一,firewalld的rich规则执行逻辑如下:
1,日志规则
2,drop/reject规则
3,accept规则
二,例子:验证是否先匹配reject规则
1,添加两条规则:
第一条允许指定ip访问22端口
第二条禁止同一个ip访问
[root@blog ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept'
success
[root@blog ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="13.17.12.210" reject'
success
列出现有的富规则
[root@blog ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept
rule family="ipv4" source address="13.17.12.210" reject
2,在指定ip13.17.12.210的机器上实际测试:
[lhdop@base ~]$ ssh -p 22 [email protected]
ssh: connect to host 30.45.57.47 port 22: Connection refused
可以看到,先匹配到的,是reject规则,
三,给规则指定优先级顺序:
1, 指定priority值即可
需要使用priority参数来设置规则优先级区间(-32767至32767)
数字越小规则优先级越高
默认不填的话priority都是0
2, 把之前添加的规则删除掉,
重新添加:
[root@blog ~]# firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept'
success
[root@blog ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="13.17.12.210" reject'
success
查看效果:
[root@blog ~]# firewall-cmd --list-rich-rules
rule priority="-100" family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept
rule family="ipv4" source address="13.17.12.210" reject
3, 在指定ip13.17.12.210的机器上测试效果:
[lhdop@base ~]$ ssh -p 22 [email protected]
[email protected]'s password:
标签:顺序,优先级,22,family,firewalld,rule,address,12.210,port From: https://www.cnblogs.com/architectforest/p/18382336