FIREWALL-OFFLINE-C(1)          firewall-offline-cmd          FIREWALL-OFFLINE-C(1)

NAME
    firewall-offline-cmd - firewalld offline command line client

SYNOPSIS
    firewall-offline-cmd [OPTIONS...]

DESCRIPTION
    firewall-offline-cmd is an offline command line client of the firewalld
    daemon. It should be used only if the firewalld service is not running,
    for example to migrate from system-config-firewall/lokkit or in the
    install environment to configure firewall settings with kickstart.

    Some lokkit options can not be automatically converted for firewalld;
    they will result in an error or warning message. This tool tries to
    convert as much as possible, but there are limitations, for example with
    custom rules, modules and masquerading.

    Check the firewall configuration after using this tool.

OPTIONS
    If no options are given, the configuration from
    /etc/sysconfig/system-config-firewall will be migrated.

    For sequence options, i.e. the options that can be specified multiple
    times, the exit code is 0 if there is at least one item that succeeded.
    The ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
    errors are treated as succeeded. If there are issues while parsing the
    items, these are treated as warnings and will not change the result as
    long as there is a succeeded item. Without any succeeded item, the exit
    code will depend on the error codes. If there is exactly one error code,
    then this is used. If there is more than one, then UNKNOWN_ERROR (254)
    will be used.
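    The exit-code rules above matter when firewall-offline-cmd is driven from
    a script (for example a kickstart %post section) that must not stop on
    "already enabled" conditions but must stop on real failures. The
    following shell functions are an added example, not part of firewalld:
    offline_step runs one invocation (passed as arguments, so it can be
    exercised with a stub in place of the real binary) and applies the
    "treated as succeeded" rule, and combine_exit_codes reproduces the
    documented overall result of a sequence option from per-item exit codes.

```shell
#!/bin/sh
# Added example, not firewalld code. Exit codes are the ones named in the
# DESCRIPTION of firewall-offline-cmd(1).
ALREADY_ENABLED=11
NOT_ENABLED=12
ZONE_ALREADY_SET=16
UNKNOWN_ERROR=254

# offline_step CMD [ARGS...]
# Runs CMD and returns 0 for success as the page defines it: exit 0, or one
# of the three codes the page says are treated as succeeded. Any other code
# is passed through unchanged so a caller can stop on real failures.
offline_step() {
    "$@"
    rc=$?
    case "$rc" in
        0) return 0 ;;
        "$ALREADY_ENABLED"|"$NOT_ENABLED"|"$ZONE_ALREADY_SET")
            echo "note: '$*' exited $rc (treated as succeeded)" >&2
            return 0 ;;
        *)
            echo "error: '$*' exited $rc" >&2
            return "$rc" ;;
    esac
}

# combine_exit_codes CODE...
# Prints the documented result of a sequence option given the exit codes of
# its items: 0 if at least one item succeeded (0, 11, 12 or 16); otherwise
# the single distinct error code, or UNKNOWN_ERROR (254) when several
# different error codes occurred.
combine_exit_codes() {
    distinct=""
    for rc in "$@"; do
        case "$rc" in
            0|"$ALREADY_ENABLED"|"$NOT_ENABLED"|"$ZONE_ALREADY_SET")
                echo 0; return 0 ;;
        esac
        case " $distinct " in
            *" $rc "*) ;;                 # already recorded
            *) distinct="$distinct $rc" ;;
        esac
    done
    set -- $distinct
    if [ "$#" -eq 1 ]; then
        echo "$1"
    else
        echo "$UNKNOWN_ERROR"
    fi
}

# Usage sketch (only meaningful on a host with firewalld installed):
#   offline_step firewall-offline-cmd --zone=public --add-service=ssh || exit $?
```

    Because offline_step only masks the three codes the page lists, a
    parsing problem that leaves no succeeded item still surfaces as a
    non-zero status, which is the behaviour a provisioning script should
    rely on.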

    The following options are supported:

General Options
    -h, --help
        Prints a short help text and exits.

    -V, --version
        Prints the version string of firewalld and exits.

    -q, --quiet
        Do not print status messages.

Status Options
    --enabled
        Enable the firewall. This option is a default option and will
        activate the firewall if not already enabled, as long as the option
        --disabled is not given.

    --disabled
        Disable the firewall by disabling the firewalld service.

    --check-config
        Run checks on the permanent configuration. This includes XML
        validity and semantics.

Lokkit Compatibility Options
    These options are nearly identical to the options of lokkit.

    --migrate-system-config-firewall=file
        Migrate system-config-firewall configuration from the given file.
        No further

    --addmodule=module
        This option will result in a warning message and will be ignored.

        Handling of netfilter helpers has been merged into services
        completely. Adding or removing netfilter helpers outside of
        services is therefore not needed anymore. For more information on
        handling netfilter helpers in services, please have a look at
        firewalld.zone(5).

    --removemodule=module
        This option will result in a warning message and will be ignored.

        Handling of netfilter helpers has been merged into services
        completely. Adding or removing netfilter helpers outside of
        services is therefore not needed anymore. For more information on
        handling netfilter helpers in services, please have a look at
        firewalld.zone(5).

    --remove-service=service
        Remove a service from the default zone. This option can be
        specified multiple times.

        The service is one of the firewalld provided services. To get a
        list of the supported services, use firewall-cmd --get-services.

    -s service, --service=service
        Add a service to the default zone. This option can be specified
        multiple times.

        The service is one of the firewalld provided services. To get a
        list of the supported services, use firewall-cmd --get-services.

    -p portid[-portid]:protocol, --port=portid[-portid]:protocol
        Add the port to the default zone. This option can be specified
        multiple times.

        The port can either be a single port number or a port range
        portid-portid. The protocol can either be tcp, udp, sctp or dccp.

    -t interface, --trust=interface
        This option will result in a warning message.

        Mark an interface as trusted. This option can be specified multiple
        times. The interface will be bound to the trusted zone.

        If the interface is used in a NetworkManager managed connection or
        if there is an ifcfg file for this interface, the zone will be
        changed to the zone defined in that configuration as soon as it gets
        activated. To change the zone of a connection, use
        nm-connection-editor and set the zone to trusted; for an ifcfg
        file, use an editor and add "ZONE=trusted". If the zone is not
        defined in the ifcfg file, the firewalld default zone will be used.

    -m interface, --masq=interface
        This option will result in a warning message.

        Masquerading will be enabled in the default zone. The interface
        argument will be ignored. This is for IPv4 only.

    --custom-rules=[type:][table:]filename
        This option will result in a warning message and will be ignored.

        Custom rule files are not supported by firewalld.

    --forward-port=if=interface:port=port:proto=protocol[:toport=destination port:][:toaddr=destination address]
        This option will result in a warning message.

        Add the IPv4 forward port in the default zone. This option can be
        specified multiple times.

        The port can either be a single port number portid or a port range
        portid-portid. The protocol can either be tcp, udp, sctp or dccp.
        The destination address is an IP address.

    --block-icmp=icmptype
        This option will result in a warning message.

        Add an ICMP block for icmptype in the default zone. This option can
        be specified multiple times.

        The icmptype is one of the ICMP types firewalld supports. To get a
        listing of supported ICMP types, use firewall-cmd --get-icmptypes.

Log Denied Options
    --get-log-denied
        Print the log denied setting.

    --set-log-denied=value
        Add logging rules right before the reject and drop rules in the
        INPUT, FORWARD and OUTPUT chains for the default rules, and also
        before the final reject and drop rules in zones, for the configured
        link-layer packet type. The possible values are: all, unicast,
        broadcast, multicast and off. The default setting is off, which
        disables the logging.

        This is a runtime and permanent change and will also reload the
        firewall to be able to add the logging rules.

Automatic Helpers Options
    --get-automatic-helpers
        Print the automatic helpers setting.

    --set-automatic-helpers=value
        For the secure use of iptables and connection tracking helpers it
        is recommended to turn AutomaticHelpers off. But this might have
        side effects on other services using the netfilter helpers, as the
        sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
        be changed. With the system setting, the default value set in the
        kernel or with sysctl will be used. Possible values are: yes, no
        and system. The default value is system.

        This is a runtime and permanent change and will also reload the
        firewall to be able to make the helpers usable.

Zone Options
    --get-default-zone
        Print the default zone for connections and interfaces.

    --set-default-zone=zone
        Set the default zone for connections and interfaces where no zone
        has been selected. Setting the default zone changes the zone for
        the connections or interfaces that are using the default zone.

    --get-zones
        Print predefined zones as a space separated list.

    --get-services
        Print predefined services as a space separated list.

    --get-icmptypes
        Print predefined icmptypes as a space separated list.

    --get-zone-of-interface=interface
        Print the name of the zone the interface is bound to, or no zone.

    --get-zone-of-source=source[/mask]|MAC|ipset:ipset
        Print the name of the zone the source is bound to, or no zone.

    --info-zone=zone
        Print information about the zone zone. The output format is:

            zone
              interfaces: interface1 ..
              sources: source1 ..
              services: service1 ..
              ports: port1 ..
              protocols: protocol1 ..
              forward-ports:
                      forward-port1
                      ..
              source-ports: source-port1 ..
              icmp-blocks: icmp-type1 ..
              rich rules:
                      rich-rule1
                      ..

    --list-all-zones
        List everything added for or enabled in all zones. The output
        format is:

            zone1
              interfaces: interface1 ..
              sources: source1 ..
              services: service1 ..
              ports: port1 ..
              protocols: protocol1 ..
              forward-ports:
                      forward-port1
                      ..
              source-ports: source-port1 ..
              icmp-blocks: icmp-type1 ..
              rich rules:
                      rich-rule1
                      ..
            ..

    --new-zone=zone
        Add a new permanent zone.

    --new-zone-from-file=filename [--name=zone]
        Add a new permanent zone from a prepared zone file with an optional
        name override.

    --path-zone=zone
        Print the path of the zone configuration file.

    --delete-zone=zone
        Delete an existing permanent zone.

    --zone=zone --set-description=description
        Set a new description for zone.

    --zone=zone --get-description
        Print the description of zone.

    --zone=zone --set-short=description
        Set the short description for zone.

    --zone=zone --get-short
        Print the short description of zone.

    --zone=zone --get-target
        Get the target of a permanent zone.

    --zone=zone --set-target=target
        Set the target of a permanent zone.

Options to Adapt and Query Zones
    Options in this section affect only one particular zone. If used with
    the --zone=zone option, they affect the zone zone. If the option is
    omitted, they affect the default zone (see --get-default-zone).

    [--zone=zone] --list-all
        List everything added for or enabled in zone. If zone is omitted,
        the default zone will be used.

    [--zone=zone] --list-services
        List services added for zone as a space separated list. If zone is
        omitted, the default zone will be used.

    [--zone=zone] --add-service=service
        Add a service for zone. If zone is omitted, the default zone will be
        used. This option can be specified multiple times.

        The service is one of the firewalld provided services. To get a
        list of the supported services, use firewall-cmd --get-services.

    [--zone=zone] --remove-service-from-zone=service
        Remove a service from zone. This option can be specified multiple
        times. If zone is omitted, the default zone will be used.

    [--zone=zone] --query-service=service
        Return whether service has been added for zone. If zone is omitted,
        the default zone will be used. Returns 0 if true, 1 otherwise.

    [--zone=zone] --list-ports
        List ports added for zone as a space separated list. A port is of
        the form portid[-portid]/protocol; it can be either a port and
        protocol pair or a port range with a protocol. If zone is omitted,
        the default zone will be used.

    [--zone=zone] --add-port=portid[-portid]/protocol
        Add the port for zone. If zone is omitted, the default zone will be
        used. This option can be specified multiple times.

        The port can either be a single port number or a port range
        portid-portid. The protocol can either be tcp, udp, sctp or dccp.
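    Several options on this page (--add-port, --remove-port, --query-port
    and the --*-source-port options, as well as the port part of the
    --*-forward-port options) take an argument of the form
    portid[-portid]/protocol with the protocol restricted to tcp, udp, sctp
    or dccp. Validating such arguments before they reach
    firewall-offline-cmd keeps a malformed entry from turning a whole
    provisioning run into a warning that is easy to overlook. The function
    below is an added example, not firewalld code; the numeric bounds
    1-65535 and the requirement that a range be written low-high are
    assumptions, since the page states neither. The lokkit form
    -p portid[-portid]:protocol uses ':' instead of '/' and is not covered.

```shell
#!/bin/sh
# Added example, not firewalld code: check a portid[-portid]/protocol
# argument against the form documented in firewall-offline-cmd(1).

# valid_port_number N -> 0 if N is an integer in 1..65535 (assumed bounds)
valid_port_number() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;      # empty or not purely numeric
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# validate_port_spec SPEC -> 0 if SPEC is well-formed, 1 otherwise.
# Diagnostics go to stderr so the function can be used in conditions.
validate_port_spec() {
    spec=$1
    case "$spec" in
        */*) ;;
        *) echo "missing /protocol in '$spec'" >&2; return 1 ;;
    esac
    ports=${spec%/*}          # everything before the last '/'
    proto=${spec##*/}         # everything after the last '/'
    case "$proto" in
        tcp|udp|sctp|dccp) ;;  # the protocols the page allows
        *) echo "unsupported protocol '$proto' in '$spec'" >&2; return 1 ;;
    esac
    case "$ports" in
        *-*)
            low=${ports%-*}
            high=${ports#*-}
            valid_port_number "$low" && valid_port_number "$high" &&
                [ "$low" -le "$high" ] ;;
        *)
            valid_port_number "$ports" ;;
    esac
}

# Usage sketch (only meaningful on a host with firewalld installed):
#   for p in 22/tcp 5000-5010/udp; do
#       validate_port_spec "$p" &&
#           firewall-offline-cmd --zone=public --add-port="$p"
#   done
```

    The same function can be applied to the toport= part of a forward-port
    argument, which the page describes with the same portid[-portid] form.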

    [--zone=zone] --remove-port=portid[-portid]/protocol
        Remove the port from zone. If zone is omitted, the default zone will
        be used. This option can be specified multiple times.

    [--zone=zone] --query-port=portid[-portid]/protocol
        Return whether the port has been added for zone. If zone is
        omitted, the default zone will be used. Returns 0 if true, 1
        otherwise.

    [--zone=zone] --list-protocols
        List protocols added for zone as a space separated list. If zone is
        omitted, the default zone will be used.

    [--zone=zone] --add-protocol=protocol
        Add the protocol for zone. If zone is omitted, the default zone will
        be used. This option can be specified multiple times. If a timeout is
        supplied, the rule will be active for the specified amount of time
        and will be removed automatically afterwards. timeval is either a
        number (of seconds) or a number followed by one of the characters s
        (seconds), m (minutes), h (hours), for example 20m or 1h.

        The protocol can be any protocol supported by the system. Please
        have a look at /etc/protocols for supported protocols.

    [--zone=zone] --remove-protocol=protocol
        Remove the protocol from zone. If zone is omitted, the default zone
        will be used. This option can be specified multiple times.

    [--zone=zone] --query-protocol=protocol
        Return whether the protocol has been added for zone. If zone is
        omitted, the default zone will be used. Returns 0 if true, 1
        otherwise.

    [--zone=zone] --list-icmp-blocks
        List Internet Control Message Protocol (ICMP) type blocks added for
        zone as a space separated list. If zone is omitted, the default zone
        will be used.

    [--zone=zone] --add-icmp-block=icmptype
        Add an ICMP block for icmptype for zone. If zone is omitted, the
        default zone will be used. This option can be specified multiple
        times.

        The icmptype is one of the ICMP types firewalld supports. To get a
        listing of supported ICMP types, use firewall-cmd --get-icmptypes.

    [--zone=zone] --remove-icmp-block=icmptype
        Remove the ICMP block for icmptype from zone. If zone is omitted,
        the default zone will be used. This option can be specified multiple
        times.

    [--zone=zone] --query-icmp-block=icmptype
        Return whether an ICMP block for icmptype has been added for zone.
        If zone is omitted, the default zone will be used. Returns 0 if
        true, 1 otherwise.

    [--zone=zone] --list-forward-ports
        List IPv4 forward ports added for zone as a space separated list.
        If zone is omitted, the default zone will be used.

        For IPv6 forward ports, please use the rich language.

    [--zone=zone] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
        Add the IPv4 forward port for zone. If zone is omitted, the default
        zone will be used. This option can be specified multiple times.

        The port can either be a single port number portid or a port range
        portid-portid. The protocol can either be tcp, udp, sctp or dccp.
        The destination address is a simple IP address.

        For IPv6 forward ports, please use the rich language.

        Note: IP forwarding will be implicitly enabled if toaddr is
        specified.

    [--zone=zone] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
        Remove the IPv4 forward port from zone. If zone is omitted, the
        default zone will be used. This option can be specified multiple
        times.

        For IPv6 forward ports, please use the rich language.

    [--zone=zone] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
        Return whether the IPv4 forward port has been added for zone. If
        zone is omitted, the default zone will be used. Returns 0 if true, 1
        otherwise.

        For IPv6 forward ports, please use the rich language.

    [--zone=zone] --list-source-ports
        List source ports added for zone as a space separated list. A port
        is of the form portid[-portid]/protocol. If zone is omitted, the
        default zone will be used.

    [--zone=zone] --add-source-port=portid[-portid]/protocol
        Add the source port for zone. If zone is omitted, the default zone
        will be used. This option can be specified multiple times. If a
        timeout is supplied, the rule will be active for the specified
        amount of time and will be removed automatically afterwards.

        The port can either be a single port number or a port range
        portid-portid. The protocol can either be tcp, udp, sctp or dccp.

    [--zone=zone] --remove-source-port=portid[-portid]/protocol
        Remove the source port from zone. If zone is omitted, the default
        zone will be used. This option can be specified multiple times.

    [--zone=zone] --query-source-port=portid[-portid]/protocol
        Return whether the source port has been added for zone. If zone is
        omitted, the default zone will be used. Returns 0 if true, 1
        otherwise.

    [--zone=zone] --add-masquerade
        Enable IPv4 masquerading for zone. If zone is omitted, the default
        zone will be used. Masquerading is useful if the machine is a router
        and machines connected over an interface in another zone should be
        able to use the first connection.

        For IPv6 masquerading, please use the rich language.

        Note: IP forwarding will be implicitly enabled.

    [--zone=zone] --remove-masquerade
        Disable IPv4 masquerading for zone. If zone is omitted, the default
        zone will be used.

        For IPv6 masquerading, please use the rich language.

    [--zone=zone] --query-masquerade
        Return whether IPv4 masquerading has been enabled for zone. If zone
        is omitted, the default zone will be used. Returns 0 if true, 1
        otherwise.

        For IPv6 masquerading, please use the rich language.

    [--zone=zone] --list-rich-rules
        List rich language rules added for zone as a newline separated
        list. If zone is omitted, the default zone will be used.

    [--zone=zone] --add-rich-rule='rule'
        Add rich language rule 'rule' for zone. This option can be
        specified multiple times. If zone is omitted, the default zone will
        be used.

        For the rich language rule syntax, please have a look at
        firewalld.richlanguage(5).

    [--zone=zone] --remove-rich-rule='rule'
        Remove rich language rule 'rule' from zone. This option can be
        specified multiple times. If zone is omitted, the default zone will
        be used.

        For the rich language rule syntax, please have a look at
        firewalld.richlanguage(5).

    [--zone=zone] --query-rich-rule='rule'
        Return whether a rich language rule 'rule' has been added for zone.
        If zone is omitted, the default zone will be used. Returns 0 if
        true, 1 otherwise.

        For the rich language rule syntax, please have a look at
        firewalld.richlanguage(5).

Options to Handle Bindings of Interfaces
    Binding an interface to a zone means that this zone's settings are used
    to restrict traffic via the interface.

    Options in this section affect only one particular zone. If used with
    the --zone=zone option, they affect the zone zone. If the option is
    omitted, they affect the default zone (see --get-default-zone).

    For a list of predefined zones use firewall-cmd --get-zones.

    An interface name is a string up to 16 characters long that may not
    contain ' ', '/', '!' or '*'.

    [--zone=zone] --list-interfaces
        List interfaces that are bound to zone zone as a space separated
        list. If zone is omitted, the default zone will be used.

    [--zone=zone] --add-interface=interface
        Bind interface interface to zone zone. If zone is omitted, the
        default zone will be used.

    [--zone=zone] --change-interface=interface
        Change the zone that interface interface is bound to, to zone zone.
        If zone is omitted, the default zone will be used. If the old and
        new zone are the same, the call will be ignored without an error.
        If the interface has not been bound to a zone before, it will
        behave like --add-interface.

    [--zone=zone] --query-interface=interface
        Query whether interface interface is bound to zone zone. Returns 0
        if true, 1 otherwise.

    [--zone=zone] --remove-interface=interface
        Remove the binding of interface interface from zone zone. If zone
        is omitted, the default zone will be used.

Options to Handle Bindings of Sources
    Binding a source to a zone means that this zone's settings will be used
    to restrict traffic from this source.

    A source address or address range is either an IP address or a network
    IP address with a mask for IPv4 or IPv6, or a MAC address, or an ipset
    with the ipset: prefix. For IPv4, the mask can be a network mask or a
    plain number. For IPv6 the mask is a plain number. The use of host
    names is not supported.
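    The interface-name rule in the previous section and the source forms
    described here are the kind of thing a provisioning script should check
    before it hands a binding to firewall-offline-cmd, because a misbound
    source silently lands in the wrong zone. The functions below are an
    added example, not firewalld code: valid_interface_name applies the
    stated 16-character and forbidden-character rules, and source_kind
    classifies a source argument as ipv4, ipv6, mac or ipset and rejects
    anything else, including host names. The address syntax checks are
    simplified assumptions (a dotted quad with octets 0-255 for IPv4, a
    string of hex digits and colons with at least two colons for IPv6, a
    colon-separated six-byte MAC); firewalld's own parsing may be stricter.

```shell
#!/bin/sh
# Added example, not firewalld code: pre-check arguments of the interface
# and source binding options described in firewall-offline-cmd(1).

# valid_interface_name NAME -> 0 if NAME is at most 16 characters and
# contains none of ' ', '/', '!' or '*' (the rules stated on the page)
valid_interface_name() {
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 16 ] || return 1
    case "$name" in
        *' '*|*/*|*'!'*|*'*'*) return 1 ;;
    esac
    return 0
}

# is_ipv4_addr A -> 0 if A is a dotted quad with every octet in 0..255
# (assumed syntax; the page only says "IP address")
is_ipv4_addr() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# source_kind SOURCE -> prints ipv4, ipv6, mac or ipset and returns 0;
# returns 1 for anything the page does not allow (e.g. host names)
source_kind() {
    src=$1
    case "$src" in
        ipset:?*) echo ipset; return 0 ;;   # ipset: prefix, per the page
    esac
    # MAC address: six hex bytes separated by colons (assumed syntax)
    if printf '%s' "$src" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo mac; return 0
    fi
    addr=${src%%/*}
    mask=""
    case "$src" in */*) mask=${src#*/} ;; esac
    if is_ipv4_addr "$addr"; then
        # IPv4 mask: a network mask (dotted quad) or a plain number 0..32
        if [ -n "$mask" ]; then
            is_ipv4_addr "$mask" ||
                { printf '%s' "$mask" | grep -Eq '^[0-9]{1,2}$' &&
                  [ "$mask" -le 32 ]; } ||
                return 1
        fi
        echo ipv4; return 0
    fi
    # IPv6: hex digits and colons, at least two colons (assumed syntax);
    # the mask must be a plain number 0..128, as the page requires
    if printf '%s' "$addr" | grep -Eiq '^[0-9a-f:]+$' &&
       [ "${addr#*:*:}" != "$addr" ]; then
        if [ -n "$mask" ]; then
            printf '%s' "$mask" | grep -Eq '^[0-9]{1,3}$' &&
                [ "$mask" -le 128 ] || return 1
        fi
        echo ipv6; return 0
    fi
    return 1
}

# Usage sketch (only meaningful on a host with firewalld installed):
#   src=192.0.2.0/24
#   source_kind "$src" >/dev/null &&
#       firewall-offline-cmd --zone=internal --add-source="$src"
```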

    Options in this section affect only one particular zone. If used with
    the --zone=zone option, they affect the zone zone. If the option is
    omitted, they affect the default zone (see --get-default-zone).

    For a list of predefined zones use firewall-cmd --get-zones.

    [--zone=zone] --list-sources
        List sources that are bound to zone zone as a space separated list.
        If zone is omitted, the default zone will be used.

    [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
        Bind the source to zone zone. If zone is omitted, the default zone
        will be used.

    [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
        Change the zone that the source is bound to, to zone zone. If zone
        is omitted, the default zone will be used. If the old and new zone
        are the same, the call will be ignored without an error. If the
        source has not been bound to a zone before, it will behave like
        --add-source.

    [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
        Query whether the source is bound to the zone zone. Returns 0 if
        true, 1 otherwise.

    [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
        Remove the binding of the source from zone zone. If zone is
        omitted, the default zone will be used.

IPSet Options
    --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
        Add a new permanent ipset, specifying the type and optional
        options.

    --new-ipset-from-file=filename [--name=ipset]
        Add a new permanent ipset from a prepared ipset file with an
        optional name override.

    --delete-ipset=ipset
        Delete an existing permanent ipset.

    --info-ipset=ipset
        Print information about the ipset ipset. The output format is:

            ipset
              type: type
              options: option1[=value1] ..
              entries: entry1 ..

    --get-ipsets
        Print predefined ipsets as a space separated list.

    --ipset=ipset --add-entry=entry
        Add a new entry to the ipset.

    --ipset=ipset --remove-entry=entry
        Remove an entry from the ipset.

    --ipset=ipset --query-entry=entry
        Return whether the entry has been added to the ipset. Returns 0 if
        true, 1 otherwise.

    --ipset=ipset --get-entries
        List all entries of the ipset.

    --ipset=ipset --add-entries-from-file=filename
        Add new entries to the ipset from the file. For all entries that
        are listed in the file but are already in the ipset, a warning will
        be printed.

        The file should contain one entry per line. Lines starting with a
        hash or semicolon are ignored, as are empty lines.

    --ipset=ipset --remove-entries-from-file=filename
        Remove existing entries from the ipset as listed in the file. For
        all entries that are listed in the file but are not in the ipset, a
        warning will be printed.

        The file should contain one entry per line. Lines starting with a
        hash or semicolon are ignored, as are empty lines.
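    The file format shared by --add-entries-from-file and
    --remove-entries-from-file is simple enough to pre-process in a script,
    which is useful when an entries file is generated from another source
    and should be reviewed (or its entry count logged) before the ipset is
    changed. The reader below is an added example, not firewalld code, and
    only reproduces the rules this page states: one entry per line, lines
    starting with '#' or ';' ignored, empty lines ignored. Whether firewalld
    strips surrounding whitespace is not stated on the page; the example
    strips leading and trailing blanks as an assumption and treats a line
    that is empty after stripping as empty. The sample file is constructed
    for the example.

```shell
#!/bin/sh
# Added example, not firewalld code: read an ipset entries file in the
# format documented for --add-entries-from-file / --remove-entries-from-file.

# ipset_entries FILE -> prints the usable entries, one per line
ipset_entries() {
    while IFS= read -r line || [ -n "$line" ]; do
        # strip leading and trailing blanks/tabs (assumption, see lead-in)
        line=$(printf '%s' "$line" | sed 's/^[[:blank:]]*//; s/[[:blank:]]*$//')
        case "$line" in
            ''|'#'*|';'*) continue ;;   # empty or comment line, per the page
        esac
        printf '%s\n' "$line"
    done < "$1"
}

# count_ipset_entries FILE -> number of usable entries in FILE
count_ipset_entries() {
    ipset_entries "$1" | wc -l | tr -d ' '
}

# Constructed sample entries file (documentation addresses only)
SAMPLE_ENTRIES=$(mktemp)
trap 'rm -f "$SAMPLE_ENTRIES"' EXIT
cat > "$SAMPLE_ENTRIES" <<'EOF'
# entries for ipset "badhosts" (constructed example)
; comment lines may also start with a semicolon
192.0.2.10

198.51.100.0/24
   203.0.113.7
EOF

# Stand-alone run: show what would be handed to the ipset
echo "$(count_ipset_entries "$SAMPLE_ENTRIES") entries:"
ipset_entries "$SAMPLE_ENTRIES"

# Usage sketch (only meaningful on a host with firewalld installed):
#   firewall-offline-cmd --ipset=badhosts --add-entries-from-file="$SAMPLE_ENTRIES"
```

    firewall-offline-cmd reads the file itself; the reader here is only for
    inspecting the file beforehand, for instance to confirm that the entry
    count matches what --ipset=ipset --get-entries reports afterwards.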
611
612 --ipset=ipset --set-description=description
613 Set new description to ipset
614
615 --ipset=ipset --get-description
616 Print description for ipset
617
618 --ipset=ipset --set-short=description
619 Set new short description to ipset
620
621 --ipset=ipset --get-short
622 Print short description for ipset
623
624 --path-ipset=ipset
625 Print path of the ipset configuration file.
626
627 Service Options
628 --info-service=service
629 Print information about the service service. The output format is:
630
631 service
632 ports: port1 ..
633 protocols: protocol1 ..
634 source-ports: source-port1 ..
635 modules: module1 ..
636 destination: ipv1:address1 ..
637
638
639
640 --new-service=service
641 Add a new permanent service.
642
643 --new-service-from-file=filename [--name=service]
644 Add a new permanent service from a prepared service file with an
645 optional name override.
646
647 --delete-service=service
648 Delete an existing permanent service.
649
650 --path-service=service
651 Print path of the service configuration file.
652
653 --service=service --set-description=description
654 Set new description to service
655
656 --service=service --get-description
657 Print description for service
658
659 --service=service --set-short=description
660 Set short description to service
661
662 --service=service --get-short
663 Print short description for service
664
665 --service=service --add-port=portid[-portid]/protocol
666 Add a new port to the permanent service.
667
668 --service=service --remove-port=portid[-portid]/protocol
669 Remove a port from the permanent service.
670
671 --service=service --query-port=portid[-portid]/protocol
672 Return wether the port has been added to the permanent service.
673
674 --service=service --get-ports
675 List ports added to the permanent service.
676
677 --service=service --add-protocol=protocol
678 Add a new protocol to the permanent service.
679
680 --service=service --remove-protocol=protocol
681 Remove a protocol from the permanent service.
682
683 --service=service --query-protocol=protocol
684 Return wether the protocol has been added to the permanent service.
685
686 --service=service --get-protocols
687 List protocols added to the permanent service.
688
689 --service=service --add-source-port=portid[-portid]/protocol
690 Add a new source port to the permanent service.
691
692 --service=service --remove-source-port=portid[-portid]/protocol
693 Remove a source port from the permanent service.
694
695 --service=service --query-source-port=portid[-portid]/protocol
696 Return wether the source port has been added to the permanent
697 service.
698
699 --service=service --get-source-ports
700 List source ports added to the permanent service.
701
702 --service=service --add-module=module
703 Add a new module to the permanent service.
704
705 --service=service --remove-module=module
706 Remove a module from the permanent service.
707
708 --service=service --query-module=module
709 Return wether the module has been added to the permanent service.
710
711 --service=service --get-modules
712 List modules added to the permanent service.
713
714 --service=service --set-destination=ipv:address[/mask]
715 Set destination for ipv to address[/mask] in the permanent service.
716
717 --service=service --remove-destination=ipv
718 Remove the destination for ipv from the permanent service.
719
720 --service=service --query-destination=ipv:address[/mask]
721 Return wether the destination ipv to address[/mask] has been set in
722 the permanent service.
723
724 --service=service --get-destinations
725 List destinations added to the permanent service.
726
727 Helper Options
728 Options in this section affect only one particular helper.
729
730 --info-helper=helper
731 Print information about the helper helper. The output format is:
732
733 helper
734 family: family
735 module: module
736 ports: port1 ..
737
738
739
740 The following options are only usable in the permanent configuration.
741
742 --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
743 Add a new permanent helper with module and optionally family
744 defined.
745
746 --new-helper-from-file=filename [--name=helper]
747 Add a new permanent helper from a prepared helper file with an
748 optional name override.
749
750 --delete-helper=helper
751 Delete an existing permanent helper.
752
753 --load-helper-defaults=helper
754 Load helper default settings or report NO_DEFAULTS error.
755
756 --path-helper=helper
757 Print path of the helper configuration file.
758
759 --get-helpers
760 Print predefined helpers as a space separated list.
761
762 --helper=helper --set-description=description
763 Set new description to helper
764
765 --helper=helper --get-description
766 Print description for helper
767
768 --helper=helper --set-short=description
769 Set short description to helper
770
771 --helper=helper --get-short
772 Print short description for helper
773
774 --helper=helper --add-port=portid[-portid]/protocol
775 Add a new port to the permanent helper.
776
777 --helper=helper --remove-port=portid[-portid]/protocol
778 Remove a port from the permanent helper.
779
780 --helper=helper --query-port=portid[-portid]/protocol
781 Return wether the port has been added to the permanent helper.
782
783 --helper=helper --get-ports
784 List ports added to the permanent helper.
785
786 --helper=helper --set-module=description
787 Set module description for helper
788
789 --helper=helper --get-module
790 Print module description for helper
791
792 --helper=helper --set-family=description
793 Set family description for helper
794
795 --helper=helper --get-family
796 Print family description of helper
797
798 Internet Control Message Protocol (ICMP) type Options
799 --info-icmptype=icmptype
800 Print information about the icmptype icmptype. The output format
801 is:
802
803 icmptype
804 destination: ipv1 ..
805
806
807
808 --new-icmptype=icmptype
809 Add a new permanent icmptype.
810
811 --new-icmptype-from-file=filename [--name=icmptype]
812 Add a new permanent icmptype from a prepared icmptype file with an
813 optional name override.
814
815 --delete-icmptype=icmptype
816 Delete an existing permanent icmptype.
817
818 --icmptype=icmptype --set-description=description
819 Set new description to icmptype
820
821 --icmptype=icmptype --get-description
822 Print description for icmptype
823
824 --icmptype=icmptype --set-short=description
825 Set short description to icmptype
826
827 --icmptype=icmptype --get-short
828 Print short description for icmptype
829
830 --icmptype=icmptype --add-destination=ipv
831 Enable destination for ipv in permanent icmptype. ipv is one of
832 ipv4 or ipv6.
833
834 --icmptype=icmptype --remove-destination=ipv
835 Disable destination for ipv in permanent icmptype. ipv is one of
836 ipv4 or ipv6.
837
838 --icmptype=icmptype --query-destination=ipv
839 Return whether destination for ipv is enabled in permanent
840 icmptype. ipv is one of ipv4 or ipv6.
841
842 --icmptype=icmptype --get-destinations
843 List destinations in permanent icmptype.
844
845 --path-icmptype=icmptype
846 Print path of the icmptype configuration file.
847
Direct Options
   The direct options give more direct access to the firewall. These
   options require the user to know basic iptables concepts, i.e. table
   (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
   (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
   (ACCEPT/DROP/REJECT/...).

   Direct options should be used only as a last resort when it is not
   possible to use for example --add-service=service or
   --add-rich-rule='rule'.

   The first argument of each option has to be ipv4, ipv6 or eb. With
   ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
   (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

   --direct --get-all-chains
       Get all chains added to all tables.

       This option concerns only chains previously added with --direct
       --add-chain.

   --direct --get-chains { ipv4 | ipv6 | eb } table
       Get all chains added to table table as a space separated list.

       This option concerns only chains previously added with --direct
       --add-chain.

   --direct --add-chain { ipv4 | ipv6 | eb } table chain
       Add a new chain with name chain to table table.

       There already exist basic chains to use with direct options, for
       example the INPUT_direct chain (see iptables-save | grep direct
       output for all of them). These chains are jumped into before the
       chains for zones, i.e. every rule put into INPUT_direct will be
       checked before rules in zones.

   --direct --remove-chain { ipv4 | ipv6 | eb } table chain
       Remove the chain with name chain from table table.

   --direct --query-chain { ipv4 | ipv6 | eb } table chain
       Return whether a chain with name chain exists in table table.
       Returns 0 if true, 1 otherwise.

       This option concerns only chains previously added with --direct
       --add-chain.

   --direct --get-all-rules
       Get all rules added to all chains in all tables as a newline
       separated list of the priority and arguments.

   --direct --get-rules { ipv4 | ipv6 | eb } table chain
       Get all rules added to chain chain in table table as a newline
       separated list of the priority and arguments.

   --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
       Add a rule with the arguments args to chain chain in table table
       with priority priority.

       The priority is used to order rules. Priority 0 means add the
       rule at the top of the chain; with a higher priority the rule
       will be added further down. Rules with the same priority are on
       the same level and the order of these rules is not fixed and may
       change. If you want to make sure that a rule will be added after
       another one, use a low priority for the first and a higher one
       for the following.

   --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
       Remove a rule with priority priority and the arguments args from
       chain chain in table table.

   --direct --remove-rules { ipv4 | ipv6 | eb } table chain
       Remove all rules from the chain with name chain in table table.

       This option concerns only rules previously added with --direct
       --add-rule in this chain.

   --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
       Return whether a rule with priority priority and the arguments
       args exists in chain chain in table table. Returns 0 if true, 1
       otherwise.

   --direct --get-all-passthroughs
       Get all permanent passthrough rules as a newline separated list
       of the ipv value and arguments.

   --direct --get-passthroughs { ipv4 | ipv6 | eb }
       Get all permanent passthrough rules for the ipv value as a
       newline separated list of the priority and arguments.

   --direct --add-passthrough { ipv4 | ipv6 | eb } args
       Add a permanent passthrough rule with the arguments args for the
       ipv value.

   --direct --remove-passthrough { ipv4 | ipv6 | eb } args
       Remove a permanent passthrough rule with the arguments args for
       the ipv value.

   --direct --query-passthrough { ipv4 | ipv6 | eb } args
       Return whether a permanent passthrough rule with the arguments
       args exists for the ipv value. Returns 0 if true, 1 otherwise.
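
   The following script is an added example and is not part of
   firewalld or this manual: it wraps the --direct --add-rule syntax
   described above, validates the ipv and priority arguments as defined
   here, and installs a constructed INPUT_direct rule set with distinct
   priorities so the evaluation order is fixed. FW_CMD, the helper
   names, the management subnet 192.0.2.0/24 and the rule set itself
   are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not firewalld code: wrapper around --direct --add-rule.
# FW_CMD defaults to the real client; set FW_CMD=echo for a dry run.
FW_CMD="${FW_CMD:-firewall-offline-cmd}"

# add_direct_rule IPV TABLE CHAIN PRIORITY ARGS...
# Returns 2 on a malformed call, otherwise the client's exit status.
add_direct_rule() {
    [ $# -ge 5 ] || {
        echo "usage: add_direct_rule ipv table chain priority args..." >&2
        return 2
    }
    ipv=$1 table=$2 chain=$3 prio=$4
    shift 4
    case "$ipv" in
        ipv4|ipv6|eb) ;;
        *) echo "add_direct_rule: ipv must be ipv4, ipv6 or eb" >&2
           return 2 ;;
    esac
    case "$prio" in
        ''|*[!0-9]*) echo "add_direct_rule: priority must be an integer >= 0" >&2
                     return 2 ;;
    esac
    "$FW_CMD" --direct --add-rule "$ipv" "$table" "$chain" "$prio" "$@"
}

# Constructed rule set for INPUT_direct, which is checked before the zone
# chains: log new SSH connections, accept them from a management subnet
# (192.0.2.0/24 is a placeholder) and reject the rest. Priorities 0, 1
# and 2 are distinct, so this order is guaranteed; with equal priorities
# the relative order of the rules could change.
install_ssh_rules() {
    add_direct_rule ipv4 filter INPUT_direct 0 \
        -p tcp --dport 22 -m conntrack --ctstate NEW -j LOG --log-prefix "ssh-new: " &&
    add_direct_rule ipv4 filter INPUT_direct 1 \
        -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT &&
    add_direct_rule ipv4 filter INPUT_direct 2 \
        -p tcp --dport 22 -j REJECT --reject-with tcp-reset
}
```

   After a real run, confirm the result with
   firewall-offline-cmd --direct --get-rules ipv4 filter INPUT_direct.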
947
Lockdown Options
   Local applications or services are able to change the firewall
   configuration if they are running as root (example: libvirt) or are
   authenticated using PolicyKit. With this feature administrators can
   lock the firewall configuration so that only applications on the
   lockdown whitelist are able to request firewall changes.

   The lockdown access check limits D-Bus methods that change firewall
   rules. Query, list and get methods are not limited.

   The lockdown feature is a very light version of user and application
   policies for firewalld and is turned off by default.

   --lockdown-on
       Enable lockdown. Be careful: if firewall-cmd is not on the
       lockdown whitelist when you enable lockdown, you won't be able
       to disable it again with firewall-cmd; you would need to edit
       firewalld.conf.

   --lockdown-off
       Disable lockdown.

   --query-lockdown
       Query whether lockdown is enabled. Returns 0 if lockdown is
       enabled, 1 otherwise.

Lockdown Whitelist Options
   The lockdown whitelist can contain commands, contexts, users and user
   ids.

   If a command entry on the whitelist ends with an asterisk '*', then
   all command lines starting with the command will match. If the '*'
   is not there, the absolute command including its arguments must
   match.

   Commands for user root and other users are not always the same.
   Example: as root /bin/firewall-cmd is used, as a normal user
   /usr/bin/firewall-cmd is used on Fedora.

   The context is the security (SELinux) context of a running
   application or service. To get the context of a running application
   use ps -e --context.

   Warning: If the context is unconfined, then this will open access
   for more than the desired application.

   The lockdown whitelist entries are checked in the following order:
   1. context
   2. uid
   3. user
   4. command
   --list-lockdown-whitelist-commands
       List all command lines that are on the whitelist.

   --add-lockdown-whitelist-command=command
       Add the command to the whitelist.

   --remove-lockdown-whitelist-command=command
       Remove the command from the whitelist.

   --query-lockdown-whitelist-command=command
       Query whether the command is on the whitelist. Returns 0 if
       true, 1 otherwise.

   --list-lockdown-whitelist-contexts
       List all contexts that are on the whitelist.

   --add-lockdown-whitelist-context=context
       Add the context context to the whitelist.

   --remove-lockdown-whitelist-context=context
       Remove the context from the whitelist.

   --query-lockdown-whitelist-context=context
       Query whether the context is on the whitelist. Returns 0 if
       true, 1 otherwise.

   --list-lockdown-whitelist-uids
       List all user ids that are on the whitelist.

   --add-lockdown-whitelist-uid=uid
       Add the user id uid to the whitelist.

   --remove-lockdown-whitelist-uid=uid
       Remove the user id uid from the whitelist.

   --query-lockdown-whitelist-uid=uid
       Query whether the user id uid is on the whitelist. Returns 0 if
       true, 1 otherwise.

   --list-lockdown-whitelist-users
       List all user names that are on the whitelist.

   --add-lockdown-whitelist-user=user
       Add the user name user to the whitelist.

   --remove-lockdown-whitelist-user=user
       Remove the user name user from the whitelist.

   --query-lockdown-whitelist-user=user
       Query whether the user name user is on the whitelist. Returns 0
       if true, 1 otherwise.

Policy Options
   --policy-server
       Change Polkit actions to 'server' (more restricted).

   --policy-desktop
       Change Polkit actions to 'desktop' (less restricted).

SEE ALSO
   firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
   firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
   firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
   firewall-offline-cmd(1), firewalld.richlanguage(5),
   firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
   firewalld.ipset(5), firewalld.helper(5)

NOTES
   firewalld home page:
   http://firewalld.org

   More documentation with examples:
   http://fedoraproject.org/wiki/FirewallD

AUTHORS
   Thomas Woerner <twoerner@redhat.com>
       Developer

   Jiri Popelka <jpopelka@redhat.com>
       Developer

firewalld 0.6.4                                      FIREWALL-OFFLINE-C(1)