1FIREWALL-OFFLINE-C(1) firewall-offline-cmd FIREWALL-OFFLINE-C(1)
2
6 firewall-offline-cmd - firewalld offline command line client
7
9 firewall-offline-cmd [OPTIONS...]
10
12 firewall-offline-cmd is an offline command line client of the firewalld
13 daemon. It should be used only if the firewalld service is not running.
14 For example to migrate from system-config-firewall/lokkit or in the
15 install environment to configure firewall settings with kickstart.
16 Some lokkit options can not be automatically converted for firewalld,
18 they will result in an error or warning message. This tool tries to
19 convert as much as possible, but there are limitations for example with
20 custom rules, modules and masquerading.
21 Check the firewall configuration after using this tool.
23
25 If no options are given, configuration from
26 /etc/sysconfig/system-config-firewall will be migrated.
27 For sequence options, this are the options that can be specified
29 multiple times, the exit code is 0 if there is at least one item that
30 succeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also
31 ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are
32 issues while parsing the items, then these are treated as warnings and
33 will not change the result as long as there is a succeeded one. Without
34 any succeeded item, the exit code will depend on the error codes. If
35 there is exactly one error code, then this is used. If there are more
36 than one then UNKNOWN_ERROR (254) will be used.
37 The following options are supported:
39 General Options
41 -h, --help
42 Prints a short help text and exists.
43 -V, --version
45 Prints the version string of firewalld and exits.
46 -q, --quiet
48 Do not print status messages.
49 Status Options
51 --enabled
52 Enable the firewall. This option is a default option and will
53 activate the firewall if not already enabled as long as the option
54 --disabled is not given.
55 --disabled
57 Disable the firewall by disabling the firewalld service.
58 Lokkit Compatibility Options
60 These options are nearly identical to the options of lokkit.
61 --migrate-system-config-firewall=file
63 Migrate system-config-firewall configuration from the given file.
64 No further
65 --addmodule=module
67 This option will result in a warning message and will be ignored.
68 Handling of netfilter helpers has been merged into services
70 completely. Adding or removing netfilter helpers outside of
71 services is therefore not needed anymore. For more information on
72 handling netfilter helpers in services, please have a look at
73 firewalld.zone(5).
74 --removemodule
76 This option will result in a warning message and will be ignored.
77 Handling of netfilter helpers has been merged into services
79 completely. Adding or removing netfilter helpers outside of
80 services is therefore not needed anymore. For more information on
81 handling netfilter helpers in services, please have a look at
82 firewalld.zone(5).
83 --remove-service=service
85 Remove a service from the default zone. This option can be
86 specified multiple times.
87 The service is one of the firewalld provided services. To get a
89 list of the supported services, use firewall-cmd --get-services.
90 -s service, --service=service
92 Add a service to the default zone. This option can be specified
93 multiple times.
94 The service is one of the firewalld provided services. To get a
96 list of the supported services, use firewall-cmd --get-services.
97 -p portid[-portid]:protocol, --port=portid[-portid]:protocol
99 Add the port to the default zone. This option can be specified
100 multiple times.
101 The port can either be a single port number or a port range
103 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
104 -t interface, --trust=interface
106 This option will result in a warning message.
107 Mark an interface as trusted. This option can be specified multiple
109 times. The interface will be bound to the trusted zone.
110 If the interface is used in a NetworkManager managed connection or
112 if there is an ifcfg file for this interface, the zone will be
113 changed to the zone defined in the configuration as soon as it gets
114 activated. To change the zone of a connection use
115 nm-connection-editor and set the zone to trusted, for an ifcfg
116 file, use an editor and add "ZONE=trusted". If the zone is not
117 defined in the ifcfg file, the firewalld default zone will be used.
118 -m interface, --masq=interface
120 This option will result in a warning message.
121 Masquerading will be enabled in the default zone. The interface
123 argument will be ignored. This is for IPv4 only.
124 --custom-rules=[type:][table:]filename
126 This option will result in a warning message and will be ignored.
127 Custom rule files are not supported by firewalld.
129 --forward-port=if=interface:port=port:proto=protocol[:toport=destination
131 port:][:toaddr=destination address]
132 This option will result in a warning message.
133 Add the IPv4 forward port in the default zone. This option can be
135 specified multiple times.
136 The port can either be a single port number portid or a port range
138 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
139 The destination address is an IP address.
140 --block-icmp=icmptype
142 This option will result in a warning message.
143 Add an ICMP block for icmptype in the default zone. This option can
145 be specified multiple times.
146 The icmptype is the one of the icmp types firewalld supports. To
148 get a listing of supported icmp types: firewall-cmd --get-icmptypes
149 Log Denied Options
151 --get-log-denied
152 Print the log denied setting.
153 --set-log-denied=value
155 Add logging rules right before reject and drop rules in the INPUT,
156 FORWARD and OUTPUT chains for the default rules and also final
157 reject and drop rules in zones for the configured link-layer packet
158 type. The possible values are: all, unicast, broadcast, multicast
159 and off. The default setting is off, which disables the logging.
160 This is a runtime and permanent change and will also reload the
162 firewall to be able to add the logging rules.
163 Automatic Helpers Options
165 --get-automatic-helpers
166 Print the automatic helpers setting.
167 --set-automatic-helpers=value
169 For the secure use of iptables and connection tracking helpers it
170 is recommended to turn AutomaticHelpers off. But this might have
171 side effects on other services using the netfilter helpers as the
172 sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
173 be changed. With the system setting, the default value set in the
174 kernel or with sysctl will be used. Possible values are: yes, no
175 and system. The default value is system.
176 This is a runtime and permanent change and will also reload the
178 firewall to be able to make the helpers usable.
179 Zone Options
181 --get-default-zone
182 Print default zone for connections and interfaces.
183 --set-default-zone=zone
185 Set default zone for connections and interfaces where no zone has
186 been selected. Setting the default zone changes the zone for the
187 connections or interfaces, that are using the default zone.
188 --get-zones
190 Print predefined zones as a space separated list.
191 --get-services
193 Print predefined services as a space separated list.
194 --get-icmptypes
196 Print predefined icmptypes as a space separated list.
197 --get-zone-of-interface=interface
199 Print the name of the zone the interface is bound to or no zone.
200 --get-zone-of-source=source[/mask]|MAC|ipset:ipset
202 Print the name of the zone the source is bound to or no zone.
203 --info-zone=zone
205 Print information about the zone zone. The output format is:
206 zone
208 interfaces: interface1 ..
209 sources: source1 ..
210 services: service1 ..
211 ports: port1 ..
212 protocols: protocol1 ..
213 forward-ports:
214 forward-port1
215 ..
216 source-ports: source-port1 ..
217 icmp-blocks: icmp-type1 ..
218 rich rules:
219 rich-rule1
220 ..
221 --list-all-zones
225 List everything added for or enabled in all zones. The output
226 format is:
227 zone1
229 interfaces: interface1 ..
230 sources: source1 ..
231 services: service1 ..
232 ports: port1 ..
233 protocols: protocol1 ..
234 forward-ports:
235 forward-port1
236 ..
237 source-ports: source-port1 ..
238 icmp-blocks: icmp-type1 ..
239 rich rules:
240 rich-rule1
241 ..
242 ..
243 --new-zone=zone
247 Add a new permanent zone.
248 --new-zone-from-file=filename [--name=zone]
250 Add a new permanent zone from a prepared zone file with an optional
251 name override.
252 --path-zone=zone
254 Print path of the zone configuration file.
255 --delete-zone=zone
257 Delete an existing permanent zone.
258 --zone=zone --set-description=description
260 Set new description to zone
261 --zone=zone --get-description
263 Print description for zone
264 --zone=zone --set-short=description
266 Set short description to zone
267 --zone=zone --get-short
269 Print short description for zone
270 --zone=zone --get-target
272 Get the target of a permanent zone.
273 --zone=zone --set-target=zone
275 Set the target of a permanent zone.
276 Options to Adapt and Query Zones
278 Options in this section affect only one particular zone. If used with
279 --zone=zone option, they affect the zone zone. If the option is
280 omitted, they affect default zone (see --get-default-zone).
281 [--zone=zone] --list-all
283 List everything added for or enabled in zone. If zone is omitted,
284 default zone will be used.
285 [--zone=zone] --list-services
287 List services added for zone as a space separated list. If zone is
288 omitted, default zone will be used.
289 [--zone=zone] --add-service=service
291 Add a service for zone. If zone is omitted, default zone will be
292 used. This option can be specified multiple times.
293 The service is one of the firewalld provided services. To get a
295 list of the supported services, use firewall-cmd --get-services.
296 [--zone=zone] --remove-service-from-zone=service
298 Remove a service from zone. This option can be specified multiple
299 times. If zone is omitted, default zone will be used.
300 [--zone=zone] --query-service=service
302 Return whether service has been added for zone. If zone is omitted,
303 default zone will be used. Returns 0 if true, 1 otherwise.
304 [--zone=zone] --list-ports
306 List ports added for zone as a space separated list. A port is of
307 the form portid[-portid]/protocol, it can be either a port and
308 protocol pair or a port range with a protocol. If zone is omitted,
309 default zone will be used.
310 [--zone=zone] --add-port=portid[-portid]/protocol
312 Add the port for zone. If zone is omitted, default zone will be
313 used. This option can be specified multiple times.
314 The port can either be a single port number or a port range
316 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
317 [--zone=zone] --remove-port=portid[-portid]/protocol
319 Remove the port from zone. If zone is omitted, default zone will be
320 used. This option can be specified multiple times.
321 [--zone=zone] --query-port=portid[-portid]/protocol
323 Return whether the port has been added for zone. If zone is
324 omitted, default zone will be used. Returns 0 if true, 1 otherwise.
325 [--zone=zone] --list-protocols
327 List protocols added for zone as a space separated list. If zone is
328 omitted, default zone will be used.
329 [--zone=zone] --add-protocol=protocol
331 Add the protocol for zone. If zone is omitted, default zone will be
332 used. This option can be specified multiple times. If a timeout is
333 supplied, the rule will be active for the specified amount of time
334 and will be removed automatically afterwards. timeval is either a
335 number (of seconds) or number followed by one of characters s
336 (seconds), m (minutes), h (hours), for example 20m or 1h.
337 The protocol can be any protocol supported by the system. Please
339 have a look at /etc/protocols for supported protocols.
340 [--zone=zone] --remove-protocol=protocol
342 Remove the protocol from zone. If zone is omitted, default zone
343 will be used. This option can be specified multiple times.
344 [--zone=zone] --query-protocol=protocol
346 Return whether the protocol has been added for zone. If zone is
347 omitted, default zone will be used. Returns 0 if true, 1 otherwise.
348 [--zone=zone] --list-icmp-blocks
350 List Internet Control Message Protocol (ICMP) type blocks added for
351 zone as a space separated list. If zone is omitted, default zone
352 will be used.
353 [--zone=zone] --add-icmp-block=icmptype
355 Add an ICMP block for icmptype for zone. If zone is omitted,
356 default zone will be used. This option can be specified multiple
357 times.
358 The icmptype is the one of the icmp types firewalld supports. To
360 get a listing of supported icmp types: firewall-cmd --get-icmptypes
361 [--zone=zone] --remove-icmp-block=icmptype
363 Remove the ICMP block for icmptype from zone. If zone is omitted,
364 default zone will be used. This option can be specified multiple
365 times.
366 [--zone=zone] --query-icmp-block=icmptype
368 Return whether an ICMP block for icmptype has been added for zone.
369 If zone is omitted, default zone will be used. Returns 0 if true, 1
370 otherwise.
371 [--zone=zone] --list-forward-ports
373 List IPv4 forward ports added for zone as a space separated list.
374 If zone is omitted, default zone will be used.
375 For IPv6 forward ports, please use the rich language.
377 [--zone=zone]
379 --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
380 Add the IPv4 forward port for zone. If zone is omitted, default
381 zone will be used. This option can be specified multiple times.
382 The port can either be a single port number portid or a port range
384 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
385 The destination address is a simple IP address.
386 For IPv6 forward ports, please use the rich language.
388 [--zone=zone]
390 --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
391 Remove the IPv4 forward port from zone. If zone is omitted, default
392 zone will be used. This option can be specified multiple times.
393 For IPv6 forward ports, please use the rich language.
395 [--zone=zone]
397 --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
398 Return whether the IPv4 forward port has been added for zone. If
399 zone is omitted, default zone will be used. Returns 0 if true, 1
400 otherwise.
401 For IPv6 forward ports, please use the rich language.
403 [--zone=zone] --list-source-ports
405 List source ports added for zone as a space separated list. A port
406 is of the form portid[-portid]/protocol. If zone is omitted,
407 default zone will be used.
408 [--zone=zone] --add-source-port=portid[-portid]/protocol
410 Add the source port for zone. If zone is omitted, default zone will
411 be used. This option can be specified multiple times. If a timeout
412 is supplied, the rule will be active for the specified amount of
413 time and will be removed automatically afterwards.
414 The port can either be a single port number or a port range
416 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
417 [--zone=zone] --remove-source-port=portid[-portid]/protocol
419 Remove the source port from zone. If zone is omitted, default zone
420 will be used. This option can be specified multiple times.
421 [--zone=zone] --query-source-port=portid[-portid]/protocol
423 Return whether the source port has been added for zone. If zone is
424 omitted, default zone will be used. Returns 0 if true, 1 otherwise.
425 [--zone=zone] --add-masquerade
427 Enable IPv4 masquerade for zone. If zone is omitted, default zone
428 will be used. Masquerading is useful if the machine is a router and
429 machines connected over an interface in another zone should be able
430 to use the first connection.
431 For IPv6 masquerading, please use the rich language.
433 [--zone=zone] --remove-masquerade
435 Disable IPv4 masquerade for zone. If zone is omitted, default zone
436 will be used.
437 For IPv6 masquerading, please use the rich language.
439 [--zone=zone] --query-masquerade
441 Return whether IPv4 masquerading has been enabled for zone. If zone
442 is omitted, default zone will be used. Returns 0 if true, 1
443 otherwise.
444 For IPv6 masquerading, please use the rich language.
446 [--zone=zone] --list-rich-rules
448 List rich language rules added for zone as a newline separated
449 list. If zone is omitted, default zone will be used.
450 [--zone=zone] --add-rich-rule='rule'
452 Add rich language rule 'rule' for zone. This option can be
453 specified multiple times. If zone is omitted, default zone will be
454 used.
455 For the rich language rule syntax, please have a look at
457 firewalld.richlanguage(5).
458 [--zone=zone] --remove-rich-rule='rule'
460 Remove rich language rule 'rule' from zone. This option can be
461 specified multiple times. If zone is omitted, default zone will be
462 used.
463 For the rich language rule syntax, please have a look at
465 firewalld.richlanguage(5).
466 [--zone=zone] --query-rich-rule='rule'
468 Return whether a rich language rule 'rule' has been added for zone.
469 If zone is omitted, default zone will be used. Returns 0 if true, 1
470 otherwise.
471 For the rich language rule syntax, please have a look at
473 firewalld.richlanguage(5).
474 Options to Handle Bindings of Interfaces
476 Binding an interface to a zone means that this zone settings are used
477 to restrict traffic via the interface.
478 Options in this section affect only one particular zone. If used with
480 --zone=zone option, they affect the zone zone. If the option is
481 omitted, they affect default zone (see --get-default-zone).
482 For a list of predefined zones use firewall-cmd --get-zones.
484 An interface name is a string up to 16 characters long, that may not
486 contain ' ', '/', '!' and '*'.
487 [--zone=zone] --list-interfaces
489 List interfaces that are bound to zone zone as a space separated
490 list. If zone is omitted, default zone will be used.
491 [--zone=zone] --add-interface=interface
493 Bind interface interface to zone zone. If zone is omitted, default
494 zone will be used.
495 [--zone=zone] --change-interface=interface
497 Change zone the interface interface is bound to to zone zone. If
498 zone is omitted, default zone will be used. If old and new zone are
499 the same, the call will be ignored without an error. If the
500 interface has not been bound to a zone before, it will behave like
501 --add-interface.
502 [--zone=zone] --query-interface=interface
504 Query whether interface interface is bound to zone zone. Returns 0
505 if true, 1 otherwise.
506 [--zone=zone] --remove-interface=interface
508 Remove binding of interface interface from zone zone. If zone is
509 omitted, default zone will be used.
510 Options to Handle Bindings of Sources
512 Binding a source to a zone means that this zone settings will be used
513 to restrict traffic from this source.
514 A source address or address range is either an IP address or a network
516 IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
517 with the ipset: prefix. For IPv4, the mask can be a network mask or a
518 plain number. For IPv6 the mask is a plain number. The use of host
519 names is not supported.
520 Options in this section affect only one particular zone. If used with
522 --zone=zone option, they affect the zone zone. If the option is
523 omitted, they affect default zone (see --get-default-zone).
524 For a list of predefined zones use firewall-cmd --get-zones.
526 [--zone=zone] --list-sources
528 List sources that are bound to zone zone as a space separated list.
529 If zone is omitted, default zone will be used.
530 [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
532 Bind the source to zone zone. If zone is omitted, default zone will
533 be used.
534 [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
536 Change zone the source is bound to to zone zone. If zone is
537 omitted, default zone will be used. If old and new zone are the
538 same, the call will be ignored without an error. If the source has
539 not been bound to a zone before, it will behave like --add-source.
540 [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
542 Query whether the source is bound to the zone zone. Returns 0 if
543 true, 1 otherwise.
544 [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
546 Remove binding of the source from zone zone. If zone is omitted,
547 default zone will be used.
548 IPSet Options
550 --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
551 Add a new permanent ipset with specifying the type and optional
552 options.
553 --new-ipset-from-file=filename [--name=ipset]
555 Add a new permanent ipset from a prepared ipset file with an
556 optional name override.
557 --delete-ipset=ipset
559 Delete an existing permanent ipset.
560 --info-ipset=ipset
562 Print information about the ipset ipset. The output format is:
563 ipset
565 type: type
566 options: option1[=value1] ..
567 entries: entry1 ..
568 --get-ipsets
572 Print predefined ipsets as a space separated list.
573 --ipset=ipset --add-entry=entry
575 Add a new entry to the ipset.
576 --ipset=ipset --remove-entry=entry
578 Remove an entry from the ipset.
579 --ipset=ipset --query-entry=entry
581 Return whether the entry has been added to an ipset. Returns 0 if
582 true, 1 otherwise.
583 --ipset=ipset --get-entries
585 List all entries of the ipset.
586 --ipset=ipset --add-entries-from-file=filename
588 Add a new entries to the ipset from the file. For all entries that
589 are listed in the file but already in the ipset, a warning will be
590 printed.
591 The file should contain an entry per line. Lines starting with an
593 hash or semicolon are ignored. Also empty lines.
594 --ipset=ipset --remove-entries-from-file=filename
596 Remove existing entries from the ipset from the file. For all
597 entries that are listed in the file but not in the ipset, a warning
598 will be printed.
599 The file should contain an entry per line. Lines starting with an
601 hash or semicolon are ignored. Also empty lines.
602 --ipset=ipset --set-description=description
604 Set new description to ipset
605 --ipset=ipset --get-description
607 Print description for ipset
608 --ipset=ipset --set-short=description
610 Set new short description to ipset
611 --ipset=ipset --get-short
613 Print short description for ipset
614 --path-ipset=ipset
616 Print path of the ipset configuration file.
617 Service Options
619 --info-service=service
620 Print information about the service service. The output format is:
621 service
623 ports: port1 ..
624 protocols: protocol1 ..
625 source-ports: source-port1 ..
626 modules: module1 ..
627 destination: ipv1:address1 ..
628 --new-service=service
632 Add a new permanent service.
633 --new-service-from-file=filename [--name=service]
635 Add a new permanent service from a prepared service file with an
636 optional name override.
637 --delete-service=service
639 Delete an existing permanent service.
640 --path-service=service
642 Print path of the service configuration file.
643 --service=service --set-description=description
645 Set new description to service
646 --service=service --get-description
648 Print description for service
649 --service=service --set-short=description
651 Set short description to service
652 --service=service --get-short
654 Print short description for service
655 --service=service --add-port=portid[-portid]/protocol
657 Add a new port to the permanent service.
658 --service=service --remove-port=portid[-portid]/protocol
660 Remove a port from the permanent service.
661 --service=service --query-port=portid[-portid]/protocol
663 Return wether the port has been added to the permanent service.
664 --service=service --get-ports
666 List ports added to the permanent service.
667 --service=service --add-protocol=protocol
669 Add a new protocol to the permanent service.
670 --service=service --remove-protocol=protocol
672 Remove a protocol from the permanent service.
673 --service=service --query-protocol=protocol
675 Return wether the protocol has been added to the permanent service.
676 --service=service --get-protocols
678 List protocols added to the permanent service.
679 --service=service --add-source-port=portid[-portid]/protocol
681 Add a new source port to the permanent service.
682 --service=service --remove-source-port=portid[-portid]/protocol
684 Remove a source port from the permanent service.
685 --service=service --query-source-port=portid[-portid]/protocol
687 Return wether the source port has been added to the permanent
688 service.
689 --service=service --get-source-ports
691 List source ports added to the permanent service.
692 --service=service --add-module=module
694 Add a new module to the permanent service.
695 --service=service --remove-module=module
697 Remove a module from the permanent service.
698 --service=service --query-module=module
700 Return wether the module has been added to the permanent service.
701 --service=service --get-modules
703 List modules added to the permanent service.
704 --service=service --set-destination=ipv:address[/mask]
706 Set destination for ipv to address[/mask] in the permanent service.
707 --service=service --remove-destination=ipv
709 Remove the destination for ipv from the permanent service.
710 --service=service --query-destination=ipv:address[/mask]
712 Return wether the destination ipv to address[/mask] has been set in
713 the permanent service.
714 --service=service --get-destinations
716 List destinations added to the permanent service.
717 Helper Options
719 Options in this section affect only one particular helper.
720 --info-helper=helper
722 Print information about the helper helper. The output format is:
723 helper
725 family: family
726 module: module
727 ports: port1 ..
728 The following options are only usable in the permanent configuration.
732 --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
734 Add a new permanent helper with module and optionally family
735 defined.
736 --new-helper-from-file=filename [--name=helper]
738 Add a new permanent helper from a prepared helper file with an
739 optional name override.
740 --delete-helper=helper
742 Delete an existing permanent helper.
743 --load-helper-defaults=helper
745 Load helper default settings or report NO_DEFAULTS error.
746 --path-helper=helper
748 Print path of the helper configuration file.
749 --get-helpers
751 Print predefined helpers as a space separated list.
752 --helper=helper --set-description=description
754 Set new description to helper
755 --helper=helper --get-description
757 Print description for helper
758 --helper=helper --set-short=description
760 Set short description to helper
761 --helper=helper --get-short
763 Print short description for helper
764 --helper=helper --add-port=portid[-portid]/protocol
766 Add a new port to the permanent helper.
767 --helper=helper --remove-port=portid[-portid]/protocol
769 Remove a port from the permanent helper.
770 --helper=helper --query-port=portid[-portid]/protocol
772 Return wether the port has been added to the permanent helper.
773 --helper=helper --get-ports
775 List ports added to the permanent helper.
776 --helper=helper --set-module=description
778 Set module description for helper
779 --helper=helper --get-module
781 Print module description for helper
782 --helper=helper --set-family=description
784 Set family description for helper
785 --helper=helper --get-family
787 Print family description of helper
788 Internet Control Message Protocol (ICMP) type Options
790 --info-icmptype=icmptype
791 Print information about the icmptype icmptype. The output format
792 is:
793 icmptype
795 destination: ipv1 ..
796 --new-icmptype=icmptype
800 Add a new permanent icmptype.
801 --new-icmptype-from-file=filename [--name=icmptype]
803 Add a new permanent icmptype from a prepared icmptype file with an
804 optional name override.
805 --delete-icmptype=icmptype
807 Delete an existing permanent icmptype.
808 --icmptype=icmptype --set-description=description
810 Set new description to icmptype
811 --icmptype=icmptype --get-description
813 Print description for icmptype
814 --icmptype=icmptype --set-short=description
816 Set short description to icmptype
817 --icmptype=icmptype --get-short
819 Print short description for icmptype
820 --icmptype=icmptype --add-destination=ipv
822 Enable destination for ipv in permanent icmptype. ipv is one of
823 ipv4 or ipv6.
824 --icmptype=icmptype --remove-destination=ipv
826 Disable destination for ipv in permanent icmptype. ipv is one of
827 ipv4 or ipv6.
828 --icmptype=icmptype --query-destination=ipv
830 Return whether destination for ipv is enabled in permanent
831 icmptype. ipv is one of ipv4 or ipv6.
832 --icmptype=icmptype --get-destinations
834 List destinations in permanent icmptype.
835 --path-icmptype=icmptype
837 Print path of the icmptype configuration file.
838 Direct Options
840 The direct options give a more direct access to the firewall. These
841 options require user to know basic iptables concepts, i.e. table
842 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
843 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
844 (ACCEPT/DROP/REJECT/...).
845 Direct options should be used only as a last resort when it's not
847 possible to use for example --add-service=service or
848 --add-rich-rule='rule'.
849 The first argument of each option has to be ipv4 or ipv6 or eb. With
851 ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
852 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
853 --direct --get-all-chains
855 Get all chains added to all tables.
856 This option concerns only chains previously added with --direct
858 --add-chain.
859 --direct --get-chains { ipv4 | ipv6 | eb } table
861 Get all chains added to table table as a space separated list.
862 This option concerns only chains previously added with --direct
864 --add-chain.
865 --direct --add-chain { ipv4 | ipv6 | eb } table chain
867 Add a new chain with name chain to table table.
868 There already exist basic chains to use with direct options, for
870 example INPUT_direct chain (see iptables-save | grep direct output
871 for all of them). These chains are jumped into before chains for
872 zones, i.e. every rule put into INPUT_direct will be checked before
873 rules in zones.
874 --direct --remove-chain { ipv4 | ipv6 | eb } table chain
876 Remove the chain with name chain from table table.
877 --direct --query-chain { ipv4 | ipv6 | eb } table chain
879 Return whether a chain with name chain exists in table table.
880 Returns 0 if true, 1 otherwise.
881 This option concerns only chains previously added with --direct
883 --add-chain.
884 --direct --get-all-rules
886 Get all rules added to all chains in all tables as a newline
887 separated list of the priority and arguments.
888 --direct --get-rules { ipv4 | ipv6 | eb } table chain
890 Get all rules added to chain chain in table table as a newline
891 separated list of the priority and arguments.
892 --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
894 Add a rule with the arguments args to chain chain in table table
895 with priority priority.
896 The priority is used to order rules. Priority 0 means add rule on
898 top of the chain, with a higher priority the rule will be added
899 further down. Rules with the same priority are on the same level
900 and the order of these rules is not fixed and may change. If you
901 want to make sure that a rule will be added after another one, use
902 a low priority for the first and a higher for the following.
903 --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
905 Remove a rule with priority and the arguments args from chain chain
906 in table table.
907 --direct --remove-rules { ipv4 | ipv6 | eb } table chain
909 Remove all rules in the chain with name chain exists in table
910 table.
911 This option concerns only rules previously added with --direct
913 --add-rule in this chain.
914 --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
916 Return whether a rule with priority and the arguments args exists
917 in chain chain in table table. Returns 0 if true, 1 otherwise.
918 --direct --get-all-passthroughs
920 Get all permanent passthrough as a newline separated list of the
921 ipv value and arguments.
922 --direct --get-passthroughs { ipv4 | ipv6 | eb }
924 Get all permanent passthrough rules for the ipv value as a newline
925 separated list of the priority and arguments.
926 --direct --add-passthrough { ipv4 | ipv6 | eb } args
928 Add a permanent passthrough rule with the arguments args for the
929 ipv value.
930 --direct --remove-passthrough { ipv4 | ipv6 | eb } args
932 Remove a permanent passthrough rule with the arguments args for the
933 ipv value.
934 --direct --query-passthrough { ipv4 | ipv6 | eb } args
936 Return whether a permanent passthrough rule with the arguments args
937 exists for the ipv value. Returns 0 if true, 1 otherwise.
938 Lockdown Options
940 Local applications or services are able to change the firewall
941 configuration if they are running as root (example: libvirt) or are
942 authenticated using PolicyKit. With this feature administrators can
943 lock the firewall configuration so that only applications on lockdown
944 whitelist are able to request firewall changes.
945 The lockdown access check limits D-Bus methods that are changing
947 firewall rules. Query, list and get methods are not limited.
948 The lockdown feature is a very light version of user and application
950 policies for firewalld and is turned off by default.
951 --lockdown-on
953 Enable lockdown. Be careful - if firewall-cmd is not on lockdown
954 whitelist when you enable lockdown you won't be able to disable it
955 again with firewall-cmd, you would need to edit firewalld.conf.
956 --lockdown-off
958 Disable lockdown.
959 --query-lockdown
961 Query whether lockdown is enabled. Returns 0 if lockdown is
962 enabled, 1 otherwise.
963 Lockdown Whitelist Options
965 The lockdown whitelist can contain commands, contexts, users and user
966 ids.
967 If a command entry on the whitelist ends with an asterisk '*', then all
969 command lines starting with the command will match. If the '*' is not
970 there the absolute command inclusive arguments must match.
971 Commands for user root and others is not always the same. Example: As
973 root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd
974 is be used on Fedora.
975 The context is the security (SELinux) context of a running application
977 or service. To get the context of a running application use ps -e
978 --context.
979 Warning: If the context is unconfined, then this will open access for
981 more than the desired application.
982 The lockdown whitelist entries are checked in the following order:
984 1. context
985 2. uid
986 3. user
987 4. command
988 --list-lockdown-whitelist-commands
990 List all command lines that are on the whitelist.
991 --add-lockdown-whitelist-command=command
993 Add the command to the whitelist.
994 --remove-lockdown-whitelist-command=command
996 Remove the command from the whitelist.
997 --query-lockdown-whitelist-command=command
999 Query whether the command is on the whitelist. Returns 0 if true, 1
1000 otherwise.
1001 --list-lockdown-whitelist-contexts
1003 List all contexts that are on the whitelist.
1004 --add-lockdown-whitelist-context=context
1006 Add the context context to the whitelist.
1007 --remove-lockdown-whitelist-context=context
1009 Remove the context from the whitelist.
1010 --query-lockdown-whitelist-context=context
1012 Query whether the context is on the whitelist. Returns 0 if true, 1
1013 otherwise.
1014 --list-lockdown-whitelist-uids
1016 List all user ids that are on the whitelist.
1017 --add-lockdown-whitelist-uid=uid
1019 Add the user id uid to the whitelist.
1020 --remove-lockdown-whitelist-uid=uid
1022 Remove the user id uid from the whitelist.
1023 --query-lockdown-whitelist-uid=uid
1025 Query whether the user id uid is on the whitelist. Returns 0 if
1026 true, 1 otherwise.
1027 --list-lockdown-whitelist-users
1029 List all user names that are on the whitelist.
1030 --add-lockdown-whitelist-user=user
1032 Add the user name user to the whitelist.
1033 --remove-lockdown-whitelist-user=user
1035 Remove the user name user from the whitelist.
1036 --query-lockdown-whitelist-user=user
1038 Query whether the user name user is on the whitelist. Returns 0 if
1039 true, 1 otherwise.
1040 Policy Options
1042 --policy-server
1043 Change Polkit actions to 'server' (more restricted)
1044 --policy-desktop
1046 Change Polkit actions to 'desktop' (less restricted)
1047
1049 firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1050 firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1051 firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1052 offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1053 firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1054 firewalld.helper(5)
1055
1057 firewalld home page:
1058 http://firewalld.org
1059 More documentation with examples:
1061 http://fedoraproject.org/wiki/FirewallD
1062
1064 Thomas Woerner <twoerner@redhat.com>
1065 Developer
1066 Jiri Popelka <jpopelka@redhat.com>
1068 Developer
1069firewalld 0.6.3 FIREWALL-OFFLINE-C(1)