{"id":188,"date":"2023-07-01T09:01:10","date_gmt":"2023-07-01T01:01:10","guid":{"rendered":"https:\/\/127.0.0.1\/?p=188"},"modified":"2023-11-17T14:19:12","modified_gmt":"2023-11-17T06:19:12","slug":"allowzonedrifting%e7%a6%81%e7%94%a8","status":"publish","type":"post","link":"https:\/\/silky.cn\/?p=188","title":{"rendered":"Disabling AllowZoneDrifting"},"content":{"rendered":"\r\n<p>Red Hat 8.5 web console interface<\/p>\r\n\r\n\r\n\r\n<p>The log shows: \u201cWARNING: AllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.\u201d<\/p>\r\n\r\n\r\n\r\n<p>In other words, AllowZoneDrifting is enabled; this is considered an insecure configuration option that will be removed in a future release, so consider disabling it right away.<\/p>\r\n\r\n\r\n\r\n<p>Locate \/etc\/firewalld\/firewalld.conf in the file system:<\/p>\r\n\r\n\r\n\r\n<ul>\r\n<li># vim \/etc\/firewalld\/firewalld.conf<\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Open firewalld.conf and find the content shown below.<\/p>\r\n\r\n\r\n\r\n<p>Change AllowZoneDrifting=yes to AllowZoneDrifting=no.<\/p>\r\n\r\n\r\n\r\n<p>Before the change:<\/p>\r\n\r\n\r\n\r\n<ul>\r\n<li># AllowZoneDrifting<\/li>\r\n<li># Older versions of firewalld had undocumented behavior known as &#8220;zone<\/li>\r\n<li># drifting&#8221;. This allowed packets to ingress multiple zones &#8211; this is a<\/li>\r\n<li># violation of zone based firewalls. However, some users rely on this behavior<\/li>\r\n<li># to have a &#8220;catch-all&#8221; zone, e.g. the default zone. You can enable this if you<\/li>\r\n<li># desire such behavior. 
It&#8217;s disabled by default for security reasons.<\/li>\r\n<li># Note: If &#8220;yes&#8221; packets will only drift from source based zones to interface<\/li>\r\n<li># based zones (including the default zone). Packets never drift from interface<\/li>\r\n<li># based zones to other interfaces based zones (including the default zone).<\/li>\r\n<li># Possible values; &#8220;yes&#8221;, &#8220;no&#8221;. Defaults to &#8220;yes&#8221;.<\/li>\r\n<li><strong>AllowZoneDrifting=yes<\/strong><\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>After the change:<\/p>\r\n\r\n\r\n\r\n<ul>\r\n<li># AllowZoneDrifting<\/li>\r\n<li># Older versions of firewalld had undocumented behavior known as &#8220;zone<\/li>\r\n<li># drifting&#8221;. This allowed packets to ingress multiple zones &#8211; this is a<\/li>\r\n<li># violation of zone based firewalls. However, some users rely on this behavior<\/li>\r\n<li># to have a &#8220;catch-all&#8221; zone, e.g. the default zone. You can enable this if you<\/li>\r\n<li># desire such behavior. It&#8217;s disabled by default for security reasons.<\/li>\r\n<li># Note: If &#8220;yes&#8221; packets will only drift from source based zones to interface<\/li>\r\n<li># based zones (including the default zone). Packets never drift from interface<\/li>\r\n<li># based zones to other interfaces based zones (including the default zone).<\/li>\r\n<li># Possible values; &#8220;yes&#8221;, &#8220;no&#8221;. 
Defaults to &#8220;yes&#8221;.<\/li>\r\n<li><strong>AllowZoneDrifting=no<\/strong><\/li>\r\n<\/ul>\r\n\r\n\r\n\r\n<p>Then firewalld needs to be restarted.<\/p>\r\n\r\n\r\n\r\n<p>Run the following command to restart firewalld:<\/p>\r\n\r\n\r\n\r\n<ul>\r\n<li># systemctl restart firewalld<\/li>\r\n<\/ul>\r\n","protected":false},"excerpt":{"rendered":"<p><span itemprop=\"description\">Red Hat 8.5 web console interface The log shows: \u201cWAR\u2026 <a class=\"read-more-candy\" href=\"https:\/\/silky.cn\/?p=188\">\ud83c\udf6c Read more<\/a><\/span><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[56],"class_list":["post-188","post","type-post","status-publish","format-standard","hentry","category-essay","tag-red-hat"],"_links":{"self":[{"href":"https:\/\/silky.cn\/index.php?rest_route=\/wp\/v2\/posts\/188","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/silky.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/silky.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/silky.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/silky.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=188"}],"version-history":[{"count":2,"href":"https:\/\/silky.cn\/index.php?rest_route=\/wp\/v2\/posts\/188\/revisions"}],"predecessor-version":[{"id":466,"href":"https:\/\/silky.cn\/index.php?rest_route=\/wp\/v2\/posts\/188\/revisions\/466"}],"wp:attachment":[{"href":"https:\/\/silky.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=188"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/silky.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=188"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/silky.cn\/ind
ex.php?rest_route=%2Fwp%2Fv2%2Ftags&post=188"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}