ルールを追加すると、ファイアウォールは内部的にパケット状態をどのように処理しますか？

Question

--directコマンドでルールを使用できますfirewall-cmd。あなたの場合、実行するコマンドは次のとおりです。

# Check for existing firewalld direct rules
$ sudo firewall-cmd --direct --get-all-rules
# Now add your direct rule
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport=80 -j ACCEPT -m state --state NEW
# Return traffic (ESTABLISHED for example) is automatically allowed due to firewalld's stateful nature
# Reload firewalld
$ sudo firewall-cmd --reload
# Check if your direct rule was successfully added
$ sudo firewall-cmd --direct --get-all-rules
# From server side create a listening port (if there is no service listening on TCP 80)
$ nc -vlt 80
# From client side, initiate a connection to server on port 80
# Where X.X.X.X is server IP or hostname (with a 3 seconds timeout)
$ nc -v -w 3 X.X.X.X 80

引用:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/using_the_direct_interface

Answer 1

--directコマンドでルールを使用できますfirewall-cmd。あなたの場合、実行するコマンドは次のとおりです。

# Check for existing firewalld direct rules
$ sudo firewall-cmd --direct --get-all-rules
# Now add your direct rule
$ sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport=80 -j ACCEPT -m state --state NEW
# Return traffic (ESTABLISHED for example) is automatically allowed due to firewalld's stateful nature
# Reload firewalld
$ sudo firewall-cmd --reload
# Check if your direct rule was successfully added
$ sudo firewall-cmd --direct --get-all-rules
# From server side create a listening port (if there is no service listening on TCP 80)
$ nc -vlt 80
# From client side, initiate a connection to server on port 80
# Where X.X.X.X is server IP or hostname (with a 3 seconds timeout)
$ nc -v -w 3 X.X.X.X 80

引用:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/using_the_direct_interface

ルールを追加すると、ファイアウォールは内部的にパケット状態をどのように処理しますか？

ベストアンサー1

おすすめ記事