Red Hat firewalld: editing rich rules
Update: doing this ends up blocking every IP. On investigation, the firewalld version is too old and has no priority parameter to configure (lll¬ω¬)
Use zone configuration to meet the requirement instead:
firewall-cmd --permanent --zone=trusted --add-source=<WAF-address>
Query result:
[root@149 ~]# firewall-cmd --get-active-zones
drop
  interfaces: ens33
trusted
  sources: <WAF-address>
Done.
————————————————————————————————————————
Add a rule allowing the WAF to access port 443
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<WAF-address>" port protocol="tcp" port="443" accept'
Add a rule rejecting all IPs from accessing port 443
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="443" reject'
Add a rule allowing the WAF to access port 80
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="<WAF-address>" port protocol="tcp" port="80" accept'
Add a rule rejecting all IPs from accessing port 80
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="80" reject'
Reload the firewall to apply the rules
firewall-cmd --reload
Query the firewall configuration:
[root@149 ~]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: dhcpv6-client http https ssh
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="x.x.x.x" port port="443" protocol="tcp" accept
        rule family="ipv4" port port="443" protocol="tcp" reject
        rule family="ipv4" source address="x.x.x.x" port port="80" protocol="tcp" accept
        rule family="ipv4" port port="80" protocol="tcp" reject
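Why the four rules above blocked everyone, and when the trusted-zone workaround is needed, as an added shell example that is not part of the original post: without a priority, firewalld groups rich rules by action (log, then drop/reject, then accept) rather than keeping insertion order, so the catch-all rejects are evaluated before the WAF accepts. The WAF address 203.0.113.10 and the version strings are constructed values.

```shell
#!/bin/sh
# Added example (not from the original post). Models why the post's rich rules
# blocked every client and chooses between "priority" and the trusted-zone
# workaround. The WAF address 203.0.113.10 is a constructed value.

# The four rich rules from the post, as firewall-cmd --list-all prints them.
RULES='rule family="ipv4" source address="203.0.113.10" port port="443" protocol="tcp" accept
rule family="ipv4" port port="443" protocol="tcp" reject
rule family="ipv4" source address="203.0.113.10" port port="80" protocol="tcp" accept
rule family="ipv4" port port="80" protocol="tcp" reject'

# Without "priority", firewalld does not keep insertion order: rules are
# grouped by action (log, then drop/reject, then accept). Print the rules in
# that effective order; both catch-all rejects land before the WAF accepts,
# which is exactly why every IP was blocked. Rules ending in any other action
# (log-only, mark) are grouped first here; that is a simplification.
effective_order() {
  printf '%s\n' "$1" | awk '
    $NF == "drop" || $NF == "reject" { print 1, NR, $0; next }
    $NF == "accept"                  { print 2, NR, $0; next }
                                     { print 0, NR, $0 }' |
    sort -k1,1n -k2,2n | cut -d' ' -f3-
}

# Exit 0 when the firewalld version (X.Y.Z) is 0.7.0 or newer, the first
# release with the rich-rule "priority" option. The post's host is older.
supports_priority() {
  printf '%s\n' "$1" | awk -F. '{ exit !($1 > 0 || ($1 == 0 && $2 >= 7)) }'
}

# Configuration for one port: with priority support, give the WAF accept a
# lower (earlier) priority than the catch-all reject; otherwise fall back to
# the post's trusted-zone workaround. Note that the trusted zone admits the
# WAF address to every port, not only 80 and 443.
emit_rules() {
  ver=$1; waf=$2; port=$3
  if supports_priority "$ver"; then
    printf 'rule priority="-10" family="ipv4" source address="%s" port port="%s" protocol="tcp" accept\n' "$waf" "$port"
    printf 'rule priority="10" family="ipv4" port port="%s" protocol="tcp" reject\n' "$port"
  else
    printf 'firewall-cmd --permanent --zone=trusted --add-source=%s\n' "$waf"
  fi
}

effective_order "$RULES"
emit_rules 0.6.3 203.0.113.10 443
emit_rules 0.9.11 203.0.113.10 443
```

The priority lines are rich rules to pass to `firewall-cmd --permanent --add-rich-rule=...`; the fallback line is the complete command from the update at the top of the post.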