FIREWALL-OFFLINE-C(1)        firewall-offline-cmd        FIREWALL-OFFLINE-C(1)

NAME

       firewall-offline-cmd - firewalld offline command line client


SYNOPSIS

       firewall-offline-cmd [OPTIONS...]


DESCRIPTION

       firewall-offline-cmd is an offline command line client of the firewalld
       daemon. It should be used only if the firewalld service is not running,
       for example to migrate from system-config-firewall/lokkit or in the
       install environment to configure firewall settings with kickstart.

       Some lokkit options cannot be automatically converted for firewalld;
       they will result in an error or warning message. This tool tries to
       convert as much as possible, but there are limitations, for example
       with custom rules, modules and masquerading.

       Check the firewall configuration after using this tool.


OPTIONS

       If no options are given, configuration from
       /etc/sysconfig/system-config-firewall will be migrated.

       Sequence options are the options that can be specified multiple times.
       The exit code is 0 if there is at least one item that succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
       errors are treated as succeeded. If there are issues while parsing the
       items, then these are treated as warnings and will not change the
       result as long as there is a succeeded one. Without any succeeded item,
       the exit code will depend on the error codes. If there is exactly one
       error code, then this is used. If there is more than one, then
       UNKNOWN_ERROR (254) will be used.

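       The exit-code rule for sequence options, modelled as an added Python
       example (not firewalld's own code); reading "exactly one error code" as
       one distinct code is an assumption, and parse warnings are left out of
       the model:

```python
# Added example, not firewalld code: models how a sequence option's exit code
# is derived from the results of its individual items, per the man page.

# firewalld error codes the man page names.
ALREADY_ENABLED = 11
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254

# Per the page, these error codes count as "succeeded" for a sequence option.
COUNTS_AS_SUCCESS = {0, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET}


def sequence_exit_code(item_codes):
    """Return the exit code of a sequence option from its per-item results.

    item_codes: one integer per item, 0 for success or a firewalld error code.
    """
    codes = list(item_codes)
    if not codes:
        raise ValueError("a sequence option needs at least one item")
    # Any succeeded item (including the three tolerated errors) wins.
    if any(code in COUNTS_AS_SUCCESS for code in codes):
        return 0
    # Assumption: "exactly one error code" means one distinct code, so the
    # same failure repeated across items is still reported as that code.
    distinct = set(codes)
    if len(distinct) == 1:
        return distinct.pop()
    return UNKNOWN_ERROR


def scripted_check(results):
    """Helper for kickstart-style scripts: True when the option call counts
    as successful, i.e. its exit code would be 0."""
    return sequence_exit_code(results) == 0
```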
       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Prints the version string of firewalld and exits.

       -q, --quiet
           Do not print status messages.

       --default-config
           Path to firewalld default configuration. This usually defaults to
           /usr/lib/firewalld.

       --system-config
           Path to firewalld system (user) configuration. This usually
           defaults to /etc/firewalld.

   Status Options
       --enabled
           Enable the firewall. This option is a default option and will
           activate the firewall if not already enabled as long as the option
           --disabled is not given.

       --disabled
           Disable the firewall by disabling the firewalld service.

       --check-config
           Run checks on the permanent (default and system) configuration.
           This includes XML validity and semantics.

           This may be used with --system-config to check the validity of
           handwritten configuration files before copying them to the standard
           location.

   Lokkit Compatibility Options
       These options are nearly identical to the options of lokkit.

       --migrate-system-config-firewall=file
           Migrate system-config-firewall configuration from the given file.
           No further

       --addmodule=module
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --removemodule
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --remove-service=service
           Remove a service from the default zone. This option can be
           specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -s service, --service=service
           Add a service to the default zone. This option can be specified
           multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -p portid[-portid]:protocol, --port=portid[-portid]:protocol
           Add the port to the default zone. This option can be specified
           multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       -t interface, --trust=interface
           This option will result in a warning message.

           Mark an interface as trusted. This option can be specified multiple
           times. The interface will be bound to the trusted zone.

           If the interface is used in a NetworkManager managed connection or
           if there is an ifcfg file for this interface, the zone will be
           changed to the zone defined in the configuration as soon as it gets
           activated. To change the zone of a connection, use
           nm-connection-editor and set the zone to trusted; for an ifcfg
           file, use an editor and add "ZONE=trusted". If the zone is not
           defined in the ifcfg file, the firewalld default zone will be used.

       -m interface, --masq=interface
           This option will result in a warning message.

           Masquerading will be enabled in the default zone. The interface
           argument will be ignored. This is for IPv4 only.

       --custom-rules=[type:][table:]filename
           This option will result in a warning message and will be ignored.

           Custom rule files are not supported by firewalld.

       --forward-port=if=interface:port=port:proto=protocol[:toport=destination port:][:toaddr=destination address]
           This option will result in a warning message.

           Add the IPv4 forward port in the default zone. This option can be
           specified multiple times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is an IP address.

       --block-icmp=icmptype
           This option will result in a warning message.

           Add an ICMP block for icmptype in the default zone. This option can
           be specified multiple times.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types, use firewall-cmd --get-icmptypes.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Zone Options
       --get-default-zone
           Print default zone for connections and interfaces.

       --set-default-zone=zone
           Set default zone for connections and interfaces where no zone has
           been selected. Setting the default zone changes the zone for the
           connections or interfaces that are using the default zone.

       --get-zones
           Print predefined zones as a space separated list.

       --get-services
           Print predefined services as a space separated list.

       --get-icmptypes
           Print predefined icmptypes as a space separated list.

       --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to or no zone.

       --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to or no zone.

       --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..

       --new-zone=zone
           Add a new permanent zone.

           Zone names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --path-zone=zone
           Print path of the zone configuration file.

       --delete-zone=zone
           Delete an existing permanent zone.

   Policy Options
       --get-policies
           Print predefined policies as a space separated list.

       --info-policy=policy
           Print information about the policy policy.

       --list-all-policies
           List everything added for or enabled in all policies.

       --new-policy=policy
           Add a new permanent policy.

           Policy names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-policy-from-file=filename [--name=policy]
           Add a new permanent policy from a prepared policy file with an
           optional name override.

       --path-policy=policy
           Print path of the policy configuration file.

       --delete-policy=policy
           Delete an existing permanent policy.

       --load-policy-defaults=policy
           Load the shipped defaults for a policy. Only applies to policies
           shipped with firewalld. Does not apply to user defined policies.

   Options to Adapt and Query Zones and Policies
       Options in this section affect only one particular zone or policy. If
       used with the --zone=zone or --policy=policy option, they affect the
       specified zone or policy. If both options are omitted, they affect the
       default zone (see --get-default-zone).

       [--zone=zone] [--policy=policy] --list-all
           List everything added or enabled.

       [--zone=zone] [--policy=policy] --get-target
           Get the target.

       [--zone=zone] [--policy=policy] --set-target=zone
           Set the target.

           For zones, the target is one of: default, ACCEPT, DROP, REJECT

           For policies, the target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but it implicitly allows ICMP
           packets.

       [--zone=zone] [--policy=policy] --set-description=description
           Set description.

       [--zone=zone] [--policy=policy] --get-description
           Print description.

       [--zone=zone] [--policy=policy] --set-short=description
           Set short description.

       [--zone=zone] [--policy=policy] --get-short
           Print short description.

       [--zone=zone] [--policy=policy] --list-services
           List services added as a space separated list.

       [--zone=zone] [--policy=policy] --add-service=service
           Add a service. This option can be specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           Note: Some services define connection tracking helpers. Helpers
           that may operate in client mode (e.g. tftp) must be added to an
           outbound policy instead of a zone to take effect for clients.
           Otherwise the helper will not be applied to the outbound traffic.
           The related traffic, as defined by the connection tracking helper,
           on the return path (ingress) will be allowed by the stateful
           firewall rules.

           An example of an outbound policy for connection tracking helpers:

               # firewall-cmd --new-policy clientConntrack
               # firewall-cmd --policy clientConntrack --add-ingress-zone HOST
               # firewall-cmd --policy clientConntrack --add-egress-zone ANY
               # firewall-cmd --policy clientConntrack --add-service tftp

       [--zone=zone] --remove-service-from-zone=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, default zone will be used.

       [--policy=policy] --remove-service-from-policy=service
           Remove a service from policy. This option can be specified multiple
           times.

       [--zone=zone] [--policy=policy] --query-service=service
           Return whether service has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-ports
           List ports added as a space separated list. A port is of the form
           portid[-portid]/protocol; it can be either a port and protocol pair
           or a port range with a protocol.

       [--zone=zone] [--policy=policy] --add-port=portid[-portid]/protocol
           Add the port. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] [--policy=policy] --remove-port=portid[-portid]/protocol
           Remove the port. This option can be specified multiple times.

       [--zone=zone] [--policy=policy] --query-port=portid[-portid]/protocol
           Return whether the port has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-protocols
           List protocols added as a space separated list.

       [--zone=zone] [--policy=policy] --add-protocol=protocol
           Add the protocol. This option can be specified multiple times.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

       [--zone=zone] [--policy=policy] --remove-protocol=protocol
           Remove the protocol. This option can be specified multiple times.

       [--zone=zone] [--policy=policy] --query-protocol=protocol
           Return whether the protocol has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added as
           a space separated list.

       [--zone=zone] [--policy=policy] --add-icmp-block=icmptype
           Add an ICMP block for icmptype. This option can be specified
           multiple times.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types, use firewall-cmd --get-icmptypes.

       [--zone=zone] [--policy=policy] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype. This option can be specified
           multiple times.

       [--zone=zone] [--policy=policy] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added. Returns 0
           if true, 1 otherwise.

       [--zone=zone] [--policy=policy] --list-forward-ports
           List IPv4 forward ports added as a space separated list.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Add the IPv4 forward port. This option can be specified multiple
           times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

       [--zone=zone] [--policy=policy]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added. Returns 0 if
           true, 1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy] --list-source-ports
           List source ports added as a space separated list. A port is of the
           form portid[-portid]/protocol.

       [--zone=zone] [--policy=policy]
       --add-source-port=portid[-portid]/protocol
           Add the source port. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] [--policy=policy]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port. This option can be specified multiple
           times.

       [--zone=zone] [--policy=policy]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --add-masquerade
           Enable IPv4 masquerade. Masquerading is useful if the machine is a
           router and machines connected over an interface in another zone
           should be able to use the first connection.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--zone=zone] [--policy=policy] --remove-masquerade
           Disable IPv4 masquerade.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] [--policy=policy] --query-masquerade
           Return whether IPv4 masquerading has been enabled. Returns 0 if
           true, 1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] [--policy=policy] --list-rich-rules
           List rich language rules added as a newline separated list.

       [--zone=zone] [--policy=policy] --add-rich-rule='rule'
           Add rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] [--policy=policy] --remove-rich-rule='rule'
           Remove rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] [--policy=policy] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added. Returns
           0 if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       --zone=zone option, they affect the specified zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--zone=zone] --add-icmp-block-inversion
           Enable ICMP block inversion.

       [--zone=zone] --remove-icmp-block-inversion
           Disable ICMP block inversion.

       [--zone=zone] --query-icmp-block-inversion
           Return whether ICMP block inversion is enabled. Returns 0 if true,
           1 otherwise.

       [--zone=zone] --add-forward
           Enable intra zone forwarding.

       [--zone=zone] --remove-forward
           Disable intra zone forwarding.

       [--zone=zone] --query-forward
           Return whether intra zone forwarding is enabled. Returns 0 if true,
           1 otherwise.

   Options to Adapt and Query Policies
       Options in this section affect only one particular policy. It's
       required to specify --policy=policy with these options.

       --policy=policy --get-priority
           Get the priority.

       --policy=policy --set-priority=priority
           Set the priority. The priority determines the relative ordering of
           policies. This is an integer value between -32768 and 32767 where
           -1 is the default value for new policies and 0 is reserved for
           internal use.

           If a priority is < 0, then the policy's rules will execute before
           all rules in all zones.

           If a priority is > 0, then the policy's rules will execute after
           all rules in all zones.

       --policy=policy --list-ingress-zones
           List ingress zones added as a space separated list.

       --policy=policy --add-ingress-zone=zone
           Add an ingress zone. This option can be specified multiple times.

           The ingress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           HOST is used for traffic originating from the host machine, i.e.
           the host running firewalld.

           ANY is used for traffic originating from any zone. This can be
           thought of as a wildcard for zones. However, it does not include
           traffic originating from the host machine; use HOST for that.

       --policy=policy --remove-ingress-zone=zone
           Remove an ingress zone. This option can be specified multiple
           times.

       --policy=policy --query-ingress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

       --policy=policy --list-egress-zones
           List egress zones added as a space separated list.

       --policy=policy --add-egress-zone=zone
           Add an egress zone. This option can be specified multiple times.

           The egress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           For clarification on HOST and ANY see option --add-ingress-zone.

       --policy=policy --remove-egress-zone=zone
           Remove an egress zone. This option can be specified multiple times.

       --policy=policy --query-egress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are used
       to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, default zone will be used.

       [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, default
           zone will be used.

       [--zone=zone] --change-interface=interface
           Change the zone the interface interface is bound to, to zone zone.
           If zone is omitted, default zone will be used. If old and new zone
           are the same, the call will be ignored without an error. If the
           interface has not been bound to a zone before, it will behave like
           --add-interface.

       [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--zone=zone] --remove-interface=interface
           Remove binding of interface interface from zone zone. If zone is
           omitted, default zone will be used.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be used
       to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6, the mask is a plain number. The use of host
       names is not supported.

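       The argument formats this page gives for --add-port, --add-forward-port
       and --add-source (the source[/mask]|MAC|ipset:ipset form just
       described), as an added Python validator that is not firewalld's own
       code; the protocol list, name rule and IPv4-only forward-port rule come
       from this page, while relying on the ipaddress module for mask handling
       is an assumption:

```python
# Added example, not firewalld code: validate the argument forms this man page
# documents before they are handed to firewall-offline-cmd in a script.
import ipaddress
import re

# Protocols the page lists for port, source-port and forward-port options.
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
# Name rule the page gives for zones, policies, services and ipsets.
_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def parse_port_range(text):
    """'portid' or 'portid-portid' -> (low, high); ValueError when invalid."""
    parts = text.split("-")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        raise ValueError("bad port or port range: %r" % text)
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError("port out of range or reversed: %r" % text)
    return low, high


def parse_port_spec(text):
    """'portid[-portid]/protocol' (--add-port, --add-source-port)."""
    if text.count("/") != 1:
        raise ValueError("expected portid[-portid]/protocol: %r" % text)
    ports, proto = text.split("/")
    if proto not in PROTOCOLS:
        raise ValueError("unsupported protocol: %r" % proto)
    low, high = parse_port_range(ports)
    return low, high, proto


def parse_forward_port(text):
    """Parse the --add-forward-port argument
    port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

    Splitting on ':' is safe because the page limits this option to IPv4.
    'needs_ip_forwarding' reflects the page's note that IP forwarding is
    implicitly enabled when toaddr is given.
    """
    fields = {}
    for item in text.split(":"):
        key, sep, value = item.partition("=")
        if not sep or key in fields:
            raise ValueError("bad or duplicate field: %r" % item)
        fields[key] = value
    unknown = set(fields) - {"port", "proto", "toport", "toaddr"}
    if unknown or "port" not in fields or "proto" not in fields:
        raise ValueError("need port= and proto=; unknown keys %s" % sorted(unknown))
    if fields["proto"] not in PROTOCOLS:
        raise ValueError("unsupported protocol: %r" % fields["proto"])
    toaddr = None
    if "toaddr" in fields:
        toaddr = ipaddress.ip_network(fields["toaddr"], strict=False)
        if toaddr.version != 4:
            raise ValueError("forward ports are IPv4 only; use the rich language")
    return {
        "port": parse_port_range(fields["port"]),
        "proto": fields["proto"],
        "toport": parse_port_range(fields["toport"]) if "toport" in fields else None,
        "toaddr": toaddr,
        "needs_ip_forwarding": toaddr is not None,
    }


def parse_source(text):
    """Parse source[/mask]|MAC|ipset:ipset as used by --add-source.

    Returns ('ipset', name), ('mac', address) or ('net', ip_network).
    """
    if text.startswith("ipset:"):
        name = text[len("ipset:"):]
        if not _NAME_RE.match(name):
            raise ValueError("bad ipset name: %r" % name)
        return "ipset", name
    if _MAC_RE.match(text):
        return "mac", text.lower()
    addr, sep, mask = text.partition("/")
    # Page: an IPv4 mask may be a netmask or a number, an IPv6 mask a number.
    if sep and ":" in addr and not mask.isdigit():
        raise ValueError("IPv6 mask must be a plain prefix length: %r" % text)
    try:
        return "net", ipaddress.ip_network(text, strict=False)
    except ValueError:
        # Host names land here too: the page says they are not supported.
        raise ValueError("not an IP, network, MAC or ipset: %r" % text) from None


def is_valid(parser, text):
    """True when parser accepts text; convenient for scripted pre-checks."""
    try:
        parser(text)
    except ValueError:
        return False
    return True
```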
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated list.
           If zone is omitted, default zone will be used.

       [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, default zone will
           be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to, to zone zone. If zone is
           omitted, default zone will be used. If old and new zone are the
           same, the call will be ignored without an error. If the source has
           not been bound to a zone before, it will behave like --add-source.

       [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove binding of the source from zone zone. If zone is omitted,
           default zone will be used.

   IPSet Options
       --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
           Add a new permanent ipset, specifying the type and optional
           options.

           ipset names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --delete-ipset=ipset
           Delete an existing permanent ipset.

       --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       --get-ipsets
           Print predefined ipsets as a space separated list.

       --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

       --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if
           true, 1 otherwise.

       --ipset=ipset --get-entries
           List all entries of the ipset.

       --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but are already in the ipset, a warning will
           be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

       --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset from the file. For all
           entries that are listed in the file but not in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

       --ipset=ipset --set-description=description
           Set a new description for the ipset.

       --ipset=ipset --get-description
           Print the description of the ipset.

       --ipset=ipset --set-short=description
           Set a new short description for the ipset.

       --ipset=ipset --get-short
           Print the short description of the ipset.

       --path-ipset=ipset
           Print path of the ipset configuration file.

748   Service Options
749       --info-service=service
750           Print information about the service service. The output format is:
751
752               service
753                 ports: port1 ..
754                 protocols: protocol1 ..
755                 source-ports: source-port1 ..
756                 helpers: helper1 ..
757                 destination: ipv1:address1 ..
758
759
760
761       --new-service=service
762           Add a new permanent service.
763
764           Service names must be alphanumeric and may additionally include
765           characters: '_' and '-'.
766
767       --new-service-from-file=filename [--name=service]
768           Add a new permanent service from a prepared service file with an
769           optional name override.
770
771       --delete-service=service
772           Delete an existing permanent service.
773
774       --path-service=service
775           Print path of the service configuration file.
776
777       --service=service --set-description=description
778           Set new description to service
779
780       --service=service --get-description
781           Print description for service
782
783       --service=service --set-short=description
784           Set short description to service
785
786       --service=service --get-short
787           Print short description for service
788
789       --service=service --add-port=portid[-portid]/protocol
790           Add a new port to the permanent service.
791
792       --service=service --remove-port=portid[-portid]/protocol
793           Remove a port from the permanent service.
794
795       --service=service --query-port=portid[-portid]/protocol
796           Return wether the port has been added to the permanent service.
797
798       --service=service --get-ports
799           List ports added to the permanent service.
800
801       --service=service --add-protocol=protocol
802           Add a new protocol to the permanent service.
803
804       --service=service --remove-protocol=protocol
805           Remove a protocol from the permanent service.
806
807       --service=service --query-protocol=protocol
808           Return wether the protocol has been added to the permanent service.
809
810       --service=service --get-protocols
811           List protocols added to the permanent service.
812
813       --service=service --add-source-port=portid[-portid]/protocol
814           Add a new source port to the permanent service.
815
816       --service=service --remove-source-port=portid[-portid]/protocol
817           Remove a source port from the permanent service.
818
819       --service=service --query-source-port=portid[-portid]/protocol
820           Return wether the source port has been added to the permanent
821           service.
822
823       --service=service --get-source-ports
824           List source ports added to the permanent service.
825
826       --service=service --add-helper=helper
827           Add a new helper to the permanent service.
828
829       --service=service --remove-helper=helper
830           Remove a helper from the permanent service.
831
832       --service=service --query-helper=helper
833           Return wether the helper has been added to the permanent service.
834
835       --service=service --get-service-helpers
836           List helpers added to the permanent service.
837
838       --service=service --set-destination=ipv:address[/mask]
839           Set destination for ipv to address[/mask] in the permanent service.
840
841       --service=service --remove-destination=ipv
842           Remove the destination for ipv from the permanent service.
843
844       --service=service --query-destination=ipv:address[/mask]
845           Return wether the destination ipv to address[/mask] has been set in
846           the permanent service.
847
848       --service=service --get-destinations
849           List destinations added to the permanent service.
850
851       --service=service --add-include=service
852           Add a new include to the permanent service.
853
854       --service=service --remove-include=service
855           Remove a include from the permanent service.
856
857       --service=service --query-include=service
858           Return wether the include has been added to the permanent service.
859
860       --service=service --get-includes
861           List includes added to the permanent service.
862
   Helper Options
       Options in this section affect only one particular helper.

       --info-helper=helper
           Print information about the helper helper. The output format is:

               helper
                 family: family
                 module: module
                 ports: port1 ..

       The following options are only usable in the permanent configuration.

       --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
           Add a new permanent helper with module and optionally family
           defined.

           Helper names must be alphanumeric and may additionally include
           characters: '-'.

       --new-helper-from-file=filename [--name=helper]
           Add a new permanent helper from a prepared helper file with an
           optional name override.

       --delete-helper=helper
           Delete an existing permanent helper.

       --load-helper-defaults=helper
           Load helper default settings or report NO_DEFAULTS error.

       --path-helper=helper
           Print path of the helper configuration file.

       --get-helpers
           Print predefined helpers as a space separated list.

       --helper=helper --set-description=description
           Set new description to helper

       --helper=helper --get-description
           Print description for helper

       --helper=helper --set-short=description
           Set short description to helper

       --helper=helper --get-short
           Print short description for helper

       --helper=helper --add-port=portid[-portid]/protocol
           Add a new port to the permanent helper.

       --helper=helper --remove-port=portid[-portid]/protocol
           Remove a port from the permanent helper.

       --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.

       --helper=helper --get-ports
           List ports added to the permanent helper.

       --helper=helper --set-module=description
           Set module description for helper

       --helper=helper --get-module
           Print module description for helper

       --helper=helper --set-family=description
           Set family description for helper

       --helper=helper --get-family
           Print family description of helper

   Internet Control Message Protocol (ICMP) type Options
       --info-icmptype=icmptype
           Print information about the icmptype icmptype. The output format
           is:

               icmptype
                 destination: ipv1 ..

       --new-icmptype=icmptype
           Add a new permanent icmptype.

           ICMP type names must be alphanumeric and may additionally include
           characters: '_' and '-'.

       --new-icmptype-from-file=filename [--name=icmptype]
           Add a new permanent icmptype from a prepared icmptype file with an
           optional name override.

       --delete-icmptype=icmptype
           Delete an existing permanent icmptype.

       --icmptype=icmptype --set-description=description
           Set new description to icmptype

       --icmptype=icmptype --get-description
           Print description for icmptype

       --icmptype=icmptype --set-short=description
           Set short description to icmptype

       --icmptype=icmptype --get-short
           Print short description for icmptype

       --icmptype=icmptype --add-destination=ipv
           Enable destination for ipv in permanent icmptype. ipv is one of
           ipv4 or ipv6.

       --icmptype=icmptype --remove-destination=ipv
           Disable destination for ipv in permanent icmptype. ipv is one of
           ipv4 or ipv6.

       --icmptype=icmptype --query-destination=ipv
           Return whether destination for ipv is enabled in permanent
           icmptype. ipv is one of ipv4 or ipv6.

       --icmptype=icmptype --get-destinations
           List destinations in permanent icmptype.

       --path-icmptype=icmptype
           Print path of the icmptype configuration file.

   Direct Options
       DEPRECATED
           The direct interface has been deprecated. It will be removed in a
           future release. It is superseded by policies, see
           firewalld.policies(5).

       The direct options give a more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. table
       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).

       Direct options should be used only as a last resort when it's not
       possible to use for example --add-service=service or
       --add-rich-rule='rule'.

       Warning: Direct rules behavior is different depending on the value of
       FirewallBackend. See CAVEATS in firewalld.direct(5).

       The first argument of each option has to be ipv4 or ipv6 or eb. With
       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

       --direct --get-all-chains
           Get all chains added to all tables.

           This option concerns only chains previously added with --direct
           --add-chain.

       --direct --get-chains { ipv4 | ipv6 | eb } table
           Get all chains added to table table as a space separated list.

           This option concerns only chains previously added with --direct
           --add-chain.

       --direct --add-chain { ipv4 | ipv6 | eb } table chain
           Add a new chain with name chain to table table.

           There already exist basic chains to use with direct options, for
           example the INPUT_direct chain (see iptables-save | grep direct
           output for all of them). These chains are jumped into before chains
           for zones, i.e. every rule put into INPUT_direct will be checked
           before rules in zones.

       --direct --remove-chain { ipv4 | ipv6 | eb } table chain
           Remove the chain with name chain from table table.

       --direct --query-chain { ipv4 | ipv6 | eb } table chain
           Return whether a chain with name chain exists in table table.
           Returns 0 if true, 1 otherwise.

           This option concerns only chains previously added with --direct
           --add-chain.

       --direct --get-all-rules
           Get all rules added to all chains in all tables as a newline
           separated list of the priority and arguments.

       --direct --get-rules { ipv4 | ipv6 | eb } table chain
           Get all rules added to chain chain in table table as a newline
           separated list of the priority and arguments.

       --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
           Add a rule with the arguments args to chain chain in table table
           with priority priority.

           The priority is used to order rules. Priority 0 means add the rule
           at the top of the chain; with a higher priority the rule will be
           added further down. Rules with the same priority are on the same
           level and the order of these rules is not fixed and may change. If
           you want to make sure that a rule will be added after another one,
           use a low priority for the first and a higher one for the
           following.

       --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
           Remove a rule with priority and the arguments args from chain chain
           in table table.

       --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules in the chain with name chain in table table.

           This option concerns only rules previously added with --direct
           --add-rule in this chain.

       --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
           Return whether a rule with priority and the arguments args exists
           in chain chain in table table. Returns 0 if true, 1 otherwise.

       --direct --get-all-passthroughs
           Get all permanent passthrough rules as a newline separated list of
           the ipv value and arguments.

       --direct --get-passthroughs { ipv4 | ipv6 | eb }
           Get all permanent passthrough rules for the ipv value as a newline
           separated list of the priority and arguments.

       --direct --add-passthrough { ipv4 | ipv6 | eb } args
           Add a permanent passthrough rule with the arguments args for the
           ipv value.

       --direct --remove-passthrough { ipv4 | ipv6 | eb } args
           Remove a permanent passthrough rule with the arguments args for the
           ipv value.

       --direct --query-passthrough { ipv4 | ipv6 | eb } args
           Return whether a permanent passthrough rule with the arguments args
           exists for the ipv value. Returns 0 if true, 1 otherwise.

   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.

       The lockdown access check limits D-Bus methods that are changing
       firewall rules. Query, list and get methods are not limited.

       The lockdown feature is a very light version of user and application
       policies for firewalld and is turned off by default.

       --lockdown-on
           Enable lockdown. Be careful - if firewall-cmd is not on the lockdown
           whitelist when you enable lockdown you won't be able to disable it
           again with firewall-cmd; you would need to edit firewalld.conf.

       --lockdown-off
           Disable lockdown.

       --query-lockdown
           Query whether lockdown is enabled. Returns 0 if lockdown is
           enabled, 1 otherwise.

   Lockdown Whitelist Options
       The lockdown whitelist can contain commands, contexts, users and user
       ids.

       If a command entry on the whitelist ends with an asterisk '*', then all
       command lines starting with the command will match. If the '*' is not
       there, the absolute command line including arguments must match.

       Commands for user root and for other users are not always the same.
       Example: As root /bin/firewall-cmd is used, as a normal user
       /usr/bin/firewall-cmd is used on Fedora.

       The context is the security (SELinux) context of a running application
       or service. To get the context of a running application use ps -e
       --context.

       Warning: If the context is unconfined, then this will open access for
       more than the desired application.

       The lockdown whitelist entries are checked in the following order:
           1. context
           2. uid
           3. user
           4. command

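       The following is an added example, not firewalld's own code, that models
       how a whitelist entry admits a caller under the matching rules and check
       order above, and adds the pre-check the --lockdown-on warning calls for.
       The Caller and Whitelist classes and all sample values are constructed.

```python
"""Added example (not firewalld's own code): model how a lockdown whitelist
admits a caller, following the man page rules. A command entry ending in '*'
matches every command line that starts with the text before the '*';
otherwise the absolute command line including arguments must match exactly.
Entries are checked in the order context, uid, user, command.
The Caller/Whitelist classes and the sample values are constructed."""
from dataclasses import dataclass, field


@dataclass
class Caller:
    context: str   # SELinux context, as shown by `ps -e --context`
    uid: int
    user: str
    command: str   # absolute command line including arguments


@dataclass
class Whitelist:
    contexts: set = field(default_factory=set)
    uids: set = field(default_factory=set)
    users: set = field(default_factory=set)
    commands: list = field(default_factory=list)


def command_matches(entry: str, cmdline: str) -> bool:
    """Trailing '*' = prefix match on the command line; otherwise exact."""
    if entry.endswith("*"):
        return cmdline.startswith(entry[:-1])
    return cmdline == entry


def whitelist_match(wl: Whitelist, caller: Caller):
    """Return the kind of entry that admits the caller, in the documented
    check order, or None if the caller is not on the whitelist."""
    if caller.context in wl.contexts:
        return "context"
    if caller.uid in wl.uids:
        return "uid"
    if caller.user in wl.users:
        return "user"
    if any(command_matches(e, caller.command) for e in wl.commands):
        return "command"
    return None


def lockdown_on_is_safe(wl: Whitelist, admin: Caller) -> bool:
    """Pre-check for --lockdown-on: the man page warns that if firewall-cmd
    is not on the whitelist, lockdown cannot be disabled with it again."""
    return whitelist_match(wl, admin) is not None


def unconfined_contexts(wl: Whitelist) -> list:
    """Flag context entries that are unconfined; the man page warns these
    open access to more than the intended application (assumption: the
    context string contains 'unconfined')."""
    return sorted(c for c in wl.contexts if "unconfined" in c)


# Constructed sample whitelist and caller
WL = Whitelist(contexts={"system_u:system_r:NetworkManager_t:s0"}, uids={0},
               commands=["/usr/bin/firewall-cmd*"])
ADMIN = Caller("unconfined_u:unconfined_r:unconfined_t:s0", 1000, "alice",
               "/usr/bin/firewall-cmd --lockdown-off")
```
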
       --list-lockdown-whitelist-commands
           List all command lines that are on the whitelist.

       --add-lockdown-whitelist-command=command
           Add the command to the whitelist.

       --remove-lockdown-whitelist-command=command
           Remove the command from the whitelist.

       --query-lockdown-whitelist-command=command
           Query whether the command is on the whitelist. Returns 0 if true, 1
           otherwise.

       --list-lockdown-whitelist-contexts
           List all contexts that are on the whitelist.

       --add-lockdown-whitelist-context=context
           Add the context context to the whitelist.

       --remove-lockdown-whitelist-context=context
           Remove the context from the whitelist.

       --query-lockdown-whitelist-context=context
           Query whether the context is on the whitelist. Returns 0 if true, 1
           otherwise.

       --list-lockdown-whitelist-uids
           List all user ids that are on the whitelist.

       --add-lockdown-whitelist-uid=uid
           Add the user id uid to the whitelist.

       --remove-lockdown-whitelist-uid=uid
           Remove the user id uid from the whitelist.

       --query-lockdown-whitelist-uid=uid
           Query whether the user id uid is on the whitelist. Returns 0 if
           true, 1 otherwise.

       --list-lockdown-whitelist-users
           List all user names that are on the whitelist.

       --add-lockdown-whitelist-user=user
           Add the user name user to the whitelist.

       --remove-lockdown-whitelist-user=user
           Remove the user name user from the whitelist.

       --query-lockdown-whitelist-user=user
           Query whether the user name user is on the whitelist. Returns 0 if
           true, 1 otherwise.

   Policy Options
       --policy-server
           Change Polkit actions to 'server' (more restricted)

       --policy-desktop
           Change Polkit actions to 'desktop' (less restricted)

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)

NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer



firewalld 1.0.1                                          FIREWALL-OFFLINE-C(1)