Ubuntu ufw/firewalld Firewall Rule Configuration


Contents

  • Ubuntu firewall rule configuration
  • ufw
  • Installation and enabling
  • Command overview
  • Command details
  • Code details
  • firewalld
  • Installation and enabling
  • Command description
  • Command details


    ufw


    Installation and enabling

    sudo apt-get install ufw   # install ufw
    sudo ufw enable            # enable the firewall (it is also started at boot from now on)
    sudo ufw disable           # disable the firewall
    sudo ufw reload            # reload the rule set
    sudo ufw reset             # remove all rules and disable ufw (the old rule files are backed up)
    sudo ufw status            # show whether ufw is active and which rules are loaded
    

    Command overview

    Commands:
     enable                          enables the firewall
     disable                         disables the firewall
     default ARG                     set default policy
     logging LEVEL                   set logging to LEVEL
     allow ARGS                      add allow rule
     deny ARGS                       add deny rule
     reject ARGS                     add reject rule
     limit ARGS                      add limit rule
     delete RULE|NUM                 delete RULE
     insert NUM RULE                 insert RULE at NUM
     route RULE                      add route RULE
     route delete RULE|NUM           delete route RULE
     route insert NUM RULE           insert route RULE at NUM
     reload                          reload firewall
     reset                           reset firewall
     status                          show firewall status
     status numbered                 show firewall status as numbered list of RULES
     status verbose                  show verbose firewall status
     show ARG                        show firewall report
     version                         display version information
    
    Application profile commands:
     app list                        list application profiles
     app info PROFILE                show information on PROFILE
     app update PROFILE              update PROFILE
     app default ARG                 set default application policy
    

    Command details

    Opening and closing ports: ufw allow|deny [service]

    ufw allow smtp              # allow 25/tcp (smtp) from any IP
    ufw allow 22/tcp            # allow 22/tcp (ssh) from any IP
    ufw allow 53                # allow port 53 for both tcp and udp
    ufw allow from ip_address   # allow all traffic from ip_address
    ufw deny port               # deny the given port

    Local-host port rules (the "to" side is this host's address and port)

    ufw allow|deny to 172.26.106.87                                      # allow|deny all traffic to the local IP 172.26.106.87
    ufw allow|deny to ip_address port 22,20,10:120 proto tcp|udp         # allow|deny tcp|udp to the listed local ports (comma list and/or start:end range; a port list requires proto)
    ufw allow|deny in on virbr0 to ip_address port num proto udp|tcp     # same, but only for traffic arriving on interface virbr0

    Target port rules (the "from" side is the remote address and port)

    ufw allow|deny from 172.26.106.87                                    # allow|deny all traffic from the remote IP 172.26.106.87
    ufw allow|deny from ip_address port 22,20,10:120 proto tcp|udp       # allow|deny tcp|udp from the listed remote source ports
    ufw allow|deny out on virbr0 from ip_address port num proto udp|tcp  # same, but only for traffic leaving on interface virbr0

    ufw allow in on virbr0 from 172.26.106.87 port 20,80,100:120 proto tcp to 172.26.106.103 port 80:100
    # allow TCP arriving on virbr0 from 172.26.106.87 source ports 20,80,100:120 to 172.26.106.103 destination ports 80:100

    Full command syntax

    ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto protocol] [from ADDRESS [port PORT]] [to ADDRESS [port PORT]]
    # [print the resulting rules without applying them] [delete the rule instead of adding it] [insert the rule at position NUM] action [direction, optionally restricted to an interface] [log new connections | log every packet] [protocol] [source address [source port]] [destination address [destination port]]
    

    Code details

    Header files

    #include <iostream>
    #include <string>
    #include <cstdlib>

    Data structure

    typedef struct {
        int type;           // 1 = delete, 2 = add, 3 = (no action keyword)
        int direction;      // 0 = inbound, 1 = outbound
        int protocol;       // 1 = tcp, 2 = udp, 3 = all
        int startPort;      // start port
        int endPort;        // end port
        std::string ip;     // remote IP address
    } ZoneInfo;

    Rule type

    std::string getType(int type)
    {
        if(type == 1)
            return std::string("delete allow ");
        else if(type == 2)
            return std::string("allow");
        else if(type == 3)
            return std::string("");
        return std::string("");   // any other value: no action keyword (the original fell off the end here without a return, which is undefined behaviour)
    }

    Direction

    std::string getDirection(int direction)
    {
        if(direction == 0)
            return std::string("in on enp1s0 ");
        else if(direction == 1)
            return std::string("out on enp1s0 ");
        return std::string("");   // any other value: no direction clause
    }

    Protocol rule

    std::string getProtocol(int protocol)
    {
        if(protocol == 1)
            return std::string("proto tcp");
        else if(protocol == 2)
            return std::string("proto udp");
        else
            return std::string("");   // 3 (all): without a proto clause ufw matches both tcp and udp
    }

    Port

    std::string getPort(int startPort, int endPort)
    {
        if(startPort == endPort)
            return std::string("port ") + std::to_string(startPort);
        else if(startPort < endPort)
            return std::string("port ") + std::to_string(startPort) + std::string(":") + std::to_string(endPort);
        return std::string("");   // startPort > endPort is an invalid range: emit no port clause
    }

    IP address

    std::string getIpAddress(std::string ip)
    {
        return ip;   // passed through unchanged: nothing here checks that ip is actually an address
    }

    Building a single rule

    std::string setSecurity(ZoneInfo zoneInfo , std::string localIp)
    {
        std::string cmd ;
        cmd += std::string("ufw ");
        cmd += getType(zoneInfo.type) + std::string(" ");
        cmd += getDirection(zoneInfo.direction) + std::string(" ");
        cmd += getProtocol(zoneInfo.protocol) + std::string(" ");
        if(zoneInfo.direction == 0)
        {
            // inbound: from the remote address to the local address and port
            cmd += std::string("from ") + getIpAddress(zoneInfo.ip) + std::string(" ");
            cmd += std::string("to ") + localIp + std::string(" ");
            cmd += getPort(zoneInfo.startPort,zoneInfo.endPort) + std::string(" ");
        }
        else if(zoneInfo.direction == 1)
        {
            // outbound: from the local address and port to the remote address
            cmd += std::string("from ") + localIp + std::string(" ");
            cmd += getPort(zoneInfo.startPort,zoneInfo.endPort) + std::string(" ");
            cmd += std::string("to ") + getIpAddress(zoneInfo.ip) ;
        }
        return cmd;
    }

    Resetting the firewall rules

    bool resetSafeGroup()
    {
        if(std::system("ufw --force reset") != 0)   // --force skips the interactive confirmation
        {
            std::cout  << "ufw reset fail!" << std::endl;
            return false;
        }
        
        if(std::system("ufw enable") != 0 )
        {
            std::cout  << "ufw enable fail!" << std::endl;
            return false;
        }
        return true;
    }

    main

    int main()
    {
        // type 1 (delete), direction 1 (outbound), protocol 2 (udp), ports 2222-2225, remote 192.168.0.1
        ZoneInfo zoneInfo = {1, 1, 2, 2222, 2225, std::string("192.168.0.1")};
        std::string cmd = setSecurity(zoneInfo ,std::string("192.168.0.0/24"));
        std::cout << cmd << std::endl;
        int ret = std::system(cmd.c_str());   // the generated string is handed to a shell as-is
        std::cout << "ret:" << ret << std::endl;
        std::cout << "ret:"<< resetSafeGroup() << std::endl;
        return 0;
    }

    Compile

    g++ SecurityGroupPolicy.cpp -o run

    Execution result

    ufw delete allow  out on enp1s0  proto udp from 172.26.106.105 port 2222:2225 to 172.26.106.87
    Could not delete non-existent rule
    ret:0
    Backing up 'user.rules' to '/etc/ufw/user.rules.20200714_140214'
    Backing up 'before.rules' to '/etc/ufw/before.rules.20200714_140214'
    Backing up 'after.rules' to '/etc/ufw/after.rules.20200714_140214'
    Backing up 'user6.rules' to '/etc/ufw/user6.rules.20200714_140214'
    Backing up 'before6.rules' to '/etc/ufw/before6.rules.20200714_140214'
    Backing up 'after6.rules' to '/etc/ufw/after6.rules.20200714_140214'
    
    Firewall is active and enabled on system startup
    ret:1
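The program above concatenates the caller-supplied IP and ports into one string and hands it to std::system(), so a malformed address is not only a ufw error: if the value ever arrives from a user or an API, anything a shell treats specially in that string is executed with the program's privileges. The following is an added example, not the page's code, that builds the same kind of rule as setSecurity() and as the `ufw allow|deny ... from ... to ... port ...` forms in the command section, but validates every field first and runs ufw through execvp so no shell parses the arguments. The Rule struct, the enum names, validIpv4Cidr, buildUfwArgs, joinArgs and runArgs are names introduced here; the interface name enp1s0 and the from/to/port layout follow the page's code, and the addresses and the hostile string in main are constructed for the demonstration.

```cpp
#include <cstdio>
#include <string>
#include <vector>
#include <sys/wait.h>
#include <unistd.h>

// Hypothetical rule description (not the page's ZoneInfo): enums instead of magic ints.
enum class Action { Add, Delete };
enum class Direction { In, Out };
enum class Proto { Tcp, Udp, Any };
struct Rule { Action action; Direction direction; Proto proto; int startPort; int endPort; std::string remoteIp; };

// Strict IPv4 dotted quad with an optional /0-32 prefix. Anything else, including the shell
// metacharacters that would matter if the string reached std::system(), is rejected.
bool validIpv4Cidr(const std::string& s)
{
    size_t slash = s.find('/');
    std::string addr = s.substr(0, slash);
    if (slash != std::string::npos) {
        std::string pfx = s.substr(slash + 1);
        if (pfx.empty() || pfx.size() > 2) return false;
        for (char c : pfx) if (c < '0' || c > '9') return false;
        if (std::stoi(pfx) > 32) return false;
    }
    int octets = 0;
    std::string cur;
    for (size_t i = 0; i <= addr.size(); ++i) {
        if (i == addr.size() || addr[i] == '.') {
            if (cur.empty() || cur.size() > 3 || std::stoi(cur) > 255) return false;
            ++octets;
            cur.clear();
        } else if (addr[i] >= '0' && addr[i] <= '9') {
            cur += addr[i];
        } else {
            return false;
        }
    }
    return octets == 4;
}

bool validPortRange(int a, int b) { return a >= 1 && b <= 65535 && a <= b; }

// Builds ufw's argv; an empty vector means the rule failed validation. The layout follows the
// page's setSecurity(): inbound rules carry the port on the "to" (local) side, outbound on "from".
std::vector<std::string> buildUfwArgs(const Rule& r, const std::string& localIp, bool dryRun)
{
    if (!validIpv4Cidr(r.remoteIp) || !validIpv4Cidr(localIp) || !validPortRange(r.startPort, r.endPort))
        return {};
    std::vector<std::string> a{"ufw"};
    if (dryRun) a.push_back("--dry-run");
    if (r.action == Action::Delete) a.push_back("delete");
    a.push_back("allow");
    bool in = (r.direction == Direction::In);
    a.push_back(in ? "in" : "out");
    a.push_back("on");
    a.push_back("enp1s0");   // interface name as in the page's getDirection()
    if (r.proto != Proto::Any) { a.push_back("proto"); a.push_back(r.proto == Proto::Tcp ? "tcp" : "udp"); }
    std::string port = std::to_string(r.startPort);
    if (r.startPort != r.endPort) port += ":" + std::to_string(r.endPort);
    a.push_back("from"); a.push_back(in ? r.remoteIp : localIp);
    if (!in) { a.push_back("port"); a.push_back(port); }
    a.push_back("to"); a.push_back(in ? localIp : r.remoteIp);
    if (in) { a.push_back("port"); a.push_back(port); }
    return a;
}

std::string joinArgs(const std::vector<std::string>& a)
{
    std::string s;
    for (size_t i = 0; i < a.size(); ++i) s += (i ? " " : "") + a[i];
    return s;
}

// fork/execvp hands argv straight to ufw: no shell ever parses these strings, so the
// validation above is defence in depth rather than the only barrier.
int runArgs(const std::vector<std::string>& a)
{
    if (a.empty()) return -1;
    std::vector<char*> argv;
    for (const std::string& s : a) argv.push_back(const_cast<char*>(s.c_str()));
    argv.push_back(nullptr);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv.data()); _exit(127); }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main()
{
    Rule good{Action::Add, Direction::In, Proto::Tcp, 2222, 2225, "192.168.0.1"};
    std::vector<std::string> args = buildUfwArgs(good, "192.168.0.10", true);
    std::printf("%s\n", joinArgs(args).c_str());
    std::printf("ufw exit status: %d\n", runArgs(args));   // needs ufw installed and root; --dry-run only prints

    // Constructed hostile input: the page's setSecurity() would paste this straight into a shell command line.
    Rule bad = good;
    bad.remoteIp = "192.168.0.1;id";
    std::printf("hostile address rejected: %s\n", buildUfwArgs(bad, "192.168.0.10", true).empty() ? "yes" : "no");
    return 0;
}
```

Compile it the same way as the page's program and run it as root to let ufw see the rule; with dryRun set, ufw only prints the rules it would add. The IPv4-only validator is deliberate: ufw also accepts IPv6 and hostnames, but widening the accepted grammar is a decision to make per deployment, not a default.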
    

    firewalld


    Installation and enabling

    apt-get install firewalld              # install firewalld
    systemctl enable firewalld.service     # start firewalld automatically at boot
    systemctl status firewalld.service     # check the service status
    

    Command description

    Usage: firewall-cmd [OPTIONS...]
    
    General Options
      -h, --help           Prints a short help text and exists
      -V, --version        Print the version string of firewalld
      -q, --quiet          Do not print status messages
    
    Status Options
      --state              Return and print firewalld state
      --reload             Reload firewall and keep state information
      --complete-reload    Reload firewall and lose state information
      --runtime-to-permanent
                           Create permanent from runtime configuration
    
    Log Denied Options
      --get-log-denied     Print the log denied value
      --set-log-denied=<value>
                           Set log denied value
    
    Automatic Helpers Options
      --get-automatic-helpers
                           Print the automatic helpers value
      --set-automatic-helpers=<value>
                           Set automatic helpers value
    
    Permanent Options
      --permanent          Set an option permanently
                           Usable for options marked with [P]
    
    Zone Options
      --get-default-zone   Print default zone for connections and interfaces
      --set-default-zone=<zone>
                           Set default zone
      --get-active-zones   Print currently active zones
      --get-zones          Print predefined zones [P]
      --get-services       Print predefined services [P]
      --get-icmptypes      Print predefined icmptypes [P]
      --get-zone-of-interface=<interface>
                           Print name of the zone the interface is bound to [P]
      --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                           Print name of the zone the source is bound to [P]
      --list-all-zones     List everything added for or enabled in all zones [P]
      --new-zone=<zone>    Add a new zone [P only]
      --new-zone-from-file=<filename> [--name=<zone>]
                           Add a new zone from file with optional name [P only]
      --delete-zone=<zone> Delete an existing zone [P only]
      --load-zone-defaults=<zone>
                           Load zone default settings [P only] [Z]
      --zone=<zone>        Use this zone to set or query options, else default zone
                           Usable for options marked with [Z]
      --get-target         Get the zone target [P only] [Z]
      --set-target=<target>
                           Set the zone target [P only] [Z]
      --info-zone=<zone>   Print information about a zone
      --path-zone=<zone>   Print file path of a zone [P only]
    
    IPSet Options
      --get-ipset-types    Print the supported ipset types
      --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
                           Add a new ipset [P only]
      --new-ipset-from-file=<filename> [--name=<ipset>]
                           Add a new ipset from file with optional name [P only]
      --delete-ipset=<ipset>
                           Delete an existing ipset [P only]
      --load-ipset-defaults=<ipset>
                           Load ipset default settings [P only]
      --info-ipset=<ipset> Print information about an ipset
      --path-ipset=<ipset> Print file path of an ipset [P only]
      --get-ipsets         Print predefined ipsets
      --ipset=<ipset> --set-description=<description>
                           Set new description to ipset [P only]
      --ipset=<ipset> --get-description
                           Print description for ipset [P only]
      --ipset=<ipset> --set-short=<description>
                           Set new short description to ipset [P only]
      --ipset=<ipset> --get-short
                           Print short description for ipset [P only]
      --ipset=<ipset> --add-entry=<entry>
                           Add a new entry to an ipset [P]
      --ipset=<ipset> --remove-entry=<entry>
                           Remove an entry from an ipset [P]
      --ipset=<ipset> --query-entry=<entry>
                           Return whether ipset has an entry [P]
      --ipset=<ipset> --get-entries
                           List entries of an ipset [P]
      --ipset=<ipset> --add-entries-from-file=<entry>
                           Add a new entries to an ipset [P]
      --ipset=<ipset> --remove-entries-from-file=<entry>
                           Remove entries from an ipset [P]
    
    IcmpType Options
      --new-icmptype=<icmptype>
                           Add a new icmptype [P only]
      --new-icmptype-from-file=<filename> [--name=<icmptype>]
                           Add a new icmptype from file with optional name [P only]
      --delete-icmptype=<icmptype>
                           Delete an existing icmptype [P only]
      --load-icmptype-defaults=<icmptype>
                           Load icmptype default settings [P only]
      --info-icmptype=<icmptype>
                           Print information about an icmptype
      --path-icmptype=<icmptype>
                           Print file path of an icmptype [P only]
      --icmptype=<icmptype> --set-description=<description>
                           Set new description to icmptype [P only]
      --icmptype=<icmptype> --get-description
                           Print description for icmptype [P only]
      --icmptype=<icmptype> --set-short=<description>
                           Set new short description to icmptype [P only]
      --icmptype=<icmptype> --get-short
                           Print short description for icmptype [P only]
      --icmptype=<icmptype> --add-destination=<ipv>
                           Enable destination for ipv in icmptype [P only]
      --icmptype=<icmptype> --remove-destination=<ipv>
                           Disable destination for ipv in icmptype [P only]
      --icmptype=<icmptype> --query-destination=<ipv>
                           Return whether destination ipv is enabled in icmptype [P only]
      --icmptype=<icmptype> --get-destinations
                           List destinations in icmptype [P only]
    
    Service Options
      --new-service=<service>
                           Add a new service [P only]
      --new-service-from-file=<filename> [--name=<service>]
                           Add a new service from file with optional name [P only]
      --delete-service=<service>
                           Delete an existing service [P only]
      --load-service-defaults=<service>
                           Load icmptype default settings [P only]
      --info-service=<service>
                           Print information about a service
      --path-service=<service>
                           Print file path of a service [P only]
      --service=<service> --set-description=<description>
                           Set new description to service [P only]
      --service=<service> --get-description
                           Print description for service [P only]
      --service=<service> --set-short=<description>
                           Set new short description to service [P only]
      --service=<service> --get-short
                           Print short description for service [P only]
      --service=<service> --add-port=<portid>[-<portid>]/<protocol>
                           Add a new port to service [P only]
      --service=<service> --remove-port=<portid>[-<portid>]/<protocol>
                           Remove a port from service [P only]
      --service=<service> --query-port=<portid>[-<portid>]/<protocol>
                           Return whether the port has been added for service [P only]
      --service=<service> --get-ports
                           List ports of service [P only]
      --service=<service> --add-protocol=<protocol>
                           Add a new protocol to service [P only]
      --service=<service> --remove-protocol=<protocol>
                           Remove a protocol from service [P only]
      --service=<service> --query-protocol=<protocol>
                           Return whether the protocol has been added for service [P only]
      --service=<service> --get-protocols
                           List protocols of service [P only]
      --service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
                           Add a new source port to service [P only]
      --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
                           Remove a source port from service [P only]
      --service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
                           Return whether the source port has been added for service [P only]
      --service=<service> --get-source-ports
                           List source ports of service [P only]
      --service=<service> --add-module=<module>
                           Add a new module to service [P only]
      --service=<service> --remove-module=<module>
                           Remove a module from service [P only]
      --service=<service> --query-module=<module>
                           Return whether the module has been added for service [P only]
      --service=<service> --get-modules
                           List modules of service [P only]
      --service=<service> --set-destination=<ipv>:<address>[/<mask>]
                           Set destination for ipv to address in service [P only]
      --service=<service> --remove-destination=<ipv>
                           Disable destination for ipv i service [P only]
      --service=<service> --query-destination=<ipv>:<address>[/<mask>]
                           Return whether destination ipv is set for service [P only]
      --service=<service> --get-destinations
                           List destinations in service [P only]
    
    Options to Adapt and Query Zones
      --list-all           List everything added for or enabled in a zone [P] [Z]
      --list-services      List services added for a zone [P] [Z]
      --timeout=<timeval>  Enable an option for timeval time, where timeval is
                           a number followed by one of letters 's' or 'm' or 'h'
                           Usable for options marked with [T]
      --set-description=<description>
                           Set new description to zone [P only] [Z]
      --get-description    Print description for zone [P only] [Z]
      --set-short=<description>
                           Set new short description to zone [P only] [Z]
      --get-short          Print short description for zone [P only] [Z]
      --add-service=<service>
                           Add a service for a zone [P] [Z] [T]
      --remove-service=<service>
                           Remove a service from a zone [P] [Z]
      --query-service=<service>
                           Return whether service has been added for a zone [P] [Z]
      --list-ports         List ports added for a zone [P] [Z]
      --add-port=<portid>[-<portid>]/<protocol>
                           Add the port for a zone [P] [Z] [T]
      --remove-port=<portid>[-<portid>]/<protocol>
                           Remove the port from a zone [P] [Z]
      --query-port=<portid>[-<portid>]/<protocol>
                           Return whether the port has been added for zone [P] [Z]
      --list-protocols     List protocols added for a zone [P] [Z]
      --add-protocol=<protocol>
                           Add the protocol for a zone [P] [Z] [T]
      --remove-protocol=<protocol>
                           Remove the protocol from a zone [P] [Z]
      --query-protocol=<protocol>
                           Return whether the protocol has been added for zone [P] [Z]
      --list-source-ports  List source ports added for a zone [P] [Z]
      --add-source-port=<portid>[-<portid>]/<protocol>
                           Add the source port for a zone [P] [Z] [T]
      --remove-source-port=<portid>[-<portid>]/<protocol>
                           Remove the source port from a zone [P] [Z]
      --query-source-port=<portid>[-<portid>]/<protocol>
                           Return whether the source port has been added for zone [P] [Z]
      --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
      --add-icmp-block=<icmptype>
                           Add an ICMP block for a zone [P] [Z] [T]
      --remove-icmp-block=<icmptype>
                           Remove the ICMP block from a zone [P] [Z]
      --query-icmp-block=<icmptype>
                           Return whether an ICMP block has been added for a zone
                           [P] [Z]
      --add-icmp-block-inversion
                           Enable inversion of icmp blocks for a zone [P] [Z]
      --remove-icmp-block-inversion
                           Disable inversion of icmp blocks for a zone [P] [Z]
      --query-icmp-block-inversion
                           Return whether inversion of icmp blocks has been enabled
                           for a zone [P] [Z]
      --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
      --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                           Add the IPv4 forward port for a zone [P] [Z] [T]
      --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                           Remove the IPv4 forward port from a zone [P] [Z]
      --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                           Return whether the IPv4 forward port has been added for
                           a zone [P] [Z]
      --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
      --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
      --query-masquerade   Return whether IPv4 masquerading has been enabled for a
                           zone [P] [Z]
      --list-rich-rules    List rich language rules added for a zone [P] [Z]
      --add-rich-rule=<rule>
                           Add rich language rule 'rule' for a zone [P] [Z] [T]
      --remove-rich-rule=<rule>
                           Remove rich language rule 'rule' from a zone [P] [Z]
      --query-rich-rule=<rule>
                           Return whether a rich language rule 'rule' has been
                           added for a zone [P] [Z]
    
    Options to Handle Bindings of Interfaces
      --list-interfaces    List interfaces that are bound to a zone [P] [Z]
      --add-interface=<interface>
                           Bind the <interface> to a zone [P] [Z]
      --change-interface=<interface>
                           Change zone the <interface> is bound to [Z]
      --query-interface=<interface>
                           Query whether <interface> is bound to a zone [P] [Z]
      --remove-interface=<interface>
                           Remove binding of <interface> from a zone [P] [Z]
    
    Options to Handle Bindings of Sources
      --list-sources       List sources that are bound to a zone [P] [Z]
      --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                           Bind the source to a zone [P] [Z]
      --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                           Change zone the source is bound to [Z]
      --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                           Query whether the source is bound to a zone [P] [Z]
      --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                           Remove binding of the source from a zone [P] [Z]
    
    Helper Options
      --new-helper=<helper> --module=<module> [--family=<family>]
                           Add a new helper [P only]
      --new-helper-from-file=<filename> [--name=<helper>]
                           Add a new helper from file with optional name [P only]
      --delete-helper=<helper>
                           Delete an existing helper [P only]
      --load-helper-defaults=<helper>
                           Load helper default settings [P only]
      --info-helper=<helper> Print information about an helper
      --path-helper=<helper> Print file path of an helper [P only]
      --get-helpers         Print predefined helpers
      --helper=<helper> --set-description=<description>
                           Set new description to helper [P only]
      --helper=<helper> --get-description
                           Print description for helper [P only]
      --helper=<helper> --set-short=<description>
                           Set new short description to helper [P only]
      --helper=<helper> --get-short
                           Print short description for helper [P only]
      --helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
                           Add a new port to helper [P only]
      --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
                           Remove a port from helper [P only]
      --helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
                           Return whether the port has been added for helper [P only]
      --helper=<helper> --get-ports
                           List ports of helper [P only]
      --helper=<helper> --set-module=<module>
                           Set module to helper [P only]
      --helper=<helper> --get-module
                           Get module from helper [P only]
      --helper=<helper> --set-family={ipv4|ipv6|}
                           Set family for helper [P only]
      --helper=<helper> --get-family
                           Get module from helper [P only]
    
    Direct Options
      --direct             First option for all direct options
      --get-all-chains
                           Get all chains [P]
      --get-chains {ipv4|ipv6|eb} <table>
                           Get all chains added to the table [P]
      --add-chain {ipv4|ipv6|eb} <table> <chain>
                           Add a new chain to the table [P]
      --remove-chain {ipv4|ipv6|eb} <table> <chain>
                           Remove the chain from the table [P]
      --query-chain {ipv4|ipv6|eb} <table> <chain>
                           Return whether the chain has been added to the table [P]
      --get-all-rules
                           Get all rules [P]
      --get-rules {ipv4|ipv6|eb} <table> <chain>
                           Get all rules added to chain in table [P]
      --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                           Add rule to chain in table [P]
      --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                           Remove rule with priority from chain in table [P]
      --remove-rules {ipv4|ipv6|eb} <table> <chain>
                           Remove rules from chain in table [P]
      --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                           Return whether a rule with priority has been added to
                           chain in table [P]
      --passthrough {ipv4|ipv6|eb} <arg>...
                           Pass a command through (untracked by firewalld)
      --get-all-passthroughs
                           Get all tracked passthrough rules [P]
      --get-passthroughs {ipv4|ipv6|eb} <arg>...
                           Get tracked passthrough rules [P]
      --add-passthrough {ipv4|ipv6|eb} <arg>...
                           Add a new tracked passthrough rule [P]
      --remove-passthrough {ipv4|ipv6|eb} <arg>...
                           Remove a tracked passthrough rule [P]
      --query-passthrough {ipv4|ipv6|eb} <arg>...
                           Return whether the tracked passthrough rule has been
                           added [P]
    
    Lockdown Options
      --lockdown-on        Enable lockdown.
      --lockdown-off       Disable lockdown.
      --query-lockdown     Query whether lockdown is enabled
    
    Lockdown Whitelist Options
      --list-lockdown-whitelist-commands
                           List all command lines that are on the whitelist [P]
      --add-lockdown-whitelist-command=<command>
                           Add the command to the whitelist [P]
      --remove-lockdown-whitelist-command=<command>
                           Remove the command from the whitelist [P]
      --query-lockdown-whitelist-command=<command>
                           Query whether the command is on the whitelist [P]
      --list-lockdown-whitelist-contexts
                           List all contexts that are on the whitelist [P]
      --add-lockdown-whitelist-context=<context>
                           Add the context context to the whitelist [P]
      --remove-lockdown-whitelist-context=<context>
                           Remove the context from the whitelist [P]
      --query-lockdown-whitelist-context=<context>
                           Query whether the context is on the whitelist [P]
      --list-lockdown-whitelist-uids
                           List all user ids that are on the whitelist [P]
      --add-lockdown-whitelist-uid=<uid>
                           Add the user id uid to the whitelist [P]
      --remove-lockdown-whitelist-uid=<uid>
                           Remove the user id uid from the whitelist [P]
      --query-lockdown-whitelist-uid=<uid>
                           Query whether the user id uid is on the whitelist [P]
      --list-lockdown-whitelist-users
                           List all user names that are on the whitelist [P]
      --add-lockdown-whitelist-user=<user>
                           Add the user name user to the whitelist [P]
      --remove-lockdown-whitelist-user=<user>
                           Remove the user name user from the whitelist [P]
      --query-lockdown-whitelist-user=<user>
                           Query whether the user name user is on the whitelist [P]
    
    Panic Options
      --panic-on           Enable panic mode
      --panic-off          Disable panic mode
      --query-panic        Query whether panic mode is enabled
    

    Command details

    The option used most is --add-rich-rule, which adds one rule written in the rich rule language to a zone:

    --add-rich-rule            # add a rich rule to a zone (marked [P] above: add --permanent to keep it across reloads)
    
    man firewalld.richlanguage # manual page describing the rich rule language

    Examples

    Example 5 (from man firewalld.richlanguage)
     Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on port 4012
     	rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
    
    An IPv4 rule accepting tcp ports 10-20 from a single host:
    rule family="ipv4" source address="192.168.142.166" port port="10-20" protocol="tcp" accept
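Because `firewall-cmd --list-rich-rules` returns rules in exactly the text form shown in the examples above, a small parser is enough for a program to audit what a zone actually accepts. The following is an added example, not part of the page or of firewalld, that tokenises a rich rule into its elements and flags accept rules that carry no source restriction (no source element, an any-address source, or an inverted source). RichElement, RichRule, tokenize, parseRichRule, attr and isUnrestrictedAccept are names introduced here; the first two rules in main are the ones on the page and the remaining ones are constructed for the audit.

```cpp
#include <cstdio>
#include <map>
#include <set>
#include <string>
#include <vector>

// One element of a rich rule, e.g. source{address=...} or port{port=..., protocol=...}.
struct RichElement {
    std::string name;
    std::map<std::string, std::string> attrs;
};

struct RichRule {
    bool ok = false;                     // false when the text does not start with "rule"
    std::vector<RichElement> elements;   // elements[0] is "rule" itself and holds family=...
    std::string action;                  // accept / reject / drop / mark, or empty (forward-port, masquerade)
};

// Splits on whitespace but keeps quoted values (log prefix="..." may contain spaces)
// together, dropping the quotes.
std::vector<std::string> tokenize(const std::string& text)
{
    std::vector<std::string> out;
    std::string cur;
    bool quoted = false;
    for (char c : text) {
        if (c == '"') {
            quoted = !quoted;
        } else if ((c == ' ' || c == '\t') && !quoted) {
            if (!cur.empty()) { out.push_back(cur); cur.clear(); }
        } else {
            cur += c;
        }
    }
    if (!cur.empty()) out.push_back(cur);
    return out;
}

RichRule parseRichRule(const std::string& text)
{
    static const std::set<std::string> actions{"accept", "reject", "drop", "mark"};
    RichRule r;
    std::vector<std::string> toks = tokenize(text);
    if (toks.empty() || toks[0] != "rule") return r;
    r.elements.push_back({"rule", {}});
    for (size_t i = 1; i < toks.size(); ++i) {
        size_t eq = toks[i].find('=');
        if (eq == std::string::npos) {              // bare word: starts a new element
            if (actions.count(toks[i])) r.action = toks[i];
            r.elements.push_back({toks[i], {}});
        } else {                                    // key=value: attribute of the current element
            r.elements.back().attrs[toks[i].substr(0, eq)] = toks[i].substr(eq + 1);
        }
    }
    r.ok = true;
    return r;
}

// Returns the attribute value, or "" when the element or the attribute is absent.
std::string attr(const RichRule& r, const std::string& elem, const std::string& key)
{
    for (const RichElement& e : r.elements)
        if (e.name == elem) {
            auto it = e.attrs.find(key);
            return it == e.attrs.end() ? "" : it->second;
        }
    return "";
}

// Audit check: an accept rule with no source element, an any-address source, or an inverted
// source is reachable from everywhere the zone is, which is rarely what a rich rule was meant for.
bool isUnrestrictedAccept(const RichRule& r)
{
    if (!r.ok || r.action != "accept") return false;
    bool hasSource = false;
    for (const RichElement& e : r.elements) if (e.name == "source") hasSource = true;
    if (!hasSource) return true;
    std::string addr = attr(r, "source", "address");
    std::string inv = attr(r, "source", "invert");
    if (inv == "True" || inv == "true" || inv == "yes") return true;
    return addr == "0.0.0.0/0" || addr == "::/0";
}

int main()
{
    // First two lines are the rules shown on the page; the rest are constructed for the audit.
    const char* rules[] = {
        "rule family=\"ipv6\" source address=\"1:2:3:4:6::\" forward-port to-addr=\"1::2:3:4:7\" to-port=\"4012\" protocol=\"tcp\" port=\"4011\"",
        "rule family=\"ipv4\" source address=\"192.168.142.166\" port port=\"10-20\" protocol=\"tcp\" accept",
        "rule family=\"ipv4\" port port=\"22\" protocol=\"tcp\" accept",
        "rule family=\"ipv4\" source address=\"10.0.0.0/8\" invert=\"True\" service name=\"ssh\" accept",
    };
    for (const char* text : rules) {
        RichRule r = parseRichRule(text);
        std::printf("%-12s family=%-4s source=%-16s %s\n",
                    r.action.empty() ? "(no action)" : r.action.c_str(),
                    attr(r, "rule", "family").c_str(), attr(r, "source", "address").c_str(),
                    isUnrestrictedAccept(r) ? "REVIEW: accept without source restriction" : "ok");
    }
    return 0;
}
```

Feeding the output of `firewall-cmd --zone=<zone> --list-rich-rules` line by line into parseRichRule gives the runtime view; the same with `--permanent` gives what survives a reload, and a difference between the two lists is itself worth a look.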
    
