.. _LMI-FirewalldRichRule:

LMI_FirewalldRichRule
---------------------

Class reference
===============
Subclass of :ref:`LMI_FirewalldRule `

Firewalld Rich Rules allow more complex firewall rules to be created. Rich Rules extend the zone configuration rules with additional source and destination addresses, logging, actions, and limits for the logs and actions.

Each Rich Rule can be extended by associating (via LMI_FirewalldRuleComponent) instances of the following classes: LMI_FirewalldLogAction, LMI_FirewalldPort, LMI_FirewalldICMPType, LMI_FirewalldForwardPort, and LMI_FirewalldService. Use the AddRuleComponent method to add such a component to the Rich Rule.

Key properties
^^^^^^^^^^^^^^

| :ref:`InstanceID `

Local properties
^^^^^^^^^^^^^^^^

.. _LMI-FirewalldRichRule-DestinationAddress:

``string`` **DestinationAddress**

    DestinationAddress can be used to manage packets based on their destination address. The address can be either an IPv4/IPv6 host address or a network address, in which case DestinationAddressPrefix may be specified.

.. _LMI-FirewalldRichRule-DestinationAddressInvert:

``boolean`` **DestinationAddressInvert**

    If the DestinationAddressInvert property is true, the destination address is inverted, meaning that all addresses except the given one will match.

.. _LMI-FirewalldRichRule-Family:

``uint16`` **Family**

    Family can be used to limit the Rich Rule to IPv4 or IPv6 only. If source or destination addresses are used, the family must be provided. The same applies to port/packet forwarding.

    ======== ======
    ValueMap Values
    ======== ======
    0        IPv4
    1        IPv6
    2        Both
    ======== ======

.. _LMI-FirewalldRichRule-DestinationAddressPrefix:

``uint16`` **DestinationAddressPrefix**

    When DestinationAddress is a network address, this property can be used to specify the network address prefix.

.. _LMI-FirewalldRichRule-SourceAddressInvert:

``boolean`` **SourceAddressInvert**

    If the SourceAddressInvert property is true, the source address is inverted, meaning that all addresses except the given one will match.

.. _LMI-FirewalldRichRule-RejectType:

``string`` **RejectType**

    When Action is Reject, the reject type can be specified in this property. For valid reject types see ``--reject-with type`` in the iptables-extensions(8) man page. Because the reject types differ between IPv4 and IPv6, the rule family must be specified when a reject type is used.

.. _LMI-FirewalldRichRule-Action:

``uint16`` **Action**

    Action determines how the incoming packet is handled. With Accept, all new connection attempts are granted. With Reject, they are not accepted and their source receives a reject message; the reject type can be changed using the RejectType property. With Drop, all packets are dropped immediately and no information is sent to the source.

    ======== =========
    ValueMap Values
    ======== =========
    0        No Target
    1        Accept
    2        Reject
    3        Drop
    ======== =========

.. _LMI-FirewalldRichRule-Masquarade:

``boolean`` **Masquarade**

    This property turns on masquerading in the rule. A source address can be provided to limit masquerading to this area, but not a destination address.

.. _LMI-FirewalldRichRule-SourceAddress:

``string`` **SourceAddress**

    SourceAddress can be used to manage packets based on their source address. The source address can be either an IPv4/IPv6 host address or a network address, in which case SourceAddressPrefix may be specified.

.. _LMI-FirewalldRichRule-SourceAddressPrefix:

``uint16`` **SourceAddressPrefix**

    When SourceAddress is a network address, this property can be used to specify the network address prefix.

Local methods
^^^^^^^^^^^^^

.. _LMI-FirewalldRichRule-AddService:

``uint32`` **AddService** (:ref:`LMI_FirewalldService ` Service)

    Manage the given service in the Rich Rule.

    **Parameters**

        *IN* :ref:`LMI_FirewalldService ` **Service**
            Firewalld Service that will be added to the Rich Rule.

.. _LMI-FirewalldRichRule-AddICMPBlock:

``uint32`` **AddICMPBlock** (:ref:`LMI_FirewalldICMPType ` ICMPType)

    Manage blocking of ICMP packets in the Rich Rule.

    **Parameters**

        *IN* :ref:`LMI_FirewalldICMPType ` **ICMPType**
            Firewalld ICMP Type that will be blocked by the Rich Rule.

.. _LMI-FirewalldRichRule-AddPort:

``uint32`` **AddPort** (``string`` Port, ``uint16`` Protocol, :ref:`LMI_FirewalldPort ` FirewalldPort)

    Manage the traffic on the given port (or range of ports) and protocol.

    **Parameters**

        *IN* ``string`` **Port**
            Port to be allowed in the given Rich Rule. Allowed format is either a plain port number as a string or a dash-separated port range such as '1234-2345'.

        *IN* ``uint16`` **Protocol**
            Manage traffic using the given protocol.

            ======== ======
            ValueMap Values
            ======== ======
            1        TCP
            2        UDP
            ======== ======

        *OUT* :ref:`LMI_FirewalldPort ` **FirewalldPort**
            Instance of the LMI_FirewalldPort class representing that the given port (or range of ports) is managed by the Rich Rule.

.. _LMI-FirewalldRichRule-AddForwardPort:

``uint32`` **AddForwardPort** (``string`` Port, ``uint16`` Protocol, ``string`` ToPort, ``string`` ToAddress, :ref:`LMI_FirewalldForwardPort ` ForwardPort)

    Manage port forwarding in the Rich Rule.

    **Parameters**

        *IN* ``string`` **Port**
            Port (or range of ports) to be forwarded. Allowed format is either a plain port number as a string or a dash-separated port range such as '1234-2345'.

        *IN* ``uint16`` **Protocol**
            Forward traffic on the given protocol.

            ======== ======
            ValueMap Values
            ======== ======
            1        TCP
            2        UDP
            ======== ======

        *IN* ``string`` **ToPort**
            Destination port (or port range) to which the traffic should be forwarded. Allowed format is either a plain port number as a string or a dash-separated port range such as '1234-2345'. The range has to be the same size as the `Port` parameter. This parameter can also be `null`, in which case the destination ports are the same as the source ports.

        *IN* ``string`` **ToAddress**
            The destination IPv4 address. Can be `null`.

        *OUT* :ref:`LMI_FirewalldForwardPort ` **ForwardPort**
            Instance of the LMI_FirewalldForwardPort class representing that the given port (or range of ports) is forwarded by the given Rich Rule.

.. _LMI-FirewalldRichRule-AddLogAction:

``uint32`` **AddLogAction** (``string`` Prefix, ``uint16`` Level, ``uint32`` LimitRate, ``uint16`` LimitUnit, ``boolean`` Audit)

    Add logging of new connections to the Rich Rule.

    **Parameters**

        *IN* ``string`` **Prefix**
            Prefix that will be added to the log message.

        *IN* ``uint16`` **Level**
            Level that will be used when logging the message. Default value is "warning".

            ======== =========
            ValueMap Values
            ======== =========
            0        Unknown
            1        Emergency
            2        Alert
            3        Critical
            4        Error
            5        Warning
            6        Notice
            7        Info
            8        Debug
            ======== =========

        *IN* ``uint32`` **LimitRate**
            LimitRate and LimitUnit together limit the logging: they determine how often a new entry is written to the log. The maximum limit is once per day.

        *IN* ``uint16`` **LimitUnit**
            Unit for limiting logging entries.

            ======== =======
            ValueMap Values
            ======== =======
            0        Unknown
            1        Seconds
            2        Minutes
            3        Hours
            4        Days
            ======== =======

        *IN* ``boolean`` **Audit**
            If the Audit property is set to True, logging entries are sent to the auditd service instead of being written to syslog.

Inherited properties
^^^^^^^^^^^^^^^^^^^^

| ``string`` :ref:`ConfigurationName `
| ``uint16`` :ref:`ChangeableType `
| ``string`` :ref:`InstanceID `
| ``string`` :ref:`ElementName `
| ``string`` :ref:`Caption `
| ``uint64`` :ref:`Generation `
| ``string`` :ref:`Description `

Inherited methods
^^^^^^^^^^^^^^^^^

*None*
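The following added example (not OpenLMI provider code) renders the property values and method parameters described on this page into the firewalld rich rule language, enforcing the constraints the page states: Family must be IPv4 or IPv6 when addresses, forwarding or RejectType are used, masquerading cannot be limited by a destination address, a ``null`` ToPort keeps the source ports, and Level defaults to warning. The dict keys mirror the class property and parameter names; how the real provider serialises them is an assumption.

```python
# Assumed mapping from the page's ValueMaps to firewalld rich rule keywords.
PROTO = {1: "tcp", 2: "udp"}
FAMILY = {0: "ipv4", 1: "ipv6", 2: None}          # 2 = Both: no family clause
ACTION = {0: None, 1: "accept", 2: "reject", 3: "drop"}
LEVEL = {1: "emerg", 2: "alert", 3: "crit", 4: "error", 5: "warning",
         6: "notice", 7: "info", 8: "debug"}
UNIT = {1: "s", 2: "m", 3: "h", 4: "d"}


def _addr(kind, addr, prefix=None, invert=False):
    """source/destination clause; the prefix is only given for network addresses."""
    text = addr if prefix is None else f"{addr}/{prefix}"
    return f'{kind} address="{text}"' + (' invert="True"' if invert else "")


def rich_rule(rule, forward=None, log=None):
    """Render one rich rule. `rule` uses the class property names (including the
    page's spelling 'Masquarade'); `forward` and `log` use the AddForwardPort and
    AddLogAction parameter names. Raises ValueError on combinations the page forbids."""
    family = FAMILY[rule.get("Family", 2)]
    needs_family = (rule.get("SourceAddress") or rule.get("DestinationAddress")
                    or forward or rule.get("RejectType"))
    if needs_family and family is None:
        raise ValueError("Family must be IPv4 or IPv6 for addresses, forwarding or RejectType")
    if rule.get("Masquarade") and rule.get("DestinationAddress"):
        raise ValueError("masquerading cannot be limited by a destination address")
    parts = ["rule"] + ([f'family="{family}"'] if family else [])
    if rule.get("SourceAddress"):
        parts.append(_addr("source", rule["SourceAddress"],
                           rule.get("SourceAddressPrefix"), rule.get("SourceAddressInvert", False)))
    if rule.get("DestinationAddress"):
        parts.append(_addr("destination", rule["DestinationAddress"],
                           rule.get("DestinationAddressPrefix"), rule.get("DestinationAddressInvert", False)))
    if forward:
        clause = f'forward-port port="{forward["Port"]}" protocol="{PROTO[forward["Protocol"]]}"'
        if forward.get("ToPort"):          # null ToPort: destination ports equal source ports
            clause += f' to-port="{forward["ToPort"]}"'
        if forward.get("ToAddress"):       # null ToAddress: forward on the local host
            clause += f' to-addr="{forward["ToAddress"]}"'
        parts.append(clause)
    if log:
        clause = "audit" if log.get("Audit") else "log"   # Audit=True goes to auditd, not syslog
        if not log.get("Audit"):
            clause += f' prefix="{log.get("Prefix", "")}" level="{LEVEL[log.get("Level", 5)]}"'
        if log.get("LimitRate"):           # LimitRate/LimitUnit -> "N/s|m|h|d"
            clause += f' limit value="{log["LimitRate"]}/{UNIT[log["LimitUnit"]]}"'
        parts.append(clause)
    if rule.get("Masquarade"):
        parts.append("masquerade")
    action = ACTION[rule.get("Action", 0)]
    if action == "reject" and rule.get("RejectType"):   # reject type needs a family (checked above)
        action = f'reject type="{rule["RejectType"]}"'
    return " ".join(parts + ([action] if action else []))
```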