Linux
HOGENT Applied Computer Science
Thomas Parmentier, Andy Van Maele, Bert Van Vreckem
2024-2025
$ sudo systemctl status firewalld # is the firewall active?
$ sudo firewall-cmd --list-all # = show the firewall rules
$ sudo firewall-cmd --add-service http --permanent
$ sudo firewall-cmd --add-service https --permanent
$ sudo firewall-cmd --reload
Try viewing the website from the Linux Mint VM again.
The public zone is usually sufficient.

| Task | Command |
|---|---|
| Show all zones | firewall-cmd --get-zones |
| Show active zones | firewall-cmd --get-active-zones |
| Add interface IFACE to a zone (the default zone unless --zone= is given) | firewall-cmd --add-interface=IFACE |
| Show current rules | firewall-cmd --list-all |
You need root privileges (sudo) to run firewall-cmd!
| Task | Command |
|---|---|
| Allow a service | firewall-cmd --add-service=http |
| Show available services | firewall-cmd --get-services |
| Allow a port | firewall-cmd --add-port=8080/tcp |
| Reload the firewall rules | firewall-cmd --reload |
| Block all network traffic | firewall-cmd --panic-on |
| Disable panic mode | firewall-cmd --panic-off |

Panic mode drops every packet, including your own SSH session: only use it from the console.
The --permanent option is not applied immediately! After running a command with --permanent, reload the firewall:

sudo firewall-cmd --add-service=http --permanent
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload

The reverse also holds: a change made without --permanent is active at once but is lost at the next reload or reboot. firewall-cmd --runtime-to-permanent saves the current runtime configuration.
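The classic mistake behind "I opened the port but it still doesn't work" is a --permanent change without a --reload. The script below is an added example, not part of the HOGENT slides: it compares the runtime and permanent service lists of the default zone and prints the services that exist only in the permanent configuration. The function pending_services is pure string handling, so it is demonstrated on constructed sample output; the live check only runs when firewall-cmd is installed, firewalld is running and the script is executed as root (all three are assumptions about the environment).

```shell
#!/bin/sh
# Added example (not from the HOGENT slides): find firewalld services that were
# added with --permanent but are not active yet because --reload was not run.

# pending_services RUNTIME PERMANENT
#   Both arguments are space-separated service lists, as printed by
#   `firewall-cmd --list-services` and `firewall-cmd --permanent --list-services`.
#   Prints, one per line, the services present in PERMANENT but not in RUNTIME.
pending_services() {
  ps_runtime=" $1 "
  for ps_svc in $2; do
    case "$ps_runtime" in
      *" $ps_svc "*) ;;                  # already active at runtime
      *) printf '%s\n' "$ps_svc" ;;      # permanent only: a reload is needed
    esac
  done
}

# check_live: same comparison against the real firewalld state (needs root).
check_live() {
  cl_zone="$(firewall-cmd --get-default-zone)"
  pending_services "$(firewall-cmd --zone="$cl_zone" --list-services)" \
                   "$(firewall-cmd --permanent --zone="$cl_zone" --list-services)"
}

# Constructed sample output, as it looks right after the two
# `--add-service ... --permanent` commands from the slides, before the reload.
SAMPLE_RUNTIME="cockpit dhcpv6-client ssh"
SAMPLE_PERMANENT="cockpit dhcpv6-client http https ssh"

echo "Permanent-only services in the sample (need 'firewall-cmd --reload'):"
pending_services "$SAMPLE_RUNTIME" "$SAMPLE_PERMANENT"

# Live check, only where it can actually run.
if command -v firewall-cmd >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ] \
   && firewall-cmd --state >/dev/null 2>&1; then
  live_pending="$(check_live | tr '\n' ' ')"
  if [ -n "$live_pending" ]; then
    echo "Permanent-only services on this host: $live_pending=> run: firewall-cmd --reload"
  else
    echo "Runtime and permanent configuration agree for the default zone."
  fi
fi
```

Run it on the server after the --permanent commands but before --reload: it lists http and https, and the list is empty again after the reload.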
[admin@server ~]$ getenforce
Enforcing
Note! This does not work on the Linux Mint VM!
osboxes@osboxes:~$ getenforce
Command 'getenforce' not found, but can be installed with:
sudo apt install selinux-utils
osboxes@osboxes:~$ sudo aa-status
[sudo] password for osboxes:
apparmor module is loaded.
22 profiles are loaded.
[...]
[admin@server ~]$ cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
On production systems SELinux should always be on! If something breaks, switch to permissive mode temporarily (setenforce 0) to diagnose the problem instead of disabling SELinux.
SELinux tools:
getsebool, setsebool: view and set policy booleans
ls -Z, chcon, restorecon: view, change and restore the security context of files
sepolicy: inspect and generate policy
In most cases, configuring booleans/contexts is sufficient!
ls -lZ   # show the SELinux context of each file
# The default context for every path pattern is defined in /etc/selinux/targeted/contexts/files/file_contexts
sudo restorecon -R /var/www/   # reset the contexts under /var/www/ to the policy defaults
sudo chcon -t httpd_sys_content_t test.php   # set a context by hand (undone by a later restorecon or relabel)
getsebool -a | grep http   # list the booleans that affect httpd
sudo setsebool -P httpd_can_network_connect_db on   # -P makes the change survive a reboot
$ sudo tail -f /var/log/audit/audit.log   # follow the audit log while reproducing the problem
$ sudo grep denied /var/log/audit/audit.log   # show all SELinux denials (AVC messages)
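Grepping for "denied" shows the raw AVC lines; what you actually want to know is which process was denied which permission on which type, and how often. The script below is an added example, not part of the HOGENT slides: it summarises the AVC denials in an audit log and maps the two cases that the slides' fixes address (httpd reaching a database port, httpd reading files still labelled user_home_t) to setsebool and restorecon/chcon. The audit lines are constructed samples, not captured from a real system; the path /var/log/audit/audit.log and the context types are the standard ones on a targeted-policy RHEL-family server, which is assumed.

```shell
#!/bin/sh
# Added example, not part of the HOGENT slides: summarise SELinux AVC denials
# from audit.log and map the common httpd cases to the fixes shown above.

# Constructed sample audit.log lines (not captured from a real system).
# Line 1: httpd connecting to a MySQL port; lines 3-4: httpd reading files
# that still carry the user_home_t context; line 2 is a non-AVC record.
AVC_SAMPLE='type=AVC msg=audit(1700000000.101:201): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1700000000.202:202): avc:  denied  { read } for  pid=1234 comm="httpd" name="test.php" dev="sda1" ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1700000000.203:203): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.php" dev="sda1" ino=4712 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc: read audit lines on stdin, print one line per distinct denial:
#   COUNT comm permission source_type -> target_type tclass
summarize_avc() {
  awk '
    /type=AVC/ && /denied/ {
      perm = ""; comm = ""; stype = ""; ttype = ""; cls = ""
      # the denied permission(s) are printed between braces: "{ read }"
      if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
        else if (kv[1] == "scontext") { split(kv[2], p, ":"); stype = p[3] }
        else if (kv[1] == "tcontext") { split(kv[2], p, ":"); ttype = p[3] }
        else if (kv[1] == "tclass")   { cls = kv[2] }
      }
      print comm, perm, stype, "->", ttype, cls
    }' | sort | uniq -c | sort -rn
}

# suggest_fix TARGET_TYPE TCLASS: the remediation for the denials covered by
# the slides; anything else needs a look at the policy (sepolicy).
suggest_fix() {
  case "$1/$2" in
    mysqld_port_t/tcp_socket)
      echo "setsebool -P httpd_can_network_connect_db on" ;;
    user_home_t/file|user_home_t/dir)
      echo "restorecon -R /var/www/ (or chcon -t httpd_sys_content_t FILE) after moving the files there" ;;
    *)
      echo "no canned fix for $1/$2; inspect the policy with sepolicy" ;;
  esac
}

echo "== denials in the constructed sample =="
printf '%s\n' "$AVC_SAMPLE" | summarize_avc
echo "== suggested fixes =="
suggest_fix mysqld_port_t tcp_socket
suggest_fix user_home_t file

# On a real server, run the same summary over the live log (readable as root only).
if [ -r /var/log/audit/audit.log ]; then
  echo "== denials in /var/log/audit/audit.log =="
  summarize_avc < /var/log/audit/audit.log
fi
```

The summary collapses repeated denials (here the two user_home_t reads become one line with count 2), which is what you want while tail -f is scrolling: a handful of distinct type/class pairs tells you whether a boolean or a relabel is the fix.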