firewall-cmd --list-rich-rules
firewall-cmd --query-rich-rule='rule'
firewall-cmd --add-rich-rule='rule'
firewall-cmd --remove-rich-rule='rule'
Rich rule syntax:
rule [family="rule family"]
[ source [NOT] [address="address"] [mac="mac-address"] [ipset="ipset"] ]
[ destination [NOT] address="address" ]
[ element ]
[ log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"] ]
[ audit ]
[ action ]
The element field must be exactly one of the following types: service, port, protocol, masquerade, icmp-block, forward-port, source-port
service name=${service_name}
port port=${port} protocol=${protocol}
protocol value=${protocol_name_or_ID}, where the name can be looked up in /etc/protocols
masquerade
forward-port port=${port} protocol=${protocol} to-port=${to-port} to-addr=${to-addr}
log: new connections are recorded in the kernel log.
audit: log through auditd.
action: one of accept/reject/drop/mark.
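As an added example (not part of the original note), the following POSIX shell script assembles rich rules from the grammar above, validates the element and action fields before anything reaches firewalld, and applies the rule with the --query-rich-rule / --add-rich-rule commands listed at the top so that re-running the script does not duplicate rules. The function names build_rich_rule and apply_rich_rule, the log rate limit of 3/m and the addresses 203.0.113.0/24 and 192.0.2.10 are all constructed for this illustration.

```shell
#!/bin/sh
# Added example: compose and apply firewalld rich rules.
# build_rich_rule FAMILY SOURCE_ADDRESS ELEMENT [ACTION] [LOG_PREFIX]
#   Prints one rich rule string. ELEMENT is passed as already-formatted text
#   such as 'service name="ssh"' or 'port port="3306" protocol="tcp"'.
#   The element type and action are checked against the allowed sets from the
#   grammar so a typo fails here instead of being rejected later by firewalld.
build_rich_rule() {
    family="$1"; src="$2"; element="$3"; action="$4"; log_prefix="$5"

    case "$family" in
        ipv4|ipv6) ;;
        *) echo "bad family: $family" >&2; return 1 ;;
    esac
    case "$element" in
        "service "*|"port "*|"protocol "*|masquerade|"icmp-block "*|"forward-port "*|"source-port "*) ;;
        *) echo "bad element: $element" >&2; return 1 ;;
    esac
    # action is optional (masquerade and forward-port carry no action)
    if [ -n "$action" ]; then
        case "$action" in
            accept|reject|drop|mark) ;;
            *) echo "bad action: $action" >&2; return 1 ;;
        esac
    fi

    rule="rule family=\"$family\" source address=\"$src\" $element"
    if [ -n "$log_prefix" ]; then
        # Rate-limit kernel logging (constructed value 3/m) so a burst of
        # matching packets cannot flood the log.
        rule="$rule log prefix=\"$log_prefix\" level=\"info\" limit value=\"3/m\""
    fi
    if [ -n "$action" ]; then
        rule="$rule $action"
    fi
    echo "$rule"
}

# apply_rich_rule RULE
#   Adds RULE to the runtime configuration only if it is not already present.
#   When firewall-cmd is unavailable (e.g. on a workstation), it just reports
#   the command it would have run.
apply_rich_rule() {
    rule="$1"
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; would run: firewall-cmd --add-rich-rule='$rule'" >&2
        return 0
    fi
    if firewall-cmd --query-rich-rule="$rule" >/dev/null 2>&1; then
        echo "already present: $rule"
        return 0
    fi
    firewall-cmd --add-rich-rule="$rule"
}

# Constructed demonstration: allow SSH from a management subnet with logging,
# and drop connections from one host to the database port.
ssh_rule=$(build_rich_rule ipv4 203.0.113.0/24 'service name="ssh"' accept ssh-mgmt)
db_rule=$(build_rich_rule ipv4 192.0.2.10/32 'port port="3306" protocol="tcp"' drop)
apply_rich_rule "$ssh_rule"
apply_rich_rule "$db_rule"
```

Rules added this way live in the runtime configuration only; to keep them across a reload or reboot, add them again with --permanent (or run firewall-cmd --runtime-to-permanent), which is the same firewall-cmd option set the note lists.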