– Operational mode and configuration mode
When you log in for the first time you are in operational mode; type '?' to see all the commands available to you:
[email protected]:~$ ?
add delete ping6 reset terminal
clear disconnect reboot restart traceroute
configure generate release set traceroute6
connect initial-setup remove show undebug
copy no rename shutdown
debug ping renew telnet
[email protected]:~$ show ?
arp flow-accounting nat table
bridge hardware ntp tech-support
configuration history openvpn ubnt
date host pppoe-server users
debugging incoming queueing version
dhcp interfaces reboot vpn
dhcpv6 ip route-map vrrp
disk ipv6 shutdown webproxy
dns lldp snmp zebra
file log switch
firewall login system
[email protected]:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 - u/u
eth1 - u/D
eth2 - u/D
eth3 - u/D
eth4 - u/D
eth5 - u/D
eth6 - u/D
lo 127.0.0.1/8 u/u
To change the configuration you must enter configuration mode.
[email protected]:~$ configure
[email protected]#
With '?' or tab completion you can see the commands you can use:
[email protected]# show ?
interfaces service system
[email protected]# show ?
Possible completions:
interfaces Network interfaces
service Services
system System parameters
To configure the IP address on eth0:
[email protected]# set interfaces ethernet eth0 address ?
Possible completions:
IP address and prefix length
IPv6 address and prefix length
dhcp Dynamic Host Configuration Protocol
dhcpv6 Dynamic Host Configuration Protocol for IPv6
[email protected]# set interfaces ethernet eth0 address 10.1.1.80/23
[email protected]# set interfaces ethernet eth0 description "production LAN"
These changes only exist in the "working" configuration; the "active" configuration has not changed yet. To see the differences between the two, use the "compare" command:
[email protected]# compare
+address 10.1.1.2/24
+description "production LAN"
If everything looks right, use the "commit" command to activate the changes:
[email protected]# commit
Assuming the commit command returned no error, the changes are now in effect. But if you do not use the save command, you will lose the active configuration when the router restarts. So use the "save" command to write the configuration to the boot config.
[email protected]# save
Saving configuration to '/config/config.boot'...
Done
[email protected]# exit
exit
[email protected]:~$
[email protected]:~$ show interfaces
Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down
Interface IP Address S/L Description
--------- ---------- --- -----------
eth0 10.1.1.80/23 u/u production LAN
eth1 - u/D
eth2 - u/D
eth3 - u/D
eth4 - u/D
eth5 - u/D
eth6 - u/D
lo 127.0.0.1/8 u/u
::1/128
[email protected]:~$ ping 10.1.0.1
PING 10.1.0.1 (10.1.0.1) 56(84) bytes of data.
64 bytes from 10.1.0.1: icmp_req=1 ttl=64 time=0.460 ms
64 bytes from 10.1.0.1: icmp_req=2 ttl=64 time=0.407 ms
^C
--- 10.1.0.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.407/0.433/0.460/0.033 ms
– Using the edit, up, top, discard, copy and rename commands
First we will create a firewall rule with the required set commands.
[email protected]# set firewall name TEST default-action drop
[email protected]# set firewall name TEST enable-default-log
[email protected]# set firewall name TEST rule 10 description "allow icmp"
[email protected]# set firewall name TEST rule 10 action accept
[email protected]# set firewall name TEST rule 10 protocol icmp
Before typing commit we can view the rule with compare:
[email protected]# compare
+name TEST {
+ default-action drop
+ enable-default-log
+ rule 10 {
+ action accept
+ description "allow icmp"
+ protocol icmp
+ }
+}
Now let's undo the firewall rule we wrote with the discard command, and then write the rule again using the edit command.
[email protected]# discard
Changes have been discarded
[email protected]# compare
No changes between working and active configurations
If you noticed, while working in configuration mode the # prompt tells you that you are in this mode, and so far we have been at the top level. Now let's continue by creating our firewall rule from an edit level.
[email protected]# edit firewall name TEST
[email protected]# set default-action drop
[email protected]# set enable-default-log
Now edit (the command we use when we want to work on a node) rule 10:
[email protected]# edit rule 10
Using the “?” or tab completion will just show options for the given edit level
[email protected]# set ?
action disable ipsec p2p source time
description fragment limit protocol state
destination icmp log recent tcp
[email protected]# set description "allow icmp"
[email protected]# set action accept
[email protected]# set protocol icmp
Now the compare command will show you the comparison at the current edit level.
[email protected]# compare
+action accept
+description "allow icmp"
+protocol icmp
With the up command you can move one level above the current edit level.
[email protected]# up
[email protected]# compare
+default-action drop
+enable-default-log
+rule 10 {
+ action accept
+ description "allow icmp"
+ protocol icmp
+}
[email protected]# up
[email protected]# compare
+name TEST {
+ default-action drop
+ enable-default-log
+ rule 10 {
+ action accept
+ description "allow icmp"
+ protocol icmp
+ }
+}
From any edit level you can use the top command to return to the top level.
[email protected]# top
[email protected]# compare
+name TEST {
+ default-action drop
+ enable-default-log
+ rule 10 {
+ action accept
+ description "allow icmp"
+ protocol icmp
+ }
+}
The most useful commands are edit, copy and rename. Let's say we have a firewall rule set like the one below and we want to copy it and then make a change to the copy.
[email protected]# show firewall
name WAN1_LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action drop
state {
invalid enable
}
}
rule 30 {
action accept
destination {
port 22
}
protocol tcp
}
}
[email protected]# edit firewall
[email protected]# copy name WAN1_LOCAL to name WAN2_LOCAL
[email protected]# commit
[email protected]# top
[email protected]# show firewall
name WAN1_LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action drop
state {
invalid enable
}
}
rule 30 {
action accept
destination {
port 22
}
protocol tcp
}
}
name WAN2_LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action drop
state {
invalid enable
}
}
rule 30 {
action accept
destination {
port 22
}
protocol tcp
}
}
The rename command works in the same way as the edit command.
[email protected]# edit firewall
[email protected]# rename name W
WAN1_LOCAL WAN2_LOCAL
[email protected]# rename name WAN2_LOCAL to name WAN2_IN
[email protected]# commit
[email protected]# top
[email protected]# show firewall name
name WAN1_LOCAL {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action drop
state {
invalid enable
}
}
rule 30 {
action accept
destination {
port 22
}
protocol tcp
}
}
name WAN2_IN {
default-action drop
rule 10 {
action accept
state {
established enable
related enable
}
}
rule 20 {
action drop
state {
invalid enable
}
}
rule 30 {
action accept
destination {
port 22
}
protocol tcp
}
}
[email protected]#
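The brace tree that show firewall prints and the set commands typed earlier are two views of the same configuration. As an added example (not from this page or from EdgeOS itself), here is a small Python parser that turns such a tree into the equivalent flat set lines, which is handy when you want to re-apply a copied policy on another router or diff two policies line by line; the sample tree is constructed.

```python
"""Turn an EdgeOS/Vyatta brace-style config tree into flat `set` commands."""
import shlex

# Constructed sample: a trimmed WAN1_LOCAL policy like the one shown above,
# with a quoted description added to exercise value quoting.
SAMPLE = """\
name WAN1_LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 30 {
        action accept
        description "allow ssh"
        destination {
            port 22
        }
        protocol tcp
    }
}
"""

def tree_to_set(text, prefix=("firewall",)):
    """One `set` command per leaf; `prefix` is the node `show` was run on.
    A line ending in `{` opens a node, a bare `}` closes it, anything else
    is a leaf (`protocol tcp`, or a flag such as `enable-default-log`)."""
    path, opened, cmds = list(prefix), [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            del path[len(path) - opened.pop():]   # drop the node's tokens
            continue
        tokens = shlex.split(line)
        if tokens[-1] == "{":
            path.extend(tokens[:-1])
            opened.append(len(tokens) - 1)
        else:
            # Re-quote values containing spaces, as the CLI expects.
            words = [f'"{t}"' if " " in t else t for t in path + tokens]
            cmds.append("set " + " ".join(words))
    if opened:
        raise ValueError("unbalanced braces in config tree")
    return cmds
```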
– Using config management:
As I described above, save writes the configuration to disk, but you can also back up your config file to a remote server, like this (I am assuming a tftp service is installed on the remote server):
[email protected]# save ?
Possible completions:
Save to system config file
Save to file on local machine
scp://:@/ Save to file on remote machine
ftp://:@/ Save to file on remote machine
tftp:/// Save to file on remote machine
[email protected]# save tftp://10.1.0.15/rtr-config.boot
Saving configuration to 'tftp://10.1.0.15/rtr-config.boot'...
######################################################################## 100.0%
Done
But this is only a backup copy of the configuration. If I reboot, /config/config.boot will still be loaded.
So what should I do if I want the configuration backed up to the remote server automatically after every commit?
[email protected]# set system config-management commit-archive location ?
Possible completions:
Uniform Resource Identifier
Detailed information:
"scp://:@/"
"ftp://:@/"
"tftp:///"
[email protected]# set system config-management commit-archive location tftp://10.1.0.15/RTR
[email protected]# commit
Archiving config...
tftp://10.1.0.15/RTR OK
On the remote tftp server you will see that a separate copy is saved for every commit, each named with the router name and the date:
[email protected]:/tftpboot/RTR$ ls -l
total 8
-rw------- 1 nobody nogroup 908 Aug 17 17:19 config.boot-RTR.20120817_171932
-rw------- 1 nobody nogroup 874 Aug 17 17:20 config.boot-RTR.20120818_002046
– commit-revisions
But instead of backing up to a remote server, you may want to keep multiple revisions of the config file on the local disk:
[email protected]# set system config-management commit-revisions 50
[email protected]# commit
Example:
[email protected]# set system login user joe authentication plaintext-password secret
[email protected]# commit
[email protected]# save; exit
Saving configuration to '/config/config.boot'...
Done
exit
[email protected]:~$ show system commit
0 2012-08-17 18:32:13 by ubnt via cli
commit
1 2012-08-17 18:31:52 by ubnt via cli
commit
2 2012-08-17 18:31:51 by root via init
commit
Now let's look at what changed in revision 0:
[email protected]:~$ show system commit diff 0
+user joe {
+ authentication {
+ encrypted-password $1$CWVzYggs$NyJXxC3S572rfm6pY8ZMO.
+ plaintext-password ""
+ }
+ level admin
+}
If you want to see the entire configuration at revision 0:
[email protected]:~$ show system commit file 0
Can I add a comment or other information to my commits?
[email protected]# set system login user joe level operator
[email protected]# commit comment "change joe from admin to op"
[email protected]# save; exit
Saving configuration to '/config/config.boot'...
Done
exit
Now with "show system commit" we can also see the comments.
[email protected]R:~$ show system commit
0 2012-08-17 18:44:41 by ubnt via cli
change joe from admin to op
1 2012-08-17 18:34:01 by ubnt via cli
commit
2 2012-08-17 18:32:13 by ubnt via cli
commit
3 2012-08-17 18:31:52 by ubnt via cli
commit
4 2012-08-17 18:31:51 by root via init
commit
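The commit log above is the first place to look when reviewing who changed the router configuration and when. As an added example (not from this page or from EdgeOS), a Python parser for the show system commit format that flags revisions made without a comment or outside the expected user and CLI path; the history sample is constructed.

```python
"""Parse `show system commit` output and flag revisions worth reviewing."""
import re
from datetime import datetime

# Constructed sample in the format shown above (hypothetical values).
HISTORY = """\
0  2012-08-17 18:44:41 by ubnt via cli
   change joe from admin to op
1  2012-08-17 18:34:01 by ubnt via cli
   commit
2  2012-08-17 18:31:51 by root via init
   commit
"""

HEADER = re.compile(
    r"^(\d+)\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) by (\S+) via (\S+)$")

def parse_commits(text):
    """Return dicts (rev, time, user, via, comment), newest first.

    Each revision takes two lines: a header and the comment line, where a
    plain `commit` means no `commit comment "..."` was given.
    """
    commits, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = {"rev": int(m.group(1)),
                       "time": datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S"),
                       "user": m.group(3), "via": m.group(4), "comment": ""}
            commits.append(current)
        elif current is not None and line:
            current["comment"] = line
    return commits

def flag_commits(commits, allowed_users=("ubnt",)):
    """Flag revisions with no comment, or not made by an expected user
    through the CLI (e.g. the initial `root via init` commit at boot)."""
    flagged = []
    for c in commits:
        reasons = []
        if c["comment"] in ("", "commit"):
            reasons.append("no comment")
        if c["user"] not in allowed_users or c["via"] != "cli":
            reasons.append(f"made by {c['user']} via {c['via']}")
        if reasons:
            flagged.append((c["rev"], reasons))
    return flagged
```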
– commit-confirm
When working on the router remotely, some changes (for example a firewall or NAT rule) can cut our own connection. In such cases it is a very good idea for the configuration you apply not to stay in effect until you confirm it. For example:
[email protected]:~$ configure
[email protected]# set firewall name WAN_IN rule 50 action drop
[email protected]# set firewall name WAN_IN rule 50 destination address 172.16.0.0/16
[email protected]# commit-confirm
commit confirm will be automatically reboot in 10 minutes unless confirmed
Proceed?
Now, if everything is fine:
[email protected]# confirm
You can also specify how many minutes it should wait, but if you forget to type the confirm command you can be in for a nasty surprise:
[email protected]# commit-confirm 1
commit confirm will be automatically reboot in 1 minutes unless confirmed
Proceed?
[email protected]#
Broadcast message from [email protected] (Mon Aug 20 14:00:06 2012):
The system is going down for reboot NOW!
INIT: Switching to runlevel: 6
INIT: Stopping routing services...zebra...done.
Removing all Quagga Routes.