1FIREWALL-OFFLINE-C(1) firewall-offline-cmd FIREWALL-OFFLINE-C(1)
2
6 firewall-offline-cmd - firewalld offline command line client
7
9 firewall-offline-cmd [OPTIONS...]
10
12 firewall-offline-cmd is an offline command line client of the firewalld
13 daemon. It should be used only if the firewalld service is not running.
14 For example to migrate from system-config-firewall/lokkit or in the
15 install environment to configure firewall settings with kickstart.
16 Some lokkit options can not be automatically converted for firewalld,
18 they will result in an error or warning message. This tool tries to
19 convert as much as possible, but there are limitations for example with
20 custom rules, modules and masquerading.
21 Check the firewall configuration after using this tool.
23
25 If no options are given, configuration from
26 /etc/sysconfig/system-config-firewall will be migrated.
27 Sequence options are the options that can be specified multiple times,
29 the exit code is 0 if there is at least one item that succeeded. The
30 ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
31 errors are treated as succeeded. If there are issues while parsing the
32 items, then these are treated as warnings and will not change the
33 result as long as there is a succeeded one. Without any succeeded item,
34 the exit code will depend on the error codes. If there is exactly one
35 error code, then this is used. If there are more than one then
36 UNKNOWN_ERROR (254) will be used.
37 The following options are supported:
39 General Options
41 -h, --help
42 Prints a short help text and exists.
43 -V, --version
45 Prints the version string of firewalld and exits.
46 -q, --quiet
48 Do not print status messages.
49 --default-config
51 Path to firewalld default configuration. This usually defaults to
52 /usr/lib/firewalld.
53 --system-config
55 Path to firewalld system (user) configuration. This usually
56 defaults to /etc/firewalld.
57 Status Options
59 --enabled
60 Enable the firewall. This option is a default option and will
61 activate the firewall if not already enabled as long as the option
62 --disabled is not given.
63 --disabled
65 Disable the firewall by disabling the firewalld service.
66 --check-config
68 Run checks on the permanent (default and system) configuration.
69 This includes XML validity and semantics.
70 This is may be used with --system-config to check the validity of
72 handwritten configuration files before copying them to the standard
73 location.
74 Lokkit Compatibility Options
76 These options are nearly identical to the options of lokkit.
77 --migrate-system-config-firewall=file
79 Migrate system-config-firewall configuration from the given file.
80 No further
81 --addmodule=module
83 This option will result in a warning message and will be ignored.
84 Handling of netfilter helpers has been merged into services
86 completely. Adding or removing netfilter helpers outside of
87 services is therefore not needed anymore. For more information on
88 handling netfilter helpers in services, please have a look at
89 firewalld.zone(5).
90 --removemodule
92 This option will result in a warning message and will be ignored.
93 Handling of netfilter helpers has been merged into services
95 completely. Adding or removing netfilter helpers outside of
96 services is therefore not needed anymore. For more information on
97 handling netfilter helpers in services, please have a look at
98 firewalld.zone(5).
99 --remove-service=service
101 Remove a service from the default zone. This option can be
102 specified multiple times.
103 The service is one of the firewalld provided services. To get a
105 list of the supported services, use firewall-cmd --get-services.
106 -s service, --service=service
108 Add a service to the default zone. This option can be specified
109 multiple times.
110 The service is one of the firewalld provided services. To get a
112 list of the supported services, use firewall-cmd --get-services.
113 -p portid[-portid]:protocol, --port=portid[-portid]:protocol
115 Add the port to the default zone. This option can be specified
116 multiple times.
117 The port can either be a single port number or a port range
119 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
120 -t interface, --trust=interface
122 This option will result in a warning message.
123 Mark an interface as trusted. This option can be specified multiple
125 times. The interface will be bound to the trusted zone.
126 If the interface is used in a NetworkManager managed connection or
128 if there is an ifcfg file for this interface, the zone will be
129 changed to the zone defined in the configuration as soon as it gets
130 activated. To change the zone of a connection use
131 nm-connection-editor and set the zone to trusted, for an ifcfg
132 file, use an editor and add "ZONE=trusted". If the zone is not
133 defined in the ifcfg file, the firewalld default zone will be used.
134 -m interface, --masq=interface
136 This option will result in a warning message.
137 Masquerading will be enabled in the default zone. The interface
139 argument will be ignored. This is for IPv4 only.
140 --custom-rules=[type:][table:]filename
142 This option will result in a warning message and will be ignored.
143 Custom rule files are not supported by firewalld.
145 --forward-port=if=interface:port=port:proto=protocol[:toport=destination
147 port:][:toaddr=destination address]
148 This option will result in a warning message.
149 Add the IPv4 forward port in the default zone. This option can be
151 specified multiple times.
152 The port can either be a single port number portid or a port range
154 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
155 The destination address is an IP address.
156 --block-icmp=icmptype
158 This option will result in a warning message.
159 Add an ICMP block for icmptype in the default zone. This option can
161 be specified multiple times.
162 The icmptype is the one of the icmp types firewalld supports. To
164 get a listing of supported icmp types: firewall-cmd --get-icmptypes
165 Log Denied Options
167 --get-log-denied
168 Print the log denied setting.
169 --set-log-denied=value
171 Add logging rules right before reject and drop rules in the INPUT,
172 FORWARD and OUTPUT chains for the default rules and also final
173 reject and drop rules in zones for the configured link-layer packet
174 type. The possible values are: all, unicast, broadcast, multicast
175 and off. The default setting is off, which disables the logging.
176 This is a runtime and permanent change and will also reload the
178 firewall to be able to add the logging rules.
179 Zone Options
181 --get-default-zone
182 Print default zone for connections and interfaces.
183 --set-default-zone=zone
185 Set default zone for connections and interfaces where no zone has
186 been selected. Setting the default zone changes the zone for the
187 connections or interfaces, that are using the default zone.
188 --get-zones
190 Print predefined zones as a space separated list.
191 --get-services
193 Print predefined services as a space separated list.
194 --get-icmptypes
196 Print predefined icmptypes as a space separated list.
197 --get-zone-of-interface=interface
199 Print the name of the zone the interface is bound to or no zone.
200 --get-zone-of-source=source[/mask]|MAC|ipset:ipset
202 Print the name of the zone the source is bound to or no zone.
203 --info-zone=zone
205 Print information about the zone zone. The output format is:
206 zone
208 interfaces: interface1 ..
209 sources: source1 ..
210 services: service1 ..
211 ports: port1 ..
212 protocols: protocol1 ..
213 forward-ports:
214 forward-port1
215 ..
216 source-ports: source-port1 ..
217 icmp-blocks: icmp-type1 ..
218 rich rules:
219 rich-rule1
220 ..
221 --list-all-zones
225 List everything added for or enabled in all zones. The output
226 format is:
227 zone1
229 interfaces: interface1 ..
230 sources: source1 ..
231 services: service1 ..
232 ports: port1 ..
233 protocols: protocol1 ..
234 forward-ports:
235 forward-port1
236 ..
237 source-ports: source-port1 ..
238 icmp-blocks: icmp-type1 ..
239 rich rules:
240 rich-rule1
241 ..
242 ..
243 --new-zone=zone
247 Add a new permanent zone.
248 Zone names must be alphanumeric and may additionally include
250 characters: '_' and '-'.
251 --new-zone-from-file=filename [--name=zone]
253 Add a new permanent zone from a prepared zone file with an optional
254 name override.
255 --path-zone=zone
257 Print path of the zone configuration file.
258 --delete-zone=zone
260 Delete an existing permanent zone.
261 Policy Options
263 --get-policies
264 Print predefined policies as a space separated list.
265 --info-policy=policy
267 Print information about the policy policy.
268 --list-all-policies
270 List everything added for or enabled in all policies.
271 --new-policy=policy
273 Add a new permanent policy.
274 Policy names must be alphanumeric and may additionally include
276 characters: '_' and '-'.
277 --new-policy-from-file=filename [--name=policy]
279 Add a new permanent policy from a prepared policy file with an
280 optional name override.
281 --path-policy=policy
283 Print path of the policy configuration file.
284 --delete-policy=policy
286 Delete an existing permanent policy.
287 --load-policy-defaults=policy
289 Load the shipped defaults for a policy. Only applies to policies
290 shipped with firewalld. Does not apply to user defined policies.
291 Options to Adapt and Query Zones and Policies
293 Options in this section affect only one particular zone or policy. If
294 used with --zone=zone or --policy=policy option, they affect the
295 specified zone or policy. If both options are omitted, they affect
296 default zone (see --get-default-zone).
297 [--zone=zone] [--policy=policy] --list-all
299 List everything added or enabled.
300 [--zone=zone] [--policy=policy] --get-target
302 Get the target.
303 [--zone=zone] [--policy=policy] --set-target=zone
305 Set the target.
306 For zones target is one of: default, ACCEPT, DROP, REJECT
308 For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT
310 default is similar to REJECT, but has special meaning in the
312 following scenarios:
313 1. ICMP explicitly allowed
315 At the end of the zone's ruleset ICMP packets are explicitly
317 allowed.
318 2. forwarded packets follow the target of the egress zone
320 In the case of forwarded packets, if the ingress zone uses
322 default then whether or not the packet will be allowed is
323 determined by the egress zone.
324 For a forwarded packet that ingresses zoneA and egresses zoneB:
326 • if zoneA's target is ACCEPT, DROP, or REJECT then the
328 packet is accepted, dropped, or rejected respectively.
329 • if zoneA's target is default, then the packet is accepted,
331 dropped, or rejected based on zoneB's target. If zoneB's
332 target is also default, then the packet will be rejected by
333 firewalld's catchall reject.
334 3. Zone drifting from source-based zone to interface-based zone
336 This only applies if AllowZoneDrifting is enabled. See
338 firewalld.conf(5).
339 If a packet ingresses a source-based zone with a target of
341 default, it may still enter an interface-based zone (including
342 the default zone).
343 [--zone=zone] [--policy=policy] --set-description=description
346 Set description.
347 [--zone=zone] [--policy=policy] --get-description
349 Print description.
350 [--zone=zone] [--policy=policy] --set-short=description
352 Set short description.
353 [--zone=zone] [--policy=policy] --get-short
355 Print short description.
356 [--zone=zone] [--policy=policy] --list-services
358 List services added as a space separated list.
359 [--zone=zone] [--policy=policy] --add-service=service
361 Add a service. This option can be specified multiple times.
362 The service is one of the firewalld provided services. To get a
364 list of the supported services, use firewall-cmd --get-services.
365 [--zone=zone] --remove-service-from-zone=service
367 Remove a service from zone. This option can be specified multiple
368 times. If zone is omitted, default zone will be used.
369 [--policy=policy] --remove-service-from-policy=service
371 Remove a service from policy. This option can be specified multiple
372 times.
373 [--zone=zone] [--policy=policy] --query-service=service
375 Return whether service has been added. Returns 0 if true, 1
376 otherwise.
377 [--zone=zone] [--policy=policy] --list-ports
379 List ports added as a space separated list. A port is of the form
380 portid[-portid]/protocol, it can be either a port and protocol pair
381 or a port range with a protocol.
382 [--zone=zone] [--policy=policy] --add-port=portid[-portid]/protocol
384 Add the port. This option can be specified multiple times.
385 The port can either be a single port number or a port range
387 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
388 [--zone=zone] [--policy=policy] --remove-port=portid[-portid]/protocol
390 Remove the port. This option can be specified multiple times.
391 [--zone=zone] [--policy=policy] --query-port=portid[-portid]/protocol
393 Return whether the port has been added. Returns 0 if true, 1
394 otherwise.
395 [--zone=zone] [--policy=policy] --list-protocols
397 List protocols added as a space separated list.
398 [--zone=zone] [--policy=policy] --add-protocol=protocol
400 Add the protocol. This option can be specified multiple times.
401 timeval is either a number (of seconds) or number followed by one
402 of characters s (seconds), m (minutes), h (hours), for example 20m
403 or 1h.
404 The protocol can be any protocol supported by the system. Please
406 have a look at /etc/protocols for supported protocols.
407 [--zone=zone] [--policy=policy] --remove-protocol=protocol
409 Remove the protocol. This option can be specified multiple times.
410 [--zone=zone] [--policy=policy] --query-protocol=protocol
412 Return whether the protocol has been added. Returns 0 if true, 1
413 otherwise.
414 [--zone=zone] [--policy=policy] --list-icmp-blocks
416 List Internet Control Message Protocol (ICMP) type blocks added as
417 a space separated list.
418 [--zone=zone] [--policy=policy] --add-icmp-block=icmptype
420 Add an ICMP block for icmptype. This option can be specified
421 multiple times.
422 The icmptype is the one of the icmp types firewalld supports. To
424 get a listing of supported icmp types: firewall-cmd --get-icmptypes
425 [--zone=zone] [--policy=policy] --remove-icmp-block=icmptype
427 Remove the ICMP block for icmptype. This option can be specified
428 multiple times.
429 [--zone=zone] [--policy=policy] --query-icmp-block=icmptype
431 Return whether an ICMP block for icmptype has been added. Returns 0
432 if true, 1 otherwise.
433 [--zone=zone] [--policy=policy] --list-forward-ports
435 List IPv4 forward ports added as a space separated list.
436 For IPv6 forward ports, please use the rich language.
438 [--zone=zone] [--policy=policy]
440 --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
441 Add the IPv4 forward port. This option can be specified multiple
442 times.
443 The port can either be a single port number portid or a port range
445 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
446 The destination address is a simple IP address.
447 For IPv6 forward ports, please use the rich language.
449 Note: IP forwarding will be implicitly enabled if toaddr is
451 specified.
452 [--zone=zone] [--policy=policy]
454 --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
455 Remove the IPv4 forward port. This option can be specified multiple
456 times.
457 For IPv6 forward ports, please use the rich language.
459 [--zone=zone] [--policy=policy]
461 --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
462 Return whether the IPv4 forward port has been added. Returns 0 if
463 true, 1 otherwise.
464 For IPv6 forward ports, please use the rich language.
466 [--zone=zone] [--policy=policy] --list-source-ports
468 List source ports added as a space separated list. A port is of the
469 form portid[-portid]/protocol.
470 [--zone=zone] [--policy=policy]
472 --add-source-port=portid[-portid]/protocol
473 Add the source port. This option can be specified multiple times.
474 The port can either be a single port number or a port range
476 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
477 [--zone=zone] [--policy=policy]
479 --remove-source-port=portid[-portid]/protocol
480 Remove the source port. This option can be specified multiple
481 times.
482 [--zone=zone] [--policy=policy]
484 --query-source-port=portid[-portid]/protocol
485 Return whether the source port has been added. Returns 0 if true, 1
486 otherwise.
487 [--zone=zone] [--policy=policy] --add-masquerade
489 Enable IPv4 masquerade. Masquerading is useful if the machine is a
490 router and machines connected over an interface in another zone
491 should be able to use the first connection.
492 For IPv6 masquerading, please use the rich language.
494 Note: IP forwarding will be implicitly enabled.
496 [--zone=zone] [--policy=policy] --remove-masquerade
498 Disable IPv4 masquerade.
499 For IPv6 masquerading, please use the rich language.
501 [--zone=zone] [--policy=policy] --query-masquerade
503 Return whether IPv4 masquerading has been enabled. Returns 0 if
504 true, 1 otherwise.
505 For IPv6 masquerading, please use the rich language.
507 [--zone=zone] [--policy=policy] --list-rich-rules
509 List rich language rules added as a newline separated list.
510 [--zone=zone] [--policy=policy] --add-rich-rule='rule'
512 Add rich language rule 'rule'. This option can be specified
513 multiple times.
514 For the rich language rule syntax, please have a look at
516 firewalld.richlanguage(5).
517 [--zone=zone] [--policy=policy] --remove-rich-rule='rule'
519 Remove rich language rule 'rule'. This option can be specified
520 multiple times.
521 For the rich language rule syntax, please have a look at
523 firewalld.richlanguage(5).
524 [--zone=zone] [--policy=policy] --query-rich-rule='rule'
526 Return whether a rich language rule 'rule' has been added. Returns
527 0 if true, 1 otherwise.
528 For the rich language rule syntax, please have a look at
530 firewalld.richlanguage(5).
531 Options to Adapt and Query Zones
533 Options in this section affect only one particular zone. If used with
534 --zone=zone option, they affect the specified zone. If the option is
535 omitted, they affect the default zone (see --get-default-zone).
536 [--zone=zone] --add-icmp-block-inversion
538 Enable ICMP block inversion.
539 [--zone=zone] --remove-icmp-block-inversion
541 Disable ICMP block inversion.
542 [--zone=zone] --query-icmp-block-inversion
544 Return whether ICMP block inversion is enabled. Returns 0 if true,
545 1 otherwise.
546 [--zone=zone] --add-forward
548 Enable intra zone forwarding.
549 [--zone=zone] --remove-forward
551 Disable intra zone forwarding.
552 [--zone=zone] --query-forward
554 Return whether intra zone forwarding is enabled. Returns 0 if true,
555 1 otherwise.
556 Options to Adapt and Query Policies
558 Options in this section affect only one particular policy. It's
559 required to specify --policy=policy with these options.
560 --policy=policy --get-priority
562 Get the priority.
563 --policy=policy --set-prioritypriority
565 Set the priority. The priority determines the relative ordering of
566 policies. This is an integer value between -32768 and 32767 where
567 -1 is the default value for new policies and 0 is reserved for
568 internal use.
569 If a priority is < 0, then the policy's rules will execute before
571 all rules in all zones.
572 If a priority is > 0, then the policy's rules will execute after
574 all rules in all zones.
575 --policy=policy --list-ingress-zones
577 List ingress zones added as a space separated list.
578 --policy=policy --add-ingress-zone=zone
580 Add an ingress zone. This option can be specified multiple times.
581 The ingress zone is one of the firewalld provided zones or one of
583 the pseudo-zones: HOST, ANY.
584 HOST is used for traffic originating from the host machine, i.e.
586 the host running firewalld.
587 ANY is used for traffic originating from any zone. This can be
589 thought of as a wild card for zones. However it does not include
590 traffic originating from the host machine - use HOST for that.
591 --policy=policy --remove-ingress-zone=zone
593 Remove an ingress zone. This option can be specified multiple
594 times.
595 --policy=policy --query-ingress-zone=zone
597 Return whether zone has been added. Returns 0 if true, 1 otherwise.
598 --policy=policy --list-egress-zones
600 List egress zones added as a space separated list.
601 --policy=policy --add-egress-zone=zone
603 Add an egress zone. This option can be specified multiple times.
604 The egress zone is one of the firewalld provided zones or one of
606 the pseudo-zones: HOST, ANY.
607 For clarification on HOST and ANY see option --add-ingress-zone.
609 --policy=policy --remove-egress-zone=zone
611 Remove an egress zone. This option can be specified multiple times.
612 --policy=policy --query-egress-zone=zone
614 Return whether zone has been added. Returns 0 if true, 1 otherwise.
615 Options to Handle Bindings of Interfaces
617 Binding an interface to a zone means that this zone settings are used
618 to restrict traffic via the interface.
619 Options in this section affect only one particular zone. If used with
621 --zone=zone option, they affect the zone zone. If the option is
622 omitted, they affect default zone (see --get-default-zone).
623 For a list of predefined zones use firewall-cmd --get-zones.
625 An interface name is a string up to 16 characters long, that may not
627 contain ' ', '/', '!' and '*'.
628 [--zone=zone] --list-interfaces
630 List interfaces that are bound to zone zone as a space separated
631 list. If zone is omitted, default zone will be used.
632 [--zone=zone] --add-interface=interface
634 Bind interface interface to zone zone. If zone is omitted, default
635 zone will be used.
636 [--zone=zone] --change-interface=interface
638 Change zone the interface interface is bound to to zone zone. If
639 zone is omitted, default zone will be used. If old and new zone are
640 the same, the call will be ignored without an error. If the
641 interface has not been bound to a zone before, it will behave like
642 --add-interface.
643 [--zone=zone] --query-interface=interface
645 Query whether interface interface is bound to zone zone. Returns 0
646 if true, 1 otherwise.
647 [--zone=zone] --remove-interface=interface
649 Remove binding of interface interface from zone zone. If zone is
650 omitted, default zone will be used.
651 Options to Handle Bindings of Sources
653 Binding a source to a zone means that this zone settings will be used
654 to restrict traffic from this source.
655 A source address or address range is either an IP address or a network
657 IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
658 with the ipset: prefix. For IPv4, the mask can be a network mask or a
659 plain number. For IPv6 the mask is a plain number. The use of host
660 names is not supported.
661 Options in this section affect only one particular zone. If used with
663 --zone=zone option, they affect the zone zone. If the option is
664 omitted, they affect default zone (see --get-default-zone).
665 For a list of predefined zones use firewall-cmd --get-zones.
667 [--zone=zone] --list-sources
669 List sources that are bound to zone zone as a space separated list.
670 If zone is omitted, default zone will be used.
671 [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
673 Bind the source to zone zone. If zone is omitted, default zone will
674 be used.
675 [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
677 Change zone the source is bound to to zone zone. If zone is
678 omitted, default zone will be used. If old and new zone are the
679 same, the call will be ignored without an error. If the source has
680 not been bound to a zone before, it will behave like --add-source.
681 [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
683 Query whether the source is bound to the zone zone. Returns 0 if
684 true, 1 otherwise.
685 [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
687 Remove binding of the source from zone zone. If zone is omitted,
688 default zone will be used.
689 IPSet Options
691 --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
692 Add a new permanent ipset with specifying the type and optional
693 options.
694 ipset names must be alphanumeric and may additionally include
696 characters: '_' and '-'.
697 --new-ipset-from-file=filename [--name=ipset]
699 Add a new permanent ipset from a prepared ipset file with an
700 optional name override.
701 --delete-ipset=ipset
703 Delete an existing permanent ipset.
704 --info-ipset=ipset
706 Print information about the ipset ipset. The output format is:
707 ipset
709 type: type
710 options: option1[=value1] ..
711 entries: entry1 ..
712 --get-ipsets
716 Print predefined ipsets as a space separated list.
717 --ipset=ipset --add-entry=entry
719 Add a new entry to the ipset.
720 --ipset=ipset --remove-entry=entry
722 Remove an entry from the ipset.
723 --ipset=ipset --query-entry=entry
725 Return whether the entry has been added to an ipset. Returns 0 if
726 true, 1 otherwise.
727 --ipset=ipset --get-entries
729 List all entries of the ipset.
730 --ipset=ipset --add-entries-from-file=filename
732 Add a new entries to the ipset from the file. For all entries that
733 are listed in the file but already in the ipset, a warning will be
734 printed.
735 The file should contain an entry per line. Lines starting with an
737 hash or semicolon are ignored. Also empty lines.
738 --ipset=ipset --remove-entries-from-file=filename
740 Remove existing entries from the ipset from the file. For all
741 entries that are listed in the file but not in the ipset, a warning
742 will be printed.
743 The file should contain an entry per line. Lines starting with an
745 hash or semicolon are ignored. Also empty lines.
746 --ipset=ipset --set-description=description
748 Set new description to ipset
749 --ipset=ipset --get-description
751 Print description for ipset
752 --ipset=ipset --set-short=description
754 Set new short description to ipset
755 --ipset=ipset --get-short
757 Print short description for ipset
758 --path-ipset=ipset
760 Print path of the ipset configuration file.
761 Service Options
763 --info-service=service
764 Print information about the service service. The output format is:
765 service
767 ports: port1 ..
768 protocols: protocol1 ..
769 source-ports: source-port1 ..
770 helpers: helper1 ..
771 destination: ipv1:address1 ..
772 --new-service=service
776 Add a new permanent service.
777 Service names must be alphanumeric and may additionally include
779 characters: '_' and '-'.
780 --new-service-from-file=filename [--name=service]
782 Add a new permanent service from a prepared service file with an
783 optional name override.
784 --delete-service=service
786 Delete an existing permanent service.
787 --path-service=service
789 Print path of the service configuration file.
790 --service=service --set-description=description
792 Set new description to service
793 --service=service --get-description
795 Print description for service
796 --service=service --set-short=description
798 Set short description to service
799 --service=service --get-short
801 Print short description for service
802 --service=service --add-port=portid[-portid]/protocol
804 Add a new port to the permanent service.
805 --service=service --remove-port=portid[-portid]/protocol
807 Remove a port from the permanent service.
808 --service=service --query-port=portid[-portid]/protocol
810 Return wether the port has been added to the permanent service.
811 --service=service --get-ports
813 List ports added to the permanent service.
814 --service=service --add-protocol=protocol
816 Add a new protocol to the permanent service.
817 --service=service --remove-protocol=protocol
819 Remove a protocol from the permanent service.
820 --service=service --query-protocol=protocol
822 Return wether the protocol has been added to the permanent service.
823 --service=service --get-protocols
825 List protocols added to the permanent service.
826 --service=service --add-source-port=portid[-portid]/protocol
828 Add a new source port to the permanent service.
829 --service=service --remove-source-port=portid[-portid]/protocol
831 Remove a source port from the permanent service.
832 --service=service --query-source-port=portid[-portid]/protocol
834 Return wether the source port has been added to the permanent
835 service.
836 --service=service --get-source-ports
838 List source ports added to the permanent service.
839 --service=service --add-helper=helper
841 Add a new helper to the permanent service.
842 --service=service --remove-helper=helper
844 Remove a helper from the permanent service.
845 --service=service --query-helper=helper
847 Return wether the helper has been added to the permanent service.
848 --service=service --get-service-helpers
850 List helpers added to the permanent service.
851 --service=service --set-destination=ipv:address[/mask]
853 Set destination for ipv to address[/mask] in the permanent service.
854 --service=service --remove-destination=ipv
856 Remove the destination for ipv from the permanent service.
857 --service=service --query-destination=ipv:address[/mask]
859 Return wether the destination ipv to address[/mask] has been set in
860 the permanent service.
861 --service=service --get-destinations
863 List destinations added to the permanent service.
864 --service=service --add-include=service
866 Add a new include to the permanent service.
867 --service=service --remove-include=service
869 Remove a include from the permanent service.
870 --service=service --query-include=service
872 Return wether the include has been added to the permanent service.
873 --service=service --get-includes
875 List includes added to the permanent service.
876 Helper Options
878 Options in this section affect only one particular helper.
879 --info-helper=helper
881 Print information about the helper helper. The output format is:
882 helper
884 family: family
885 module: module
886 ports: port1 ..
887 The following options are only usable in the permanent configuration.
891 --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
893 Add a new permanent helper with module and optionally family
894 defined.
895 Helper names must be alphanumeric and may additionally include
897 characters: '-'.
898 --new-helper-from-file=filename [--name=helper]
900 Add a new permanent helper from a prepared helper file with an
901 optional name override.
902 --delete-helper=helper
904 Delete an existing permanent helper.
905 --load-helper-defaults=helper
907 Load helper default settings or report NO_DEFAULTS error.
908 --path-helper=helper
910 Print path of the helper configuration file.
911 --get-helpers
913 Print predefined helpers as a space separated list.
914 --helper=helper --set-description=description
916 Set new description to helper
917 --helper=helper --get-description
919 Print description for helper
920 --helper=helper --set-short=description
922 Set short description to helper
923 --helper=helper --get-short
925 Print short description for helper
926 --helper=helper --add-port=portid[-portid]/protocol
928 Add a new port to the permanent helper.
929 --helper=helper --remove-port=portid[-portid]/protocol
931 Remove a port from the permanent helper.
932 --helper=helper --query-port=portid[-portid]/protocol
934 Return wether the port has been added to the permanent helper.
935 --helper=helper --get-ports
937 List ports added to the permanent helper.
938 --helper=helper --set-module=description
940 Set module description for helper
941 --helper=helper --get-module
943 Print module description for helper
944 --helper=helper --set-family=description
946 Set family description for helper
947 --helper=helper --get-family
949 Print family description of helper
950 Internet Control Message Protocol (ICMP) type Options
952 --info-icmptype=icmptype
953 Print information about the icmptype icmptype. The output format
954 is:
955 icmptype
957 destination: ipv1 ..
958 --new-icmptype=icmptype
962 Add a new permanent icmptype.
963 ICMP type names must be alphanumeric and may additionally include
965 characters: '_' and '-'.
966 --new-icmptype-from-file=filename [--name=icmptype]
968 Add a new permanent icmptype from a prepared icmptype file with an
969 optional name override.
970 --delete-icmptype=icmptype
972 Delete an existing permanent icmptype.
973 --icmptype=icmptype --set-description=description
975 Set new description to icmptype
976 --icmptype=icmptype --get-description
978 Print description for icmptype
979 --icmptype=icmptype --set-short=description
981 Set short description to icmptype
982 --icmptype=icmptype --get-short
984 Print short description for icmptype
985 --icmptype=icmptype --add-destination=ipv
987 Enable destination for ipv in permanent icmptype. ipv is one of
988 ipv4 or ipv6.
989 --icmptype=icmptype --remove-destination=ipv
991 Disable destination for ipv in permanent icmptype. ipv is one of
992 ipv4 or ipv6.
993 --icmptype=icmptype --query-destination=ipv
995 Return whether destination for ipv is enabled in permanent
996 icmptype. ipv is one of ipv4 or ipv6.
997 --icmptype=icmptype --get-destinations
999 List destinations in permanent icmptype.
1000 --path-icmptype=icmptype
1002 Print path of the icmptype configuration file.
1003 Direct Options
1005 The direct options give a more direct access to the firewall. These
1006 options require user to know basic iptables concepts, i.e. table
1007 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
1008 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
1009 (ACCEPT/DROP/REJECT/...).
1010 Direct options should be used only as a last resort when it's not
1012 possible to use for example --add-service=service or
1013 --add-rich-rule='rule'.
1014 Warning: Direct rules behavior is different depending on the value of
1016 FirewallBackend. See CAVEATS in firewalld.direct(5).
1017 The first argument of each option has to be ipv4 or ipv6 or eb. With
1019 ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1020 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1021 --direct --get-all-chains
1023 Get all chains added to all tables.
1024 This option concerns only chains previously added with --direct
1026 --add-chain.
1027 --direct --get-chains { ipv4 | ipv6 | eb } table
1029 Get all chains added to table table as a space separated list.
1030 This option concerns only chains previously added with --direct
1032 --add-chain.
1033 --direct --add-chain { ipv4 | ipv6 | eb } table chain
1035 Add a new chain with name chain to table table.
1036 There already exist basic chains to use with direct options, for
1038 example INPUT_direct chain (see iptables-save | grep direct output
1039 for all of them). These chains are jumped into before chains for
1040 zones, i.e. every rule put into INPUT_direct will be checked before
1041 rules in zones.
1042 --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1044 Remove the chain with name chain from table table.
1045 --direct --query-chain { ipv4 | ipv6 | eb } table chain
1047 Return whether a chain with name chain exists in table table.
1048 Returns 0 if true, 1 otherwise.
1049 This option concerns only chains previously added with --direct
1051 --add-chain.
1052 --direct --get-all-rules
1054 Get all rules added to all chains in all tables as a newline
1055 separated list of the priority and arguments.
1056 --direct --get-rules { ipv4 | ipv6 | eb } table chain
1058 Get all rules added to chain chain in table table as a newline
1059 separated list of the priority and arguments.
1060 --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
1062 Add a rule with the arguments args to chain chain in table table
1063 with priority priority.
1064 The priority is used to order rules. Priority 0 means add rule on
1066 top of the chain, with a higher priority the rule will be added
1067 further down. Rules with the same priority are on the same level
1068 and the order of these rules is not fixed and may change. If you
1069 want to make sure that a rule will be added after another one, use
1070 a low priority for the first and a higher for the following.
1071 --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
1073 Remove a rule with priority and the arguments args from chain chain
1074 in table table.
1075 --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1077 Remove all rules in the chain with name chain exists in table
1078 table.
1079 This option concerns only rules previously added with --direct
1081 --add-rule in this chain.
1082 --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
1084 Return whether a rule with priority and the arguments args exists
1085 in chain chain in table table. Returns 0 if true, 1 otherwise.
1086 --direct --get-all-passthroughs
1088 Get all permanent passthrough as a newline separated list of the
1089 ipv value and arguments.
1090 --direct --get-passthroughs { ipv4 | ipv6 | eb }
1092 Get all permanent passthrough rules for the ipv value as a newline
1093 separated list of the priority and arguments.
1094 --direct --add-passthrough { ipv4 | ipv6 | eb } args
1096 Add a permanent passthrough rule with the arguments args for the
1097 ipv value.
1098 --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1100 Remove a permanent passthrough rule with the arguments args for the
1101 ipv value.
1102 --direct --query-passthrough { ipv4 | ipv6 | eb } args
1104 Return whether a permanent passthrough rule with the arguments args
1105 exists for the ipv value. Returns 0 if true, 1 otherwise.
1106 Lockdown Options
1108 Local applications or services are able to change the firewall
1109 configuration if they are running as root (example: libvirt) or are
1110 authenticated using PolicyKit. With this feature administrators can
1111 lock the firewall configuration so that only applications on lockdown
1112 whitelist are able to request firewall changes.
1113 The lockdown access check limits D-Bus methods that are changing
1115 firewall rules. Query, list and get methods are not limited.
1116 The lockdown feature is a very light version of user and application
1118 policies for firewalld and is turned off by default.
1119 --lockdown-on
1121 Enable lockdown. Be careful - if firewall-cmd is not on lockdown
1122 whitelist when you enable lockdown you won't be able to disable it
1123 again with firewall-cmd, you would need to edit firewalld.conf.
1124 --lockdown-off
1126 Disable lockdown.
1127 --query-lockdown
1129 Query whether lockdown is enabled. Returns 0 if lockdown is
1130 enabled, 1 otherwise.
1131 Lockdown Whitelist Options
1133 The lockdown whitelist can contain commands, contexts, users and user
1134 ids.
1135 If a command entry on the whitelist ends with an asterisk '*', then all
1137 command lines starting with the command will match. If the '*' is not
1138 there the absolute command inclusive arguments must match.
1139 Commands for user root and others is not always the same. Example: As
1141 root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd
1142 is be used on Fedora.
1143 The context is the security (SELinux) context of a running application
1145 or service. To get the context of a running application use ps -e
1146 --context.
1147 Warning: If the context is unconfined, then this will open access for
1149 more than the desired application.
1150 The lockdown whitelist entries are checked in the following order:
1152 1. context
1153 2. uid
1154 3. user
1155 4. command
1156 --list-lockdown-whitelist-commands
1158 List all command lines that are on the whitelist.
1159 --add-lockdown-whitelist-command=command
1161 Add the command to the whitelist.
1162 --remove-lockdown-whitelist-command=command
1164 Remove the command from the whitelist.
1165 --query-lockdown-whitelist-command=command
1167 Query whether the command is on the whitelist. Returns 0 if true, 1
1168 otherwise.
1169 --list-lockdown-whitelist-contexts
1171 List all contexts that are on the whitelist.
1172 --add-lockdown-whitelist-context=context
1174 Add the context context to the whitelist.
1175 --remove-lockdown-whitelist-context=context
1177 Remove the context from the whitelist.
1178 --query-lockdown-whitelist-context=context
1180 Query whether the context is on the whitelist. Returns 0 if true, 1
1181 otherwise.
1182 --list-lockdown-whitelist-uids
1184 List all user ids that are on the whitelist.
1185 --add-lockdown-whitelist-uid=uid
1187 Add the user id uid to the whitelist.
1188 --remove-lockdown-whitelist-uid=uid
1190 Remove the user id uid from the whitelist.
1191 --query-lockdown-whitelist-uid=uid
1193 Query whether the user id uid is on the whitelist. Returns 0 if
1194 true, 1 otherwise.
1195 --list-lockdown-whitelist-users
1197 List all user names that are on the whitelist.
1198 --add-lockdown-whitelist-user=user
1200 Add the user name user to the whitelist.
1201 --remove-lockdown-whitelist-user=user
1203 Remove the user name user from the whitelist.
1204 --query-lockdown-whitelist-user=user
1206 Query whether the user name user is on the whitelist. Returns 0 if
1207 true, 1 otherwise.
1208 Policy Options
1210 --policy-server
1211 Change Polkit actions to 'server' (more restricted)
1212 --policy-desktop
1214 Change Polkit actions to 'desktop' (less restricted)
1215
1217 firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1218 firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1219 firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1220 offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1221 firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
1222 firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
1223
1225 firewalld home page:
1226 http://firewalld.org
1227 More documentation with examples:
1229 http://fedoraproject.org/wiki/FirewallD
1230
1232 Thomas Woerner <twoerner@redhat.com>
1233 Developer
1234 Jiri Popelka <jpopelka@redhat.com>
1236 Developer
1237 Eric Garver <eric@garver.life>
1239 Developer
1240firewalld 0.9.3 FIREWALL-OFFLINE-C(1)