# huaweicloud-cfw-acl-rule-java
**Repository Path**: HuaweiCloudDeveloper/huaweicloud-cfw-acl-rule-java
## Basic Information
- **Project Name**: huaweicloud-cfw-acl-rule-java
- **Description**: Cloud Firewall (CFW) is a new-generation cloud-native SaaS firewall that protects the internet border and VPC borders on the cloud. It provides real-time intrusion detection and prevention, unified global access control, full-traffic analysis and visualization, and log auditing and trace analysis, and it scales elastically on demand; it is the basic network security service for workloads moving to the cloud.
This repository demonstrates how to use the firewall ACL rule feature.
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master-dev
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 0
- **Forks**: 0
- **Created**: 2022-12-07
- **Last Updated**: 2025-06-16
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
## 0. Version
This sample is developed against Huawei Cloud SDK V3.0.
## 1. Introduction
Huawei Cloud provides a server-side SDK for CFW. You can integrate it directly to call the CFW APIs and operate CFW quickly.
This sample shows how to protect an already-protected EIP with access control through CFW, how to create, delete, update and query access control policies, and how to query the access control logs those policies generate.
## 2. Preparation
- A [registered](https://id1.cloud.huawei.com/UnifiedIDMPortal/portal/userRegister/regbyphone.html?themeName=red&access_type=offline&clientID=103493351&loginChannel=88000000&loginUrl=https%3A%2F%2Fauth.huaweicloud.com%2Fauthui%2Flogin.html%23&casLoginUrl=https%3A%2F%2Fauth.huaweicloud.com%2Fauthui%2FcasLogin&service=https%3A%2F%2Fauth.huaweicloud.com%2Fauthui%2FcasLogin&countryCode=cn&scope=https%3A%2F%2Fwww.huawei.com%2Fauth%2Faccount%2Funified.profile+https%3A%2F%2Fwww.huawei.com%2Fauth%2Faccount%2Frisk.idstate&reqClientType=88&state=94fc0f9f861b4f30a85ec1f463d35609&lang=zh-cn) Huawei Cloud account that has completed [real-name authentication](https://account.huaweicloud.com/usercenter/?region=cn-north-4#/accountindex/realNameAuth).
- A development environment with Java JDK 1.8 or later.
- The Access Key (AK) and Secret Access Key (SK) of your Huawei Cloud account. Create and view your AK/SK on the console under "My Credentials > Access Keys"; see [Access Keys](https://support.huaweicloud.com/usermanual-ca/zh-cn_topic_0046606340.html).
- The project of the target region. View it on the console under "My Credentials > API Credentials > Projects", for example cn-north-4; see [API Credentials](https://support.huaweicloud.com/usermanual-ca/ca_01_0002.html).
- A firewall purchased in [Cloud Firewall](https://console.huaweicloud.com/console/?region=cn-north-4#/cfw/overview) and an ECS purchased in [Elastic Cloud Server](https://console.huaweicloud.com/ecm/?region=cn-north-4#/ecs/createVm).
- The firewall id (FirewallInstanceId) and protected object id (ObjectId), obtained by calling [API Explorer: query firewall instances](https://apiexplorer.developer.huaweicloud.com/apiexplorer/doc?product=CFW&api=ListFirewallUsingGet); see 5. FAQ.
- An ECS used to generate the access-control traffic.
## 3. Install the SDK
You can obtain and install the SDK through Maven. First download and install Maven on your system; then add the dependency below to the pom.xml of your Java project.
Before using the server-side SDK, install "huaweicloud-sdk-cfw"; see the [SDK Center](https://sdkcenter.developer.huaweicloud.com/?language=Java) for the specific SDK version number.
```xml
<dependency>
    <groupId>com.huaweicloud.sdk</groupId>
    <artifactId>huaweicloud-sdk-cfw</artifactId>
    <version>3.1.14</version>
</dependency>
```
## 4. Usage
### 4.1 Import dependencies
```java
import com.huaweicloud.sdk.cfw.v1.CfwClient;
import com.huaweicloud.sdk.cfw.v1.model.AddRuleAclDto;
import com.huaweicloud.sdk.cfw.v1.model.AddRuleAclDtoRules;
import com.huaweicloud.sdk.cfw.v1.model.AddRuleAclUsingPostRequest;
import com.huaweicloud.sdk.cfw.v1.model.AddRuleAclUsingPostResponse;
import com.huaweicloud.sdk.cfw.v1.model.DeleteRuleAclUsingDeleteRequest;
import com.huaweicloud.sdk.cfw.v1.model.DeleteRuleAclUsingDeleteResponse;
import com.huaweicloud.sdk.cfw.v1.model.EipResource;
import com.huaweicloud.sdk.cfw.v1.model.ListAccessControlLogsRequest;
import com.huaweicloud.sdk.cfw.v1.model.ListAccessControlLogsResponse;
import com.huaweicloud.sdk.cfw.v1.model.ListEipResourcesRequest;
import com.huaweicloud.sdk.cfw.v1.model.ListEipResourcesResponse;
// The next four classes are used by the rule-ordering and hit-count methods in 4.4.9
import com.huaweicloud.sdk.cfw.v1.model.ListRuleAclUsingPutRequest;
import com.huaweicloud.sdk.cfw.v1.model.ListRuleAclsUsingGetRequest;
import com.huaweicloud.sdk.cfw.v1.model.ListRuleAclsUsingGetResponse;
import com.huaweicloud.sdk.cfw.v1.model.ListRuleHitCountDto;
import com.huaweicloud.sdk.cfw.v1.model.ListRuleHitCountRequest;
import com.huaweicloud.sdk.cfw.v1.model.ListRuleHitCountResponse;
import com.huaweicloud.sdk.cfw.v1.model.OrderRuleAclDto;
import com.huaweicloud.sdk.cfw.v1.model.RuleAddressDto;
import com.huaweicloud.sdk.cfw.v1.model.RuleServiceDto;
import com.huaweicloud.sdk.cfw.v1.model.UpdateRuleAclDto;
import com.huaweicloud.sdk.cfw.v1.model.UpdateRuleAclUsingPutRequest;
import com.huaweicloud.sdk.cfw.v1.model.UpdateRuleAclUsingPutResponse;
import com.huaweicloud.sdk.cfw.v1.region.CfwRegion;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ConnectionException;
import com.huaweicloud.sdk.core.exception.RequestTimeoutException;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.core.utils.JsonUtils;
import java.util.ArrayList;
import java.util.List;
```
### 4.2 Initialize credentials
```java
// ak and sk are the Access Key and Secret Access Key from "My Credentials > Access Keys" (section 2)
BasicCredentials auth = new BasicCredentials().withAk(ak).withSk(sk);
```
### 4.3 Initialize the firewall client
```java
// The region id is the one whose project you looked up in section 2, e.g. "cn-north-4"
CfwClient client = CfwClient.newBuilder().withCredential(auth).withRegion(CfwRegion.valueOf("")).build();
```
### 4.4 Create and use an ACL rule
Sections 4.4.1 to 4.4.8 show how to perform each operation in the console; 4.4.9 shows how to implement the same operations in code.
#### 4.4.1 Query the protected-EIP list to obtain the address of one protected EIP
#### 4.4.2 Add an ACL rule: direction external to internal, name ceshi, source address 0.0.0.0/0, destination address type IP address, destination address the protected EIP, service type service, protocol TCP, source port 0-65535, destination port 0-65535, long connections not supported, action block, status enabled
#### 4.4.3 Obtain the rule id from the ACL list
#### 4.4.4 Query the access control logs to obtain the block logs
#### 4.4.5 Query the access count of the rule id to obtain the rule hit count
#### 4.4.6 Pin the rule to the top
#### 4.4.7 Update the ACL rule's destination to a non-protected EIP, leaving the rest unchanged
#### 4.4.8 Delete the ACL rule
#### 4.4.9 Sample code
```java
// The sample shows only the methods; the enclosing class name is assumed here
public class CfwAclRuleDemo {

    public static void main(String[] args) {
        // Fill in your AK/SK (keep them out of source control) and the region id, e.g. "cn-north-4"
        String ak = "";
        String sk = "";
        BasicCredentials auth = new BasicCredentials().withAk(ak).withSk(sk);
        CfwClient client = CfwClient.newBuilder()
                .withCredential(auth)
                .withRegion(CfwRegion.valueOf(""))
                .build();
        try {
            /* 4.4.1 Query the protected-EIP list and take one protected EIP address */
            String publicEIp = queryEip(client);
            /* 4.4.2 Add an ACL rule: external to internal, name ceshi, source 0.0.0.0/0, destination type IP address,
               destination the protected EIP, service type service, protocol TCP, source port 0-65535,
               destination port 0-65535, no long connections, action block, status enabled */
            String id = addAcl(client, publicEIp);
            /* 4.4.3 Obtain the rule id from the ACL list */
            queryRuleId(client);
            /* 4.4.4 Query the access control logs to obtain the block logs */
            queryAccessLog(client, publicEIp);
            /* 4.4.5 Query the hit count of the ACL rule */
            queryRuleHitCount(client, id);
            /* 4.4.6 Pin the ACL rule to the top */
            orderRule(client, id);
            /* 4.4.7 Update the rule's destination to a non-protected EIP, leaving the rest unchanged */
            updateAcl(client, id);
            /* 4.4.8 Delete the ACL rule */
            deleteAcl(client, id);
        } catch (ConnectionException e) {
            System.out.println(e.getMessage());
        } catch (RequestTimeoutException e) {
            System.out.println(e.getMessage());
        } catch (ServiceResponseException e) {
            System.out.println(e.getHttpStatusCode());
            System.out.println(e.getErrorCode());
            System.out.println(e.getErrorMsg());
        }
    }

    /* 4.4.6: move the rule to the top of the ACL list (top = 1) */
    private static void orderRule(CfwClient client, String ruleId) {
        ListRuleAclUsingPutRequest listRuleAclUsingPutRequest = new ListRuleAclUsingPutRequest();
        OrderRuleAclDto orderRuleAclDto = new OrderRuleAclDto();
        orderRuleAclDto.setTop(1);
        listRuleAclUsingPutRequest.setAclRuleId(ruleId);
        listRuleAclUsingPutRequest.setBody(orderRuleAclDto);
        client.listRuleAclUsingPut(listRuleAclUsingPutRequest);
    }

    /* 4.4.5: query how many times the rule has been hit */
    private static void queryRuleHitCount(CfwClient client, String ruleId) {
        ListRuleHitCountRequest listRuleHitCountRequest = new ListRuleHitCountRequest();
        ListRuleHitCountDto listRuleHitCountDto = new ListRuleHitCountDto();
        List<String> ruleIds = new ArrayList<>();
        ruleIds.add(ruleId);
        listRuleHitCountDto.setRuleIds(ruleIds);
        // The DTO must be attached to the request, otherwise the call has no rule ids to query
        listRuleHitCountRequest.setBody(listRuleHitCountDto);
        ListRuleHitCountResponse listRuleHitCountResponse = client.listRuleHitCount(listRuleHitCountRequest);
        System.out.println(listRuleHitCountResponse.toString());
    }

    /* 4.4.8: delete the rule by id */
    private static void deleteAcl(CfwClient client, String id) {
        DeleteRuleAclUsingDeleteRequest deleteRuleAclUsingDeleteRequest = new DeleteRuleAclUsingDeleteRequest();
        deleteRuleAclUsingDeleteRequest.setAclRuleId(id);
        DeleteRuleAclUsingDeleteResponse deleteRuleAclUsingDeleteResponse =
                client.deleteRuleAclUsingDelete(deleteRuleAclUsingDeleteRequest);
        System.out.println(deleteRuleAclUsingDeleteResponse.toString());
    }

    /* 4.4.7: resend the full rule with only the destination changed to a non-protected address */
    private static void updateAcl(CfwClient client, String id) {
        UpdateRuleAclUsingPutRequest updateRuleAclUsingPutRequest = new UpdateRuleAclUsingPutRequest();
        updateRuleAclUsingPutRequest.setAclRuleId(id);
        UpdateRuleAclDto updateRuleAclDto = new UpdateRuleAclDto();
        updateRuleAclDto.setActionType(UpdateRuleAclDto.ActionTypeEnum.NUMBER_1); // block
        updateRuleAclDto.setAddressType(UpdateRuleAclDto.AddressTypeEnum.NUMBER_0); // IP address
        updateRuleAclDto.setDescription("");
        RuleAddressDto newDestination = new RuleAddressDto();
        newDestination.setAddress("1.1.1.1"); // an address that is not a protected EIP
        newDestination.setType(0);
        updateRuleAclDto.setDestination(newDestination);
        updateRuleAclDto.setDirection(UpdateRuleAclDto.DirectionEnum.NUMBER_0); // external to internal
        updateRuleAclDto.setLongConnectEnable(UpdateRuleAclDto.LongConnectEnableEnum.NUMBER_0);
        updateRuleAclDto.setName("ceshiAcl");
        RuleServiceDto ruleServiceDto = new RuleServiceDto();
        ruleServiceDto.setDestPort("0-65535");
        ruleServiceDto.setSourcePort("0-65535");
        ruleServiceDto.setProtocol(6); // TCP
        ruleServiceDto.setType(0);
        updateRuleAclDto.setService(ruleServiceDto);
        RuleAddressDto source = new RuleAddressDto();
        source.setAddress("0.0.0.0/0");
        source.setType(0);
        updateRuleAclDto.setSource(source);
        updateRuleAclDto.setStatus(1); // enabled
        updateRuleAclDto.setType(UpdateRuleAclDto.TypeEnum.NUMBER_0);
        updateRuleAclUsingPutRequest.setBody(updateRuleAclDto);
        System.out.println(JsonUtils.toJSON(updateRuleAclUsingPutRequest));
        UpdateRuleAclUsingPutResponse updateRuleAclUsingPutResponse =
                client.updateRuleAclUsingPut(updateRuleAclUsingPutRequest);
        System.out.println(updateRuleAclUsingPutResponse.toString());
    }

    /* 4.4.4: access control logs whose destination is the protected EIP, within a time window */
    private static void queryAccessLog(CfwClient client, String publicEIp) {
        ListAccessControlLogsRequest listAccessControlLogsRequest = new ListAccessControlLogsRequest();
        listAccessControlLogsRequest.setDstIp(publicEIp);
        listAccessControlLogsRequest.setFwInstanceId(""); // FirewallInstanceId, see 5.2
        // Start and end are epoch milliseconds; set them to a window that covers your test traffic
        listAccessControlLogsRequest.setStartTime(1670427589817L);
        listAccessControlLogsRequest.setEndTime(1670431189817L);
        listAccessControlLogsRequest.setLimit(10);
        ListAccessControlLogsResponse listAccessControlLogsResponse =
                client.listAccessControlLogs(listAccessControlLogsRequest);
        System.out.println(listAccessControlLogsResponse.toString());
    }

    /* 4.4.3: list the ACL rules of the protected object and take the first rule id */
    private static String queryRuleId(CfwClient client) {
        ListRuleAclsUsingGetRequest listRuleAclsUsingGetRequest = new ListRuleAclsUsingGetRequest();
        listRuleAclsUsingGetRequest.setObjectId(""); // ObjectId, see 5.1
        listRuleAclsUsingGetRequest.setLimit(10);
        listRuleAclsUsingGetRequest.setOffset(0);
        ListRuleAclsUsingGetResponse listRuleAclsUsingGetResponse =
                client.listRuleAclsUsingGet(listRuleAclsUsingGetRequest);
        String ruleId = listRuleAclsUsingGetResponse.getData().getRecords().get(0).getRuleId();
        System.out.println(ruleId);
        return ruleId;
    }

    /* 4.4.2: create the block rule described in the heading and return its id */
    private static String addAcl(CfwClient client, String publicEIp) {
        AddRuleAclUsingPostRequest addRuleAclUsingPostRequest = new AddRuleAclUsingPostRequest();
        AddRuleAclDto addRuleAclDto = new AddRuleAclDto();
        addRuleAclDto.setObjectId(""); // ObjectId, see 5.1
        List<AddRuleAclDtoRules> addRuleAclDtoRulesList = new ArrayList<>();
        AddRuleAclDtoRules addRuleAclDtoRules = new AddRuleAclDtoRules();
        addRuleAclDtoRules.setActionType(1); // block
        addRuleAclDtoRules.setAddressType(AddRuleAclDtoRules.AddressTypeEnum.NUMBER_0); // IP address
        addRuleAclDtoRules.setDescription("");
        RuleAddressDto destination = new RuleAddressDto();
        destination.setAddress(publicEIp);
        destination.setType(0);
        addRuleAclDtoRules.setDestination(destination);
        addRuleAclDtoRules.setDirection(AddRuleAclDtoRules.DirectionEnum.NUMBER_0); // external to internal
        addRuleAclDtoRules.setLongConnectEnable(AddRuleAclDtoRules.LongConnectEnableEnum.NUMBER_0);
        addRuleAclDtoRules.setName("ceshiAcl");
        OrderRuleAclDto orderRuleAclDto = new OrderRuleAclDto();
        orderRuleAclDto.setTop(1);
        addRuleAclDtoRules.setSequence(orderRuleAclDto);
        RuleServiceDto ruleServiceDto = new RuleServiceDto();
        ruleServiceDto.setDestPort("0-65535");
        ruleServiceDto.setSourcePort("0-65535");
        ruleServiceDto.setProtocol(6); // TCP
        ruleServiceDto.setType(0);
        addRuleAclDtoRules.setService(ruleServiceDto);
        RuleAddressDto source = new RuleAddressDto();
        source.setAddress("0.0.0.0/0");
        source.setType(0);
        addRuleAclDtoRules.setSource(source);
        addRuleAclDtoRules.setStatus(AddRuleAclDtoRules.StatusEnum.NUMBER_1); // enabled
        addRuleAclDtoRulesList.add(addRuleAclDtoRules);
        addRuleAclDto.setRules(addRuleAclDtoRulesList);
        addRuleAclDto.setType(AddRuleAclDto.TypeEnum.NUMBER_0);
        addRuleAclUsingPostRequest.setBody(addRuleAclDto);
        AddRuleAclUsingPostResponse addRuleAclUsingPostResponse =
                client.addRuleAclUsingPost(addRuleAclUsingPostRequest);
        String id = addRuleAclUsingPostResponse.getData().getRules().get(0).getId();
        System.out.println(id);
        return id;
    }

    /* 4.4.1: list the protected EIPs of the object and take the first public IP */
    private static String queryEip(CfwClient client) {
        ListEipResourcesRequest listEipResourcesRequest = new ListEipResourcesRequest();
        listEipResourcesRequest.setObjectId(""); // ObjectId, see 5.1
        listEipResourcesRequest.setLimit(10);
        listEipResourcesRequest.setOffset(0);
        listEipResourcesRequest.setSync(ListEipResourcesRequest.SyncEnum.NUMBER_1);
        ListEipResourcesResponse listEipResourcesResponse = client.listEipResources(listEipResourcesRequest);
        EipResource eipResource = listEipResourcesResponse.getData().getRecords().get(0);
        String publicEIp = eipResource.getPublicIp();
        System.out.println(publicEIp);
        return publicEIp;
    }
}
```
## 5. FAQ
### 5.1 What is ObjectId and how do I obtain it
ObjectId is the id that distinguishes internet-border protection from VPC-border protection once a cloud firewall has been created. Obtain the protected object id (ObjectId) by calling [API Explorer: query firewall instances](https://apiexplorer.developer.huaweicloud.com/apiexplorer/doc?product=CFW&api=ListFirewallUsingGet); note that type 0 is internet-border protection and type 1 is VPC-border protection.

### 5.2 What is FirewallInstanceId and how do I obtain it
FirewallInstanceId is the id the system generates to identify the firewall once it has been created. Obtain the firewall id (FirewallInstanceId) by calling [API Explorer: query firewall instances](https://apiexplorer.developer.huaweicloud.com/apiexplorer/doc?product=CFW&api=ListFirewallUsingGet).
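The two FAQ answers above and section 2 send you to API Explorer for the ids and the sample code in 4.4.9 then hard-codes them, together with fixed epoch timestamps for the log window. The following is an added example, not code from this repository, that does the lookup with the same SDK client: it calls the ListFirewallUsingGet operation, picks the protect object whose type is 0 (internet border, as 5.1 states) and its firewall instance id, then uses the instance id to query the access control logs for the last hour computed from the clock. The model classes GetFirewallInstanceResponseRecord and ProtectObjectVO, the serviceType value, the environment variable names HUAWEICLOUD_SDK_AK/HUAWEICLOUD_SDK_SK and the class name FirewallIdsAndLogs are assumptions to check against your SDK version.

```java
import com.huaweicloud.sdk.cfw.v1.CfwClient;
import com.huaweicloud.sdk.cfw.v1.model.GetFirewallInstanceResponseRecord;
import com.huaweicloud.sdk.cfw.v1.model.ListAccessControlLogsRequest;
import com.huaweicloud.sdk.cfw.v1.model.ListAccessControlLogsResponse;
import com.huaweicloud.sdk.cfw.v1.model.ListFirewallUsingGetRequest;
import com.huaweicloud.sdk.cfw.v1.model.ListFirewallUsingGetResponse;
import com.huaweicloud.sdk.cfw.v1.model.ProtectObjectVO;
import com.huaweicloud.sdk.cfw.v1.region.CfwRegion;
import com.huaweicloud.sdk.core.auth.BasicCredentials;
import com.huaweicloud.sdk.core.exception.ServiceResponseException;
import com.huaweicloud.sdk.core.utils.JsonUtils;
import java.util.concurrent.TimeUnit;

/** Added example (not part of the sample project): resolve firewall ids via the API, then check recent logs. */
public class FirewallIdsAndLogs {

    /** The two ids that FAQ 5.1 and 5.2 tell you to copy from API Explorer. */
    static final class FirewallIds {
        final String fwInstanceId;
        final String internetObjectId;

        FirewallIds(String fwInstanceId, String internetObjectId) {
            this.fwInstanceId = fwInstanceId;
            this.internetObjectId = internetObjectId;
        }
    }

    /**
     * Lists firewall instances and returns the first one that has an internet-border
     * protect object (type 0 per FAQ 5.1). Model class and field names are assumed.
     */
    static FirewallIds resolveIds(CfwClient client) {
        ListFirewallUsingGetRequest req = new ListFirewallUsingGetRequest();
        req.setOffset(0);
        req.setLimit(10);
        req.setServiceType(0); // assumption: service type value 0 for this listing
        ListFirewallUsingGetResponse resp = client.listFirewallUsingGet(req);
        for (GetFirewallInstanceResponseRecord fw : resp.getData().getRecords()) {
            if (fw.getProtectObjects() == null) {
                continue;
            }
            for (ProtectObjectVO obj : fw.getProtectObjects()) {
                // String.valueOf() compares correctly whether the SDK exposes type as an Integer
                // or as an enum whose toString() is its numeric value
                if ("0".equals(String.valueOf(obj.getType()))) {
                    return new FirewallIds(fw.getFwInstanceId(), obj.getObjectId());
                }
            }
        }
        throw new IllegalStateException("no firewall with an internet-border protect object in this region");
    }

    /**
     * Access control logs for dstIp over the last `minutes` minutes. The window is computed from
     * the clock, so the query still covers fresh traffic on a later run, unlike fixed epoch millis.
     */
    static ListAccessControlLogsResponse recentLogs(CfwClient client, String fwInstanceId,
                                                     String dstIp, long minutes) {
        long end = System.currentTimeMillis();
        long start = end - TimeUnit.MINUTES.toMillis(minutes);
        ListAccessControlLogsRequest req = new ListAccessControlLogsRequest();
        req.setFwInstanceId(fwInstanceId);
        req.setDstIp(dstIp);
        req.setStartTime(start);
        req.setEndTime(end);
        req.setLimit(10);
        return client.listAccessControlLogs(req);
    }

    public static void main(String[] args) {
        // usage: java FirewallIdsAndLogs <region-id> <protected-EIP>
        // AK/SK are read from the environment instead of being literals in the source;
        // the variable names are this example's choice.
        BasicCredentials auth = new BasicCredentials()
                .withAk(System.getenv("HUAWEICLOUD_SDK_AK"))
                .withSk(System.getenv("HUAWEICLOUD_SDK_SK"));
        CfwClient client = CfwClient.newBuilder()
                .withCredential(auth)
                .withRegion(CfwRegion.valueOf(args[0]))
                .build();
        try {
            FirewallIds ids = resolveIds(client);
            System.out.println("FirewallInstanceId=" + ids.fwInstanceId + " ObjectId=" + ids.internetObjectId);
            ListAccessControlLogsResponse logs = recentLogs(client, ids.fwInstanceId, args[1], 60);
            System.out.println(JsonUtils.toJSON(logs));
        } catch (ServiceResponseException e) {
            System.out.println(e.getHttpStatusCode() + " " + e.getErrorCode() + " " + e.getErrorMsg());
        }
    }
}
```

Run it after generating traffic from the ECS described in section 2; the returned ObjectId is the value to pass to the setObjectId calls in 4.4.9, and the log query is the check that the block rule from 4.4.2 actually fired.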

## 6. References
For more information see [API Explorer](https://apiexplorer.developer.huaweicloud.com/apiexplorer/doc?product=CFW&api=ListDnsServers).
## 7. Revision history
| Release date | Document version | Description |
| :--------: | :------: | :----------: |
| 2022-12-1 | 1.0 | First release |