powerdns系列记录

March 5, 2020 Linux YY.K Permalink 
mysqlrootpwd=`openssl rand 6 -base64`
yum -y install epel-releas 
yum -y install mysql mysql-server pdns pdns-backend-mysql
yum -y install httpd php php-devel php-gd php-imap php-ldap php-mysql php-odbc php-pear php-xml php-xmlrpc php-mbstring php-mcrypt php-mhash 
yum -y install php-pear-DB php-pear-MDB2-Driver-mysql
chkconfig --levels 235 httpd on
chkconfig --levels 235 mysqld on
chkconfig --levels 235 pdns on

#mysqladmin -u root password  $mysqlrootpwd
mysqladmin create powerdns
mysql -Bse "create user 'powerdns'@'localhost' identified by '$mysqlrootpwd'"
mysql -Bse "grant all privileges on powerdns.* to 'powerdns'@'localhost'"
mysql -Bse "GRANT ALL ON powerdns.* TO 'powerdns'@'108.171.205.98' IDENTIFIED BY '$mysqlrootpwd'"

wget http://files.soluslabs.com/solusvm/pdns/pdns.sql
mysql --user=powerdns --password=$mysqlrootpwd < pdns.sql
cat>/etc/pdns/pdns.conf<<EOF
launch=gmysql
gmysql-host=127.0.0.1
gmysql-user=powerdns
gmysql-password=$mysqlrootpwd
gmysql-dbname=powerdns  
EOF

/etc/init.d/mysqld restart
/etc/init.d/httpd restart
/etc/init.d/httpd start
/etc/init.d/pdns restart
wget -c https://github.com/poweradmin/poweradmin/tarball/master -O poweradmin.tar.gz
tar zxf poweradmin.tar.gz
mv poweradmin-* /var/www/html/poweradmin
chown -R apache:apache /var/www/html/poweradmin/


pdns

ESXI无法登陆问题

February 25, 2020 Linux YY.K Permalink

新装系统的esxi密码正确无法登陆, 在几年前就遇上过用,在shell下操作重置解决的, 但时间太久忘记了, 然后最近又遇上了几次像无头苍蝇一样,特此记录一下.
主要原因是ssh端口被爆破错误次数过多,导致锁死的问题.
新装系统,登陆上管理页面后在“管理”->"高级设置"里面搜索把Security.AccountLockFailures设置成0或者是关闭ssh服务

Security.AccountLockFailures
Security.AccountUnlockTime

也可以在设置成ssh key登陆, 对root账户进行重置解决

authorized_keys路径

/etc/ssh/keys-root/authorized_keys

重置命令

pam_tally2 --user root
pam_tally2 --user root --reset


如果新装系统已经被锁死还没设置key登陆, 则需要到ipmi下操作.
在Troubleshooting mode options项目下选择Restart Management Agents进行重置, 之后就可以再用web或者客户端进行登陆设置了.

ESXI, 虚拟化

nfsen-blackhole

February 11, 2020 Linux YY.K Permalink

记录

yum -y -q install monit tcsh  perl-Net-BGP
git clone https://github.com/zhecho/nfsen-blackhole 
cd nfsen-blackhole 
sed  -i "s#/usr/local/var/nfsen#/opt/nfsen/var/run#g" *
sed  -i "s#/usr/local/libexec/nfsen/plugins#/opt/nfsen/plugins#g" *
                          
install bgp_simple_restart.sh /opt/nfsen/plugins/
install blackHole.pm   /opt/nfsen/plugins/
install bgp_simple.pl  /opt/nfsen/plugins/
install blackHole.php  /opt/nfsen/www/plugins/
touch /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}
chown nobody:nobody /opt/nfsen/var/run/{blackhole-pref.td2,blackHole.plugin.log}


nfsen

WANsensor和WANconsole 安装

February 11, 2020 Linux YY.K Permalink

配置记录

yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q WANsensor
systemctl start ntpd
systemctl enable ntpd
/opt/andrisoft/bin/install_supervisor
systemctl start WANsupervisor
systemctl enable WANsupervisor
yum install -y -q http://www.andrisoft.com/files/redhat7/WANrepo-7.2-0.noarch.rpm
yum install -y -q  WANconsole 
yum install -y -q epel-release
yum install -y -q php-pecl-radius

其他

max_allowed_packet=64M
 max_connections=1000
 open_files_limit=5000
 skip-name-resolve
         
nano /etc/my.cnf #set max_allowed_packet=64M, max_connections=1000, open_files_limit=5000 and add skip-name-resolve in the [mysqld] section
systemctl start mariadb
mysql_secure_installation
systemctl start mariadb
systemctl enable mariadb
         
         
nano /etc/php.ini #set date.timezone in the [Date] section, according to http://php.net/manual/en/timezones.php
systemctl enable httpd
systemctl restart httpd
         
firewall-cmd --permanent --add-service=mysql
firewall-cmd --permanent --add-service=http
firewall-cmd --permanent --add-service=https
systemctl restart firewalld
         
/opt/andrisoft/bin/install_console
/opt/andrisoft/bin/install_supervisor
         
systemctl start WANsupervisor
systemctl enable WANsupervisor
         
         
yum install -y -q https://dl.influxdata.com/influxdb/releases/influxdb-1.7.9.x86_64.rpm
[[email protected] ~]# nano /etc/influxdb/influxdb.conf 
[data] 
index-version=”tsi1”
max-seriesper-database=0
max-values-per-tag=0
[retention]
enabled=true
[http] 
enabled=true
log-enabled=false
max-row_limit=0
max-body-size=0
[logging] 
level=”warn”
[continuous_queries]
enabled=true
systemctl restart influxdb


sflow-rt安装

February 11, 2020 Linux YY.K Permalink

sflow-rt这玩意挺方便, 可以用JS进行二次开发写APP

官方下载连接 https://sflow-rt.com/download.php


yum install java -y
yum install -y -q https://inmon.com/products/sFlow-RT/sflow-rt-3.0-1451.noarch.rpm 
/usr/local/sflow-rt/get-app.sh sflow-rt top-flows
/usr/local/sflow-rt/get-app.sh sflow-rt dashboard-example
/usr/local/sflow-rt/get-app.sh sflow-rt ddos-blackhole
/usr/local/sflow-rt/get-app.sh sflow-rt sflow-test
/usr/local/sflow-rt/get-app.sh sflow-rt ddos-protect
systemctl start sflow-rt
systemctl enable sflow-rt


firewall-cmd --zone=public --add-masquerade --permanent
firewall-cmd --zone=public --add-forward-port=port=179:proto=tcp:toport=1179 --permanent
firewall-cmd --zone=public --add-port=179/tcp --permanent
firewall-cmd --zone=public --add-port=6343/udp --permanent
firewall-cmd --reload
firewall-cmd --zone=public --list-ports


如果要用179端口做bgp需要在服务器启动文件加入authbind的命令

yum install -y https://s3.amazonaws.com/aaronsilber/public/authbind-2.1.1-0.1.x86_64.rpm
touch /etc/authbind/byport/179
chmod 755 /etc/authbind/byport/179


在 /etc/init.d/sflow-rt文件内找到START这一行

START='authbind --deep /usr/local/sflow-rt/bin/run-rt'



librenms简便安装

February 11, 2020 Linux YY.K Permalink

和observium很像,开源软件.

file bison mlocate flex diffutils
yum -y install cronie fping git ImageMagick whois mtr  net-snmp net-snmp-utils nmap  python-memcached rrdtool
useradd librenms -d /opt/librenms -M -r
cd /opt
git clone https://github.com/librenms/librenms.git
chown -R librenms:librenms /opt/librenms
chmod 770 /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs /opt/librenms/bootstrap/cache/ /opt/librenms/storage/
runuser -l  librenms -c '/opt/php7/bin/php /opt/librenms/scripts/composer_wrapper.php install --no-dev'

nginx配置

server {
    listen 80;
    root /opt/observium;
    index index.php;
    server_name observium.example.com;
                                                               
    error_log /var/log/nginx/observium.error.log ;
    access_log /var/log/nginx/observium.log ;
                                                               
    location / {
    location ~ .php$ {
        try_files $uri = 404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/dev/shm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $request_filename;
        fastcgi_read_timeout 300;
    }
        }
                                                               
    location ~/\.ht {
        deny all;
    }
}
                                                               
server {
 listen      80;
 server_name librenms.example.com;
 root        /opt/librenms/html;
 index       index.php;
 location / {
  try_files $uri $uri/ /index.php?$query_string;
 }
 location /api/v0 {
  try_files $uri $uri/ /api_v0.php?$query_string;
 }
 location ~ \.php {
  include fastcgi.conf;
  fastcgi_split_path_info ^(.+\.php)(/.+)$;
  fastcgi_pass unix:/dev/shm/php-fpm.sock;
 }
 location ~ /\.ht {
  deny all;
 }
}

FPM配置文件

[librenms]
user = $pool
group = $pool
listen = /dev/shm/$pool.sock
listen.mode = 0666
pm = dynamic
pm.max_children = 15
pm.start_servers = 5
pm.min_spare_servers = 3
pm.max_spare_servers = 5
chdir = /opt/bgpto
security.limit_extensions = .php .php3 .php4 .php5 .php7
env[HOSTNAME] = $pool.hostname
env[PATH] = /usr/local/bin:/usr/bin:/bin:/opt/php7/bin
env[TMP] = /tmp
env[TMPDIR] = /tmp
env[TEMP] = /tmp
php_admin_value[error_log] = /var/log/fpm-php.$pool.log
php_admin_value[memory_limit] = 256M


observium, librenms

VMware ESXi安装ipmitool

January 8, 2020 Linux YY.K Permalink 
wget  dl.kvm.la/tools/esxi_ipmitool-1.8.15-1.vib -O  /var/log/vmware/ipmitool-1.8.15-1.vib
esxcli software acceptance set --level=CommunitySupported
esxcli software vib install -v ipmitool-1.8.15-1.vib
/opt/ipmitool/bin/ipmitool mc reset cold


VMware, ESXI, ipmitool

编译安装 nfdump

December 28, 2019 Linux YY.K Permalink 
yum -y -q  install nss curl  git libtool m4 automake  bzip2-devel
git clone https://github.com/phaag/nfdump
cd nfdump
./autogen.sh
./configure --enable-nfprofile --enable-nftrack --with-rrdpath=/usr/local/rrdtool
make
make install
install -p -m 644 bin/nftrack /usr/bin/
nfdump

Centos7 nfsen基础安装

December 28, 2019 Linux YY.K Permalink 
yum -y -qinstall epel-release wget 
yum -y -q install nss curl  git nfdump perl gcc make libpcap-devel fprobe-ulog  rrdtool-devel rrdtool-perl  flex byacc perl 
yum -y -q install perl-MailTools perl-Socket6 perl-Sys-Syslog 'perl(Data::Dumper)' perl-DBD-MySQL
wget https://sourceforge.net/projects/nfsen/files/stable/nfsen-1.3.8/nfsen-1.3.8.tar.gz/download  -O -|tar xz
cd nfsen-1.3.8
#cat   etc/nfsen-dist.conf |grep -v ^#|grep -v ^$ >etc/nfsen.conf
wget dl.kvm.la/conf/nfsen/nfsen.conf -O  etc/nfsen.conf
perl install.pl etc/nfsen.conf
ln -s /opt/nfsen/bin/nfsen /usr/bin/
#安装PortTracker插件
install contrib/PortTracker/PortTracker.pm   /opt/nfsen/plugins/
install contrib/PortTracker/PortTracker.php  /opt/nfsen/plugins/
mkdir -p  /data/ports-db
chown -R nobody:nobody /data/ports-db  /opt/nfsen
sudo -u nobody nftrack -I -d /data/ports-db
wget dl.kvm.la/conf/nfsen/nfsen.init -O /etc/init.d/nfsen
chmod 755 /etc/init.d/nfsen
chkconfig nfsen on

#安装PortTracker插件

#安装PortTracker插件
install contrib/PortTracker/PortTracker.pm   /opt/nfsen/plugins/
install contrib/PortTracker/PortTracker.php  /opt/nfsen/plugins/
mkdir -p  /data/ports-db
chown -R nobody:nobody /data/ports-db  /opt/nfsen
sudo -u nobody nftrack -I -d /data/ports-db

正常使用还要http和php进行支持, sflow数据发送到nfsen进行分析,等等.

nfsen

smartmontools 查看阵列磁盘健康状态

December 17, 2019 Linux YY.K Permalink 
yum install  smartmontools -y -q
smartctl -a -d megaraid,N  /dev/sdX

N代表硬盘的设备ID, 可以用storcli和MegaCli查找到.
X则代表存储设备的顺序ID. 第一个存储设备以a开始排列.
查看硬盘的设备ID方法如下:

用MegaCli

#第一种
#MegaCli -PDList -aAll|grep "Device Id"
Device Id: 0
Device Id: 1
Device Id: 2
Device Id: 3
Device Id: 4
Device Id: 5
Device Id: 6
Device Id: 7
Device Id: 8
Device Id: 9


#第二种(LSI ID就是设备ID)
#curl -sS http://dl.kvm.la/lsi/megaclisas-status | python
-- Controller information --
-- ID | H/W Model      | RAM    | Temp | BBU    | Firmware
c0    | PERC H710 Mini | 512MB  | 76C  | Good   | FW: 21.0.1-0132

-- Array information --
-- ID | Type    |    Size |  Strpsz | Flags | DskCache |   Status |  OS Path | CacheCade        |InProgress
c0u0  | RAID-10 |   5455G |  256 KB | RA,WB | Disabled |  Optimal |        0 | Type : Read Only |None

-- Disk information --
    -- ID    | Type | Drive Model                       | Size     | Status          | Speed    | Temp | Slot ID  | LSI ID
    c0u0s0p0 | HDD  | HGST HUC101212CSS600 A469KZJ0M2DG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:0]   | 0
    c0u0s0p1 | HDD  | HGST HUC101212CSS600 A469KZJ0LJRG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:1]   | 1
    c0u0s1p0 | HDD  | HGST HUC101212CSS600 A469KZHZX1ZG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:2]   | 2
    c0u0s1p1 | HDD  | HGST HUC101212CSS600 A469KZJ076SG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:3]   | 3
    c0u0s2p0 | HDD  | HGST HUC101212CSS600 A469KZJ0B6PG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:4]   | 4
    c0u0s2p1 | HDD  | HGST HUC101212CSS600 A469KZJ0WWJG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:5]   | 5
    c0u0s3p0 | HDD  | HGST HUC101212CSS600 A469KZJ0LT4G | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:6]   | 6
    c0u0s3p1 | HDD  | HGST HUC101212CSS600 A469KZJ0A5KG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:7]   | 7
    c0u0s4p0 | HDD  | HGST HUC101212CSS600 A469KZJ0LRLG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 30C  | [32:8]   | 8
    c0u0s4p1 | HDD  | HGST HUC101212CSS600 A469KZJ0DUGG | 1.090 TB | Online, Spun Up | 6.0Gb/s  | 31C  | [32:9]   | 9

基于storcli命令查找

#storcli /c0 /eall /sall show
----------------------------------------------------------------------------
EID:Slt DID State DG     Size Intf Med SED PI SeSz Model            Sp Type
----------------------------------------------------------------------------
252:0    14 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:1    16 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:2    15 Onln   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
252:3    17 Rbld   0 5.456 TB SAS  HDD N   N  512B ST6000NM0034     U  -
----------------------------------------------------------------------------

DID就是硬盘的设备ID

附:MegaCli和storcli安装

yum install -y -q http://dl.kvm.la/lsi/MegaCli_All_OS/Linux/MegaCli-8.07.06-1.noarch.rpm
ln -s /opt/MegaRAID/MegaCli/MegaCli64 /usr/bin/MegaCli

 yum -y -q install http://dl.kvm.la/lsi/storcli_All_OS/Linux/storcli-1.23.02-1.noarch.rpm
ln -s   /opt/MegaRAID/storcli/storcli64  /usr/bin/storcli
storcli, smartmontools

Centos7安装FRRouting

December 16, 2019 Linux YY.K Permalink

由于官方改动了一些文件位置,没有及时更新安装引导说明, 导致最后几步安装找不到文件,故自己抄写了一份.
原文地址http://docs.frrouting.org/projects/dev-guide/en/latest/building-frr-for-centos7.html

#yum安装基础环境
    yum install -y -q nss curl  git autoconf automake libtool make cmake readline-devel texinfo net-snmp-devel groff pkgconfig json-c-devel pam-devel bison flex pytest c-ares-devel python-devel systemd-devel python-sphinx libcap-devel 
    groupadd -g 92 frr
    groupadd -r -g 85 frrvty
    useradd -u 92 -g 92 -M -r -G frrvty -s /sbin/nologin  -c "FRR FRRouting suite" -d /var/run/frr frr

    #安装libyang
    #由于centos7没有
    cd /tmp
    git clone https://github.com/CESNET/libyang.git
    cd libyang
    mkdir build; cd build
    cmake -DENABLE_LYD_PRIV=ON -DCMAKE_INSTALL_PREFIX:PATH=/usr -D CMAKE_BUILD_TYPE:String="Release" ..
    make
    make install

    #安装frr
    cd /tmp
    git clone https://github.com/frrouting/frr.git frr
    cd frr
    ./bootstrap.sh
    ./configure \
        --bindir=/usr/bin \
        --sbindir=/usr/lib/frr \
        --sysconfdir=/etc/frr \
        --libdir=/usr/lib/frr \
        --libexecdir=/usr/lib/frr \
        --localstatedir=/var/run/frr \
        --with-moduledir=/usr/lib/frr/modules \
        --enable-snmp=agentx \
        --enable-multipath=64 \
        --enable-user=frr \
        --enable-group=frr \
        --enable-vty-group=frrvty \
        --enable-systemd=yes \
        --disable-exampledir \
        --disable-ldpd \
        --enable-fpm \
        --with-pkg-git-version \
        --with-pkg-extra-version=-MyOwnFRRVersion \
        SPHINXBUILD=/usr/bin/sphinx-build
    make
    make install
    install -p -m 644 ./tools/etc/frr/daemons /etc/frr/
    install -p -m 644 tools/frr.service  /usr/lib/systemd/system/frr.service
    install -p -m 644 tools/frrinit.sh.in  /usr/lib/frr/frr

    #创建FRR空白配置文件和权限
    mkdir /var/log/frr
    mkdir /etc/frr
    touch /etc/frr/zebra.conf
    touch /etc/frr/bgpd.conf
    touch /etc/frr/ospfd.conf
    touch /etc/frr/ospf6d.conf
    touch /etc/frr/isisd.conf
    touch /etc/frr/ripd.conf
    touch /etc/frr/ripngd.conf
    touch /etc/frr/pimd.conf
    touch /etc/frr/nhrpd.conf
    touch /etc/frr/eigrpd.conf
    touch /etc/frr/babeld.conf
    touch /etc/frr/vtysh.conf
    chown -R frr:frr /etc/frr/
    chown frr:frrvty /etc/frr/vtysh.conf
    chown frr:frr /etc/frr/daemons
    chmod 640 /etc/frr/*.conf
cat>/etc/sysctl.d/90-routing-sysctl.conf<<EOF
    net.ipv4.conf.all.forwarding=1
    net.ipv6.conf.all.forwarding=1
    EOF
    sysctl -p /etc/sysctl.d/90-routing-sysctl.conf

    #注册启用和启动FRR
    systemctl preset frr.service
    systemctl enable frr
    systemctl start frr

安装步骤到此结束
  需要配置zebra后再用telnet连接

zebra配置文件

#cat /etc/frr/zebra.conf
! Zebra configuration file
!
frr version 6.0
frr defaults traditional
!
hostname Router
password zebra
enable password zebra
!
log stdout
!
!

更多配置和指引参考官方引导文章  

   telnet 127.0.0.1 2601

 然后和思科的配置方式差不多  


Centos7, frr, Zebra

sflow

December 12, 2019 其他 YY.K Permalink

Juniper sflow配置:

set protocols sflow agent-id {agent IP地址}
set protocols sflow polling-interval 30
set protocols sflow sample-rate ingress 3000
set protocols sflow sample-rate egress 3000
set protocols sflow collector {接受数据的IP}
set protocols sflow interfaces {ge-0/1/1.0 指定端口}

H3C sflow配置:

sflow agent ip 10.193.1.1  !设置此设备的某端口地址为agent地址
 sflow source ip 10.193.1.1 !设置此设备的某端口地址为发送源地址
 sflow collector 1 vpn-instance mgmt ip 10.5.0.208 !设置collector1服务器地址,端口号默认6343
 
int te1/0/0/7 !进入需要采集的接口
 sflow flow collector 1 !与collector 1 绑定
 sflow sampling-rate 1000 !设置采样率
 sflow counter collector 1 !计数器绑定collector1
 sflow counter interval 60 !计数器间隔60s
!

Cisco Netflow设置

flow record yst  !配置netflow记录器yst
 match ipv4 source address !记录内容ipv4源地址
 match ipv4 destination address !记录目标地址
 collect counter bytes !计数器单位bytes
 collect counter packets !计数器单位packets
!
!
flow exporter yst !配置netflow输出器
 destination 10.5.0.208 !设置服务器地址
 source TenGigabitEthernet0/0/0 !设置发包源地址
 dscp 63 !设置qos dscp
 ttl 15 !设置ttl
 transport udp 6343 !配置端口号
 export-protocol netflow-v5 !配置版本为v5,各版本区别百度
 template data timeout 30 超时时间30
!
!
flow monitor yst !设置监视器yst
 exporter yst !绑定输出器yst
 record yst !绑定记录器yst

int gi1/0/1 !开启接口flow
ip flow monitor yst input
ip flow monitor yst output

centos安装ntop

December 12, 2019 Linux YY.K Permalink 
yum install -y  epel-release wget 
wget http://packages.ntop.org/centos/ntop.repo -O /etc/yum.repos.d/ntop.repo
yum install -y pfring-dkms n2disk nprobe ntopng cento
service redis start 
service ntopng start
ntop

bird+juniper BGP RTBH

December 10, 2019 Linux,其他 YY.K Permalink

bird实例

log syslog all;
debug protocols off;
debug commands 0;

router id 1.1.1.1;

protocol static rtbh {
	route 99.99.99.99/32 blackhole;
	route 88.88.88.88/32 blackhole;
}

filter export_rtbh_out {
	# Limit to static routes
	if (proto = "rtbh") then
	{
		# Limit to /32 host routes (for now)
		if net.len = 32 then
		{
			bgp_community.add((65001,9999));
			bgp_next_hop = 192.0.2.1;
			accept;
		}
	}
	reject;
}

protocol bgp ER3 {
	description "iBGP to Edge Router 3 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 3.3.3.3 as 65001;
	import none;
	export filter export_rtbh_out;
}
protocol bgp ER4 {
	description "iBGP to Edge Router 4 for RTBH";
	debug { states, events };
	local 1.1.1.1 as 65001;
	neighbor 4.4.4.4 as 65001;
	import none;
	export filter export_rtbh_out;
}

JUNOS 配置实例

routing-options {
	static {
		route 192.0.2.1/32 discard;
	}
}

protocols {
	bgp {
		group RTBH {
			type internal;
			import import-from-rs;
			expor deny-all;
			neighbor 1.1.1.1;
		}
	}
}

policy-options {
	policy-statement deny-all {
		term 1 {
			then reject;
		}
	}
	policy-statement import-from-rs {
		term 1 {
			from {
				community RTBH;
				route-filter 0.0.0.0/0 prefix-length-range /32-/32;
			}
			then accept;
		}
		term reject {
			then reject;
		}
	}
	community RTBH members 65001:9999;
}

抄录自https://gist.github.com/floatingstatic/854aa504a92ab8bc3e044e434ec378c4

junos, juniper, bird, BGP, RTBH

[转载]CentOS 7 为firewalld添加开放端口及相关资料

November 7, 2019 Linux YY.K Permalink

1、运行、停止、禁用firewalld
启动:# systemctl start  firewalld
查看状态:# systemctl status firewalld 或者 firewall-cmd --state
停止:# systemctl disable firewalld
禁用:# systemctl stop firewalld 

查看firewall是否运行,下面两个命令都可以

systemctl status firewalld.servicefirewall-cmd --state

查看default zone和active zone

我们还没有做任何配置,default zone和active zone都应该是public

firewall-cmd --get-default-zonefirewall-cmd --get-active-zones

查看当前开了哪些端口

其实一个服务对应一个端口,每个服务对应/usr/lib/firewalld/services下面一个xml文件。

firewall-cmd --list-services

查看还有哪些服务可以打开

firewall-cmd --get-services

查看所有打开的端口:

firewall-cmd --zone=public --list-ports

更新防火墙规则:

firewall-cmd --reload

添加一个服务到firewalld

firewall-cmd --add-service=http //http换成想要开放的service

这样添加的service当前立刻生效,但系统下次启动就失效,可以测试使用。要永久开发一个service,加上 --permanent

firewall-cmd --permanent --add-service=http

如果要添加的端口并没有服务对应

就要新建一个服务,在/usr/lib/firewalld/services,随便拷贝一个xml文件到一个新名字,比如myservice.xml,把里面的

  <?xml version="1.0" encoding="utf-8"?>
<service>
<short>Transmission-client</short>
<description>Transmission is a lightweight GTK+ BitTorrent client.</description>
<port protocol="tcp" port="51413"/>
</service>

short改为想要名字(这个名字只是为了人来阅读,没有实际影响。重要的是修改 protocol和port。修改完保存。

我的经验是这是要重启firewalld服务,systemctl restart firewalld.service,否则可能提示找不到刚才新建的service。

然后把新建的service添加到firewalld

firewall-cmd --permanent --add-service=myservice

重启firewalld 生效



5分钟理解Centos7防火墙firewalld    http://www.cnblogs.com/stevenzeng/p/5152324.html  
-------------------------------------------------------------------------------------------------------------

1、firewalld的基本使用
启动: systemctl start firewalld
查看状态: systemctl status firewalld
停止: systemctl disable firewalld
禁用: systemctl stop firewalld
2.systemctl是CentOS7的服务管理工具中主要的工具,它融合之前service和chkconfig的功能于一体。
启动一个服务:systemctl start firewalld.service
关闭一个服务:systemctl stop firewalld.service
重启一个服务:systemctl restart firewalld.service
显示一个服务的状态:systemctl status firewalld.service
在开机时启用一个服务:systemctl enable firewalld.service
在开机时禁用一个服务:systemctl disable firewalld.service
查看服务是否开机启动:systemctl is-enabled firewalld.service
查看已启动的服务列表:systemctl list-unit-files|grep enabled
查看启动失败的服务列表:systemctl --failed
3.配置firewalld-cmd
查看版本: firewall-cmd --version
查看帮助: firewall-cmd --help
显示状态: firewall-cmd --state
查看所有打开的端口: firewall-cmd --zone=public --list-ports
更新防火墙规则: firewall-cmd --reload
查看区域信息:  firewall-cmd --get-active-zones
查看指定接口所属区域: firewall-cmd --get-zone-of-interface=eth0
拒绝所有包:firewall-cmd --panic-on
取消拒绝状态: firewall-cmd --panic-off
查看是否拒绝: firewall-cmd --query-panic
那怎么开启一个端口呢
添加
firewall-cmd --zone=public --add-port=80/tcp --permanent    (--permanent永久生效,没有此参数重启后失效)
重新载入
firewall-cmd --reload
查看
firewall-cmd --zone=public --query-port=80/tcp
删除
firewall-cmd --zone=public --remove-port=80/tcp --permanent

转载自:https://www.cnblogs.com/hubing/p/6058932.html

Centos7, firewalld, firewalld-cmd
  1. 1
  2. 2
  3. 3
  4. 4
  5. 5
  6. 6
  7. 7
  8. ...
  9. 51