FIREWALLD.DIRECT(5)            firewalld.direct            FIREWALLD.DIRECT(5)

NAME

       firewalld.direct - firewalld direct configuration file

SYNOPSIS

       /etc/firewalld/direct.xml

DESCRIPTION

       Direct configuration gives more direct access to the firewall. It
       requires the user to know basic ip(6)tables/ebtables concepts, i.e. table
       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...). Direct configuration should be used only as a
       last resort when it is not possible to use firewalld.zone(5). See also
       Direct Options in firewall-cmd(1).

       A firewalld direct configuration file contains information about
       permanent direct chains, rules and passthrough ...

       This is the structure of a direct configuration file:

           <?xml version="1.0" encoding="utf-8"?>
           <direct>
             [ <chain ipv="ipv4|ipv6|eb" table="table" chain="chain"/> ]
             [ <rule ipv="ipv4|ipv6|eb" table="table" chain="chain" priority="priority"> args </rule> ]
             [ <passthrough ipv="ipv4|ipv6|eb"> args </passthrough> ]
           </direct>

34
35
   direct
       The mandatory direct start and end tag defines the direct configuration.
       This tag can only be used once in a direct configuration file. There are
       no attributes for direct.
40
   chain
       This is an optional empty-element tag and can be used several times. It
       can be used to define names for additional chains. A chain entry has
       exactly three attributes:

       ipv="ipv4|ipv6|eb"
           The IP family where the chain will be created. This can be either
           ipv4, ipv6 or eb.

       table="table"
           The table name where the chain will be created. This can be one of
           the tables that can be used for iptables, ip6tables or ebtables.
           For the possible values, see the TABLES section in the iptables,
           ip6tables or ebtables man pages.

       chain="chain"
           The name of the chain that will be created. Please make sure that
           there is no other chain with this name already.

       Please remember to add a rule or passthrough rule with a --jump or
       --goto option to connect the chain to another one; otherwise no packet
       will ever reach it.
62
   rule
       This is an optional element tag and can be used several times. It can be
       used to add rules to a built-in or added chain. A rule entry has
       exactly four attributes:

       ipv="ipv4|ipv6|eb"
           The IP family where the rule will be added. This can be either
           ipv4, ipv6 or eb.

       table="table"
           The table name where the rule will be added. This can be one of the
           tables that can be used for iptables, ip6tables or ebtables. For
           the possible values, see the TABLES section in the iptables,
           ip6tables or ebtables man pages.

       chain="chain"
           The name of the chain where the rule will be added. This can be
           either a built-in chain or a chain that has been created with the
           chain tag. If the chain name is a built-in chain, then the rule
           will be added to chain_direct, else the supplied chain name is
           used. chain_direct is created internally for all built-in chains
           to make sure that the added rules do not conflict with the rules
           created by firewalld.

       priority="priority"
           The priority is used to order rules. Priority 0 means the rule is
           added at the top of the chain; with a higher priority the rule is
           added further down. Rules with the same priority are on the same
           level and the order of these rules is not fixed and may change. If
           you want to make sure that a rule will be added after another one,
           use a low priority for the first and a higher one for the
           following.

       The args can be any arguments of iptables or ip6tables that do not
       conflict with the table or chain attributes.
97
   passthrough
       This is an optional element tag and can be used several times. It can be
       used to add rules to a built-in or added chain. A passthrough entry has
       exactly one attribute:

       ipv="ipv4|ipv6|eb"
           The IP family where the passthrough rule will be added. This can be
           either ipv4, ipv6 or eb.

       The args can be any arguments of iptables or ip6tables.

       The passthrough rule will be added to the chain directly. There is no
       chain_direct mechanism like for the direct rule above. The user of the
       passthrough rule has to make sure that there will be no conflict with
       the rules created by firewalld.
113

EXAMPLE

       Blacklisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with
       logging and dropping early in the raw table:

           <?xml version="1.0" encoding="utf-8"?>
           <direct>
             <chain ipv="ipv4" table="raw" chain="blacklist"/>
             <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule>
             <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j blacklist</rule>
             <rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule>
             <rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule>
           </direct>

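       The following Python script is an added example and is not part of
       firewalld or of this man page. It parses a direct.xml (the EXAMPLE above,
       embedded inline), flags the mistakes the DESCRIPTION warns about (a rule
       that names a chain that is neither built-in nor declared with a chain
       tag, a declared chain that no rule jumps to, a non-integer priority) and
       prints the equivalent firewall-cmd --permanent --direct invocations with
       rules ordered by priority. The BUILTIN table is an assumption covering
       only the ip(6)tables tables; ebtables tables are not modelled.

```python
import xml.etree.ElementTree as ET

# Sample direct.xml, constructed inline from the EXAMPLE section of this man page.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="raw" chain="blacklist"/>
  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule>
  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j blacklist</rule>
  <rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule>
  <rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule>
</direct>
"""

IPV = {"ipv4", "ipv6", "eb"}
# Built-in chains per ip(6)tables table (assumption: ebtables tables are not modelled here).
BUILTIN = {"filter": {"INPUT", "FORWARD", "OUTPUT"}, "raw": {"PREROUTING", "OUTPUT"},
           "nat": {"PREROUTING", "INPUT", "OUTPUT", "POSTROUTING"},
           "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}}


def lint_direct(xml_text):
    """Return (problems, commands): lint findings plus equivalent firewall-cmd --direct calls."""
    root = ET.fromstring(xml_text)
    if root.tag != "direct":
        return ["root element must be <direct>"], []
    problems, rules, targets = [], [], set()
    chains = {(c.get("ipv"), c.get("table"), c.get("chain")) for c in root.findall("chain")}
    commands = ["firewall-cmd --permanent --direct --add-chain %s %s %s" % c for c in sorted(chains)]
    for r in root.findall("rule"):
        ipv, table, chain, args = r.get("ipv"), r.get("table"), r.get("chain"), (r.text or "").strip()
        if ipv not in IPV:
            problems.append("rule: unknown ipv %r" % ipv)
        if chain not in BUILTIN.get(table, set()) and (ipv, table, chain) not in chains:
            problems.append("rule in table %r uses chain %r that is neither built-in nor declared" % (table, chain))
        try:
            prio = int(r.get("priority", ""))
        except ValueError:
            problems.append("rule %r: priority must be an integer" % args)
            prio = 0
        toks = args.split()  # crude tokenising, enough to find the -j/-g target of each rule
        for i, tok in enumerate(toks[:-1]):
            if tok in ("-j", "--jump", "-g", "--goto"):
                targets.add((ipv, table, toks[i + 1]))
        rules.append((ipv, table, chain, prio, args))
    for ipv, table, chain, prio, args in sorted(rules, key=lambda t: t[:4]):  # stable: equal prio keeps file order
        commands.append("firewall-cmd --permanent --direct --add-rule %s %s %s %d %s" % (ipv, table, chain, prio, args))
    for p in root.findall("passthrough"):
        commands.append("firewall-cmd --permanent --direct --add-passthrough %s %s" % (p.get("ipv"), (p.text or "").strip()))
    for c in sorted(chains - targets):  # a chain nothing jumps to is unreachable, dead configuration
        problems.append("chain %s/%s/%s is declared but no rule jumps to it" % c)
    return problems, commands
```

       Run lint_direct(SAMPLE) to see the five commands for the example above;
       any non-empty problems list points at a chain or rule that firewalld
       would load but that never takes effect.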

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
       firewalld.helper(5)


NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD


AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

firewalld 0.6.3                                            FIREWALLD.DIRECT(5)