FIREWALL-OFFLINE-C(1)         firewall-offline-cmd         FIREWALL-OFFLINE-C(1)

NAME
       firewall-offline-cmd - firewalld offline command line client

SYNOPSIS
       firewall-offline-cmd [OPTIONS...]

DESCRIPTION
       firewall-offline-cmd is an offline command line client of the firewalld
       daemon. It should be used only if the firewalld service is not running,
       for example to migrate from system-config-firewall/lokkit or in the
       install environment to configure firewall settings with kickstart.

       Some lokkit options cannot be automatically converted for firewalld;
       they will result in an error or warning message. This tool tries to
       convert as much as possible, but there are limitations, for example
       with custom rules, modules and masquerading.

       Check the firewall configuration after using this tool.

OPTIONS
       If no options are given, the configuration from
       /etc/sysconfig/system-config-firewall will be migrated.

       For sequence options (the options that can be specified multiple
       times), the exit code is 0 if at least one item succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16)
       errors are treated as succeeded. If there are issues while parsing the
       items, these are treated as warnings and do not change the result as
       long as there is one succeeded item. Without any succeeded item, the
       exit code depends on the error codes: if there is exactly one error
       code, that one is used; if there are more than one, UNKNOWN_ERROR
       (254) is used.
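       The following shell functions are an added illustration, not part of
       firewalld or its man page: they model the exit-code rule just described
       for sequence options, so a kickstart or migration script that checks
       firewall-offline-cmd's exit status can be reasoned about and tested
       against the documented semantics. The function names and the
       "one numeric result per item" input are assumptions made for the model.

```shell
#!/bin/sh
# Model of the documented exit-code rule for sequence options.
# Example code added to this page; not part of firewall-offline-cmd itself.
# Assumption: each item's outcome is given as a numeric code, 0 = success;
# the named codes below are the ones the man page lists.

ALREADY_ENABLED=11
NOT_ENABLED=12
ZONE_ALREADY_SET=16
UNKNOWN_ERROR=254

# item_succeeded CODE -> true if CODE counts as success for a sequence item
# (0, or one of the three "already in that state" codes treated as success)
item_succeeded() {
    case "$1" in
        0|"$ALREADY_ENABLED"|"$NOT_ENABLED"|"$ZONE_ALREADY_SET") return 0 ;;
        *) return 1 ;;
    esac
}

# sequence_exit_code CODE... -> prints the overall exit code for the sequence:
#   0 if any item succeeded; otherwise the single distinct error code, or
#   UNKNOWN_ERROR (254) when more than one distinct error code occurred.
sequence_exit_code() {
    distinct=""
    for code in "$@"; do
        if item_succeeded "$code"; then
            echo 0
            return 0
        fi
        # collect each distinct error code once (space-separated list)
        case " $distinct " in
            *" $code "*) ;;
            *) distinct="$distinct $code" ;;
        esac
    done
    set -- $distinct
    if [ "$#" -eq 1 ]; then
        echo "$1"
    else
        echo "$UNKNOWN_ERROR"
    fi
}

# Usage: the first call prints 0 (ZONE_ALREADY_SET counts as success),
# the second prints 254 (two different real errors, none succeeded).
sequence_exit_code 16 13
sequence_exit_code 13 14
```

       The practical consequence for scripts: a zero exit status from a
       sequence option only tells you that at least one item went through,
       so a migration script should still verify the resulting configuration
       rather than treating 0 as "everything applied".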

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Prints the version string of firewalld and exits.

       -q, --quiet
           Do not print status messages.

   Status Options
       --enabled
           Enable the firewall. This option is a default option and will
           activate the firewall if not already enabled, as long as the
           option --disabled is not given.

       --disabled
           Disable the firewall by disabling the firewalld service.

   Lokkit Compatibility Options
       These options are nearly identical to the options of lokkit.

       --migrate-system-config-firewall=file
           Migrate system-config-firewall configuration from the given file.
           No further

       --addmodule=module
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --removemodule
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --remove-service=service
           Remove a service from the default zone. This option can be
           specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -s service, --service=service
           Add a service to the default zone. This option can be specified
           multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -p portid[-portid]:protocol, --port=portid[-portid]:protocol
           Add the port to the default zone. This option can be specified
           multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       -t interface, --trust=interface
           This option will result in a warning message.

           Mark an interface as trusted. This option can be specified
           multiple times. The interface will be bound to the trusted zone.

           If the interface is used in a NetworkManager managed connection or
           if there is an ifcfg file for this interface, the zone will be
           changed to the zone defined in the configuration as soon as it
           gets activated. To change the zone of a connection, use
           nm-connection-editor and set the zone to trusted; for an ifcfg
           file, use an editor and add "ZONE=trusted". If the zone is not
           defined in the ifcfg file, the firewalld default zone will be
           used.

       -m interface, --masq=interface
           This option will result in a warning message.

           Masquerading will be enabled in the default zone. The interface
           argument will be ignored. This is for IPv4 only.

       --custom-rules=[type:][table:]filename
           This option will result in a warning message and will be ignored.

           Custom rule files are not supported by firewalld.

       --forward-port=if=interface:port=port:proto=protocol[:toport=destination port:][:toaddr=destination address]
           This option will result in a warning message.

           Add the IPv4 forward port in the default zone. This option can be
           specified multiple times.

           The port can either be a single port number portid or a port
           range portid-portid. The protocol can either be tcp, udp, sctp or
           dccp. The destination address is an IP address.

       --block-icmp=icmptype
           This option will result in a warning message.

           Add an ICMP block for icmptype in the default zone. This option
           can be specified multiple times.

           The icmptype is one of the ICMP types firewalld supports. To get
           a listing of the supported ICMP types, use firewall-cmd
           --get-icmptypes.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before the reject and drop rules in the
           INPUT, FORWARD and OUTPUT chains for the default rules, and also
           before the final reject and drop rules in zones, for the
           configured link-layer packet type. The possible values are: all,
           unicast, broadcast, multicast and off. The default setting is
           off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Automatic Helpers Options
       --get-automatic-helpers
           Print the automatic helpers setting.

       --set-automatic-helpers=value
           For the secure use of iptables and connection tracking helpers it
           is recommended to turn AutomaticHelpers off. But this might have
           side effects on other services using the netfilter helpers, as
           the sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper
           will be changed. With the system setting, the default value set
           in the kernel or with sysctl will be used. Possible values are:
           yes, no and system. The default value is system.

           This is a runtime and permanent change and will also reload the
           firewall to be able to make the helpers usable.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no
           zone has been selected. Setting the default zone changes the zone
           for the connections or interfaces that are using the default
           zone.

       --get-zones
           Print predefined zones as a space separated list.

       --get-services
           Print predefined services as a space separated list.

       --get-icmptypes
           Print predefined icmptypes as a space separated list.

       --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or no zone.

       --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or no zone.

       --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                         forward-port1
                         ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                         rich-rule1
                         ..

       --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                         forward-port1
                         ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                         rich-rule1
                         ..
               ..

       --new-zone=zone
           Add a new permanent zone.

       --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an
           optional name override.

       --path-zone=zone
           Print the path of the zone configuration file.

       --delete-zone=zone
           Delete an existing permanent zone.

       --zone=zone --set-description=description
           Set a new description for zone.

       --zone=zone --get-description
           Print the description of zone.

       --zone=zone --set-short=description
           Set a new short description for zone.

       --zone=zone --get-short
           Print the short description of zone.

       --zone=zone --get-target
           Get the target of a permanent zone.

       --zone=zone --set-target=zone
           Set the target of a permanent zone.

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used
       with the --zone=zone option, they affect the zone zone. If the
       option is omitted, they affect the default zone (see
       --get-default-zone).

       [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is
           omitted, default zone will be used.

       [--zone=zone] --list-services
           List services added for zone as a space separated list. If zone
           is omitted, default zone will be used.

       [--zone=zone] --add-service=service
           Add a service for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       [--zone=zone] --remove-service-from-zone=service
           Remove a service from zone. This option can be specified
           multiple times. If zone is omitted, default zone will be used.

       [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --list-ports
           List ports added for zone as a space separated list. A port is
           of the form portid[-portid]/protocol; it can be either a port and
           protocol pair or a port range with a protocol. If zone is
           omitted, default zone will be used.

       [--zone=zone] --add-port=portid[-portid]/protocol
           Add the port for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
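           The function below is an added example, not firewalld's own
           argument parser. It validates a port specification before it is
           handed to firewall-offline-cmd, accepting both the lokkit form
           portid[-portid]:protocol used by -p/--port and the zone form
           portid[-portid]/protocol used by --add-port, and prints the zone
           form. The function names, the 1-65535 port bound and the "low end
           of a range must not exceed the high end" rule are assumptions made
           for the example; the protocol list is the one this page gives.

```shell
#!/bin/sh
# Validate and normalise a port specification for firewall-offline-cmd.
# Example code added to this page; not part of firewalld.
# Assumptions: ports are integers 1..65535, a range low-high needs low <= high,
# protocols are exactly tcp, udp, sctp or dccp (as the man page states).

# valid_port N -> true if N is an integer in 1..65535
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# normalise_port_spec SPEC -> prints "portid[-portid]/protocol" on success,
# returns 1 (printing nothing) if SPEC is not a well-formed port specification.
# SPEC may use ':' (lokkit -p form) or '/' (--add-port form) as separator.
normalise_port_spec() {
    spec=$1
    case "$spec" in
        *:*) ports=${spec%%:*}; proto=${spec#*:} ;;
        */*) ports=${spec%%/*}; proto=${spec#*/} ;;
        *)   return 1 ;;
    esac
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    case "$ports" in
        *-*)
            low=${ports%%-*}; high=${ports#*-}
            valid_port "$low" && valid_port "$high" && [ "$low" -le "$high" ] || return 1
            ;;
        *)
            valid_port "$ports" || return 1
            ;;
    esac
    echo "$ports/$proto"
}

# Usage: check a kickstart-supplied value before passing it on; a rejected
# value is reported instead of being silently fed to the migration.
for spec in 80:tcp 6000-6010/udp 80/icmp 90-80/tcp; do
    if out=$(normalise_port_spec "$spec"); then
        echo "ok:      $spec -> $out"
    else
        echo "invalid: $spec"
    fi
done
```

           Rejecting malformed values up front matters in the install
           environment: a sequence option still exits 0 when any one item
           succeeds, so a single bad port among several would otherwise go
           unnoticed.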

       [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, default zone will
           be used. This option can be specified multiple times.

       [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --list-protocols
           List protocols added for zone as a space separated list. If zone
           is omitted, default zone will be used.

       [--zone=zone] --add-protocol=protocol
           Add the protocol for zone. If zone is omitted, default zone will
           be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

       [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, default zone
           will be used. This option can be specified multiple times.

       [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added
           for zone as a space separated list. If zone is omitted, default
           zone will be used.

       [--zone=zone] --add-icmp-block=icmptype
           Add an ICMP block for icmptype for zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times.

           The icmptype is one of the ICMP types firewalld supports. To get
           a listing of the supported ICMP types, use firewall-cmd
           --get-icmptypes.

       [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times.

       [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for
           zone. If zone is omitted, default zone will be used. Returns 0 if
           true, 1 otherwise.

       [--zone=zone] --list-forward-ports
           List IPv4 forward ports added for zone as a space separated list.
           If zone is omitted, default zone will be used.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Add the IPv4 forward port for zone. If zone is omitted, default
           zone will be used. This option can be specified multiple times.

           The port can either be a single port number portid or a port
           range portid-portid. The protocol can either be tcp, udp, sctp or
           dccp. The destination address is a simple IP address.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port from zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added for zone. If
           zone is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] --list-source-ports
           List source ports added for zone as a space separated list. A
           port is of the form portid[-portid]/protocol. If zone is omitted,
           default zone will be used.

       [--zone=zone] --add-source-port=portid[-portid]/protocol
           Add the source port for zone. If zone is omitted, default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, default
           zone will be used. This option can be specified multiple times.

       [--zone=zone] --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone
           is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

       [--zone=zone] --add-masquerade
           Enable IPv4 masquerade for zone. If zone is omitted, default zone
           will be used. Masquerading is useful if the machine is a router
           and machines connected over an interface in another zone should
           be able to use the first connection.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] --remove-masquerade
           Disable IPv4 masquerade for zone. If zone is omitted, default
           zone will be used.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] --query-masquerade
           Return whether IPv4 masquerading has been enabled for zone. If
           zone is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] --list-rich-rules
           List rich language rules added for zone as a newline separated
           list. If zone is omitted, default zone will be used.

       [--zone=zone] --add-rich-rule='rule'
           Add rich language rule 'rule' for zone. This option can be
           specified multiple times. If zone is omitted, default zone will
           be used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] --remove-rich-rule='rule'
           Remove rich language rule 'rule' from zone. This option can be
           specified multiple times. If zone is omitted, default zone will
           be used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added for
           zone. If zone is omitted, default zone will be used. Returns 0 if
           true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are
       used to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used
       with the --zone=zone option, they affect the zone zone. If the
       option is omitted, they affect the default zone (see
       --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, default zone will be used.

       [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted,
           default zone will be used.

       [--zone=zone] --change-interface=interface
           Change the zone the interface interface is bound to, to zone
           zone. If zone is omitted, default zone will be used. If the old
           and new zone are the same, the call will be ignored without an
           error. If the interface has not been bound to a zone before, it
           will behave like --add-interface.

       [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns
           0 if true, 1 otherwise.

       [--zone=zone] --remove-interface=interface
           Remove the binding of interface interface from zone zone. If zone
           is omitted, default zone will be used.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be
       used to restrict traffic from this source.

       A source address or address range is either an IP address or a
       network IP address with a mask for IPv4 or IPv6, or a MAC address, or
       an ipset with the ipset: prefix. For IPv4, the mask can be a network
       mask or a plain number. For IPv6 the mask is a plain number. The use
       of host names is not supported.

       Options in this section affect only one particular zone. If used
       with the --zone=zone option, they affect the zone zone. If the
       option is omitted, they affect the default zone (see
       --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.
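       The function below is an added example, not firewalld's own source
       validator: it classifies a source specification of the form
       source[/mask]|MAC|ipset:ipset into the kinds this section names and
       rejects anything else, including host names, without resolving them.
       The function names are assumptions, as are the concrete bounds used
       (IPv4 plain masks 0-32, IPv6 masks 0-128, a MAC as six colon-separated
       hex octets, and a deliberately loose IPv6 syntax check); the page only
       states which forms exist, not these limits.

```shell
#!/bin/sh
# Classify a firewalld source specification: source[/mask] | MAC | ipset:ipset
# Example code added to this page; not firewalld's own validator.
# Assumptions: IPv4 mask is a dotted network mask or 0..32; IPv6 mask is 0..128;
# a MAC is six colon-separated hex octets; IPv6 syntax is only loosely checked.

# is_ipv4 ADDR -> true for four dotted decimal octets each in 0..255
is_ipv4() {
    case "$1" in
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# is_num_in VALUE MAX -> true if VALUE is a non-negative integer <= MAX
is_num_in() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le "$2" ]
}

# is_mac ADDR -> true for hh:hh:hh:hh:hh:hh (hex digits)
is_mac() {
    h='[0-9a-fA-F][0-9a-fA-F]'
    case "$1" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

# source_kind SPEC -> prints one of: ipv4 ipv6 mac ipset; returns 1 if invalid
# (host names are invalid: the page states they are not supported).
source_kind() {
    spec=$1
    case "$spec" in
        ipset:?*) echo ipset; return 0 ;;
    esac
    if is_mac "$spec"; then echo mac; return 0; fi
    addr=${spec%%/*}
    mask=""
    case "$spec" in */*) mask=${spec#*/} ;; esac
    if is_ipv4 "$addr"; then
        # IPv4: mask may be absent, a dotted network mask, or a plain number
        if [ -z "$mask" ] || is_ipv4 "$mask" || is_num_in "$mask" 32; then
            echo ipv4; return 0
        fi
        return 1
    fi
    case "$addr" in
        *:*:*)
            # IPv6: hex digits and colons only; mask, if any, is a plain number
            case "$addr" in *[!0-9a-fA-F:]*) return 1 ;; esac
            if [ -z "$mask" ] || is_num_in "$mask" 128; then
                echo ipv6; return 0
            fi
            ;;
    esac
    return 1
}

# Usage: the first two print "ipv4" and "ipv6"; the host name is rejected.
source_kind 192.0.2.0/24
source_kind 2001:db8::/32
source_kind example.com || echo "rejected: host names are not supported"
```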

       [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated
           list. If zone is omitted, default zone will be used.

       [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, default zone
           will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to, to zone zone. If zone is
           omitted, default zone will be used. If the old and new zone are
           the same, the call will be ignored without an error. If the
           source has not been bound to a zone before, it will behave like
           --add-source.

       [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from zone zone. If zone is
           omitted, default zone will be used.

   IPSet Options
       --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
           Add a new permanent ipset, specifying the type and optional
           options.

       --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --delete-ipset=ipset
           Delete an existing permanent ipset.

       --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       --get-ipsets
           Print predefined ipsets as a space separated list.

       --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

       --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0
           if true, 1 otherwise.

       --ipset=ipset --get-entries
           List all entries of the ipset.

       --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but already in the ipset, a warning will
           be printed.

           The file should contain one entry per line. Lines starting with
           a hash or semicolon are ignored, as are empty lines.

       --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset from the file. For all
           entries that are listed in the file but not in the ipset, a
           warning will be printed.

           The file should contain one entry per line. Lines starting with
           a hash or semicolon are ignored, as are empty lines.
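           The script below is an added example (not firewalld's own parser)
           that reads an entries file by the rules stated for both
           --add-entries-from-file and --remove-entries-from-file: one entry
           per line, with lines starting with a hash or semicolon and empty
           lines ignored. Listing the effective entries before loading them is
           a cheap way to review an externally supplied block list. The sample
           file is constructed for the demo, and the function names are
           assumptions; so is trimming surrounding whitespace, which the page
           does not specify.

```shell
#!/bin/sh
# List the effective entries of an ipset entries file, following the format
# this man page documents. Example code added to this page; not firewalld's
# own implementation. Assumption: surrounding whitespace on a line is not
# part of the entry (the page does not say how firewalld treats it).

# ipset_entries FILE -> prints the entries that would be applied, one per line
ipset_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        # trim surrounding whitespace (assumption, see above)
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
        case "$line" in
            ''|'#'*|';'*) continue ;;   # comment or empty line: ignored
        esac
        printf '%s\n' "$line"
    done < "$1"
}

# count_entries FILE -> prints the number of effective entries
count_entries() {
    ipset_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample file using RFC 5737 documentation addresses.
demo_file=$(mktemp)
trap 'rm -f "$demo_file"' EXIT
cat > "$demo_file" <<'EOF'
# block list feed (constructed sample, not a real feed)
; a second comment style
192.0.2.10
198.51.100.0/24

203.0.113.7
EOF

# Usage: review what would be loaded, then pass the same file to
#   firewall-offline-cmd --ipset=NAME --add-entries-from-file="$demo_file"
ipset_entries "$demo_file"
echo "entries to apply: $(count_entries "$demo_file")"
```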
602
603 --ipset=ipset --set-description=description
604 Set new description to ipset
605
606 --ipset=ipset --get-description
607 Print description for ipset
608
609 --ipset=ipset --set-short=description
610 Set new short description to ipset
611
612 --ipset=ipset --get-short
613 Print short description for ipset
614
615 --path-ipset=ipset
616 Print path of the ipset configuration file.
617
618 Service Options
619 --info-service=service
620 Print information about the service service. The output format is:
621
622 service
623 ports: port1 ..
624 protocols: protocol1 ..
625 source-ports: source-port1 ..
626 modules: module1 ..
627 destination: ipv1:address1 ..
628
629
630
631 --new-service=service
632 Add a new permanent service.
633
634 --new-service-from-file=filename [--name=service]
635 Add a new permanent service from a prepared service file with an
636 optional name override.
637
638 --delete-service=service
639 Delete an existing permanent service.
640
641 --path-service=service
642 Print path of the service configuration file.
643
644 --service=service --set-description=description
645 Set new description to service
646
647 --service=service --get-description
648 Print description for service
649
650 --service=service --set-short=description
651 Set short description to service
652
653 --service=service --get-short
654 Print short description for service
655
656 --service=service --add-port=portid[-portid]/protocol
657 Add a new port to the permanent service.
658
659 --service=service --remove-port=portid[-portid]/protocol
660 Remove a port from the permanent service.
661
662 --service=service --query-port=portid[-portid]/protocol
663 Return wether the port has been added to the permanent service.
664
665 --service=service --get-ports
666 List ports added to the permanent service.
667
668 --service=service --add-protocol=protocol
669 Add a new protocol to the permanent service.
670
671 --service=service --remove-protocol=protocol
672 Remove a protocol from the permanent service.
673
674 --service=service --query-protocol=protocol
675 Return wether the protocol has been added to the permanent service.
676
677 --service=service --get-protocols
678 List protocols added to the permanent service.
679
680 --service=service --add-source-port=portid[-portid]/protocol
681 Add a new source port to the permanent service.
682
683 --service=service --remove-source-port=portid[-portid]/protocol
684 Remove a source port from the permanent service.
685
686 --service=service --query-source-port=portid[-portid]/protocol
687 Return wether the source port has been added to the permanent
688 service.
689
690 --service=service --get-source-ports
691 List source ports added to the permanent service.
692
693 --service=service --add-module=module
694 Add a new module to the permanent service.
695
696 --service=service --remove-module=module
697 Remove a module from the permanent service.
698
699 --service=service --query-module=module
700 Return wether the module has been added to the permanent service.
701
702 --service=service --get-modules
703 List modules added to the permanent service.
704
705 --service=service --set-destination=ipv:address[/mask]
706 Set destination for ipv to address[/mask] in the permanent service.
707
708 --service=service --remove-destination=ipv
709 Remove the destination for ipv from the permanent service.
710
711 --service=service --query-destination=ipv:address[/mask]
712 Return wether the destination ipv to address[/mask] has been set in
713 the permanent service.
714
715 --service=service --get-destinations
716 List destinations added to the permanent service.
717
718 Helper Options
719 Options in this section affect only one particular helper.
720
721 --info-helper=helper
722 Print information about the helper helper. The output format is:
723
724 helper
725 family: family
726 module: module
727 ports: port1 ..
728
729
730
731 The following options are only usable in the permanent configuration.
732
733 --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
734 Add a new permanent helper with module and optionally family
735 defined.
736
737 --new-helper-from-file=filename [--name=helper]
738 Add a new permanent helper from a prepared helper file with an
739 optional name override.
740
741 --delete-helper=helper
742 Delete an existing permanent helper.
743
744 --load-helper-defaults=helper
745 Load helper default settings or report NO_DEFAULTS error.
746
747 --path-helper=helper
748 Print path of the helper configuration file.
749
750 --get-helpers
751 Print predefined helpers as a space separated list.
752
753 --helper=helper --set-description=description
754 Set new description to helper
755
756 --helper=helper --get-description
757 Print description for helper
758
759 --helper=helper --set-short=description
760 Set short description to helper
761
762 --helper=helper --get-short
763 Print short description for helper
764
765 --helper=helper --add-port=portid[-portid]/protocol
766 Add a new port to the permanent helper.
767
768 --helper=helper --remove-port=portid[-portid]/protocol
769 Remove a port from the permanent helper.
770
771 --helper=helper --query-port=portid[-portid]/protocol
772 Return wether the port has been added to the permanent helper.
773
774 --helper=helper --get-ports
775 List ports added to the permanent helper.
776
777 --helper=helper --set-module=description
778 Set module description for helper
779
780 --helper=helper --get-module
781 Print module description for helper
782
783 --helper=helper --set-family=description
784 Set family description for helper
785
786 --helper=helper --get-family
787 Print family description of helper
788
789 Internet Control Message Protocol (ICMP) type Options
790 --info-icmptype=icmptype
791 Print information about the icmptype icmptype. The output format
792 is:
793
794 icmptype
795 destination: ipv1 ..
796
797
798
799 --new-icmptype=icmptype
800 Add a new permanent icmptype.
801
802 --new-icmptype-from-file=filename [--name=icmptype]
803 Add a new permanent icmptype from a prepared icmptype file with an
804 optional name override.
805
806 --delete-icmptype=icmptype
807 Delete an existing permanent icmptype.
808
809 --icmptype=icmptype --set-description=description
810 Set new description to icmptype
811
812 --icmptype=icmptype --get-description
813 Print description for icmptype
814
815 --icmptype=icmptype --set-short=description
816 Set short description to icmptype
817
818 --icmptype=icmptype --get-short
819 Print short description for icmptype
820
821 --icmptype=icmptype --add-destination=ipv
822 Enable destination for ipv in permanent icmptype. ipv is one of
823 ipv4 or ipv6.
824
825 --icmptype=icmptype --remove-destination=ipv
826 Disable destination for ipv in permanent icmptype. ipv is one of
827 ipv4 or ipv6.
828
829 --icmptype=icmptype --query-destination=ipv
830 Return whether destination for ipv is enabled in permanent
831 icmptype. ipv is one of ipv4 or ipv6.
832
833 --icmptype=icmptype --get-destinations
834 List destinations in permanent icmptype.
835
836 --path-icmptype=icmptype
837 Print path of the icmptype configuration file.
838
839 Direct Options
840 The direct options give a more direct access to the firewall. These
841 options require user to know basic iptables concepts, i.e. table
842 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
843 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
844 (ACCEPT/DROP/REJECT/...).
845
846 Direct options should be used only as a last resort when it's not
847 possible to use for example --add-service=service or
848 --add-rich-rule='rule'.
849
850 The first argument of each option has to be ipv4 or ipv6 or eb. With
851 ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
852 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

--direct --get-all-chains
Get all chains added to all tables.

This option concerns only chains previously added with --direct
--add-chain.

--direct --get-chains { ipv4 | ipv6 | eb } table
Get all chains added to table table as a space separated list.

This option concerns only chains previously added with --direct
--add-chain.

--direct --add-chain { ipv4 | ipv6 | eb } table chain
Add a new chain with name chain to table table.

There already exist basic chains to use with direct options, for
example the INPUT_direct chain (see iptables-save | grep direct output
for all of them). These chains are jumped into before the chains for
zones, i.e. every rule put into INPUT_direct will be checked before
the rules in zones.

--direct --remove-chain { ipv4 | ipv6 | eb } table chain
Remove the chain with name chain from table table.

--direct --query-chain { ipv4 | ipv6 | eb } table chain
Return whether a chain with name chain exists in table table.
Returns 0 if true, 1 otherwise.

This option concerns only chains previously added with --direct
--add-chain.

--direct --get-all-rules
Get all rules added to all chains in all tables as a newline
separated list of the priority and arguments.

--direct --get-rules { ipv4 | ipv6 | eb } table chain
Get all rules added to chain chain in table table as a newline
separated list of the priority and arguments.

--direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
Add a rule with the arguments args to chain chain in table table
with priority priority.

The priority is used to order rules. Priority 0 means the rule is
added at the top of the chain; with a higher priority the rule will be
added further down. Rules with the same priority are on the same level
and the order of these rules is not fixed and may change. If you
want to make sure that a rule will be added after another one, use
a low priority for the first and a higher one for the following.

--direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
Remove a rule with priority priority and the arguments args from chain
chain in table table.

--direct --remove-rules { ipv4 | ipv6 | eb } table chain
Remove all rules in the chain with name chain in table table.

This option concerns only rules previously added with --direct
--add-rule in this chain.

--direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
Return whether a rule with priority priority and the arguments args
exists in chain chain in table table. Returns 0 if true, 1 otherwise.

--direct --get-all-passthroughs
Get all permanent passthrough rules as a newline separated list of
the ipv value and arguments.

--direct --get-passthroughs { ipv4 | ipv6 | eb }
Get all permanent passthrough rules for the ipv value as a newline
separated list of the priority and arguments.

--direct --add-passthrough { ipv4 | ipv6 | eb } args
Add a permanent passthrough rule with the arguments args for the
ipv value.

--direct --remove-passthrough { ipv4 | ipv6 | eb } args
Remove a permanent passthrough rule with the arguments args for the
ipv value.

--direct --query-passthrough { ipv4 | ipv6 | eb } args
Return whether a permanent passthrough rule with the arguments args
exists for the ipv value. Returns 0 if true, 1 otherwise.

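The priority semantics of --direct --add-rule above leave the relative order of same-priority rules undefined. The following added example (not firewalld code) parses rule lines and flags chains where rules at one priority do not all share a target, which is where that undefined order becomes a security problem; the sample lines are constructed and their layout (ipv table chain priority args) is an assumption about the --get-all-rules output.

```python
"""Check --direct rules for orderings the priority rules leave undefined.
Added example, not firewalld code.  SAMPLE is constructed and its line
layout (ipv table chain priority args) is an assumption."""
import shlex
from collections import defaultdict

def parse_direct_rules(text):
    """One rule per line -> (ipv, table, chain, priority, args)."""
    rules = []
    for line in text.splitlines():
        if line.strip():
            ipv, table, chain, prio, args = line.split(None, 4)
            rules.append((ipv, table, chain, int(prio), args))
    return rules

def target_of(args):
    """Return the -j/--jump target of an iptables argument string."""
    toks = shlex.split(args)
    for i, tok in enumerate(toks[:-1]):
        if tok in ("-j", "--jump"):
            return toks[i + 1]
    return None

def effective_order(rules, ipv, table, chain):
    """Args in chain order: priority 0 on top, higher numbers further down.
    Equal priorities keep input order here only because sorted() is stable;
    firewalld makes no such promise."""
    chosen = [r for r in rules if r[:3] == (ipv, table, chain)]
    return [r[4] for r in sorted(chosen, key=lambda r: r[3])]

def ambiguous_priorities(rules):
    """(ipv, table, chain, priority) groups whose rules have different
    targets: an overlapping packet may hit either rule first after a
    reload.  Fix by giving the rules distinct priorities."""
    targets = defaultdict(set)
    for ipv, table, chain, prio, args in rules:
        targets[(ipv, table, chain, prio)].add(target_of(args))
    return sorted(k for k, v in targets.items() if len(v) > 1)

# Constructed rule listing: the two priority-1 rules both match traffic
# from 10.0.0.5 to port 22 but have different targets, so whether that
# host is accepted or dropped is not deterministic.
SAMPLE = """\
ipv4 filter INPUT_direct 0 -s 192.168.1.0/24 -p tcp --dport 22 -j ACCEPT
ipv4 filter INPUT_direct 1 -s 10.0.0.0/8 -j DROP
ipv4 filter INPUT_direct 1 -s 10.0.0.5 -p tcp --dport 22 -j ACCEPT
ipv6 filter INPUT_direct 0 -p tcp --dport 22 -j ACCEPT
"""
```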
Lockdown Options
Local applications or services are able to change the firewall
configuration if they are running as root (example: libvirt) or are
authenticated using PolicyKit. With this feature administrators can
lock the firewall configuration so that only applications on the
lockdown whitelist are able to request firewall changes.

The lockdown access check limits D-Bus methods that change firewall
rules. Query, list and get methods are not limited.

The lockdown feature is a very light version of user and application
policies for firewalld and is turned off by default.

--lockdown-on
Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
whitelist when you enable lockdown, you won't be able to disable it
again with firewall-cmd; you would need to edit firewalld.conf.

--lockdown-off
Disable lockdown.

--query-lockdown
Query whether lockdown is enabled. Returns 0 if lockdown is
enabled, 1 otherwise.

Lockdown Whitelist Options
The lockdown whitelist can contain commands, contexts, users and user
ids.

If a command entry on the whitelist ends with an asterisk '*', then all
command lines starting with the command will match. If there is no
'*', the absolute command including its arguments must match exactly.

The command path for user root and for other users is not always the
same. Example: as root, /bin/firewall-cmd is used; as a normal user,
/usr/bin/firewall-cmd is used on Fedora.

The context is the security (SELinux) context of a running application
or service. To get the context of a running application use ps -e
--context.

Warning: If the context is unconfined, then this will open access for
more than the desired application.

The lockdown whitelist entries are checked in the following order:
1. context
2. uid
3. user
4. command

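To make the matching rules above concrete, here is an added model of the whitelist check (illustration only, not firewalld's own code): entries are tried in the documented order, a trailing '*' turns a command entry into a prefix match, and unconfined contexts are flagged as the warning above recommends. The sample entries are constructed; the libvirt SELinux context used for them is an assumption.

```python
"""Model of the lockdown whitelist check described in this man page.
Added example for illustration; not firewalld's own code."""
from dataclasses import dataclass, field

@dataclass
class LockdownWhitelist:
    contexts: set = field(default_factory=set)
    uids: set = field(default_factory=set)
    users: set = field(default_factory=set)
    commands: list = field(default_factory=list)

    @staticmethod
    def command_matches(entry, cmdline):
        # Entry ending in '*': any command line starting with the part
        # before the '*' matches.  Otherwise the absolute command including
        # all arguments must match exactly.
        if entry.endswith("*"):
            return cmdline.startswith(entry[:-1])
        return cmdline == entry

    def allows(self, context, uid, user, cmdline):
        """Return the kind of entry that granted access, or None.
        Checked in the documented order: context, uid, user, command."""
        if context in self.contexts:
            return "context"
        if uid in self.uids:
            return "uid"
        if user in self.users:
            return "user"
        if any(self.command_matches(e, cmdline) for e in self.commands):
            return "command"
        return None

    def unconfined_contexts(self):
        # An unconfined context opens access to far more than the intended
        # application, so report such entries for review.
        return sorted(c for c in self.contexts if "unconfined" in c)

def sample_whitelist():
    """Constructed whitelist, equivalent to adding (libvirt context assumed):
    --add-lockdown-whitelist-context=system_u:system_r:virtd_t:s0-s0:c0.c1023
    --add-lockdown-whitelist-uid=1000  --add-lockdown-whitelist-user=fwadmin
    --add-lockdown-whitelist-command='/usr/bin/firewall-cmd*'
    --add-lockdown-whitelist-command='/bin/firewall-cmd --reload'"""
    return LockdownWhitelist(
        contexts={"system_u:system_r:virtd_t:s0-s0:c0.c1023"},
        uids={1000},
        users={"fwadmin"},
        commands=["/usr/bin/firewall-cmd*", "/bin/firewall-cmd --reload"])
```

Note that the exact entry for root's /bin/firewall-cmd only covers --reload, while the '*' entry covers every invocation of the /usr/bin path, including any other binary whose path begins with that prefix.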
--list-lockdown-whitelist-commands
List all command lines that are on the whitelist.

--add-lockdown-whitelist-command=command
Add the command to the whitelist.

--remove-lockdown-whitelist-command=command
Remove the command from the whitelist.

--query-lockdown-whitelist-command=command
Query whether the command is on the whitelist. Returns 0 if true, 1
otherwise.

--list-lockdown-whitelist-contexts
List all contexts that are on the whitelist.

--add-lockdown-whitelist-context=context
Add the context context to the whitelist.

--remove-lockdown-whitelist-context=context
Remove the context from the whitelist.

--query-lockdown-whitelist-context=context
Query whether the context is on the whitelist. Returns 0 if true, 1
otherwise.

--list-lockdown-whitelist-uids
List all user ids that are on the whitelist.

--add-lockdown-whitelist-uid=uid
Add the user id uid to the whitelist.

--remove-lockdown-whitelist-uid=uid
Remove the user id uid from the whitelist.

--query-lockdown-whitelist-uid=uid
Query whether the user id uid is on the whitelist. Returns 0 if
true, 1 otherwise.

--list-lockdown-whitelist-users
List all user names that are on the whitelist.

--add-lockdown-whitelist-user=user
Add the user name user to the whitelist.

--remove-lockdown-whitelist-user=user
Remove the user name user from the whitelist.

--query-lockdown-whitelist-user=user
Query whether the user name user is on the whitelist. Returns 0 if
true, 1 otherwise.

Policy Options
--policy-server
Change Polkit actions to 'server' (more restricted).

--policy-desktop
Change Polkit actions to 'desktop' (less restricted).

SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
firewalld.helper(5)

NOTES
firewalld home page:
http://www.firewalld.org

More documentation with examples:
http://fedoraproject.org/wiki/FirewallD

AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer

Jiri Popelka <jpopelka@redhat.com>
Developer

firewalld 0.5.3 FIREWALL-OFFLINE-C(1)