Ubuntu ufw/firewall: firewall rule configuration

何其不顾四月天, published 2020/12/28 23:35:13

Ubuntu firewall rule configuration

ufw

Installation and enabling

```bash
sudo apt-get install ufw   # install
sudo ufw enable            # start
sudo ufw disable           # disable
sudo ufw reload            # reload the rules
sudo ufw reset             # restore the initial settings
sudo ufw status            # firewall status
```

Command overview

Commands:
 enable enables the firewall
 disable disables the firewall
 default ARG set default policy
 logging LEVEL set logging to LEVEL
 allow ARGS add allow rule
 deny ARGS add deny rule
 reject ARGS add reject rule
 limit ARGS add limit rule
 delete RULE|NUM delete RULE
 insert NUM RULE insert RULE at NUM
 route RULE add route RULE
 route delete RULE|NUM delete route RULE
 route insert NUM RULE insert route RULE at NUM
 reload reload firewall
 reset reset firewall
 status show firewall status
 status numbered show firewall status as numbered list of RULES
 status verbose show verbose firewall status
 show ARG show firewall report
 version display version information

Application profile commands:
 app list list application profiles
 app info PROFILE show information on PROFILE
 app update PROFILE update PROFILE
 app default ARG set default application policy

  
 
Command details

  • Open/close a port
```bash
ufw allow|deny [service]
```
```bash
ufw allow smtp             # allow every external IP to reach local port 25/tcp (smtp)
ufw allow 22/tcp           # allow every external IP to reach local port 22/tcp (ssh)
ufw allow 53               # allow external access to port 53 (tcp/udp)
ufw allow from ip_address  # allow this IP to reach every local port
ufw deny port              # deny access to a local port
```
  • Local host port settings
```bash
ufw allow|deny to 172.26.106.87  # allow|deny local ports reaching this IP
ufw allow|deny to ip_address port 22,20,10:120 proto tcp|udp  # allow|deny local access to certain ports of the given IP
ufw allow|deny in on virbr0 to ip_address port num proto udp|tcp  # allow|deny local access via interface virbr0 to a specific port of the given IP
```
  • Target port settings
```bash
ufw allow|deny from 172.26.106.87  # allow|deny the given IP access to the local host
ufw allow|deny from ip_address port 22,20,10:120 proto tcp|udp  # allow|deny certain ports of the given IP access to the local IP
ufw allow|deny out on virbr0 from ip_address port num proto udp|tcp  # allow|deny a specific port of the given IP on interface virbr0 access to the local host
```
```bash
ufw allow in on virbr0 from 172.26.106.87 port 20,80,100:120 proto tcp to 172.26.106.103 port 80:100  # allow 172.26.106.87 ports 20,80,100:120 to reach 172.26.106.103 ports 80:100 over TCP
```
  • Full command syntax
```bash
ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto protocol] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]
# command [--dry-run] [delete] [insert before rule NUM] allow|deny|reject|limit [in|out on "interface"] [proto "protocol"] [from "address" [port "port"]] [to "address" [port "port"]]
```

Code walkthrough

  • Header files
```cpp
#include <iostream>
#include <string>
#include <cstdlib>       // std::system
#include <sys/types.h>
#include <sys/stat.h>
```
  • Data structure
```cpp
typedef struct {
    int type;          // 1. delete  2. add  3. extension
    int direction;     // 0. inbound  1. outbound
    int protocol;      // 1. tcp  2. udp  3. all
    int startPort;     // start port
    int endPort;       // end port
    std::string ip;    // IP address
} ZoneInfo;
```
  • Rule type
```cpp
std::string getType(int type)
{
    if (type == 1)
        return std::string("delete allow ");   // 1: delete the rule
    else if (type == 2)
        return std::string("allow");           // 2: add the rule
    else if (type == 3)
        return std::string("");                // 3: extension, no keyword
    return std::string("");                    // any other value: no keyword
}
```
  • Traffic direction
```cpp
std::string getDirection(int direction)
{
    if (direction == 0)
        return std::string("in on enp1s0 ");   // inbound on interface enp1s0
    else if (direction == 1)
        return std::string("out on enp1s0 ");  // outbound on interface enp1s0
    return std::string("");                    // unknown direction: no interface clause
}
```
  • Protocol
```cpp
std::string getProtocol(int protocol)
{
    if (protocol == 1)
        return std::string("proto tcp");
    else if (protocol == 2)
        return std::string("proto udp");
    else
        return std::string("");   // 3 (all) or unknown: no proto clause
}
```
  • Port
```cpp
std::string getPort(int startPort, int endPort)
{
    if (startPort == endPort)
        return std::string("port ") + std::to_string(startPort);
    else if (startPort < endPort)
        return std::string("port ") + std::to_string(startPort) + std::string(":") + std::to_string(endPort);
    return std::string("");   // startPort > endPort is an invalid range: emit no port clause
}
```
  • IP
```cpp
std::string getIpAddress(std::string ip)
{
    return ip;
}
```
  • Building a single rule
```cpp
std::string setSecurity(ZoneInfo zoneInfo, std::string localIp)
{
    std::string cmd;
    cmd += std::string("ufw ");
    cmd += getType(zoneInfo.type) + std::string(" ");
    cmd += getDirection(zoneInfo.direction) + std::string(" ");
    cmd += getProtocol(zoneInfo.protocol) + std::string(" ");
    if (zoneInfo.direction == 0) {
        // inbound: remote IP -> local IP:port
        cmd += std::string("from ") + getIpAddress(zoneInfo.ip) + std::string(" ");
        cmd += std::string("to ") + localIp + std::string(" ");
        cmd += getPort(zoneInfo.startPort, zoneInfo.endPort) + std::string(" ");
    } else if (zoneInfo.direction == 1) {
        // outbound: local IP:port -> remote IP
        cmd += std::string("from ") + localIp + std::string(" ");
        cmd += getPort(zoneInfo.startPort, zoneInfo.endPort) + std::string(" ");
        cmd += std::string("to ") + getIpAddress(zoneInfo.ip);
    }
    return cmd;
}
```
  • Resetting the firewall rules
```cpp
bool resetSafeGroup()
{
    // --force skips the interactive confirmation prompt
    if (std::system("ufw --force reset") != 0) {
        std::cout << "ufw reset fail!" << std::endl;
        return false;
    }
    if (std::system("ufw enable") != 0) {
        std::cout << "ufw enable fail!" << std::endl;
        return false;
    }
    return true;
}
```
  • main
```cpp
int main()
{
    // type=1 (delete), direction=1 (outbound), protocol=2 (udp), ports 2222-2225, peer 192.168.0.1
    ZoneInfo zoneInfo = {1, 1, 2, 2222, 2225, std::string("192.168.0.1")};
    std::string cmd = setSecurity(zoneInfo, std::string("192.168.0.0/24"));
    std::cout << cmd << std::endl;
    int ret = std::system(cmd.c_str());
    std::cout << "ret:" << ret << std::endl;
    std::cout << "ret:" << resetSafeGroup() << std::endl;
    return 0;
}
```
  • Compile
```bash
g++ SecurityGroupPolicy.cpp -o run
```
  • Execution result
```
ufw delete allow  out on enp1s0  proto udp from 172.26.106.105 port 2222:2225 to 172.26.106.87
Could not delete non-existent rule
ret:0
Backing up 'user.rules' to '/etc/ufw/user.rules.20200714_140214'
Backing up 'before.rules' to '/etc/ufw/before.rules.20200714_140214'
Backing up 'after.rules' to '/etc/ufw/after.rules.20200714_140214'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20200714_140214'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20200714_140214'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20200714_140214'

Firewall is active and enabled on system startup
ret:1
```
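Added example (my own code, not from the original post): the generator above concatenates `zoneInfo.ip` straight into a string handed to std::system, so any value that is not a plain address becomes part of a command run as root, and getPort() emits nothing when startPort exceeds endPort. The version below validates every field against the ufw syntax from the command-details section (address, optional prefix, port range, direction, protocol) before building the command line, and returns an empty string for anything that does not pass. The names SafeRule, validIpv4Cidr, buildUfwRule and applyUfwRule are my own; the interface name enp1s0 is taken from the page.

```cpp
#include <cstdlib>
#include <iostream>
#include <sstream>
#include <string>

struct SafeRule {
    int type;        // 1 = delete, 2 = add (same encoding as the page's ZoneInfo)
    int direction;   // 0 = inbound, 1 = outbound
    int protocol;    // 1 = tcp, 2 = udp, 3 = any
    int startPort;
    int endPort;
    std::string ip;  // peer address, optionally with a /prefix
};

// True only for a dotted-quad IPv4 address with an optional /0..32 prefix.
// Rejecting everything else keeps shell metacharacters out of the command.
static bool validIpv4Cidr(const std::string& s)
{
    std::string addr = s, prefix;
    std::string::size_type slash = s.find('/');
    if (slash != std::string::npos) {
        addr = s.substr(0, slash);
        prefix = s.substr(slash + 1);
    }
    if (addr.empty() || addr.back() == '.') return false;
    int octets = 0;
    std::stringstream ss(addr);
    std::string part;
    while (std::getline(ss, part, '.')) {
        if (part.empty() || part.size() > 3) return false;
        for (char c : part) if (c < '0' || c > '9') return false;
        if (std::stoi(part) > 255) return false;
        ++octets;
    }
    if (octets != 4) return false;
    if (slash != std::string::npos) {
        if (prefix.empty() || prefix.size() > 2) return false;
        for (char c : prefix) if (c < '0' || c > '9') return false;
        if (std::stoi(prefix) > 32) return false;
    }
    return true;
}

// Build the ufw command line for one rule, or return "" if any field is
// out of range. "enp1s0" is the interface name used on the page (assumption).
static std::string buildUfwRule(const SafeRule& r, const std::string& localIp)
{
    if (r.type != 1 && r.type != 2) return "";
    if (r.direction != 0 && r.direction != 1) return "";
    if (r.protocol < 1 || r.protocol > 3) return "";
    if (r.startPort < 1 || r.endPort > 65535 || r.startPort > r.endPort) return "";
    if (!validIpv4Cidr(r.ip) || !validIpv4Cidr(localIp)) return "";

    std::string port = "port " + std::to_string(r.startPort);
    if (r.startPort != r.endPort) port += ":" + std::to_string(r.endPort);
    std::string proto = r.protocol == 1 ? " proto tcp" : r.protocol == 2 ? " proto udp" : "";

    std::string cmd = "ufw ";
    cmd += (r.type == 1) ? "delete allow " : "allow ";
    cmd += (r.direction == 0) ? "in on enp1s0" : "out on enp1s0";
    cmd += proto;
    if (r.direction == 0)
        cmd += " from " + r.ip + " to " + localIp + " " + port;   // inbound: peer -> local:port
    else
        cmd += " from " + localIp + " " + port + " to " + r.ip;   // outbound: local:port -> peer
    return cmd;
}

// Execute a command that passed validation; an empty (rejected) command is never run.
static int applyUfwRule(const std::string& cmd)
{
    return cmd.empty() ? -1 : std::system(cmd.c_str());
}

int main()
{
    SafeRule ok{1, 1, 2, 2222, 2225, "192.168.0.1"};       // the page's sample rule
    SafeRule bad{2, 0, 1, 22, 22, "192.168.0.1 && ls"};    // constructed hostile input
    std::cout << "valid:    " << buildUfwRule(ok, "192.168.0.0/24") << "\n";
    std::cout << "rejected: [" << buildUfwRule(bad, "192.168.0.0/24") << "]\n";
    return 0;
}
```

buildUfwRule() produces exactly the command form shown in the execution result above for the page's sample, while an address carrying anything beyond digits, dots and a prefix, a port outside 1-65535, or a reversed range yields "" and therefore never reaches std::system.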

firewalld

Installation/enabling

```bash
apt-get install firewalld             # install
systemctl enable firewalld.service    # enable: start on boot
systemctl status firewalld.service    # check status
```

Command reference

Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help Prints a short help text and exists
  -V, --version Print the version string of firewalld
  -q, --quiet Do not print status messages

Status Options
  --state Return and print firewalld state
  --reload Reload firewall and keep state information
  --complete-reload Reload firewall and lose state information
  --runtime-to-permanent Create permanent from runtime configuration

Log Denied Options
  --get-log-denied Print the log denied value
  --set-log-denied=<value> Set log denied value

Automatic Helpers Options
  --get-automatic-helpers Print the automatic helpers value
  --set-automatic-helpers=<value> Set automatic helpers value

Permanent Options
  --permanent Set an option permanently Usable for options marked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone> Set default zone
  --get-active-zones   Print currently active zones
  --get-zones Print predefined zones [P]
  --get-services Print predefined services [P]
  --get-icmptypes Print predefined icmptypes [P]
  --get-zone-of-interface=<interface> Print name of the zone the interface is bound to [P]
  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Print name of the zone the source is bound to [P]
  --list-all-zones List everything added for or enabled in all zones [P]
  --new-zone=<zone> Add a new zone [P only]
  --new-zone-from-file=<filename> [--name=<zone>] Add a new zone from file with optional name [P only]
  --delete-zone=<zone> Delete an existing zone [P only]
  --load-zone-defaults=<zone> Load zone default settings [P only] [Z]
  --zone=<zone> Use this zone to set or query options, else default zone Usable for options marked with [Z]
  --get-target Get the zone target [P only] [Z]
  --set-target=<target> Set the zone target [P only] [Z]
  --info-zone=<zone>   Print information about a zone
  --path-zone=<zone>   Print file path of a zone [P only]

IPSet Options
  --get-ipset-types Print the supported ipset types
  --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]].. Add a new ipset [P only]
  --new-ipset-from-file=<filename> [--name=<ipset>] Add a new ipset from file with optional name [P only]
  --delete-ipset=<ipset> Delete an existing ipset [P only]
  --load-ipset-defaults=<ipset> Load ipset default settings [P only]
  --info-ipset=<ipset> Print information about an ipset
  --path-ipset=<ipset> Print file path of an ipset [P only]
  --get-ipsets Print predefined ipsets
  --ipset=<ipset> --set-description=<description> Set new description to ipset [P only]
  --ipset=<ipset> --get-description Print description for ipset [P only]
  --ipset=<ipset> --set-short=<description> Set new short description to ipset [P only]
  --ipset=<ipset> --get-short Print short description for ipset [P only]
  --ipset=<ipset> --add-entry=<entry> Add a new entry to an ipset [P]
  --ipset=<ipset> --remove-entry=<entry> Remove an entry from an ipset [P]
  --ipset=<ipset> --query-entry=<entry> Return whether ipset has an entry [P]
  --ipset=<ipset> --get-entries List entries of an ipset [P]
  --ipset=<ipset> --add-entries-from-file=<entry> Add a new entries to an ipset [P]
  --ipset=<ipset> --remove-entries-from-file=<entry> Remove entries from an ipset [P]

IcmpType Options
  --new-icmptype=<icmptype> Add a new icmptype [P only]
  --new-icmptype-from-file=<filename> [--name=<icmptype>] Add a new icmptype from file with optional name [P only]
  --delete-icmptype=<icmptype> Delete an existing icmptype [P only]
  --load-icmptype-defaults=<icmptype> Load icmptype default settings [P only]
  --info-icmptype=<icmptype> Print information about an icmptype
  --path-icmptype=<icmptype> Print file path of an icmptype [P only]
  --icmptype=<icmptype> --set-description=<description> Set new description to icmptype [P only]
  --icmptype=<icmptype> --get-description Print description for icmptype [P only]
  --icmptype=<icmptype> --set-short=<description> Set new short description to icmptype [P only]
  --icmptype=<icmptype> --get-short Print short description for icmptype [P only]
  --icmptype=<icmptype> --add-destination=<ipv> Enable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --remove-destination=<ipv> Disable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --query-destination=<ipv> Return whether destination ipv is enabled in icmptype [P only]
  --icmptype=<icmptype> --get-destinations List destinations in icmptype [P only]

Service Options
  --new-service=<service> Add a new service [P only]
  --new-service-from-file=<filename> [--name=<service>] Add a new service from file with optional name [P only]
  --delete-service=<service> Delete an existing service [P only]
  --load-service-defaults=<service> Load icmptype default settings [P only]
  --info-service=<service> Print information about a service
  --path-service=<service> Print file path of a service [P only]
  --service=<service> --set-description=<description> Set new description to service [P only]
  --service=<service> --get-description Print description for service [P only]
  --service=<service> --set-short=<description> Set new short description to service [P only]
  --service=<service> --get-short Print short description for service [P only]
  --service=<service> --add-port=<portid>[-<portid>]/<protocol> Add a new port to service [P only]
  --service=<service> --remove-port=<portid>[-<portid>]/<protocol> Remove a port from service [P only]
  --service=<service> --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for service [P only]
  --service=<service> --get-ports List ports of service [P only]
  --service=<service> --add-protocol=<protocol> Add a new protocol to service [P only]
  --service=<service> --remove-protocol=<protocol> Remove a protocol from service [P only]
  --service=<service> --query-protocol=<protocol> Return whether the protocol has been added for service [P only]
  --service=<service> --get-protocols List protocols of service [P only]
  --service=<service> --add-source-port=<portid>[-<portid>]/<protocol> Add a new source port to service [P only]
  --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol> Remove a source port from service [P only]
  --service=<service> --query-source-port=<portid>[-<portid>]/<protocol> Return whether the source port has been added for service [P only]
  --service=<service> --get-source-ports List source ports of service [P only]
  --service=<service> --add-module=<module> Add a new module to service [P only]
  --service=<service> --remove-module=<module> Remove a module from service [P only]
  --service=<service> --query-module=<module> Return whether the module has been added for service [P only]
  --service=<service> --get-modules List modules of service [P only]
  --service=<service> --set-destination=<ipv>:<address>[/<mask>] Set destination for ipv to address in service [P only]
  --service=<service> --remove-destination=<ipv> Disable destination for ipv i service [P only]
  --service=<service> --query-destination=<ipv>:<address>[/<mask>] Return whether destination ipv is set for service [P only]
  --service=<service> --get-destinations List destinations in service [P only]

Options to Adapt and Query Zones
  --list-all List everything added for or enabled in a zone [P] [Z]
  --list-services List services added for a zone [P] [Z]
  --timeout=<timeval>  Enable an option for timeval time, where timeval is a number followed by one of letters 's' or 'm' or 'h' Usable for options marked with [T]
  --set-description=<description> Set new description to zone [P only] [Z]
  --get-description Print description for zone [P only] [Z]
  --set-short=<description> Set new short description to zone [P only] [Z]
  --get-short Print short description for zone [P only] [Z]
  --add-service=<service> Add a service for a zone [P] [Z] [T]
  --remove-service=<service> Remove a service from a zone [P] [Z]
  --query-service=<service> Return whether service has been added for a zone [P] [Z]
  --list-ports List ports added for a zone [P] [Z]
  --add-port=<portid>[-<portid>]/<protocol> Add the port for a zone [P] [Z] [T]
  --remove-port=<portid>[-<portid>]/<protocol> Remove the port from a zone [P] [Z]
  --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for zone [P] [Z]
  --list-protocols List protocols added for a zone [P] [Z]
  --add-protocol=<protocol> Add the protocol for a zone [P] [Z] [T]
  --remove-protocol=<protocol> Remove the protocol from a zone [P] [Z]
  --query-protocol=<protocol> Return whether the protocol has been added for zone [P] [Z]
  --list-source-ports  List source ports added for a zone [P] [Z]
  --add-source-port=<portid>[-<portid>]/<protocol> Add the source port for a zone [P] [Z] [T]
  --remove-source-port=<portid>[-<portid>]/<protocol> Remove the source port from a zone [P] [Z]
  --query-source-port=<portid>[-<portid>]/<protocol> Return whether the source port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=<icmptype> Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=<icmptype> Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=<icmptype> Return whether an ICMP block has been added for a zone [P] [Z]
  --add-icmp-block-inversion Enable inversion of icmp blocks for a zone [P] [Z]
  --remove-icmp-block-inversion Disable inversion of icmp blocks for a zone [P] [Z]
  --query-icmp-block-inversion Return whether inversion of icmp blocks has been enabled for a zone [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Return whether the IPv4 forward port has been added for a zone [P] [Z]
  --add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a zone [P] [Z]
  --list-rich-rules List rich language rules added for a zone [P] [Z]
  --add-rich-rule=<rule> Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=<rule> Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=<rule> Return whether a rich language rule 'rule' has been added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces List interfaces that are bound to a zone [P] [Z]
  --add-interface=<interface> Bind the <interface> to a zone [P] [Z]
  --change-interface=<interface> Change zone the <interface> is bound to [Z]
  --query-interface=<interface> Query whether <interface> is bound to a zone [P] [Z]
  --remove-interface=<interface> Remove binding of <interface> from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources List sources that are bound to a zone [P] [Z]
  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Bind the source to a zone [P] [Z]
  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Change zone the source is bound to [Z]
  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Query whether the source is bound to a zone [P] [Z]
  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Remove binding of the source from a zone [P] [Z]

Helper Options
  --new-helper=<helper> --module=<module> [--family=<family>] Add a new helper [P only]
  --new-helper-from-file=<filename> [--name=<helper>] Add a new helper from file with optional name [P only]
  --delete-helper=<helper> Delete an existing helper [P only]
  --load-helper-defaults=<helper> Load helper default settings [P only]
  --info-helper=<helper> Print information about an helper
  --path-helper=<helper> Print file path of an helper [P only]
  --get-helpers Print predefined helpers
  --helper=<helper> --set-description=<description> Set new description to helper [P only]
  --helper=<helper> --get-description Print description for helper [P only]
  --helper=<helper> --set-short=<description> Set new short description to helper [P only]
  --helper=<helper> --get-short Print short description for helper [P only]
  --helper=<helper> --add-port=<portid>[-<portid>]/<protocol> Add a new port to helper [P only]
  --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol> Remove a port from helper [P only]
  --helper=<helper> --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for helper [P only]
  --helper=<helper> --get-ports List ports of helper [P only]
  --helper=<helper> --set-module=<module> Set module to helper [P only]
  --helper=<helper> --get-module Get module from helper [P only]
  --helper=<helper> --set-family={ipv4|ipv6|} Set family for helper [P only]
  --helper=<helper> --get-family Get module from helper [P only]

Direct Options
  --direct First option for all direct options
  --get-all-chains Get all chains [P]
  --get-chains {ipv4|ipv6|eb} <table> Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb} <table> <chain> Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb} <table> <chain> Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb} <table> <chain> Return whether the chain has been added to the table [P]
  --get-all-rules Get all rules [P]
  --get-rules {ipv4|ipv6|eb} <table> <chain> Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb} <table> <chain> Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Return whether a rule with priority has been added to chain in table [P]
  --passthrough {ipv4|ipv6|eb} <arg>... Pass a command through (untracked by firewalld)
  --get-all-passthroughs Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} <arg>... Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} <arg>... Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} <arg>... Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} <arg>... Return whether the tracked passthrough rule has been added [P]

Lockdown Options
  --lockdown-on Enable lockdown.
  --lockdown-off Disable lockdown.
  --query-lockdown Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=<command> Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=<command> Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=<command> Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=<context> Add the context context to the whitelist [P]
  --remove-lockdown-whitelist-context=<context> Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=<context> Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=<uid> Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=<uid> Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=<uid> Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=<user> Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=<user> Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=<user> Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on Enable panic mode
  --panic-off Disable panic mode
  --query-panic Query whether panic mode is enabled

  
 
Command details

The command mainly used is

```bash
--add-rich-rule   # add an access rule
```

```bash
man firewalld.richlanguage   # see the full description of the rich-rule syntax
```

  • Example
```
Example 5
  Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012
      rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
```
```
rule family="ipv4" source address="192.168.142.166" port port="10-20" protocol="tcp" accept
```
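Added example (my own code, not from the original post or from firewalld): a small parser for rich-language rule strings like the two above, plus a check that flags rules which `accept` traffic without any `source` restriction, the kind of rule worth catching when reviewing `firewall-cmd --list-rich-rules` output. It handles the page's two rules and a constructed wide-open rule; the names RichRule, tokenize, parseRichRule, acceptsFromAnywhere and attr are my own.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <vector>

struct RichRule {
    std::string family;                        // "ipv4" / "ipv6", or "" when not given
    std::string action;                        // accept / reject / drop, or "" for forward-port rules
    std::map<std::string, std::string> attrs;  // "source.address", "port.port", "forward-port.to-port", ...
    bool ok = false;                           // false when the text did not start with "rule"
};

// Split into tokens: bare words and key="value" pairs (quotes are dropped,
// and a quoted value may contain spaces).
static std::vector<std::string> tokenize(const std::string& text)
{
    std::vector<std::string> toks;
    std::string cur;
    bool inQuote = false;
    for (char c : text) {
        if (c == '"') { inQuote = !inQuote; continue; }
        if (!inQuote && (c == ' ' || c == '\t')) {
            if (!cur.empty()) { toks.push_back(cur); cur.clear(); }
            continue;
        }
        cur += c;
    }
    if (!cur.empty()) toks.push_back(cur);
    return toks;
}

// Each bare word (source, port, forward-port, log, ...) opens an element;
// the key=value pairs that follow are stored as "<element>.<key>".
static RichRule parseRichRule(const std::string& text)
{
    RichRule r;
    std::vector<std::string> toks = tokenize(text);
    if (toks.empty() || toks[0] != "rule") return r;
    std::string element;
    for (size_t i = 1; i < toks.size(); ++i) {
        const std::string& t = toks[i];
        std::string::size_type eq = t.find('=');
        if (eq == std::string::npos) {
            if (t == "accept" || t == "reject" || t == "drop") r.action = t;
            else element = t;
            continue;
        }
        std::string key = t.substr(0, eq), val = t.substr(eq + 1);
        if (element.empty() && key == "family") r.family = val;
        else r.attrs[element + "." + key] = val;
    }
    r.ok = true;
    return r;
}

// Returns "" when the attribute is absent.
static std::string attr(const RichRule& r, const std::string& key)
{
    auto it = r.attrs.find(key);
    return it == r.attrs.end() ? std::string() : it->second;
}

// True for rules that accept traffic without restricting who may send it.
static bool acceptsFromAnywhere(const RichRule& r)
{
    return r.ok && r.action == "accept"
        && r.attrs.count("source.address") == 0
        && r.attrs.count("source.mac") == 0
        && r.attrs.count("source.ipset") == 0;
}

int main()
{
    const char* rules[] = {
        "rule family=\"ipv6\" source address=\"1:2:3:4:6::\" forward-port to-addr=\"1::2:3:4:7\" to-port=\"4012\" protocol=\"tcp\" port=\"4011\"",
        "rule family=\"ipv4\" source address=\"192.168.142.166\" port port=\"10-20\" protocol=\"tcp\" accept",
        "rule family=\"ipv4\" port port=\"22\" protocol=\"tcp\" accept",   // constructed: no source restriction
    };
    for (const char* text : rules) {
        RichRule r = parseRichRule(text);
        std::cout << (acceptsFromAnywhere(r) ? "OPEN-TO-ALL " : "restricted  ") << text << "\n";
    }
    return 0;
}
```

The element-prefixed keys keep `port port="10-20"` (the port element's own port) apart from `forward-port ... port="4011"` (the port being forwarded), which is the distinction that matters when deciding what a rule actually exposes.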

Source: blog.csdn.net, author: 何其不顾四月天. Copyright belongs to the original author; contact the author before reposting.

Original link: blog.csdn.net/u011218356/article/details/107338612

[Copyright notice] This article was reposted by a Huawei Cloud community user. If you find content in this community that appears to be plagiarised, please report it by e-mail with supporting evidence; once verified, the community will remove the infringing content immediately. Report e-mail: cloudbbs@huaweicloud.com