firewalld: precedence order of rich rules

I. firewalld evaluates rich rules in the following order:

1. log rules
2. drop/reject rules
3. accept rules

II. Example: verifying that the reject rule is matched first

1. Add two rules:
The first allows a given IP to access port 22.
The second denies all access from that same IP.

[root@blog ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept'
success
[root@blog ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="13.17.12.210" reject'
success

List the existing rich rules:

[root@blog ~]# firewall-cmd --list-rich-rules
rule family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept
rule family="ipv4" source address="13.17.12.210" reject

2. Test from the machine with the specified IP, 13.17.12.210:

[lhdop@base ~]$ ssh -p 22 lhdop@30.45.57.47
ssh: connect to host 30.45.57.47 port 22: Connection refused

As you can see, the rule matched first is the reject rule.

III. Giving the rules an explicit priority order:

1. Just specify a priority value

Use the priority parameter to set a rule's priority; the allowed range is -32767 to 32767.

The lower the number, the higher the rule's precedence.

If priority is omitted, it defaults to 0.

2. Delete the rules added earlier and add them again:

[root@blog ~]# firewall-cmd --add-rich-rule='rule priority="-100" family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept'
success
[root@blog ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="13.17.12.210" reject'
success

Check the result:

[root@blog ~]# firewall-cmd --list-rich-rules
rule priority="-100" family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept
rule family="ipv4" source address="13.17.12.210" reject

3. Test the effect from the machine with IP 13.17.12.210:

[lhdop@base ~]$ ssh -p 22 lhdop@30.45.57.47
lhdop@30.45.57.47's password:
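To make the ordering concrete, here is an added Python model (not firewalld's own code and not part of the original post) that parses the rich-rule lines shown above and reports which action wins for a given packet. It assumes the ordering the post describes (lower priority value first, then log / drop-reject / accept at equal priority) and only understands the elements the post uses: priority, source address (CIDR accepted), port and protocol.

```python
import re
import ipaddress

# Rank of an action at equal priority, as the post lists them:
# log first, then drop/reject, then accept.
ACTION_RANK = {"log": 0, "drop": 1, "reject": 1, "accept": 2}

def parse_rich_rule(text):
    """Parse one rich-rule line as printed by `firewall-cmd --list-rich-rules`.
    Simplification (assumption): only priority, source address, port and
    protocol are understood; other elements (e.g. family) are ignored."""
    tokens = text.split()
    if not tokens or tokens[0] != "rule" or tokens[-1] not in ACTION_RANK:
        raise ValueError("unsupported rich rule: %r" % text)
    rule = {"priority": 0, "source": None, "port": None, "protocol": None,
            "action": tokens[-1]}
    for key, value in re.findall(r'(\w+)="([^"]*)"', text):
        if key == "priority":
            rule["priority"] = int(value)
        elif key == "address":                  # from `source address="..."`
            rule["source"] = ipaddress.ip_network(value, strict=False)
        elif key in ("port", "protocol"):       # from `port port="22" protocol="tcp"`
            rule[key] = value
    return rule

def matches(rule, src, dport, proto):
    """True if a packet (source IP, destination port, protocol) hits the rule."""
    if rule["source"] is not None and ipaddress.ip_address(src) not in rule["source"]:
        return False
    if rule["port"] is not None and rule["port"] != str(dport):
        return False
    return rule["protocol"] is None or rule["protocol"] == proto

def first_matching_action(rule_lines, src, dport, proto):
    """Return the action the ordered rule set applies, or None when nothing
    matches (the zone's default then decides). Lower priority value wins;
    ties fall back to the log / drop-reject / accept order."""
    ordered = sorted((parse_rich_rule(r) for r in rule_lines),
                     key=lambda r: (r["priority"], ACTION_RANK[r["action"]]))
    for rule in ordered:
        if matches(rule, src, dport, proto) and rule["action"] != "log":
            return rule["action"]        # log is non-terminal: keep evaluating
    return None

# The two rule sets from the post (constructed from its --list-rich-rules output).
BEFORE = ['rule family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept',
          'rule family="ipv4" source address="13.17.12.210" reject']
AFTER = ['rule priority="-100" family="ipv4" source address="13.17.12.210" port port="22" protocol="tcp" accept',
         'rule family="ipv4" source address="13.17.12.210" reject']
```

With BEFORE, an SSH connection from 13.17.12.210 resolves to reject (the "Connection refused" above); with AFTER the priority -100 accept is evaluated first and the same connection is accepted, while any other port from that host still hits the reject.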


posted @ 2024-08-27 14:32 by 刘宏缔的架构森林  views (160)  comments (0)