Ubuntu ufw/firewall 防火墙规则设置

2023-03-10 13:21:53 浏览数 (1)

文章目录

  • Ubuntu 防火墙规则设置
    • ufw
      • 安装、启用
      • 命令简介
      • 命令详解
      • 代码详解
    • firewalld
      • 安装/启用
      • 命令说明
      • 命令详解

Ubuntu 防火墙规则设置

ufw

安装、启用

代码语言:javascript复制
sudo apt-get install ufw #安装
sudo ufw enable #启动
sudo ufw disable #禁用
sudo ufw reload #重新载入
sudo ufw reset #回复初始化设置
sudo ufw status #防火墙状态

命令简介

代码语言:javascript复制
Commands:
 enable                          enables the firewall
 disable                         disables the firewall
 default ARG                     set default policy
 logging LEVEL                   set logging to LEVEL
 allow ARGS                      add allow rule
 deny ARGS                       add deny rule
 reject ARGS                     add reject rule
 limit ARGS                      add limit rule
 delete RULE|NUM                 delete RULE
 insert NUM RULE                 insert RULE at NUM
 route RULE                      add route RULE
 route delete RULE|NUM           delete route RULE
 route insert NUM RULE           insert route RULE at NUM
 reload                          reload firewall
 reset                           reset firewall
 status                          show firewall status
 status numbered                 show firewall status as numbered list of RULES
 status verbose                  show verbose firewall status
 show ARG                        show firewall report
 version                         display version information

Application profile commands:
 app list                        list application profiles
 app info PROFILE                show information on PROFILE
 app update PROFILE              update PROFILE
 app default ARG                 set default application policy

命令详解

  • 打开/关闭某个端口
代码语言:javascript复制
ufw allow|deny [service]
代码语言:javascript复制
ufw allow smtp #允许所有的外部IP访问本机的25/tcp (smtp)端口
ufw allow 22/tcp #允许所有的外部IP访问本机的22/tcp (ssh)端口
ufw allow 53 #允许外部访问53端口(tcp/udp)
ufw allow from ip_address #允许此IP访问所有的本机端口
ufw deny port #拒绝访问本机端口
  • 本机端口的设置
代码语言:javascript复制
ufw allow|deny to 172.26.106.87  #允许|禁止本地端口访问此 IP
ufw allow|deny to ip_address port 22,20,10:120 proto tcp|udp|ssh #允许|禁止 本地访问 指定IP 的某些端口
ufw allow|deny in on virbr0 to ip_address port num proto udp|tcp #允许|禁止 本地访问 指定网卡 virbr0 指定IP 的 特定端口
  • 目标端口设置
代码语言:javascript复制
ufw allow|deny from 172.26.106.87  #允许|禁止 指定IP访问本地
ufw allow|deny from ip_address port 22,20,10:120 proto tcp|udp|ssh #允许|禁止 指定IP 的某些端口 访问 本地IP
ufw allow|deny out on virbr0 from ip_address port num proto udp|tcp #允许|禁止 指定ip 指定网卡 virbr0 指定IP 的 特定端口 访问本地
代码语言:javascript复制
ufw allow in on virbr0 from 172.26.106.87 port 20,80,100:120 proto tcp to 172.26.106.103 port 80:100 #允许 172.26.106.87 端口 20,80,100:120 通过 TCP 协议 访问 172.26.106.103端口80:100
  • 命令详细说明
代码语言:javascript复制
ufw  [--dry-run]  [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto protocol] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]
#命令 [–试运行][删除][插到x号规则之前] 允许|阻止|拒绝|限制 [进|出 基于“什么网络设备”] [协议 “协议”] [来源 “地址” [端口 “端口”]] [目标 “地址” [端口 “端口”]]

代码详解

  • 包含头文件
代码语言:javascript复制
#include <iostream>
#include <string>
#include <sys/types.h>
#include <sys/stat.h>
  • 数据结构体
代码语言:javascript复制
typedef struct {
    int type;       //1.del 2.add 3.扩张
    int direction;  // 0.入口 1.出口
    int protocol;   // 1.tcp 2.udp 3.all
    int startPort;  //start Port
    int endPort;    //End Port
    std::string ip;     //ipAddress
}ZoneInfo;
  • 类型获取
代码语言:javascript复制
std::string getType(int type)
{
    if(type == 1)
        return std::string("delete allow ");
    else if(type == 2)
        return std::string("allow");
    else if(type == 3)
        return std::string("");
}
  • 路由方向
代码语言:javascript复制
std::string getDirection(int direction)
{
    if(direction == 0)
        return std::string("in on enp1s0 ");
    else if(direction == 1)
        return std::string("out on enp1s0 ");
}
  • 协议规则
代码语言:javascript复制
std::string getProtocol(int protocol)
{
    if(protocol == 1)
        return std::string("proto tcp");
    else if(protocol == 2)
        return std::string("proto udp");
    else
        return std::string("");
}
  • 端口
代码语言:javascript复制
std::string getPort(int startPort, int endPort)
{
    if(startPort == endPort)
        return std::string("port ")   std::to_string(startPort);
    else if(startPort < endPort)
        return std::string("port ")   std::to_string(startPort)   std::string(":")   std::to_string(endPort);
}
  • IP
代码语言:javascript复制
std::string getIpAddress(std::string ip)
{
    return ip;
}
  • 设置单独规则
代码语言:javascript复制
std::string setSecurity(ZoneInfo zoneInfo , std::string localIp)
{
    std::string cmd ;
    cmd  = std::string("ufw ");
    cmd  = getType(zoneInfo.type)   std::string(" ");
    cmd  = getDirection(zoneInfo.direction)   std::string(" ");
    cmd  = getProtocol(zoneInfo.protocol)   std::string(" ");
    if(zoneInfo.direction == 0)
    {
        cmd  = std::string("from ")   getIpAddress(zoneInfo.ip)   std::string(" ");
        cmd  = std::string("to ")   localIp   std::string(" ");
        cmd  = getPort(zoneInfo.startPort,zoneInfo.endPort)   std::string(" ");
    }
    else if(zoneInfo.direction == 1)
    {
        cmd  = std::string("from ")   localIp   std::string(" ");
        cmd  = getPort(zoneInfo.startPort,zoneInfo.endPort)   std::string(" ");
        cmd  = std::string("to ")   getIpAddress(zoneInfo.ip) ;
    }
    return cmd;
}
  • 防火墙规则重置
代码语言:javascript复制
bool resetSafeGroup()
{
    if(std::system("ufw --force reset") != 0)
    {
        std::cout  << "ufw reset fail!" << std::endl;
        return false;
    }
    
    if(std::system("ufw enable") != 0 )
    {
        std::cout  << "ufw enable fail!" << std::endl;
        return false;
    }
    return true;
}
  • main
代码语言:javascript复制
int main()
{
    ZoneInfo zoneInfo = {1, 1, 2, 2222, 2225, std::string("192.168.0.1")};
    std::string cmd = setSecurity(zoneInfo ,std::string("192.168.0.0/24"));
    std::cout << cmd << std::endl;
    int ret = std::system(cmd.c_str());
    std::cout << "ret:" << ret << std::endl;
    std::cout << "ret:"<< resetSafeGroup() << std::endl;
    return 0;
}
  • 编译
代码语言:javascript复制
g   SecurityGroupPolicy.cpp -o run
  • 执行结果
代码语言:javascript复制
ufw delete allow  out on enp1s0  proto udp from 172.26.106.105 port 2222:2225 to 172.26.106.87
Could not delete non-existent rule
ret:0
Backing up 'user.rules' to '/etc/ufw/user.rules.20200714_140214'
Backing up 'before.rules' to '/etc/ufw/before.rules.20200714_140214'
Backing up 'after.rules' to '/etc/ufw/after.rules.20200714_140214'
Backing up 'user6.rules' to '/etc/ufw/user6.rules.20200714_140214'
Backing up 'before6.rules' to '/etc/ufw/before6.rules.20200714_140214'
Backing up 'after6.rules' to '/etc/ufw/after6.rules.20200714_140214'

Firewall is active and enabled on system startup
ret:1

firewalld

安装/启用

代码语言:javascript复制
apt-get install firewalld #安装
systemctl enable firewalld.service #启用-开机自启
systemctl status firewalld.service #状态查看

命令说明

代码语言:javascript复制
Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration

Log Denied Options
  --get-log-denied     Print the log denied value
  --set-log-denied=<value>
                       Set log denied value

Automatic Helpers Options
  --get-automatic-helpers
                       Print the automatic helpers value
  --set-automatic-helpers=<value>
                       Set automatic helpers value

Permanent Options
  --permanent          Set an option permanently
                       Usable for options marked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone>
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=<interface>
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Print name of the zone the source is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=<zone>    Add a new zone [P only]
  --new-zone-from-file=<filename> [--name=<zone>]
                       Add a new zone from file with optional name [P only]
  --delete-zone=<zone> Delete an existing zone [P only]
  --load-zone-defaults=<zone>
                       Load zone default settings [P only] [Z]
  --zone=<zone>        Use this zone to set or query options, else default zone
                       Usable for options marked with [Z]
  --get-target         Get the zone target [P only] [Z]
  --set-target=<target>
                       Set the zone target [P only] [Z]
  --info-zone=<zone>   Print information about a zone
  --path-zone=<zone>   Print file path of a zone [P only]

IPSet Options
  --get-ipset-types    Print the supported ipset types
  --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
                       Add a new ipset [P only]
  --new-ipset-from-file=<filename> [--name=<ipset>]
                       Add a new ipset from file with optional name [P only]
  --delete-ipset=<ipset>
                       Delete an existing ipset [P only]
  --load-ipset-defaults=<ipset>
                       Load ipset default settings [P only]
  --info-ipset=<ipset> Print information about an ipset
  --path-ipset=<ipset> Print file path of an ipset [P only]
  --get-ipsets         Print predefined ipsets
  --ipset=<ipset> --set-description=<description>
                       Set new description to ipset [P only]
  --ipset=<ipset> --get-description
                       Print description for ipset [P only]
  --ipset=<ipset> --set-short=<description>
                       Set new short description to ipset [P only]
  --ipset=<ipset> --get-short
                       Print short description for ipset [P only]
  --ipset=<ipset> --add-entry=<entry>
                       Add a new entry to an ipset [P]
  --ipset=<ipset> --remove-entry=<entry>
                       Remove an entry from an ipset [P]
  --ipset=<ipset> --query-entry=<entry>
                       Return whether ipset has an entry [P]
  --ipset=<ipset> --get-entries
                       List entries of an ipset [P]
  --ipset=<ipset> --add-entries-from-file=<entry>
                       Add a new entries to an ipset [P]
  --ipset=<ipset> --remove-entries-from-file=<entry>
                       Remove entries from an ipset [P]

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
  --new-icmptype-from-file=<filename> [--name=<icmptype>]
                       Add a new icmptype from file with optional name [P only]
  --delete-icmptype=<icmptype>
                       Delete an existing icmptype [P only]
  --load-icmptype-defaults=<icmptype>
                       Load icmptype default settings [P only]
  --info-icmptype=<icmptype>
                       Print information about an icmptype
  --path-icmptype=<icmptype>
                       Print file path of an icmptype [P only]
  --icmptype=<icmptype> --set-description=<description>
                       Set new description to icmptype [P only]
  --icmptype=<icmptype> --get-description
                       Print description for icmptype [P only]
  --icmptype=<icmptype> --set-short=<description>
                       Set new short description to icmptype [P only]
  --icmptype=<icmptype> --get-short
                       Print short description for icmptype [P only]
  --icmptype=<icmptype> --add-destination=<ipv>
                       Enable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --remove-destination=<ipv>
                       Disable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --query-destination=<ipv>
                       Return whether destination ipv is enabled in icmptype [P only]
  --icmptype=<icmptype> --get-destinations
                       List destinations in icmptype [P only]

Service Options
  --new-service=<service>
                       Add a new service [P only]
  --new-service-from-file=<filename> [--name=<service>]
                       Add a new service from file with optional name [P only]
  --delete-service=<service>
                       Delete an existing service [P only]
  --load-service-defaults=<service>
                       Load icmptype default settings [P only]
  --info-service=<service>
                       Print information about a service
  --path-service=<service>
                       Print file path of a service [P only]
  --service=<service> --set-description=<description>
                       Set new description to service [P only]
  --service=<service> --get-description
                       Print description for service [P only]
  --service=<service> --set-short=<description>
                       Set new short description to service [P only]
  --service=<service> --get-short
                       Print short description for service [P only]
  --service=<service> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to service [P only]
  --service=<service> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from service [P only]
  --service=<service> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for service [P only]
  --service=<service> --get-ports
                       List ports of service [P only]
  --service=<service> --add-protocol=<protocol>
                       Add a new protocol to service [P only]
  --service=<service> --remove-protocol=<protocol>
                       Remove a protocol from service [P only]
  --service=<service> --query-protocol=<protocol>
                       Return whether the protocol has been added for service [P only]
  --service=<service> --get-protocols
                       List protocols of service [P only]
  --service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
                       Add a new source port to service [P only]
  --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove a source port from service [P only]
  --service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for service [P only]
  --service=<service> --get-source-ports
                       List source ports of service [P only]
  --service=<service> --add-module=<module>
                       Add a new module to service [P only]
  --service=<service> --remove-module=<module>
                       Remove a module from service [P only]
  --service=<service> --query-module=<module>
                       Return whether the module has been added for service [P only]
  --service=<service> --get-modules
                       List modules of service [P only]
  --service=<service> --set-destination=<ipv>:<address>[/<mask>]
                       Set destination for ipv to address in service [P only]
  --service=<service> --remove-destination=<ipv>
                       Disable destination for ipv i service [P only]
  --service=<service> --query-destination=<ipv>:<address>[/<mask>]
                       Return whether destination ipv is set for service [P only]
  --service=<service> --get-destinations
                       List destinations in service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  --list-services      List services added for a zone [P] [Z]
  --timeout=<timeval>  Enable an option for timeval time, where timeval is
                       a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options marked with [T]
  --set-description=<description>
                       Set new description to zone [P only] [Z]
  --get-description    Print description for zone [P only] [Z]
  --set-short=<description>
                       Set new short description to zone [P only] [Z]
  --get-short          Print short description for zone [P only] [Z]
  --add-service=<service>
                       Add a service for a zone [P] [Z] [T]
  --remove-service=<service>
                       Remove a service from a zone [P] [Z]
  --query-service=<service>
                       Return whether service has been added for a zone [P] [Z]
  --list-ports         List ports added for a zone [P] [Z]
  --add-port=<portid>[-<portid>]/<protocol>
                       Add the port for a zone [P] [Z] [T]
  --remove-port=<portid>[-<portid>]/<protocol>
                       Remove the port from a zone [P] [Z]
  --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for zone [P] [Z]
  --list-protocols     List protocols added for a zone [P] [Z]
  --add-protocol=<protocol>
                       Add the protocol for a zone [P] [Z] [T]
  --remove-protocol=<protocol>
                       Remove the protocol from a zone [P] [Z]
  --query-protocol=<protocol>
                       Return whether the protocol has been added for zone [P] [Z]
  --list-source-ports  List source ports added for a zone [P] [Z]
  --add-source-port=<portid>[-<portid>]/<protocol>
                       Add the source port for a zone [P] [Z] [T]
  --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove the source port from a zone [P] [Z]
  --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=<icmptype>
                       Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added for a zone
                       [P] [Z]
  --add-icmp-block-inversion
                       Enable inversion of icmp blocks for a zone [P] [Z]
  --remove-icmp-block-inversion
                       Disable inversion of icmp blocks for a zone [P] [Z]
  --query-icmp-block-inversion
                       Return whether inversion of icmp blocks has been enabled
                       for a zone [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added for
                       a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a
                       zone [P] [Z]
  --list-rich-rules    List rich language rules added for a zone [P] [Z]
  --add-rich-rule=<rule>
                       Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=<rule>
                       Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=<rule>
                       Return whether a rich language rule 'rule' has been
                       added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  --add-interface=<interface>
                       Bind the <interface> to a zone [P] [Z]
  --change-interface=<interface>
                       Change zone the <interface> is bound to [Z]
  --query-interface=<interface>
                       Query whether <interface> is bound to a zone [P] [Z]
  --remove-interface=<interface>
                       Remove binding of <interface> from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Bind the source to a zone [P] [Z]
  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Change zone the source is bound to [Z]
  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Query whether the source is bound to a zone [P] [Z]
  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Remove binding of the source from a zone [P] [Z]

Helper Options
  --new-helper=<helper> --module=<module> [--family=<family>]
                       Add a new helper [P only]
  --new-helper-from-file=<filename> [--name=<helper>]
                       Add a new helper from file with optional name [P only]
  --delete-helper=<helper>
                       Delete an existing helper [P only]
  --load-helper-defaults=<helper>
                       Load helper default settings [P only]
  --info-helper=<helper> Print information about an helper
  --path-helper=<helper> Print file path of an helper [P only]
  --get-helpers         Print predefined helpers
  --helper=<helper> --set-description=<description>
                       Set new description to helper [P only]
  --helper=<helper> --get-description
                       Print description for helper [P only]
  --helper=<helper> --set-short=<description>
                       Set new short description to helper [P only]
  --helper=<helper> --get-short
                       Print short description for helper [P only]
  --helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to helper [P only]
  --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from helper [P only]
  --helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for helper [P only]
  --helper=<helper> --get-ports
                       List ports of helper [P only]
  --helper=<helper> --set-module=<module>
                       Set module to helper [P only]
  --helper=<helper> --get-module
                       Get module from helper [P only]
  --helper=<helper> --set-family={ipv4|ipv6|}
                       Set family for helper [P only]
  --helper=<helper> --get-family
                       Get module from helper [P only]

Direct Options
  --direct             First option for all direct options
  --get-all-chains
                       Get all chains [P]
  --get-chains {ipv4|ipv6|eb} <table>
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb} <table> <chain>
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb} <table> <chain>
                       Return whether the chain has been added to the table [P]
  --get-all-rules
                       Get all rules [P]
  --get-rules {ipv4|ipv6|eb} <table> <chain>
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Return whether a rule with priority has been added to
                       chain in table [P]
  --passthrough {ipv4|ipv6|eb} <arg>...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} <arg>...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} <arg>...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} <arg>...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} <arg>...
                       Return whether the tracked passthrough rule has been
                       added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=<command>
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=<command>
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=<command>
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=<context>
                       Add the context context to the whitelist [P]
  --remove-lockdown-whitelist-context=<context>
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=<context>
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=<uid>
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=<uid>
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=<uid>
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=<user>
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=<user>
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=<user>
                       Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled

命令详解

主要使用的命令为

代码语言:javascript复制
--add-rich-rule #添加访问规则
代码语言:javascript复制
man firewalld.richlanguage #查看rich 语法详细说明
  • 样例
代码语言:javascript复制
Example 5
 Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012
 	rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
代码语言:javascript复制
rule family="ipv4" source address="192.168.142.166" port port="10-20" protocol="tcp" accept   

ist [P]

Panic Options –panic-on Enable panic mode –panic-off Disable panic mode –query-panic Query whether panic mode is enabled

代码语言:javascript复制
### 命令详解

主要使用的命令为

````bash
--add-rich-rule #添加访问规则
代码语言:javascript复制
man firewalld.richlanguage #查看rich 语法详细说明
  • 样例
代码语言:javascript复制
Example 5
 Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012
 	rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
代码语言:javascript复制
rule family="ipv4" source address="192.168.142.166" port port="10-20" protocol="tcp" accept   

0 人点赞