FIREWALLD.CONF(5)               firewalld.conf               FIREWALLD.CONF(5)

NAME

       firewalld.conf - firewalld configuration file

SYNOPSIS

       /etc/firewalld/firewalld.conf

DESCRIPTION

       firewalld.conf is loaded by firewalld during the initialization
       process. The file contains the basic configuration options for
       firewalld.

OPTIONS

       These are the options that can be set in the config file:

       DefaultZone
           This sets the default zone for connections or interfaces if the
           zone is not selected or specified by NetworkManager, initscripts or
           the command line tool. The default zone is public.

       MinimalMark
           For some firewall settings several rules are needed in different
           tables to be able to handle packets in the correct way. To achieve
           that, these packets are marked using the MARK target of iptables(8)
           and ip6tables(8). With the MinimalMark option a block of marks can
           be reserved for private use; only marks above this value are used.
           The default MinimalMark value is 100.

       CleanupOnExit
           If firewalld stops, it cleans up all firewall rules. Setting this
           option to no or false leaves the current firewall rules untouched.
           The default value is yes or true.

       Lockdown
           If this option is enabled, firewall changes via the D-Bus
           interface will be limited to applications that are listed in the
           lockdown whitelist (see firewalld.lockdown-whitelist(5)). The
           default value is no or false.

       IPv6_rpfilter
           If this option is enabled (it is by default), a reverse path filter
           test is performed on IPv6 packets. If a reply to the packet would
           be sent via the same interface that the packet arrived on, the
           packet matches and is accepted; otherwise it is dropped. For IPv4
           the rp_filter is controlled using sysctl.

       IndividualCalls
           If this option is disabled (it is by default), combined -restore
           calls are used rather than individual calls to apply changes to the
           firewall. The use of individual calls increases the time that is
           needed to apply changes and to start the daemon, but is good for
           debugging as error messages are more specific.

       LogDenied
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also before the
           final reject and drop rules in zones for the configured link-layer
           packet type. The possible values are: all, unicast, broadcast,
           multicast and off. The default setting is off, which disables the
           logging.

       AutomaticHelpers
           For the secure use of iptables and connection tracking helpers it
           is recommended to turn AutomaticHelpers off. This might, however,
           have side effects on other services using the netfilter helpers, as
           the sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper
           will be changed. With the system setting, the default value set in
           the kernel or with sysctl will be used. Possible values are: yes,
           no and system. The default setting is system.

       FirewallBackend
           Selects the firewall backend implementation. Possible values are:
           nftables (default) or iptables. This applies to all firewalld
           primitives. The only exceptions are direct and passthrough rules,
           which always use the traditional iptables, ip6tables and ebtables
           backends.

       FlushAllOnReload
           Flush all runtime rules on a reload. In previous releases some
           runtime configuration was retained during a reload, namely:
           interface to zone assignment, and direct rules. This was confusing
           to users. To get the old behavior set this to "no". Defaults to
           "yes".

       RFC3964_IPv4
           As per RFC 3964, filter IPv6 traffic with 6to4 destination
           addresses that correspond to IPv4 addresses that should not be
           routed over the public internet. Defaults to "yes".
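
       The following is an added example, not code from firewalld or this
       manual: a small Python audit that parses a firewalld.conf, fills in the
       defaults documented above for any absent option, and reports the
       settings this page marks as security-relevant (Lockdown, LogDenied,
       AutomaticHelpers, IPv6_rpfilter and RFC3964_IPv4). It assumes the file
       uses KEY=value lines with '#' comments, as /etc/firewalld/firewalld.conf
       does; the sample configuration below is constructed.

```python
# Added example, not firewalld's own code: parse a firewalld.conf and report
# options whose effective value weakens protections described on this page.
# Assumes KEY=value lines with '#' comments (the format of
# /etc/firewalld/firewalld.conf); option names and defaults are from the page.

# Documented defaults, applied when a key is absent from the file.
DEFAULTS = {
    "DefaultZone": "public", "MinimalMark": "100", "CleanupOnExit": "yes",
    "Lockdown": "no", "IPv6_rpfilter": "yes", "IndividualCalls": "no",
    "LogDenied": "off", "AutomaticHelpers": "system", "FirewallBackend": "nftables",
    "FlushAllOnReload": "yes", "RFC3964_IPv4": "yes",
}

# Constructed sample configuration, not taken from any real host.
SAMPLE_CONF = """\
# firewalld config file
Lockdown=no
LogDenied=off
AutomaticHelpers=yes
"""

def parse_conf(text):
    """Return the effective settings: documented defaults overlaid by the file."""
    conf = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # skip blanks, comments and malformed lines
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip().strip('"')
    return conf

def is_on(value):
    """firewalld accepts yes/true and no/false for boolean options."""
    return value.lower() in ("yes", "true")

def audit(conf):
    """Return (option, effective value, why it matters) for each weak setting."""
    checks = [  # (option, predicate that is true when the value is weak, consequence)
        ("Lockdown", lambda v: not is_on(v), "any D-Bus client may change rules"),
        ("LogDenied", lambda v: v.lower() == "off", "denied packets are not logged"),
        ("AutomaticHelpers", lambda v: v.lower() != "no", "page recommends no"),
        ("IPv6_rpfilter", lambda v: not is_on(v), "IPv6 reverse path filter off"),
        ("RFC3964_IPv4", lambda v: not is_on(v), "6to4 private-address filter off"),
    ]
    return [(opt, conf[opt], why) for opt, weak, why in checks if weak(conf[opt])]
```

       Run against a real file with audit(parse_conf(open(path).read()));
       an empty list means every checked option is at its hardened value.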

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.ipset(5), firewalld.helper(5)

NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

firewalld 0.6.3                                              FIREWALLD.CONF(5)