1FIREWALLD.DIRECT(5) firewalld.direct FIREWALLD.DIRECT(5)
2
6 firewalld.direct - firewalld direct configuration file
7
9 /etc/firewalld/direct.xml
10
14 Direct configuration gives a more direct access to the firewall. It
15 requires user to know basic ip(6)tables/ebtables concepts, i.e. table
16 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
17 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
18 (ACCEPT/DROP/REJECT/...). Direct configuration should be used only as a
19 last resort when it's not possible to use firewalld.zone(5). See also
20 Direct Options in firewall-cmd(1).
21 A firewalld direct configuration file contains informations about
23 permanent direct chains, rules and passthrough ...
24 This is the structure of a direct configuration file:
26 <?xml version="1.0" encoding="utf-8"?>
28 <direct>
29 [ <chain ipv="ipv4|ipv6|eb" table="table" chain="chain"/> ]
30 [ <rule ipv="ipv4|ipv6|eb" table="table" chain="chain" priority="priority"> args </rule> ]
31 [ <passthrough ipv="ipv4|ipv6|eb"> args </passthrough> ]
32 </direct>
33 direct
37 The mandatory direct start and end tag defines the direct. This tag can
38 only be used once in a direct configuration file. There are no
39 attributes for direct.
40 chain
42 Is an optional empty-element tag and can be used several times. It can
43 be used to define names for additional chains. A chain entry has
44 exactly three attributes:
45 ipv="ipv4|ipv6|eb"
47 The IP family where the chain will be created. This can be either
48 ipv4, ipv6 or eb.
49 table="table"
51 The table name where the chain will be created. This can be one of
52 the tables that can be used for iptables, ip6tables or ebtables.
53 For the possible values, see TABLES section in the iptables,
54 ip6tables or ebtables man pages.
55 chain="chain"
57 The name of the chain, that will be created. Please make sure that
58 there is no other chain with this name already.
59 Please remember to add a rule or passthrough rule with an --jump or
61 --goto option to connect the chain to another one.
62 rule
64 Is an optional element tag and can be used several times. It can be
65 used to add rules to a built-in or added chain. A rule entry has
66 exactly four attributes:
67 ipv="ipv4|ipv6|eb"
69 The IP family where the rule will be added. This can be either
70 ipv4, ipv6 or eb.
71 table="table"
73 The table name where the rule will be added. This can be one of the
74 tables that can be used for iptables, ip6tables or ebtables. For
75 the possible values, see TABLES section in the iptables, ip6tables
76 or ebtables man pages.
77 chain="chain"
79 The name of the chain where the rule will be added. This can be
80 either a built-in chain or a chain that has been created with the
81 chain tag. If the chain name is a built-in chain, then the rule
82 will be added to chain_direct, else the supplied chain name is
83 used. chain_direct is created internally for all built-in chains
84 to make sure that the added rules do not conflict with the rules
85 created by firewalld.
86 priority="priority"
88 The priority is used to order rules. Priority 0 means add rule on
89 top of the chain, with a higher priority the rule will be added
90 further down. Rules with the same priority are on the same level
91 and the order of these rules is not fixed and may change. If you
92 want to make sure that a rule will be added after another one, use
93 a low priority for the first and a higher for the following.
94 The args can be any arguments of iptables or ip6tables, that do not
96 conflict with the table or chain attributes.
97 passthrough
99 Is an optional element tag and can be used several times. It can be
100 used to add rules to a built-in or added chain. A rule entry has
101 exactly one attribute:
102 ipv="ipv4|ipv6|eb"
104 The IP family where the passthrough rule will be added. This can be
105 either ipv4, ipv6 or eb.
106 The args can be any arguments of iptables or ip6tables.
108 The passthrough rule will be added to the chain directly. There is no
110 mechanism like for the direct rule above. The user of the passthrough
111 rule has to make sure that there will be no conflict with the rules
112 created by firewalld.
113
115 Blacklisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with
116 logging and dropping early in the raw table:
117 <?xml version="1.0" encoding="utf-8"?>
119 <direct>
120 <chain ipv="ipv4" table="raw" chain="blacklist"/>
121 <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule>
122 <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j blacklist</rule>
123 <rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule>
124 <rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule>
125 </direct>
126
130 firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
131 firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
132 firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
133 offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
134 firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
135 firewalld.helper(5)
136
138 firewalld home page:
139 http://firewalld.org
140 More documentation with examples:
142 http://fedoraproject.org/wiki/FirewallD
143
145 Thomas Woerner <twoerner@redhat.com>
146 Developer
147 Jiri Popelka <jpopelka@redhat.com>
149 Developer
150firewalld 0.6.3 FIREWALLD.DIRECT(5)