Différences
Ci-dessous, les différences entre deux révisions de la page.
| Les deux révisions précédentesRévision précédenteProchaine révision | Révision précédente | ||
| elearning:workbooks:debian:10:junior:l119 [2022/05/17 08:26] – admin | elearning:workbooks:debian:10:junior:l119 [2023/08/24 11:16] (Version actuelle) – admin | ||
|---|---|---|---|
| Ligne 1: | Ligne 1: | ||
| ~~PDF: | ~~PDF: | ||
| - | Version : **2022.01** | + | Version : **2023.01** |
| Dernière mise-à-jour : ~~LASTMOD~~ | Dernière mise-à-jour : ~~LASTMOD~~ | ||
| - | ======LDF513 | + | ======LDF600 |
| =====Contenu du Module===== | =====Contenu du Module===== | ||
| - | * **LDF513 | + | * **LDF600 |
| * Contenu du Module | * Contenu du Module | ||
| + | * Prérequis | ||
| + | * Matériel | ||
| + | * Logiciels | ||
| + | * Internet | ||
| + | * Programme de la Formation | ||
| + | |||
| + | |||
| + | |||
| + | =====Programme de la Formation===== | ||
| + | |||
| + | * **LDF600 - Présentation de la Formation**. | ||
| + | * Prérequis | ||
| + | * Matériel | ||
| + | * Logiciels | ||
| + | * Internet | ||
| + | * Programme de la Formation | ||
| + | |||
| + | * **LDF601 - Gestion des Paramètres et les Ressources du Matériel** | ||
| + | * Présentation des Fichiers Spéciaux | ||
| + | * LAB #1 - Commandes | ||
| + | * 1.1 - La Commande lspci | ||
| + | * 1.2 - La Commande lsusb | ||
| + | * 1.3 - La Commande lsblk | ||
| + | * 1.4 - La Commande dmidecode | ||
| + | * LAB #2 - La Commande sysctl | ||
| + | * 2.1 - Répertoire /proc | ||
| + | * Fichiers | ||
| + | * Processeur | ||
| + | * Interruptions système | ||
| + | * Canaux DMA | ||
| + | * Plages d' | ||
| + | * Périphériques | ||
| + | * Modules | ||
| + | * Statistiques de l' | ||
| + | * Partitions | ||
| + | * Espaces de pagination | ||
| + | * Statistiques d' | ||
| + | * Statistiques d' | ||
| + | * Version du noyau | ||
| + | * Répertoires | ||
| + | * ide/scsi | ||
| + | * acpi | ||
| + | * bus | ||
| + | * net | ||
| + | * sys | ||
| + | * 2.2 - Utilisation de la Commande sysctl | ||
| + | * LAB #3 - Interprétation des informations dans /proc | ||
| + | * 3.1 - free | ||
| + | * 3.2 - uptime ou w | ||
| + | * 3.3 - iostat | ||
| + | * 3.4 - hdparm | ||
| + | * 3.5 - vmstat | ||
| + | * 3.6 - mpstat | ||
| + | * 3.7 - sar | ||
| + | * Modules usb | ||
| + | * udev | ||
| + | * La Commande udevadm | ||
| + | * Système de fichiers /sys | ||
| + | * LAB #4 - Limiter les Ressources | ||
| + | * 4.1 - ulimit | ||
| + | * 4.2 - Groupes de Contrôle | ||
| + | * CGroups v1 | ||
| + | * Préparation | ||
| + | * Présentation | ||
| + | * Limitation de la Mémoire | ||
| + | * La Commande cgcreate | ||
| + | * La Commande cgdelete | ||
| + | * Le Fichier / | ||
| + | * La Commande cgconfigparser | ||
| + | * CGroups v2 | ||
| + | |||
| + | * **LDF602 - Gestion du Noyau et des Quotas** | ||
| + | * Rôle du noyau | ||
| + | * LAB #1 - Compilation et installation du noyau | ||
| + | * 1.1 - Déplacer /home | ||
| + | * 1.2 - Télécharger le Code Source du Noyau | ||
| + | * 1.3 - Configurer le Noyau | ||
| + | * 1.4 - Compiler le Noyau | ||
| + | * 1.5 - Installer le Nouveau Noyau | ||
| + | * 1.6 - Désinstaller un Noyau | ||
| + | * LAB #2 - Mise à Jour du Noyau avec le Gestionnaire des Paquets | ||
| + | * LAB #3 - Gestion des Quotas | ||
| + | * 3.1 - La Commande quotacheck | ||
| + | * 3.2 - La Commande edquota | ||
| + | * 3.3 - La Commande quotaon | ||
| + | * 3.4 - La Commande repquota | ||
| + | * 3.5 - La Commande quota | ||
| + | * 3.6 - La Commande warnquota | ||
| + | |||
| + | * **LDF603 - Gestion du Réseau** | ||
| * Présentation | * Présentation | ||
| * La Commande nmcli | * La Commande nmcli | ||
| Ligne 55: | Ligne 145: | ||
| * Le mode Panic de firewalld | * Le mode Panic de firewalld | ||
| - | =====Présentation===== | + | * **LDF604 |
| - | + | * Support | |
| - | Debian 11 utilise **Network Manager** pour gérer le réseau. Network Manager est composé de deux éléments : | + | * Rappel |
| - | + | * Validation Globale | |
| - | * un service qui gère les connexions réseaux et rapporte leurs états, | + | * Évaluation |
| - | * des front-ends qui passent par un API de configuration du service. | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** : Notez qu' | + | |
| - | </ | + | |
| - | + | ||
| - | Le service NetworkManager doit toujours être lancé : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | ● NetworkManager.service - Network Manager | + | |
| - | | + | |
| - | | + | |
| - | Docs: man: | + | |
| - | | + | |
| - | Tasks: 3 (limit: 4632) | + | |
| - | | + | |
| - | CPU: 1.811s | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | May 01 18:00:05 debian11 NetworkManager[499]: | + | |
| - | lines 1-21/21 (END) | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | ===La Commande nmcli=== | + | |
| - | + | ||
| - | La commande | + | |
| - | + | ||
| - | Les options et les sous-commandes peuvent être consultées en utilisant les commandes suivantes : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | Usage: nmcli [OPTIONS] OBJECT { COMMAND | help } | + | |
| - | + | ||
| - | OPTIONS | + | |
| - | -a, --ask ask for missing parameters | + | |
| - | -c, --colors auto|yes|no | + | |
| - | -e, --escape yes|no | + | |
| - | -f, --fields < | + | |
| - | -g, --get-values < | + | |
| - | -h, --help | + | |
| - | -m, --mode tabular|multiline | + | |
| - | -o, --overview | + | |
| - | -p, --pretty | + | |
| - | -s, --show-secrets | + | |
| - | -t, --terse | + | |
| - | -v, --version | + | |
| - | -w, --wait < | + | |
| - | + | ||
| - | OBJECT | + | |
| - | g[eneral] | + | |
| - | n[etworking] | + | |
| - | r[adio] | + | |
| - | c[onnection] | + | |
| - | d[evice] | + | |
| - | a[gent] | + | |
| - | m[onitor] | + | |
| - | </ | + | |
| - | + | ||
| - | =====LAB #1 - Configuration du Réseau===== | + | |
| - | + | ||
| - | ====1.1 - Connections et Profils==== | + | |
| - | + | ||
| - | NetworkManager inclus la notion de **connections** ou **profils** permettant des configurations différentes en fonction | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | NAME UUID TYPE DEVICE | + | |
| - | Wired connection 1 77c569e6-3176-4c10-8008-40d7634d2504 | + | |
| - | </ | + | |
| - | + | ||
| - | Créez donc un profil IP fixe rattaché au périphérique **ens18** : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | Connection ' | + | |
| - | </ | + | |
| - | + | ||
| - | Constatez sa présence : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | NAME UUID TYPE DEVICE | + | |
| - | Wired connection 1 77c569e6-3176-4c10-8008-40d7634d2504 | + | |
| - | ip_fixe | + | |
| - | </ | + | |
| - | + | ||
| - | Notez que la sortie n' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | GENERAL.DEVICE: | + | |
| - | GENERAL.TYPE: | + | |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | WIRED-PROPERTIES.CARRIER: | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: | + | |
| - | IP4.ROUTE[2]: | + | |
| - | IP4.DNS[1]: | + | |
| - | IP4.DNS[2]: | + | |
| - | IP6.ADDRESS[1]: | + | |
| - | IP6.GATEWAY: | + | |
| - | IP6.ROUTE[1]: | + | |
| - | IP6.ROUTE[2]: | + | |
| - | + | ||
| - | GENERAL.DEVICE: | + | |
| - | GENERAL.TYPE: | + | |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | lines 1-23 | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | Pour activer le profil ip_fixe, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# nmcli connection up ip_fixe | + | |
| - | + | ||
| - | </ | + | |
| - | + | ||
| - | Notez que votre terminal est bloqué à cause du changement de l' | + | |
| - | + | ||
| - | <WRAP center round todo 60%> | + | |
| - | **A faire** - Revenez à votre Gateway et re-connectez-vous à la VM en tant que trainee en utilisant l' | + | |
| - | </ | + | |
| - | + | ||
| - | Le profil ip_fixe est maintenant activé tandis que le profil enp0s3 a été désactivé : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | NAME UUID TYPE DEVICE | + | |
| - | ip_fixe | + | |
| - | Wired connection 1 77c569e6-3176-4c10-8008-40d7634d2504 | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | GENERAL.DEVICE: | + | |
| - | GENERAL.TYPE: | + | |
| - | GENERAL.HWADDR: | + | |
| - | GENERAL.MTU: | + | |
| - | GENERAL.STATE: | + | |
| - | GENERAL.CONNECTION: | + | |
| - | GENERAL.CON-PATH: | + | |
| - | WIRED-PROPERTIES.CARRIER: | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: | + | |
| - | IP4.ROUTE[2]: | + | |
| - | IP6.ADDRESS[1]: | + | |
| - | IP6.GATEWAY: | + | |
| - | IP6.ROUTE[1]: | + | |
| - | IP6.ROUTE[2]: | + | |
| - | + | ||
| - | GENERAL.DEVICE: | + | |
| - | GENERAL.TYPE: | + | |
| - | lines 1-19 | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | Pour consulter les paramètres du profil **Wired connection 1**, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | =============================================================================== | + | |
| - | Connection profile details (Wired connection 1) | + | |
| - | =============================================================================== | + | |
| - | connection.id: | + | |
| - | connection.uuid: | + | |
| - | connection.stable-id: | + | |
| - | connection.type: | + | |
| - | connection.interface-name: | + | |
| - | connection.autoconnect: | + | |
| - | connection.autoconnect-priority: | + | |
| - | connection.autoconnect-retries: | + | |
| - | connection.multi-connect: | + | |
| - | connection.auth-retries: | + | |
| - | connection.timestamp: | + | |
| - | connection.read-only: | + | |
| - | connection.permissions: | + | |
| - | connection.zone: | + | |
| - | connection.master: | + | |
| - | connection.slave-type: | + | |
| - | connection.autoconnect-slaves: | + | |
| - | connection.secondaries: | + | |
| - | connection.gateway-ping-timeout: | + | |
| - | connection.metered: | + | |
| - | connection.lldp: | + | |
| - | connection.mdns: | + | |
| - | connection.llmnr: | + | |
| - | connection.wait-device-timeout: | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | 802-3-ethernet.port: | + | |
| - | 802-3-ethernet.speed: | + | |
| - | 802-3-ethernet.duplex: | + | |
| - | 802-3-ethernet.auto-negotiate: | + | |
| - | 802-3-ethernet.mac-address: | + | |
| - | 802-3-ethernet.cloned-mac-address: | + | |
| - | 802-3-ethernet.generate-mac-address-mask: | + | |
| - | 802-3-ethernet.mac-address-blacklist: | + | |
| - | 802-3-ethernet.mtu: | + | |
| - | 802-3-ethernet.s390-subchannels: | + | |
| - | 802-3-ethernet.s390-nettype: | + | |
| - | 802-3-ethernet.s390-options: | + | |
| - | 802-3-ethernet.wake-on-lan: | + | |
| - | 802-3-ethernet.wake-on-lan-password: | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | ipv4.method: | + | |
| - | ipv4.dns: | + | |
| - | ipv4.dns-search: | + | |
| - | ipv4.dns-options: | + | |
| - | ipv4.dns-priority: | + | |
| - | ipv4.addresses: | + | |
| - | ipv4.gateway: | + | |
| - | ipv4.routes: | + | |
| - | ipv4.route-metric: | + | |
| - | ipv4.route-table: | + | |
| - | ipv4.routing-rules: | + | |
| - | ipv4.ignore-auto-routes: | + | |
| - | ipv4.ignore-auto-dns: | + | |
| - | lines 1-56 | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | De même, pour consulter les paramètres du profil | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | =============================================================================== | + | |
| - | | + | |
| - | =============================================================================== | + | |
| - | connection.id: | + | |
| - | connection.uuid: | + | |
| - | connection.stable-id: | + | |
| - | connection.type: | + | |
| - | connection.interface-name: | + | |
| - | connection.autoconnect: | + | |
| - | connection.autoconnect-priority: | + | |
| - | connection.autoconnect-retries: | + | |
| - | connection.multi-connect: | + | |
| - | connection.auth-retries: | + | |
| - | connection.timestamp: | + | |
| - | connection.read-only: | + | |
| - | connection.permissions: | + | |
| - | connection.zone: | + | |
| - | connection.master: | + | |
| - | connection.slave-type: | + | |
| - | connection.autoconnect-slaves: | + | |
| - | connection.secondaries: | + | |
| - | connection.gateway-ping-timeout: | + | |
| - | connection.metered: | + | |
| - | connection.lldp: | + | |
| - | connection.mdns: | + | |
| - | connection.llmnr: | + | |
| - | connection.wait-device-timeout: | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | 802-3-ethernet.port: | + | |
| - | 802-3-ethernet.speed: | + | |
| - | 802-3-ethernet.duplex: | + | |
| - | 802-3-ethernet.auto-negotiate: | + | |
| - | 802-3-ethernet.mac-address: | + | |
| - | 802-3-ethernet.cloned-mac-address: | + | |
| - | 802-3-ethernet.generate-mac-address-mask: | + | |
| - | 802-3-ethernet.mac-address-blacklist: | + | |
| - | 802-3-ethernet.mtu: | + | |
| - | 802-3-ethernet.s390-subchannels: | + | |
| - | 802-3-ethernet.s390-nettype: | + | |
| - | 802-3-ethernet.s390-options: | + | |
| - | 802-3-ethernet.wake-on-lan: | + | |
| - | 802-3-ethernet.wake-on-lan-password: | + | |
| - | ------------------------------------------------------------------------------- | + | |
| - | ipv4.method: | + | |
| - | ipv4.dns: | + | |
| - | ipv4.dns-search: | + | |
| - | ipv4.dns-options: | + | |
| - | ipv4.dns-priority: | + | |
| - | ipv4.addresses: | + | |
| - | ipv4.gateway: | + | |
| - | ipv4.routes: | + | |
| - | ipv4.route-metric: | + | |
| - | ipv4.route-table: | + | |
| - | ipv4.routing-rules: | + | |
| - | ipv4.ignore-auto-routes: | + | |
| - | ipv4.ignore-auto-dns: | + | |
| - | lines 1-56 | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | Pour consulter la liste profils associés à un périphérique, | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | CONNECTIONS.AVAILABLE-CONNECTION-PATHS: | + | |
| - | CONNECTIONS.AVAILABLE-CONNECTIONS[1]: | + | |
| - | CONNECTIONS.AVAILABLE-CONNECTIONS[2]: | + | |
| - | lines 1-3/3 (END) | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | Les fichiers | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | total 8 | + | |
| - | -rw------- 1 root root 284 May 2 14:23 ip_fixe.nmconnection | + | |
| - | -rw------- 1 root root 249 Apr 25 07:01 'Wired connection 1' | + | |
| - | </ | + | |
| - | + | ||
| - | ====1.2 - Résolution des Noms==== | + | |
| - | + | ||
| - | L' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | [connection] | + | |
| - | id=ip_fixe | + | |
| - | uuid=c52994fc-0918-4108-81d2-d86dade62c7a | + | |
| - | type=ethernet | + | |
| - | interface-name=ens18 | + | |
| - | permissions= | + | |
| - | + | ||
| - | [ethernet] | + | |
| - | mac-address-blacklist= | + | |
| - | + | ||
| - | [ipv4] | + | |
| - | address1=10.0.2.41/ | + | |
| - | dns-search= | + | |
| - | method=manual | + | |
| - | + | ||
| - | [ipv6] | + | |
| - | addr-gen-mode=stable-privacy | + | |
| - | dns-search= | + | |
| - | method=auto | + | |
| - | + | ||
| - | [proxy] | + | |
| - | </ | + | |
| - | + | ||
| - | La résolution des noms est donc inactive : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | ping: www.free.fr: | + | |
| - | </ | + | |
| - | + | ||
| - | Modifiez donc la configuration du profil **ip_fixe** : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | </ | + | |
| - | + | ||
| - | L' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | [connection] | + | |
| - | id=ip_fixe | + | |
| - | uuid=c52994fc-0918-4108-81d2-d86dade62c7a | + | |
| - | type=ethernet | + | |
| - | interface-name=ens18 | + | |
| - | permissions= | + | |
| - | timestamp=1651499105 | + | |
| - | + | ||
| - | [ethernet] | + | |
| - | mac-address-blacklist= | + | |
| - | + | ||
| - | [ipv4] | + | |
| - | address1=10.0.2.41/ | + | |
| - | dns=8.8.8.8; | + | |
| - | dns-search= | + | |
| - | method=manual | + | |
| - | + | ||
| - | [ipv6] | + | |
| - | addr-gen-mode=stable-privacy | + | |
| - | dns-search= | + | |
| - | method=auto | + | |
| - | + | ||
| - | [proxy] | + | |
| - | </ | + | |
| - | + | ||
| - | Afin que la modification du serveur DNS soit prise en compte, re-démarrez le service NetworkManager : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | </ | + | |
| - | + | ||
| - | Vérifiez que le fichier **/ | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | # Generated by NetworkManager | + | |
| - | nameserver 8.8.8.8 | + | |
| - | </ | + | |
| - | + | ||
| - | Dernièrement vérifiez la resolution des noms : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | PING www.free.fr (212.27.48.10) 56(84) bytes of data. | + | |
| - | 64 bytes from www.free.fr (212.27.48.10): | + | |
| - | 64 bytes from www.free.fr (212.27.48.10): | + | |
| - | ^C | + | |
| - | --- www.free.fr ping statistics --- | + | |
| - | 2 packets transmitted, | + | |
| - | rtt min/ | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** : Notez qu'il existe un front-end graphique en mode texte, **nmtui**, pour configurer NetworkManager. | + | |
| - | </ | + | |
| - | + | ||
| - | ====1.3 - Ajouter une Deuxième Adresse IP à un Profil==== | + | |
| - | + | ||
| - | Pour ajouter une deuxième adresse IP à un profil sous Debian 11, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | </ | + | |
| - | + | ||
| - | Rechargez la configuration du profil : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | Connection successfully activated (D-Bus active path: / | + | |
| - | </ | + | |
| - | + | ||
| - | Saisissez ensuite la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | connection.id: | + | |
| - | connection.uuid: | + | |
| - | connection.stable-id: | + | |
| - | connection.type: | + | |
| - | connection.interface-name: | + | |
| - | connection.autoconnect: | + | |
| - | connection.autoconnect-priority: | + | |
| - | connection.autoconnect-retries: | + | |
| - | connection.multi-connect: | + | |
| - | connection.auth-retries: | + | |
| - | connection.timestamp: | + | |
| - | connection.read-only: | + | |
| - | connection.permissions: | + | |
| - | connection.zone: | + | |
| - | connection.master: | + | |
| - | connection.slave-type: | + | |
| - | connection.autoconnect-slaves: | + | |
| - | connection.secondaries: | + | |
| - | connection.gateway-ping-timeout: | + | |
| - | connection.metered: | + | |
| - | connection.lldp: | + | |
| - | connection.mdns: | + | |
| - | connection.llmnr: | + | |
| - | connection.wait-device-timeout: | + | |
| - | 802-3-ethernet.port: | + | |
| - | 802-3-ethernet.speed: | + | |
| - | 802-3-ethernet.duplex: | + | |
| - | 802-3-ethernet.auto-negotiate: | + | |
| - | 802-3-ethernet.mac-address: | + | |
| - | 802-3-ethernet.cloned-mac-address: | + | |
| - | 802-3-ethernet.generate-mac-address-mask: | + | |
| - | 802-3-ethernet.mac-address-blacklist: | + | |
| - | 802-3-ethernet.mtu: | + | |
| - | 802-3-ethernet.s390-subchannels: | + | |
| - | 802-3-ethernet.s390-nettype: | + | |
| - | 802-3-ethernet.s390-options: | + | |
| - | 802-3-ethernet.wake-on-lan: | + | |
| - | 802-3-ethernet.wake-on-lan-password: | + | |
| - | ipv4.method: | + | |
| - | ipv4.dns: | + | |
| - | ipv4.dns-search: | + | |
| - | ipv4.dns-options: | + | |
| - | ipv4.dns-priority: | + | |
| - | ipv4.addresses: | + | |
| - | ipv4.gateway: | + | |
| - | ipv4.routes: | + | |
| - | ipv4.route-metric: | + | |
| - | ipv4.route-table: | + | |
| - | ipv4.routing-rules: | + | |
| - | ipv4.ignore-auto-routes: | + | |
| - | ipv4.ignore-auto-dns: | + | |
| - | ipv4.dhcp-client-id: | + | |
| - | ipv4.dhcp-iaid: | + | |
| - | ipv4.dhcp-timeout: | + | |
| - | ipv4.dhcp-send-hostname: | + | |
| - | ipv4.dhcp-hostname: | + | |
| - | lines 1-56 | + | |
| - | [Space Bar] | + | |
| - | IP4.ADDRESS[1]: | + | |
| - | IP4.ADDRESS[2]: | + | |
| - | IP4.GATEWAY: | + | |
| - | IP4.ROUTE[1]: | + | |
| - | IP4.ROUTE[2]: | + | |
| - | IP4.ROUTE[3]: | + | |
| - | IP4.DNS[1]: | + | |
| - | lines 57-112 | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** : Notez l' | + | |
| - | </ | + | |
| - | + | ||
| - | Consultez maintenant le contenu | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | [connection] | + | |
| - | id=ip_fixe | + | |
| - | uuid=c52994fc-0918-4108-81d2-d86dade62c7a | + | |
| - | type=ethernet | + | |
| - | interface-name=ens18 | + | |
| - | permissions= | + | |
| - | timestamp=1651499263 | + | |
| - | + | ||
| - | [ethernet] | + | |
| - | mac-address-blacklist= | + | |
| - | + | ||
| - | [ipv4] | + | |
| - | address1=10.0.2.41/ | + | |
| - | address2=192.168.1.2/ | + | |
| - | dns=8.8.8.8; | + | |
| - | dns-search= | + | |
| - | method=manual | + | |
| - | + | ||
| - | [ipv6] | + | |
| - | addr-gen-mode=stable-privacy | + | |
| - | dns-search= | + | |
| - | method=auto | + | |
| - | + | ||
| - | [proxy] | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** : Notez l' | + | |
| - | </ | + | |
| - | + | ||
| - | ====1.4 - La Commande hostname==== | + | |
| - | + | ||
| - | La procédure de la modification du hostname est simplifiée et sa prise en compte est immédiate : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | debian11 | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | debian11.ittraining.loc | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | debian11.ittraining.loc | + | |
| - | </ | + | |
| - | + | ||
| - | ====1.5 - La Commande ip==== | + | |
| - | + | ||
| - | Sous Debian 11 la commande **ip** est préférée par rapport à la commande ifconfig : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | 1: lo: < | + | |
| - | | + | |
| - | inet 127.0.0.1/8 scope host lo | + | |
| - | | + | |
| - | inet6 ::1/128 scope host | + | |
| - | | + | |
| - | 2: ens18: < | + | |
| - | link/ether f6: | + | |
| - | altname enp0s18 | + | |
| - | inet 10.0.2.41/ | + | |
| - | | + | |
| - | inet 192.168.1.2/ | + | |
| - | | + | |
| - | inet6 fe80:: | + | |
| - | | + | |
| - | </ | + | |
| - | + | ||
| - | En cas de besoin, pour extraire les adresses IP de cette sortie, utilisez les commandes suivantes : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | 10.0.2.41 | + | |
| - | 192.168.1.2 | + | |
| - | </ | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | Usage: ip [ OPTIONS ] OBJECT { COMMAND | help } | + | |
| - | ip [ -force ] -batch filename | + | |
| - | where OBJECT := { link | address | addrlabel | route | rule | neigh | ntable | | + | |
| - | | + | |
| - | netns | l2tp | fou | macsec | tcp_metrics | token | netconf | ila | | + | |
| - | vrf | sr | nexthop | mptcp } | + | |
| - | | + | |
| - | -h[uman-readable] | -iec | -j[son] | -p[retty] | | + | |
| - | -f[amily] { inet | inet6 | mpls | bridge | link } | | + | |
| - | -4 | -6 | -I | -D | -M | -B | -0 | | + | |
| - | -l[oops] { maximum-addr-flush-attempts } | -br[ief] | | + | |
| - | -o[neline] | -t[imestamp] | -ts[hort] | -b[atch] [filename] | | + | |
| - | -rc[vbuf] [size] | -n[etns] name | -N[umeric] | -a[ll] | | + | |
| - | -c[olor]} | + | |
| - | </ | + | |
| - | + | ||
| - | ====1.6 - Activer/ | + | |
| - | + | ||
| - | Deux commandes existent pour désactiver et activer manuellement une interface réseau : | + | |
| - | + | ||
| - | < | + | |
| - | # nmcli device disconnect enp0s3 | + | |
| - | # nmcli device connect enp0s3 | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** : Veuillez ne **PAS** exécuter ces deux commandes. | + | |
| - | </ | + | |
| - | + | ||
| - | ====1.7 - Routage Statique==== | + | |
| - | + | ||
| - | ===La commande ip=== | + | |
| - | + | ||
| - | Sous Debian 11, pour supprimer la route vers le réseau 192.168.1.0 il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | default via 10.0.2.1 dev ens18 proto static metric 100 | + | |
| - | 10.0.2.0/24 dev ens18 proto kernel scope link src 10.0.2.41 metric 100 | + | |
| - | 192.168.1.0/ | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | default via 10.0.2.1 dev ens18 proto static metric 100 | + | |
| - | 10.0.2.0/24 dev ens18 proto kernel scope link src 10.0.2.41 metric 100 | + | |
| - | </ | + | |
| - | + | ||
| - | Pour ajouter la route vers le réseau 192.168.1.0 : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | default via 10.0.2.1 dev ens18 proto static metric 100 | + | |
| - | 10.0.2.0/24 dev ens18 proto kernel scope link src 10.0.2.41 metric 100 | + | |
| - | 192.168.1.0/ | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** - La commande utilisée pour ajouter une passerelle par défaut prend la forme suivante **ip route add default via //adresse ip//**. | + | |
| - | </ | + | |
| - | + | ||
| - | ===Activer le routage sur le serveur=== | + | |
| - | + | ||
| - | Pour activer le routage sur le serveur, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | root@debian11: | + | |
| - | 1 | + | |
| - | </ | + | |
| - | + | ||
| - | =====LAB #2 - Diagnostique du Réseau===== | + | |
| - | + | ||
| - | ====2.1 - ping==== | + | |
| - | + | ||
| - | Pour tester l' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | PING 10.0.2.1 (10.0.2.1) 56(84) bytes of data. | + | |
| - | 64 bytes from 10.0.2.1: icmp_seq=1 ttl=64 time=0.184 ms | + | |
| - | 64 bytes from 10.0.2.1: icmp_seq=2 ttl=64 time=0.167 ms | + | |
| - | 64 bytes from 10.0.2.1: icmp_seq=3 ttl=64 time=0.168 ms | + | |
| - | ^C | + | |
| - | --- 10.0.2.1 ping statistics --- | + | |
| - | 3 packets transmitted, | + | |
| - | rtt min/ | + | |
| - | </ | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | ping: invalid option -- ' | + | |
| - | + | ||
| - | Usage | + | |
| - | ping [options] < | + | |
| - | + | ||
| - | Options: | + | |
| - | < | + | |
| - | -a use audible ping | + | |
| - | -A use adaptive ping | + | |
| - | -B | + | |
| - | -c < | + | |
| - | -D print timestamps | + | |
| - | -d use SO_DEBUG socket option | + | |
| - | -f flood ping | + | |
| - | -h print help and exit | + | |
| - | -I < | + | |
| - | -i < | + | |
| - | -L | + | |
| - | -l < | + | |
| - | -m < | + | |
| - | -M <pmtud opt> | + | |
| - | -n no dns name resolution | + | |
| - | -O | + | |
| - | -p < | + | |
| - | -q quiet output | + | |
| - | -Q < | + | |
| - | -s < | + | |
| - | -S < | + | |
| - | -t < | + | |
| - | -U print user-to-user latency | + | |
| - | -v | + | |
| - | -V print version and exit | + | |
| - | -w < | + | |
| - | -W < | + | |
| - | + | ||
| - | IPv4 options: | + | |
| - | -4 use IPv4 | + | |
| - | -b allow pinging broadcast | + | |
| - | -R | + | |
| - | -T < | + | |
| - | + | ||
| - | IPv6 options: | + | |
| - | -6 use IPv6 | + | |
| - | -F < | + | |
| - | -N < | + | |
| - | + | ||
| - | For more details see ping(8). | + | |
| - | </ | + | |
| - | + | ||
| - | ====2.2 - netstat -i==== | + | |
| - | + | ||
| - | Pour visualiser les statistiques réseaux, vous disposez de la commande **netstat** : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | -bash: netstat: command not found | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | Kernel Interface table | + | |
| - | Iface MTU RX-OK RX-ERR RX-DRP RX-OVR | + | |
| - | ens18 | + | |
| - | lo | + | |
| - | </ | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | usage: netstat [-vWeenNcCF] [< | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | -r, --route | + | |
| - | -i, --interfaces | + | |
| - | -g, --groups | + | |
| - | -s, --statistics | + | |
| - | -M, --masquerade | + | |
| - | + | ||
| - | -v, --verbose | + | |
| - | -W, --wide | + | |
| - | -n, --numeric | + | |
| - | --numeric-hosts | + | |
| - | --numeric-ports | + | |
| - | --numeric-users | + | |
| - | -N, --symbolic | + | |
| - | -e, --extend | + | |
| - | -p, --programs | + | |
| - | -o, --timers | + | |
| - | -c, --continuous | + | |
| - | + | ||
| - | -l, --listening | + | |
| - | -a, --all display all sockets (default: connected) | + | |
| - | -F, --fib display Forwarding Information Base (default) | + | |
| - | -C, --cache | + | |
| - | -Z, --context | + | |
| - | + | ||
| - | < | + | |
| - | | + | |
| - | < | + | |
| - | List of possible address families (which support routing): | + | |
| - | inet (DARPA Internet) inet6 (IPv6) ax25 (AMPR AX.25) | + | |
| - | netrom (AMPR NET/ROM) ipx (Novell IPX) ddp (Appletalk DDP) | + | |
| - | x25 (CCITT X.25) | + | |
| - | </ | + | |
| - | + | ||
| - | ====2.3 - traceroute==== | + | |
| - | + | ||
| - | La commande ping est à la base de la commande | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | traceroute to www.free.fr (212.27.48.10), | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | 10 10.200.2.65 (10.200.2.65) | + | |
| - | 11 * * * | + | |
| - | 12 194.149.166.61 (194.149.166.61) | + | |
| - | 13 * * * | + | |
| - | 14 * * * | + | |
| - | 15 * * * | + | |
| - | 16 * * * | + | |
| - | 17 * * * | + | |
| - | 18 * * * | + | |
| - | 19 * * * | + | |
| - | 20 * * * | + | |
| - | 21 * * * | + | |
| - | 22 * * * | + | |
| - | 23 * * * | + | |
| - | 24 * * * | + | |
| - | 25 * * * | + | |
| - | 26 * * * | + | |
| - | 27 * * * | + | |
| - | 28 * * * | + | |
| - | 29 * * * | + | |
| - | 30 * * * | + | |
| - | </ | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | Usage: | + | |
| - | traceroute [ -46dFITnreAUDV ] [ -f first_ttl ] [ -g gate,... ] [ -i device ] [ -m max_ttl ] [ -N squeries ] [ -p port ] [ -t tos ] [ -l flow_label ] [ -w MAX, | + | |
| - | Options: | + | |
| - | -4 Use IPv4 | + | |
| - | -6 Use IPv6 | + | |
| - | -d --debug | + | |
| - | -F --dont-fragment | + | |
| - | -f first_ttl | + | |
| - | Start from the first_ttl hop (instead from 1) | + | |
| - | -g gate, | + | |
| - | Route packets through the specified gateway | + | |
| - | (maximum 8 for IPv4 and 127 for IPv6) | + | |
| - | -I --icmp | + | |
| - | -T --tcp Use TCP SYN for tracerouting (default port is 80) | + | |
| - | -i device | + | |
| - | Specify a network interface to operate with | + | |
| - | -m max_ttl | + | |
| - | Set the max number of hops (max TTL to be | + | |
| - | reached). Default is 30 | + | |
| - | -N squeries | + | |
| - | Set the number of probes to be tried | + | |
| - | simultaneously (default is 16) | + | |
| - | -n Do not resolve IP addresses to their domain names | + | |
| - | -p port --port=port | + | |
| - | initial udp port value for " | + | |
| - | (incremented by each probe, default is 33434), or | + | |
| - | initial seq for " | + | |
| - | default from 1), or some constant destination | + | |
| - | port for other methods (with default of 80 for | + | |
| - | " | + | |
| - | -t tos --tos=tos | + | |
| - | traffic class) value for outgoing packets | + | |
| - | -l flow_label | + | |
| - | Use specified flow_label for IPv6 packets | + | |
| - | -w MAX, | + | |
| - | Wait for a probe no more than HERE (default 3) | + | |
| - | times longer than a response from the same hop, | + | |
| - | or no more than NEAR (default 10) times than some | + | |
| - | next hop, or MAX (default 5.0) seconds (float | + | |
| - | point values allowed too) | + | |
| - | -q nqueries | + | |
| - | Set the number of probes per each hop. Default is | + | |
| - | 3 | + | |
| - | -r Bypass the normal routing and send directly to a | + | |
| - | host on an attached network | + | |
| - | -s src_addr | + | |
| - | Use source src_addr for outgoing packets | + | |
| - | -z sendwait | + | |
| - | Minimal time interval between probes (default 0). | + | |
| - | If the value is more than 10, then it specifies a | + | |
| - | number in milliseconds, | + | |
| - | seconds (float point values allowed too) | + | |
| - | -e --extensions | + | |
| - | -A --as-path-lookups | + | |
| - | print results directly after the corresponding | + | |
| - | addresses | + | |
| - | -M name --module=name | + | |
| - | for traceroute operations. Most methods have | + | |
| - | their shortcuts (`-I' means `-M icmp' etc.) | + | |
| - | -O OPTS, | + | |
| - | Use module-specific option OPTS for the | + | |
| - | traceroute module. Several OPTS allowed, | + | |
| - | separated by comma. If OPTS is " | + | |
| - | about available options | + | |
| - | --sport=num | + | |
| - | `-N 1' | + | |
| - | --fwmark=num | + | |
| - | -U --udp Use UDP to particular port for tracerouting | + | |
| - | (instead of increasing the port per each probe), | + | |
| - | default port is 53 | + | |
| - | -UL Use UDPLITE for tracerouting (default dest port | + | |
| - | is 53) | + | |
| - | -D --dccp | + | |
| - | is 33434) | + | |
| - | -P prot --protocol=prot | + | |
| - | --mtu | + | |
| - | `-F -N 1' | + | |
| - | --back | + | |
| - | print if it differs | + | |
| - | -V --version | + | |
| - | --help | + | |
| - | + | ||
| - | Arguments: | + | |
| - | + | + | |
| - | packetlen | + | |
| - | header plus 40). Can be ignored or increased to a minimal | + | |
| - | allowed value | + | |
| - | </ | + | |
| - | + | ||
| - | =====LAB #3 - Connexions à Distance===== | + | |
| - | + | ||
| - | ==== 3.1 - Telnet ==== | + | |
| - | + | ||
| - | La commande **telnet** est utilisée pour établir une connexion à distance avec un serveur telnet : | + | |
| - | + | ||
| - | < | + | |
| - | # telnet numero_ip | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** - Le service telnet revient à une redirection des canaux standards d' | + | |
| - | </ | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | / | + | |
| - | root@debian11: | + | |
| - | telnet: invalid option -- ' | + | |
| - | Usage: telnet [-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user] | + | |
| - | [-n tracefile] [ -b addr ] [-r] [host-name [port]] | + | |
| - | </ | + | |
| - | + | ||
| - | ==== 3.2 - wget ==== | + | |
| - | + | ||
| - | La commande **wget** est utilisée pour récupérer un fichier via http, https ou ftp : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | --2022-05-03 10: | + | |
| - | Resolving www.dropbox.com (www.dropbox.com)... 162.125.67.18, | + | |
| - | Connecting to www.dropbox.com (www.dropbox.com)|162.125.67.18|: | + | |
| - | HTTP request sent, awaiting response... 301 Moved Permanently | + | |
| - | Location: / | + | |
| - | --2022-05-03 10: | + | |
| - | Reusing existing connection to www.dropbox.com: | + | |
| - | HTTP request sent, awaiting response... 302 Found | + | |
| - | Location: https:// | + | |
| - | --2022-05-03 10: | + | |
| - | Resolving uc64dcd84ee4be2a0c2f111bd2ab.dl.dropboxusercontent.com (uc64dcd84ee4be2a0c2f111bd2ab.dl.dropboxusercontent.com)... 162.125.67.15, | + | |
| - | Connecting to uc64dcd84ee4be2a0c2f111bd2ab.dl.dropboxusercontent.com (uc64dcd84ee4be2a0c2f111bd2ab.dl.dropboxusercontent.com)|162.125.67.15|: | + | |
| - | HTTP request sent, awaiting response... 200 OK | + | |
| - | Length: 46 [text/ | + | |
| - | Saving to: ‘wget_file.txt’ | + | |
| - | + | ||
| - | wget_file.txt | + | |
| - | + | ||
| - | 2022-05-03 10:07:51 (26.8 MB/s) - ‘wget_file.txt’ saved [46/46] | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | This is a file retrieved by the wget command. | + | |
| - | </ | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | GNU Wget 1.21, a non-interactive network retriever. | + | |
| - | Usage: wget [OPTION]... [URL]... | + | |
| - | + | ||
| - | Mandatory arguments to long options are mandatory for short options too. | + | |
| - | + | ||
| - | Startup: | + | |
| - | -V, --version | + | |
| - | -h, --help | + | |
| - | -b, --background | + | |
| - | -e, --execute=COMMAND | + | |
| - | + | ||
| - | Logging and input file: | + | |
| - | -o, --output-file=FILE | + | |
| - | -a, --append-output=FILE | + | |
| - | -d, --debug | + | |
| - | -q, --quiet | + | |
| - | -v, --verbose | + | |
| - | -nv, --no-verbose | + | |
| - | | + | |
| - | -i, --input-file=FILE | + | |
| - | -F, --force-html | + | |
| - | -B, --base=URL | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | Download: | + | |
| - | -t, --tries=NUMBER | + | |
| - | | + | |
| - | | + | |
| - | -O, --output-document=FILE | + | |
| - | -nc, --no-clobber | + | |
| - | | + | |
| - | | + | |
| - | -c, --continue | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | -N, --timestamping | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | the one on the server | + | |
| - | -S, --server-response | + | |
| - | | + | |
| - | -T, --timeout=SECONDS | + | |
| - | | + | |
| - | | + | |
| - | | + | |
| - | -w, --wait=SECONDS | + | |
| - | | + | |
| - | --More-- | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | ==== 3.3 - ftp ==== | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** - Si la commande **ftp** n'est pas installée sous Debian 11, installez-le à l'aide de la commande **apt install ftp** en tant que root. | + | |
| - | </ | + | |
| - | + | ||
| - | La commande **ftp** est utilisée pour le transfert de fichiers. Une fois connecté, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | ftp> help | + | |
| - | Commands may be abbreviated. | + | |
| - | + | ||
| - | ! | + | |
| - | $ | + | |
| - | account | + | |
| - | append | + | |
| - | ascii | + | |
| - | bell glob mode quote | + | |
| - | binary | + | |
| - | bye | + | |
| - | case idle newer | + | |
| - | cd image | + | |
| - | cdup ipany | + | |
| - | chmod | + | |
| - | close | + | |
| - | cr lcd | + | |
| - | delete | + | |
| - | debug | + | |
| - | ftp> | + | |
| - | </ | + | |
| - | + | ||
| - | Le caractère **!** permet d' | + | |
| - | + | ||
| - | < | + | |
| - | ftp> !pwd | + | |
| - | /root | + | |
| - | </ | + | |
| - | + | ||
| - | Pour transférer un fichier vers le serveur, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | ftp> put nom_fichier_local nom_fichier_distant | + | |
| - | </ | + | |
| - | + | ||
| - | Vous pouvez également transférer plusieurs fichiers à la fois grâce à la commande **mput**. Dans ce cas précis, il convient de saisir la commande suivante: | + | |
| - | + | ||
| - | < | + | |
| - | ftp> mput nom*.* | + | |
| - | </ | + | |
| - | + | ||
| - | Pour transférer un fichier du serveur, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | ftp> get nom_fichier | + | |
| - | </ | + | |
| - | + | ||
| - | Vous pouvez également transférer plusieurs fichiers à la fois grâce à la commande **mget** ( voir la commande **mput** ci-dessus ). | + | |
| - | + | ||
| - | Pour supprimer un fichier sur le serveur, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | ftp> del nom_fichier | + | |
| - | </ | + | |
| - | + | ||
| - | Pour fermer la session, il convient d' | + | |
| - | + | ||
| - | < | + | |
| - | ftp> quit | + | |
| - | root@debian11: | + | |
| - | </ | + | |
| - | + | ||
| - | ====3.4 - SSH==== | + | |
| - | + | ||
| - | ===Présentation=== | + | |
| - | + | ||
| - | La commande **[[wpfr> | + | |
| - | + | ||
| - | * Le **serveur SSH** | + | |
| - | * le démon sshd, qui s' | + | |
| - | * Le **client SSH** | + | |
| - | * ssh ou scp, qui assure la connexion et le dialogue avec le serveur, | + | |
| - | * La **session** qui représente la connexion courante et qui commence juste après l' | + | |
| - | * Les **clefs** | + | |
| - | * **Couple de clef utilisateur asymétriques** et persistantes qui assurent l' | + | |
| - | * **Clef hôte asymétrique et persistante** garantissant l' | + | |
| - | * **Clef serveur asymétrique et temporaire** utilisée par le protocole SSH1 qui sert au chiffrement de la clé de session, | + | |
| - | * **Clef de session symétrique qui est générée aléatoirement** et qui permet le chiiffrement de la communication entre le client et le serveur. Elle est détruite en fin de session. SSH-1 utilise une seule clef tandis que SSH-2 utilise une clef par direction de la communication, | + | |
| - | * La **base de données des hôtes connus** qui stocke les clés des connexions précédentes. | + | |
| - | + | ||
| - | SSH fonctionne de la manière suivante pour la la mise en place d'un canal sécurisé: | + | |
| - | + | ||
| - | * Le client contacte le serveur sur son port 22, | + | |
| - | * Les client et le serveur échangent leur version de SSH. En cas de non-compatibilité de versions, l'un des deux met fin au processus, | + | |
| - | * Le serveur SSH s' | + | |
| - | * Sa clé hôte, | + | |
| - | * Sa clé serveur, | + | |
| - | * Une séquence aléatoire de huit octets à inclure dans les futures réponses du client, | + | |
| - | * Une liste de méthodes de chiffrage, compression et authentification, | + | |
| - | * Le client et le serveur produisent un identifiant identique, un haché MD5 long de 128 bits contenant la clé hôte, la clé serveur et la séquence aléatoire, | + | |
| - | * Le client génère sa clé de session symétrique et la chiffre deux fois de suite, une fois avec la clé hôte du serveur et la deuxième fois avec la clé serveur. Le client envoie cette clé au serveur accompagnée de la séquence aléatoire et un choix d' | + | |
| - | * Le serveur déchiffre la clé de session, | + | |
| - | * Le client et le serveur mettent en place le canal sécurisé. | + | |
| - | + | ||
| - | ==SSH-1== | + | |
| - | + | ||
| - | SSH-1 utilise une paire de clefs de type RSA1. Il assure l' | + | |
| - | + | ||
| - | Afin de s' | + | |
| - | + | ||
| - | * **Kerberos**, | + | |
| - | * **Rhosts**, | + | |
| - | * **%%RhostsRSA%%**, | + | |
| - | * Par **clef asymétrique**, | + | |
| - | * **TIS**, | + | |
| - | * Par **mot de passe**. | + | |
| - | + | ||
| - | ==SSH-2== | + | |
| - | + | ||
| - | SSH-2 utilise **DSA** ou **RSA**. Il assure l' | + | |
| - | + | ||
| - | * **SSH-TRANS** – Transport Layer Protocol, | + | |
| - | * **SSH-AUTH** – Authentification Protocol, | + | |
| - | * **SSH-CONN** – Connection Protocol. | + | |
| - | + | ||
| - | SSH-2 diffère de SSH-1 essentiellement dans la phase authentification. | + | |
| - | + | ||
| - | Trois méthodes d' | + | |
| - | + | ||
| - | * Par **clef asymétrique**, | + | |
| - | * Identique à SSH-1 sauf avec l' | + | |
| - | * **%%RhostsRSA%%**, | + | |
| - | * Par **mot de passe**. | + | |
| - | + | ||
| - | Les options de cette commande sont : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | unknown option -- - | + | |
| - | usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] | + | |
| - | [-b bind_address] [-c cipher_spec] [-D [bind_address: | + | |
| - | [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] | + | |
| - | [-i identity_file] [-J [user@]host[: | + | |
| - | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] | + | |
| - | [-Q query_option] [-R address] [-S ctl_path] [-W host: | + | |
| - | [-w local_tun[: | + | |
| - | </ | + | |
| - | + | ||
| - | ===Authentification par mot de passe=== | + | |
| - | + | ||
| - | L' | + | |
| - | + | ||
| - | Avantage: | + | |
| - | * Aucune configuration de clef asymétrique n'est nécessaire. | + | |
| - | + | ||
| - | Inconvénients: | + | |
| - | * L' | + | |
| - | * Moins sécurisé qu'un système par clef asymétrique. | + | |
| - | + | ||
| - | ===Authentification par clef asymétrique=== | + | |
| - | + | ||
| - | * Le **client** envoie au serveur une requête d' | + | |
| - | * Le **serveur** recherche une correspondance pour ce module dans le fichier des clés autorisés **~/ | + | |
| - | * Dans le cas où une correspondance n'est pas trouvée, le serveur met fin à la communication, | + | |
| - | * Dans le cas contraire le serveur génère une chaîne aléatoire de 256 bits appelée un **challenge** et la chiffre avec la **clé publique du client**, | + | |
| - | * Le **client** reçoit le challenge et le décrypte avec la partie privée de sa clé. Il combine le challenge avec l' | + | |
| - | * Le **serveur** génère le même haché et le compare avec celui reçu du client. Si les deux hachés sont identiques, l' | + | |
| - | + | ||
| - | ===Configuration du Serveur=== | + | |
| - | + | ||
| - | La configuration du serveur s' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | # | + | |
| - | + | ||
| - | # This is the sshd server system-wide configuration file. See | + | |
| - | # sshd_config(5) for more information. | + | |
| - | + | ||
| - | # This sshd was compiled with PATH=/ | + | |
| - | + | ||
| - | # The strategy used for options in the default sshd_config shipped with | + | |
| - | # OpenSSH is to specify options with their default value where | + | |
| - | # possible, but leave them commented. | + | |
| - | # default value. | + | |
| - | + | ||
| - | Include / | + | |
| - | + | ||
| - | #Port 22 | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | #HostKey / | + | |
| - | #HostKey / | + | |
| - | #HostKey / | + | |
| - | + | ||
| - | # Ciphers and keying | + | |
| - | #RekeyLimit default none | + | |
| - | + | ||
| - | # Logging | + | |
| - | # | + | |
| - | #LogLevel INFO | + | |
| - | + | ||
| - | # Authentication: | + | |
| - | + | ||
| - | # | + | |
| - | PermitRootLogin yes | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # | + | |
| - | + | ||
| - | # Expect .ssh/ | + | |
| - | # | + | |
| - | + | ||
| - | # | + | |
| - | + | ||
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # For this to work you will also need host keys in / | + | |
| - | # | + | |
| - | # Change to yes if you don't trust ~/ | + | |
| - | # HostbasedAuthentication | + | |
| - | # | + | |
| - | # Don't read the user's ~/.rhosts and ~/.shosts files | + | |
| - | # | + | |
| - | + | ||
| - | # To disable tunneled clear text passwords, change to no here! | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # Change to yes to enable challenge-response passwords (beware issues with | + | |
| - | # some PAM modules and threads) | + | |
| - | ChallengeResponseAuthentication no | + | |
| - | + | ||
| - | # Kerberos options | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # GSSAPI options | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # Set this to ' | + | |
| - | # and session processing. If this is enabled, PAM authentication will | + | |
| - | # be allowed through the ChallengeResponseAuthentication and | + | |
| - | # PasswordAuthentication. | + | |
| - | # PAM authentication via ChallengeResponseAuthentication may bypass | + | |
| - | # the setting of " | + | |
| - | # If you just want the PAM account and session checks to run without | + | |
| - | # PAM authentication, | + | |
| - | # and ChallengeResponseAuthentication to ' | + | |
| - | UsePAM yes | + | |
| - | + | ||
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | X11Forwarding yes | + | |
| - | # | + | |
| - | # | + | |
| - | #PermitTTY yes | + | |
| - | PrintMotd no | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | #UseDNS no | + | |
| - | #PidFile / | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | + | ||
| - | # no default banner path | + | |
| - | #Banner none | + | |
| - | + | ||
| - | # Allow client to pass locale environment variables | + | |
| - | AcceptEnv LANG LC_* | + | |
| - | + | ||
| - | # override default of no subsystems | + | |
| - | Subsystem | + | |
| - | + | ||
| - | # Example of overriding settings on a per-user basis | + | |
| - | #Match User anoncvs | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | </ | + | |
| - | + | ||
| - | Pour ôter les lignes de commentaires dans ce fichier, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | root@debian11:/ | + | |
| - | Include / | + | |
| - | PermitRootLogin yes | + | |
| - | ChallengeResponseAuthentication no | + | |
| - | UsePAM yes | + | |
| - | X11Forwarding yes | + | |
| - | PrintMotd no | + | |
| - | AcceptEnv LANG LC_* | + | |
| - | Subsystem | + | |
| - | </ | + | |
| - | + | ||
| - | Pour sécuriser le serveur ssh, ajoutez ou modifiez les directives suivantes : | + | |
| - | + | ||
| - | < | + | |
| - | AllowGroups adm | + | |
| - | Banner / | + | |
| - | HostbasedAuthentication no | + | |
| - | IgnoreRhosts yes | + | |
| - | LoginGraceTime 60 | + | |
| - | LogLevel INFO | + | |
| - | PermitEmptyPasswords no | + | |
| - | PermitRootLogin no | + | |
| - | PrintLastLog yes | + | |
| - | Protocol 2 | + | |
| - | StrictModes yes | + | |
| - | X11Forwarding no | + | |
| - | </ | + | |
| - | + | ||
| - | Votre fichier ressemblera à celui-ci : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11:/ | + | |
| - | root@debian11:/ | + | |
| - | AllowGroups adm | + | |
| - | Banner / | + | |
| - | HostbasedAuthentication no | + | |
| - | IgnoreRhosts yes | + | |
| - | LoginGraceTime 60 | + | |
| - | LogLevel INFO | + | |
| - | PermitEmptyPasswords no | + | |
| - | PermitRootLogin no | + | |
| - | PrintLastLog yes | + | |
| - | Protocol 2 | + | |
| - | StrictModes yes | + | |
| - | X11Forwarding no | + | |
| - | Include / | + | |
| - | ChallengeResponseAuthentication no | + | |
| - | UsePAM yes | + | |
| - | PrintMotd no | + | |
| - | AcceptEnv LANG LC_* | + | |
| - | Subsystem | + | |
| - | </ | + | |
| - | + | ||
| - | Renommez le fichier **/ | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos11 tmp]# cp / | + | |
| - | </ | + | |
| - | + | ||
| - | Copiez le fichier **/ | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11:/ | + | |
| - | </ | + | |
| - | + | ||
| - | Redémarrez le service sshd : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11:/ | + | |
| - | root@debian11:/ | + | |
| - | ● ssh.service - OpenBSD Secure Shell server | + | |
| - | | + | |
| - | | + | |
| - | Docs: man: | + | |
| - | | + | |
| - | Process: 4885 ExecStartPre=/ | + | |
| - | Main PID: 4888 (sshd) | + | |
| - | Tasks: 1 (limit: 4632) | + | |
| - | | + | |
| - | CPU: 24ms | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | May 03 11:01:24 debian11.ittraining.loc sshd[4888]: Server listening on 0.0.0.0 port > | + | |
| - | May 03 11:01:24 debian11.ittraining.loc systemd[1]: Stopping OpenBSD Secure Shell ser> | + | |
| - | May 03 11:01:24 debian11.ittraining.loc sshd[4888]: Server listening on :: port 22. | + | |
| - | May 03 11:01:24 debian11.ittraining.loc systemd[1]: ssh.service: | + | |
| - | May 03 11:01:24 debian11.ittraining.loc systemd[1]: Stopped OpenBSD Secure Shell serv> | + | |
| - | May 03 11:01:24 debian11.ittraining.loc systemd[1]: Starting OpenBSD Secure Shell ser> | + | |
| - | May 03 11:01:24 debian11.ittraining.loc systemd[1]: Started OpenBSD Secure Shell serv> | + | |
| - | lines 1-20/20 (END) | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | Mettez l' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11:/ | + | |
| - | trainee : trainee cdrom floppy audio dip src video plugdev netdev lpadmin scanner | + | |
| - | root@debian11:/ | + | |
| - | root@debian11:/ | + | |
| - | trainee : trainee adm cdrom floppy audio dip src video plugdev netdev lpadmin scanner | + | |
| - | </ | + | |
| - | + | ||
| - | Pour générer les clefs du serveur, saisissez la commande suivante en tant que **root**. Notez que la passphrase doit être **vide**. | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11:/ | + | |
| - | Generating public/ | + | |
| - | Enter file in which to save the key (/ | + | |
| - | Enter passphrase (empty for no passphrase): | + | |
| - | Enter same passphrase again: | + | |
| - | Your identification has been saved in / | + | |
| - | Your public key has been saved in / | + | |
| - | The key fingerprint is: | + | |
| - | SHA256: | + | |
| - | The key's randomart image is: | + | |
| - | +---[DSA 1024]----+ | + | |
| - | | | + | |
| - | | | + | |
| - | | ..=..o . o.| | + | |
| - | | o+ =. . o..| | + | |
| - | | | + | |
| - | | ==+=o . | | + | |
| - | | o *==o.. . | | + | |
| - | | . ooo=o. o | | + | |
| - | | .o +o... | | + | |
| - | +----[SHA256]-----+ | + | |
| - | root@debian11:/ | + | |
| - | Generating public/ | + | |
| - | Enter file in which to save the key (/ | + | |
| - | / | + | |
| - | Overwrite (y/n)? y | + | |
| - | Enter passphrase (empty for no passphrase): | + | |
| - | Enter same passphrase again: | + | |
| - | Your identification has been saved in / | + | |
| - | Your public key has been saved in / | + | |
| - | The key fingerprint is: | + | |
| - | SHA256: | + | |
| - | The key's randomart image is: | + | |
| - | +---[RSA 3072]----+ | + | |
| - | | =+=+++oo | + | |
| - | | . *o+.o. . | | + | |
| - | | . + = o. ..| | + | |
| - | | o + *.o...| | + | |
| - | | S * =..+o| | + | |
| - | | . * + .+.o| | + | |
| - | | . * + o E | | + | |
| - | | = o o | | + | |
| - | | ... | | + | |
| - | +----[SHA256]-----+ | + | |
| - | root@debian11:/ | + | |
| - | Generating public/ | + | |
| - | Enter file in which to save the key (/ | + | |
| - | / | + | |
| - | Overwrite (y/n)? y | + | |
| - | Enter passphrase (empty for no passphrase): | + | |
| - | Enter same passphrase again: | + | |
| - | Your identification has been saved in / | + | |
| - | Your public key has been saved in / | + | |
| - | The key fingerprint is: | + | |
| - | SHA256: | + | |
| - | The key's randomart image is: | + | |
| - | +---[ECDSA 256]---+ | + | |
| - | | .o..o . ooo. | | + | |
| - | | . o. . o = + ...| | + | |
| - | |. . . + + o.| | + | |
| - | |... | + | |
| - | |.o . S . . | | + | |
| - | |. o + . = .. | | + | |
| - | | | + | |
| - | | = . . *B+.| | + | |
| - | |E... . o** | | + | |
| - | +----[SHA256]-----+ | + | |
| - | root@debian11:/ | + | |
| - | Generating public/ | + | |
| - | Enter file in which to save the key (/ | + | |
| - | / | + | |
| - | Overwrite (y/n)? y | + | |
| - | Enter passphrase (empty for no passphrase): | + | |
| - | Enter same passphrase again: | + | |
| - | Your identification has been saved in / | + | |
| - | Your public key has been saved in / | + | |
| - | The key fingerprint is: | + | |
| - | SHA256: | + | |
| - | The key's randomart image is: | + | |
| - | +--[ED25519 256]--+ | + | |
| - | |..+. .+*o.+oo | + | |
| - | |++ . . oo.o.+ o .| | + | |
| - | |o. o + o o + | | + | |
| - | | .. .. B . o .| | + | |
| - | | | + | |
| - | | ..oo =.=. | | + | |
| - | | .. o +..+ | | + | |
| - | | . .o . | | + | |
| - | | .o. | | + | |
| - | +----[SHA256]-----+ | + | |
| - | </ | + | |
| - | + | ||
| - | Les clefs publiques générées possèdent l' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11:/ | + | |
| - | moduli | + | |
| - | ssh_config | + | |
| - | ssh_config.d | + | |
| - | sshd_config | + | |
| - | </ | + | |
| - | + | ||
| - | Re-démarrez ensuite le service sshd : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11:/ | + | |
| - | root@debian11:/ | + | |
| - | ● ssh.service - OpenBSD Secure Shell server | + | |
| - | | + | |
| - | | + | |
| - | Docs: man: | + | |
| - | | + | |
| - | Process: 4942 ExecStartPre=/ | + | |
| - | Main PID: 4943 (sshd) | + | |
| - | Tasks: 1 (limit: 4632) | + | |
| - | | + | |
| - | CPU: 24ms | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | May 03 11:30:09 debian11.ittraining.loc systemd[1]: Starting OpenBSD Secure Shell ser> | + | |
| - | May 03 11:30:09 debian11.ittraining.loc sshd[4943]: Server listening on 0.0.0.0 port > | + | |
| - | May 03 11:30:09 debian11.ittraining.loc sshd[4943]: Server listening on :: port 22. | + | |
| - | May 03 11:30:09 debian11.ittraining.loc systemd[1]: Started OpenBSD Secure Shell serv> | + | |
| - | lines 1-17/17 (END) | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | ===Configuration du Client=== | + | |
| - | + | ||
| - | Saisissez maintenant les commandes suivantes en tant que **trainee** : | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** - Lors de la génération des clefs, la passphrase doit être **vide**. | + | |
| - | </ | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11:/ | + | |
| - | logout | + | |
| - | trainee@debian11: | + | |
| - | Generating public/ | + | |
| - | Enter file in which to save the key (/ | + | |
| - | Created directory '/ | + | |
| - | Enter passphrase (empty for no passphrase): | + | |
| - | Enter same passphrase again: | + | |
| - | Your identification has been saved in / | + | |
| - | Your public key has been saved in / | + | |
| - | The key fingerprint is: | + | |
| - | SHA256: | + | |
| - | The key's randomart image is: | + | |
| - | +---[DSA 1024]----+ | + | |
| - | | | + | |
| - | | .+oo.B*o+ | + | |
| - | | . . +=.=+o | | + | |
| - | | . . o o +=.| | + | |
| - | | . . S+ ..o= .| | + | |
| - | | . o. o .+ ..| | + | |
| - | | . . ...| | + | |
| - | | . .E .| | + | |
| - | | | + | |
| - | +----[SHA256]-----+ | + | |
| - | trainee@debian11: | + | |
| - | Generating public/ | + | |
| - | Enter file in which to save the key (/ | + | |
| - | Enter passphrase (empty for no passphrase): | + | |
| - | Enter same passphrase again: | + | |
| - | Your identification has been saved in / | + | |
| - | Your public key has been saved in / | + | |
| - | The key fingerprint is: | + | |
| - | SHA256: | + | |
| - | The key's randomart image is: | + | |
| - | +---[RSA 3072]----+ | + | |
| - | | | + | |
| - | | = .. = + | | + | |
| - | | | + | |
| - | | E o X . | | + | |
| - | | | + | |
| - | | | + | |
| - | | . | + | |
| - | | + + + .oo*=| | + | |
| - | | =.= .. .XXB| | + | |
| - | +----[SHA256]-----+ | + | |
| - | trainee@debian11: | + | |
| - | Generating public/ | + | |
| - | Enter file in which to save the key (/ | + | |
| - | Enter passphrase (empty for no passphrase): | + | |
| - | Enter same passphrase again: | + | |
| - | Your identification has been saved in / | + | |
| - | Your public key has been saved in / | + | |
| - | The key fingerprint is: | + | |
| - | SHA256: | + | |
| - | The key's randomart image is: | + | |
| - | +---[ECDSA 256]---+ | + | |
| - | |..o+=o. | + | |
| - | |. +.. o . | | + | |
| - | | .. = o + | | + | |
| - | | .= + + o | | + | |
| - | | ..B | + | |
| - | | | + | |
| - | | oB.B | | + | |
| - | |o++@ . | | + | |
| - | |X+EoB. | + | |
| - | +----[SHA256]-----+ | + | |
| - | trainee@debian11: | + | |
| - | Generating public/ | + | |
| - | Enter file in which to save the key (/ | + | |
| - | Enter passphrase (empty for no passphrase): | + | |
| - | Enter same passphrase again: | + | |
| - | Your identification has been saved in / | + | |
| - | Your public key has been saved in / | + | |
| - | The key fingerprint is: | + | |
| - | SHA256: | + | |
| - | The key's randomart image is: | + | |
| - | +--[ED25519 256]--+ | + | |
| - | | | | + | |
| - | | . . | | + | |
| - | | o + | | + | |
| - | | .* = | + | |
| - | | | + | |
| - | | . ++oOE+ * * | | + | |
| - | | . +* =.= O .| | + | |
| - | | | + | |
| - | | | + | |
| - | +----[SHA256]-----+ | + | |
| - | </ | + | |
| - | + | ||
| - | Les clés générées seront placées dans le répertoire **~/.ssh/** : | + | |
| - | + | ||
| - | < | + | |
| - | trainee@debian11: | + | |
| - | id_dsa | + | |
| - | id_dsa.pub | + | |
| - | </ | + | |
| - | + | ||
| - | ===Tunnels SSH=== | + | |
| - | + | ||
| - | Le protocole SSH peut être utilisé pour sécuriser les protocoles tels telnet, pop3 etc.. En effet, on peut créer un //tunnel// SSH dans lequel passe les communications du protocole non-sécurisé. | + | |
| - | + | ||
| - | La commande pour créer un tunnel ssh prend la forme suivante : | + | |
| - | + | ||
| - | ssh -N -f compte@hôte -Lport-local: | + | |
| - | + | ||
| - | Dans votre cas, vous allez créer un tunnel dans votre propre VM entre le port 15023 et le port 23 : | + | |
| - | + | ||
| - | < | + | |
| - | trainee@debian11: | + | |
| - | Password: fenestros | + | |
| - | root@debian11: | + | |
| - | The authenticity of host ' | + | |
| - | ECDSA key fingerprint is SHA256: | + | |
| - | Are you sure you want to continue connecting (yes/ | + | |
| - | Warning: Permanently added ' | + | |
| - | Debian GNU/Linux 11 | + | |
| - | trainee@localhost' | + | |
| - | </ | + | |
| - | + | ||
| - | Installez maintenant le serveur telnet : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | </ | + | |
| - | + | ||
| - | Vérifiez que le service **inetd** est démarré : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | ● inetd.service - Internet superserver | + | |
| - | | + | |
| - | | + | |
| - | Docs: man: | + | |
| - | Main PID: 5110 (inetd) | + | |
| - | Tasks: 1 (limit: 4632) | + | |
| - | | + | |
| - | CPU: 7ms | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | May 03 11:55:27 debian11.ittraining.loc systemd[1]: Starting Internet superserver... | + | |
| - | May 03 11:55:27 debian11.ittraining.loc systemd[1]: Started Internet superserver. | + | |
| - | </ | + | |
| - | + | ||
| - | Connectez-vous ensuite via telnet sur le port 15023, vous constaterez que votre connexion n' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | Trying ::1... | + | |
| - | Connected to localhost. | + | |
| - | Escape character is ' | + | |
| - | Debian GNU/Linux 11 | + | |
| - | debian11.ittraining.loc login: trainee | + | |
| - | Password: trainee | + | |
| - | Linux debian11.ittraining.loc 5.17.0-1-amd64 #1 SMP PREEMPT Debian 5.17.3-1 (2022-04-18) x86_64 | + | |
| - | + | ||
| - | The programs included with the Debian GNU/Linux system are free software; | + | |
| - | the exact distribution terms for each program are described in the | + | |
| - | individual files in / | + | |
| - | + | ||
| - | Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent | + | |
| - | permitted by applicable law. | + | |
| - | Last login: Tue May 3 08:57:59 CEST 2022 from 10.0.2.1 on pts/0 | + | |
| - | + | ||
| - | trainee@debian11: | + | |
| - | trainee | + | |
| - | + | ||
| - | trainee@debian11: | + | |
| - | / | + | |
| - | + | ||
| - | trainee@debian11: | + | |
| - | logout | + | |
| - | Connection closed by foreign host. | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** - Notez bien que votre communication telnet passe par le tunnel SSH. | + | |
| - | </ | + | |
| - | + | ||
| - | ====3.5 - SCP==== | + | |
| - | + | ||
| - | ===Présentation=== | + | |
| - | + | ||
| - | La commande **scp** est le successeur et la remplaçante de la commande **rcp** de la famille des commandes **remote**. Il permet de faire des transferts sécurisés à partir d'une machine distante : | + | |
| - | + | ||
| - | $ scp compte@numero_ip(nom_de_machine):/ | + | |
| - | + | ||
| - | ou vers une machine distante : | + | |
| - | + | ||
| - | $ scp / | + | |
| - | + | ||
| - | ===Utilisation=== | + | |
| - | + | ||
| - | Nous allons maintenant utiliser **scp** pour chercher un fichier sur le << | + | |
| - | + | ||
| - | Créez le fichier **/ | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ touch scp-test | + | |
| - | [trainee@centos8 ~]$ exit | + | |
| - | logout | + | |
| - | Connection closed by foreign host. | + | |
| - | [root@centos8 ~]# | + | |
| - | </ | + | |
| - | + | ||
| - | Récupérez le fichier **scp_test** en utilisant scp : | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# scp trainee@127.0.0.1:/ | + | |
| - | The authenticity of host ' | + | |
| - | ECDSA key fingerprint is SHA256: | + | |
| - | Are you sure you want to continue connecting (yes/ | + | |
| - | Warning: Permanently added ' | + | |
| - | \S | + | |
| - | Kernel \r on an \m | + | |
| - | trainee@127.0.0.1' | + | |
| - | scp-test | + | |
| - | + | ||
| - | [root@centos8 ~]# ls -l | + | |
| - | total 32 | + | |
| - | -rw-------. 1 root root 1358 Jun 16 06:40 anaconda-ks.cfg | + | |
| - | drwxr-xr-x. 3 root root 21 Jun 16 06:39 home | + | |
| - | -rw-r--r--. 1 root root 1749 Aug 24 11:20 I2TCH.asc | + | |
| - | -rw-r--r--. 1 root root 1853 Jun 16 06:54 initial-setup-ks.cfg | + | |
| - | -rw-r--r--. 1 root root 31 Aug 24 11:22 message.txt | + | |
| - | -rw-r--r--. 1 root root 561 Aug 24 11:32 message.txt.asc | + | |
| - | -rw-r--r--. 1 root root 367 Aug 24 11:30 message.txt.gpg | + | |
| - | -rw-r--r--. 1 root root 329 Aug 24 11:23 message.txt.sig | + | |
| - | -rw-r--r--. 1 root root 0 Aug 30 03:55 scp-test | + | |
| - | -rw-r--r--. 1 root root 46 Aug 29 06:22 wget_file.txt | + | |
| - | </ | + | |
| - | + | ||
| - | ====3.6 - Mise en Place des Clefs Asymétriques==== | + | |
| - | + | ||
| - | Il convient maintenant de se connecter sur le << | + | |
| - | + | ||
| - | < | + | |
| - | [root@centos8 ~]# ssh -l trainee 127.0.0.1 | + | |
| - | \S | + | |
| - | Kernel \r on an \m | + | |
| - | trainee@127.0.0.1' | + | |
| - | Activate the web console with: systemctl enable --now cockpit.socket | + | |
| - | + | ||
| - | [trainee@centos8 ~]$ ls -la | grep .ssh | + | |
| - | drwx------. | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** - Si le dossier distant .ssh n' | + | |
| - | </ | + | |
| - | + | ||
| - | Ensuite, il convient de transférer le fichier local **.ssh/ | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ exit | + | |
| - | logout | + | |
| - | Connection to 127.0.0.1 closed. | + | |
| - | + | ||
| - | [root@centos8 ~]# exit | + | |
| - | logout | + | |
| - | + | ||
| - | [trainee@centos8 ~]$ scp .ssh/ | + | |
| - | The authenticity of host ' | + | |
| - | ECDSA key fingerprint is SHA256: | + | |
| - | Are you sure you want to continue connecting (yes/ | + | |
| - | Warning: Permanently added ' | + | |
| - | \S | + | |
| - | Kernel \r on an \m | + | |
| - | trainee@127.0.0.1' | + | |
| - | id_ecdsa.pub | + | |
| - | </ | + | |
| - | + | ||
| - | Connectez-vous via telnet : | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ ssh -l trainee localhost | + | |
| - | The authenticity of host ' | + | |
| - | ECDSA key fingerprint is SHA256: | + | |
| - | Are you sure you want to continue connecting (yes/ | + | |
| - | Warning: Permanently added ' | + | |
| - | \S | + | |
| - | Kernel \r on an \m | + | |
| - | Activate the web console with: systemctl enable --now cockpit.socket | + | |
| - | + | ||
| - | Last login: Mon Aug 30 03:57:14 2021 from 127.0.0.1 | + | |
| - | [trainee@centos8 ~]$ | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 60%> | + | |
| - | **Important** - Lors de la connexion au serveur, l' | + | |
| - | </ | + | |
| - | + | ||
| - | Insérez maintenant les clefs publiques restantes dans le fichier .ssh/ | + | |
| - | + | ||
| - | < | + | |
| - | [trainee@centos8 ~]$ cd .ssh | + | |
| - | [trainee@centos8 .ssh]$ ls | + | |
| - | authorized_keys | + | |
| - | [trainee@centos8 .ssh]$ cat authorized_keys | + | |
| - | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHDrzSXP+Ecxf/ | + | |
| - | + | ||
| - | [trainee@centos8 .ssh]$ cat id_rsa.pub >> authorized_keys | + | |
| - | [trainee@centos8 .ssh]$ cat id_dsa.pub >> authorized_keys | + | |
| - | [trainee@centos8 .ssh]$ cat id_ed25519.pub >> authorized_keys | + | |
| - | + | ||
| - | [trainee@centos8 .ssh]$ cat authorized_keys | + | |
| - | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHDrzSXP+Ecxf/ | + | |
| - | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQD3ZSMn/ | + | |
| - | ssh-dss AAAAB3NzaC1kc3MAAACBALIdwEEqHrMWSUdzARm9ldsZK9ebbtZShtmwgdjphOk77fxymK0y6wV7QEmLL25LOcLb12uZ1F0LtRt/ | + | |
| - | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfFQULLU8IZyKiSU63D2Zz6yGLqyHcBHnCRdSR9JSmc trainee@centos8.ittraining.loc | + | |
| - | </ | + | |
| - | + | ||
| - | ====3.7 - Services réseaux ==== | + | |
| - | + | ||
| - | Quand un client émet une demande de connexion vers une application réseau sur un serveur, il utilise un socket attaché à un port local **supérieur à 1023**, alloué d'une manière dynamique. La requête contient le port de destination sur le serveur. Certaines applications serveurs se gèrent toutes seules, ce qui est la cas par exemple d' | + | |
| - | + | ||
| - | === inetd === | + | |
| - | + | ||
| - | Le programme inetd est configuré via le fichier **/ | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | # / | + | |
| - | # | + | |
| - | # Internet superserver configuration database | + | |
| - | # | + | |
| - | # | + | |
| - | # Lines starting with "#: | + | |
| - | # be changed unless you know what you are doing! | + | |
| - | # | + | |
| - | # If you want to disable an entry so it isn't touched during | + | |
| - | # package updates just comment it out with a single '#' | + | |
| - | # | + | |
| - | # Packages should modify this file by using update-inetd(8) | + | |
| - | # | + | |
| - | # < | + | |
| - | # | + | |
| - | #:INTERNAL: Internal services | + | |
| - | # | + | |
| - | # | + | |
| - | # | + | |
| - | #time | + | |
| - | + | ||
| - | #:STANDARD: These are standard services. | + | |
| - | telnet | + | |
| - | + | ||
| - | #:BSD: Shell, login, exec and talk are BSD protocols. | + | |
| - | + | ||
| - | #:MAIL: Mail, news and uucp services. | + | |
| - | + | ||
| - | #:INFO: Info services | + | |
| - | + | ||
| - | #:BOOT: TFTP service is provided primarily for booting. | + | |
| - | # run this only on machines acting as "boot servers." | + | |
| - | + | ||
| - | #:RPC: RPC based services | + | |
| - | + | ||
| - | #: | + | |
| - | + | ||
| - | #:OTHER: Other services | + | |
| - | </ | + | |
| - | + | ||
| - | Les lignes de configuration des serveurs ressemblent à : | + | |
| - | + | ||
| - | < | + | |
| - | telnet | + | |
| - | </ | + | |
| - | + | ||
| - | Le premier champs de la ligne identifie le nom du port qui identifie l' | + | |
| - | + | ||
| - | Le deuxième et le troisième champs définissent le type de protocole, à savoir: | + | |
| - | + | ||
| - | * stream tcp pour le tcp | + | |
| - | * dgram udp pour l' | + | |
| - | + | ||
| - | Le quatrième champs prend un de deux valeurs: | + | |
| - | + | ||
| - | * nowait | + | |
| - | * indique qu'il y aura un serveur par client | + | |
| - | * wait | + | |
| - | * indique qu'il y aura un seul serveur pour l' | + | |
| - | + | ||
| - | Le cinquième champs indique l' | + | |
| - | + | ||
| - | Le sixième champs indique l' | + | |
| - | + | ||
| - | Le septième champs indique les arguments de l' | + | |
| - | + | ||
| - | == TCP Wrapper == | + | |
| - | + | ||
| - | Lors de l' | + | |
| - | + | ||
| - | < | + | |
| - | telnet | + | |
| - | </ | + | |
| - | + | ||
| - | Quand une requête arrive pour le serveur telnet, inetd active le wrapper **tcpd** au lieu d' | + | |
| - | + | ||
| - | **tcpd** met à jour un journal et vérifie si le client a le droit d' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | # / | + | |
| - | # See the manual pages hosts_access(5) and hosts_options(5). | + | |
| - | # | + | |
| - | # Example: | + | |
| - | # ALL: .foobar.edu EXCEPT terminalserver.foobar.edu | + | |
| - | # | + | |
| - | # If you're going to protect the portmapper use the name " | + | |
| - | # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. | + | |
| - | # | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | # / | + | |
| - | # See the manual pages hosts_access(5) and hosts_options(5). | + | |
| - | # | + | |
| - | # Example: | + | |
| - | # ALL EXCEPT in.fingerd: other.host.name, | + | |
| - | # | + | |
| - | # If you're going to protect the portmapper use the name " | + | |
| - | # daemon name. See rpcbind(8) and rpc.mountd(8) for further information. | + | |
| - | # | + | |
| - | # The PARANOID wildcard matches any host whose name does not match its | + | |
| - | # address. | + | |
| - | # | + | |
| - | # You may wish to enable this to ensure any programs that don' | + | |
| - | # validate looked up hostnames still leave understandable logs. In past | + | |
| - | # versions of Debian this has been the default. | + | |
| - | # ALL: PARANOID | + | |
| - | </ | + | |
| - | + | ||
| - | Il faut noter que si ces fichiers n' | + | |
| - | + | ||
| - | Le format d'une ligne dans un de ces deux fichiers est: | + | |
| - | + | ||
| - | < | + | |
| - | démon: liste_de_clients | + | |
| - | </ | + | |
| - | + | ||
| - | Par exemple dans le cas de notre serveur telnetd, une ligne dans le fichier **/ | + | |
| - | + | ||
| - | < | + | |
| - | in.telnetd: 192.168.1.10, | + | |
| - | </ | + | |
| - | + | ||
| - | implique que la machine dont le numéro IP est le 192.168.1.10 ainsi que les machines du domaine **fenestros.com** sont autorisées à utiliser le service. | + | |
| - | + | ||
| - | Le mot clef **ALL** peut être utilisé pour indiquer tout. Par exemple, **ALL:ALL** dans le fichier **/ | + | |
| - | + | ||
| - | =====LAB #4 - Le Parefeu Netfilter===== | + | |
| - | + | ||
| - | ====4.1 - Présentation==== | + | |
| - | + | ||
| - | **Netfilter** est composé de 5 //hooks// : | + | |
| - | + | ||
| - | * NF_IP_PRE_ROUTING | + | |
| - | * NF_IP_LOCAL_IN | + | |
| - | * NF_IP_LOCAL_OUT | + | |
| - | * NF_IP_FORWARD | + | |
| - | * NF_IP_POSTROUTING | + | |
| - | + | ||
| - | Ces hooks sont utilisés par deux branches, la première est celle concernée par les paquets qui entrent vers des services locaux : | + | |
| - | + | ||
| - | * NF_IP_PRE_ROUTING > NF_IP_LOCAL_IN > NF_IP_LOCAL_OUT > NF_IP_POSTROUTING | + | |
| - | + | ||
| - | tandis que la deuxième concerne les paquets qui traversent la passerelle: | + | |
| - | + | ||
| - | * NF_IP_PRE_ROUTING > NF_IP_FORWARD > NF_IP_POSTROUTING | + | |
| - | + | ||
| - | Si IPTABLES a été compilé en tant que module, son utilisation nécessite le chargement de plusieurs modules supplémentaires en fonction de la situation: | + | |
| - | + | ||
| - | * iptable_filter | + | |
| - | * iptable_mangle | + | |
| - | * iptable_net | + | |
| - | * etc | + | |
| - | + | ||
| - | Netfilter est organisé en **tables**. La commande **iptables** de netfilter permet d' | + | |
| - | + | ||
| - | * La table **FILTER** | + | |
| - | * La chaîne INPUT | + | |
| - | * Concerne les paquets entrants | + | |
| - | * Policies: ACCEPT, DROP, REJECT | + | |
| - | * La chaîne OUTPUT | + | |
| - | * Concerne les paquets sortants | + | |
| - | * Policies: ACCEPT, DROP, REJECT | + | |
| - | * La chaîne FORWARD | + | |
| - | * Concerne les paquets traversant le par-feu. | + | |
| - | * Policies: ACCEPT, DROP, REJECT | + | |
| - | + | ||
| - | Si aucune table n'est précisée, c'est la table FILTER qui s' | + | |
| - | + | ||
| - | * La table **NAT** | + | |
| - | * La chaîne PREROUTING | + | |
| - | * Permet de faire la translation d' | + | |
| - | * Cibles: SNAT, DNAT, MASQUERADE | + | |
| - | * La chaîne POSTROUTING | + | |
| - | * Permet de faire la translation d' | + | |
| - | * Cibles: SNAT, DNAT, MASQUERADE | + | |
| - | * Le cas spécifique OUTPUT | + | |
| - | * Permet la modification de la destination des paquets générés localement | + | |
| - | + | ||
| - | * La table **MANGLE** | + | |
| - | * Permet le marquage de paquets générés localement (OUTPUT) et entrants (PREROUTING) | + | |
| - | + | ||
| - | Les **policies** sont: | + | |
| - | + | ||
| - | * ACCEPT | + | |
| - | * Permet d' | + | |
| - | * DROP | + | |
| - | * Permet de rejeter le paquet concerné sans générer un message d' | + | |
| - | * REJECT | + | |
| - | * Permet de rejeter le paquet concerné en générant une message d' | + | |
| - | + | ||
| - | Les **cibles** sont: | + | |
| - | + | ||
| - | * SNAT | + | |
| - | * Permet de modifier l' | + | |
| - | * DNAT | + | |
| - | * Permet de modifier l' | + | |
| - | * MASQUERADE | + | |
| - | * Permet de remplacer l' | + | |
| - | + | ||
| - | ====4.2 - La Configuration de Netfilter par firewalld==== | + | |
| - | + | ||
| - | firewalld est à Netfilter ce que NetworkManager est au réseau. firewalld utilise des **zones** - des jeux de règles pré-définis dans lesquels sont placés les interfaces : | + | |
| - | + | ||
| - | * **trusted** - un réseau fiable. Dans ce cas tous les ports sont autorisés, | + | |
| - | * **work**, **home**, **internal** - un réseau partiellement fiable. Dans ce cas quelques ports sont autorisés, | + | |
| - | * **dmz**, **public**, **external** - un réseau non fiable. Dans ce cas peu de ports sont autorisés, | + | |
| - | * **block**, **drop** - tout est interdit. La zone drop n' | + | |
| - | + | ||
| - | <WRAP center round important> | + | |
| - | **Important** - Une interface ne peut être que dans une zone à la fois tandis que plusieurs interfaces peuvent être dans la même zone. | + | |
| - | </ | + | |
| - | + | ||
| - | Sous Debian 11, firewalld n'est pas installé par défaut : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | </ | + | |
| - | + | ||
| - | Le service firewalld est déjà lancé et activé : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | ● firewalld.service - firewalld - dynamic firewall daemon | + | |
| - | | + | |
| - | | + | |
| - | Docs: man: | + | |
| - | Main PID: 5695 (firewalld) | + | |
| - | Tasks: 2 (limit: 4632) | + | |
| - | | + | |
| - | CPU: 619ms | + | |
| - | | + | |
| - | | + | |
| - | + | ||
| - | May 03 15:17:02 debian11.ittraining.loc systemd[1]: Starting firewalld - dynamic fire> | + | |
| - | May 03 15:17:03 debian11.ittraining.loc systemd[1]: Started firewalld - dynamic firew> | + | |
| - | lines 1-13/13 (END) | + | |
| - | [q] | + | |
| - | </ | + | |
| - | + | ||
| - | ===La Configuration de Base de firewalld=== | + | |
| - | + | ||
| - | La configuration par défaut de firewalld se trouve dans **/ | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | / | + | |
| - | total 32 | + | |
| - | drwxr-xr-x 2 root root 4096 May 3 15:16 helpers | + | |
| - | drwxr-xr-x 2 root root 4096 May 3 15:16 icmptypes | + | |
| - | drwxr-xr-x 2 root root 4096 May 3 15:16 ipsets | + | |
| - | drwxr-xr-x 2 root root 4096 May 3 15:16 policies | + | |
| - | drwxr-xr-x 2 root root 12288 May 3 15:16 services | + | |
| - | drwxr-xr-x 2 root root 4096 May 3 15:16 zones | + | |
| - | + | ||
| - | / | + | |
| - | total 52 | + | |
| - | -rw-r--r-- 1 root root 125 Feb 1 2021 amanda.xml | + | |
| - | -rw-r--r-- 1 root root 119 Feb 1 2021 ftp.xml | + | |
| - | -rw-r--r-- 1 root root 85 Feb 1 2021 h323.xml | + | |
| - | -rw-r--r-- 1 root root 134 Feb 1 2021 irc.xml | + | |
| - | -rw-r--r-- 1 root root 141 Feb 1 2021 netbios-ns.xml | + | |
| - | -rw-r--r-- 1 root root 136 Feb 1 2021 pptp.xml | + | |
| - | -rw-r--r-- 1 root root 90 Feb 1 2021 proto-gre.xml | + | |
| - | -rw-r--r-- 1 root root 122 Feb 1 2021 Q.931.xml | + | |
| - | -rw-r--r-- 1 root root 122 Feb 1 2021 RAS.xml | + | |
| - | -rw-r--r-- 1 root root 122 Feb 1 2021 sane.xml | + | |
| - | -rw-r--r-- 1 root root 158 Feb 1 2021 sip.xml | + | |
| - | -rw-r--r-- 1 root root 135 Feb 1 2021 snmp.xml | + | |
| - | -rw-r--r-- 1 root root 120 Feb 1 2021 tftp.xml | + | |
| - | + | ||
| - | / | + | |
| - | total 180 | + | |
| - | -rw-r--r-- 1 root root 385 Feb 1 2021 address-unreachable.xml | + | |
| - | -rw-r--r-- 1 root root 258 Feb 1 2021 bad-header.xml | + | |
| - | -rw-r--r-- 1 root root 294 Feb 1 2021 beyond-scope.xml | + | |
| - | -rw-r--r-- 1 root root 279 Feb 1 2021 communication-prohibited.xml | + | |
| - | -rw-r--r-- 1 root root 222 Feb 1 2021 destination-unreachable.xml | + | |
| - | -rw-r--r-- 1 root root 173 Feb 1 2021 echo-reply.xml | + | |
| - | -rw-r--r-- 1 root root 210 Feb 1 2021 echo-request.xml | + | |
| - | -rw-r--r-- 1 root root 261 Feb 1 2021 failed-policy.xml | + | |
| - | -rw-r--r-- 1 root root 280 Feb 1 2021 fragmentation-needed.xml | + | |
| - | -rw-r--r-- 1 root root 266 Feb 1 2021 host-precedence-violation.xml | + | |
| - | -rw-r--r-- 1 root root 257 Feb 1 2021 host-prohibited.xml | + | |
| - | -rw-r--r-- 1 root root 242 Feb 1 2021 host-redirect.xml | + | |
| - | -rw-r--r-- 1 root root 239 Feb 1 2021 host-unknown.xml | + | |
| - | -rw-r--r-- 1 root root 247 Feb 1 2021 host-unreachable.xml | + | |
| - | -rw-r--r-- 1 root root 229 Feb 1 2021 ip-header-bad.xml | + | |
| - | -rw-r--r-- 1 root root 355 Feb 1 2021 neighbour-advertisement.xml | + | |
| - | -rw-r--r-- 1 root root 457 Feb 1 2021 neighbour-solicitation.xml | + | |
| - | -rw-r--r-- 1 root root 250 Feb 1 2021 network-prohibited.xml | + | |
| - | -rw-r--r-- 1 root root 248 Feb 1 2021 network-redirect.xml | + | |
| - | -rw-r--r-- 1 root root 239 Feb 1 2021 network-unknown.xml | + | |
| - | -rw-r--r-- 1 root root 247 Feb 1 2021 network-unreachable.xml | + | |
| - | -rw-r--r-- 1 root root 239 Feb 1 2021 no-route.xml | + | |
| - | -rw-r--r-- 1 root root 328 Feb 1 2021 packet-too-big.xml | + | |
| - | -rw-r--r-- 1 root root 225 Feb 1 2021 parameter-problem.xml | + | |
| - | -rw-r--r-- 1 root root 233 Feb 1 2021 port-unreachable.xml | + | |
| - | -rw-r--r-- 1 root root 256 Feb 1 2021 precedence-cutoff.xml | + | |
| - | -rw-r--r-- 1 root root 249 Feb 1 2021 protocol-unreachable.xml | + | |
| - | -rw-r--r-- 1 root root 185 Feb 1 2021 redirect.xml | + | |
| - | -rw-r--r-- 1 root root 244 Feb 1 2021 reject-route.xml | + | |
| - | -rw-r--r-- 1 root root 241 Feb 1 2021 required-option-missing.xml | + | |
| - | -rw-r--r-- 1 root root 227 Feb 1 2021 router-advertisement.xml | + | |
| - | -rw-r--r-- 1 root root 223 Feb 1 2021 router-solicitation.xml | + | |
| - | -rw-r--r-- 1 root root 248 Feb 1 2021 source-quench.xml | + | |
| - | -rw-r--r-- 1 root root 236 Feb 1 2021 source-route-failed.xml | + | |
| - | -rw-r--r-- 1 root root 253 Feb 1 2021 time-exceeded.xml | + | |
| - | -rw-r--r-- 1 root root 233 Feb 1 2021 timestamp-reply.xml | + | |
| - | -rw-r--r-- 1 root root 228 Feb 1 2021 timestamp-request.xml | + | |
| - | -rw-r--r-- 1 root root 258 Feb 1 2021 tos-host-redirect.xml | + | |
| - | -rw-r--r-- 1 root root 257 Feb 1 2021 tos-host-unreachable.xml | + | |
| - | -rw-r--r-- 1 root root 272 Feb 1 2021 tos-network-redirect.xml | + | |
| - | -rw-r--r-- 1 root root 269 Feb 1 2021 tos-network-unreachable.xml | + | |
| - | -rw-r--r-- 1 root root 293 Feb 1 2021 ttl-zero-during-reassembly.xml | + | |
| - | -rw-r--r-- 1 root root 256 Feb 1 2021 ttl-zero-during-transit.xml | + | |
| - | -rw-r--r-- 1 root root 259 Feb 1 2021 unknown-header-type.xml | + | |
| - | -rw-r--r-- 1 root root 249 Feb 1 2021 unknown-option.xml | + | |
| - | + | ||
| - | / | + | |
| - | total 4 | + | |
| - | -rw-r--r-- 1 root root 29 Feb 1 2021 README | + | |
| - | + | ||
| - | / | + | |
| - | total 4 | + | |
| - | -rw-r--r-- 1 root root 649 Feb 1 2021 allow-host-ipv6.xml | + | |
| - | + | ||
| - | / | + | |
| - | total 700 | + | |
| - | -rw-r--r-- 1 root root 399 Feb 1 2021 amanda-client.xml | + | |
| - | -rw-r--r-- 1 root root 427 Feb 1 2021 amanda-k5-client.xml | + | |
| - | -rw-r--r-- 1 root root 283 Feb 1 2021 amqps.xml | + | |
| - | -rw-r--r-- 1 root root 273 Feb 1 2021 amqp.xml | + | |
| - | -rw-r--r-- 1 root root 285 Feb 1 2021 apcupsd.xml | + | |
| - | -rw-r--r-- 1 root root 301 Feb 1 2021 audit.xml | + | |
| - | -rw-r--r-- 1 root root 320 Feb 1 2021 bacula-client.xml | + | |
| - | -rw-r--r-- 1 root root 346 Feb 1 2021 bacula.xml | + | |
| - | -rw-r--r-- 1 root root 429 Feb 1 2021 bb.xml | + | |
| - | -rw-r--r-- 1 root root 339 Feb 1 2021 bgp.xml | + | |
| - | -rw-r--r-- 1 root root 275 Feb 1 2021 bitcoin-rpc.xml | + | |
| - | -rw-r--r-- 1 root root 307 Feb 1 2021 bitcoin-testnet-rpc.xml | + | |
| - | -rw-r--r-- 1 root root 281 Feb 1 2021 bitcoin-testnet.xml | + | |
| - | -rw-r--r-- 1 root root 244 Feb 1 2021 bitcoin.xml | + | |
| - | -rw-r--r-- 1 root root 410 Feb 1 2021 bittorrent-lsd.xml | + | |
| - | -rw-r--r-- 1 root root 294 Feb 1 2021 ceph-mon.xml | + | |
| - | -rw-r--r-- 1 root root 329 Feb 1 2021 ceph.xml | + | |
| - | -rw-r--r-- 1 root root 168 Feb 1 2021 cfengine.xml | + | |
| - | -rw-r--r-- 1 root root 211 Feb 1 2021 cockpit.xml | + | |
| - | -rw-r--r-- 1 root root 296 Feb 1 2021 collectd.xml | + | |
| - | -rw-r--r-- 1 root root 260 Feb 1 2021 condor-collector.xml | + | |
| - | -rw-r--r-- 1 root root 296 Feb 1 2021 ctdb.xml | + | |
| - | -rw-r--r-- 1 root root 305 Feb 1 2021 dhcpv6-client.xml | + | |
| - | -rw-r--r-- 1 root root 234 Feb 1 2021 dhcpv6.xml | + | |
| - | -rw-r--r-- 1 root root 227 Feb 1 2021 dhcp.xml | + | |
| - | -rw-r--r-- 1 root root 205 Feb 1 2021 distcc.xml | + | |
| - | -rw-r--r-- 1 root root 318 Feb 1 2021 dns-over-tls.xml | + | |
| - | -rw-r--r-- 1 root root 346 Feb 1 2021 dns.xml | + | |
| - | -rw-r--r-- 1 root root 374 Feb 1 2021 docker-registry.xml | + | |
| - | -rw-r--r-- 1 root root 391 Feb 1 2021 docker-swarm.xml | + | |
| - | -rw-r--r-- 1 root root 228 Feb 1 2021 dropbox-lansync.xml | + | |
| - | -rw-r--r-- 1 root root 338 Feb 1 2021 elasticsearch.xml | + | |
| - | -rw-r--r-- 1 root root 304 Feb 1 2021 etcd-client.xml | + | |
| - | -rw-r--r-- 1 root root 304 Feb 1 2021 etcd-server.xml | + | |
| - | -rw-r--r-- 1 root root 224 Feb 1 2021 finger.xml | + | |
| - | -rw-r--r-- 1 root root 270 Feb 1 2021 foreman-proxy.xml | + | |
| - | -rw-r--r-- 1 root root 408 Feb 1 2021 foreman.xml | + | |
| - | -rw-r--r-- 1 root root 709 Feb 1 2021 freeipa-4.xml | + | |
| - | -rw-r--r-- 1 root root 489 Feb 1 2021 freeipa-ldaps.xml | + | |
| - | -rw-r--r-- 1 root root 488 Feb 1 2021 freeipa-ldap.xml | + | |
| - | -rw-r--r-- 1 root root 242 Feb 1 2021 freeipa-replication.xml | + | |
| - | -rw-r--r-- 1 root root 657 Feb 1 2021 freeipa-trust.xml | + | |
| - | -rw-r--r-- 1 root root 361 Feb 1 2021 ftp.xml | + | |
| - | -rw-r--r-- 1 root root 184 Feb 1 2021 ganglia-client.xml | + | |
| - | -rw-r--r-- 1 root root 176 Feb 1 2021 ganglia-master.xml | + | |
| - | -rw-r--r-- 1 root root 212 Feb 1 2021 git.xml | + | |
| - | -rw-r--r-- 1 root root 218 Feb 1 2021 grafana.xml | + | |
| - | -rw-r--r-- 1 root root 119 Feb 1 2021 gre.xml | + | |
| - | -rw-r--r-- 1 root root 608 Feb 1 2021 high-availability.xml | + | |
| - | -rw-r--r-- 1 root root 448 Feb 1 2021 https.xml | + | |
| - | -rw-r--r-- 1 root root 353 Feb 1 2021 http.xml | + | |
| - | -rw-r--r-- 1 root root 372 Feb 1 2021 imaps.xml | + | |
| - | -rw-r--r-- 1 root root 327 Feb 1 2021 imap.xml | + | |
| - | -rw-r--r-- 1 root root 454 Feb 1 2021 ipp-client.xml | + | |
| - | -rw-r--r-- 1 root root 427 Feb 1 2021 ipp.xml | + | |
| - | -rw-r--r-- 1 root root 894 Feb 1 2021 ipsec.xml | + | |
| - | -rw-r--r-- 1 root root 255 Feb 1 2021 ircs.xml | + | |
| - | -rw-r--r-- 1 root root 247 Feb 1 2021 irc.xml | + | |
| - | -rw-r--r-- 1 root root 264 Feb 1 2021 iscsi-target.xml | + | |
| - | -rw-r--r-- 1 root root 358 Feb 1 2021 isns.xml | + | |
| - | -rw-r--r-- 1 root root 213 Feb 1 2021 jenkins.xml | + | |
| - | -rw-r--r-- 1 root root 182 Feb 1 2021 kadmin.xml | + | |
| - | -rw-r--r-- 1 root root 272 Feb 1 2021 kdeconnect.xml | + | |
| - | -rw-r--r-- 1 root root 233 Feb 1 2021 kerberos.xml | + | |
| - | -rw-r--r-- 1 root root 384 Feb 1 2021 kibana.xml | + | |
| - | -rw-r--r-- 1 root root 249 Feb 1 2021 klogin.xml | + | |
| - | -rw-r--r-- 1 root root 221 Feb 1 2021 kpasswd.xml | + | |
| - | -rw-r--r-- 1 root root 182 Feb 1 2021 kprop.xml | + | |
| - | -rw-r--r-- 1 root root 242 Feb 1 2021 kshell.xml | + | |
| - | -rw-r--r-- 1 root root 308 Feb 1 2021 kube-apiserver.xml | + | |
| - | -rw-r--r-- 1 root root 232 Feb 1 2021 ldaps.xml | + | |
| - | -rw-r--r-- 1 root root 199 Feb 1 2021 ldap.xml | + | |
| - | -rw-r--r-- 1 root root 385 Feb 1 2021 libvirt-tls.xml | + | |
| - | -rw-r--r-- 1 root root 389 Feb 1 2021 libvirt.xml | + | |
| - | -rw-r--r-- 1 root root 269 Feb 1 2021 lightning-network.xml | + | |
| - | -rw-r--r-- 1 root root 324 Feb 1 2021 llmnr.xml | + | |
| - | -rw-r--r-- 1 root root 349 Feb 1 2021 managesieve.xml | + | |
| - | -rw-r--r-- 1 root root 432 Feb 1 2021 matrix.xml | + | |
| - | -rw-r--r-- 1 root root 424 Feb 1 2021 mdns.xml | + | |
| - | -rw-r--r-- 1 root root 245 Feb 1 2021 memcache.xml | + | |
| - | -rw-r--r-- 1 root root 343 Feb 1 2021 minidlna.xml | + | |
| - | -rw-r--r-- 1 root root 237 Feb 1 2021 mongodb.xml | + | |
| - | -rw-r--r-- 1 root root 473 Feb 1 2021 mosh.xml | + | |
| - | -rw-r--r-- 1 root root 211 Feb 1 2021 mountd.xml | + | |
| - | -rw-r--r-- 1 root root 296 Feb 1 2021 mqtt-tls.xml | + | |
| - | -rw-r--r-- 1 root root 287 Feb 1 2021 mqtt.xml | + | |
| - | -rw-r--r-- 1 root root 170 Feb 1 2021 mssql.xml | + | |
| - | -rw-r--r-- 1 root root 190 Feb 1 2021 ms-wbt.xml | + | |
| - | -rw-r--r-- 1 root root 242 Feb 1 2021 murmur.xml | + | |
| - | -rw-r--r-- 1 root root 171 Feb 1 2021 mysql.xml | + | |
| - | -rw-r--r-- 1 root root 250 Feb 1 2021 nbd.xml | + | |
| - | -rw-r--r-- 1 root root 342 Feb 1 2021 nfs3.xml | + | |
| - | -rw-r--r-- 1 root root 324 Feb 1 2021 nfs.xml | + | |
| - | -rw-r--r-- 1 root root 293 Feb 1 2021 nmea-0183.xml | + | |
| - | -rw-r--r-- 1 root root 247 Feb 1 2021 nrpe.xml | + | |
| - | -rw-r--r-- 1 root root 389 Feb 1 2021 ntp.xml | + | |
| - | -rw-r--r-- 1 root root 368 Feb 1 2021 nut.xml | + | |
| - | -rw-r--r-- 1 root root 335 Feb 1 2021 openvpn.xml | + | |
| - | -rw-r--r-- 1 root root 260 Feb 1 2021 ovirt-imageio.xml | + | |
| - | -rw-r--r-- 1 root root 343 Feb 1 2021 ovirt-storageconsole.xml | + | |
| - | -rw-r--r-- 1 root root 235 Feb 1 2021 ovirt-vmconsole.xml | + | |
| - | -rw-r--r-- 1 root root 1024 Feb 1 2021 plex.xml | + | |
| - | -rw-r--r-- 1 root root 433 Feb 1 2021 pmcd.xml | + | |
| - | -rw-r--r-- 1 root root 474 Feb 1 2021 pmproxy.xml | + | |
| - | -rw-r--r-- 1 root root 544 Feb 1 2021 pmwebapis.xml | + | |
| - | -rw-r--r-- 1 root root 460 Feb 1 2021 pmwebapi.xml | + | |
| - | -rw-r--r-- 1 root root 357 Feb 1 2021 pop3s.xml | + | |
| - | -rw-r--r-- 1 root root 348 Feb 1 2021 pop3.xml | + | |
| - | -rw-r--r-- 1 root root 181 Feb 1 2021 postgresql.xml | + | |
| - | -rw-r--r-- 1 root root 509 Feb 1 2021 privoxy.xml | + | |
| - | -rw-r--r-- 1 root root 213 Feb 1 2021 prometheus.xml | + | |
| - | -rw-r--r-- 1 root root 261 Feb 1 2021 proxy-dhcp.xml | + | |
| - | -rw-r--r-- 1 root root 424 Feb 1 2021 ptp.xml | + | |
| - | -rw-r--r-- 1 root root 414 Feb 1 2021 pulseaudio.xml | + | |
| - | -rw-r--r-- 1 root root 297 Feb 1 2021 puppetmaster.xml | + | |
| - | -rw-r--r-- 1 root root 273 Feb 1 2021 quassel.xml | + | |
| - | -rw-r--r-- 1 root root 520 Feb 1 2021 radius.xml | + | |
| - | -rw-r--r-- 1 root root 183 Feb 1 2021 rdp.xml | + | |
| - | -rw-r--r-- 1 root root 212 Feb 1 2021 redis-sentinel.xml | + | |
| - | -rw-r--r-- 1 root root 268 Feb 1 2021 redis.xml | + | |
| - | -rw-r--r-- 1 root root 381 Feb 1 2021 RH-Satellite-6-capsule.xml | + | |
| - | -rw-r--r-- 1 root root 556 Feb 1 2021 RH-Satellite-6.xml | + | |
| - | -rw-r--r-- 1 root root 214 Feb 1 2021 rpc-bind.xml | + | |
| - | -rw-r--r-- 1 root root 213 Feb 1 2021 rquotad.xml | + | |
| - | -rw-r--r-- 1 root root 310 Feb 1 2021 rsh.xml | + | |
| - | -rw-r--r-- 1 root root 311 Feb 1 2021 rsyncd.xml | + | |
| - | -rw-r--r-- 1 root root 350 Feb 1 2021 rtsp.xml | + | |
| - | -rw-r--r-- 1 root root 329 Feb 1 2021 salt-master.xml | + | |
| - | -rw-r--r-- 1 root root 371 Feb 1 2021 samba-client.xml | + | |
| - | -rw-r--r-- 1 root root 1298 Feb 1 2021 samba-dc.xml | + | |
| - | -rw-r--r-- 1 root root 448 Feb 1 2021 samba.xml | + | |
| - | -rw-r--r-- 1 root root 324 Feb 1 2021 sane.xml | + | |
| - | -rw-r--r-- 1 root root 283 Feb 1 2021 sips.xml | + | |
| - | -rw-r--r-- 1 root root 496 Feb 1 2021 sip.xml | + | |
| - | -rw-r--r-- 1 root root 299 Feb 1 2021 slp.xml | + | |
| - | -rw-r--r-- 1 root root 231 Feb 1 2021 smtp-submission.xml | + | |
| - | -rw-r--r-- 1 root root 577 Feb 1 2021 smtps.xml | + | |
| - | -rw-r--r-- 1 root root 550 Feb 1 2021 smtp.xml | + | |
| - | -rw-r--r-- 1 root root 308 Feb 1 2021 snmptrap.xml | + | |
| - | -rw-r--r-- 1 root root 342 Feb 1 2021 snmp.xml | + | |
| - | -rw-r--r-- 1 root root 405 Feb 1 2021 spideroak-lansync.xml | + | |
| - | -rw-r--r-- 1 root root 275 Feb 1 2021 spotify-sync.xml | + | |
| - | -rw-r--r-- 1 root root 173 Feb 1 2021 squid.xml | + | |
| - | -rw-r--r-- 1 root root 421 Feb 1 2021 ssdp.xml | + | |
| - | -rw-r--r-- 1 root root 463 Feb 1 2021 ssh.xml | + | |
| - | -rw-r--r-- 1 root root 631 Feb 1 2021 steam-streaming.xml | + | |
| - | -rw-r--r-- 1 root root 287 Feb 1 2021 svdrp.xml | + | |
| - | -rw-r--r-- 1 root root 231 Feb 1 2021 svn.xml | + | |
| - | -rw-r--r-- 1 root root 297 Feb 1 2021 syncthing-gui.xml | + | |
| - | -rw-r--r-- 1 root root 311 Feb 1 2021 syncthing.xml | + | |
| - | -rw-r--r-- 1 root root 496 Feb 1 2021 synergy.xml | + | |
| - | -rw-r--r-- 1 root root 444 Feb 1 2021 syslog-tls.xml | + | |
| - | -rw-r--r-- 1 root root 329 Feb 1 2021 syslog.xml | + | |
| - | -rw-r--r-- 1 root root 393 Feb 1 2021 telnet.xml | + | |
| - | -rw-r--r-- 1 root root 252 Feb 1 2021 tentacle.xml | + | |
| - | -rw-r--r-- 1 root root 288 Feb 1 2021 tftp-client.xml | + | |
| - | -rw-r--r-- 1 root root 424 Feb 1 2021 tftp.xml | + | |
| - | -rw-r--r-- 1 root root 221 Feb 1 2021 tile38.xml | + | |
| - | -rw-r--r-- 1 root root 336 Feb 1 2021 tinc.xml | + | |
| - | -rw-r--r-- 1 root root 771 Feb 1 2021 tor-socks.xml | + | |
| - | -rw-r--r-- 1 root root 244 Feb 1 2021 transmission-client.xml | + | |
| - | -rw-r--r-- 1 root root 264 Feb 1 2021 upnp-client.xml | + | |
| - | -rw-r--r-- 1 root root 593 Feb 1 2021 vdsm.xml | + | |
| - | -rw-r--r-- 1 root root 475 Feb 1 2021 vnc-server.xml | + | |
| - | -rw-r--r-- 1 root root 310 Feb 1 2021 wbem-https.xml | + | |
| - | -rw-r--r-- 1 root root 352 Feb 1 2021 wbem-http.xml | + | |
| - | -rw-r--r-- 1 root root 323 Feb 1 2021 wsmans.xml | + | |
| - | -rw-r--r-- 1 root root 316 Feb 1 2021 wsman.xml | + | |
| - | -rw-r--r-- 1 root root 329 Feb 1 2021 xdmcp.xml | + | |
| - | -rw-r--r-- 1 root root 509 Feb 1 2021 xmpp-bosh.xml | + | |
| - | -rw-r--r-- 1 root root 488 Feb 1 2021 xmpp-client.xml | + | |
| - | -rw-r--r-- 1 root root 264 Feb 1 2021 xmpp-local.xml | + | |
| - | -rw-r--r-- 1 root root 545 Feb 1 2021 xmpp-server.xml | + | |
| - | -rw-r--r-- 1 root root 314 Feb 1 2021 zabbix-agent.xml | + | |
| - | -rw-r--r-- 1 root root 315 Feb 1 2021 zabbix-server.xml | + | |
| - | + | ||
| - | / | + | |
| - | total 40 | + | |
| - | -rw-r--r-- 1 root root 299 Feb 1 2021 block.xml | + | |
| - | -rw-r--r-- 1 root root 293 Feb 1 2021 dmz.xml | + | |
| - | -rw-r--r-- 1 root root 291 Feb 1 2021 drop.xml | + | |
| - | -rw-r--r-- 1 root root 304 Feb 1 2021 external.xml | + | |
| - | -rw-r--r-- 1 root root 369 Feb 1 2021 home.xml | + | |
| - | -rw-r--r-- 1 root root 384 Feb 1 2021 internal.xml | + | |
| - | -rw-r--r-- 1 root root 729 Apr 12 2021 nm-shared.xml | + | |
| - | -rw-r--r-- 1 root root 315 Feb 1 2021 public.xml | + | |
| - | -rw-r--r-- 1 root root 162 Feb 1 2021 trusted.xml | + | |
| - | -rw-r--r-- 1 root root 311 Feb 1 2021 work.xml | + | |
| - | </ | + | |
| - | + | ||
| - | Ces fichiers sont au format **xml**, par exemple : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | <service name=" | + | |
| - | <service name=" | + | |
| - | <service name=" | + | |
| - | <service name=" | + | |
| - | </ | + | |
| - | </ | + | |
| - | + | ||
| - | La configuration de firewalld ainsi que les définitions et règles personnalisées se trouvent dans **/ | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | / | + | |
| - | total 32 | + | |
| - | -rw-r--r-- 1 root root 2745 Feb 1 2021 firewalld.conf | + | |
| - | drwxr-xr-x 2 root root 4096 Feb 1 2021 helpers | + | |
| - | drwxr-xr-x 2 root root 4096 Feb 1 2021 icmptypes | + | |
| - | drwxr-xr-x 2 root root 4096 Feb 1 2021 ipsets | + | |
| - | -rw-r--r-- 1 root root 268 Feb 1 2021 lockdown-whitelist.xml | + | |
| - | drwxr-xr-x 2 root root 4096 Feb 1 2021 policies | + | |
| - | drwxr-xr-x 2 root root 4096 Feb 1 2021 services | + | |
| - | drwxr-xr-x 2 root root 4096 Feb 1 2021 zones | + | |
| - | + | ||
| - | / | + | |
| - | total 0 | + | |
| - | + | ||
| - | / | + | |
| - | total 0 | + | |
| - | + | ||
| - | / | + | |
| - | total 0 | + | |
| - | + | ||
| - | / | + | |
| - | total 0 | + | |
| - | + | ||
| - | / | + | |
| - | total 0 | + | |
| - | + | ||
| - | / | + | |
| - | total 0 | + | |
| - | </ | + | |
| - | + | ||
| - | Le fichier de configuration de firewalld est **/ | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | # firewalld config file | + | |
| - | + | ||
| - | # default zone | + | |
| - | # The default zone used if an empty zone string is used. | + | |
| - | # Default: public | + | |
| - | DefaultZone=public | + | |
| - | + | ||
| - | # Clean up on exit | + | |
| - | # If set to no or false the firewall configuration will not get cleaned up | + | |
| - | # on exit or stop of firewalld | + | |
| - | # Default: yes | + | |
| - | CleanupOnExit=yes | + | |
| - | + | ||
| - | # Lockdown | + | |
| - | # If set to enabled, firewall changes with the D-Bus interface will be limited | + | |
| - | # to applications that are listed in the lockdown whitelist. | + | |
| - | # The lockdown whitelist file is lockdown-whitelist.xml | + | |
| - | # Default: no | + | |
| - | Lockdown=no | + | |
| - | + | ||
| - | # IPv6_rpfilter | + | |
| - | # Performs a reverse path filter test on a packet for IPv6. If a reply to the | + | |
| - | # packet would be sent via the same interface that the packet arrived on, the | + | |
| - | # packet will match and be accepted, otherwise dropped. | + | |
| - | # The rp_filter for IPv4 is controlled using sysctl. | + | |
| - | # Default: yes | + | |
| - | IPv6_rpfilter=yes | + | |
| - | + | ||
| - | # IndividualCalls | + | |
| - | # Do not use combined -restore calls, but individual calls. This increases the | + | |
| - | # time that is needed to apply changes and to start the daemon, but is good for | + | |
| - | # debugging. | + | |
| - | # Default: no | + | |
| - | IndividualCalls=no | + | |
| - | + | ||
| - | # LogDenied | + | |
| - | # Add logging rules right before reject and drop rules in the INPUT, FORWARD | + | |
| - | # and OUTPUT chains for the default rules and also final reject and drop rules | + | |
| - | # in zones. Possible values are: all, unicast, broadcast, multicast and off. | + | |
| - | # Default: off | + | |
| - | LogDenied=off | + | |
| - | + | ||
| - | # FirewallBackend | + | |
| - | # Selects the firewall backend implementation. | + | |
| - | # Choices are: | + | |
| - | # - nftables (default) | + | |
| - | # - iptables (iptables, ip6tables, ebtables and ipset) | + | |
| - | FirewallBackend=nftables | + | |
| - | + | ||
| - | # FlushAllOnReload | + | |
| - | # Flush all runtime rules on a reload. In previous releases some runtime | + | |
| - | # configuration was retained during a reload, namely; interface to zone | + | |
| - | # assignment, and direct rules. This was confusing to users. To get the old | + | |
| - | # behavior set this to " | + | |
| - | # Default: yes | + | |
| - | FlushAllOnReload=yes | + | |
| - | + | ||
| - | # RFC3964_IPv4 | + | |
| - | # As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that | + | |
| - | # correspond to IPv4 addresses that should not be routed over the public | + | |
| - | # internet. | + | |
| - | # Defaults to " | + | |
| - | RFC3964_IPv4=yes | + | |
| - | + | ||
| - | # AllowZoneDrifting | + | |
| - | # Older versions of firewalld had undocumented behavior known as " | + | |
| - | # drifting" | + | |
| - | # violation of zone based firewalls. However, some users rely on this behavior | + | |
| - | # to have a " | + | |
| - | # desire such behavior. It's disabled by default for security reasons. | + | |
| - | # Note: If " | + | |
| - | # based zones (including the default zone). Packets never drift from interface | + | |
| - | # based zones to other interfaces based zones (including the default zone). | + | |
| - | # Possible values; " | + | |
| - | AllowZoneDrifting=no | + | |
| - | </ | + | |
| - | + | ||
| - | ===La Commande firewall-cmd=== | + | |
| - | + | ||
| - | firewalld s' | + | |
| - | + | ||
| - | <WRAP center round important> | + | |
| - | **Important** - firewall-cmd est le front-end de firewalld en ligne de commande. Il existe aussi la commande **firewall-config** qui lance un outil de configuration graphique. | + | |
| - | </ | + | |
| - | + | ||
| - | Pour obtenir la liste de toutes les zones prédéfinies, | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | block dmz drop external home internal nm-shared public trusted work | + | |
| - | </ | + | |
| - | + | ||
| - | Pour obtenir la liste de toutes les services prédéfinis, | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server | + | |
| - | </ | + | |
| - | + | ||
| - | Pour obtenir la liste de toutes les types ICMP prédéfinis, | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | address-unreachable bad-header beyond-scope communication-prohibited destination-unreachable echo-reply echo-request failed-policy fragmentation-needed host-precedence-violation host-prohibited host-redirect host-unknown host-unreachable ip-header-bad neighbour-advertisement neighbour-solicitation network-prohibited network-redirect network-unknown network-unreachable no-route packet-too-big parameter-problem port-unreachable precedence-cutoff protocol-unreachable redirect reject-route required-option-missing router-advertisement router-solicitation source-quench source-route-failed time-exceeded timestamp-reply timestamp-request tos-host-redirect tos-host-unreachable tos-network-redirect tos-network-unreachable ttl-zero-during-reassembly ttl-zero-during-transit unknown-header-type unknown-option | + | |
| - | </ | + | |
| - | + | ||
| - | Pour obtenir la liste des zones de la configuration courante, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | public | + | |
| - | interfaces: ens18 | + | |
| - | </ | + | |
| - | + | ||
| - | Pour obtenir la liste des zones de la configuration courante pour une interface spécifique, | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | public | + | |
| - | </ | + | |
| - | + | ||
| - | Pour obtenir la liste des services autorisés pour la zone public, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | dhcpv6-client ssh | + | |
| - | </ | + | |
| - | + | ||
| - | Pour obtenir toute la configuration pour la zone public, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | public (active) | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: ens18 | + | |
| - | sources: | + | |
| - | services: dhcpv6-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | </ | + | |
| - | + | ||
| - | Pour obtenir la liste complète de toutes les zones et leurs configurations, | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | block | + | |
| - | target: %%REJECT%% | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | dmz | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | drop | + | |
| - | target: DROP | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | external | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: yes | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | home | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: dhcpv6-client mdns samba-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | internal | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: dhcpv6-client mdns samba-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | nm-shared | + | |
| - | target: ACCEPT | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: dhcp dns ssh | + | |
| - | ports: | + | |
| - | protocols: icmp ipv6-icmp | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | rule priority=" | + | |
| - | + | ||
| - | public (active) | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: ens18 | + | |
| - | sources: | + | |
| - | services: dhcpv6-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | trusted | + | |
| - | target: ACCEPT | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | work | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: dhcpv6-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | </ | + | |
| - | + | ||
| - | Pour changer la zone par défaut de public à work, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | work | + | |
| - | interfaces: ens18 | + | |
| - | </ | + | |
| - | + | ||
| - | HERE | + | |
| - | + | ||
| - | Pour ajouter l' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | work | + | |
| - | interfaces: ens18 ip_fixe | + | |
| - | </ | + | |
| - | + | ||
| - | Pour supprimer l' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | work | + | |
| - | interfaces: ens18 | + | |
| - | </ | + | |
| - | + | ||
| - | Pour ajouter le service **http** à la zone **work**, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | dhcpv6-client http ssh | + | |
| - | </ | + | |
| - | + | ||
| - | Pour supprimer le service **http** de la zone **work**, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | dhcpv6-client ssh | + | |
| - | </ | + | |
| - | + | ||
| - | Pour ajouter un nouveau bloc ICMP, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | echo-reply | + | |
| - | </ | + | |
| - | + | ||
| - | Pour supprimer un bloc ICMP, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | </ | + | |
| - | + | ||
| - | Pour ajouter le port 591/tcp à la zone work, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | 591/tcp | + | |
| - | </ | + | |
| - | + | ||
| - | Pour supprimer le port 591/tcp à la zone work, utilisez la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | root@debian11: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | </ | + | |
| - | + | ||
| - | Pour créer un nouveau service, il convient de : | + | |
| - | + | ||
| - | * copier un fichier existant se trouvant dans le répertoire **/ | + | |
| - | * modifier le fichier, | + | |
| - | * recharger la configuration de firewalld, | + | |
| - | * vérifier que firewalld voit le nouveau service. | + | |
| - | + | ||
| - | Par exemple : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | <?xml version=" | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | <port protocol=" | + | |
| - | </ | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | <?xml version=" | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | <port protocol=" | + | |
| - | </ | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | success | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | RH-Satellite-6 RH-Satellite-6-capsule amanda-client amanda-k5-client amqp amqps apcupsd audit bacula bacula-client bb bgp bitcoin bitcoin-rpc bitcoin-testnet bitcoin-testnet-rpc bittorrent-lsd ceph ceph-mon cfengine cockpit collectd condor-collector ctdb dhcp dhcpv6 dhcpv6-client distcc dns dns-over-tls docker-registry docker-swarm dropbox-lansync elasticsearch etcd-client etcd-server filemaker finger foreman foreman-proxy freeipa-4 freeipa-ldap freeipa-ldaps freeipa-replication freeipa-trust ftp ganglia-client ganglia-master git grafana gre high-availability http https imap imaps ipp ipp-client ipsec irc ircs iscsi-target isns jenkins kadmin kdeconnect kerberos kibana klogin kpasswd kprop kshell kube-apiserver ldap ldaps libvirt libvirt-tls lightning-network llmnr managesieve matrix mdns memcache minidlna mongodb mosh mountd mqtt mqtt-tls ms-wbt mssql murmur mysql nbd nfs nfs3 nmea-0183 nrpe ntp nut openvpn ovirt-imageio ovirt-storageconsole ovirt-vmconsole plex pmcd pmproxy pmwebapi pmwebapis pop3 pop3s postgresql privoxy prometheus proxy-dhcp ptp pulseaudio puppetmaster quassel radius rdp redis redis-sentinel rpc-bind rquotad rsh rsyncd rtsp salt-master samba samba-client samba-dc sane sip sips slp smtp smtp-submission smtps snmp snmptrap spideroak-lansync spotify-sync squid ssdp ssh steam-streaming svdrp svn syncthing syncthing-gui synergy syslog syslog-tls telnet tentacle tftp tftp-client tile38 tinc tor-socks transmission-client upnp-client vdsm vnc-server wbem-http wbem-https wsman wsmans xdmcp xmpp-bosh xmpp-client xmpp-local xmpp-server zabbix-agent zabbix-server | + | |
| - | </ | + | |
| - | + | ||
| - | ===La Configuration Avancée de firewalld=== | + | |
| - | + | ||
| - | La configuration de base de firewalld ne permet que la configuration des zones, services, blocs ICMP et les ports non-standard. Cependant firewalld peut également être configuré avec des **Rich Rules** ou **//Règles Riches//**. Rich Rules ou Règles Riches évaluent des **critères** pour ensuite entreprendre une **action**. | + | |
| - | + | ||
| - | Les **Critères** sont : | + | |
| - | + | ||
| - | * **source address="< | + | |
| - | * **destination address="< | + | |
| - | * **rule port port="< | + | |
| - | * **service name=< | + | |
| - | + | ||
| - | Les **Actions** sont : | + | |
| - | + | ||
| - | * **accept**, | + | |
| - | * **reject**, | + | |
| - | * une Action reject peut être associée avec un message d' | + | |
| - | * **drop**. | + | |
| - | + | ||
| - | Saisissez la commande suivante pour ouvrir le port 80 : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 50%> | + | |
| - | **Important** - Notez que la Rich Rule doit être entourée de caractères **'**. | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 50%> | + | |
| - | **Important** - Notez que la Rich Rule a créé deux règles, une pour IPv4 et une deuxième pour IPv6. Une règle peut être créée pour IPv4 seul en incluant le Critère **family=ipv4**. De la même façon, une règle peut être créée pour IPv6 seul en incluant le Critère **family=ipv6**. | + | |
| - | </ | + | |
| - | + | ||
| - | Cette nouvelle règle est écrite en mémoire mais non pas sur disque. Pour l' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | <?xml version=" | + | |
| - | < | + | |
| - | < | + | |
| - | < | + | |
| - | <service name=" | + | |
| - | <service name=" | + | |
| - | < | + | |
| - | <port port=" | + | |
| - | < | + | |
| - | </ | + | |
| - | </ | + | |
| - | </ | + | |
| - | + | ||
| - | <WRAP center round important 50%> | + | |
| - | **Important** - Attention ! La règle ajoutée avec l' | + | |
| - | </ | + | |
| - | + | ||
| - | Pour visualiser cette règle dans la configuration de firewalld, il convient de saisir la commande suivante : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | work (active) | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: ens18 | + | |
| - | sources: | + | |
| - | services: dhcpv6-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | rule port port=" | + | |
| - | + | ||
| - | </ | + | |
| - | + | ||
| - | Notez que la Rich Rule est créée dans la Zone par Défaut. Il est possible de créer une Rich Rule dans une autre zone en utilisant l' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | success | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | public | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: dhcpv6-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | success | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | public | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: dhcpv6-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | success | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | public | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: dhcpv6-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | rule port port=" | + | |
| - | </ | + | |
| - | + | ||
| - | + | ||
| - | Pour supprimer une Rich Rule, il faut copier la ligne entière la concernant qui se trouve dans la sortie de la commande **firewall-cmd --list-all-zones** : | + | |
| - | + | ||
| - | < | + | |
| - | root@debian11: | + | |
| - | success | + | |
| - | + | ||
| - | root@debian11: | + | |
| - | public | + | |
| - | target: default | + | |
| - | icmp-block-inversion: | + | |
| - | interfaces: | + | |
| - | sources: | + | |
| - | services: dhcpv6-client ssh | + | |
| - | ports: | + | |
| - | protocols: | + | |
| - | forward: no | + | |
| - | masquerade: no | + | |
| - | forward-ports: | + | |
| - | source-ports: | + | |
| - | icmp-blocks: | + | |
| - | rich rules: | + | |
| - | </ | + | |
| - | + | ||
| - | ===Le mode Panic de firewalld=== | + | |
| - | + | ||
| - | Le mode Panic de firewalld permet de bloquer tout le trafic avec une seule commande. Pour connaître l' | + | |
| - | + | ||
| - | < | + | |
| - | root@debian8: | + | |
| - | no | + | |
| - | </ | + | |
| - | + | ||
| - | Pour activer le mode Panic, il convient | + | |
| - | < | + | =====Validation des Acquis===== |
| - | # firewall-cmd --panic-on | + | |
| - | </ | + | |
| - | Pour désactiver le mode Panic, il convient | + | Veuillez passer la Validation Globale des Acquis |
| - | < | + | =====Évaluation de la Formation===== |
| - | # firewall-cmd --panic-off | + | |
| - | </ | + | |
| + | Afin de valider votre formation, veuillez compléter l’Évaluation de la Formation. | ||
| ----- | ----- | ||
| - | Copyright © 2022 Hugh Norris. | + | Copyright © 2023 Hugh Norris. Document non-contractuel. Le programme peut être modifié sans préavis. |
