1FIREWALL-OFFLINE-C(1)        firewall-offline-cmd        FIREWALL-OFFLINE-C(1)
2
3
4

NAME

6       firewall-offline-cmd - firewalld offline command line client
7

SYNOPSIS

9       firewall-offline-cmd [OPTIONS...]
10

DESCRIPTION

12       firewall-offline-cmd is an offline command line client of the firewalld
13       daemon. It should be used only if the firewalld service is not running.
14       For example to migrate from system-config-firewall/lokkit or in the
15       install environment to configure firewall settings with kickstart.
16
17       Some lokkit options can not be automatically converted for firewalld,
18       they will result in an error or warning message. This tool tries to
19       convert as much as possible, but there are limitations for example with
20       custom rules, modules and masquerading.
21
22       Check the firewall configuration after using this tool.
23

OPTIONS

25       If no options are given, configuration from
26       /etc/sysconfig/system-config-firewall will be migrated.
27
28       Sequence options are the options that can be specified multiple times,
29       the exit code is 0 if there is at least one item that succeeded. The
30       ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
31       errors are treated as succeeded. If there are issues while parsing the
32       items, then these are treated as warnings and will not change the
33       result as long as there is a succeeded one. Without any succeeded item,
34       the exit code will depend on the error codes. If there is exactly one
35       error code, then this is used. If there are more than one then
36       UNKNOWN_ERROR (254) will be used.
37
38       The following options are supported:
39
40   General Options
41       -h, --help
42           Prints a short help text and exists.
43
44       -V, --version
45           Prints the version string of firewalld and exits.
46
47       -q, --quiet
48           Do not print status messages.
49
50       --default-config
51           Path to firewalld default configuration. This usually defaults to
52           /usr/lib/firewalld.
53
54       --system-config
55           Path to firewalld system (user) configuration. This usually
56           defaults to /etc/firewalld.
57
58   Status Options
59       --enabled
60           Enable the firewall. This option is a default option and will
61           activate the firewall if not already enabled as long as the option
62           --disabled is not given.
63
64       --disabled
65           Disable the firewall by disabling the firewalld service.
66
67       --check-config
68           Run checks on the permanent (default and system) configuration.
69           This includes XML validity and semantics.
70
71           This is may be used with --system-config to check the validity of
72           handwritten configuration files before copying them to the standard
73           location.
74
75   Lokkit Compatibility Options
76       These options are nearly identical to the options of lokkit.
77
78       --migrate-system-config-firewall=file
79           Migrate system-config-firewall configuration from the given file.
80           No further
81
82       --addmodule=module
83           This option will result in a warning message and will be ignored.
84
85           Handling of netfilter helpers has been merged into services
86           completely. Adding or removing netfilter helpers outside of
87           services is therefore not needed anymore. For more information on
88           handling netfilter helpers in services, please have a look at
89           firewalld.zone(5).
90
91       --removemodule
92           This option will result in a warning message and will be ignored.
93
94           Handling of netfilter helpers has been merged into services
95           completely. Adding or removing netfilter helpers outside of
96           services is therefore not needed anymore. For more information on
97           handling netfilter helpers in services, please have a look at
98           firewalld.zone(5).
99
100       --remove-service=service
101           Remove a service from the default zone. This option can be
102           specified multiple times.
103
104           The service is one of the firewalld provided services. To get a
105           list of the supported services, use firewall-cmd --get-services.
106
107       -s service, --service=service
108           Add a service to the default zone. This option can be specified
109           multiple times.
110
111           The service is one of the firewalld provided services. To get a
112           list of the supported services, use firewall-cmd --get-services.
113
114       -p portid[-portid]:protocol, --port=portid[-portid]:protocol
115           Add the port to the default zone. This option can be specified
116           multiple times.
117
118           The port can either be a single port number or a port range
119           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
120
121       -t interface, --trust=interface
122           This option will result in a warning message.
123
124           Mark an interface as trusted. This option can be specified multiple
125           times. The interface will be bound to the trusted zone.
126
127           If the interface is used in a NetworkManager managed connection or
128           if there is an ifcfg file for this interface, the zone will be
129           changed to the zone defined in the configuration as soon as it gets
130           activated. To change the zone of a connection use
131           nm-connection-editor and set the zone to trusted, for an ifcfg
132           file, use an editor and add "ZONE=trusted". If the zone is not
133           defined in the ifcfg file, the firewalld default zone will be used.
134
135       -m interface, --masq=interface
136           This option will result in a warning message.
137
138           Masquerading will be enabled in the default zone. The interface
139           argument will be ignored. This is for IPv4 only.
140
141       --custom-rules=[type:][table:]filename
142           This option will result in a warning message and will be ignored.
143
144           Custom rule files are not supported by firewalld.
145
146       --forward-port=if=interface:port=port:proto=protocol[:toport=destination
147       port:][:toaddr=destination address]
148           This option will result in a warning message.
149
150           Add the IPv4 forward port in the default zone. This option can be
151           specified multiple times.
152
153           The port can either be a single port number portid or a port range
154           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
155           The destination address is an IP address.
156
157       --block-icmp=icmptype
158           This option will result in a warning message.
159
160           Add an ICMP block for icmptype in the default zone. This option can
161           be specified multiple times.
162
163           The icmptype is the one of the icmp types firewalld supports. To
164           get a listing of supported icmp types: firewall-cmd --get-icmptypes
165
166   Log Denied Options
167       --get-log-denied
168           Print the log denied setting.
169
170       --set-log-denied=value
171           Add logging rules right before reject and drop rules in the INPUT,
172           FORWARD and OUTPUT chains for the default rules and also final
173           reject and drop rules in zones for the configured link-layer packet
174           type. The possible values are: all, unicast, broadcast, multicast
175           and off. The default setting is off, which disables the logging.
176
177           This is a runtime and permanent change and will also reload the
178           firewall to be able to add the logging rules.
179
180   Zone Options
181       --get-default-zone
182           Print default zone for connections and interfaces.
183
184       --set-default-zone=zone
185           Set default zone for connections and interfaces where no zone has
186           been selected. Setting the default zone changes the zone for the
187           connections or interfaces, that are using the default zone.
188
189       --get-zones
190           Print predefined zones as a space separated list.
191
192       --get-services
193           Print predefined services as a space separated list.
194
195       --get-icmptypes
196           Print predefined icmptypes as a space separated list.
197
198       --get-zone-of-interface=interface
199           Print the name of the zone the interface is bound to or no zone.
200
201       --get-zone-of-source=source[/mask]|MAC|ipset:ipset
202           Print the name of the zone the source is bound to or no zone.
203
204       --info-zone=zone
205           Print information about the zone zone. The output format is:
206
207               zone
208                 interfaces: interface1 ..
209                 sources: source1 ..
210                 services: service1 ..
211                 ports: port1 ..
212                 protocols: protocol1 ..
213                 forward-ports:
214                       forward-port1
215                       ..
216                 source-ports: source-port1 ..
217                 icmp-blocks: icmp-type1 ..
218                 rich rules:
219                       rich-rule1
220                       ..
221
222
223
224       --list-all-zones
225           List everything added for or enabled in all zones. The output
226           format is:
227
228               zone1
229                 interfaces: interface1 ..
230                 sources: source1 ..
231                 services: service1 ..
232                 ports: port1 ..
233                 protocols: protocol1 ..
234                 forward-ports:
235                       forward-port1
236                       ..
237                 source-ports: source-port1 ..
238                 icmp-blocks: icmp-type1 ..
239                 rich rules:
240                       rich-rule1
241                       ..
242               ..
243
244
245
246       --new-zone=zone
247           Add a new permanent zone.
248
249           Zone names must be alphanumeric and may additionally include
250           characters: '_' and '-'.
251
252       --new-zone-from-file=filename [--name=zone]
253           Add a new permanent zone from a prepared zone file with an optional
254           name override.
255
256       --path-zone=zone
257           Print path of the zone configuration file.
258
259       --delete-zone=zone
260           Delete an existing permanent zone.
261
262       --zone=zone --set-description=description
263           Set new description to zone
264
265       --zone=zone --get-description
266           Print description for zone
267
268       --zone=zone --set-short=description
269           Set short description to zone
270
271       --zone=zone --get-short
272           Print short description for zone
273
274       --zone=zone --get-target
275           Get the target of a permanent zone.
276
277       --zone=zone --set-target=zone
278           Set the target of a permanent zone.  target is one of: default,
279           ACCEPT, DROP, REJECT
280
281           default is similar to REJECT, but has special meaning in the
282           following scenarios:
283
284            1. ICMP explicitly allowed
285
286               At the end of the zone's ruleset ICMP packets are explicitly
287               allowed.
288
289            2. forwarded packets follow the target of the egress zone
290
291               In the case of forwarded packets, if the ingress zone uses
292               default then whether or not the packet will be allowed is
293               determined by the egress zone.
294
295               For a forwarded packet that ingresses zoneA and egresses zoneB:
296
297               ·   if zoneA's target is ACCEPT, DROP, or REJECT then the
298                   packet is accepted, dropped, or rejected respectively.
299
300               ·   if zoneA's target is default, then the packet is accepted,
301                   dropped, or rejected based on zoneB's target. If zoneB's
302                   target is also default, then the packet will be rejected by
303                   firewalld's catchall reject.
304
305            3. Zone drifting from source-based zone to interface-based zone
306
307               This only applies if AllowZoneDrifting is enabled. See
308               firewalld.conf(5).
309
310               If a packet ingresses a source-based zone with a target of
311               default, it may still enter an interface-based zone (including
312               the default zone).
313
314
315   Options to Adapt and Query Zones
316       Options in this section affect only one particular zone. If used with
317       --zone=zone option, they affect the zone zone. If the option is
318       omitted, they affect default zone (see --get-default-zone).
319
320       [--zone=zone] --list-all
321           List everything added for or enabled in zone. If zone is omitted,
322           default zone will be used.
323
324       [--zone=zone] --list-services
325           List services added for zone as a space separated list. If zone is
326           omitted, default zone will be used.
327
328       [--zone=zone] --add-service=service
329           Add a service for zone. If zone is omitted, default zone will be
330           used. This option can be specified multiple times.
331
332           The service is one of the firewalld provided services. To get a
333           list of the supported services, use firewall-cmd --get-services.
334
335       [--zone=zone] --remove-service-from-zone=service
336           Remove a service from zone. This option can be specified multiple
337           times. If zone is omitted, default zone will be used.
338
339       [--zone=zone] --query-service=service
340           Return whether service has been added for zone. If zone is omitted,
341           default zone will be used. Returns 0 if true, 1 otherwise.
342
343       [--zone=zone] --list-ports
344           List ports added for zone as a space separated list. A port is of
345           the form portid[-portid]/protocol, it can be either a port and
346           protocol pair or a port range with a protocol. If zone is omitted,
347           default zone will be used.
348
349       [--zone=zone] --add-port=portid[-portid]/protocol
350           Add the port for zone. If zone is omitted, default zone will be
351           used. This option can be specified multiple times.
352
353           The port can either be a single port number or a port range
354           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
355
356       [--zone=zone] --remove-port=portid[-portid]/protocol
357           Remove the port from zone. If zone is omitted, default zone will be
358           used. This option can be specified multiple times.
359
360       [--zone=zone] --query-port=portid[-portid]/protocol
361           Return whether the port has been added for zone. If zone is
362           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
363
364       [--zone=zone] --list-protocols
365           List protocols added for zone as a space separated list. If zone is
366           omitted, default zone will be used.
367
368       [--zone=zone] --add-protocol=protocol
369           Add the protocol for zone. If zone is omitted, default zone will be
370           used. This option can be specified multiple times. If a timeout is
371           supplied, the rule will be active for the specified amount of time
372           and will be removed automatically afterwards.  timeval is either a
373           number (of seconds) or number followed by one of characters s
374           (seconds), m (minutes), h (hours), for example 20m or 1h.
375
376           The protocol can be any protocol supported by the system. Please
377           have a look at /etc/protocols for supported protocols.
378
379       [--zone=zone] --remove-protocol=protocol
380           Remove the protocol from zone. If zone is omitted, default zone
381           will be used. This option can be specified multiple times.
382
383       [--zone=zone] --query-protocol=protocol
384           Return whether the protocol has been added for zone. If zone is
385           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
386
387       [--zone=zone] --list-icmp-blocks
388           List Internet Control Message Protocol (ICMP) type blocks added for
389           zone as a space separated list. If zone is omitted, default zone
390           will be used.
391
392       [--zone=zone] --add-icmp-block=icmptype
393           Add an ICMP block for icmptype for zone. If zone is omitted,
394           default zone will be used. This option can be specified multiple
395           times.
396
397           The icmptype is the one of the icmp types firewalld supports. To
398           get a listing of supported icmp types: firewall-cmd --get-icmptypes
399
400       [--zone=zone] --remove-icmp-block=icmptype
401           Remove the ICMP block for icmptype from zone. If zone is omitted,
402           default zone will be used. This option can be specified multiple
403           times.
404
405       [--zone=zone] --query-icmp-block=icmptype
406           Return whether an ICMP block for icmptype has been added for zone.
407           If zone is omitted, default zone will be used. Returns 0 if true, 1
408           otherwise.
409
410       [--zone=zone] --list-forward-ports
411           List IPv4 forward ports added for zone as a space separated list.
412           If zone is omitted, default zone will be used.
413
414           For IPv6 forward ports, please use the rich language.
415
416       [--zone=zone]
417       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
418           Add the IPv4 forward port for zone. If zone is omitted, default
419           zone will be used. This option can be specified multiple times.
420
421           The port can either be a single port number portid or a port range
422           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
423           The destination address is a simple IP address.
424
425           For IPv6 forward ports, please use the rich language.
426
427           Note: IP forwarding will be implicitly enabled if toaddr is
428           specified.
429
430       [--zone=zone]
431       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
432           Remove the IPv4 forward port from zone. If zone is omitted, default
433           zone will be used. This option can be specified multiple times.
434
435           For IPv6 forward ports, please use the rich language.
436
437       [--zone=zone]
438       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
439           Return whether the IPv4 forward port has been added for zone. If
440           zone is omitted, default zone will be used. Returns 0 if true, 1
441           otherwise.
442
443           For IPv6 forward ports, please use the rich language.
444
445       [--zone=zone] --list-source-ports
446           List source ports added for zone as a space separated list. A port
447           is of the form portid[-portid]/protocol. If zone is omitted,
448           default zone will be used.
449
450       [--zone=zone] --add-source-port=portid[-portid]/protocol
451           Add the source port for zone. If zone is omitted, default zone will
452           be used. This option can be specified multiple times. If a timeout
453           is supplied, the rule will be active for the specified amount of
454           time and will be removed automatically afterwards.
455
456           The port can either be a single port number or a port range
457           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
458
459       [--zone=zone] --remove-source-port=portid[-portid]/protocol
460           Remove the source port from zone. If zone is omitted, default zone
461           will be used. This option can be specified multiple times.
462
463       [--zone=zone] --query-source-port=portid[-portid]/protocol
464           Return whether the source port has been added for zone. If zone is
465           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
466
467       [--zone=zone] --add-masquerade
468           Enable IPv4 masquerade for zone. If zone is omitted, default zone
469           will be used. Masquerading is useful if the machine is a router and
470           machines connected over an interface in another zone should be able
471           to use the first connection.
472
473           For IPv6 masquerading, please use the rich language.
474
475           Note: IP forwarding will be implicitly enabled.
476
477       [--zone=zone] --remove-masquerade
478           Disable IPv4 masquerade for zone. If zone is omitted, default zone
479           will be used.
480
481           For IPv6 masquerading, please use the rich language.
482
483       [--zone=zone] --query-masquerade
484           Return whether IPv4 masquerading has been enabled for zone. If zone
485           is omitted, default zone will be used. Returns 0 if true, 1
486           otherwise.
487
488           For IPv6 masquerading, please use the rich language.
489
490       [--zone=zone] --list-rich-rules
491           List rich language rules added for zone as a newline separated
492           list. If zone is omitted, default zone will be used.
493
494       [--zone=zone] --add-rich-rule='rule'
495           Add rich language rule 'rule' for zone. This option can be
496           specified multiple times. If zone is omitted, default zone will be
497           used.
498
499           For the rich language rule syntax, please have a look at
500           firewalld.richlanguage(5).
501
502       [--zone=zone] --remove-rich-rule='rule'
503           Remove rich language rule 'rule' from zone. This option can be
504           specified multiple times. If zone is omitted, default zone will be
505           used.
506
507           For the rich language rule syntax, please have a look at
508           firewalld.richlanguage(5).
509
510       [--zone=zone] --query-rich-rule='rule'
511           Return whether a rich language rule 'rule' has been added for zone.
512           If zone is omitted, default zone will be used. Returns 0 if true, 1
513           otherwise.
514
515           For the rich language rule syntax, please have a look at
516           firewalld.richlanguage(5).
517
518   Options to Handle Bindings of Interfaces
519       Binding an interface to a zone means that this zone settings are used
520       to restrict traffic via the interface.
521
522       Options in this section affect only one particular zone. If used with
523       --zone=zone option, they affect the zone zone. If the option is
524       omitted, they affect default zone (see --get-default-zone).
525
526       For a list of predefined zones use firewall-cmd --get-zones.
527
528       An interface name is a string up to 16 characters long, that may not
529       contain ' ', '/', '!' and '*'.
530
531       [--zone=zone] --list-interfaces
532           List interfaces that are bound to zone zone as a space separated
533           list. If zone is omitted, default zone will be used.
534
535       [--zone=zone] --add-interface=interface
536           Bind interface interface to zone zone. If zone is omitted, default
537           zone will be used.
538
539       [--zone=zone] --change-interface=interface
540           Change zone the interface interface is bound to to zone zone. If
541           zone is omitted, default zone will be used. If old and new zone are
542           the same, the call will be ignored without an error. If the
543           interface has not been bound to a zone before, it will behave like
544           --add-interface.
545
546       [--zone=zone] --query-interface=interface
547           Query whether interface interface is bound to zone zone. Returns 0
548           if true, 1 otherwise.
549
550       [--zone=zone] --remove-interface=interface
551           Remove binding of interface interface from zone zone. If zone is
552           omitted, default zone will be used.
553
554   Options to Handle Bindings of Sources
555       Binding a source to a zone means that this zone settings will be used
556       to restrict traffic from this source.
557
558       A source address or address range is either an IP address or a network
559       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
560       with the ipset: prefix. For IPv4, the mask can be a network mask or a
561       plain number. For IPv6 the mask is a plain number. The use of host
562       names is not supported.
563
564       Options in this section affect only one particular zone. If used with
565       --zone=zone option, they affect the zone zone. If the option is
566       omitted, they affect default zone (see --get-default-zone).
567
568       For a list of predefined zones use firewall-cmd --get-zones.
569
570       [--zone=zone] --list-sources
571           List sources that are bound to zone zone as a space separated list.
572           If zone is omitted, default zone will be used.
573
574       [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
575           Bind the source to zone zone. If zone is omitted, default zone will
576           be used.
577
578       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
579           Change zone the source is bound to to zone zone. If zone is
580           omitted, default zone will be used. If old and new zone are the
581           same, the call will be ignored without an error. If the source has
582           not been bound to a zone before, it will behave like --add-source.
583
584       [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
585           Query whether the source is bound to the zone zone. Returns 0 if
586           true, 1 otherwise.
587
588       [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
589           Remove binding of the source from zone zone. If zone is omitted,
590           default zone will be used.
591
592   IPSet Options
593       --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
594           Add a new permanent ipset with specifying the type and optional
595           options.
596
597           ipset names must be alphanumeric and may additionally include
598           characters: '_' and '-'.
599
600       --new-ipset-from-file=filename [--name=ipset]
601           Add a new permanent ipset from a prepared ipset file with an
602           optional name override.
603
604       --delete-ipset=ipset
605           Delete an existing permanent ipset.
606
607       --info-ipset=ipset
608           Print information about the ipset ipset. The output format is:
609
610               ipset
611                 type: type
612                 options: option1[=value1] ..
613                 entries: entry1 ..
614
615
616
617       --get-ipsets
618           Print predefined ipsets as a space separated list.
619
620       --ipset=ipset --add-entry=entry
621           Add a new entry to the ipset.
622
623       --ipset=ipset --remove-entry=entry
624           Remove an entry from the ipset.
625
626       --ipset=ipset --query-entry=entry
627           Return whether the entry has been added to an ipset. Returns 0 if
628           true, 1 otherwise.
629
630       --ipset=ipset --get-entries
631           List all entries of the ipset.
632
633       --ipset=ipset --add-entries-from-file=filename
634           Add a new entries to the ipset from the file. For all entries that
635           are listed in the file but already in the ipset, a warning will be
636           printed.
637
638           The file should contain an entry per line. Lines starting with an
639           hash or semicolon are ignored. Also empty lines.
640
641       --ipset=ipset --remove-entries-from-file=filename
642           Remove existing entries from the ipset from the file. For all
643           entries that are listed in the file but not in the ipset, a warning
644           will be printed.
645
646           The file should contain an entry per line. Lines starting with an
647           hash or semicolon are ignored. Also empty lines.
648
649       --ipset=ipset --set-description=description
650           Set new description to ipset
651
652       --ipset=ipset --get-description
653           Print description for ipset
654
655       --ipset=ipset --set-short=description
656           Set new short description to ipset
657
658       --ipset=ipset --get-short
659           Print short description for ipset
660
661       --path-ipset=ipset
662           Print path of the ipset configuration file.
663
664   Service Options
665       --info-service=service
666           Print information about the service service. The output format is:
667
668               service
669                 ports: port1 ..
670                 protocols: protocol1 ..
671                 source-ports: source-port1 ..
672                 helpers: helper1 ..
673                 destination: ipv1:address1 ..
674
675
676
677       --new-service=service
678           Add a new permanent service.
679
680           Service names must be alphanumeric and may additionally include
681           characters: '_' and '-'.
682
683       --new-service-from-file=filename [--name=service]
684           Add a new permanent service from a prepared service file with an
685           optional name override.
686
687       --delete-service=service
688           Delete an existing permanent service.
689
690       --path-service=service
691           Print path of the service configuration file.
692
693       --service=service --set-description=description
694           Set new description to service
695
696       --service=service --get-description
697           Print description for service
698
699       --service=service --set-short=description
700           Set short description to service
701
702       --service=service --get-short
703           Print short description for service
704
705       --service=service --add-port=portid[-portid]/protocol
706           Add a new port to the permanent service.
707
708       --service=service --remove-port=portid[-portid]/protocol
709           Remove a port from the permanent service.
710
711       --service=service --query-port=portid[-portid]/protocol
712           Return wether the port has been added to the permanent service.
713
714       --service=service --get-ports
715           List ports added to the permanent service.
716
717       --service=service --add-protocol=protocol
718           Add a new protocol to the permanent service.
719
720       --service=service --remove-protocol=protocol
721           Remove a protocol from the permanent service.
722
723       --service=service --query-protocol=protocol
724           Return wether the protocol has been added to the permanent service.
725
726       --service=service --get-protocols
727           List protocols added to the permanent service.
728
729       --service=service --add-source-port=portid[-portid]/protocol
730           Add a new source port to the permanent service.
731
732       --service=service --remove-source-port=portid[-portid]/protocol
733           Remove a source port from the permanent service.
734
735       --service=service --query-source-port=portid[-portid]/protocol
736           Return wether the source port has been added to the permanent
737           service.
738
739       --service=service --get-source-ports
740           List source ports added to the permanent service.
741
742       --service=service --add-helper=helper
743           Add a new helper to the permanent service.
744
745       --service=service --remove-helper=helper
746           Remove a helper from the permanent service.
747
748       --service=service --query-helper=helper
749           Return wether the helper has been added to the permanent service.
750
751       --service=service --get-service-helpers
752           List helpers added to the permanent service.
753
754       --service=service --set-destination=ipv:address[/mask]
755           Set destination for ipv to address[/mask] in the permanent service.
756
757       --service=service --remove-destination=ipv
758           Remove the destination for ipv from the permanent service.
759
760       --service=service --query-destination=ipv:address[/mask]
761           Return wether the destination ipv to address[/mask] has been set in
762           the permanent service.
763
764       --service=service --get-destinations
765           List destinations added to the permanent service.
766
767       --service=service --add-include=service
768           Add a new include to the permanent service.
769
770       --service=service --remove-include=service
771           Remove a include from the permanent service.
772
773       --service=service --query-include=service
774           Return wether the include has been added to the permanent service.
775
776       --service=service --get-includes
777           List includes added to the permanent service.
778
779   Helper Options
780       Options in this section affect only one particular helper.
781
782       --info-helper=helper
783           Print information about the helper helper. The output format is:
784
785               helper
786                 family: family
787                 module: module
788                 ports: port1 ..
789
790
791
792       The following options are only usable in the permanent configuration.
793
794       --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
795           Add a new permanent helper with module and optionally family
796           defined.
797
798           Helper names must be alphanumeric and may additionally include
799           characters: '-'.
800
801       --new-helper-from-file=filename [--name=helper]
802           Add a new permanent helper from a prepared helper file with an
803           optional name override.
804
805       --delete-helper=helper
806           Delete an existing permanent helper.
807
808       --load-helper-defaults=helper
809           Load helper default settings or report NO_DEFAULTS error.
810
811       --path-helper=helper
812           Print path of the helper configuration file.
813
814       --get-helpers
815           Print predefined helpers as a space separated list.
816
817       --helper=helper --set-description=description
818           Set new description to helper
819
820       --helper=helper --get-description
821           Print description for helper
822
823       --helper=helper --set-short=description
824           Set short description to helper
825
826       --helper=helper --get-short
827           Print short description for helper
828
829       --helper=helper --add-port=portid[-portid]/protocol
830           Add a new port to the permanent helper.
831
832       --helper=helper --remove-port=portid[-portid]/protocol
833           Remove a port from the permanent helper.
834
835       --helper=helper --query-port=portid[-portid]/protocol
836           Return wether the port has been added to the permanent helper.
837
838       --helper=helper --get-ports
839           List ports added to the permanent helper.
840
841       --helper=helper --set-module=description
842           Set module description for helper
843
844       --helper=helper --get-module
845           Print module description for helper
846
847       --helper=helper --set-family=description
848           Set family description for helper
849
850       --helper=helper --get-family
851           Print family description of helper
852
853   Internet Control Message Protocol (ICMP) type Options
854       --info-icmptype=icmptype
855           Print information about the icmptype icmptype. The output format
856           is:
857
858               icmptype
859                 destination: ipv1 ..
860
861
862
863       --new-icmptype=icmptype
864           Add a new permanent icmptype.
865
866           ICMP type names must be alphanumeric and may additionally include
867           characters: '_' and '-'.
868
869       --new-icmptype-from-file=filename [--name=icmptype]
870           Add a new permanent icmptype from a prepared icmptype file with an
871           optional name override.
872
873       --delete-icmptype=icmptype
874           Delete an existing permanent icmptype.
875
876       --icmptype=icmptype --set-description=description
877           Set new description to icmptype
878
879       --icmptype=icmptype --get-description
880           Print description for icmptype
881
882       --icmptype=icmptype --set-short=description
883           Set short description to icmptype
884
885       --icmptype=icmptype --get-short
886           Print short description for icmptype
887
888       --icmptype=icmptype --add-destination=ipv
889           Enable destination for ipv in permanent icmptype. ipv is one of
890           ipv4 or ipv6.
891
892       --icmptype=icmptype --remove-destination=ipv
893           Disable destination for ipv in permanent icmptype. ipv is one of
894           ipv4 or ipv6.
895
896       --icmptype=icmptype --query-destination=ipv
897           Return whether destination for ipv is enabled in permanent
898           icmptype. ipv is one of ipv4 or ipv6.
899
900       --icmptype=icmptype --get-destinations
901           List destinations in permanent icmptype.
902
903       --path-icmptype=icmptype
904           Print path of the icmptype configuration file.
905
906   Direct Options
907       The direct options give a more direct access to the firewall. These
908       options require user to know basic iptables concepts, i.e.  table
909       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
910       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
911       (ACCEPT/DROP/REJECT/...).
912
913       Direct options should be used only as a last resort when it's not
914       possible to use for example --add-service=service or
915       --add-rich-rule='rule'.
916
917       Warning: Direct rules behavior is different depending on the value of
918       FirewallBackend. See CAVEATS in firewalld.direct(5).
919
920       The first argument of each option has to be ipv4 or ipv6 or eb. With
921       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
922       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
923
924       --direct --get-all-chains
925           Get all chains added to all tables.
926
927           This option concerns only chains previously added with --direct
928           --add-chain.
929
930       --direct --get-chains { ipv4 | ipv6 | eb } table
931           Get all chains added to table table as a space separated list.
932
933           This option concerns only chains previously added with --direct
934           --add-chain.
935
936       --direct --add-chain { ipv4 | ipv6 | eb } table chain
937           Add a new chain with name chain to table table.
938
939           There already exist basic chains to use with direct options, for
940           example INPUT_direct chain (see iptables-save | grep direct output
941           for all of them). These chains are jumped into before chains for
942           zones, i.e. every rule put into INPUT_direct will be checked before
943           rules in zones.
944
945       --direct --remove-chain { ipv4 | ipv6 | eb } table chain
946           Remove the chain with name chain from table table.
947
948       --direct --query-chain { ipv4 | ipv6 | eb } table chain
949           Return whether a chain with name chain exists in table table.
950           Returns 0 if true, 1 otherwise.
951
952           This option concerns only chains previously added with --direct
953           --add-chain.
954
955       --direct --get-all-rules
956           Get all rules added to all chains in all tables as a newline
957           separated list of the priority and arguments.
958
959       --direct --get-rules { ipv4 | ipv6 | eb } table chain
960           Get all rules added to chain chain in table table as a newline
961           separated list of the priority and arguments.
962
963       --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
964           Add a rule with the arguments args to chain chain in table table
965           with priority priority.
966
967           The priority is used to order rules. Priority 0 means add rule on
968           top of the chain, with a higher priority the rule will be added
969           further down. Rules with the same priority are on the same level
970           and the order of these rules is not fixed and may change. If you
971           want to make sure that a rule will be added after another one, use
972           a low priority for the first and a higher for the following.
973
974       --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
975           Remove a rule with priority and the arguments args from chain chain
976           in table table.
977
978       --direct --remove-rules { ipv4 | ipv6 | eb } table chain
979           Remove all rules in the chain with name chain exists in table
980           table.
981
982           This option concerns only rules previously added with --direct
983           --add-rule in this chain.
984
985       --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
986           Return whether a rule with priority and the arguments args exists
987           in chain chain in table table. Returns 0 if true, 1 otherwise.
988
989       --direct --get-all-passthroughs
990           Get all permanent passthrough as a newline separated list of the
991           ipv value and arguments.
992
993       --direct --get-passthroughs { ipv4 | ipv6 | eb }
994           Get all permanent passthrough rules for the ipv value as a newline
995           separated list of the priority and arguments.
996
997       --direct --add-passthrough { ipv4 | ipv6 | eb } args
998           Add a permanent passthrough rule with the arguments args for the
999           ipv value.
1000
1001       --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1002           Remove a permanent passthrough rule with the arguments args for the
1003           ipv value.
1004
1005       --direct --query-passthrough { ipv4 | ipv6 | eb } args
1006           Return whether a permanent passthrough rule with the arguments args
1007           exists for the ipv value. Returns 0 if true, 1 otherwise.
1008
1009   Lockdown Options
1010       Local applications or services are able to change the firewall
1011       configuration if they are running as root (example: libvirt) or are
1012       authenticated using PolicyKit. With this feature administrators can
1013       lock the firewall configuration so that only applications on lockdown
1014       whitelist are able to request firewall changes.
1015
1016       The lockdown access check limits D-Bus methods that are changing
1017       firewall rules. Query, list and get methods are not limited.
1018
1019       The lockdown feature is a very light version of user and application
1020       policies for firewalld and is turned off by default.
1021
1022       --lockdown-on
1023           Enable lockdown. Be careful - if firewall-cmd is not on lockdown
1024           whitelist when you enable lockdown you won't be able to disable it
1025           again with firewall-cmd, you would need to edit firewalld.conf.
1026
1027       --lockdown-off
1028           Disable lockdown.
1029
1030       --query-lockdown
1031           Query whether lockdown is enabled. Returns 0 if lockdown is
1032           enabled, 1 otherwise.
1033
1034   Lockdown Whitelist Options
1035       The lockdown whitelist can contain commands, contexts, users and user
1036       ids.
1037
1038       If a command entry on the whitelist ends with an asterisk '*', then all
1039       command lines starting with the command will match. If the '*' is not
1040       there the absolute command inclusive arguments must match.
1041
1042       Commands for user root and others is not always the same. Example: As
1043       root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd
1044       is be used on Fedora.
1045
1046       The context is the security (SELinux) context of a running application
1047       or service. To get the context of a running application use ps -e
1048       --context.
1049
1050       Warning: If the context is unconfined, then this will open access for
1051       more than the desired application.
1052
1053       The lockdown whitelist entries are checked in the following order:
1054           1. context
1055           2. uid
1056           3. user
1057           4. command
1058
1059       --list-lockdown-whitelist-commands
1060           List all command lines that are on the whitelist.
1061
1062       --add-lockdown-whitelist-command=command
1063           Add the command to the whitelist.
1064
1065       --remove-lockdown-whitelist-command=command
1066           Remove the command from the whitelist.
1067
1068       --query-lockdown-whitelist-command=command
1069           Query whether the command is on the whitelist. Returns 0 if true, 1
1070           otherwise.
1071
1072       --list-lockdown-whitelist-contexts
1073           List all contexts that are on the whitelist.
1074
1075       --add-lockdown-whitelist-context=context
1076           Add the context context to the whitelist.
1077
1078       --remove-lockdown-whitelist-context=context
1079           Remove the context from the whitelist.
1080
1081       --query-lockdown-whitelist-context=context
1082           Query whether the context is on the whitelist. Returns 0 if true, 1
1083           otherwise.
1084
1085       --list-lockdown-whitelist-uids
1086           List all user ids that are on the whitelist.
1087
1088       --add-lockdown-whitelist-uid=uid
1089           Add the user id uid to the whitelist.
1090
1091       --remove-lockdown-whitelist-uid=uid
1092           Remove the user id uid from the whitelist.
1093
1094       --query-lockdown-whitelist-uid=uid
1095           Query whether the user id uid is on the whitelist. Returns 0 if
1096           true, 1 otherwise.
1097
1098       --list-lockdown-whitelist-users
1099           List all user names that are on the whitelist.
1100
1101       --add-lockdown-whitelist-user=user
1102           Add the user name user to the whitelist.
1103
1104       --remove-lockdown-whitelist-user=user
1105           Remove the user name user from the whitelist.
1106
1107       --query-lockdown-whitelist-user=user
1108           Query whether the user name user is on the whitelist. Returns 0 if
1109           true, 1 otherwise.
1110
1111   Policy Options
1112       --policy-server
1113           Change Polkit actions to 'server' (more restricted)
1114
1115       --policy-desktop
1116           Change Polkit actions to 'desktop' (less restricted)
1117

SEE ALSO

1119       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1120       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1121       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1122       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1123       firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1124       firewalld.helper(5)
1125

NOTES

1127       firewalld home page:
1128           http://firewalld.org
1129
1130       More documentation with examples:
1131           http://fedoraproject.org/wiki/FirewallD
1132

AUTHORS

1134       Thomas Woerner <twoerner@redhat.com>
1135           Developer
1136
1137       Jiri Popelka <jpopelka@redhat.com>
1138           Developer
1139
1140       Eric Garver <eric@garver.life>
1141           Developer
1142
1143
1144
1145firewalld 0.8.6                                          FIREWALL-OFFLINE-C(1)
Impressum