Demystified: mastering the art of firewall management on Kylin Desktop OS
Many people picture the firewall as an arcane tool that only server administrators need to worry about, and assume a personal desktop can happily run "naked". In an era where everything is connected, that idea is simply outdated. Picture it: you are editing an important document over the public Wi-Fi in a coffee shop, your phone is reaching the NAS at home through a shared connection, or you are just browsing the web and downloading software. Every one of these ordinary activities can expose an unprotected computer to risk. A firewall is like the access-control gate of your residential compound: it quietly guards your "digital front door", deciding which "visitors" (network packets) may come and go and which are turned away. As a leading domestic Chinese operating system, Kylin Desktop OS (银河麒麟桌面操作系统) ships with a capable and easy-to-manage firewall. Today we take a close look at it.
Part 1. A firewall? Does your desktop computer really need one?
Dispelling a myth: "I'm not a server, who would attack my personal computer?" This is the most common misconception. The reality is:
- Automated scanning is everywhere: the Internet is full of automated tools that scan random IP addresses around the clock, looking for any unprotected port or service.
- Malware "phones home": if malware gets installed by accident, it will try to connect to external servers to upload data or fetch commands. A firewall can block this illicit outbound traffic.
- Internal networks are not inherently safe: even a home or office LAN has devices that need to reach each other (shared printers, files), and it may also contain an infected machine. A firewall gives you fine-grained control over which internal devices may reach your computer.
- Protecting local services: you may have remote desktop (VNC/RDP), file sharing (Samba/NFS), or development and debugging ports listening locally. A firewall makes sure only devices or IP addresses you trust can reach them.
Conclusion: the firewall is the fundamental line of defence for a desktop operating system and cannot be dispensed with. The Kylin firewall exists for exactly this purpose.
Part 3. Graphical management: the Kylin firewall in practice (the core section)
Kylin normally integrates firewall management under "Start menu" -> "Security Center", or "System Settings" -> "Security Center" -> "Firewall" (the exact path differs slightly between versions; searching for "firewall" usually finds it). The steps below use a typical interface as the example:
1. Checking the status and switching the Kylin firewall on or off
① In the Kylin start menu, search for "Security Center" and double-click to open it
② In the left pane, choose "Firewall and network protection"
③ Turn the Kylin firewall on
④ Turn the Kylin firewall off
2. Kylin firewall port management: precise control of individual ports
① Opening a port in the Kylin firewall
Before the port is opened:
Click "Configure firewall rules":
Click the " + " button:
Enter the name, port number, protocol and the other settings, then confirm:
After the port is opened:
② Closing a port
In the list of open ports, select the port entry, right-click it and then click the "Delete" button.
Part 4. The command line: kylin-firewall
The graphical interface covers most needs, but knowing a few core commands is very useful for debugging or for scripted automation (run them in a terminal).
1. Checking the Kylin firewall status
① Command:
sudo kylin-firewall -g
② Example:
$ sudo kylin-firewall -g
kylin firewall status:
public mode -------- on
private mode -------- on
2. Turning the Kylin firewall on
① Command:
sudo kylin-firewall -s on
② Example:
$ sudo kylin-firewall -g
kylin firewall status:
public mode -------- off
private mode -------- off
$ sudo kylin-firewall -s on
$ sudo kylin-firewall -g
kylin firewall status:
public mode -------- on
private mode -------- on
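The status output above is easy to parse, which makes the check scriptable: a login script or cron job can verify that both modes are still on and re-enable the firewall otherwise, instead of trusting that nobody switched it off. The following shell script is an added example and is not code from the article or from Kylin; the two status strings are constructed from the article's own output so the functions can be exercised offline, and the `KF` variable assumes `kylin-firewall` is on `PATH` and may be run with sudo.

```shell
# Added example (not from the article): parse the text that
# `sudo kylin-firewall -g` prints and re-enable the firewall if a mode is off.
# Constructed samples, copied from the article's output, so the checks run offline.
SAMPLE_STATUS_ON='kylin firewall status:
public mode -------- on
private mode -------- on'

SAMPLE_STATUS_OFF='kylin firewall status:
public mode -------- off
private mode -------- on'

# Assumption: kylin-firewall is on PATH and the user may run it with sudo.
# Set KF=echo to dry-run the remediation below without touching the firewall.
KF=${KF:-"sudo kylin-firewall"}

# Print the state ("on"/"off") of one mode, reading the status text from stdin.
# Usage: printf '%s\n' "$status" | mode_state public
mode_state() {
    awk -v m="$1" '$1 == m && $2 == "mode" { print $NF }'
}

# Return 0 when both public and private mode are on; otherwise list the modes
# that are not (or could not be read) and return 1.
firewall_fully_on() {
    rc=0
    for m in public private; do
        s=$(printf '%s\n' "$1" | mode_state "$m")
        if [ "$s" != "on" ]; then
            echo "WARNING: $m mode is '${s:-unknown}'"
            rc=1
        fi
    done
    return $rc
}

# Check the live firewall and turn it on if any mode is off: the same
# -g / -s on / -g sequence the article performs by hand, made automatic.
ensure_firewall_on() {
    if firewall_fully_on "$($KF -g 2>/dev/null)"; then
        echo "firewall already on in both modes"
    else
        $KF -s on && firewall_fully_on "$($KF -g 2>/dev/null)"
    fi
}

# Offline demonstration on the constructed samples.
firewall_fully_on "$SAMPLE_STATUS_ON" && echo "sample 1: fully on"
firewall_fully_on "$SAMPLE_STATUS_OFF" || echo "sample 2: needs remediation"
```

`firewall_fully_on` treats a missing or unreadable mode the same as an "off" mode, so a change in the output format fails closed (it reports a problem) rather than silently passing.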
3. Listing all kylin-firewall rules
① Command:
sudo kylin-firewall -S
② Example:
$ sudo kylin-firewall -S
rule_name | program | direction | mode | proto | local-IP | local-ports | remote-IP | remote-ports | action | status
Dhclient all all all udp all 68 all all allow on
Remote-Ports all all all tcp all all all 80,443,59546 allow on
APT-P2P all all all all all 9977 all all allow on
Avahi-Daemon all all all udp all 5353 all all allow on
Remote-Desktop all all private tcp all 3350,3389,5900 all all allow on
Remote-Monitor all all all tcp all 39275,39276,45623 all all allow on
SNMP all all private udp all all all 161 allow on
icmp all all private icmp all all all all allow on
SSHD all all private tcp all 22 all all allow on
System-Activation all all all all all all all 7070,17070 allow on
Other-Service2 all all private udp all 500,1701,4500 all all allow on
feige all all all all all 2425 all all allow on
Kylin-Ipmsg all all all all all 39900,39901 all all allow on
Other-Service1 all all private tcp all 25,7250,8668,8750,10080 all all allow on
CUPSD all all private tcp all 631 all all allow on
Systemd-Resolve all all private all all 53 all all allow on
Risk-Ports all all public all all 21,23,25,111,427,631 all all deny on
Wireless-Projection all all all all all 1991,24605 all all allow on
Kylin-Connectivity all all all all all 27180,27181,27182,27185:27198 all all allow on
4. Adding a Kylin firewall rule
① Command:
sudo kylin-firewall -A
# Commonly used parameters:
-A, --add-rule RULE_NAME [-c, --command COMM] [-d, --direction DIRECTION] [-m, --mode MODE] [-p, --protocol PROTO] [-l, --local-ip ADDR] [-L, --local-ports PORTS] [-r, --remote-ip ADDR] [-R, --remote-ports PORTS] [-a, --action ACTION]
② Example:
$ sudo kylin-firewall -A nginx-server -m public -p tcp -L 80 -a allow
$ sudo kylin-firewall -S
rule_name | program | direction | mode | proto | local-IP | local-ports | remote-IP | remote-ports | action | status
nginx-server all all public tcp all 80 all all allow on
sshd sshd all all all all all all all allow on
Dhclient all all all udp all 68 all all allow on
Remote-Ports all all all tcp all all all 80,443,59546 allow on
APT-P2P all all all all all 9977 all all allow on
Avahi-Daemon all all all udp all 5353 all all allow on
Remote-Desktop all all private tcp all 3350,3389,5900 all all allow on
Remote-Monitor all all all tcp all 39275,39276,45623 all all allow on
SNMP all all private udp all all all 161 allow on
icmp all all private icmp all all all all allow on
SSHD all all private tcp all 22 all all allow on
System-Activation all all all all all all all 7070,17070 allow on
Other-Service2 all all private udp all 500,1701,4500 all all allow on
feige all all all all all 2425 all all allow on
Kylin-Ipmsg all all all all all 39900,39901 all all allow on
Other-Service1 all all private tcp all 25,7250,8668,8750,10080 all all allow on
CUPSD all all private tcp all 631 all all allow on
Systemd-Resolve all all private all all 53 all all allow on
Risk-Ports all all public all all 21,23,25,111,427,631 all all deny on
Wireless-Projection all all all all all 1991,24605 all all allow on
Kylin-Connectivity all all all all all 27180,27181,27182,27185:27198 all all allow on
5. Deleting a Kylin firewall rule
① Command:
sudo kylin-firewall -D RULE_NAME
② Example:
$ sudo kylin-firewall -S
rule_name | program | direction | mode | proto | local-IP | local-ports | remote-IP | remote-ports | action | status
nginx-server all all public tcp all 80 all all allow on
sshd sshd all all all all all all all allow on
Dhclient all all all udp all 68 all all allow on
Remote-Ports all all all tcp all all all 80,443,59546 allow on
APT-P2P all all all all all 9977 all all allow on
Avahi-Daemon all all all udp all 5353 all all allow on
Remote-Desktop all all private tcp all 3350,3389,5900 all all allow on
Remote-Monitor all all all tcp all 39275,39276,45623 all all allow on
SNMP all all private udp all all all 161 allow on
icmp all all private icmp all all all all allow on
SSHD all all private tcp all 22 all all allow on
System-Activation all all all all all all all 7070,17070 allow on
Other-Service2 all all private udp all 500,1701,4500 all all allow on
feige all all all all all 2425 all all allow on
Kylin-Ipmsg all all all all all 39900,39901 all all allow on
Other-Service1 all all private tcp all 25,7250,8668,8750,10080 all all allow on
CUPSD all all private tcp all 631 all all allow on
Systemd-Resolve all all private all all 53 all all allow on
Risk-Ports all all public all all 21,23,25,111,427,631 all all deny on
Wireless-Projection all all all all all 1991,24605 all all allow on
Kylin-Connectivity all all all all all 27180,27181,27182,27185:27198 all all allow on
$ sudo kylin-firewall -D nginx-server
$ sudo kylin-firewall -S
rule_name | program | direction | mode | proto | local-IP | local-ports | remote-IP | remote-ports | action | status
sshd sshd all all all all all all all allow on
Dhclient all all all udp all 68 all all allow on
Remote-Ports all all all tcp all all all 80,443,59546 allow on
APT-P2P all all all all all 9977 all all allow on
Avahi-Daemon all all all udp all 5353 all all allow on
Remote-Desktop all all private tcp all 3350,3389,5900 all all allow on
Remote-Monitor all all all tcp all 39275,39276,45623 all all allow on
SNMP all all private udp all all all 161 allow on
icmp all all private icmp all all all all allow on
SSHD all all private tcp all 22 all all allow on
System-Activation all all all all all all all 7070,17070 allow on
Other-Service2 all all private udp all 500,1701,4500 all all allow on
feige all all all all all 2425 all all allow on
Kylin-Ipmsg all all all all all 39900,39901 all all allow on
Other-Service1 all all private tcp all 25,7250,8668,8750,10080 all all allow on
CUPSD all all private tcp all 631 all all allow on
Systemd-Resolve all all private all all 53 all all allow on
Risk-Ports all all public all all 21,23,25,111,427,631 all all deny on
Wireless-Projection all all all all all 1991,24605 all all allow on
Kylin-Connectivity all all all all all 27180,27181,27182,27185:27198 all all allow on
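The rule tables printed in sections 3 to 5 are the place to look when you want to know what a machine exposes while it is on an untrusted (public) network, and they are also what a script should consult before adding or deleting a rule so that it can be rerun safely. The script below is an added example, not code from the article or from Kylin: it parses the `-S` table (one whitespace-separated row per rule, columns in the order of the header line), reports the active allow rules that apply in public mode, and wraps `-A` and `-D` so they only act when needed. The sample table is constructed from the article's listing so the audit runs offline; `KF` assumes `kylin-firewall` is on `PATH` and may be run with sudo.

```shell
# Added example (not from the article): audit the table that
# `sudo kylin-firewall -S` prints, plus idempotent add/delete wrappers.
# Column order, as in the header line:
#   rule_name program direction mode proto local-IP local-ports remote-IP remote-ports action status
# Constructed sample, taken from the article's listing, so the audit runs offline.
# On a real host:  sudo kylin-firewall -S | exposed_allow_rules
SAMPLE_RULES='rule_name | program | direction | mode | proto | local-IP | local-ports | remote-IP | remote-ports | action | status
nginx-server all all public tcp all 80 all all allow on
sshd sshd all all all all all all all allow on
Dhclient all all all udp all 68 all all allow on
Remote-Desktop all all private tcp all 3350,3389,5900 all all allow on
SSHD all all private tcp all 22 all all allow on
Risk-Ports all all public all all 21,23,25,111,427,631 all all deny on
System-Activation all all all all all all all 7070,17070 allow on'

# Assumption: kylin-firewall is on PATH and may be run with sudo.
# Set KF=echo to print what the wrappers would run without changing anything.
KF=${KF:-"sudo kylin-firewall"}

# Return 0 if a rule with the given name is present in the table read from stdin.
rule_exists() {
    awk -v n="$1" '$1 != "rule_name" && $1 == n { found = 1 } END { exit found ? 0 : 1 }'
}

# List active allow rules that apply while on a public network (mode public or
# all) and that open something local: a local port, or a whole program.
# Rules that only name remote ports describe outbound traffic and are skipped.
exposed_allow_rules() {
    awk '$1 != "rule_name" && $10 == "allow" && $11 == "on" &&
         ($4 == "public" || $4 == "all") &&
         ($7 != "all" || $2 != "all") {
            printf "%-20s mode=%-8s proto=%-5s local-ports=%-12s program=%s\n", $1, $4, $5, $7, $2
         }'
}

# Add a rule only if no rule of that name exists yet, so a setup script can be rerun.
# Usage: ensure_rule nginx-server -m public -p tcp -L 80 -a allow
ensure_rule() {
    name=$1; shift
    if $KF -S | rule_exists "$name"; then
        echo "rule '$name' already present, not adding"
    else
        $KF -A "$name" "$@"
    fi
}

# Delete a rule only if it exists (kylin-firewall -D RULE_NAME).
remove_rule() {
    if $KF -S | rule_exists "$1"; then
        $KF -D "$1"
    else
        echo "rule '$1' not found, nothing to delete"
    fi
}

# Offline demonstration on the constructed table.
echo "allow rules reachable while on a public network:"
printf '%s\n' "$SAMPLE_RULES" | exposed_allow_rules
```

On the sample table the audit lists `nginx-server` (tcp 80 in public mode), `sshd` (a program-wide allow in every mode) and `Dhclient` (udp 68 in every mode), while the private-only `Remote-Desktop` and `SSHD` rules and the `Risk-Ports` deny rule are left out. Run it after every rule change, because a rule added with `-m public` by habit is exactly the kind of exposure the `Risk-Ports` deny rule is there to prevent.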
Closing remarks: security starts at your feet, and the firewall is the cornerstone
The firewalld-based firewall management that Kylin Desktop OS provides strikes a good balance between power and user-friendliness. Whether you are an ordinary user who only needs to click a few switches in the GUI for common services (such as file sharing or remote desktop), or an advanced user who has to configure complex rich rules or port forwarding, it is up to the job.
Do take the firewall on your desktop computer seriously: it is by no means an irrelevant background process. Understand the core concepts of zones, services and ports, get comfortable with the graphical management tool, and back it up with the command-line knowledge needed for debugging and advanced configuration, and you will have built a solid and intelligent network-security barrier around your Kylin system. No security matter is too small: start by managing your firewall well!