Firewalld : Use Rich Rule

This is how to set more detailed rules using Firewalld rich rules.
[1] For example, add a setting to allow specific IP addresses to SSH, which is denied by default.

    [root@dlp ~]# firewall-cmd --list-service
    cockpit dhcpv6-client http https

    # family=[ipv4|ipv6]
    # - if family is omitted, the rule is set for both.
    #
    # service name=[service name]
    # - defined service names can be checked with [firewall-cmd --get-services]
    # or
    # port port=[port number] protocol=[protocol]
    # - if both service and port are omitted, the rule applies to all ports
    #
    # source address=[source address]
    # - to specify a group of networks, give a prefix, for example [10.0.0.0/24]
    #
    # action
    # - accept : permit
    # - reject : reject (the source is notified)
    # - drop   : discard silently (the source is not notified)
    # - mark   : mark the packet with the specified mark and optional mask

    [root@dlp ~]# firewall-cmd --add-rich-rule='rule family="ipv4" service name="ssh" source address="10.0.0.212" accept'
    success

    # show settings
    [root@dlp ~]# firewall-cmd --list-rich-rules
    rule family="ipv4" source address="10.0.0.212" service name="ssh" accept
[2] For example, add a setting to deny specific IP addresses access to HTTP, which is allowed by default.

    [root@dlp ~]# firewall-cmd --list-service
    cockpit dhcpv6-client http https
    [root@dlp ~]#
    [root@dlp ~]# firewall-cmd --add-rich-rule='rule family="ipv4" service name="http" source address="10.0.10.0/24" drop'
    [root@dlp ~]# firewall-cmd --add-rich-rule='rule family="ipv4" service name="https" source address="10.0.10.0/24" drop'
    success
    [root@dlp ~]# firewall-cmd --list-rich-rules
    rule family="ipv4" source address="10.0.10.0/24" service name="http" drop
    rule family="ipv4" source address="10.0.0.212" service name="ssh" accept
    rule family="ipv4" source address="10.0.10.0/24" service name="https" drop
[3] For example, add a setting to allow a specific IP address on a specific port that is denied by default.

    [root@dlp ~]# firewall-cmd --list-ports
    [root@dlp ~]#
    [root@dlp ~]# firewall-cmd --add-rich-rule='rule family="ipv4" port port="514" protocol="udp" source address="10.0.0.0/24" accept'
    success
    [root@dlp ~]# firewall-cmd --list-rich-rules
    rule family="ipv4" source address="10.0.10.0/24" service name="http" drop
    rule family="ipv4" source address="10.0.0.212" service name="ssh" accept
    rule family="ipv4" source address="10.0.0.0/24" port port="514" protocol="udp" accept
    rule family="ipv4" source address="10.0.10.0/24" service name="https" drop