FIREWALL-OFFLINE-C(1)         firewall-offline-cmd         FIREWALL-OFFLINE-C(1)

NAME
       firewall-offline-cmd - firewalld offline command line client

SYNOPSIS
       firewall-offline-cmd [OPTIONS...]

DESCRIPTION
       firewall-offline-cmd is an offline command line client of the firewalld
       daemon. It should be used only if the firewalld service is not running,
       for example to migrate from system-config-firewall/lokkit or in the
       install environment to configure firewall settings with kickstart.

       Some lokkit options can not be automatically converted for firewalld;
       they will result in an error or warning message. This tool tries to
       convert as much as possible, but there are limitations, for example
       with custom rules, modules and masquerading.

       Check the firewall configuration after using this tool.

OPTIONS
       If no options are given, the configuration from
       /etc/sysconfig/system-config-firewall will be migrated.

       Sequence options are options that can be specified multiple times.
       Their exit code is 0 if at least one item succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors
       are treated as succeeded. Problems while parsing the items are treated
       as warnings and do not change the result as long as there is a
       succeeded item. Without any succeeded item, the exit code depends on
       the error codes: if there is exactly one error code, it is used; if
       there are more than one, UNKNOWN_ERROR (254) is used.

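The exit-code rule above decides whether an unattended kickstart run notices a partly failed sequence option. The following shell model of that rule is an added example, not code from the firewalld man page or project; it reads "exactly one error code" as one distinct code, and the codes 100 and 101 used in the usage lines are constructed stand-ins, not firewalld error codes taken from the page.

```shell
#!/bin/sh
# Added example (not part of the firewalld man page): a shell model of the
# documented exit-code rule for sequence options, so a kickstart or
# provisioning script can predict what firewall-offline-cmd will return for
# a given set of per-item outcomes.

# The man page lists these codes as "treated as succeeded".
is_success_code() {
    case "$1" in
        0|11|12|16) return 0 ;;   # success, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET
        *) return 1 ;;
    esac
}

# Arguments: the result code of each item of one sequence option.
# Prints the exit code the rule yields: 0 if any item succeeded; otherwise
# the single error code if all failures share one code; otherwise 254.
# "Exactly one error code" is read here as one distinct code (assumption).
sequence_exit_code() {
    distinct=""
    for code in "$@"; do
        if is_success_code "$code"; then
            echo 0
            return 0
        fi
        case " $distinct " in
            *" $code "*) ;;                 # same code seen before
            *) distinct="$distinct $code" ;;
        esac
    done
    set -- $distinct                        # word-split the distinct codes
    if [ "$#" -eq 1 ]; then
        echo "$1"
    else
        echo 254                            # UNKNOWN_ERROR
    fi
}

# Usage with constructed per-item codes (100 and 101 stand in for two
# different firewalld error codes; they are not codes taken from the page):
sequence_exit_code 0 100        # 0: one item succeeded, the other only warned
sequence_exit_code 100 100      # 100: every item failed with the same code
sequence_exit_code 100 101      # 254: failures with different codes
```

The practical consequence is that exit status 0 does not mean every `--service`, `--port` or `--add-rich-rule` item was applied; one success masks the rest. A provisioning script that relies on the exit code alone should also capture the tool's messages and, as the page says, inspect the resulting configuration before the host goes into service.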
       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Prints the version string of firewalld and exits.

       -q, --quiet
           Do not print status messages.

       --default-config
           Path to the firewalld default configuration. This usually defaults
           to /usr/lib/firewalld.

       --system-config
           Path to the firewalld system (user) configuration. This usually
           defaults to /etc/firewalld.

   Status Options
       --enabled
           Enable the firewall. This option is a default option and will
           activate the firewall if not already enabled, as long as the
           option --disabled is not given.

       --disabled
           Disable the firewall by disabling the firewalld service.

       --check-config
           Run checks on the permanent (default and system) configuration.
           This includes XML validity and semantics.

           This may be used with --system-config to check the validity of
           handwritten configuration files before copying them to the
           standard location.

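The staging workflow that --check-config together with --system-config enables looks like this in practice. The script below is an added example, not code from the man page or the firewalld project: it writes a handwritten zone file (in the format described in firewalld.zone(5)) into a scratch copy of the system configuration tree and validates it there, so nothing reaches /etc/firewalld until it passes. The zone name "mgmt" and port 8443 are constructed values.

```shell
#!/bin/sh
# Added example, not from the man page: stage a handwritten zone file in a
# scratch copy of the system configuration tree and validate it with
# --check-config before anything is copied to /etc/firewalld.

# Write a zone file named <zone>.xml into <dir>/zones/, the layout that
# --system-config expects (it mirrors /etc/firewalld/zones/). The zone opens
# only ssh and one tcp port; everything else falls through to the zone target.
stage_zone() {
    dir=$1; zone=$2; port=$3
    mkdir -p "$dir/zones" || return 1
    cat > "$dir/zones/$zone.xml" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>$zone</short>
  <description>Staged zone for $zone hosts (constructed example).</description>
  <service name="ssh"/>
  <port port="$port" protocol="tcp"/>
</zone>
EOF
}

# Count the zone files staged under <dir>/zones, so a script can confirm the
# layout before running the checker.
staged_zone_count() {
    ls "$1"/zones/*.xml 2>/dev/null | wc -l | tr -d ' '
}

# Run the offline checker against the staged tree. Returns the checker's exit
# status, or 3 if firewall-offline-cmd is not installed on this machine.
check_staged() {
    dir=$1
    if ! command -v firewall-offline-cmd >/dev/null 2>&1; then
        echo "firewall-offline-cmd not installed; semantic check skipped" >&2
        return 3
    fi
    firewall-offline-cmd --system-config="$dir" --check-config
}

# Usage: stage, check, and only then suggest the copy into place.
staging=$(mktemp -d)
stage_zone "$staging" mgmt 8443
if check_staged "$staging"; then
    echo "staged config valid: copy $staging/zones/mgmt.xml to /etc/firewalld/zones/"
else
    echo "staged config not validated (status $?); leave /etc/firewalld untouched"
fi
rm -rf "$staging"
```

The default configuration under /usr/lib/firewalld is still read from its usual place, so the check also catches a staged zone that references a service the installed firewalld does not define; only the system layer is redirected to the scratch directory.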
   Lokkit Compatibility Options
       These options are nearly identical to the options of lokkit.

       --migrate-system-config-firewall=file
           Migrate system-config-firewall configuration from the given file.
           No further

       --addmodule=module
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --removemodule
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --remove-service=service
           Remove a service from the default zone. This option can be
           specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -s service, --service=service
           Add a service to the default zone. This option can be specified
           multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -p portid[-portid]:protocol, --port=portid[-portid]:protocol
           Add the port to the default zone. This option can be specified
           multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       -t interface, --trust=interface
           This option will result in a warning message.

           Mark an interface as trusted. This option can be specified
           multiple times. The interface will be bound to the trusted zone.

           If the interface is used in a NetworkManager managed connection or
           if there is an ifcfg file for this interface, the zone will be
           changed to the zone defined in that configuration as soon as it is
           activated. To change the zone of a connection, use
           nm-connection-editor and set the zone to trusted; for an ifcfg
           file, use an editor and add "ZONE=trusted". If the zone is not
           defined in the ifcfg file, the firewalld default zone will be used.

       -m interface, --masq=interface
           This option will result in a warning message.

           Masquerading will be enabled in the default zone. The interface
           argument will be ignored. This is for IPv4 only.

       --custom-rules=[type:][table:]filename
           This option will result in a warning message and will be ignored.

           Custom rule files are not supported by firewalld.

       --forward-port=if=interface:port=port:proto=protocol[:toport=destination port:][:toaddr=destination address]
           This option will result in a warning message.

           Add the IPv4 forward port in the default zone. This option can be
           specified multiple times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is an IP address.

       --block-icmp=icmptype
           This option will result in a warning message.

           Add an ICMP block for icmptype in the default zone. This option
           can be specified multiple times.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types, use firewall-cmd --get-icmptypes.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also before
           the final reject and drop rules in zones for the configured
           link-layer packet type. The possible values are: all, unicast,
           broadcast, multicast and off. The default setting is off, which
           disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Automatic Helpers Options
       --get-automatic-helpers
           Print the automatic helpers setting.

       --set-automatic-helpers=value
           For the secure use of iptables and connection tracking helpers it
           is recommended to turn AutomaticHelpers off. But this might have
           side effects on other services using the netfilter helpers, as
           the sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper
           will be changed. With the system setting, the default value set in
           the kernel or with sysctl will be used. Possible values are: yes,
           no and system. The default value is system.

           This is a runtime and permanent change and will also reload the
           firewall to be able to make the helpers usable.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

       --get-zones
           Print predefined zones as a space separated list.

       --get-services
           Print predefined services as a space separated list.

       --get-icmptypes
           Print predefined icmptypes as a space separated list.

       --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or no zone.

       --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or no zone.

       --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                   forward-port1
                   ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                   rich-rule1
                   ..

       --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                   forward-port1
                   ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                   rich-rule1
                   ..
               ..

       --new-zone=zone
           Add a new permanent zone.

       --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an
           optional name override.

       --path-zone=zone
           Print the path of the zone configuration file.

       --delete-zone=zone
           Delete an existing permanent zone.

       --zone=zone --set-description=description
           Set a new description for zone.

       --zone=zone --get-description
           Print the description for zone.

       --zone=zone --set-short=description
           Set the short description for zone.

       --zone=zone --get-short
           Print the short description for zone.

       --zone=zone --get-target
           Get the target of a permanent zone.

       --zone=zone --set-target=zone
           Set the target of a permanent zone.

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is omitted,
           the default zone will be used.

       [--zone=zone] --list-services
           List services added for zone as a space separated list. If zone is
           omitted, the default zone will be used.

       [--zone=zone] --add-service=service
           Add a service for zone. If zone is omitted, the default zone will
           be used. This option can be specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       [--zone=zone] --remove-service-from-zone=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, the default zone will be used.

       [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --list-ports
           List ports added for zone as a space separated list. A port is of
           the form portid[-portid]/protocol; it can be either a port and
           protocol pair or a port range with a protocol. If zone is omitted,
           the default zone will be used.

       [--zone=zone] --add-port=portid[-portid]/protocol
           Add the port for zone. If zone is omitted, the default zone will
           be used. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times.

       [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --list-protocols
           List protocols added for zone as a space separated list. If zone
           is omitted, the default zone will be used.

       [--zone=zone] --add-protocol=protocol
           Add the protocol for zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

       [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times.

       [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added
           for zone as a space separated list. If zone is omitted, the
           default zone will be used.

       [--zone=zone] --add-icmp-block=icmptype
           Add an ICMP block for icmptype for zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types, use firewall-cmd --get-icmptypes.

       [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           the default zone will be used. This option can be specified
           multiple times.

       [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for zone.
           If zone is omitted, the default zone will be used. Returns 0 if
           true, 1 otherwise.

       [--zone=zone] --list-forward-ports
           List IPv4 forward ports added for zone as a space separated list.
           If zone is omitted, the default zone will be used.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Add the IPv4 forward port for zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

       [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port from zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added for zone. If
           zone is omitted, the default zone will be used. Returns 0 if true,
           1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] --list-source-ports
           List source ports added for zone as a space separated list. A port
           is of the form portid[-portid]/protocol. If zone is omitted, the
           default zone will be used.

       [--zone=zone] --add-source-port=portid[-portid]/protocol
           Add the source port for zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times.

       [--zone=zone] --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --add-masquerade
           Enable IPv4 masquerade for zone. If zone is omitted, the default
           zone will be used. Masquerading is useful if the machine is a
           router and machines connected over an interface in another zone
           should be able to use the first connection.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--zone=zone] --remove-masquerade
           Disable IPv4 masquerade for zone. If zone is omitted, the default
           zone will be used.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] --query-masquerade
           Return whether IPv4 masquerading has been enabled for zone. If
           zone is omitted, the default zone will be used. Returns 0 if true,
           1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] --list-rich-rules
           List rich language rules added for zone as a newline separated
           list. If zone is omitted, the default zone will be used.

       [--zone=zone] --add-rich-rule='rule'
           Add rich language rule 'rule' for zone. This option can be
           specified multiple times. If zone is omitted, the default zone
           will be used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] --remove-rich-rule='rule'
           Remove rich language rule 'rule' from zone. This option can be
           specified multiple times. If zone is omitted, the default zone
           will be used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added for
           zone. If zone is omitted, the default zone will be used. Returns 0
           if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are
       used to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string of up to 16 characters that may not
       contain ' ', '/', '!' or '*'.

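Arguments that violate the formats the page states (the portid[-portid]/protocol form with protocol tcp, udp, sctp or dccp from the zone port options above, and the interface name rule just given) are rejected by the tool one item at a time, where they become warnings a script can easily overlook. The validators below are an added example, not code from the man page or the firewalld project; they check both formats before a spec is handed to --add-port, --add-source-port or --add-interface. The 1..65535 port bound is assumed from TCP/UDP port numbering rather than stated on the page.

```shell
#!/bin/sh
# Added example, not from the man page: validate arguments locally before
# they reach --add-port / --add-source-port (portid[-portid]/protocol) or
# --add-interface (interface name). Both rules come from the page; the
# 1..65535 port bound is an assumption from TCP/UDP port numbering.

# Return 0 for a valid portid[-portid]/protocol spec, 1 otherwise.
valid_port_spec() {
    spec=$1
    case "$spec" in
        */*) ;;
        *) return 1 ;;                     # protocol part is mandatory
    esac
    proto=${spec##*/}
    ports=${spec%/*}
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    case "$ports" in
        *-*) lo=${ports%-*}; hi=${ports#*-} ;;
        *)   lo=$ports;      hi=$ports ;;
    esac
    for p in "$lo" "$hi"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;       # must be a plain decimal number
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]                    # a range must not be inverted
}

# Return 0 if the name is at most 16 characters and contains none of
# ' ', '/', '!' or '*', 1 otherwise.
valid_interface_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 16 ] || return 1
    case "$name" in
        *' '*|*/*|*'!'*|*'*'*) return 1 ;;
    esac
    return 0
}

# Check a whole list of port specs, report every bad one on stderr and
# return 1 if any was rejected, so the caller can stop before invoking the
# tool with a partly invalid sequence option.
check_port_specs() {
    rc=0
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; rc=1; }
    done
    return $rc
}

# Usage with constructed values: only run the tool when every spec is valid.
if check_port_specs 22/tcp 8443/tcp 5000-5100/udp && valid_interface_name eth0; then
    echo "arguments valid: firewall-offline-cmd --zone=public --add-port=8443/tcp ..."
fi
```

Because an inverted range like 5100-5000/udp or an unsupported protocol is caught here rather than in the tool, the failure is a hard stop in the script instead of a warning buried among otherwise successful items.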
       [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone will be used.

       [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, the
           default zone will be used.

       [--zone=zone] --change-interface=interface
           Change the zone the interface interface is bound to to zone zone.
           If zone is omitted, the default zone will be used. If the old and
           new zone are the same, the call will be ignored without an error.
           If the interface has not been bound to a zone before, it will
           behave like --add-interface.

       [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--zone=zone] --remove-interface=interface
           Remove the binding of interface interface from zone zone. If zone
           is omitted, the default zone will be used.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be
       used to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone will be used.

       [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, the default zone
           will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to to zone zone. If zone is
           omitted, the default zone will be used. If the old and new zone
           are the same, the call will be ignored without an error. If the
           source has not been bound to a zone before, it will behave like
           --add-source.

       [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from zone zone. If zone is
           omitted, the default zone will be used.

   IPSet Options
       --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
           Add a new permanent ipset, specifying the type and optional
           options.

       --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --delete-ipset=ipset
           Delete an existing permanent ipset.

       --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       --get-ipsets
           Print predefined ipsets as a space separated list.

       --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

       --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if
           true, 1 otherwise.

       --ipset=ipset --get-entries
           List all entries of the ipset.

       --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but already in the ipset, a warning will
           be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

       --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset from the file. For all
           entries that are listed in the file but not in the ipset, a
           warning will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

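The entries-file format shared by --add-entries-from-file and --remove-entries-from-file is simple enough to pre-check from a script, which lets a provisioning run see in advance which entries will only produce a warning. The helpers below are an added example, not code from the man page or the firewalld project: they apply the documented comment and blank-line rules and compare the file against the ipset's current entries as printed by --get-entries. Trimming surrounding whitespace from each line is an assumption made here for robustness, not a rule the page states; the addresses in the usage are constructed documentation-range values.

```shell
#!/bin/sh
# Added example (not the project's code): prepare and pre-check an entries
# file for --ipset=<ipset> --add-entries-from-file / --remove-entries-from-file.
# The man page says lines starting with '#' or ';' and empty lines are
# ignored; this helper applies the same filter. Trimming surrounding
# whitespace is an assumption made here, not a documented rule.

# Print the effective entries of an entries file, one per line, in file order.
effective_entries() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v -e '^$' -e '^#' -e '^;'
}

# Arguments: entries file, and the ipset's current entries (one per line, as
# --ipset=<ipset> --get-entries prints them). Print the file entries that are
# already present: on add they only produce a warning, on remove they are the
# ones that will actually go away.
present_entries() {
    file=$1; current=$2
    effective_entries "$file" | while IFS= read -r entry; do
        printf '%s\n' "$current" | grep -qxF -- "$entry" && printf '%s\n' "$entry"
    done
}

# Same arguments. Print the file entries that are not in the ipset: on add
# they are the ones that will be created, on remove they only produce a
# warning.
absent_entries() {
    file=$1; current=$2
    effective_entries "$file" | while IFS= read -r entry; do
        printf '%s\n' "$current" | grep -qxF -- "$entry" || printf '%s\n' "$entry"
    done
}

# Usage with a constructed file and a constructed current entry list.
entries=$(mktemp)
printf '%s\n' '# allow-list for the constructed "mgmt" ipset' '' \
    '192.0.2.10' '  192.0.2.11  ' '; retired' '198.51.100.0/24' > "$entries"
current='192.0.2.11
203.0.113.5'
echo "would be added:   $(absent_entries "$entries" "$current" | paste -s -d ' ' -)"
echo "already present:  $(present_entries "$entries" "$current" | paste -s -d ' ' -)"
rm -f "$entries"
```

Running absent_entries before a --remove-entries-from-file call is the useful direction for a defender: an entry that is in the file but not in the ipset usually means the allow-list on disk and the ipset in the configuration have drifted apart, which is worth investigating rather than silently accepting as a warning.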
       --ipset=ipset --set-description=description
           Set a new description for ipset.

       --ipset=ipset --get-description
           Print the description for ipset.

       --ipset=ipset --set-short=description
           Set a new short description for ipset.

       --ipset=ipset --get-short
           Print the short description for ipset.

       --path-ipset=ipset
           Print the path of the ipset configuration file.

   Service Options
       --info-service=service
           Print information about the service service. The output format
           is:

               service
                 ports: port1 ..
                 protocols: protocol1 ..
                 source-ports: source-port1 ..
                 modules: module1 ..
                 destination: ipv1:address1 ..

       --new-service=service
           Add a new permanent service.

       --new-service-from-file=filename [--name=service]
           Add a new permanent service from a prepared service file with an
           optional name override.

       --delete-service=service
           Delete an existing permanent service.

       --path-service=service
           Print the path of the service configuration file.

       --service=service --set-description=description
           Set a new description for service.

       --service=service --get-description
           Print the description for service.

       --service=service --set-short=description
           Set the short description for service.

       --service=service --get-short
           Print the short description for service.

       --service=service --add-port=portid[-portid]/protocol
           Add a new port to the permanent service.

       --service=service --remove-port=portid[-portid]/protocol
           Remove a port from the permanent service.

       --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.

       --service=service --get-ports
           List ports added to the permanent service.

       --service=service --add-protocol=protocol
           Add a new protocol to the permanent service.

       --service=service --remove-protocol=protocol
           Remove a protocol from the permanent service.

       --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent
           service.

       --service=service --get-protocols
           List protocols added to the permanent service.

       --service=service --add-source-port=portid[-portid]/protocol
           Add a new source port to the permanent service.

       --service=service --remove-source-port=portid[-portid]/protocol
           Remove a source port from the permanent service.

       --service=service --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.

       --service=service --get-source-ports
           List source ports added to the permanent service.

       --service=service --add-module=module
           Add a new module to the permanent service.

       --service=service --remove-module=module
           Remove a module from the permanent service.

       --service=service --query-module=module
           Return whether the module has been added to the permanent service.

       --service=service --get-modules
           List modules added to the permanent service.

       --service=service --set-destination=ipv:address[/mask]
           Set the destination for ipv to address[/mask] in the permanent
           service.

       --service=service --remove-destination=ipv
           Remove the destination for ipv from the permanent service.

       --service=service --query-destination=ipv:address[/mask]
           Return whether the destination ipv to address[/mask] has been set
           in the permanent service.

       --service=service --get-destinations
           List destinations added to the permanent service.

       --service=service --add-include=service
           Add a new include to the permanent service.

       --service=service --remove-include=service
           Remove an include from the permanent service.

       --service=service --query-include=service
           Return whether the include has been added to the permanent
           service.

       --service=service --get-includes
           List includes added to the permanent service.

   Helper Options
       Options in this section affect only one particular helper.

       --info-helper=helper
           Print information about the helper helper. The output format is:

               helper
                 family: family
                 module: module
                 ports: port1 ..

       The following options are only usable in the permanent configuration.

       --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
           Add a new permanent helper with the module and optionally the
           family defined.

       --new-helper-from-file=filename [--name=helper]
           Add a new permanent helper from a prepared helper file with an
           optional name override.

       --delete-helper=helper
           Delete an existing permanent helper.

       --load-helper-defaults=helper
           Load the helper default settings or report a NO_DEFAULTS error.

       --path-helper=helper
           Print the path of the helper configuration file.

       --get-helpers
           Print predefined helpers as a space separated list.

       --helper=helper --set-description=description
           Set a new description for helper.

       --helper=helper --get-description
           Print the description for helper.

       --helper=helper --set-short=description
           Set the short description for helper.

       --helper=helper --get-short
           Print the short description for helper.

       --helper=helper --add-port=portid[-portid]/protocol
           Add a new port to the permanent helper.

       --helper=helper --remove-port=portid[-portid]/protocol
           Remove a port from the permanent helper.

       --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.

       --helper=helper --get-ports
           List ports added to the permanent helper.

       --helper=helper --set-module=description
           Set the module description for helper.

       --helper=helper --get-module
           Print the module description for helper.

       --helper=helper --set-family=description
           Set the family description for helper.

       --helper=helper --get-family
           Print the family description of helper.

   Internet Control Message Protocol (ICMP) type Options
       --info-icmptype=icmptype
           Print information about the icmptype icmptype. The output format
           is:

               icmptype
                 destination: ipv1 ..

       --new-icmptype=icmptype
           Add a new permanent icmptype.

       --new-icmptype-from-file=filename [--name=icmptype]
           Add a new permanent icmptype from a prepared icmptype file with an
           optional name override.

       --delete-icmptype=icmptype
           Delete an existing permanent icmptype.

       --icmptype=icmptype --set-description=description
           Set a new description for icmptype.

       --icmptype=icmptype --get-description
           Print the description for icmptype.

       --icmptype=icmptype --set-short=description
           Set the short description for icmptype.

       --icmptype=icmptype --get-short
           Print the short description for icmptype.

       --icmptype=icmptype --add-destination=ipv
           Enable the destination for ipv in the permanent icmptype. ipv is
           one of ipv4 or ipv6.

       --icmptype=icmptype --remove-destination=ipv
           Disable the destination for ipv in the permanent icmptype. ipv is
           one of ipv4 or ipv6.

       --icmptype=icmptype --query-destination=ipv
           Return whether the destination for ipv is enabled in the permanent
           icmptype. ipv is one of ipv4 or ipv6.

       --icmptype=icmptype --get-destinations
           List destinations in the permanent icmptype.

       --path-icmptype=icmptype
           Print the path of the icmptype configuration file.

872 Direct Options
873 The direct options give a more direct access to the firewall. These
874 options require user to know basic iptables concepts, i.e. table
875 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
876 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
877 (ACCEPT/DROP/REJECT/...).
878
879 Direct options should be used only as a last resort when it's not
880 possible to use for example --add-service=service or
881 --add-rich-rule='rule'.
882
883 The first argument of each option has to be ipv4 or ipv6 or eb. With
884 ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
885 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
886
--direct --get-all-chains
    Get all chains added to all tables.

    This option concerns only chains previously added with --direct
    --add-chain.

--direct --get-chains { ipv4 | ipv6 | eb } table
    Get all chains added to table table as a space separated list.

    This option concerns only chains previously added with --direct
    --add-chain.

--direct --add-chain { ipv4 | ipv6 | eb } table chain
    Add a new chain with name chain to table table.

    There already exist basic chains to use with direct options, for
    example the INPUT_direct chain (see iptables-save | grep direct
    output for all of them). These chains are jumped into before the
    chains for zones, i.e. every rule put into INPUT_direct will be
    checked before the rules in zones.

--direct --remove-chain { ipv4 | ipv6 | eb } table chain
    Remove the chain with name chain from table table.

--direct --query-chain { ipv4 | ipv6 | eb } table chain
    Return whether a chain with name chain exists in table table.
    Returns 0 if true, 1 otherwise.

    This option concerns only chains previously added with --direct
    --add-chain.

--direct --get-all-rules
    Get all rules added to all chains in all tables as a newline
    separated list of the priority and arguments.

--direct --get-rules { ipv4 | ipv6 | eb } table chain
    Get all rules added to chain chain in table table as a newline
    separated list of the priority and arguments.

--direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
    Add a rule with the arguments args to chain chain in table table
    with priority priority.

    The priority is used to order rules. Priority 0 means add the rule
    at the top of the chain; with a higher priority the rule will be
    added further down. Rules with the same priority are on the same
    level and the order of these rules is not fixed and may change. If
    you want to make sure that a rule will be added after another one,
    use a lower priority for the first and a higher one for the
    following.

--direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
    Remove a rule with priority priority and the arguments args from
    chain chain in table table.

--direct --remove-rules { ipv4 | ipv6 | eb } table chain
    Remove all rules in the chain with name chain in table table.

    This option concerns only rules previously added with --direct
    --add-rule in this chain.

--direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
    Return whether a rule with priority priority and the arguments args
    exists in chain chain in table table. Returns 0 if true, 1
    otherwise.

--direct --get-all-passthroughs
    Get all permanent passthrough rules as a newline separated list of
    the ipv value and arguments.

--direct --get-passthroughs { ipv4 | ipv6 | eb }
    Get all permanent passthrough rules for the ipv value as a newline
    separated list of the priority and arguments.

--direct --add-passthrough { ipv4 | ipv6 | eb } args
    Add a permanent passthrough rule with the arguments args for the
    ipv value.

--direct --remove-passthrough { ipv4 | ipv6 | eb } args
    Remove a permanent passthrough rule with the arguments args for the
    ipv value.

--direct --query-passthrough { ipv4 | ipv6 | eb } args
    Return whether a permanent passthrough rule with the arguments args
    exists for the ipv value. Returns 0 if true, 1 otherwise.

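The priority semantics above (0 is the top of the chain, a higher number is further down, equal priorities have no fixed relative order) are easy to get wrong when a direct rule set is assembled by hand, for example in a kickstart %post script. The following is an added example, not firewalld's own code or the page's: it models those documented semantics in Python so a rule set can be checked before it is written with firewall-offline-cmd. It parses the "priority args" lines that --direct --get-rules prints, reports which rules have an undefined mutual order, and assigns strictly increasing priorities to a desired sequence, which is the man page's advice applied mechanically. The sample --get-rules output is constructed, and the INPUT_direct chain name is the one the page itself mentions.

```python
"""Added example (not firewalld code): model of --direct rule ordering.

Documented semantics modelled here: priority 0 is the top of the chain,
a higher priority puts the rule further down, and rules that share a
priority have no fixed relative order.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

Rule = Tuple[int, str]  # (priority, iptables-style argument string)

# Constructed sample in the format --direct --get-rules prints
# ("priority args", one rule per line); not captured from a real host.
SAMPLE_GET_RULES = """\
0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
0 -p tcp --dport 22 -j ACCEPT
5 -j DROP
"""


def parse_get_rules_output(text: str) -> List[Rule]:
    """Parse 'priority args' lines into (priority, args) tuples."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        prio, _, args = line.partition(" ")
        rules.append((int(prio), args))
    return rules


def effective_order(rules: List[Rule]) -> List[List[str]]:
    """Group rule arguments by priority, top of the chain first.

    Each inner list holds the rules sharing one priority; firewalld does
    not guarantee their order inside that list.
    """
    groups: Dict[int, List[str]] = defaultdict(list)
    for prio, args in rules:
        groups[prio].append(args)
    return [groups[p] for p in sorted(groups)]


def ambiguous_pairs(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Pairs of rules whose relative evaluation order is undefined."""
    pairs: List[Tuple[str, str]] = []
    for group in effective_order(rules):
        for i, first in enumerate(group):
            for second in group[i + 1:]:
                pairs.append((first, second))
    return pairs


def is_guaranteed_before(rules: List[Rule], first: str, second: str) -> bool:
    """True only when firewalld guarantees `first` is evaluated before `second`."""
    prio = {args: p for p, args in rules}
    return prio[first] < prio[second]


def assign_priorities(ordered_args: List[str], start: int = 0, step: int = 10) -> List[Rule]:
    """Give a desired rule sequence strictly increasing priorities.

    Lower priority for the earlier rule, as the man page advises; the
    step leaves room to insert rules between existing ones later.
    """
    return [(start + i * step, args) for i, args in enumerate(ordered_args)]


def build_commands(ipv: str, table: str, chain: str, rules: List[Rule]) -> List[str]:
    """Render the firewall-offline-cmd invocations that would install the rules."""
    if ipv not in ("ipv4", "ipv6", "eb"):
        raise ValueError("first argument must be ipv4, ipv6 or eb")
    return [
        f"firewall-offline-cmd --direct --add-rule {ipv} {table} {chain} {p} {args}"
        for p, args in rules
    ]


if __name__ == "__main__":
    current = parse_get_rules_output(SAMPLE_GET_RULES)
    for first, second in ambiguous_pairs(current):
        print(f"order not fixed: [{first}] vs [{second}]")
    fixed = assign_priorities([args for _, args in current])
    for cmd in build_commands("ipv4", "filter", "INPUT_direct", fixed):
        print(cmd)
```

In the constructed sample the two priority-0 rules (the conntrack ACCEPT and the port 22 ACCEPT) have no guaranteed order relative to each other, while the priority-5 DROP is guaranteed to come after both; assign_priorities removes the ambiguity by spacing the priorities out.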
Lockdown Options
    Local applications or services are able to change the firewall
    configuration if they are running as root (example: libvirt) or are
    authenticated using PolicyKit. With this feature administrators can
    lock the firewall configuration so that only applications on the
    lockdown whitelist are able to request firewall changes.

    The lockdown access check limits the D-Bus methods that change
    firewall rules. Query, list and get methods are not limited.

    The lockdown feature is a very light version of user and application
    policies for firewalld and is turned off by default.

--lockdown-on
    Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
    whitelist when you enable lockdown, you won't be able to disable it
    again with firewall-cmd; you would need to edit firewalld.conf.

--lockdown-off
    Disable lockdown.

--query-lockdown
    Query whether lockdown is enabled. Returns 0 if lockdown is
    enabled, 1 otherwise.

Lockdown Whitelist Options
    The lockdown whitelist can contain commands, contexts, users and user
    ids.

    If a command entry on the whitelist ends with an asterisk '*', then
    all command lines starting with the command will match. If the '*'
    is not there, the absolute command including its arguments must
    match.

    Commands for user root and other users are not always the same.
    Example: as root /bin/firewall-cmd is used, as a normal user
    /usr/bin/firewall-cmd is used on Fedora.

    The context is the security (SELinux) context of a running
    application or service. To get the context of a running application
    use ps -e --context.

    Warning: If the context is unconfined, then this will open access for
    more than the desired application.

    The lockdown whitelist entries are checked in the following order:
    1. context
    2. uid
    3. user
    4. command

--list-lockdown-whitelist-commands
    List all command lines that are on the whitelist.

--add-lockdown-whitelist-command=command
    Add the command to the whitelist.

--remove-lockdown-whitelist-command=command
    Remove the command from the whitelist.

--query-lockdown-whitelist-command=command
    Query whether the command is on the whitelist. Returns 0 if true, 1
    otherwise.

--list-lockdown-whitelist-contexts
    List all contexts that are on the whitelist.

--add-lockdown-whitelist-context=context
    Add the context context to the whitelist.

--remove-lockdown-whitelist-context=context
    Remove the context from the whitelist.

--query-lockdown-whitelist-context=context
    Query whether the context is on the whitelist. Returns 0 if true, 1
    otherwise.

--list-lockdown-whitelist-uids
    List all user ids that are on the whitelist.

--add-lockdown-whitelist-uid=uid
    Add the user id uid to the whitelist.

--remove-lockdown-whitelist-uid=uid
    Remove the user id uid from the whitelist.

--query-lockdown-whitelist-uid=uid
    Query whether the user id uid is on the whitelist. Returns 0 if
    true, 1 otherwise.

--list-lockdown-whitelist-users
    List all user names that are on the whitelist.

--add-lockdown-whitelist-user=user
    Add the user name user to the whitelist.

--remove-lockdown-whitelist-user=user
    Remove the user name user from the whitelist.

--query-lockdown-whitelist-user=user
    Query whether the user name user is on the whitelist. Returns 0 if
    true, 1 otherwise.

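The whitelist rules above (the trailing '*' prefix match versus an exact match including arguments, the fixed check order context, uid, user, command, and the warning about unconfined contexts) determine which local processes can still request changes once lockdown is on. The following is an added example, not firewalld's own access check or the page's code: a small Python model of those documented rules that an administrator can use to reason about a planned whitelist before enabling lockdown. The whitelist it evaluates is constructed; the two firewall-cmd paths are the Fedora ones the page mentions, while the SELinux context and the user name are illustrative values, not defaults of any system.

```python
"""Added example (not firewalld code): model of lockdown whitelist matching.

Modelled rules from the man page: a command entry ending in '*' matches
every command line that starts with the text before the '*'; any other
entry must equal the absolute command line including its arguments; the
checks are applied in the order context, uid, user, command; and an
unconfined SELinux context admits far more than one application.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class LockdownWhitelist:
    """The four entry kinds the man page lists."""
    commands: List[str] = field(default_factory=list)
    contexts: List[str] = field(default_factory=list)
    uids: List[int] = field(default_factory=list)
    users: List[str] = field(default_factory=list)


@dataclass
class Caller:
    """Attributes of a process requesting a firewall change (constructed)."""
    context: str
    uid: int
    user: str
    command_line: str


def command_matches(entry: str, command_line: str) -> bool:
    """Apply the documented '*' rule to one whitelist command entry."""
    if entry.endswith("*"):
        return command_line.startswith(entry[:-1])
    return command_line == entry


def admitted_by(wl: LockdownWhitelist, caller: Caller) -> Optional[str]:
    """Name the whitelist check that admits the caller, or None if lockdown blocks it.

    Checks run in the documented order: context, uid, user, command.
    """
    if caller.context in wl.contexts:
        return f"context:{caller.context}"
    if caller.uid in wl.uids:
        return f"uid:{caller.uid}"
    if caller.user in wl.users:
        return f"user:{caller.user}"
    for entry in wl.commands:
        if command_matches(entry, caller.command_line):
            return f"command:{entry}"
    return None


def unconfined_contexts(wl: LockdownWhitelist) -> List[str]:
    """Whitelisted contexts whose SELinux type field is unconfined_t.

    The man page warns that such an entry opens access for more than the
    intended application, so these are flagged for review.
    """
    flagged: List[str] = []
    for ctx in wl.contexts:
        fields = ctx.split(":")
        if len(fields) >= 3 and fields[2] == "unconfined_t":
            flagged.append(ctx)
    return flagged


# Constructed whitelist: the Fedora paths come from the man page, the
# context and user name are illustrative values, not real defaults.
SAMPLE_WHITELIST = LockdownWhitelist(
    commands=["/usr/bin/firewall-cmd*", "/bin/firewall-cmd --reload"],
    contexts=["system_u:system_r:NetworkManager_t:s0"],
    users=["fwadmin"],
)


if __name__ == "__main__":
    caller = Caller("unconfined_u:unconfined_r:unconfined_t:s0", 1001, "bob",
                    "/bin/firewall-cmd --add-port=80/tcp")
    print("admitted by:", admitted_by(SAMPLE_WHITELIST, caller))
    print("unconfined contexts:", unconfined_contexts(SAMPLE_WHITELIST))
```

Note how the exact entry "/bin/firewall-cmd --reload" admits only that one command line, while "/usr/bin/firewall-cmd*" admits every firewall-cmd invocation from the non-root path; the model makes the difference visible before the whitelist is written.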
Policy Options
--policy-server
    Change Polkit actions to 'server' (more restricted).

--policy-desktop
    Change Polkit actions to 'desktop' (less restricted).

SEE ALSO
    firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
    firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
    firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
    firewall-offline-cmd(1), firewalld.richlanguage(5),
    firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
    firewalld.ipset(5), firewalld.helper(5)

NOTES
    firewalld home page:
        http://firewalld.org

    More documentation with examples:
        http://fedoraproject.org/wiki/FirewallD

AUTHORS
    Thomas Woerner <twoerner@redhat.com>
        Developer

    Jiri Popelka <jpopelka@redhat.com>
        Developer

firewalld 0.7.2                                         FIREWALL-OFFLINE-C(1)