FIREWALL-OFFLINE-C(1)        firewall-offline-cmd        FIREWALL-OFFLINE-C(1)

NAME

       firewall-offline-cmd - firewalld offline command line client

SYNOPSIS

       firewall-offline-cmd [OPTIONS...]

DESCRIPTION

       firewall-offline-cmd is an offline command line client of the firewalld
       daemon. It should be used only if the firewalld service is not running,
       for example to migrate from system-config-firewall/lokkit or in the
       install environment to configure firewall settings with kickstart.

       Some lokkit options cannot be automatically converted for firewalld;
       they will result in an error or warning message. This tool tries to
       convert as much as possible, but there are limitations, for example with
       custom rules, modules and masquerading.

       Check the firewall configuration after using this tool.

OPTIONS

       If no options are given, configuration from
       /etc/sysconfig/system-config-firewall will be migrated.

       Sequence options are options that can be specified multiple times; the
       exit code is 0 if there is at least one item that succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
       errors are treated as succeeded. If there are issues while parsing the
       items, then these are treated as warnings and will not change the
       result as long as there is a succeeded one. Without any succeeded item,
       the exit code will depend on the error codes. If there is exactly one
       error code, then this is used. If there are more than one, then
       UNKNOWN_ERROR (254) will be used.
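       The exit-code rule above, carried through as an added worked example
       (not firewalld's own code): per-item outcomes are modelled as integers,
       with None standing for an item that could not be parsed. Reading
       "exactly one error code" as one distinct code is an assumption.

```python
# Added example, not part of firewalld: models the exit-code rule this man
# page gives for sequence options (options that may be specified several
# times).  Each item's outcome is an int: 0 for success, otherwise the error
# code firewalld reported.  None stands for an item that could not be parsed.

ALREADY_ENABLED = 11
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254

# Error codes the page says are treated as "succeeded" for sequence options.
TREATED_AS_SUCCESS = frozenset({ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET})


def sequence_exit_code(results):
    """Return the exit code for one sequence option given its item results."""
    succeeded = False
    errors = []
    for r in results:
        if r is None:
            # Parse problem: only a warning, it never changes the result.
            continue
        if r == 0 or r in TREATED_AS_SUCCESS:
            succeeded = True
        else:
            errors.append(r)
    if succeeded:
        return 0
    # Nothing succeeded: the result depends on the error codes seen.
    # Assumption: "exactly one error code" is read as one distinct code, so
    # the same error repeated for several items still yields that code.
    distinct = set(errors)
    if len(distinct) == 1:
        return distinct.pop()
    # More than one distinct code (or, a corner case the page leaves
    # undefined, none at all because every item was unparsable).
    return UNKNOWN_ERROR


# Constructed outcomes: 13 and 14 are placeholders for two arbitrary error
# codes, not codes taken from firewalld.
if __name__ == "__main__":
    print(sequence_exit_code([0, 13]))                # one item succeeded
    print(sequence_exit_code([13, ALREADY_ENABLED]))  # 11 counts as success
    print(sequence_exit_code([13, None]))             # warning does not count
    print(sequence_exit_code([13, 14]))               # two distinct codes
```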

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Prints the version string of firewalld and exits.

       -q, --quiet
           Do not print status messages.

       --default-config
           Path to firewalld default configuration. This usually defaults to
           /usr/lib/firewalld.

       --system-config
           Path to firewalld system (user) configuration. This usually
           defaults to /etc/firewalld.

   Status Options
       --enabled
           Enable the firewall. This option is a default option and will
           activate the firewall if not already enabled as long as the option
           --disabled is not given.

       --disabled
           Disable the firewall by disabling the firewalld service.

       --check-config
           Run checks on the permanent (default and system) configuration.
           This includes XML validity and semantics.

           This may be used with --system-config to check the validity of
           handwritten configuration files before copying them to the standard
           location.

   Lokkit Compatibility Options
       These options are nearly identical to the options of lokkit.

       --migrate-system-config-firewall=file
           Migrate system-config-firewall configuration from the given file.
           No further

       --addmodule=module
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --removemodule
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --remove-service=service
           Remove a service from the default zone. This option can be
           specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -s service, --service=service
           Add a service to the default zone. This option can be specified
           multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -p portid[-portid]:protocol, --port=portid[-portid]:protocol
           Add the port to the default zone. This option can be specified
           multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       -t interface, --trust=interface
           This option will result in a warning message.

           Mark an interface as trusted. This option can be specified multiple
           times. The interface will be bound to the trusted zone.

           If the interface is used in a NetworkManager managed connection or
           if there is an ifcfg file for this interface, the zone will be
           changed to the zone defined in the configuration as soon as it gets
           activated. To change the zone of a connection use
           nm-connection-editor and set the zone to trusted; for an ifcfg
           file, use an editor and add "ZONE=trusted". If the zone is not
           defined in the ifcfg file, the firewalld default zone will be used.

       -m interface, --masq=interface
           This option will result in a warning message.

           Masquerading will be enabled in the default zone. The interface
           argument will be ignored. This is for IPv4 only.

       --custom-rules=[type:][table:]filename
           This option will result in a warning message and will be ignored.

           Custom rule files are not supported by firewalld.

       --forward-port=if=interface:port=port:proto=protocol[:toport=destination
       port:][:toaddr=destination address]
           This option will result in a warning message.

           Add the IPv4 forward port in the default zone. This option can be
           specified multiple times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is an IP address.

       --block-icmp=icmptype
           This option will result in a warning message.

           Add an ICMP block for icmptype in the default zone. This option can
           be specified multiple times.

           The icmptype is one of the icmp types firewalld supports. To get a
           listing of supported icmp types: firewall-cmd --get-icmptypes

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Zone Options
       --get-default-zone
           Print default zone for connections and interfaces.

       --set-default-zone=zone
           Set default zone for connections and interfaces where no zone has
           been selected. Setting the default zone changes the zone for the
           connections or interfaces that are using the default zone.

       --get-zones
           Print predefined zones as a space separated list.

       --get-services
           Print predefined services as a space separated list.

       --get-icmptypes
           Print predefined icmptypes as a space separated list.

       --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to or no zone.

       --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to or no zone.

       --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..

       --new-zone=zone
           Add a new permanent zone.

           Zone names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --path-zone=zone
           Print path of the zone configuration file.

       --delete-zone=zone
           Delete an existing permanent zone.

   Policy Options
       --get-policies
           Print predefined policies as a space separated list.

       --info-policy=policy
           Print information about the policy policy.

       --list-all-policies
           List everything added for or enabled in all policies.

       --new-policy=policy
           Add a new permanent policy.

           Policy names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-policy-from-file=filename [--name=policy]
           Add a new permanent policy from a prepared policy file with an
           optional name override.

       --path-policy=policy
           Print path of the policy configuration file.

       --delete-policy=policy
           Delete an existing permanent policy.

       --load-policy-defaults=policy
           Load the shipped defaults for a policy. Only applies to policies
           shipped with firewalld. Does not apply to user defined policies.

   Options to Adapt and Query Zones and Policies
       Options in this section affect only one particular zone or policy. If
       used with the --zone=zone or --policy=policy option, they affect the
       specified zone or policy. If both options are omitted, they affect the
       default zone (see --get-default-zone).

       [--zone=zone] [--policy=policy] --list-all
           List everything added or enabled.

       [--zone=zone] [--policy=policy] --get-target
           Get the target.

       [--zone=zone] [--policy=policy] --set-target=target
           Set the target.

           For zones target is one of: default, ACCEPT, DROP, REJECT

           For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but has special meaning in the
           following scenarios:

            1. ICMP explicitly allowed

               At the end of the zone's ruleset ICMP packets are explicitly
               allowed.

            2. forwarded packets follow the target of the egress zone

               In the case of forwarded packets, if the ingress zone uses
               default then whether or not the packet will be allowed is
               determined by the egress zone.

               For a forwarded packet that ingresses zoneA and egresses zoneB:

               •   if zoneA's target is ACCEPT, DROP, or REJECT then the
                   packet is accepted, dropped, or rejected respectively.

               •   if zoneA's target is default, then the packet is accepted,
                   dropped, or rejected based on zoneB's target. If zoneB's
                   target is also default, then the packet will be rejected by
                   firewalld's catchall reject.

            3. Zone drifting from source-based zone to interface-based zone

               This only applies if AllowZoneDrifting is enabled. See
               firewalld.conf(5).

               If a packet ingresses a source-based zone with a target of
               default, it may still enter an interface-based zone (including
               the default zone).

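       The forwarding rules of scenario 2, carried through as an added example
       (not firewalld code): forward_verdict() gives the verdict for a packet
       that ingresses zoneA and egresses zoneB from the two zones' targets, and
       forward_verdict_table() tabulates it for a constructed set of zones so
       the effect of a target choice can be reviewed before it is applied.

```python
# Added example, not firewalld code: resolves the verdict for a forwarded
# packet from the targets of its ingress and egress zones, following the
# "default" target rules in scenario 2 above.

ZONE_TARGETS = ("default", "ACCEPT", "DROP", "REJECT")


def forward_verdict(ingress_target, egress_target):
    """Verdict (ACCEPT, DROP or REJECT) for a packet ingressing a zone with
    target ingress_target and egressing a zone with target egress_target."""
    for t in (ingress_target, egress_target):
        if t not in ZONE_TARGETS:
            raise ValueError("not a zone target: %r" % (t,))
    if ingress_target != "default":
        # Explicit ingress target: accepted, dropped or rejected right there.
        return ingress_target
    if egress_target != "default":
        # Ingress is default, so the egress zone's target decides.
        return egress_target
    # Both default: nothing accepts the packet, firewalld's catchall rejects.
    return "REJECT"


def forward_verdict_table(zone_targets):
    """Map every (ingress_zone, egress_zone) pair of distinct zones to its
    verdict.  zone_targets: {zone name: target}.  Same-zone pairs are left
    out: intra-zone forwarding is a separate setting (--add-forward)."""
    return {
        (a, b): forward_verdict(ta, tb)
        for a, ta in zone_targets.items()
        for b, tb in zone_targets.items()
        if a != b
    }


# Constructed zone set; only the targets matter for the verdict.
SAMPLE_ZONES = {"public": "default", "dmz": "default",
                "trusted": "ACCEPT", "block": "REJECT"}

if __name__ == "__main__":
    table = forward_verdict_table(SAMPLE_ZONES)
    for (src, dst), verdict in sorted(table.items()):
        print("%-8s -> %-8s %s" % (src, dst, verdict))
```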
       [--zone=zone] [--policy=policy] --set-description=description
           Set description.

       [--zone=zone] [--policy=policy] --get-description
           Print description.

       [--zone=zone] [--policy=policy] --set-short=description
           Set short description.

       [--zone=zone] [--policy=policy] --get-short
           Print short description.

       [--zone=zone] [--policy=policy] --list-services
           List services added as a space separated list.

       [--zone=zone] [--policy=policy] --add-service=service
           Add a service. This option can be specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       [--zone=zone] --remove-service-from-zone=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, default zone will be used.

       [--policy=policy] --remove-service-from-policy=service
           Remove a service from policy. This option can be specified multiple
           times.

       [--zone=zone] [--policy=policy] --query-service=service
           Return whether service has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-ports
           List ports added as a space separated list. A port is of the form
           portid[-portid]/protocol; it can be either a port and protocol pair
           or a port range with a protocol.

       [--zone=zone] [--policy=policy] --add-port=portid[-portid]/protocol
           Add the port. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] [--policy=policy] --remove-port=portid[-portid]/protocol
           Remove the port. This option can be specified multiple times.

       [--zone=zone] [--policy=policy] --query-port=portid[-portid]/protocol
           Return whether the port has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-protocols
           List protocols added as a space separated list.

       [--zone=zone] [--policy=policy] --add-protocol=protocol
           Add the protocol. This option can be specified multiple times.
           timeval is either a number (of seconds) or number followed by one
           of characters s (seconds), m (minutes), h (hours), for example 20m
           or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

       [--zone=zone] [--policy=policy] --remove-protocol=protocol
           Remove the protocol. This option can be specified multiple times.

       [--zone=zone] [--policy=policy] --query-protocol=protocol
           Return whether the protocol has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added as
           a space separated list.

       [--zone=zone] [--policy=policy] --add-icmp-block=icmptype
           Add an ICMP block for icmptype. This option can be specified
           multiple times.

           The icmptype is one of the icmp types firewalld supports. To get a
           listing of supported icmp types: firewall-cmd --get-icmptypes

       [--zone=zone] [--policy=policy] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype. This option can be specified
           multiple times.

       [--zone=zone] [--policy=policy] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added. Returns 0
           if true, 1 otherwise.

       [--zone=zone] [--policy=policy] --list-forward-ports
           List IPv4 forward ports added as a space separated list.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Add the IPv4 forward port. This option can be specified multiple
           times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

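       An added parser (not firewalld's own code) for the argument syntax of
       --add-forward-port and for the portid[-portid]/protocol form used by
       --add-port, useful for checking option values before they go into a
       kickstart or migration script. Requiring at least one of toport or
       toaddr is an assumption this example adds; the page does not state it.

```python
# Added example, not firewalld code: validates the argument syntax this page
# gives for --add-forward-port,
#   port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
# and the portid[-portid]/protocol form used by --add-port.

import ipaddress

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")   # the protocols the page allows


def parse_port_range(spec):
    """'80' -> (80, 80); '8000-8080' -> (8000, 8080).  ValueError otherwise."""
    low, sep, high = spec.partition("-")
    start = int(low)
    end = int(high) if sep else start
    if not 1 <= start <= end <= 65535:
        raise ValueError("bad port or port range: %r" % spec)
    return start, end


def parse_port(spec):
    """'443/tcp' -> ((443, 443), 'tcp'): the --add-port argument form."""
    ports, sep, proto = spec.partition("/")
    if not sep or proto not in PROTOCOLS:
        raise ValueError("expected portid[-portid]/protocol: %r" % spec)
    return parse_port_range(ports), proto


def parse_forward_port(spec):
    """Return {'port': (lo, hi), 'proto': p[, 'toport': (lo, hi)][, 'toaddr': a]}."""
    fields = {}
    for item in spec.split(":"):
        key, sep, value = item.partition("=")
        if not sep or key in fields:
            raise ValueError("malformed or repeated field: %r" % item)
        fields[key] = value
    unknown = set(fields) - {"port", "proto", "toport", "toaddr"}
    if unknown:
        raise ValueError("unknown fields: %s" % sorted(unknown))
    if "port" not in fields or "proto" not in fields:
        raise ValueError("port= and proto= are mandatory: %r" % spec)
    if "toport" not in fields and "toaddr" not in fields:
        # Assumption (not stated on this page): a forward with neither a
        # destination port nor a destination address does nothing useful.
        raise ValueError("toport= and/or toaddr= is needed: %r" % spec)
    if fields["proto"] not in PROTOCOLS:
        raise ValueError("protocol must be one of %s" % ", ".join(PROTOCOLS))
    result = {"port": parse_port_range(fields["port"]), "proto": fields["proto"]}
    if "toport" in fields:
        result["toport"] = parse_port_range(fields["toport"])
    if "toaddr" in fields:
        # IPv4 only, as the page states (IPv6 forwards use the rich language);
        # strict=False accepts a host address with or without a mask.
        ipaddress.IPv4Network(fields["toaddr"], strict=False)
        result["toaddr"] = fields["toaddr"]
    return result


if __name__ == "__main__":
    print(parse_port("8000-8080/udp"))
    print(parse_forward_port("port=80:proto=tcp:toport=8080:toaddr=10.0.0.5"))
```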
       [--zone=zone] [--policy=policy]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added. Returns 0 if
           true, 1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy] --list-source-ports
           List source ports added as a space separated list. A port is of the
           form portid[-portid]/protocol.

       [--zone=zone] [--policy=policy]
       --add-source-port=portid[-portid]/protocol
           Add the source port. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] [--policy=policy]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port. This option can be specified multiple
           times.

       [--zone=zone] [--policy=policy]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --add-masquerade
           Enable IPv4 masquerade. Masquerading is useful if the machine is a
           router and machines connected over an interface in another zone
           should be able to use the first connection.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--zone=zone] [--policy=policy] --remove-masquerade
           Disable IPv4 masquerade.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] [--policy=policy] --query-masquerade
           Return whether IPv4 masquerading has been enabled. Returns 0 if
           true, 1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] [--policy=policy] --list-rich-rules
           List rich language rules added as a newline separated list.

       [--zone=zone] [--policy=policy] --add-rich-rule='rule'
           Add rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] [--policy=policy] --remove-rich-rule='rule'
           Remove rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] [--policy=policy] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added. Returns
           0 if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the specified zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--zone=zone] --add-icmp-block-inversion
           Enable ICMP block inversion.

       [--zone=zone] --remove-icmp-block-inversion
           Disable ICMP block inversion.

       [--zone=zone] --query-icmp-block-inversion
           Return whether ICMP block inversion is enabled. Returns 0 if true,
           1 otherwise.

       [--zone=zone] --add-forward
           Enable intra zone forwarding.

       [--zone=zone] --remove-forward
           Disable intra zone forwarding.

       [--zone=zone] --query-forward
           Return whether intra zone forwarding is enabled. Returns 0 if true,
           1 otherwise.

   Options to Adapt and Query Policies
       Options in this section affect only one particular policy. It's
       required to specify --policy=policy with these options.

       --policy=policy --get-priority
           Get the priority.

       --policy=policy --set-priority=priority
           Set the priority. The priority determines the relative ordering of
           policies. This is an integer value between -32768 and 32767 where
           -1 is the default value for new policies and 0 is reserved for
           internal use.

           If a priority is < 0, then the policy's rules will execute before
           all rules in all zones.

           If a priority is > 0, then the policy's rules will execute after
           all rules in all zones.

       --policy=policy --list-ingress-zones
           List ingress zones added as a space separated list.

       --policy=policy --add-ingress-zone=zone
           Add an ingress zone. This option can be specified multiple times.

           The ingress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           HOST is used for traffic originating from the host machine, i.e.
           the host running firewalld.

           ANY is used for traffic originating from any zone. This can be
           thought of as a wildcard for zones. However, it does not include
           traffic originating from the host machine; use HOST for that.

       --policy=policy --remove-ingress-zone=zone
           Remove an ingress zone. This option can be specified multiple
           times.

       --policy=policy --query-ingress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

       --policy=policy --list-egress-zones
           List egress zones added as a space separated list.

       --policy=policy --add-egress-zone=zone
           Add an egress zone. This option can be specified multiple times.

           The egress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           For clarification on HOST and ANY see option --add-ingress-zone.

       --policy=policy --remove-egress-zone=zone
           Remove an egress zone. This option can be specified multiple times.

       --policy=policy --query-egress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are used
       to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, default zone will be used.

       [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, default
           zone will be used.

       [--zone=zone] --change-interface=interface
           Change the zone that interface interface is bound to, to zone zone.
           If zone is omitted, default zone will be used. If old and new zone
           are the same, the call will be ignored without an error. If the
           interface has not been bound to a zone before, it will behave like
           --add-interface.

       [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--zone=zone] --remove-interface=interface
           Remove binding of interface interface from zone zone. If zone is
           omitted, default zone will be used.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be used
       to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated list.
           If zone is omitted, default zone will be used.

       [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, default zone will
           be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone that the source is bound to, to zone zone. If zone
           is omitted, default zone will be used. If old and new zone are the
           same, the call will be ignored without an error. If the source has
           not been bound to a zone before, it will behave like --add-source.

       [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove binding of the source from zone zone. If zone is omitted,
           default zone will be used.

   IPSet Options
       --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
           Add a new permanent ipset, specifying the type and optional
           options.

           ipset names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --delete-ipset=ipset
           Delete an existing permanent ipset.

       --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       --get-ipsets
           Print predefined ipsets as a space separated list.

       --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

       --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if
           true, 1 otherwise.

       --ipset=ipset --get-entries
           List all entries of the ipset.

       --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but already in the ipset, a warning will be
           printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

       --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset from the file. For all
           entries that are listed in the file but not in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

747       --ipset=ipset --set-description=description
748           Set a new description for the ipset.
749
750       --ipset=ipset --get-description
751           Print the description of the ipset.
752
753       --ipset=ipset --set-short=description
754           Set a new short description for the ipset.
755
756       --ipset=ipset --get-short
757           Print the short description of the ipset.
758
759       --path-ipset=ipset
760           Print path of the ipset configuration file.
761
762   Service Options
763       --info-service=service
764           Print information about the service service. The output format is:
765
766               service
767                 ports: port1 ..
768                 protocols: protocol1 ..
769                 source-ports: source-port1 ..
770                 helpers: helper1 ..
771                 destination: ipv1:address1 ..
772
773
774
775       --new-service=service
776           Add a new permanent service.
777
778           Service names must be alphanumeric and may additionally include
779           characters: '_' and '-'.
780
781       --new-service-from-file=filename [--name=service]
782           Add a new permanent service from a prepared service file with an
783           optional name override.
784
785       --delete-service=service
786           Delete an existing permanent service.
787
788       --path-service=service
789           Print path of the service configuration file.
790
791       --service=service --set-description=description
792           Set a new description for the service.
793
794       --service=service --get-description
795           Print the description of the service.
796
797       --service=service --set-short=description
798           Set a new short description for the service.
799
800       --service=service --get-short
801           Print the short description of the service.
802
803       --service=service --add-port=portid[-portid]/protocol
804           Add a new port to the permanent service.
805
806       --service=service --remove-port=portid[-portid]/protocol
807           Remove a port from the permanent service.
808
809       --service=service --query-port=portid[-portid]/protocol
810           Return whether the port has been added to the permanent service.
811
812       --service=service --get-ports
813           List ports added to the permanent service.
814
815       --service=service --add-protocol=protocol
816           Add a new protocol to the permanent service.
817
818       --service=service --remove-protocol=protocol
819           Remove a protocol from the permanent service.
820
821       --service=service --query-protocol=protocol
822           Return whether the protocol has been added to the permanent service.
823
824       --service=service --get-protocols
825           List protocols added to the permanent service.
826
827       --service=service --add-source-port=portid[-portid]/protocol
828           Add a new source port to the permanent service.
829
830       --service=service --remove-source-port=portid[-portid]/protocol
831           Remove a source port from the permanent service.
832
833       --service=service --query-source-port=portid[-portid]/protocol
834           Return whether the source port has been added to the permanent
835           service.
836
837       --service=service --get-source-ports
838           List source ports added to the permanent service.
839
840       --service=service --add-helper=helper
841           Add a new helper to the permanent service.
842
843       --service=service --remove-helper=helper
844           Remove a helper from the permanent service.
845
846       --service=service --query-helper=helper
847           Return whether the helper has been added to the permanent service.
848
849       --service=service --get-service-helpers
850           List helpers added to the permanent service.
851
852       --service=service --set-destination=ipv:address[/mask]
853           Set destination for ipv to address[/mask] in the permanent service.
854
855       --service=service --remove-destination=ipv
856           Remove the destination for ipv from the permanent service.
857
858       --service=service --query-destination=ipv:address[/mask]
859           Return whether the destination ipv to address[/mask] has been set in
860           the permanent service.
861
862       --service=service --get-destinations
863           List destinations added to the permanent service.
864
865       --service=service --add-include=service
866           Add a new include to the permanent service.
867
868       --service=service --remove-include=service
869           Remove an include from the permanent service.
870
871       --service=service --query-include=service
872           Return whether the include has been added to the permanent service.
873
874       --service=service --get-includes
875           List includes added to the permanent service.
876
877   Helper Options
878       Options in this section affect only one particular helper.
879
880       --info-helper=helper
881           Print information about the helper helper. The output format is:
882
883               helper
884                 family: family
885                 module: module
886                 ports: port1 ..
887
888
889
890       The following options are only usable in the permanent configuration.
891
892       --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
893           Add a new permanent helper with module and optionally family
894           defined.
895
896           Helper names must be alphanumeric and may additionally include
897           characters: '-'.
898
899       --new-helper-from-file=filename [--name=helper]
900           Add a new permanent helper from a prepared helper file with an
901           optional name override.
902
903       --delete-helper=helper
904           Delete an existing permanent helper.
905
906       --load-helper-defaults=helper
907           Load helper default settings or report NO_DEFAULTS error.
908
909       --path-helper=helper
910           Print path of the helper configuration file.
911
912       --get-helpers
913           Print predefined helpers as a space separated list.
914
915       --helper=helper --set-description=description
916           Set a new description for the helper.
917
918       --helper=helper --get-description
919           Print the description of the helper.
920
921       --helper=helper --set-short=description
922           Set a new short description for the helper.
923
924       --helper=helper --get-short
925           Print the short description of the helper.
926
927       --helper=helper --add-port=portid[-portid]/protocol
928           Add a new port to the permanent helper.
929
930       --helper=helper --remove-port=portid[-portid]/protocol
931           Remove a port from the permanent helper.
932
933       --helper=helper --query-port=portid[-portid]/protocol
934           Return whether the port has been added to the permanent helper.
935
936       --helper=helper --get-ports
937           List ports added to the permanent helper.
938
939       --helper=helper --set-module=description
940           Set the module description for the helper.
941
942       --helper=helper --get-module
943           Print the module description of the helper.
944
945       --helper=helper --set-family=description
946           Set the family description for the helper.
947
948       --helper=helper --get-family
949           Print the family description of the helper.
950
951   Internet Control Message Protocol (ICMP) type Options
952       --info-icmptype=icmptype
953           Print information about the icmptype icmptype. The output format
954           is:
955
956               icmptype
957                 destination: ipv1 ..
958
959
960
961       --new-icmptype=icmptype
962           Add a new permanent icmptype.
963
964           ICMP type names must be alphanumeric and may additionally include
965           characters: '_' and '-'.
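
           The naming rules stated for ipsets, services, helpers and ICMP types
           (alphanumeric plus '_' and '-', or plus '-' only for helpers) and the
           portid[-portid]/protocol syntax used by the port options, written out
           as an added shell validator (this is not firewalld's own code). Since
           an object name also selects its configuration file (see the --path-*
           options), rejecting anything outside the documented character set
           before the name reaches the tool is a worthwhile check. The function
           names, the 1..65535 port range and the protocol set tcp/udp/sctp/dccp
           are this example's assumptions; the page itself gives only the
           syntax.

```shell
#!/bin/sh
# Added example, not firewalld's own code: validate the name and port
# arguments described in firewall-offline-cmd(1) before they are used.
export LC_ALL=C   # keep the bracket ranges below plain ASCII

# ipset, service and icmptype names: alphanumeric plus '_' and '-'.
# helper names: alphanumeric plus '-' only. (Both rules are from the man page.)
valid_object_name() {
    kind=$1
    name=$2
    [ -n "$name" ] || return 1
    case "$kind" in
        ipset|service|icmptype)
            case "$name" in
                *[!A-Za-z0-9_-]*) return 1 ;;
            esac ;;
        helper)
            case "$name" in
                *[!A-Za-z0-9-]*) return 1 ;;
            esac ;;
        *) return 1 ;;   # unknown object kind
    esac
    return 0
}

# One port number: decimal digits only, in 1..65535. The range is this
# example's assumption; the man page only gives the portid[-portid]/protocol
# syntax.
valid_portid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# portid[-portid]/protocol as written for --add-port, --add-source-port and
# the helper port options. The protocol set is an assumption of this example.
valid_port_spec() {
    spec=$1
    case "$spec" in
        */*) ;;
        *)   return 1 ;;   # the protocol part is mandatory
    esac
    ports=${spec%/*}
    proto=${spec##*/}
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    case "$ports" in
        *-*)
            lo=${ports%-*}
            hi=${ports#*-}
            valid_portid "$lo" && valid_portid "$hi" && [ "$lo" -le "$hi" ] ;;
        *)
            valid_portid "$ports" ;;
    esac
}

# Demonstration on constructed inputs.
for n in block_list-v4 'block list' ../etc; do
    if valid_object_name ipset "$n"; then echo "ipset name ok:  $n"; else echo "ipset name bad: $n"; fi
done
for p in 443/tcp 6000-6010/udp 6010-6000/udp 70000/tcp 80 80/icmp; do
    if valid_port_spec "$p"; then echo "port ok:  $p"; else echo "port bad: $p"; fi
done
```

           A wrapper script around firewall-offline-cmd can call these before
           --new-ipset, --new-service, --new-helper, --new-icmptype or any
           --add-port, so that a malformed argument fails in the wrapper rather
           than leaving a half-applied permanent configuration behind.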
966
967       --new-icmptype-from-file=filename [--name=icmptype]
968           Add a new permanent icmptype from a prepared icmptype file with an
969           optional name override.
970
971       --delete-icmptype=icmptype
972           Delete an existing permanent icmptype.
973
974       --icmptype=icmptype --set-description=description
975           Set a new description for the icmptype.
976
977       --icmptype=icmptype --get-description
978           Print the description of the icmptype.
979
980       --icmptype=icmptype --set-short=description
981           Set a new short description for the icmptype.
982
983       --icmptype=icmptype --get-short
984           Print the short description of the icmptype.
985
986       --icmptype=icmptype --add-destination=ipv
987           Enable destination for ipv in permanent icmptype. ipv is one of
988           ipv4 or ipv6.
989
990       --icmptype=icmptype --remove-destination=ipv
991           Disable destination for ipv in permanent icmptype. ipv is one of
992           ipv4 or ipv6.
993
994       --icmptype=icmptype --query-destination=ipv
995           Return whether destination for ipv is enabled in permanent
996           icmptype. ipv is one of ipv4 or ipv6.
997
998       --icmptype=icmptype --get-destinations
999           List destinations in permanent icmptype.
1000
1001       --path-icmptype=icmptype
1002           Print path of the icmptype configuration file.
1003
1004   Direct Options
1005       The direct options give more direct access to the firewall. These
1006       options require the user to know basic iptables concepts, i.e. table
1007       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
1008       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
1009       (ACCEPT/DROP/REJECT/...).
1010
1011       Direct options should be used only as a last resort when it's not
1012       possible to use for example --add-service=service or
1013       --add-rich-rule='rule'.
1014
1015       Warning: The behavior of direct rules differs depending on the value
1016       of FirewallBackend. See CAVEATS in firewalld.direct(5).
1017
1018       The first argument of each option has to be ipv4 or ipv6 or eb. With
1019       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1020       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1021
1022       --direct --get-all-chains
1023           Get all chains added to all tables.
1024
1025           This option concerns only chains previously added with --direct
1026           --add-chain.
1027
1028       --direct --get-chains { ipv4 | ipv6 | eb } table
1029           Get all chains added to table table as a space separated list.
1030
1031           This option concerns only chains previously added with --direct
1032           --add-chain.
1033
1034       --direct --add-chain { ipv4 | ipv6 | eb } table chain
1035           Add a new chain with name chain to table table.
1036
1037           Basic chains for use with the direct options already exist, for
1038           example the INPUT_direct chain (see the output of iptables-save |
1039           grep direct for all of them). These chains are jumped into before
1040           the chains for zones, i.e. every rule put into INPUT_direct will be
1041           checked before the rules in zones.
1042
1043       --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1044           Remove the chain with name chain from table table.
1045
1046       --direct --query-chain { ipv4 | ipv6 | eb } table chain
1047           Return whether a chain with name chain exists in table table.
1048           Returns 0 if true, 1 otherwise.
1049
1050           This option concerns only chains previously added with --direct
1051           --add-chain.
1052
1053       --direct --get-all-rules
1054           Get all rules added to all chains in all tables as a newline
1055           separated list of the priority and arguments.
1056
1057       --direct --get-rules { ipv4 | ipv6 | eb } table chain
1058           Get all rules added to chain chain in table table as a newline
1059           separated list of the priority and arguments.
1060
1061       --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
1062           Add a rule with the arguments args to chain chain in table table
1063           with priority priority.
1064
1065           The priority is used to order rules. Priority 0 means add rule on
1066           top of the chain, with a higher priority the rule will be added
1067           further down. Rules with the same priority are on the same level
1068           and the order of these rules is not fixed and may change. If you
1069           want to make sure that a rule will be added after another one, use
1070           a low priority for the first and a higher one for the following.
1071
1072       --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
1073           Remove a rule with priority and the arguments args from chain chain
1074           in table table.
1075
1076       --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1077           Remove all rules from the chain with name chain in table
1078           table.
1079
1080           This option concerns only rules previously added with --direct
1081           --add-rule in this chain.
1082
1083       --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
1084           Return whether a rule with priority and the arguments args exists
1085           in chain chain in table table. Returns 0 if true, 1 otherwise.
1086
1087       --direct --get-all-passthroughs
1088           Get all permanent passthrough rules as a newline separated list of
1089           the ipv value and arguments.
1090
1091       --direct --get-passthroughs { ipv4 | ipv6 | eb }
1092           Get all permanent passthrough rules for the ipv value as a newline
1093           separated list of the priority and arguments.
1094
1095       --direct --add-passthrough { ipv4 | ipv6 | eb } args
1096           Add a permanent passthrough rule with the arguments args for the
1097           ipv value.
1098
1099       --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1100           Remove a permanent passthrough rule with the arguments args for the
1101           ipv value.
1102
1103       --direct --query-passthrough { ipv4 | ipv6 | eb } args
1104           Return whether a permanent passthrough rule with the arguments args
1105           exists for the ipv value. Returns 0 if true, 1 otherwise.
1106
1107   Lockdown Options
1108       Local applications or services are able to change the firewall
1109       configuration if they are running as root (example: libvirt) or are
1110       authenticated using PolicyKit. With this feature administrators can
1111       lock the firewall configuration so that only applications on the
1112       lockdown whitelist are able to request firewall changes.
1113
1114       The lockdown access check limits D-Bus methods that are changing
1115       firewall rules. Query, list and get methods are not limited.
1116
1117       The lockdown feature is a very light version of user and application
1118       policies for firewalld and is turned off by default.
1119
1120       --lockdown-on
1121           Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
1122           whitelist when you enable lockdown, you won't be able to disable it
1123           again with firewall-cmd; you would need to edit firewalld.conf.
1124
1125       --lockdown-off
1126           Disable lockdown.
1127
1128       --query-lockdown
1129           Query whether lockdown is enabled. Returns 0 if lockdown is
1130           enabled, 1 otherwise.
1131
1132   Lockdown Whitelist Options
1133       The lockdown whitelist can contain commands, contexts, users and user
1134       ids.
1135
1136       If a command entry on the whitelist ends with an asterisk '*', then all
1137       command lines starting with the command will match. If the '*' is not
1138       there, the absolute command including its arguments must match.
1139
1140       The command path for user root and for other users is not always the
1141       same. Example: on Fedora, /bin/firewall-cmd is used as root, while
1142       /usr/bin/firewall-cmd is used as a normal user.
1143
1144       The context is the security (SELinux) context of a running application
1145       or service. To get the context of a running application use ps -e
1146       --context.
1147
1148       Warning: If the context is unconfined, then this will open access for
1149       more than the desired application.
1150
1151       The lockdown whitelist entries are checked in the following order:
1152           1. context
1153           2. uid
1154           3. user
1155           4. command
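
           The whitelist matching rules above (exact command line, or prefix
           match when the entry ends with '*') and the context, uid, user,
           command check order, as an added shell example that is not
           firewalld's own code. It lets an administrator predict which entry
           will admit a given caller before --lockdown-on is used. The function
           names, the sample whitelist, the SELinux contexts, uids, user names
           and command lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not firewalld's own code: the lockdown whitelist matching
# rules from firewall-offline-cmd(1), written as shell functions. All entries
# and caller attributes below are constructed values.

# Does a command line match one whitelist command entry?
# A trailing '*' makes the entry a prefix match; otherwise the absolute
# command line including its arguments must be identical.
lockdown_command_matches() {
    entry=$1
    cmdline=$2
    case "$entry" in
        *'*')
            prefix=${entry%\*}
            # "$prefix" is quoted, so glob characters inside it stay literal
            case "$cmdline" in
                "$prefix"*) return 0 ;;
            esac
            return 1 ;;
        *)
            [ "$cmdline" = "$entry" ] ;;
    esac
}

# Does one whitelist entry of the given kind match the caller's attributes?
# $1: kind (context|uid|user|command), $2: entry value,
# $3: caller's SELinux context, $4: uid, $5: user name, $6: command line
lockdown_entry_matches() {
    case "$1" in
        context) [ "$2" = "$3" ] ;;
        uid)     [ "$2" = "$4" ] ;;
        user)    [ "$2" = "$5" ] ;;
        command) lockdown_command_matches "$2" "$6" ;;
        *)       return 1 ;;
    esac
}

# Decide whether a caller may change the firewall under lockdown.
# $1: whitelist, one "kind value" entry per line; $2..$5 as above.
# Entries are checked in the order the man page gives: context, uid, user,
# command. Prints the entry that allowed the request (or "denied") and
# returns 0 for allowed, 1 for denied.
lockdown_whitelist_check() {
    wl=$1; ctx=$2; uid=$3; user=$4; cmdline=$5
    for kind in context uid user command; do
        hit=$(printf '%s\n' "$wl" | while read -r type value; do
            [ "$type" = "$kind" ] || continue
            if lockdown_entry_matches "$kind" "$value" "$ctx" "$uid" "$user" "$cmdline"; then
                printf '%s\n' "$value"
                break
            fi
        done)
        if [ -n "$hit" ]; then
            printf 'allowed by %s entry: %s\n' "$kind" "$hit"
            return 0
        fi
    done
    printf 'denied\n'
    return 1
}

# Constructed sample whitelist. The unconfined context is deliberately absent:
# whitelisting it would open access for far more than one application.
SAMPLE_WHITELIST='context system_u:system_r:NetworkManager_t:s0
uid 0
user fwadmin
command /usr/bin/firewall-cmd --reload
command /usr/bin/firewall-config*'

# Demonstration with constructed callers: the first is admitted by the exact
# command entry, the second is denied because the arguments differ and no
# prefix entry covers firewall-cmd.
lockdown_whitelist_check "$SAMPLE_WHITELIST" \
    'unconfined_u:unconfined_r:unconfined_t:s0' 1000 bob \
    '/usr/bin/firewall-cmd --reload'
lockdown_whitelist_check "$SAMPLE_WHITELIST" \
    'unconfined_u:unconfined_r:unconfined_t:s0' 1000 bob \
    '/usr/bin/firewall-cmd --add-service=http'
```

           Because the uid entry is checked before the command entry, a caller
           running as uid 0 is admitted regardless of its command line; a
           command entry with a trailing '*' behaves the same way for every
           invocation of that program, which is why such entries deserve the
           same scrutiny as an unconfined context.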
1156
1157       --list-lockdown-whitelist-commands
1158           List all command lines that are on the whitelist.
1159
1160       --add-lockdown-whitelist-command=command
1161           Add the command to the whitelist.
1162
1163       --remove-lockdown-whitelist-command=command
1164           Remove the command from the whitelist.
1165
1166       --query-lockdown-whitelist-command=command
1167           Query whether the command is on the whitelist. Returns 0 if true, 1
1168           otherwise.
1169
1170       --list-lockdown-whitelist-contexts
1171           List all contexts that are on the whitelist.
1172
1173       --add-lockdown-whitelist-context=context
1174           Add the context context to the whitelist.
1175
1176       --remove-lockdown-whitelist-context=context
1177           Remove the context from the whitelist.
1178
1179       --query-lockdown-whitelist-context=context
1180           Query whether the context is on the whitelist. Returns 0 if true, 1
1181           otherwise.
1182
1183       --list-lockdown-whitelist-uids
1184           List all user ids that are on the whitelist.
1185
1186       --add-lockdown-whitelist-uid=uid
1187           Add the user id uid to the whitelist.
1188
1189       --remove-lockdown-whitelist-uid=uid
1190           Remove the user id uid from the whitelist.
1191
1192       --query-lockdown-whitelist-uid=uid
1193           Query whether the user id uid is on the whitelist. Returns 0 if
1194           true, 1 otherwise.
1195
1196       --list-lockdown-whitelist-users
1197           List all user names that are on the whitelist.
1198
1199       --add-lockdown-whitelist-user=user
1200           Add the user name user to the whitelist.
1201
1202       --remove-lockdown-whitelist-user=user
1203           Remove the user name user from the whitelist.
1204
1205       --query-lockdown-whitelist-user=user
1206           Query whether the user name user is on the whitelist. Returns 0 if
1207           true, 1 otherwise.
1208
1209   Policy Options
1210       --policy-server
1211           Change Polkit actions to 'server' (more restricted).
1212
1213       --policy-desktop
1214           Change Polkit actions to 'desktop' (less restricted).
1215

SEE ALSO

1217       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1218       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1219       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1220       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1221       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
1222       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
1223

NOTES

1225       firewalld home page:
1226           http://firewalld.org
1227
1228       More documentation with examples:
1229           http://fedoraproject.org/wiki/FirewallD
1230

AUTHORS

1232       Thomas Woerner <twoerner@redhat.com>
1233           Developer
1234
1235       Jiri Popelka <jpopelka@redhat.com>
1236           Developer
1237
1238       Eric Garver <eric@garver.life>
1239           Developer
1240
1241
1242
1243firewalld 0.9.3                                          FIREWALL-OFFLINE-C(1)