Hailbytes VPN and Firezone Firewall Documentation

Table of Contents

Getting Started

Step-by-step instructions for deploying Hailbytes VPN with the Firezone GUI are provided here.

Administer: Setting up the server instance is covered directly in this section.

User Guides: Helpful documents that teach you how to use Firezone and resolve common issues. Refer to this section once the server has been deployed successfully.

Common Configuration Guides

Split Tunneling: Use the VPN to send traffic only to specific IP ranges.

Whitelist: Set a static IP address for the VPN server so that you can use a whitelist.

Reverse Tunnels: Create tunnels between several peers using reverse tunnels.

Get Support

We are happy to help if you need assistance installing, customizing, or using Hailbytes VPN.

Authentication

Firezone can be configured to require authentication before users can generate or download device configuration files. Users may also be required to re-authenticate periodically to keep their VPN connection active.

Although Firezone's default login method is local email and password, it can also be integrated with any standard OpenID Connect (OIDC) identity provider. Users can then sign in to Firezone using their Okta, Google, Azure AD, or private identity provider credentials.

 

Integrating a Generic OIDC Provider

The configuration settings Firezone needs in order to allow SSO through an OIDC provider are shown in the example below. The configuration file is located at /etc/firezone/firezone.rb. Run firezone-ctl reconfigure and firezone-ctl restart to update the application and apply the changes.

# This is an example using Google and Okta as the SSO identity providers.
# Multiple OIDC configurations can be added to the same Firezone instance.

# Firezone can disable a user's VPN if an error is detected while trying
# to refresh their access_token. This is verified to work for Google, Okta, and
# Azure SSO and is used to automatically disconnect a user's VPN if they are removed
# from the OIDC provider. Leave this disabled if your OIDC provider
# has issues refreshing access tokens, as it could unexpectedly interrupt
# users' VPN sessions.
default['firezone']['authentication']['disable_vpn_on_oidc_error'] = false

default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<GOOGLE_CLIENT_ID>",
    client_secret: "<GOOGLE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  },
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<OKTA_CLIENT_ID>",
    client_secret: "<OKTA_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}



The following config settings are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile or openid email profile offline_access, depending on the provider.
  7. label: The button label text shown on the Firezone login screen.

Pretty URLs

For each OIDC provider, a corresponding pretty URL is created that redirects to the configured provider's sign-in URL. For the example OIDC config above, the URLs are:

  • https://instance-id.yourfirezone.com/auth/oidc/google
  • https://instance-id.yourfirezone.com/auth/oidc/okta
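As an added example that is not part of Firezone's code or of this guide, the Ruby below builds provider entries in the shape shown above from an EXTERNAL_URL and the provider details, derives the pretty login URL for each provider, and checks an entry against the requirements listed (callback path with its trailing slash, response_type code, the openid email profile scopes, an https discovery document, non-blank credentials). It also covers the Okta and Azure discovery-document forms used later on this page. The instance URL, client IDs, secrets, Okta domain and tenant ID are constructed placeholders.

```ruby
# Added example (not Firezone's code): build, link and validate entries of
# default['firezone']['authentication']['oidc']. All URLs, IDs and secrets
# below are constructed placeholders.
require 'uri'

CALLBACK_PATH = '/auth/oidc/%s/callback/' # EXTERNAL_URL + /auth/oidc/<provider>/callback/
BASE_SCOPES   = %w[openid email profile]  # always required; offline_access is provider-dependent

# One provider entry in the form the configuration file expects.
def oidc_provider(key, external_url, discovery_uri, client_id, client_secret, label, offline_access: false)
  scopes = offline_access ? BASE_SCOPES + ['offline_access'] : BASE_SCOPES
  {
    discovery_document_uri: discovery_uri,
    client_id: client_id,
    client_secret: client_secret,
    redirect_uri: external_url.chomp('/') + format(CALLBACK_PATH, key),
    response_type: 'code',
    scope: scopes.join(' '),
    label: label
  }
end

# Okta: /.well-known/openid-configuration appended to the Okta domain.
def okta_discovery_uri(okta_domain)
  "https://#{okta_domain}/.well-known/openid-configuration"
end

# Azure AD v2.0 metadata document for a tenant (tenant id is a placeholder here).
def azure_discovery_uri(tenant_id)
  "https://login.microsoftonline.com/#{tenant_id}/v2.0/.well-known/openid-configuration"
end

# Pretty URL Firezone exposes to start the provider's sign-in flow.
def login_url(external_url, key)
  "#{external_url.chomp('/')}/auth/oidc/#{key}"
end

# Problems with an entry; an empty array means it meets the page's requirements.
def validate_provider(key, entry, external_url)
  problems = []
  expected = external_url.chomp('/') + format(CALLBACK_PATH, key)
  problems << "redirect_uri must be #{expected}" unless entry[:redirect_uri] == expected
  problems << 'redirect_uri must keep the trailing slash' unless entry[:redirect_uri].to_s.end_with?('/')
  problems << "response_type must be 'code'" unless entry[:response_type] == 'code'
  missing = BASE_SCOPES - entry[:scope].to_s.split
  problems << "scope is missing #{missing.join(' ')}" unless missing.empty?
  disc = URI.parse(entry[:discovery_document_uri].to_s) rescue nil
  unless disc && disc.scheme == 'https' && disc.path.to_s.end_with?('/.well-known/openid-configuration')
    problems << 'discovery_document_uri must be an https URL ending in /.well-known/openid-configuration'
  end
  %i[client_id client_secret].each { |k| problems << "#{k} is blank" if entry[k].to_s.strip.empty? }
  problems
end

if __FILE__ == $PROGRAM_NAME
  ext = 'https://instance-id.yourfirezone.com' # placeholder EXTERNAL_URL
  oidc = {
    google: oidc_provider('google', ext, 'https://accounts.google.com/.well-known/openid-configuration',
                          '<GOOGLE_CLIENT_ID>', '<GOOGLE_CLIENT_SECRET>', 'Google'),
    okta: oidc_provider('okta', ext, okta_discovery_uri('dev-000000.okta.com'),
                        '<OKTA_CLIENT_ID>', '<OKTA_CLIENT_SECRET>', 'Okta', offline_access: true)
  }
  oidc.each do |key, entry|
    puts "#{key}: login at #{login_url(ext, key)}; problems: #{validate_provider(key.to_s, entry, ext).inspect}"
  end
end
```

Run it against the values you intend to put in /etc/firezone/firezone.rb before reconfiguring; a mismatched callback path or a missing trailing slash is rejected by the provider at sign-in time, which is harder to diagnose than a printed list of problems.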

Instructions for Setting Up Firezone with Popular Identity Providers

We have documentation for the following providers:

  • Google
  • Okta
  • Azure Active Directory
  • Onelogin
  • Local Authentication

If your identity provider has a generic OIDC connector and is not listed above, please consult its documentation for how to retrieve the required configuration settings.

Maintaining Periodic Authentication

The settings under Settings/Security can be changed to require periodic authentication. This can be used to enforce the requirement that users sign in to Firezone regularly in order to continue their VPN session.

The session length can be configured to be between one hour and ninety days. Setting this to Never enables VPN sessions at all times. This is the default.

Re-authentication

A user must end their VPN session and sign in to the Firezone portal (the URL specified during deployment) in order to re-authenticate an expired VPN session.

You can also re-authenticate your session by following the exact client instructions found here.

VPN Connection Status

The VPN Connection column of the table on the Users page shows a user's connection status. These are the connection statuses:

ENABLED - The connection is enabled.

DISABLED - The connection was disabled by an administrator or by an OIDC refresh failure.

EXPIRED - The connection was disabled because authentication expired or because the user has not signed in for the first time.

Google

Through its generic OIDC connector, Firezone enables Single Sign-On (SSO) with Google Workspace and Cloud Identity. This guide will show you how to obtain the configuration parameters listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile to provide Firezone with the user's email in the returned claims.
  7. label: The button label text shown on the Firezone login screen.

Obtain Config Settings

1. OAuth Config Screen

If this is the first time you are creating a new OAuth client ID, you will be asked to configure the consent screen.

* Select Internal for the user type. This ensures that only user accounts in your Google Workspace organization can create device configs. DO NOT select External unless you want to allow anyone with a valid Google Account to create device configs.

On the App information screen:

  1. App name: Firezone
  2. App logo: Firezone logo (save link as).
  3. Application home page: the URL of your Firezone instance.
  4. Authorized domains: the top-level domain of your Firezone instance.

2. Create OAuth Client IDs

This section is based on Google's own documentation on setting up OAuth 2.0.

Visit the Google Cloud Console Credentials page, click + Create Credentials and select OAuth client ID.

On the OAuth client ID creation screen:

  1. Set Application Type to Web application
  2. Add your Firezone EXTERNAL_URL + /auth/oidc/google/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/google/callback/) as an entry under Authorized redirect URIs.

After creating the OAuth client ID, you will be given a Client ID and Client Secret. These will be used together with the redirect URI in the next step.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below:

# Using Google as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  google: {
    discovery_document_uri: "https://accounts.google.com/.well-known/openid-configuration",
    client_id: "<GOOGLE_CLIENT_ID>",
    client_secret: "<GOOGLE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/google/callback/",
    response_type: "code",
    scope: "openid email profile",
    label: "Google"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Google button at the root Firezone URL.

Okta

Firezone uses its generic OIDC connector to facilitate Single Sign-On (SSO) with Okta. This tutorial will show you how to obtain the configuration parameters listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/okta/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile offline_access to provide Firezone with the user's email in the returned claims.
  7. label: The button label text shown on the Firezone login screen.

Integrate the Okta App

This section of the guide is based on the Okta documentation.

In the Admin Console, go to Applications > Applications and click Create App Integration. Set the Sign-in method to OIDC - OpenID Connect and the Application type to Web Application.

Configure these settings:

  1. App Name: Firezone
  2. App logo: Firezone logo (save link as).
  3. Grant Type: Check the Refresh Token box. This ensures Firezone stays in sync with the identity provider and VPN access is terminated once the user is removed.
  4. Sign-in redirect URIs: Add your Firezone EXTERNAL_URL + /auth/oidc/okta/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/okta/callback/) as an entry under Authorized redirect URIs.
  5. Assignments: Limit to the groups you wish to grant access to your Firezone instance.

Once the settings are saved, you will be given a Client ID, Client Secret, and Okta Domain. These 3 values will be used in Step 2 to configure Firezone.

Integrate Firezone

Edit /etc/firezone/firezone.rb to include the options below. Your discovery_document_uri will be /.well-known/openid-configuration appended to the end of your okta_domain.

# Using Okta as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  okta: {
    discovery_document_uri: "https://<OKTA_DOMAIN>/.well-known/openid-configuration",
    client_id: "<OKTA_CLIENT_ID>",
    client_secret: "<OKTA_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/okta/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Okta"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Okta button at the root Firezone URL.

Restricting Access to Certain Users

The users who can access the Firezone app can be restricted in Okta. Go to the Assignments page of the Firezone App Integration in the Okta Admin Console to do this.

Azure Active Directory

Through its generic OIDC connector, Firezone facilitates Single Sign-On (SSO) with Azure Active Directory. This guide will show you how to obtain the configuration parameters listed below, which are required for the integration:

  1. discovery_document_uri: The OpenID Connect provider configuration URI, which returns a JSON document used to construct subsequent requests to this OIDC provider.
  2. client_id: The client ID of the application.
  3. client_secret: The client secret of the application.
  4. redirect_uri: Instructs the OIDC provider where to redirect after authentication. This should be your Firezone EXTERNAL_URL + /auth/oidc/<provider>/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/azure/callback/).
  5. response_type: Set to code.
  6. scope: OIDC scopes to obtain from your OIDC provider. This should be set to openid email profile offline_access to provide Firezone with the user's email in the returned claims.
  7. label: The button label text shown on the Firezone login screen.

Obtain Config Settings

This guide is adapted from the Azure Active Directory Docs.

Go to the Azure Active Directory page of the Azure portal. Select the Manage menu option, select New Registration, then register by providing the information below:

  1. Name: Firezone
  2. Supported account types: (Default Directory only - Single tenant)
  3. Redirect URI: This should be your Firezone EXTERNAL_URL + /auth/oidc/azure/callback/ (e.g. https://instance-id.yourfirezone.com/auth/oidc/azure/callback/). Make sure you include the trailing slash. This will be the redirect_uri value.

After registering, open the application's detail view and copy the Application (client) ID. This will be the client_id value. Next, open the Endpoints menu to retrieve the OpenID Connect metadata document. This will be the discovery_document_uri value.

Create a new client secret by clicking the Certificates & secrets option under the Manage menu. Copy the client secret; this will be the client_secret value.

Finally, select the API permissions link under the Manage menu, click Add a permission, select Microsoft Graph, and add email, openid, offline_access and profile to the required permissions.

Firezone Integration

Edit /etc/firezone/firezone.rb to include the options below:

# Using Azure Active Directory as the SSO identity provider
default['firezone']['authentication']['oidc'] = {
  azure: {
    discovery_document_uri: "https://login.microsoftonline.com/<TENANT_ID>/v2.0/.well-known/openid-configuration",
    client_id: "<AZURE_CLIENT_ID>",
    client_secret: "<AZURE_CLIENT_SECRET>",
    redirect_uri: "https://instance-id.yourfirezone.com/auth/oidc/azure/callback/",
    response_type: "code",
    scope: "openid email profile offline_access",
    label: "Azure"
  }
}

Run firezone-ctl reconfigure and firezone-ctl restart to update the application. You should now see a Sign in with Azure button at the root Firezone URL.

How To: Restrict Access to Certain Members

Azure AD lets administrators restrict app access to a specific group of users within your company. More information on how to do this can be found in Microsoft's documentation.

Administration

  • Configure
  • Manage Installation
  • Upgrade
  • Troubleshoot
  • Security Considerations
  • Running SQL Queries

Configure

Firezone uses Chef Omnibus to manage tasks including release packaging, process supervision, log management, and more.

The main configuration file is Ruby code, located at /etc/firezone/firezone.rb. Re-run sudo firezone-ctl reconfigure after making changes to this file so that Chef picks up the changes and applies them to the running system.

See the configuration file reference for a full list of configuration variables and their descriptions.

Manage Installation

Your Firezone instance can be managed via the firezone-ctl command, as shown below. Most subcommands require prefixing with sudo.

root@demo:~# firezone-ctl
omnibus-ctl: command (subcommand)
General Commands:
  cleanse
    Delete *all* firezone data, and start from scratch.
  create-or-reset-admin
    Resets the password for the admin with the email specified by default['firezone']['admin_email'] or creates a new admin if that email doesn't exist.
  help
    Print this help message.
  reconfigure
    Reconfigure the application.
  reset-network
    Resets nftables, WireGuard interface, and routing table back to Firezone defaults.
  show-config
    Show the configuration that would be generated by reconfigure.
  teardown-network
    Removes WireGuard interface and firezone nftables table.
  force-cert-renewal
    Force certificate renewal now even if it hasn't expired.
  stop-cert-renewal
    Removes the cronjob that renews certificates.
  uninstall
    Kill all processes and uninstall the process supervisor (data will be preserved).
  version
    Display current version of Firezone
Service Management Commands:
  graceful-kill
    Attempt a graceful stop, then SIGKILL the entire process group.
  hup
    Send the services a HUP.
  int
    Send the services an INT.
  kill
    Send the services a KILL.
  once
    Start the services if they are down. Do not restart them if they stop.
  restart
    Stop the services if they are running, then start them again.
  service-list
    List all the services (enabled services appear with a *.)
  start
    Start services if they are down, and restart them if they stop.
  status
    Show the status of all the services.
  stop
    Stop the services, and do not restart them.
  tail
    Watch the service logs of all enabled services.
  term
    Send the services a TERM.
  usr1
    Send the services a USR1.
  usr2
    Send the services a USR2.

Upgrade

All VPN sessions must be terminated before upgrading Firezone, which also requires shutting down the Web UI. In case something goes wrong during the upgrade, we advise setting aside an hour for maintenance.

To upgrade Firezone, perform the following steps:

  1. Upgrade the firezone package with the one-line install command: sudo -E bash -c "$(curl -fsSL https://github.com/firezone/firezone/raw/master/scripts/install.sh)"
  2. Run firezone-ctl reconfigure to pick up the new changes.
  3. Run firezone-ctl restart to restart the services.

If any issues arise, please let us know by filing a support ticket.

Upgrading from <0.5.0 to >=0.5.0

There are a few breaking changes and configuration changes in 0.5.0 that need to be addressed. Read more below.

Bundled Nginx non_ssl_port (HTTP) requests removed

As of version 0.5.0, the bundled Nginx no longer supports the force SSL and non-SSL port parameters. Because Firezone requires SSL to function, we advise removing the Nginx service by setting default['firezone']['nginx']['enabled'] = false and pointing your reverse proxy at the Phoenix app on port 13000 instead (the default).

ACME Protocol Support

0.5.0 introduces ACME protocol support for automatically renewing SSL certificates with the bundled Nginx service. To enable it,

  • Make sure default['firezone']['external_url'] contains a valid FQDN that resolves to your server's public IP address.
  • Ensure port 80/tcp is reachable
  • Enable ACME protocol support with default['firezone']['ssl']['acme']['enabled'] = true in your configuration file.

Overlapping Egress Rule Destinations

The ability to add rules with duplicate destinations is gone in Firezone 0.5.0. Our migration script will automatically detect these cases during the upgrade to 0.5.0 and keep only the rules whose destination contains the other rule. There is nothing you need to do if this is fine.

Otherwise, before upgrading, we advise changing your rules to eliminate these cases.

Pre-configured Okta and Google SSO

Firezone 0.5.0 removes support for the legacy Okta and Google SSO configuration in favor of the new, more flexible OIDC-based configuration.

If you have any settings under the default['firezone']['authentication']['okta'] or default['firezone']['authentication']['google'] keys, you need to migrate them to our OIDC-based configuration using the guide below.

Existing Google OAuth Configuration

Remove these lines containing the legacy Google OAuth settings from your configuration file located at /etc/firezone/firezone.rb

default['firezone']['authentication']['google']['enabled']
default['firezone']['authentication']['google']['client_id']
default['firezone']['authentication']['google']['client_secret']
default['firezone']['authentication']['google']['redirect_uri']

Then, configure Google as an OIDC provider by following the instructions here.


 

Existing Okta OAuth Configuration

Remove these lines containing the legacy Okta OAuth settings from your configuration file located at /etc/firezone/firezone.rb

default['firezone']['authentication']['okta']['enabled']
default['firezone']['authentication']['okta']['client_id']
default['firezone']['authentication']['okta']['client_secret']
default['firezone']['authentication']['okta']['site']

Then, configure Okta as an OIDC provider by following the instructions here.
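The migration described in the two subsections above, as an added example that is not Firezone's own migration tooling: the Ruby below reads a firezone.rb, collects the legacy google and okta values, strips those lines, and builds the OIDC entries in the form this page uses. The sample configuration text and its client IDs, secrets and Okta site are constructed; the legacy google redirect_uri is only removed, since the OIDC redirect_uri is derived from external_url.

```ruby
# Added example (not Firezone's code): migrate the legacy
# default['firezone']['authentication']['google'|'okta'] keys that 0.5.0
# removed into the OIDC map. The sample firezone.rb text is constructed.
LEGACY_RE = /\Adefault\['firezone'\]\['authentication'\]\['(google|okta)'\]\['(\w+)'\]\s*=\s*(.*)\z/

# Collect legacy values: { 'google' => { 'client_id' => '...' }, 'okta' => { ... } }
def parse_legacy(text)
  text.each_line.with_object({}) do |line, acc|
    m = LEGACY_RE.match(line.strip) or next
    value = m[3].strip.delete_prefix('"').delete_suffix('"').delete_prefix("'").delete_suffix("'")
    (acc[m[1]] ||= {})[m[2]] = value
  end
end

# The configuration text with the legacy lines removed.
def strip_legacy(text)
  text.each_line.reject { |l| LEGACY_RE.match?(l.strip) }.join
end

# Legacy values rewritten as the OIDC entries shown on this page.
def migrate_to_oidc(legacy, external_url)
  base = external_url.chomp('/')
  out = {}
  if (g = legacy['google'])
    out[:google] = {
      discovery_document_uri: 'https://accounts.google.com/.well-known/openid-configuration',
      client_id: g['client_id'], client_secret: g['client_secret'],
      redirect_uri: "#{base}/auth/oidc/google/callback/",
      response_type: 'code', scope: 'openid email profile', label: 'Google'
    }
  end
  if (o = legacy['okta'])
    # discovery document is /.well-known/openid-configuration under the Okta domain
    site = o['site'].to_s.sub(%r{\Ahttps?://}, '').chomp('/')
    out[:okta] = {
      discovery_document_uri: "https://#{site}/.well-known/openid-configuration",
      client_id: o['client_id'], client_secret: o['client_secret'],
      redirect_uri: "#{base}/auth/oidc/okta/callback/",
      response_type: 'code', scope: 'openid email profile offline_access', label: 'Okta'
    }
  end
  out
end

# The attribute line to append to firezone.rb in place of the removed ones.
def render_oidc(oidc)
  "default['firezone']['authentication']['oidc'] = #{oidc.inspect}\n"
end

SAMPLE = <<~RB # constructed legacy configuration
  default['firezone']['external_url'] = "https://instance-id.yourfirezone.com"
  default['firezone']['authentication']['google']['enabled'] = true
  default['firezone']['authentication']['google']['client_id'] = "google-client-id"
  default['firezone']['authentication']['google']['client_secret'] = "google-secret"
  default['firezone']['authentication']['google']['redirect_uri'] = "https://instance-id.yourfirezone.com/legacy-google-callback"
  default['firezone']['authentication']['okta']['enabled'] = true
  default['firezone']['authentication']['okta']['client_id'] = "okta-client-id"
  default['firezone']['authentication']['okta']['client_secret'] = "okta-secret"
  default['firezone']['authentication']['okta']['site'] = "https://dev-000000.okta.com"
RB

if __FILE__ == $PROGRAM_NAME
  legacy = parse_legacy(SAMPLE)
  puts strip_legacy(SAMPLE)
  puts render_oidc(migrate_to_oidc(legacy, 'https://instance-id.yourfirezone.com'))
end
```

Review the printed output before writing it back to /etc/firezone/firezone.rb, then run firezone-ctl reconfigure and firezone-ctl restart as described above.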

Upgrading from 0.3.x to >= 0.3.16

Depending on your current setup and version, follow the instructions below:

If you already have an OIDC integration:

For some OIDC providers, upgrading to >= 0.3.16 requires obtaining a refresh token for the offline access scope. Doing so ensures Firezone stays in sync with the identity provider and that the VPN connection is disabled after a user is deleted. Earlier versions of Firezone lacked this feature. In some cases, users deleted from your identity provider could still be connected to the VPN.

It is necessary to include offline_access in the scope parameter of your OIDC configuration for OIDC providers that support the offline access scope. firezone-ctl reconfigure must be run in order to apply changes to the Firezone configuration file, located at /etc/firezone/firezone.rb.

For users authenticated by your OIDC provider, you will see OIDC Connections on the user details page of the web UI if Firezone is able to retrieve the refresh token successfully.

If this does not work, you will need to delete your existing OAuth app and repeat the OIDC setup steps to create a new app integration.

I have an existing OAuth integration

Prior to 0.3.11, Firezone used pre-configured OAuth2 providers.

Follow the instructions here to migrate to OIDC.

I have not integrated an identity provider

No action is required.

You can follow the instructions here to enable SSO through an OIDC provider.

Upgrading from 0.3.1 to >= 0.3.2

The configuration option default['firezone']['fqdn'] has been replaced by default['firezone']['external_url'].

Set this to the publicly accessible URL of your Firezone web portal. If left undefined, it defaults to https:// plus your server's FQDN.

The configuration file is located at /etc/firezone/firezone.rb. See the configuration file reference for a full list of configuration variables and their descriptions.

Upgrading from 0.2.x to 0.3.x

As of version 0.3.0, Firezone no longer stores device private keys on the Firezone server.

The Firezone Web UI will not let you download or view these configurations, but any existing devices should continue to work as they are.

Upgrading from 0.1.x to 0.2.x

If you are upgrading from Firezone 0.1.x, there are a few configuration file changes that need to be addressed manually.

To make the necessary changes to your /etc/firezone/firezone.rb file, run the commands below as root.

cp /etc/firezone/firezone.rb /etc/firezone/firezone.rb.bak
sed -i "s/\['enable'\]/\['enabled'\]/" /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['enabled'] = true" >> /etc/firezone/firezone.rb
echo "default['firezone']['connectivity_checks']['interval'] = 3_600" >> /etc/firezone/firezone.rb
firezone-ctl reconfigure
firezone-ctl restart

Troubleshoot

Checking the Firezone logs is a wise first step for any issue that may occur.

Run sudo firezone-ctl tail to view the Firezone logs.

Debugging Connectivity Issues

Most connectivity issues with Firezone are caused by incompatible iptables or nftables rules. You must make sure that any rules you have in effect do not conflict with the Firezone rules.

Internet Connectivity Drops when Tunnel is Active

If your Internet connectivity drops every time you activate your WireGuard tunnel, make sure the FORWARD chain permits packets from your WireGuard clients to the destinations you want to allow through Firezone.

If you are using ufw, this can be accomplished by making sure the default routed policy is allow:

ubuntu@fz:~$ sudo ufw default allow routed
Default routed policy changed to 'allow'
(be sure to update your rules accordingly)

A ufw status for a typical Firezone server might look like this:

ubuntu@fz:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
80/tcp                     ALLOW IN    Anywhere
443/tcp                    ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
80/tcp (v6)                ALLOW IN    Anywhere (v6)
443/tcp (v6)               ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

Security Considerations

We recommend limiting access to the web interface for highly sensitive and mission-critical production deployments, as explained below.

Services & Ports

Service    | Default Port | Listen Address | Description
Nginx      | 80, 443      | all            | Public HTTP(S) port for administering Firezone and facilitating authentication.
WireGuard  | 51820        | all            | Public WireGuard port used for VPN sessions. (UDP)
Postgresql | 15432        | 127.0.0.1      | Local-only port used for the bundled Postgresql server.
Phoenix    | 13000        | 127.0.0.1      | Local-only port used by the upstream Elixir app server.

Production deployments

For production and public-facing deployments where a single administrator will be in charge of creating and distributing device configurations to end users, we advise you to consider restricting access to Firezone's publicly exposed web UI (by default ports 443/tcp and 80/tcp) and instead using the WireGuard tunnel to manage Firezone.

For example, if an administrator has created a device configuration and established a tunnel with the local WireGuard address 10.3.2.2, the following ufw configuration would allow the administrator to reach the Firezone web UI on the server's wg-firezone interface using the default 10.3.2.1 tunnel address:

root@demo:~# ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), allow (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
51820/udp                  ALLOW IN    Anywhere
Anywhere                   ALLOW IN    10.3.2.2
22/tcp (v6)                ALLOW IN    Anywhere (v6)
51820/udp (v6)             ALLOW IN    Anywhere (v6)

This leaves only 22/tcp exposed for SSH access to manage the server (optional), and 51820/udp exposed in order to establish WireGuard tunnels.
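As an added check that is not part of this guide or of Firezone, the Ruby below parses `ufw status verbose` output of the kind shown on this page and reports rules that leave the web UI ports (80/tcp, 443/tcp) open to Anywhere, a missing 51820/udp rule, or a default routed policy other than allow (the cause of the connectivity drop described under Troubleshoot). The two sample listings are constructed from the outputs shown above; the admin tunnel address 10.3.2.2 is the page's example value.

```ruby
# Added example (not Firezone's code): audit `ufw status verbose` output for
# a Firezone host. Sample listings are constructed from this page's examples.
WEB_UI_PORTS   = %w[80/tcp 443/tcp]
WIREGUARD_PORT = '51820/udp'

Rule = Struct.new(:to, :action, :from)

# Rule lines look like "22/tcp   ALLOW IN   Anywhere" or "Anywhere   ALLOW IN   10.3.2.2",
# with an optional " (v6)" suffix on either side.
RULE_RE = /\A(\S+(?: \(v6\))?)\s+(ALLOW|DENY|REJECT|LIMIT) (IN|OUT)\s+(\S+(?: \(v6\))?)\s*\z/

# Parse the listing into the default policies line and the rule table.
def parse_ufw_status(text)
  rules = []
  defaults = nil
  text.each_line do |raw|
    line = raw.strip
    if line.start_with?('Default:')
      defaults = line.delete_prefix('Default:').strip
    elsif (m = RULE_RE.match(line))
      rules << Rule.new(m[1], "#{m[2]} #{m[3]}", m[4])
    end
  end
  { defaults: defaults, rules: rules }
end

# Findings a practitioner would want before exposing the host; empty means the
# listing matches the hardened production example.
def findings(status)
  out = []
  status[:rules].each do |r|
    next unless r.action == 'ALLOW IN' && r.from.start_with?('Anywhere')
    port = r.to.sub(' (v6)', '')
    out << "#{r.to} is open to #{r.from}: reach the web UI over the WireGuard tunnel instead" if WEB_UI_PORTS.include?(port)
  end
  unless status[:rules].any? { |r| r.action == 'ALLOW IN' && r.to.start_with?(WIREGUARD_PORT) }
    out << "no ALLOW IN rule for #{WIREGUARD_PORT}: peers cannot bring up tunnels"
  end
  unless status[:defaults].to_s.include?('allow (routed)')
    out << 'default routed policy is not allow: forwarded traffic from WireGuard peers is dropped'
  end
  out
end

# True when the administrator's tunnel address has an ALLOW IN rule to Anywhere.
def admin_tunnel_rule?(status, tunnel_addr)
  status[:rules].any? { |r| r.action == 'ALLOW IN' && r.to == 'Anywhere' && r.from == tunnel_addr }
end

DEFAULT_STATUS = <<~UFW # constructed from the typical-server listing above
  Status: active
  Logging: on (low)
  Default: deny (incoming), allow (outgoing), allow (routed)
  New profiles: skip

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  80/tcp                     ALLOW IN    Anywhere
  443/tcp                    ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  80/tcp (v6)                ALLOW IN    Anywhere (v6)
  443/tcp (v6)               ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
UFW

HARDENED_STATUS = <<~UFW # constructed from the production listing above
  Status: active
  Default: deny (incoming), allow (outgoing), allow (routed)

  To                         Action      From
  --                         ------      ----
  22/tcp                     ALLOW IN    Anywhere
  51820/udp                  ALLOW IN    Anywhere
  Anywhere                   ALLOW IN    10.3.2.2
  22/tcp (v6)                ALLOW IN    Anywhere (v6)
  51820/udp (v6)             ALLOW IN    Anywhere (v6)
UFW

if __FILE__ == $PROGRAM_NAME
  [DEFAULT_STATUS, HARDENED_STATUS].each do |listing|
    status = parse_ufw_status(listing)
    puts "admin tunnel rule present: #{admin_tunnel_rule?(status, '10.3.2.2')}"
    puts(findings(status).empty? ? 'no findings' : findings(status).join("\n"))
  end
end
```

To audit a live host, feed it the real output (for example `ufw status verbose | ruby audit.rb`, with the script reading STDIN instead of the constants); the same parser applies because the rule table format is unchanged.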

Running SQL Queries

Firezone bundles a Postgresql server and a matching psql utility that can be used from the local shell like so:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SQL_STATEMENT"

This can be helpful for debugging purposes.

Common tasks:

  • Listing all users
  • Listing all devices
  • Changing a user's role
  • Backing up the database

Listing all users:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM users;"

Listing all devices:

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "SELECT * FROM devices;"

Changing a user's role:

Set the role to 'admin' or 'unprivileged':

/opt/firezone/embedded/bin/psql \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 \
  -c "UPDATE users SET role = 'admin' WHERE email = 'user@example.com';"

Backing up the database:

Additionally, the pg_dump program is included, which can be used to take regular backups of the database. Run the following to dump a copy of the database in plain SQL format (replace /path/to/backup.sql with the location where the SQL file should be created):

/opt/firezone/embedded/bin/pg_dump \
  -U firezone \
  -d firezone \
  -h localhost \
  -p 15432 > /path/to/backup.sql

User Guides

  • Add Users
  • Add Devices
  • Egress Rules
  • Client Instructions
  • Split Tunnel VPN
  • Reverse Tunnel
  • NAT Gateway

Add Users

After Firezone has been deployed successfully, you must add users to grant them access to your network. The Web UI is used to do this.

Web UI

By selecting the "Add User" button under /users, you can add a user. You will be asked to provide the user with an email address and a password. To grant access to users in your organization automatically, Firezone can also integrate with an identity provider. More details are available under Authentication.

Add Devices

We recommend asking users to generate their own device configurations so that the private key is visible only to them. Users can generate their own device configurations by following the instructions on the Client Instructions page.

Generating device configurations as an admin

All user device configurations can be created by Firezone administrators. On the user profile page located at /users, select the "Add Device" option to do this.

 

[Kenya skrini]

 

U ka romella mosebelisi faele ea tlhophiso ea WireGuard kamora ho theha profaele ea sesebelisoa.

 

Basebelisi le lisebelisoa li hokahane. Bakeng sa lintlha tse ling mabapi le mokhoa oa ho eketsa mosebelisi, bona Kenya Basebelisi.

Egress Rules

Using the kernel's netfilter system, Firezone supports egress filtering to explicitly DROP or ACCEPT packets. By default, all traffic is allowed.

IPv4 and IPv6 CIDRs and single IP addresses are supported in both the Allowlist and the Denylist. When adding a rule you can optionally scope it to a user, which applies the rule to all of that user's devices.

Client Instructions

Install and configure

To establish a VPN connection using the native WireGuard client, follow this guide.

1. Install the native WireGuard client

The official WireGuard clients, available at the links below, are compatible with Firezone:

MacOS

Windows

iOS

Android

Visit the official WireGuard website at https://www.wireguard.com/install/ for operating systems not mentioned above.

2. Download the device configuration file

Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.

Visit the URL provided by your Firezone administrator to generate the device configuration file yourself. Your company will have a unique URL for this; in this example it is https://instance-id.yourfirezone.com.

Sign in to Firezone via Okta SSO

3. Add the client configuration

Import the .conf file into the WireGuard client by opening it. Clicking the Activate button starts the VPN session.

Re-authenticating a session

Follow the instructions below if your network administrator has required periodic re-authentication to keep your VPN connection active.

You need:

The Firezone portal URL: ask your network administrator for the link.

Your network administrator should also provide your login and password. The Firezone site will prompt you to log in using the single sign-on service your employer uses (such as Google or Okta).

1. Disconnect the VPN session

2. Re-authenticate

Go to the Firezone portal URL and log in using the credentials provided by your network administrator. If you are already logged in, click the Re-authenticate button before logging in again.

3. Start the VPN session

Network Manager for Linux

To import the WireGuard configuration profile using the Network Manager CLI (nmcli) on Linux devices, follow these instructions.

NOTE

If the profile has IPv6 support enabled, attempting to import the configuration file using the Network Manager GUI may fail with the following error:

ipv6.method: method "auto" is not supported for WireGuard

1. Install the WireGuard tools

The WireGuard userspace utilities need to be installed. This will be a package called wireguard or wireguard-tools, depending on the Linux distribution.

For Ubuntu/Debian:

sudo apt install wireguard

For Fedora:

sudo dnf install wireguard-tools

Arch Linux:

sudo pacman -S wireguard-tools

Visit the official WireGuard website at https://www.wireguard.com/install/ for distributions not mentioned above.

2. Download the configuration

Either your Firezone administrator or you yourself can generate the device configuration file using the Firezone portal.

Visit the URL provided by your Firezone administrator to generate the device configuration file yourself. Your company will have a unique URL for this; in this example it is https://instance-id.yourfirezone.com.

3. Import the configuration

Import the supplied configuration file using nmcli:

sudo nmcli connection import type wireguard file /path/to/configuration.conf

NOTE

The name of the configuration file will become the name of the WireGuard connection. After importing, the connection can be renamed if required:

nmcli connection modify [old name] connection.id [new name]

Network Manager stores the imported profile, including the private key, under /etc/NetworkManager/system-connections/ with root-only permissions. Leave those permissions in place and delete the downloaded .conf file once it has been imported.

4. Connect or disconnect

From the command line, connect to the VPN as follows:

nmcli connection up [vpn name]

To disconnect:

nmcli connection down [vpn name]

The Network Manager applet can also be used to manage the connection if you are using a GUI.

Auto connect

The VPN connection can be configured to connect automatically by setting the autoconnect option to "yes":

nmcli connection modify [vpn name] connection.autoconnect yes

To disable automatic connection, set it back to "no":

nmcli connection modify [vpn name] connection.autoconnect no

Enable Multi-Factor Authentication

To enable MFA, go to the Firezone portal page /user_account/register_mfa. Use your authenticator app to scan the QR code once it is generated, then enter the six-digit code.

Contact your administrator to reset your account's access details if you lose your authenticator device.

Split Tunnel VPN

This guide walks through setting up Firezone's WireGuard split tunneling so that only traffic to specific IP ranges is routed through the VPN server.

1. Configure the Allowed IPs

The IP ranges for which the client will route traffic through the VPN are set in the Allowed IPs field on the /settings/default page. Only WireGuard configurations newly generated by Firezone are affected by changes to this field.

The default value is 0.0.0.0/0, ::/0, which routes all traffic from the client to the VPN server.

Example values for this field include:

0.0.0.0/0, ::/0 - all traffic will be routed to the VPN server.

192.0.2.3/32 - only traffic to a single IP address will be routed to the VPN server.

3.5.140.0/22 - only traffic to IPs in the 3.5.140.0 - 3.5.143.255 range will be routed to the VPN server. In this example, the CIDR range of the ap-northeast-2 AWS region was used.

NOTE

Firezone selects the egress interface associated with the most specific matching route when deciding where to send a packet.

Split tunneling is enforced by the client's routing table, not by the server: traffic to destinations outside the Allowed IPs never enters the tunnel, so egress rules cannot filter it, and a user can widen or narrow the AllowedIPs line in their local .conf file. Treat the setting as a convenience for users, not as an access control.

2. Regenerate the WireGuard configurations

Users must regenerate their configuration files and add them to their WireGuard client in order to update existing devices with the new tunnel configuration.

For instructions, see Add Devices.
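The following script is an added example (not part of Firezone or its documentation) that shows what the Allowed IPs setting actually does on the client side: it parses a WireGuard client configuration in the shape Firezone generates, then resolves a list of destination addresses against the AllowedIPs entries by longest-prefix match, exactly as the client's routing table will. The two configurations, the peer endpoint vpn.example.com and the redacted keys are constructed for the example.

```ruby
require 'ipaddr'

# Constructed WireGuard client config in the shape Firezone generates (not a
# real deployment): Allowed IPs narrowed to the two ranges discussed above.
SPLIT_CONF = <<~CONF
  [Interface]
  PrivateKey = <redacted>
  Address = 10.3.2.2/32
  DNS = 1.1.1.1, 1.0.0.1

  [Peer]
  PublicKey = <redacted>
  AllowedIPs = 192.0.2.3/32, 3.5.140.0/22
  Endpoint = vpn.example.com:51820   # assumed hostname
  PersistentKeepalive = 25
CONF

# The same config with the Firezone default Allowed IPs (full tunnel).
FULL_CONF = SPLIT_CONF.sub('AllowedIPs = 192.0.2.3/32, 3.5.140.0/22',
                           'AllowedIPs = 0.0.0.0/0, ::/0')

# Collect every AllowedIPs entry from all [Peer] sections of a .conf file.
def parse_allowed_ips(conf_text)
  allowed = []
  section = nil
  conf_text.each_line do |raw|
    line = raw.split('#', 2).first.strip # drop inline comments
    next if line.empty?
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1].downcase
      next
    end
    key, val = line.split('=', 2).map(&:strip)
    next unless section == 'peer' && key.casecmp?('allowedips')
    val.split(',').each { |cidr| allowed << IPAddr.new(cidr.strip) }
  end
  allowed
end

# True when the client sends everything through the VPN (a /0 entry present).
def full_tunnel?(allowed)
  allowed.any? { |net| net.prefix.zero? }
end

# Longest-prefix match, as the client's routing table resolves it: returns
# the AllowedIPs entry carrying the destination, or nil when the packet
# bypasses the tunnel (and so is never seen by the server's egress rules).
def tunnel_route(allowed, dest)
  ip = IPAddr.new(dest)
  allowed.select { |net| net.family == ip.family && net.include?(ip) }
         .max_by(&:prefix)
end

# Map each destination to the matching CIDR string, or nil if it goes direct.
def classify(conf_text, dests)
  allowed = parse_allowed_ips(conf_text)
  dests.each_with_object({}) do |dest, out|
    net = tunnel_route(allowed, dest)
    out[dest] = net && "#{net}/#{net.prefix}"
  end
end

if __FILE__ == $PROGRAM_NAME
  dests = %w[192.0.2.3 3.5.141.9 3.5.144.1 8.8.8.8 2001:db8::1]
  puts "split tunnel: #{classify(SPLIT_CONF, dests)}"
  puts "full tunnel:  #{classify(FULL_CONF, dests)}"
end
```

Run it against a real Firezone-generated .conf by reading the file into classify in place of SPLIT_CONF; a nil result for an address you expected to be protected means the Allowed IPs field needs that range added and the device configuration regenerated.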

Reverse Tunnel

This guide shows how to connect two devices using Firezone as a relay. A typical use case is enabling an administrator to reach a server, container or machine protected by NAT or a firewall.

Node to Node

This diagram shows a simple scenario in which Devices A and B build a tunnel.

Start by creating Device A and Device B from /users/[user_id]/new_device. In the settings for each device, ensure the following parameters are set to the values listed below. You can set device settings when creating the device configuration (see Add Devices). If you need to update the settings of an existing device, you can do so by generating a new device configuration.

Note that all devices have a /settings/defaults page where PersistentKeepalive can be configured.

Device A

AllowedIPs = 10.3.2.2/32

  This is the IP or range of IPs of Device B

PersistentKeepalive = 25

  If the device is behind NAT, this ensures the device is able to keep the tunnel alive and continue to receive packets from the WireGuard interface. Usually a value of 25 is sufficient, but you may need to decrease this value depending on your environment.

Device B

AllowedIPs = 10.3.2.3/32

  This is the IP or range of IPs of Device A

PersistentKeepalive = 25

Admin Use Case - One Node to Many

This example shows a scenario in which Device A can communicate with Devices B through D in both directions. This setup could represent an engineer or administrator accessing many resources (servers, containers or machines) across different networks.

Ensure the following settings are configured in each device's configuration with the values given. When creating a device configuration, you can specify the device settings (see Add Devices). A new device configuration can be generated if an existing device's settings need to be updated.

Device A (Admin Node)

AllowedIPs = 10.3.2.3/32, 10.3.2.4/32, 10.3.2.5/32

    These are the IPs of Devices B through D. The IPs of Devices B through D must be included in whatever IP range you choose to set.

PersistentKeepalive = 25

    This ensures the device can keep the tunnel alive and continue to receive packets from the WireGuard interface even if it is behind NAT. In most cases a value of 25 is sufficient, but depending on your environment you may need to lower this number.

Device B

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A
  • PersistentKeepalive = 25

Device C

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A
  • PersistentKeepalive = 25

Device D

  • AllowedIPs = 10.3.2.2/32: This is the IP or range of IPs of Device A
  • PersistentKeepalive = 25

Both ends must list each other: if only Device A lists Device D, packets from A reach D through the relay but D's replies are not routed back into the tunnel. A missing PersistentKeepalive on a device behind NAT has the same visible effect, because the NAT mapping expires and the relay can no longer reach it.
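An added example (not Firezone code) that turns the one-to-many layout above into a check you can run before handing out device configurations: it generates the per-device AllowedIPs and PersistentKeepalive values for a hub and its spokes, then verifies that every listed peer lists the device back and that keepalive is enabled on each node. The device names and tunnel addresses are those from the example above; the settings hash layout is this script's own.

```ruby
require 'ipaddr'

# Tunnel addresses from the one-to-many example above (A is the admin node).
DEVICES = {
  'A' => '10.3.2.2',
  'B' => '10.3.2.3',
  'C' => '10.3.2.4',
  'D' => '10.3.2.5',
}.freeze

# Build the per-device settings the guide asks for: the hub lists every
# spoke, each spoke lists only the hub, and keepalive is set on both ends.
def hub_and_spoke(devices, hub, keepalive: 25)
  spokes = devices.reject { |name, _| name == hub }
  settings = {
    hub => { 'AllowedIPs' => spokes.values.map { |ip| "#{ip}/32" },
             'PersistentKeepalive' => keepalive },
  }
  spokes.each_key do |name|
    settings[name] = { 'AllowedIPs' => ["#{devices[hub]}/32"],
                       'PersistentKeepalive' => keepalive }
  end
  settings
end

# Name of the device whose tunnel address falls inside cidr, or nil.
def device_for(devices, cidr)
  net = IPAddr.new(cidr)
  pair = devices.find { |_, ip| net.include?(IPAddr.new(ip)) }
  pair && pair.first
end

# One problem string per broken link: a device that lists a peer which does
# not list it back (replies cannot be routed into the tunnel), or a device
# with keepalive off (its NAT mapping expires and the relay loses it).
def tunnel_problems(devices, settings)
  problems = []
  settings.each do |name, cfg|
    if cfg['PersistentKeepalive'].to_i <= 0
      problems << "#{name}: PersistentKeepalive is 0 (disabled)"
    end
    cfg['AllowedIPs'].each do |cidr|
      peer = device_for(devices, cidr)
      if peer.nil?
        problems << "#{name}: #{cidr} matches no known device"
        next
      end
      back = settings.fetch(peer, { 'AllowedIPs' => [] })['AllowedIPs']
      unless back.any? { |c| IPAddr.new(c).include?(IPAddr.new(devices[name])) }
        problems << "#{peer}: does not list #{name} (#{devices[name]}) in AllowedIPs"
      end
    end
  end
  problems
end

if __FILE__ == $PROGRAM_NAME
  good = hub_and_spoke(DEVICES, 'A')
  puts "generated layout: #{tunnel_problems(DEVICES, good).empty? ? 'ok' : 'problems'}"
  # Simulate Device D having been created with the defaults left in place.
  broken = hub_and_spoke(DEVICES, 'A')
  broken['D'] = { 'AllowedIPs' => [], 'PersistentKeepalive' => 0 }
  tunnel_problems(DEVICES, broken).each { |p| puts "problem: #{p}" }
end
```

The broken case in the script is the common mistake: a spoke created with the Firezone defaults (full-tunnel AllowedIPs removed here for the check, PersistentKeepalive 0) silently stops receiving traffic from the relay once its NAT mapping times out.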

NAT Gateway

To provide a single, static egress IP for all of your team's traffic, Firezone can be used as a NAT gateway. Common uses include:

Consulting engagements: ask your client to allowlist a single static IP address instead of each employee's individual IP.

Using a proxy or masking your source IP for security or privacy reasons.

This guide shows a simple example of restricting access to a self-hosted web application to a single allowlisted static IP belonging to a Firezone server. In this example, Firezone and the protected resource are in different VPC regions.

This solution is often used in place of managing an IP allowlist for many end users, which becomes time-consuming as the access list grows.

AWS Example

Our goal is to set up a Firezone server on an EC2 instance to forward VPN traffic to the restricted resource. Here Firezone acts as a network proxy or NAT gateway so that every connected device shares one known public egress IP.

1. Install the Firezone server

In this case, a t2.micro EC2 instance has Firezone installed on it. For information on deploying Firezone, see the Deployment Guide. For AWS, ensure that:

The security group of the Firezone EC2 instance allows outbound traffic to the IP address of the protected resource.

The Firezone instance has an Elastic IP. Traffic forwarded through the Firezone instance to external destinations will carry this as its source IP address. The IP address in question is 52.202.88.54.

2. Restrict access to the protected resource

A self-hosted web application acts as the protected resource in this case. The web application can be reached only by requests coming from the IP address 52.202.88.54. Depending on the resource, it may be necessary to allow inbound traffic on different ports and for different traffic types. This is not covered in this guide.

Tell the third party responsible for the protected resource that traffic from the static IP defined in Step 1 must be allowed (52.202.88.54 in this case).

3. Use the VPN server to route traffic to the protected resource

By default, all user traffic passes through the VPN server and leaves from the static IP configured in Step 1 (52.202.88.54 in this case). However, if split tunneling is enabled, the Allowed IPs must include the protected resource's IP range or the client will send that traffic directly instead of through the tunnel.

Because the resource trusts the source IP alone, every Firezone user whose traffic leaves through the server can reach it. Use a user-scoped egress rule (see Egress Rules) to limit which users may send traffic to the resource's address.

Kenya mongolo oa hau oa sehlooho mona

Ho bontšitsoe ka tlase lethathamo le felletseng la likhetho tsa tlhophiso tse fumanehang ho /etc/firezone/firezone.rb.



kgetho

Tlhaloso

boleng ba kamehla

kamehla['firezone']['external_url']

URL e sebelisitsoeng ho kena sebakeng sa marang-rang sa ketsahalo ena ea Firezone.

“https://#{node['fqdn'] || node['hostname']}"

kamehla['firezone']['config_directory']

Lenane la maemo a holimo bakeng sa tlhophiso ea Firezone.

/etc/firezone'

kamehla['firezone']['install_directory']

Lenane la maemo a holimo ho kenya Firezone ho.

/opt/firezone'

kamehla['firezone']['app_directory']

Lenane la maemo a holimo ho kenya ts'ebeliso ea webo ea Firezone.

“#{node['firezone']['install_directory']}/embedded/service/firezone”

kamehla['firezone']['log_directory']

Lenane la maemo a holimo bakeng sa li-log tsa Firezone.

/var/log/firezone'

kamehla['firezone']['var_directory']

Lenane la maemo a holimo bakeng sa lifaele tsa nako ea ho sebetsa ea Firezone.

/var/opt/firezone'

kamehla['firezone']['user']

Lebitso la basebelisi ba Linux ba se nang monyetla litšebeletso le lifaele tse ngata li tla ba tsa.

firezone'

kamehla['firezone']['group']

Lebitso la sehlopha sa Linux litšebeletso le lifaele tse ngata li tla ba tsa.

firezone'

kamehla['firezone']['admin_email']

Aterese ea lengolo-tsoibila bakeng sa mosebelisi oa pele oa Firezone.

"firezone@localhost"

kamehla['firezone']['max_devices_per_user']

Boholo ba lisebelisoa tseo mosebelisi a ka bang le tsona.

10

kamehla['firezone']['allow_unprivileged_device_management']

E lumella basebelisi bao e seng batsamaisi ho etsa le ho hlakola lisebelisoa.

'NETE

kamehla['firezone']['allow_unprivileged_device_configuration']

E lumella basebelisi bao e seng batsamaisi ho fetola litlhophiso tsa lisebelisoa. Ha e koaletsoe, e thibela basebelisi ba se nang tokelo ho fetola likarolo tsohle tsa lisebelisoa ntle le lebitso le tlhaloso.

'NETE

kamehla['firezone']['egress_interface']

Lebitso la sehokelo moo sephethe-phethe se tla tsoa. Haeba ho se na, ho tla sebelisoa mokhoa oa kamehla oa tsela.

nil

kamehla['firezone']['fips_enabled']

Numella kapa o tima mokhoa oa OpenSSL FIPs.

nil

kamehla['firezone']['regging']['enabled']

Dumella kapa o tima ho rema lifate ho pholletsa le Firezone. Beha leshano ho thibela ho rema lifate ka botlalo.

'NETE

kamehla['enterprise']['name']

Lebitso le sebelisitsoeng ke Chef 'enterprise' cookbook.

firezone'

kamehla['firezone']['install_path']

Kenya tsela e sebelisoang ke Chef 'enterprise' cookbook. E lokela ho hlophisoa ho tšoana le install_directory e ka holimo.

node['firezone']['install_directory']

kamehla['firezone']['sysvinit_id']

Sekhetho se sebelisitsoeng ho /etc/inittab. E tlameha ho ba le tatelano e ikhethang ea litlhaku tse 1-4.

SUP'

default['firezone']['authentication']['local']['enabled']

Numella kapa o tima netefatso ea lengolo-tsoibila / password.

'NETE

default['firezone']['authentication']['auto_create_oidc_users']

Iketsetse basebelisi ho saena ho tsoa ho OIDC lekhetlo la pele. E thibela ho lumella basebelisi ba seng ba ntse ba le teng feela ho kena ka OIDC.

'NETE

default['firezone']['authentication']['disable_vpn_on_oidc_error']

Tlosa VPN ea mosebelisi haeba ho fumanoa phoso ha a leka ho nchafatsa tokene ea bona ea OIDC.

BA BOHATA

default['firezone']['authentication']['oidc']

OpenID Connect config, ka sebopeho sa {"mofani" => [config…]} - Bona Litokomane tsa OpenIDConnect bakeng sa mehlala ea config.

{}

kamehla['firezone']['nginx']['enabled']

Lumella kapa u tima seva sa nginx se bokelletsoeng.

'NETE

kamehla['firezone']['nginx']['ssl_port']

Boema-kepe ba ho mamela ba HTTPS.

443

kamehla['firezone']['nginx']['directory']

Lenane la ho boloka litlhophiso tse amanang le nginx tse amanang le Firezone.

“#{node['firezone']['var_directory']}/nginx/etc”

kamehla['firezone']['nginx']['log_directory']

Lenane la ho boloka lifaele tsa log tse amanang le Firezone.

“#{node['firezone']['log_directory']}/nginx”

kamehla['firezone']['nginx']['log_rotation']['file_maxbytes']

Saese ea faele eo ho eona o ka potolohang lifaele tsa log tsa Nginx.

104857600

kamehla['firezone']['nginx']['log_rotation']['num_to_keep']

Palo ea lifaele tsa log tsa Firezone nginx tseo u lokelang ho li boloka pele u li lahla.

10

kamehla['firezone']['nginx']['log_x_forwarded_for']

Hore na o ka kena Firezone nginx x-fetisetsoa-bakeng sa hlooho.

'NETE

default['firezone']['nginx']['hsts_header']['enabled']

Nolofatsa kapa oa e hlakola HSTS.

'NETE

default['firezone']['nginx']['hsts_header']['include_subdomains']

Numella kapa thibela kenyeletsaSubDomains bakeng sa hlooho ea HSTS.

'NETE

default['firezone']['nginx']['hsts_header']['max_age']

Lilemo tse phahameng bakeng sa hlooho ea HSTS.

31536000

kamehla['firezone']['nginx']['redirect_to_canonical']

Hore na li-URL li tla lebisoa ho li-canonical FQDN tse boletsoeng ka holimo

BA BOHATA

kamehla['firezone']['nginx']['cache']['enabled']

Numella kapa u tima "cache" ea Firezone nginx.

BA BOHATA

kamehla['firezone']['nginx']['cache']['directory']

Directory bakeng sa Firezone nginx cache.

“#{node['firezone']['var_directory']}/nginx/cache”

kamehla['firezone']['nginx']['user']

Mosebelisi oa Firezone nginx.

node['firezone']['user']

kamehla['firezone']['nginx']['group']

Sehlopha sa Firezone nginx.

node['firezone']['group']

kamehla['firezone']['nginx']['dir']

Lenane la tlhophiso ea nginx ea boemo bo holimo.

node['firezone']['nginx']['directory']

kamehla['firezone']['nginx']['log_dir']

Lenane la log ea nginx ea boemo bo holimo.

node['firezone']['nginx']['log_directory']

kamehla['firezone']['nginx']['pid']

Sebaka sa faele ea nginx pid.

“#{node['firezone']['nginx']['directory']}/nginx.pid”

kamehla['firezone']['nginx']['daemon_disable']

Tlosa nginx daemon mode hore re e shebelle.

'NETE

kamehla['firezone']['nginx']['gzip']

Bulela kapa u tima compression ea nginx gzip.

ka '

kamehla['firezone']['nginx']['gzip_static']

Bulela kapa u tima compression ea nginx gzip bakeng sa lifaele tse tsitsitseng.

theoha'

kamehla['firezone']['nginx']['gzip_http_version']

Mofuta oa HTTP o ka sebelisoang ho sebeletsa lifaele tse tsitsitseng.

1.0 '

kamehla['firezone']['nginx']['gzip_comp_level']

boemo ba compression ba nginx gzip.

2 '

kamehla['firezone']['nginx']['gzip_proxied']

E nolofaletsa kapa e tima likarabo tsa likarabo bakeng sa likopo tsa proxied ho latela kopo le karabo.

efe kapa efe'

kamehla['firezone']['nginx']['gzip_vary']

E nolofalletsa kapa e tima ho kenya sehlooho sa karabo sa "Vary: Accept-Encoding".

theoha'

kamehla['firezone']['nginx']['gzip_buffers']

E beha palo le boholo ba li-buffer tse sebelisoang ho hatella karabo. Haeba ho se na, nginx default e sebelisoa.

nil

kamehla['firezone']['nginx']['gzip_types']

Mefuta ea MIME ho nolofalletsa compression ea gzip bakeng sa.

['text/plain', 'text/css','application/x-javascript', 'text/xml', 'application/xml', 'application/rss+xml', 'application/atom+xml', ' text/javascript', 'application/javascript', 'application/json']

kamehla['firezone']['nginx']['gzip_min_length']

Bonyane bolelele ba faele ho nolofalletsa compression ea gzip bakeng sa.

1000

kamehla['firezone']['nginx']['gzip_disable']

Sebapi sa moemeli oa mosebelisi ho thibela khatello ea gzip bakeng sa.

MSIE [1-6]\.'

kamehla['firezone']['nginx']['keepalive']

E bula cache bakeng sa khokahanyo ho li-server tse holimo.

ka '

kamehla['firezone']['nginx']['keepalive_timeout']

Nako e felile ka metsotsoana bakeng sa khokahano ea Keepalive ho li-server tse holimo.

65

default['firezone']['nginx']['worker_processes']

Palo ea lits'ebetso tsa basebetsi ba nginx.

node['cpu'] && node['cpu']['total'] ? node['cpu']['kakaretso'] : 1

default['firezone']['nginx']['worker_connections']

Nomoro e kholo ea likhokahano tsa nako e le 'ngoe tse ka buloang ke ts'ebetso ea basebetsi.

1024

default['firezone']['nginx']['worker_rlimit_nofile']

E fetola moeli ho palo e kholo ea lifaele tse bulehileng bakeng sa lits'ebetso tsa basebetsi. E sebelisa default nginx haeba e le sieo.

nil

kamehla['firezone']['nginx']['multi_accept']

Hore na basebetsi ba lokela ho amohela khokahano e le 'ngoe ka nako kapa makhetlo a mangata.

'NETE

kamehla['firezone']['nginx']['ketsahalo']

E hlalosa mokhoa oa ts'ebetso oa khokahanyo o ka sebelisoang kahare ho liketsahalo tsa nginx.

epoll'

kamehla['firezone']['nginx']['server_tokens']

E nolofalletsa kapa e tima mofuta oa nginx maqepheng a liphoso le karolong ea hlooho ea karabo ea "Server".

nil

default['firezone']['nginx']['server_names_hash_bucket_size']

E beha boholo ba bakete bakeng sa litafole tsa li-server tsa hash.

64

kamehla['firezone']['nginx']['sendfile']

E nolofalletsa kapa e tima ts'ebeliso ea nginx's sendfile().

ka '

kamehla['firezone']['nginx']['access_log_options']

E beha likhetho tsa ho kena ho nginx.

nil

kamehla['firezone']['nginx']['error_log_options']

E beha likhetho tsa log ea liphoso tsa nginx.

nil

kamehla['firezone']['nginx']['disable_access_log']

E tima tlaleho ea phihlello ea nginx.

BA BOHATA

kamehla['firezone']['nginx']['types_hash_max_size']

mefuta ea nginx hash max size.

2048

kamehla['firezone']['nginx']['types_hash_bucket_size']

mefuta ea nginx boholo ba bakete ea hash.

64

kamehla['firezone']['nginx']['proxy_read_timeout']

nginx proxy bala nako e felile. Beha ho nil ho sebelisa nginx kamehla.

nil

kamehla['firezone']['nginx']['client_body_buffer_size']

nginx client buffer size size. Beha ho nil ho sebelisa nginx kamehla.

nil

kamehla['firezone']['nginx']['client_max_body_size']

nginx client boholo ba 'mele.

250m'

kamehla['firezone']['nginx']['default']['modules']

Hlalosa li-module tse ling tsa nginx.

[]

kamehla['firezone']['nginx']['enable_rate_limiting']

Nolofatsa kapa o tima sekhahla sa sekhahla sa nginx.

'NETE

kamehla['firezone']['nginx']['rate_limiting_zone_name']

Lebitso la sebaka se fokotsang sekhahla sa Nginx.

firezone'

kamehla['firezone']['nginx']['rate_limiting_backoff']

Sekhahla sa Nginx se fokotsa ho khutla.

10m'

kamehla['firezone']['nginx']['rate_limit']

Sekhahla sa Nginx.

10r/s'

kamehla['firezone']['nginx']['ipv6']

Lumella nginx ho mamela likopo tsa HTTP tsa IPv6 ho kenyelletsa IPv4.

'NETE

default['firezone']['postgresql']['enabled']

Nolofatsa kapa o tima Postgresql e kopantsoeng. Beha leshano 'me u tlatse likhetho tsa database tse ka tlase ho sebelisa mohlala oa hau oa Postgresql.

'NETE

default['firezone']['postgresql']['username']

Username bakeng sa Postgresql.

node['firezone']['user']

default['firezone']['postgresql']['data_directory']

Lenane la data la Postgresql.

“#{node['firezone']['var_directory']}/postgresql/13.3/data”

default['firezone']['postgresql']['log_directory']

Buka ea Postgresql.

“#{node['firezone']['log_directory']}/postgresql”

default['firezone']['postgresql']['log_rotation']['file_maxbytes']

Postgresql log file boholo ba boholo pele e ka fetoloa.

104857600

kamehla['firezone']['postgresql']['log_rotation']['num_to_keep']

Palo ea lifaele tsa log tsa Postgresql tseo u lokelang ho li boloka.

10

kamehla['firezone']['postgresql']['checkpoint_completion_target']

Sepheo sa ho phethela sebaka sa postgresql.

0.5

kamehla['firezone']['postgresql']['checkpoint_segments']

Palo ea likarolo tsa tlhahlobo ea Postgresql.

3

default['firezone']['postgresql']['checkpoint_timeout']

Postgresql Checkpoint nako e felile.

5min'

kamehla['firezone']['postgresql']['checkpoint_temoso']

Nako ea temoso ea postgresql ka metsotsoana.

30s'

default['firezone']['postgresql']['effective_cache_size']

Postgresql e sebetsang ka boholo ba cache.

128MB

kamehla['firezone']['postgresql']['mamela_aterese']

Postgresql mamela aterese.

127.0.0.1 '

default['firezone']['postgresql']['max_connections']

Likhokahanyo tse ngata tsa Postgresql.

350

default['firezone']['postgresql']['md5_auth_cidr_addresses']

Postgresql CIDRs ho lumella md5 auth.

['127.0.0.1/32', ':1/128']

kamehla['firezone']['postgresql']['port']

Sebaka sa ho mamela sa Postgresql.

15432

kamehla['firezone']['postgresql']['shared_buffers']

Postgresql e arolelanoa ka boholo ba li-buffers.

“#{(node['memory']['total'].to_i / 4) / 1024}MB”

kamehla['firezone']['postgresql']['shmmax']

Postgresql shmmax ka li-byte.

17179869184

kamehla['firezone']['postgresql']['shmall']

Postgresql shmall ka li-byte.

4194304

kamehla['firezone']['postgresql']['work_mem']

Postgresql e sebetsa boholo ba memori.

8MB

kamehla['firezone']['database']['user']

E hlakisa lebitso la mosebelisi Firezone e tla le sebelisa ho hokela DB.

node['firezone']['postgresql']['lebitso la mosebedisi']

kamehla['firezone']['database']['password']

Haeba o sebelisa DB e kantle, e hlalosa password eo Firezone e tla e sebelisa ho hokela DB.

fetola_nna'

kamehla['firezone']['database']['lebitso']

Database eo Firezone e tla e sebelisa. E tla etsoa haeba e le sieo.

firezone'

kamehla['firezone']['database']['host']

Sebaka sa polokelo ea polokelo eo Firezone e tla hokela ho eona.

node['firezone']['postgresql']['mamela_aterese']

kamehla['firezone']['database']['port']

Boema-kepe ba polokelo eo Firezone e tla hokela ho eona.

node['firezone']['postgresql']['port']

kamehla['firezone']['database']['pool']

Boholo ba letamo la polokelo ea data Firezone e tla sebelisa.

[10, Etc.nprocessors].max

kamehla['firezone']['database']['ssl']

Hore na o hokela polokelong ea litaba ka SSL.

BA BOHATA

kamehla['firezone']['database']['ssl_opts']

Hash ea likhetho tseo u ka li romellang ho :ssl_opts khetho ha u hokela ka SSL. Bona Litokomane tsa Ecto.Adapters.Postgres.

{}

kamehla['firezone']['database']['parameters']

Hash ea li-parameter tseo u lokelang ho li romela ho :parameters khetho ha u hokahanya le database. Bona Litokomane tsa Ecto.Adapters.Postgres.

{}

kamehla['firezone']['database']['extensions']

Li-extensions tsa polokelo ea data ho bulela.

{'plpgsql' => nnete, 'pg_trgm' => nnete }

kamehla['firezone']['phoenix']['enabled']

Numella kapa o tima ts'ebeliso ea webo ea Firezone.

'NETE

kamehla['firezone']['phoenix']['mamela_aterese']

Sebaka sa marang-rang sa Firezone ho mamela aterese. Ena e tla ba aterese ea ho mamela e holimo eo li-proxies tsa nginx.

127.0.0.1 '

kamehla['firezone']['phoenix']['port']

Firezone web application listen port. Ena e tla ba boema-kepe bo ka holimo boo nginx proxies.

13000

kamehla['firezone']['phoenix']['log_directory']

Lenane la tlaleho ea kopo ea webo ea Firezone.

“#{node['firezone']['log_directory']}/phoenix”

default['firezone']['phoenix']['log_rotation']['file_maxbytes']

Boholo ba faele ea polokelo ea kopo ea webo ea Firezone.

104857600

kamehla['firezone']['phoenix']['log_rotation']['num_to_keep']

Palo ea lifaele tsa marang-rang tsa Firezone tse lokelang ho bolokoa.

10

kamehla['firezone']['phoenix']['crash_detection']['enabled']

Dumella kapa o thibele ho theola sesebediswa sa webo sa Firezone ha ho lemohuwa kotsi.

'NETE

kamehla['firezone']['phoenix']['external_trusted_proxies']

Lethathamo la li-proxies tse tšeptjoang tse hlophisitsoeng e le Array of IPs le/kapa li-CIDR.

[]

kamehla['firezone']['phoenix']['private_clients']

Lethathamo la bareki ba marang-rang ba HTTP, ba hlophisitsoeng ka mefuta e mengata ea li-IP le/kapa li-CIDR.

[]

kamehla['firezone']['wireguard']['enabled']

Numella kapa o tima taolo ea WireGuard e kopaneng.

'NETE

kamehla['firezone']['wireguard']['log_directory']

Lenane la li-log bakeng sa taolo e kopaneng ea WireGuard.

“#{node['firezone']['log_directory']}/wireguard”

kamehla['firezone']['wireguard']['log_rotation']['file_maxbytes']

WireGuard log file boholo ba boholo.

104857600

kamehla['firezone']['wireguard']['log_rotation']['num_to_keep']

Palo ea lifaele tsa log tsa WireGuard tse lokelang ho bolokoa.

10

kamehla['firezone']['wireguard']['interface_name']

Lebitso la sebopeho sa WireGuard. Ho fetola paramente ena ho ka baka tahlehelo ea nakoana khokahanong ea VPN.

wg-firezone'

kamehla['firezone']['wireguard']['port']

WireGuard mamela koung.

51820

kamehla['firezone']['wireguard']['mtu']

WireGuard interface MTU bakeng sa seva sena le bakeng sa litlhophiso tsa lisebelisoa.

1280

kamehla['firezone']['wireguard']['endpoint']

WireGuard Endpoint e ka sebelisoang ho etsa litlhophiso tsa sesebelisoa. Haeba ho se na, e ea ho aterese ea IP ea sechaba.

nil

kamehla['firezone']['wireguard']['dns']

WireGuard DNS eo u ka e sebelisang bakeng sa tlhophiso ea lisebelisoa tse hlahisitsoeng.

1.1.1.1, 1.0.0.1′

kamehla['firezone']['wireguard']['allowed_ips']

WireGuard AllowedIPs ho sebelisoa bakeng sa tlhophiso ea lisebelisoa tse hlahisitsoeng.

0.0.0.0/0, ::/0′

kamehla['firezone']['wireguard']['persistent_keepalive']

Litlhophiso tsa kamehla tsa PersistentKeepalive bakeng sa litlhophiso tsa lisebelisoa tse hlahisitsoeng. Boleng ba 0 bo tima.

0

default['firezone']['wireguard']['ipv4']['enabled']

Numella kapa o tima IPv4 bakeng sa marang-rang a WireGuard.

'NETE

kamehla['firezone']['wireguard']['ipv4']['masquerade']

Lumella kapa u tima masquerade bakeng sa lipakete tse tlohang kotopong ea IPv4.

'NETE

kamehla['firezone']['wireguard']['ipv4']['network']

Letamo la aterese la WireGuard la IPv4.

10.3.2.0/24 '

kamehla['firezone']['wireguard']['ipv4']['aterese']

WireGuard interface IPv4 aterese. E tlameha ho ba ka har'a letamo la liaterese la WireGuard.

10.3.2.1 '

default['firezone']['wireguard']['ipv6']['enabled']

Numella kapa o tima IPv6 bakeng sa marang-rang a WireGuard.

'NETE

kamehla['firezone']['wireguard']['ipv6']['masquerade']

Lumella kapa u tima masquerade bakeng sa lipakete tse tlohang kotopong ea IPv6.

'NETE

kamehla['firezone']['wireguard']['ipv6']['network']

Letamo la aterese la WireGuard la IPv6.

fd00::3:2:0/120′

kamehla['firezone']['wireguard']['ipv6']['aterese']

WireGuard interface IPv6 aterese. E tlameha ho ba ka har'a letamo la liaterese tsa IPv6.

fd00::3:2:1′

default['firezone']['runit']['svlogd_bin']
  Runit svlogd binary location.
  Default: "#{node['firezone']['install_directory']}/embedded/bin/svlogd"

default['firezone']['ssl']['directory']
  SSL directory for storing generated certificates.
  Default: '/var/opt/firezone/ssl'

default['firezone']['ssl']['email_address']
  Email address to use for self-signed certificates and ACME protocol renewal notices.
  Default: 'you@example.com'

default['firezone']['ssl']['acme']['enabled']
  Enable ACME for automatic SSL certificate provisioning. Disable this to prevent Nginx from listening on port 80. See here for more instructions.
  Default: false

default['firezone']['ssl']['acme']['server']
  ACME server to use for certificate issuance and renewal. Can be any valid acme.sh server.
  Default: letsencrypt

default['firezone']['ssl']['acme']['keylength']
  Key type and length for the SSL certificate. See here.
  Default: ec-256

default['firezone']['ssl']['certificate']
  Path to the certificate file for your FQDN. Overrides the ACME setting above if specified. If both ACME and this are nil, a self-signed certificate will be generated; browsers will then warn on every visit to the web portal, and the certificate must be distributed to clients out of band if they are to verify it.
  Default: nil

default['firezone']['ssl']['certificate_key']
  Path to the private key file belonging to the certificate above.
  Default: nil

default['firezone']['ssl']['ssl_dhparam']
  nginx ssl_dhparam file (Diffie-Hellman parameters for the DHE cipher suites).
  Default: nil

default['firezone']['ssl']['country_name']
  Country name for the self-signed certificate.
  Default: 'US'

default['firezone']['ssl']['state_name']
  State name for the self-signed certificate.
  Default: 'CA'

default['firezone']['ssl']['locality_name']
  Locality name for the self-signed certificate.
  Default: 'San Francisco'

default['firezone']['ssl']['company_name']
  Company name for the self-signed certificate.
  Default: 'My Company'

default['firezone']['ssl']['organizational_unit_name']
  Organizational unit name for the self-signed certificate.
  Default: 'Operations'

default['firezone']['ssl']['ciphers']
  SSL ciphers for nginx to use. The default list keeps legacy CBC and 3DES (DES-CBC3-SHA) suites for compatibility with old clients; when protocols are restricted to TLSv1.2, the AEAD (GCM) suites at the head of the list are sufficient.
  Default: 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'

default['firezone']['ssl']['fips_ciphers']
  SSL ciphers for FIPS mode.
  Default: 'FIPS@STRENGTH:!aNULL:!eNULL'

default['firezone']['ssl']['protocols']
  TLS protocols to use. The default still admits TLSv1 and TLSv1.1, both deprecated by RFC 8996; unless legacy clients require them, restrict this to 'TLSv1.2' (adding 'TLSv1.3' where the bundled nginx supports it).
  Default: 'TLSv1 TLSv1.1 TLSv1.2'

default['firezone']['ssl']['session_cache']
  SSL session cache.
  Default: 'shared:SSL:4m'

default['firezone']['ssl']['session_timeout']
  SSL session timeout.
  Default: '5m'

default['firezone']['robots_allow']
  nginx robots.txt Allow directive.
  Default: '/'

default['firezone']['robots_disallow']
  nginx robots.txt Disallow directive.
  Default: nil

default['firezone']['outbound_email']['from']
  Outbound email From address.
  Default: nil

default['firezone']['outbound_email']['provider']
  Outbound email service provider.
  Default: nil

default['firezone']['outbound_email']['configs']
  Outbound email provider configurations.
  Default: see omnibus/cookbooks/firezone/attributes/default.rb

default['firezone']['telemetry']['enabled']
  Enable or disable anonymized product telemetry.
  Default: true

default['firezone']['connectivity_checks']['enabled']
  Enable or disable the Firezone connectivity check service.
  Default: true

default['firezone']['connectivity_checks']['interval']
  Interval between connectivity checks, in seconds.
  Default: 3_600
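As an added example (not Firezone's own code and not part of this documentation), the following Python script parses the attribute syntax used throughout the table above from a constructed /etc/firezone/firezone.rb fragment and flags the settings in this table that weaken a deployment: deprecated TLS versions in ssl.protocols, ACME disabled with no certificate path (which yields a self-signed certificate), telemetry left enabled, and a full-tunnel AllowedIPs. The key name default['firezone']['wireguard']['allowed_ips'] is assumed from the AllowedIPs entry above, and the hardened fragment lists TLSv1.3, which requires the bundled nginx to be built against OpenSSL 1.1.1 or newer.

```python
"""Lint a Firezone omnibus configuration file for weak settings.

Added example, not part of Firezone. It understands the Chef-style
attribute lines documented in the reference table:
    default['firezone']['ssl']['protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
The sample files below are constructed for illustration.
"""
import re
from typing import Dict, List, Union

Value = Union[str, bool, int, None]

# One attribute assignment; group 1 is the bracketed key path, group 2 the value.
_ATTR = re.compile(r"""^\s*default((?:\[['"][^'"]+['"]\])+)\s*=\s*(.+?)\s*$""")
_KEY = re.compile(r"""\[['"]([^'"]+)['"]\]""")

# Constructed sample: the table's defaults, as an operator might leave them.
SAMPLE_FIREZONE_RB = """
default['firezone']['ssl']['protocols'] = 'TLSv1 TLSv1.1 TLSv1.2'
default['firezone']['ssl']['acme']['enabled'] = false
default['firezone']['ssl']['certificate'] = nil
default['firezone']['telemetry']['enabled'] = true
default['firezone']['wireguard']['allowed_ips'] = '0.0.0.0/0, ::/0'   # assumed key name
default['firezone']['connectivity_checks']['interval'] = 3_600
# default['firezone']['ssl']['protocols'] = 'TLSv1.2'   # commented out, must be ignored
"""

# Constructed sample: the same keys with hardened values.
HARDENED_FIREZONE_RB = """
default['firezone']['ssl']['protocols'] = 'TLSv1.2 TLSv1.3'
default['firezone']['ssl']['acme']['enabled'] = true
default['firezone']['telemetry']['enabled'] = false
default['firezone']['wireguard']['allowed_ips'] = '10.3.2.0/24'
"""


def _parse_value(raw: str) -> Value:
    """Convert a Ruby literal (nil, true/false, integer, quoted string) to Python."""
    raw = raw.split(' #', 1)[0].strip()          # drop a trailing comment
    if raw == 'nil':
        return None
    if raw in ('true', 'false'):
        return raw == 'true'
    if re.fullmatch(r"\d[\d_]*", raw):            # Ruby allows 3_600
        return int(raw.replace('_', ''))
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw


def parse_firezone_rb(text: str) -> Dict[str, Value]:
    """Map dotted key paths ('firezone.ssl.protocols') to parsed values.

    Lines that do not start with `default[` (comments, blanks) are skipped."""
    settings: Dict[str, Value] = {}
    for line in text.splitlines():
        m = _ATTR.match(line)
        if m:
            settings['.'.join(_KEY.findall(m.group(1)))] = _parse_value(m.group(2))
    return settings


def lint(settings: Dict[str, Value]) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    protocols = str(settings.get('firezone.ssl.protocols', '')).split()
    weak = [p for p in protocols if p in ('TLSv1', 'TLSv1.1')]
    if weak:
        findings.append(f"ssl.protocols enables deprecated {', '.join(weak)}; use 'TLSv1.2' or newer")
    if (settings.get('firezone.ssl.acme.enabled') is False
            and settings.get('firezone.ssl.certificate') is None):
        findings.append('ACME disabled and no certificate path set: nginx will use a self-signed certificate')
    if settings.get('firezone.telemetry.enabled', True):   # enabled when absent (the default)
        findings.append('telemetry.enabled is not false: product telemetry is sent')
    allowed = str(settings.get('firezone.wireguard.allowed_ips', ''))
    if '0.0.0.0/0' in allowed or '::/0' in allowed:
        findings.append('wireguard.allowed_ips is a full tunnel: all client traffic transits the VPN')
    return findings


if __name__ == '__main__':
    for name, text in (('sample', SAMPLE_FIREZONE_RB), ('hardened', HARDENED_FIREZONE_RB)):
        print(name, lint(parse_firezone_rb(text)) or ['no findings'])
```

Run it against the real file with `lint(parse_firezone_rb(open('/etc/firezone/firezone.rb').read()))`; after changing any value, `sudo firezone-ctl reconfigure` is still needed for nginx to pick it up.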



________________________________________________________________

 

File and Directory Locations

Here you will find a list of files and directories related to a typical Firezone installation. These may change depending on changes to your configuration file.

Path                                                  Description

/var/opt/firezone                                     Top-level directory containing data and generated configuration for Firezone bundled services.

/opt/firezone                                         Top-level directory containing built libraries, binaries and runtime files needed by Firezone.

/usr/bin/firezone-ctl                                 firezone-ctl utility for managing your Firezone installation.

/etc/systemd/system/firezone-runsvdir-start.service   systemd unit file for starting the Firezone runsvdir supervisor process.

/etc/firezone                                         Firezone configuration files.



__________________________________________________________

 

Firewall Templates

 

This page had no content.

 

_____________________________________________________________

 

Nftables Firewall Template

 

The following nftables firewall template can be used to secure the server running Firezone. The template makes some assumptions; you may need to adjust the rules to suit your use case:

  • The WireGuard interface is named wg-firezone. If this is not correct, change the DEV_WIREGUARD variable to match the default['firezone']['wireguard']['interface_name'] option.
  • The WireGuard listening port is 51820. If you are not using the default port, change the WIREGUARD_PORT variable.
  • Only the following traffic will be allowed in to the server:
    • SSH (TCP port 22)
    • HTTP (TCP port 80)
    • HTTPS (TCP port 443)
    • WireGuard (UDP port WIREGUARD_PORT)
    • UDP traceroute (UDP ports 33434-33524, rate limited to 500/second)
    • ICMP and ICMPv6 (ping/ping responses rate limited to 2000/second)
  • Only the following traffic will be allowed out of the server:
    • DNS (UDP and TCP port 53)
    • HTTP (TCP port 80)
    • NTP (UDP port 123)
    • HTTPS (TCP port 443)
    • SMTP submission (TCP port 587)
    • UDP traceroute (UDP ports 33434-33524, rate limited to 500/second)
  • Unmatched traffic will be dropped. The rules used for logging are separate from the rules that drop traffic and are rate limited. Removing the relevant logging rules will not affect which traffic is dropped.

Firezone Managed Rules

Firezone sets up its own nftables rules to permit/deny traffic to destinations configured in the web interface and to handle outbound NAT for client traffic.

Applying the firewall template below on an already-running server (rather than at boot time) will clear the Firezone rules, because the template begins with flush ruleset. This may have security implications: until the rules are recreated, the per-destination allow/deny rules from the web interface are not enforced.

To work around this, restart the phoenix service so that Firezone re-creates its rules:

firezone-ctl restart phoenix

Base Firewall Template

#!/usr/sbin/nft -f

## Clear/flush all existing rules
flush ruleset

################################ VARIABLES ##################################
## Internet/WAN interface name
define DEV_WAN = eth0

## WireGuard interface name
define DEV_WIREGUARD = wg-firezone

## WireGuard listen port
define WIREGUARD_PORT = 51820
############################## VARIABLES END ################################

# Main inet family filtering table
table inet filter {

  # Rules for forwarded traffic
  # This chain is processed before the Firezone forward chain
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }

  # Rules for input traffic
  chain input {
    type filter hook input priority filter; policy drop

    ## Allow inbound traffic to the loopback interface
    iif lo \
      accept \
      comment "Permit all traffic in from loopback interface"

    ## Permit established and related connections
    ct state established,related \
      accept \
      comment "Permit established/related connections"

    ## Allow inbound WireGuard traffic
    iif $DEV_WAN udp dport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit inbound WireGuard traffic"

    ## Log and drop new TCP packets without the SYN flag
    tcp flags != syn ct state new \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - New !SYN: " \
      comment "Rate limit logging for new connections that do not have the SYN TCP flag set"
    tcp flags != syn ct state new \
      counter \
      drop \
      comment "Drop new connections that do not have the SYN TCP flag set"

    ## Log and drop TCP packets with an invalid fin/syn flag set
    tcp flags & (fin|syn) == (fin|syn) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP FIN|SYN: " \
      comment "Rate limit logging for TCP packets with invalid fin/syn flag set"
    tcp flags & (fin|syn) == (fin|syn) \
      counter \
      drop \
      comment "Drop TCP packets with invalid fin/syn flag set"

    ## Log and drop TCP packets with an invalid syn/rst flag set
    tcp flags & (syn|rst) == (syn|rst) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - TCP SYN|RST: " \
      comment "Rate limit logging for TCP packets with invalid syn/rst flag set"
    tcp flags & (syn|rst) == (syn|rst) \
      counter \
      drop \
      comment "Drop TCP packets with invalid syn/rst flag set"

    ## Log and drop packets with invalid TCP flags (no flags at all)
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN: " \
      comment "Rate limit logging for TCP packets with invalid flags (fin|syn|rst|psh|ack|urg) < (fin)"
    tcp flags & (fin|syn|rst|psh|ack|urg) < (fin) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) < (fin)"

    ## Log and drop packets with invalid TCP flags (Xmas-style fin|psh|urg)
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      limit rate 100/minute burst 150 packets \
      log prefix "IN - FIN|PSH|URG: " \
      comment "Rate limit logging for TCP packets with invalid flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"
    tcp flags & (fin|syn|rst|psh|ack|urg) == (fin|psh|urg) \
      counter \
      drop \
      comment "Drop TCP packets with flags (fin|syn|rst|psh|ack|urg) == (fin|psh|urg)"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "IN - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Permit IPv4 ping/ping responses but rate limit to 2000 PPS
    ip protocol icmp icmp type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Permit inbound IPv4 echo (ping) limited to 2000 PPS"

    ## Permit all other inbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Permit all other IPv4 ICMP"

    ## Permit IPv6 ping/ping responses but rate limit to 2000 PPS
    icmpv6 type { echo-reply, echo-request } \
      limit rate 2000/second \
      counter \
      accept \
      comment "Permit inbound IPv6 echo (ping) limited to 2000 PPS"

    ## Permit all other inbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Permit all other IPv6 ICMP"

    ## Permit inbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Permit inbound UDP traceroute limited to 500 PPS"

    ## Permit inbound SSH
    tcp dport ssh ct state new \
      counter \
      accept \
      comment "Permit inbound SSH connections"

    ## Permit inbound HTTP and HTTPS
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Permit inbound HTTP and HTTPS connections"

    ## Log any unmatched traffic, but rate limit logging to a maximum of 60 messages/minute
    ## The default policy (drop) will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "IN - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

  # Rules for output traffic
  chain output {
    type filter hook output priority filter; policy drop

    ## Allow outbound traffic to the loopback interface
    oif lo \
      accept \
      comment "Permit all traffic out to loopback interface"

    ## Permit established and related connections
    ct state established,related \
      counter \
      accept \
      comment "Permit established/related connections"

    ## Permit outbound WireGuard traffic before dropping connections with invalid state
    oif $DEV_WAN udp sport $WIREGUARD_PORT \
      counter \
      accept \
      comment "Permit WireGuard traffic out"

    ## Drop traffic with an invalid connection state
    ct state invalid \
      limit rate 100/minute burst 150 packets \
      log flags all prefix "OUT - Invalid: " \
      comment "Rate limit logging for traffic with invalid connection state"
    ct state invalid \
      counter \
      drop \
      comment "Drop traffic with invalid connection state"

    ## Permit all outbound IPv4 ICMP
    ip protocol icmp \
      counter \
      accept \
      comment "Permit all IPv4 ICMP types"

    ## Permit all outbound IPv6 ICMP
    meta l4proto { icmpv6 } \
      counter \
      accept \
      comment "Permit all IPv6 ICMP types"

    ## Permit outbound traceroute UDP ports but limit to 500 PPS
    udp dport 33434-33524 \
      limit rate 500/second \
      counter \
      accept \
      comment "Permit outbound UDP traceroute limited to 500 PPS"

    ## Permit outbound HTTP and HTTPS connections
    tcp dport { http, https } ct state new \
      counter \
      accept \
      comment "Permit outbound HTTP and HTTPS connections"

    ## Permit outbound SMTP submission
    tcp dport submission ct state new \
      counter \
      accept \
      comment "Permit outbound SMTP submission"

    ## Permit outbound DNS requests
    udp dport 53 \
      counter \
      accept \
      comment "Permit outbound UDP DNS requests"
    tcp dport 53 \
      counter \
      accept \
      comment "Permit outbound TCP DNS requests"

    ## Permit outbound NTP requests
    udp dport 123 \
      counter \
      accept \
      comment "Permit outbound NTP requests"

    ## Log any unmatched traffic, but rate limit logging to a maximum of 60 messages/minute
    ## The default policy (drop) will be applied to unmatched traffic
    limit rate 60/minute burst 100 packets \
      log prefix "OUT - Drop: " \
      comment "Log any unmatched traffic"

    ## Count the unmatched traffic
    counter \
      comment "Count any unmatched traffic"
  }

}

# Main NAT table
table inet nat {

  # Rules for NAT traffic pre-routing
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept
  }

  # Rules for NAT traffic post-routing
  # This chain is processed before the Firezone post-routing chain
  chain postrouting {
    type nat hook postrouting priority srcnat - 5; policy accept
  }

}

Usage

The firewall should be saved in the relevant location for the Linux distribution being run. For Debian/Ubuntu this is /etc/nftables.conf and for RHEL this is /etc/sysconfig/nftables.conf.

nftables.service will need to be configured to start on boot (if it is not already):

systemctl enable nftables.service

If making any changes to the firewall template, the syntax can be validated by running the check command, which parses the file without loading it:

nft -f /path/to/nftables.conf -c

Make sure to verify that the firewall operates as expected, as certain nftables features may not be available depending on the kernel and nftables release running on the server. A successful syntax check does not prove that a rule is enforced.
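The two assumptions listed at the top of this template (interface name and port) and the flush ruleset caveat under Firezone Managed Rules are easy to get wrong when copying the file between servers. As an added example (not Firezone's code and not part of the template), the following Python script checks a template against the values Firezone is configured with before `nft -c` is run: that DEV_WIREGUARD and WIREGUARD_PORT match, that the input chain accepts the WireGuard port, that the forward and postrouting chains keep the `- 5` priorities that place them ahead of Firezone's own chains, and that a flush ruleset is present so the operator remembers to restart phoenix. The interface name and port passed in are constructed values standing for default['firezone']['wireguard']['interface_name'] and an assumed default['firezone']['wireguard']['port'] key from /etc/firezone/firezone.rb; the embedded template is a trimmed copy containing only the parts the checks inspect.

```python
"""Pre-flight checks for the Firezone nftables template.

Added example, not part of Firezone or of the template. Run it before
`nft -f /etc/nftables.conf -c` so that the template agrees with the
WireGuard settings Firezone actually uses.
"""
import re
from typing import Dict, List

# `define NAME = value` lines in the VARIABLES block of the template.
_DEFINE = re.compile(r"^\s*define\s+(\w+)\s*=\s*(\S+)")

# Constructed, trimmed copy of the template: only what the checks look at.
TEMPLATE = """#!/usr/sbin/nft -f
flush ruleset
define DEV_WAN = eth0
define DEV_WIREGUARD = wg-firezone
define WIREGUARD_PORT = 51820
table inet filter {
  chain forward {
    type filter hook forward priority filter - 5; policy accept
  }
  chain input {
    type filter hook input priority filter; policy drop
    iif $DEV_WAN udp dport $WIREGUARD_PORT counter accept
  }
}
table inet nat {
  chain postrouting {
    type nat hook postrouting priority srcnat - 5; policy accept
  }
}
"""


def parse_nft_defines(template: str) -> Dict[str, str]:
    """Collect the template's `define` variables as a name -> value map."""
    defines: Dict[str, str] = {}
    for line in template.splitlines():
        m = _DEFINE.match(line)
        if m:
            defines[m.group(1)] = m.group(2)
    return defines


def check_template(template: str, interface_name: str, port: int) -> List[str]:
    """Return every mismatch or caveat found; an empty list means the template
    can go to `nft -c`. interface_name/port come from firezone.rb."""
    defines = parse_nft_defines(template)
    problems: List[str] = []
    if defines.get('DEV_WIREGUARD') != interface_name:
        problems.append(f"DEV_WIREGUARD is {defines.get('DEV_WIREGUARD')!r} but Firezone interface_name is {interface_name!r}")
    if defines.get('WIREGUARD_PORT') != str(port):
        problems.append(f"WIREGUARD_PORT is {defines.get('WIREGUARD_PORT')!r} but Firezone port is {port}")
    if not re.search(r"udp\s+dport\s+\$WIREGUARD_PORT\b", template):
        problems.append("no input rule accepts udp dport $WIREGUARD_PORT: clients cannot connect")
    # Firezone installs its own forward and postrouting chains at the default
    # hook priorities, so the template's chains must run earlier (priority - 5).
    if not re.search(r"hook forward priority filter - 5", template):
        problems.append("forward chain is not at 'filter - 5' and would run after Firezone's forward chain")
    if not re.search(r"hook postrouting priority srcnat - 5", template):
        problems.append("postrouting chain is not at 'srcnat - 5' and would run after Firezone's postrouting chain")
    if re.search(r"^\s*flush\s+ruleset\b", template, re.MULTILINE):
        problems.append("'flush ruleset' also removes Firezone's chains: run 'firezone-ctl restart phoenix' after loading on a live server")
    return problems


if __name__ == '__main__':
    # Constructed values standing for the firezone.rb settings.
    for problem in check_template(TEMPLATE, 'wg-firezone', 51820):
        print('-', problem)
```

On a live server, replace TEMPLATE with the contents of /etc/nftables.conf (or the RHEL path) and the two constructed values with the ones read from firezone.rb; the flush ruleset line is always reported, since the template relies on it and the phoenix restart is the documented remedy.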



_______________________________________________________________



Telemetry

 

This document presents an overview of the telemetry Firezone collects from your self-hosted instance and how to disable it.

Why Firezone collects telemetry

Firezone relies on telemetry to prioritize its roadmap and to optimize the engineering resources available for making Firezone better for everyone.

The telemetry we collect is intended to answer the following questions:

  • How many people install, use, and stop using Firezone?
  • Which features are most valuable, and which ones see no use?
  • What functionality needs the most improvement?
  • When something breaks, why did it break, and how can we prevent it from happening in the future?

How telemetry is collected

There are three main places where telemetry is collected in Firezone:

  1. Package telemetry. Includes events such as install, uninstall, and upgrade.
  2. CLI telemetry from firezone-ctl commands.
  3. Product telemetry associated with the web portal.

In each of these three contexts, we collect the minimum amount of data necessary to answer the questions in the section above.

Admin emails are collected only if you explicitly opt in to product updates. Otherwise, personally identifiable information is never collected.

Firezone stores telemetry on a self-hosted PostHog instance running in a private Kubernetes cluster, accessible only to the Firezone team. Here is an example of a telemetry event sent from your instance of Firezone to our telemetry server. Note that while it contains no user data, it does carry the instance's fqdn and its public IP ($ip, from which the $geoip_* fields are derived on the receiving side), so the event identifies the server rather than the people using it:

{
    "id": "0182272d-0b88-0000-d419-7b9a413713f1",
    "timestamp": "2022-07-22T18:30:39.748000+00:00",
    "event": "fz_http_started",
    "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
    "properties": {
        "$geoip_city_name": "Ashburn",
        "$geoip_continent_code": "NA",
        "$geoip_continent_name": "North America",
        "$geoip_country_code": "US",
        "$geoip_country_name": "United States",
        "$geoip_latitude": 39.0469,
        "$geoip_longitude": -77.4903,
        "$geoip_postal_code": "20149",
        "$geoip_subdivision_1_code": "VA",
        "$geoip_subdivision_1_name": "Virginia",
        "$geoip_time_zone": "America/New_York",
        "$ip": "52.200.241.107",
        "$plugins_deferred": [],
        "$plugins_failed": [],
        "$plugins_succeeded": [
            "GeoIP (3)"
        ],
        "distinct_id": "1ec2e794-1c3e-43fc-a78f-1db6d1a37f54",
        "fqdn": "awsdemo.firezone.dev",
        "kernel_version": "linux 5.13.0",
        "version": "0.4.6"
    },
    "elements_chain": ""
}

How to disable telemetry

NOTE

The Firezone development team relies on product analytics to make Firezone better for everyone. Leaving telemetry enabled is the single most valuable contribution you can make to Firezone's development. That said, we understand that some users have higher privacy or security requirements and would prefer to disable telemetry altogether. If that is you, keep reading.

Telemetry is enabled by default. To completely disable product telemetry, set the following configuration option to false in /etc/firezone/firezone.rb and run sudo firezone-ctl reconfigure to pick up the change.

default['firezone']['telemetry']['enabled'] = false

That will completely disable product telemetry. Because this is the same key listed in the configuration reference, you can confirm the change took effect by checking that the line is present and uncommented in /etc/firezone/firezone.rb after reconfigure completes.