ma seva a hashi matebulo.

64

default['firezone']['nginx']['sendfile']

Imathandizira kapena kuletsa kugwiritsa ntchito nginx's sendfile().

pa '

default['firezone']['nginx']['access_log_options']

Imakhazikitsa njira zolowera ku nginx.

nil

default['firezone']['nginx']['error_log_options']

Imakhazikitsa njira zolembera zolakwika za nginx.

nil

default['firezone']['nginx']['disable_access_log']

Imayimitsa chipika chofikira cha nginx.

ZONYENGA

default['firezone']['nginx']['types_hash_max_size']

mitundu ya nginx hash max size.

2048

default['firezone']['nginx']['types_hash_bucket_size']

nginx mitundu hash chidebe kukula.

64

default['firezone']['nginx']['proxy_read_timeout']

nginx proxy kuwerenga nthawi yatha. Khazikitsani kuti musagwiritse ntchito nginx default.

nil

default['firezone']['nginx']['client_body_buffer_size']

nginx kasitomala buffer kukula kwake. Khazikitsani kuti musagwiritse ntchito nginx default.

nil

default['firezone']['nginx']['client_max_body_size']

nginx kasitomala max kukula kwa thupi.

250m'

default['firezone']['nginx']['default']['modules']

Tchulani ma module owonjezera a nginx.

[]

default['firezone']['nginx']['enable_rate_limiting']

Yambitsani kapena kuletsa kuchepetsa kuchuluka kwa nginx.

WOONA

default['firezone']['nginx']['rate_limiting_zone_name']

Dzina la zone yochepetsa kuchuluka kwa Nginx.

firezone'

default['firezone']['nginx']['rate_limiting_backoff']

Nginx kuchepetsa kuchepetsa kubwerera.

10m'

default['firezone']['nginx']['rate_limit']

Nginx mlingo malire.

10r/s'

default['firezone']['nginx']['ipv6']

Lolani nginx kuti imvere zopempha za HTTP za IPv6 kuwonjezera pa IPv4.

WOONA

default['firezone']['postgresql']['enabled']

Yambitsani kapena kuletsa Postgresql yosungidwa. Khazikitsani zabodza ndikudzaza zomwe zili pansipa kuti mugwiritse ntchito Postgresql yanu.

WOONA

default['firezone']['postgresql']['username']

Dzina lolowera la Postgresql.

node['firezone']['user']

default['firezone']['postgresql']['data_directory']

Postgresql data directory.

"#{node['firezone']['var_directory']}/postgresql/13.3/data”

default['firezone']['postgresql']['log_directory']

Postgresql log directory.

"#{node['firezone']['log_directory']}/postgresql"

default['firezone']['postgresql']['log_rotation']['file_maxbytes']

Postgresql chipika kukula kwake kwakukulu isanazungulidwe.

104857600

default['firezone']['postgresql']['log_rotation']['num_to_keep']

Chiwerengero cha mafayilo olembedwa a Postgresql kuti musunge.

10

default['firezone']['postgresql']['checkpoint_completion_target']

Pomaliza cheke cha Postgresql.

0.5

default['firezone']['postgresql']['checkpoint_segments']

Chiwerengero cha magawo a Postgresql.

3

default['firezone']['postgresql']['checkpoint_timeout']

Postgresql checkpoint nthawi yatha.

5min'

default['firezone']['postgresql']['checkpoint_warning']

Nthawi yochenjeza ya Postgresql mumasekondi.

30s'

default['firezone']['postgresql']['effective_cache_size']

Postgresql yogwira cache kukula kwake.

128MB'

default['firezone']['postgresql']['mvera_adilesi']

Postgresql mverani adilesi.

127.0.0.1 '

default['firezone']['postgresql']['max_connections']

Kulumikizana kwakukulu kwa Postgresql.

350

default['firezone']['postgresql']['md5_auth_cidr_addresses']

Postgresql CIDRs kulola md5 auth.

['127.0.0.1/32', ':1/128']

default['firezone']['postgresql']['port']

Postgresql mverani doko.

15432

default['firezone']['postgresql']['shared_buffers']

Postgresql yogawana kukula kwa buffers.

“#{(node['memory']['total'].to_i / 4) / 1024}MB”

default['firezone']['postgresql']['shmmax']

Postgresql shmmax mu mabayiti.

17179869184

default['firezone']['postgresql']['shmall']

Postgresql shmall mu byte.

4194304

default['firezone']['postgresql']['work_mem']

Kukula kwa kukumbukira kwa Postgresql.

8MB'

default['firezone']['database']['user']

Imatchula dzina lolowera Firezone lomwe lidzagwiritse ntchito kulumikiza ku DB.

node['firezone']['postgresql']['dzina lolowera']

default['firezone']['database']['password']

Ngati mukugwiritsa ntchito DB yakunja, imatchula mawu achinsinsi omwe Firezone adzagwiritsa ntchito kulumikiza ku DB.

change_ine'

default['firezone']['database']['name']

Database yomwe Firezone idzagwiritse ntchito. Zidzapangidwa ngati palibe.

firezone'

default['firezone']['database']['host']

Wosunga database yemwe Firezone ilumikizako.

node['firezone']['postgresql']['mvera_adilesi']

default['firezone']['database']['port']

Doko la database lomwe Firezone ilumikizako.

node['firezone']['postgresql']['port']

default['firezone']['database']['pool']

Kukula kwa dziwe la Database Firezone kudzagwiritsa ntchito.

[10, etc.nprocessors].max

default['firezone']['database']['ssl']

Kuti mulumikizidwe ku database kudzera pa SSL.

ZONYENGA

default['firezone']['database']['ssl_opts']

Hashi ya zosankha zomwe mungatumize ku :ssl_opts njira mukalumikiza pa SSL. Mwaona Zolemba za Ecto.Adapters.Postgres.

{}

default['firezone']['database']['parameters']

Hashi ya magawo oti mutumize ku :parameters polumikiza ku database. Mwaona Zolemba za Ecto.Adapters.Postgres.

{}

default['firezone']['database']['extensions']

Zowonjezera za database kuti zitheke.

{'plpgsql' => zoona, 'pg_trgm' => zoona }

default['firezone']['phoenix']['enabled']

Yambitsani kapena zimitsani pulogalamu yapaintaneti ya Firezone.

WOONA

default['firezone']['phoenix']['mvera_adilesi']

Adilesi yomvera pa intaneti ya Firezone. Awa adzakhala adilesi yakumtunda yomvera yomwe ma proxies a nginx.

127.0.0.1 '

default['firezone']['phoenix']['port']

Firezone web application listen port. Ili likhala doko lakumtunda lomwe nginx proxies.

13000

default['firezone']['phoenix']['log_directory']

Firezone web application log directory.

“#{node['firezone']['log_directory']}/phoenix”

default['firezone']['phoenix']['log_rotation']['file_maxbytes']

Firezone web application log file size.

104857600

default['firezone']['phoenix']['log_rotation']['num_to_keep']

Nambala ya mafayilo olembetsedwa pa intaneti ya Firezone oti muwasunge.

10

default['firezone']['phoenix']['crash_detection']['enabled']

Yambitsani kapena zimitsani kutsitsa pulogalamu yapaintaneti ya Firezone zikadziwika.

WOONA

default['firezone']['phoenix']['external_trusted_proxies']

Mndandanda wa ma proxies odalirika opangidwa ngati Gulu la IPs ndi/kapena ma CIDR.

[]

default['firezone']['phoenix']['private_clients']

Mndandanda wamakasitomala achinsinsi a HTTP, adapanga ma IP ambiri ndi/kapena ma CIDR.

[]

default['firezone']['wireguard']['wothandizira']

Yambitsani kapena kuletsa kasamalidwe ka WireGuard.

WOONA

default['firezone']['wireguard']['log_directory']

Log chikwatu cha kasamalidwe ka WireGuard.

"#{node['firezone']['log_directory']}/wireguard"

default['firezone']['wireguard']['log_rotation']['file_maxbytes']

WireGuard chipika wapamwamba kukula kwake.

104857600

default['firezone']['wireguard']['log_rotation']['nambala_to_kusunga']

Chiwerengero cha mafayilo a log ya WireGuard oti muwasunge.

10

default['firezone']['wireguard']['interface_name']

Dzina la mawonekedwe a WireGuard. Kusintha parameter iyi kungayambitse kutayika kwakanthawi mu kulumikizana kwa VPN.

wg-firezone'

default['firezone']['wireguard']['port']

WireGuard mvetserani doko.

51820

default['firezone']['wireguard']['mutu']

Mawonekedwe a WireGuard MTU pa seva iyi komanso masinthidwe a chipangizo.

1280

default['firezone']['wireguard']['endpoint']

WireGuard Endpoint kuti mugwiritse ntchito kupanga masinthidwe a chipangizo. Ngati palibe, zisintha ku adilesi yapagulu ya seva.

nil

default['firezone']['wireguard']['dns']

WireGuard DNS kuti mugwiritse ntchito popanga zida zopangira.

1.1.1.1, 1.0.0.1'

default['firezone']['wireguard']['allowed_ips']

WireGuard AllowedIPs kuti agwiritse ntchito masinthidwe opangidwa.

0.0.0.0/0, ::/0′

default['firezone']['wireguard']['persistent_keepalive']

Zosintha za PersistentKeepalive zosinthidwa ndi zida zopangidwa. Mtengo wa 0 woyimitsa.

0

default['firezone']['wireguard']['ipv4']['wothandizira']

Yambitsani kapena kuletsa IPv4 pa netiweki ya WireGuard.

WOONA

default['firezone']['wireguard']['ipv4']['masquerade']

Yambitsani kapena kuletsa masquerade pamapaketi omwe akuchoka munjira ya IPv4.

WOONA

default['firezone']['wireguard']['ipv4']['network']

WireGuard network IPv4 adilesi dziwe.

10.3.2.0/24 '

default['firezone']['wireguard']['ipv4']['address']

Mawonekedwe a WireGuard IPv4 adilesi. Ayenera kukhala mkati mwa dziwe la ma adilesi la WireGuard.

10.3.2.1 '

default['firezone']['wireguard']['ipv6']['wothandizira']

Yambitsani kapena kuletsa IPv6 pa netiweki ya WireGuard.

WOONA

default['firezone']['wireguard']['ipv6']['masquerade']

Yambitsani kapena kuletsa masquerade pamapaketi omwe akuchoka munjira ya IPv6.

WOONA

default['firezone']['wireguard']['ipv6']['network']

WireGuard network IPv6 address pool.

Default: 'fd00::3:2:0/120'

default['firezone']['wireguard']['ipv6']['address']

WireGuard interface IPv6 address. Must be within the IPv6 address pool.

Default: 'fd00::3:2:1'

default['firezone']['runit']['svlogd_bin']

Runit svlogd bin location.

Default: "#{node['firezone']['install_directory']}/embedded/bin/svlogd"

default['firezone']['ssl']['directory']

SSL directory for storing generated certs.

Default: '/var/opt/firezone/ssl'

default['firezone']['ssl']['email_address']

Email address to use for self-signed certificates and ACME protocol renewal notifications.

Default: 'you@example.com'

default['firezone']['ssl']['acme']['enabled']

Enable ACME for automatic SSL cert provisioning. Disable this to prevent Nginx from listening on port 80. See here for more instructions.

Default: false

default['firezone']['ssl']['acme']['server']

ACME server to use for certificate issuance / renewal. Can be any valid acme.sh server.

Default: 'letsencrypt'

default['firezone']['ssl']['acme']['keylength']

Specify the key type and length for SSL certificates. See here.

Default: 'ec-256'

default['firezone']['ssl']['certificate']

Path to the certificate file for your FQDN. Overrides the ACME settings above if specified. If both ACME and this are nil, a self-signed cert will be generated.

Default: nil

default['firezone']['ssl']['certificate_key']

Path to the certificate key file.

Default: nil

default['firezone']['ssl']['ssl_dhparam']

nginx ssl dh_param.

Default: nil

default['firezone']['ssl']['country_name']

Country name for the self-signed cert.

Default: 'US'

default['firezone']['ssl']['state_name']

State name for the self-signed cert.

Default: 'CA'

default['firezone']['ssl']['locality_name']

Locality name for the self-signed cert.

Default: 'San Francisco'

default['firezone']['ssl']['company_name']

Company name for the self-signed cert.

Default: 'My Company'

default['firezone']['ssl']['organizational_unit_name']

Organizational unit name for the self-signed cert.

Default: 'Operations'

default['firezone']['ssl']['ciphers']

SSL ciphers for nginx to use.

Default: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

default['firezone']['ssl']['fips_ciphers']

FIPS-compliant SSL ciphers.

Default: 'FIPS@STRENGTH:!aNULL:!eNULL'

default['firezone']['ssl']['protocols']

TLS protocols to use.

Default: 'TLSv1 TLSv1.1 TLSv1.2'

default['firezone']['ssl']['session_cache']

SSL session cache.

Default: 'shared:SSL:4m'

default['firezone']['ssl']['session_timeout']

SSL session timeout.

Default: '5m'

default['firezone']['robots_allow']

nginx robots allow.

Default: '/'

default['firezone']['robots_disallow']

nginx robots disallow.

Default: nil

default['firezone']['outbound_email']['from']

Outbound email from address.

Default: nil

default['firezone']['outbound_email']['provider']

Outbound email provider.

Default: nil

default['firezone']['outbound_email']['configs']

Outbound email provider configs.

Default: see omnibus/cookbooks/firezone/attributes/default.rb

default['firezone']['telemetry']['enabled']

Enable or disable anonymized product telemetry.

Default: true

default['firezone']['connectivity_checks']['enabled']

Enable or disable the Firezone connectivity check service.

Default: true

default['firezone']['connectivity_checks']['interval']

Interval between connectivity checks in seconds.

Default: 3_600
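The SSL attributes above ship with permissive defaults: TLSv1 and TLSv1.1 are offered, ACME is off, and with no certificate path a self-signed certificate is generated. The Ruby script below is an added example, not part of the Firezone documentation or code base. It audits a settings hash against the behaviour documented for these keys, shows the documented defaults beside a hardened set, and prints the override lines to paste into /etc/firezone/firezone.rb before running firezone-ctl reconfigure. The hardened values are this example's suggestions; it assumes the nginx/OpenSSL bundled with your Firezone release supports TLSv1.3.

```ruby
# Added example, not part of the Firezone documentation or code base. It
# audits the SSL attributes described above before they go into
# /etc/firezone/firezone.rb, and prints the override lines to paste there.
# The "hardened" values are this example's suggestions; whether TLSv1.3 is
# available depends on the nginx/OpenSSL bundled with your Firezone release
# (assumed here).

# Protocol versions that nginx should no longer offer.
DEPRECATED_TLS = %w[SSLv2 SSLv3 TLSv1 TLSv1.1].freeze

# The documented defaults for the attributes this example looks at.
PAGE_DEFAULTS = {
  'protocols'       => 'TLSv1 TLSv1.1 TLSv1.2',
  'acme_enabled'    => false,
  'certificate'     => nil,
  'certificate_key' => nil
}.freeze

# Suggested replacement: modern TLS only, certificate issued through ACME.
HARDENED = PAGE_DEFAULTS.merge(
  'protocols'    => 'TLSv1.2 TLSv1.3',
  'acme_enabled' => true
).freeze

# Deprecated versions present in a default['firezone']['ssl']['protocols']
# string (space separated, as nginx's ssl_protocols directive expects).
def deprecated_tls_protocols(protocols)
  protocols.split & DEPRECATED_TLS
end

# Which certificate Firezone will serve, following the precedence documented
# for default['firezone']['ssl']['certificate']: an explicit certificate path
# overrides ACME; with neither configured a self-signed certificate is
# generated. Treating a certificate path without a key path as an error is
# this example's own check, not documented Firezone behaviour.
def certificate_source(acme_enabled:, certificate:, certificate_key:)
  if certificate
    raise ArgumentError, 'ssl.certificate set without ssl.certificate_key' unless certificate_key
    :custom
  elsif acme_enabled
    :acme
  else
    :self_signed
  end
end

# Human-readable findings for a settings hash; an empty list means nothing to fix.
def audit_ssl_settings(settings)
  findings = []
  weak = deprecated_tls_protocols(settings['protocols'])
  findings << "deprecated TLS versions offered: #{weak.join(' ')}" unless weak.empty?
  source = certificate_source(acme_enabled:    settings['acme_enabled'],
                              certificate:     settings['certificate'],
                              certificate_key: settings['certificate_key'])
  if source == :self_signed
    findings << 'ACME disabled and no certificate path: a self-signed ' \
                'certificate will be generated and clients will warn'
  end
  findings
end

# The firezone.rb lines that apply a settings hash.
def firezone_rb_lines(settings)
  [
    "default['firezone']['ssl']['protocols'] = '#{settings['protocols']}'",
    "default['firezone']['ssl']['acme']['enabled'] = #{settings['acme_enabled']}",
    "default['firezone']['ssl']['certificate'] = #{settings['certificate'].inspect}",
    "default['firezone']['ssl']['certificate_key'] = #{settings['certificate_key'].inspect}"
  ]
end

if $PROGRAM_NAME == __FILE__
  puts 'Findings for the documented defaults:'
  audit_ssl_settings(PAGE_DEFAULTS).each { |f| puts "  - #{f}" }
  puts "\nfirezone.rb overrides for the hardened settings:"
  puts firezone_rb_lines(HARDENED)
end
```

Run it with `ruby ssl_audit.rb`; the documented defaults produce two findings, the hardened hash none. Keep the cipher list attribute in step with the protocol change: with TLSv1.3 enabled nginx negotiates its own TLS 1.3 suites regardless of ssl_ciphers, so the list above only governs TLS 1.2 connections.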



________________________________________________________________

 

File and Directory Locations

Here you'll find a list of files and directories related to a typical Firezone installation. These may change depending on changes to your configuration file.

Path / Description

/var/opt/firezone
Top-level directory containing data and generated configuration for the services bundled with Firezone.

/opt/firezone
Top-level directory containing built libraries, binaries and runtime files needed by Firezone.

/usr/bin/firezone-ctl
firezone-ctl utility for managing your Firezone installation.

/etc/systemd/system/firezone-runsvdir-start.service
systemd unit file for starting the Firezone runsvdir supervisor process.

/etc/firezone
Firezone configuration files.



__________________________________________________________

 

Firewall Templates

This page has no content.

 

_____________________________________________________________

 

Nftables Firewall Template

The following nftables firewall template can be used to secure the server running Firezone. The template makes some assumptions; you may need to adjust the rules to suit your use case:

  • The WireGuard interface is named wg-firezone. If this is not correct, change the DEV_WIREGUARD variable to match the default['firezone']['wireguard']['interface_name'] configuration option.
  • The port WireGuard is listening on is 51820. If you are not using the default port, change the WIREGUARD_PORT variable.
  • Only the following inbound traffic will be allowed to the server:
    • SSH (TCP port 22)
    • HTTP (TCP port 80)
    • HTTPS (TCP port 443)
    • WireGuard (UDP port WIREGUARD_PORT)
    • UDP traceroute (UDP ports 33434-33524, rate limited to 500/second)
    • ICMP and ICMPv6 (ping/ping responses rate limited to 2000/second)
  • Only the following outbound traffic will be allowed from the server:
    • DNS (UDP and TCP port 53)
    • HTTP (TCP port 80)
    • NTP (UDP port 123)
    • HTTPS (TCP port 443)
    • SMTP submission (TCP port 587)
    • UDP traceroute (UDP ports 33434-33524, rate limited to 500/second)
  • Unmatched traffic will be logged. The rules used for logging are separate from the rules that drop traffic and are rate limited. Removing the logging rules will not affect traffic.

Firezone Managed Rules

Firezone configures its own nftables rules to permit/deny traffic to the destinations configured in the web UI and to handle outbound NAT for client traffic.

Applying the template below on an already running server (rather than at boot time) will clear the Firezone rules. This may have security implications.

To work around this, restart the phoenix service:

firezone-ctl restart phoenix

Base Firewall Template

#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

################################ VARIABLES ################################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820
############################## VARIABLES END ##############################

# Main inet family filtering table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Allow inbound traffic to the loopback interface
    iif lo \
      accept \
      comment "Permit all traffic in from the loopback interface"

    ## Permit established and related connections
    ct state established,related \
      accept \
      comment "Permit established/related connections"

    ## Allow inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Allow inbound WireGuard traffic"

    ## Log and drop new TCP packets that are not SYN
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN: " \
      comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the SYN TCP flag set"

    ## Log and drop TCP packets with the invalid fin/syn flag combination
    tcp flags & (fin|syn) == (fin|syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SYN: " \
      comment "Rate limit logging for TCP packets with invalid fin/syn flags set"
    tcp flags & (fin|syn) == (fin|syn) \
      counter \
      drop \
      comment "Drop TCP packets with invalid fin/syn flags set"

    ## Log and drop TCP packets with the invalid syn/rst flag combination
    tcp flags & (syn|rst) == (syn|rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST: " \
      comment "Rate limit logging for TCP packets with invalid syn/rst flags set"
    tcp flags & (syn|rst) == (syn|rst) \
      counter \
      drop \
      comment "Drop TCP packets with invalid syn/rst flags set"

    ## Log and drop invalid TCP flags (no flag set at all)
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN:" \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop invalid TCP flags (fin, psh and urg only)
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG:" \
      comment "Rate limit logging for invalid TCP flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow IPv4 ping/ping responses but rate limit to 2000 PPS
    ip protocol icmp icmp type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv4 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all other IPv4 ICMP"

    ## Allow IPv6 ping/ping responses but rate limit to 2000 PPS
    icmpv6 type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Allow inbound IPv6 echo (ping) limited to 2000 PPS"

    ## Allow all other inbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all other IPv6 ICMP"

    ## Allow inbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow inbound UDP traceroute limited to 500 PPS"

    ## Allow inbound SSH
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Allow inbound SSH connections"

    ## Allow inbound HTTP and HTTPS
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow inbound HTTP and HTTPS connections"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "IN - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Allow outbound traffic to the loopback interface
    oif lo \
      accept \
      comment "Permit all traffic out to the loopback interface"

    ## Permit established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Permit established/related connections"

    ## Allow WireGuard traffic before dropping connections with a bad state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit WireGuard outbound traffic"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Allow all other outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Allow all IPv4 ICMP types"

    ## Allow all other outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Allow all IPv6 ICMP types"

    ## Allow outbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Allow outbound UDP traceroute limited to 500 PPS"

    ## Allow outbound HTTP and HTTPS connections
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Allow outbound HTTP and HTTPS connections"

    ## Allow outbound SMTP submission
    tcp dport submission ct state new \
      counter \
      accept \
      comment "Allow outbound SMTP submission"

    ## Allow outbound DNS requests
    udp dport 53 \
      counter \
      accept \
      comment "Allow outbound UDP DNS requests"
    tcp dport 53 \
      counter \
      accept \
      comment "Allow outbound TCP DNS requests"

    ## Allow outbound NTP requests
    udp dport 123 \
      counter \
      accept \
      comment "Allow outbound NTP requests"

    ## Log any unmatched traffic but rate limit logging to a maximum of 60 messages/minute
    ## The default policy will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "OUT - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

}

# Main NAT filtering table
table inet nat {

  # Rules for NAT traffic pre-routing
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept
  }

  # Rules for NAT traffic post-routing
  # This chain is processed before the Firezone post-routing chain
  chain postrouting {
    type nat hook postrouting priority srcnat - 5; policy accept
  }

}
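The TCP flag rules in the input chain are the part of the template most worth understanding before editing, because they are bitmask comparisons evaluated in order, and the first terminating verdict wins. The Ruby script below is an added example, not part of the Firezone template or code base. It re-implements the five flag tests over constructed packets, collapsing each log/drop rule pair into a single predicate keyed by the log prefix of the matching rule, so the verdict for a given flag byte and conntrack state can be checked without loading the ruleset. The reading of `tcp flags != syn` as "the SYN bit is not set" follows the template's own rule comment.

```ruby
# Added example; not part of the Firezone nftables template. It mirrors the
# bitmask arithmetic of the template's TCP flag rules in plain Ruby so the
# verdict for a constructed packet can be checked without a running firewall.

# TCP flag bits as carried in the header, under the names nftables uses.
TCP_FLAG = { fin: 0x01, syn: 0x02, rst: 0x04, psh: 0x08, ack: 0x10, urg: 0x20 }.freeze

# (fin|syn) in nft syntax: OR the named bits together.
def tcp_flags(*names)
  names.reduce(0) { |acc, n| acc | TCP_FLAG.fetch(n) }
end

ALL_FLAGS = tcp_flags(:fin, :syn, :rst, :psh, :ack, :urg)

# One entry per drop rule, in the template's order. Each is [log prefix of the
# paired logging rule, predicate over (flag byte, conntrack state)].
TCP_FLAG_RULES = [
  # tcp flags != syn ct state new  -> a new flow whose first packet lacks SYN
  ['IN - New !SYN: ',    ->(f, st) { st == :new && (f & TCP_FLAG[:syn]).zero? }],
  # tcp flags & (fin|syn) == (fin|syn)
  ['IN - TCP FIN|SYN: ', ->(f, _)  { (f & tcp_flags(:fin, :syn)) == tcp_flags(:fin, :syn) }],
  # tcp flags & (syn|rst) == (syn|rst)
  ['IN - TCP SYN|RST: ', ->(f, _)  { (f & tcp_flags(:syn, :rst)) == tcp_flags(:syn, :rst) }],
  # tcp flags & (fin|syn|rst|psh|ack|urg) < (fin)  -> masked value 0, no flag set
  ['IN - FIN:',          ->(f, _)  { (f & ALL_FLAGS) < TCP_FLAG[:fin] }],
  # tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)
  ['IN - FIN|PSH|URG:',  ->(f, _)  { (f & ALL_FLAGS) == tcp_flags(:fin, :psh, :urg) }]
].freeze

# Log prefix of the first rule that would drop the packet, or nil when the
# packet survives all five checks. nftables stops at the first terminating
# verdict, so the order of TCP_FLAG_RULES matters exactly as in the template.
def tcp_flag_verdict(flags, ct_state)
  hit = TCP_FLAG_RULES.find { |_, pred| pred.call(flags, ct_state) }
  hit&.first
end

# Constructed sample packets: [description, flag byte, conntrack state].
SAMPLE_PACKETS = [
  ['handshake SYN',              tcp_flags(:syn),             :new],
  ['data segment, tracked flow', tcp_flags(:psh, :ack),       :established],
  ['ACK with no tracked flow',   tcp_flags(:ack),             :new],
  ['SYN and FIN both set',       tcp_flags(:syn, :fin),       :new],
  ['SYN and RST both set',       tcp_flags(:syn, :rst),       :new],
  ['no flags set',               0,                           :invalid],
  ['FIN, PSH and URG only',      tcp_flags(:fin, :psh, :urg), :established]
].freeze

# Pairs each sample with its verdict; nil means the flag checks pass.
def run_samples
  SAMPLE_PACKETS.map { |desc, f, st| [desc, tcp_flag_verdict(f, st)] }
end

if $PROGRAM_NAME == __FILE__
  run_samples.each do |desc, verdict|
    puts format('%-28s -> %s', desc, verdict || 'passes flag checks')
  end
end
```

Two samples pass (the handshake SYN and the mid-connection data segment); every other sample is attributed to the rule whose log prefix you would then look for in the kernel log. Note that the "no flags set" and "FIN, PSH and URG only" packets are marked with a non-new conntrack state on purpose: for a new flow the first rule fires before the later ones are reached, which is what the template does as well.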

Usage

The firewall configuration should be stored in the relevant location for the Linux distribution being run. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL this is /etc/sysconfig/nftables.conf.

nftables.service will need to be configured to start at boot (if it is not already):

systemctl enable nftables.service

If you make any changes to the firewall template, the syntax can be validated by running the check command:

nft -f /path/to/nftables.conf -c

Make sure to validate that the firewall is working as expected, as certain nftables features may not be available depending on the release running on the server.



_______________________________________________________________



Telemetry

This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.

Why Firezone collects telemetry

Firezone relies on telemetry to prioritize our roadmap and optimize the engineering resources we have to make Firezone better for everyone.

The telemetry we collect aims to answer the following questions:

  • How many people install, use, and stop using Firezone?
  • What features are most valuable, and which ones see no use?
  • What functionality needs the most improvement?
  • When something breaks, why did it break, and how can we prevent it from happening in the future?

How we collect telemetry

There are three main places where telemetry is collected in Firezone:

  1. Package telemetry. Includes events such as install, uninstall, and upgrade.
  2. CLI telemetry from firezone-ctl commands.
  3. Product telemetry associated with the Web portal.

In each of these three contexts, we collect the minimum amount of data necessary to answer the questions above.

Admin emails are collected only if you explicitly opt in to product updates. Otherwise, personally identifiable information is never collected.

Firezone stores telemetry in a self-hosted instance of PostHog running in a private Kubernetes cluster, accessible only to the Firezone team. Here is an example of a telemetry event that is sent from your instance of Firezone to our telemetry server:

{
    "id": "0182272d-0b88-0000-d419-7b9a413713f1",
    "timestamp": "2022-07-22T18:30:39.748000+00:00",
    "event": "fz_http_started",
    "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "properties": {
        "$geoip_city_name": "Ashburn",
        "$geoip_continent_code": "NA",
        "$geoip_continent_name": "North America",
        "$geoip_country_code": "US",
        "$geoip_country_name": "United States",
        "$geoip_latitude": 39.0469,
        "$geoip_longitude": -77.4903,
        "$geoip_postal_code": "20149",
        "$geoip_subdivision_1_code": "VA",
        "$geoip_subdivision_1_name": "Virginia",
        "$geoip_time_zone": "America/New_York",
        "$ip": "52.200.241.107",
        "$plugins_deferred": [],
        "$plugins_failed": [],
        "$plugins_succeeded": [
            "GeoIP (3)"
        ],
        "distinct_id": "1zc2e794-1c3e-43fc-a78f-1db6d1a37f54",
        "fqdn": "awsdemo.firezone.dev",
        "kernel_version": "linux 5.13.0",
        "version": "0.4.6"
    },
    "elements_chain": ""
}

How to disable telemetry

NOTE

The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone's development. That said, we understand that some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that's you, keep reading.

Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to pick up the change.

default['firezone']['telemetry']['enabled'] = false

This will completely disable all product telemetry.