FIREWALL-OFFLINE-C(1)           firewall-offline-cmd          FIREWALL-OFFLINE-C(1)

NAME
       firewall-offline-cmd - firewalld offline command line client

SYNOPSIS
       firewall-offline-cmd [OPTIONS...]

DESCRIPTION
       firewall-offline-cmd is an offline command line client of the firewalld
       daemon. It should be used only if the firewalld service is not running,
       for example to migrate from system-config-firewall/lokkit, or in the
       install environment to configure firewall settings with kickstart.

       Some lokkit options cannot be automatically converted for firewalld;
       they will result in an error or warning message. This tool tries to
       convert as much as possible, but there are limitations, for example
       with custom rules, modules and masquerading.

       Check the firewall configuration after using this tool.

OPTIONS
       If no options are given, the configuration from
       /etc/sysconfig/system-config-firewall will be migrated.

       Sequence options are options that can be specified multiple times. For
       them the exit code is 0 if there is at least one item that succeeded.
       The ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16)
       errors are treated as succeeded. If there are issues while parsing the
       items, these are treated as warnings and do not change the result as
       long as there is one succeeded item. Without any succeeded item, the
       exit code depends on the error codes: if there is exactly one error
       code, it is used; if there is more than one, UNKNOWN_ERROR (254) is
       used.

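       The exit-code rule for sequence options, as an added example that is not
       part of this man page or of firewalld itself: the function models the
       rule stated above so a kickstart or provisioning script can interpret the
       outcome of a batch of items. The per-item result lists are constructed,
       the error codes 200 and 201 are placeholders rather than real firewalld
       error numbers, and treating a run that contains nothing but parse
       failures as UNKNOWN_ERROR is this example's own assumption.

```python
# Added example; not firewall-offline-cmd's or firewalld's own code.
# Models the documented exit-code rule for sequence options (options that
# may be given multiple times). Codes named in the man page:
SUCCESS = 0
ALREADY_ENABLED = 11
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254

# The man page says these non-zero codes count as a succeeded item.
TREATED_AS_SUCCESS = frozenset({SUCCESS, ALREADY_ENABLED, NOT_ENABLED,
                                ZONE_ALREADY_SET})


def sequence_exit_code(results):
    """Return (exit_code, warnings) for one sequence option.

    results: list of (item, code) pairs. code is None for an item that could
    not be parsed; the man page treats that as a warning, never as an error.
    """
    warnings = []
    error_codes = []
    succeeded = False
    for item, code in results:
        if code is None:
            warnings.append(f"could not parse item {item!r}")
        elif code in TREATED_AS_SUCCESS:
            succeeded = True
            if code != SUCCESS:
                warnings.append(f"{item!r}: code {code} treated as success")
        else:
            error_codes.append(code)

    if succeeded:
        # At least one item succeeded: warnings never change the result.
        return SUCCESS, warnings
    distinct = set(error_codes)
    if len(distinct) == 1:
        # Exactly one error code: it becomes the exit code.
        return distinct.pop(), warnings
    # More than one distinct error code, or (assumption of this example)
    # nothing but parse failures: UNKNOWN_ERROR.
    return UNKNOWN_ERROR, warnings


# Constructed sample batches, as if from several --service=... items.
# 200 and 201 are placeholder codes, not real firewalld error numbers.
MIXED = [("ssh", SUCCESS), ("http", ALREADY_ENABLED), ("n0t-a-service", None)]
ONE_ERROR = [("a", 200), ("b", 200)]
TWO_ERRORS = [("a", 200), ("b", 201)]

if __name__ == "__main__":
    for name, batch in (("MIXED", MIXED), ("ONE_ERROR", ONE_ERROR),
                        ("TWO_ERRORS", TWO_ERRORS)):
        code, warns = sequence_exit_code(batch)
        print(f"{name}: exit {code}, {len(warns)} warning(s)")
```

       In a %post script the same decision is made by firewall-offline-cmd
       itself; the model is useful when a wrapper has to decide whether a
       batch of items is worth retrying or reporting.
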
       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Prints the version string of firewalld and exits.

       -q, --quiet
           Do not print status messages.

       --default-config
           Path to the firewalld default configuration. This usually defaults
           to /usr/lib/firewalld.

       --system-config
           Path to the firewalld system (user) configuration. This usually
           defaults to /etc/firewalld.

   Status Options
       --enabled
           Enable the firewall. This option is a default option and will
           activate the firewall if not already enabled, as long as the option
           --disabled is not given.

       --disabled
           Disable the firewall by disabling the firewalld service.

       --check-config
           Run checks on the permanent (default and system) configuration.
           This includes XML validity and semantics.

           This may be used with --system-config to check the validity of
           handwritten configuration files before copying them to the standard
           location.

   Lokkit Compatibility Options
       These options are nearly identical to the options of lokkit.

       --migrate-system-config-firewall=file
           Migrate system-config-firewall configuration from the given file.
           No further

       --addmodule=module
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --removemodule
           This option will result in a warning message and will be ignored.

           Handling of netfilter helpers has been merged into services
           completely. Adding or removing netfilter helpers outside of
           services is therefore not needed anymore. For more information on
           handling netfilter helpers in services, please have a look at
           firewalld.zone(5).

       --remove-service=service
           Remove a service from the default zone. This option can be
           specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -s service, --service=service
           Add a service to the default zone. This option can be specified
           multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

       -p portid[-portid]:protocol, --port=portid[-portid]:protocol
           Add the port to the default zone. This option can be specified
           multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       -t interface, --trust=interface
           This option will result in a warning message.

           Mark an interface as trusted. This option can be specified multiple
           times. The interface will be bound to the trusted zone.

           If the interface is used in a NetworkManager managed connection or
           if there is an ifcfg file for this interface, the zone will be
           changed to the zone defined in the configuration as soon as it gets
           activated. To change the zone of a connection use
           nm-connection-editor and set the zone to trusted; for an ifcfg
           file, use an editor and add "ZONE=trusted". If the zone is not
           defined in the ifcfg file, the firewalld default zone will be used.

       -m interface, --masq=interface
           This option will result in a warning message.

           Masquerading will be enabled in the default zone. The interface
           argument will be ignored. This is for IPv4 only.

       --custom-rules=[type:][table:]filename
           This option will result in a warning message and will be ignored.

           Custom rule files are not supported by firewalld.

       --forward-port=if=interface:port=port:proto=protocol[:toport=destination port:][:toaddr=destination address]
           This option will result in a warning message.

           Add the IPv4 forward port in the default zone. This option can be
           specified multiple times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is an IP address.

       --block-icmp=icmptype
           This option will result in a warning message.

           Add an ICMP block for icmptype in the default zone. This option can
           be specified multiple times.

           The icmptype is one of the icmp types firewalld supports. To get a
           listing of supported icmp types: firewall-cmd --get-icmptypes

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

       --get-zones
           Print predefined zones as a space separated list.

       --get-services
           Print predefined services as a space separated list.

       --get-icmptypes
           Print predefined icmptypes as a space separated list.

       --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to or no zone.

       --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to or no zone.

       --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                         forward-port1
                         ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                         rich-rule1
                         ..

       --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                         forward-port1
                         ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                         rich-rule1
                         ..
               ..

       --new-zone=zone
           Add a new permanent zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --path-zone=zone
           Print the path of the zone configuration file.

       --delete-zone=zone
           Delete an existing permanent zone.

   Policy Options
       --get-policies
           Print predefined policies as a space separated list.

       --info-policy=policy
           Print information about the policy policy.

       --list-all-policies
           List everything added for or enabled in all policies.

       --new-policy=policy
           Add a new permanent policy.

           Policy names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --new-policy-from-file=filename [--name=policy]
           Add a new permanent policy from a prepared policy file with an
           optional name override.

       --path-policy=policy
           Print the path of the policy configuration file.

       --delete-policy=policy
           Delete an existing permanent policy.

       --load-policy-defaults=policy
           Load the shipped defaults for a policy. Only applies to policies
           shipped with firewalld. Does not apply to user defined policies.

   Options to Adapt and Query Zones and Policies
       Options in this section affect only one particular zone or policy. If
       used with the --zone=zone or --policy=policy option, they affect the
       specified zone or policy. If both options are omitted, they affect the
       default zone (see --get-default-zone).

       [--zone=zone] [--policy=policy] --list-all
           List everything added or enabled.

       [--zone=zone] [--policy=policy] --get-target
           Get the target.

       [--zone=zone] [--policy=policy] --set-target=target
           Set the target.

           For zones target is one of: default, ACCEPT, DROP, REJECT

           For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but it implicitly allows ICMP
           packets.

       [--zone=zone] [--policy=policy] --set-description=description
           Set the description.

       [--zone=zone] [--policy=policy] --get-description
           Print the description.

       [--zone=zone] [--policy=policy] --set-short=description
           Set the short description.

       [--zone=zone] [--policy=policy] --get-short
           Print the short description.

       [--zone=zone] [--policy=policy] --list-services
           List services added as a space separated list.

       [--zone=zone] [--policy=policy] --add-service=service
           Add a service. This option can be specified multiple times.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           Note: Some services define connection tracking helpers. Helpers
           that may operate in client mode (e.g. tftp) must be added to an
           outbound policy instead of a zone to take effect for clients.
           Otherwise the helper will not be applied to the outbound traffic.
           The related traffic, as defined by the connection tracking helper,
           on the return path (ingress) will be allowed by the stateful
           firewall rules.

           An example of an outbound policy for connection tracking helpers:

               # firewall-cmd --new-policy clientConntrack
               # firewall-cmd --policy clientConntrack --add-ingress-zone HOST
               # firewall-cmd --policy clientConntrack --add-egress-zone ANY
               # firewall-cmd --policy clientConntrack --add-service tftp

       [--zone=zone] --remove-service-from-zone=service
           Remove a service from the zone. This option can be specified
           multiple times. If zone is omitted, the default zone will be used.

       [--policy=policy] --remove-service-from-policy=service
           Remove a service from the policy. This option can be specified
           multiple times.

       [--zone=zone] [--policy=policy] --query-service=service
           Return whether the service has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-ports
           List ports added as a space separated list. A port is of the form
           portid[-portid]/protocol; it can be either a port and protocol pair
           or a port range with a protocol.

       [--zone=zone] [--policy=policy] --add-port=portid[-portid]/protocol
           Add the port. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] [--policy=policy] --remove-port=portid[-portid]/protocol
           Remove the port. This option can be specified multiple times.

       [--zone=zone] [--policy=policy] --query-port=portid[-portid]/protocol
           Return whether the port has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-protocols
           List protocols added as a space separated list.

       [--zone=zone] [--policy=policy] --add-protocol=protocol
           Add the protocol. This option can be specified multiple times.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

       [--zone=zone] [--policy=policy] --remove-protocol=protocol
           Remove the protocol. This option can be specified multiple times.

       [--zone=zone] [--policy=policy] --query-protocol=protocol
           Return whether the protocol has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added as
           a space separated list.

       [--zone=zone] [--policy=policy] --add-icmp-block=icmptype
           Add an ICMP block for icmptype. This option can be specified
           multiple times.

           The icmptype is one of the icmp types firewalld supports. To get a
           listing of supported icmp types: firewall-cmd --get-icmptypes

       [--zone=zone] [--policy=policy] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype. This option can be specified
           multiple times.

       [--zone=zone] [--policy=policy] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added. Returns 0
           if true, 1 otherwise.

       [--zone=zone] [--policy=policy] --list-forward-ports
           List IPv4 forward ports added as a space separated list.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Add the IPv4 forward port. This option can be specified multiple
           times.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

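       The two argument forms described above, portid[-portid]/protocol for
       --add-port and --add-source-port and the port=...:proto=...[:toport=...]
       [:toaddr=...] form for --add-forward-port, as an added example that is
       not firewalld's own parser: it validates the values a provisioning
       script is about to pass to firewall-offline-cmd, accepting only the
       protocols the page lists and only IPv4 destinations, and reports
       whether a forward port will implicitly enable IP forwarding. The
       function names are this example's own, the sample inputs are
       constructed, and the rule that toport= or toaddr= must be present is
       this example's own sanity check, not something the page states.

```python
# Added example; not firewalld's own code. Parses the port specifications
# used by --add-port / --add-source-port and --add-forward-port.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}  # the protocols the man page allows
_RANGE_RE = re.compile(r"(\d{1,5})(?:-(\d{1,5}))?")


def parse_port_range(text: str) -> Tuple[int, int]:
    """portid or portid-portid; both ends must be 1..65535 and ordered."""
    m = _RANGE_RE.fullmatch(text)
    if not m:
        raise ValueError(f"bad port range {text!r}")
    start = int(m.group(1))
    end = int(m.group(2)) if m.group(2) else start
    if not (1 <= start <= 65535 and 1 <= end <= 65535):
        raise ValueError(f"port out of range in {text!r}")
    if start > end:
        raise ValueError(f"range start after end in {text!r}")
    return start, end


@dataclass(frozen=True)
class Port:
    start: int
    end: int
    proto: str


def parse_port(spec: str) -> Port:
    """Parse portid[-portid]/protocol."""
    ports, sep, proto = spec.partition("/")
    if not sep:
        raise ValueError(f"missing /protocol in {spec!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unsupported protocol {proto!r}")
    start, end = parse_port_range(ports)
    return Port(start, end, proto)


@dataclass(frozen=True)
class ForwardPort:
    port: Port
    toport: Optional[Tuple[int, int]]
    toaddr: Optional[str]

    @property
    def enables_ip_forwarding(self) -> bool:
        # Man page: IP forwarding is implicitly enabled if toaddr is given.
        return self.toaddr is not None


def parse_forward_port(spec: str) -> ForwardPort:
    """Parse port=PORT:proto=PROTO[:toport=PORT][:toaddr=ADDR[/mask]].

    Only IPv4 is accepted, as for the option itself; an IPv6 toaddr would
    contain ':' and cannot be expressed in this colon-separated form anyway.
    """
    fields = {}
    for field in spec.split(":"):
        key, sep, value = field.partition("=")
        if not sep or not value:
            raise ValueError(f"malformed field {field!r} in {spec!r}")
        if key in fields:
            raise ValueError(f"duplicate field {key!r} in {spec!r}")
        fields[key] = value
    unknown = set(fields) - {"port", "proto", "toport", "toaddr"}
    if unknown:
        raise ValueError(f"unknown field(s) {sorted(unknown)} in {spec!r}")
    if "port" not in fields or "proto" not in fields:
        raise ValueError(f"port= and proto= are required in {spec!r}")
    port = parse_port(f"{fields['port']}/{fields['proto']}")
    toport = parse_port_range(fields["toport"]) if "toport" in fields else None
    toaddr = None
    if "toaddr" in fields:
        iface = ipaddress.ip_interface(fields["toaddr"])  # address[/mask]
        if iface.version != 4:
            raise ValueError(f"toaddr must be IPv4 in {spec!r}")
        toaddr = str(iface)
    if toport is None and toaddr is None:
        # This example's own sanity check: forwarding nowhere is a no-op.
        raise ValueError(f"toport= or toaddr= needed in {spec!r}")
    return ForwardPort(port, toport, toaddr)


def port_error(spec: str) -> Optional[str]:
    """None if spec is a valid port, else the reason it was rejected."""
    try:
        parse_port(spec)
    except ValueError as exc:
        return str(exc)
    return None


def forward_port_error(spec: str) -> Optional[str]:
    """None if spec is a valid forward port, else the reason."""
    try:
        parse_forward_port(spec)
    except ValueError as exc:
        return str(exc)
    return None
```

       Rejecting a bad value before it reaches the tool matters most in a
       kickstart, where a parse failure on one item is only a warning and the
       batch can still exit 0 (see the sequence-option rule above).
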
       [--zone=zone] [--policy=policy] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added. Returns 0 if
           true, 1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--zone=zone] [--policy=policy] --list-source-ports
           List source ports added as a space separated list. A port is of the
           form portid[-portid]/protocol.

       [--zone=zone] [--policy=policy] --add-source-port=portid[-portid]/protocol
           Add the source port. This option can be specified multiple times.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       [--zone=zone] [--policy=policy] --remove-source-port=portid[-portid]/protocol
           Remove the source port. This option can be specified multiple
           times.

       [--zone=zone] [--policy=policy] --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added. Returns 0 if true, 1
           otherwise.

       [--zone=zone] [--policy=policy] --add-masquerade
           Enable IPv4 masquerade. Masquerading is useful if the machine is a
           router and machines connected over an interface in another zone
           should be able to use the first connection.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--zone=zone] [--policy=policy] --remove-masquerade
           Disable IPv4 masquerade.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] [--policy=policy] --query-masquerade
           Return whether IPv4 masquerading has been enabled. Returns 0 if
           true, 1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--zone=zone] [--policy=policy] --list-rich-rules
           List rich language rules added as a newline separated list.

       [--zone=zone] [--policy=policy] --add-rich-rule='rule'
           Add rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] [--policy=policy] --remove-rich-rule='rule'
           Remove rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--zone=zone] [--policy=policy] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added. Returns
           0 if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the specified zone. If the option
       is omitted, they affect the default zone (see --get-default-zone).

       [--zone=zone] --add-icmp-block-inversion
           Enable ICMP block inversion.

       [--zone=zone] --remove-icmp-block-inversion
           Disable ICMP block inversion.

       [--zone=zone] --query-icmp-block-inversion
           Return whether ICMP block inversion is enabled. Returns 0 if true,
           1 otherwise.

       [--zone=zone] --add-forward
           Enable intra zone forwarding.

       [--zone=zone] --remove-forward
           Disable intra zone forwarding.

       [--zone=zone] --query-forward
           Return whether intra zone forwarding is enabled. Returns 0 if true,
           1 otherwise.

   Options to Adapt and Query Policies
       Options in this section affect only one particular policy. It is
       required to specify --policy=policy with these options.

       --policy=policy --get-priority
           Get the priority.

       --policy=policy --set-priority=priority
           Set the priority. The priority determines the relative ordering of
           policies. This is an integer value between -32768 and 32767 where
           -1 is the default value for new policies and 0 is reserved for
           internal use.

           If a priority is < 0, then the policy's rules will execute before
           all rules in all zones.

           If a priority is > 0, then the policy's rules will execute after
           all rules in all zones.

       --policy=policy --list-ingress-zones
           List ingress zones added as a space separated list.

       --policy=policy --add-ingress-zone=zone
           Add an ingress zone. This option can be specified multiple times.

           The ingress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           HOST is used for traffic originating from the host machine, i.e.
           the host running firewalld.

           ANY is used for traffic originating from any zone. This can be
           thought of as a wild card for zones. However, it does not include
           traffic originating from the host machine; use HOST for that.

       --policy=policy --remove-ingress-zone=zone
           Remove an ingress zone. This option can be specified multiple
           times.

       --policy=policy --query-ingress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

       --policy=policy --list-egress-zones
           List egress zones added as a space separated list.

       --policy=policy --add-egress-zone=zone
           Add an egress zone. This option can be specified multiple times.

           The egress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           For clarification on HOST and ANY see option --add-ingress-zone.

       --policy=policy --remove-egress-zone=zone
           Remove an egress zone. This option can be specified multiple times.

       --policy=policy --query-egress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are used
       to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone will be used.

       [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, the
           default zone will be used.

       [--zone=zone] --change-interface=interface
           Change the zone the interface interface is bound to to zone zone.
           If zone is omitted, the default zone will be used. If the old and
           new zone are the same, the call will be ignored without an error.
           If the interface has not been bound to a zone before, it will
           behave like --add-interface.

       [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--zone=zone] --remove-interface=interface
           Remove the binding of interface interface from zone zone. If zone
           is omitted, the default zone will be used.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be
       used to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

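       The source[/mask]|MAC|ipset:ipset argument rules above, as an added
       example that is not firewalld's own validation: the function classifies
       and normalizes a --add-source style value, accepting an IPv4 mask given
       as a prefix length or a dotted net mask, an IPv6 mask only as a prefix
       length, a MAC address, or an ipset: name, and rejecting host names. The
       function names are this example's own, the sample values are
       constructed, and applying the page's ipset naming rule (alphanumeric
       plus '_' and '-') to the name after ipset: is this example's choice.

```python
# Added example; not firewalld's own code. Classifies the
# source[/mask]|MAC|ipset:ipset argument of --add-source and friends.
import ipaddress
import re
from typing import Optional, Tuple

_MAC_RE = re.compile(r"([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}")
# Name rule the man page gives for ipsets: alphanumeric plus '_' and '-'.
_IPSET_NAME_RE = re.compile(r"[A-Za-z0-9_-]+")


def _ipv4_prefix(mask: str) -> int:
    """Prefix length for an IPv4 mask given as a number or a dotted net mask."""
    try:
        prefix = ipaddress.IPv4Network((0, mask)).prefixlen
    except ValueError:
        raise ValueError(f"bad IPv4 mask {mask!r}") from None
    # A dotted mask must be a net mask, not a host mask such as 0.0.0.255.
    if not mask.isdigit() and str(ipaddress.IPv4Network((0, prefix)).netmask) != mask:
        raise ValueError(f"not a net mask: {mask!r}")
    return prefix


def classify_source(spec: str) -> Tuple[str, str]:
    """Return (kind, normalized) where kind is ipv4, ipv6, mac or ipset."""
    if spec.startswith("ipset:"):
        name = spec[len("ipset:"):]
        if not _IPSET_NAME_RE.fullmatch(name):
            raise ValueError(f"bad ipset name {name!r}")
        return "ipset", name
    if _MAC_RE.fullmatch(spec):
        return "mac", spec.lower()
    addr, _, mask = spec.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        raise ValueError(f"{spec!r} is not an address, MAC or ipset "
                         "(host names are not supported)") from None
    if not mask:
        return f"ipv{ip.version}", str(ip)
    if ip.version == 6:
        # IPv6: the mask is a plain prefix length only.
        if not mask.isdigit() or int(mask) > 128:
            raise ValueError(f"IPv6 mask must be a prefix length: {mask!r}")
        net = ipaddress.IPv6Network((ip, int(mask)), strict=False)
        return "ipv6", str(net)
    # IPv4: prefix length or dotted net mask; strict=False drops host bits.
    net = ipaddress.IPv4Network((ip, _ipv4_prefix(mask)), strict=False)
    return "ipv4", str(net)


def source_error(spec: str) -> Optional[str]:
    """None if spec is acceptable, else why it was rejected."""
    try:
        classify_source(spec)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values.
    for s in ("192.0.2.0/255.255.255.0", "2001:db8::/64", "00:11:22:AA:bb:CC",
              "ipset:blocklist", "example.com"):
        print(s, "->", source_error(s) or classify_source(s))
```

       The normalized form is what you would expect to see back from
       --list-sources, which makes it a convenient key when comparing a
       staged configuration against the running one.
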
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated list.
           If zone is omitted, the default zone will be used.

       [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, the default zone
           will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to to zone zone. If zone is
           omitted, the default zone will be used. If the old and new zone are
           the same, the call will be ignored without an error. If the source
           has not been bound to a zone before, it will behave like
           --add-source.

       [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from zone zone. If zone is
           omitted, the default zone will be used.

   IPSet Options
       --new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
           Add a new permanent ipset, specifying the type and optional
           options.

           ipset names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --delete-ipset=ipset
           Delete an existing permanent ipset.

       --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       --get-ipsets
           Print predefined ipsets as a space separated list.

       --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

       --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       --ipset=ipset --query-entry=entry
           Return whether the entry has been added to the ipset. Returns 0 if
           true, 1 otherwise.

       --ipset=ipset --get-entries
           List all entries of the ipset.

       --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but already in the ipset, a warning will be
           printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

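       The entries-file format described above, as an added example that is
       not firewalld's own code: it reads a file in the form that
       --add-entries-from-file and --remove-entries-from-file expect (one
       entry per line, empty lines and lines starting with '#' or ';'
       ignored) and, like the tool, turns an entry that is already in the
       ipset (add) or not in it (remove) into a warning rather than a failure.
       The function names are this example's own, the sample file is
       constructed, and trimming surrounding whitespace on each line before
       the comment test is this example's own choice.

```python
# Added example; not firewalld's own code. Parses the one-entry-per-line
# file used by --add-entries-from-file / --remove-entries-from-file and
# reports the warnings the man page describes.
from typing import Iterable, List, Tuple

COMMENT_PREFIXES = ("#", ";")  # lines starting with these are ignored


def parse_entries(text: str) -> List[Tuple[int, str]]:
    """Return (line number, entry) pairs for the entries in the file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()  # trimming is this example's choice
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        entries.append((lineno, line))
    return entries


def plan_entries(text: str, existing: Iterable[str], remove: bool = False):
    """Return (entries to apply, warnings) for an add (default) or remove run.

    `existing` holds the ipset's current entries. The working set is updated
    as the file is walked, so a duplicate inside the file itself also warns.
    """
    present = set(existing)
    to_apply, warnings = [], []
    for lineno, entry in parse_entries(text):
        if remove:
            if entry in present:
                present.discard(entry)
                to_apply.append(entry)
            else:
                warnings.append(f"line {lineno}: {entry!r} is not in the ipset")
        else:
            if entry in present:
                warnings.append(f"line {lineno}: {entry!r} is already in the ipset")
            else:
                present.add(entry)
                to_apply.append(entry)
    return to_apply, warnings


# Constructed sample entries file.
SAMPLE_FILE = """\
# entries for a constructed "blocklist" ipset
; comments may also start with a semicolon

192.0.2.1
192.0.2.2
  192.0.2.1
"""

if __name__ == "__main__":
    adds, warns = plan_entries(SAMPLE_FILE, existing={"192.0.2.2"})
    print("add:", adds)
    for w in warns:
        print("warning:", w)
```

       Checking the file this way before the run gives line numbers for the
       warnings, which the tool's own output does not carry.
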
725 --ipset=ipset --remove-entries-from-file=filename
726 Remove existing entries from the ipset from the file. For all
727 entries that are listed in the file but not in the ipset, a warning
728 will be printed.
729
730 The file should contain an entry per line. Lines starting with an
731 hash or semicolon are ignored. Also empty lines.
732
733 --ipset=ipset --set-description=description
734 Set new description to ipset
735
736 --ipset=ipset --get-description
737 Print description for ipset
738
739 --ipset=ipset --set-short=description
740 Set new short description to ipset
741
742 --ipset=ipset --get-short
743 Print short description for ipset
744
745 --path-ipset=ipset
746 Print path of the ipset configuration file.
747
748 Service Options
749 --info-service=service
750 Print information about the service service. The output format is:
751
752 service
753 ports: port1 ..
754 protocols: protocol1 ..
755 source-ports: source-port1 ..
756 helpers: helper1 ..
757 destination: ipv1:address1 ..
758
759
760
761 --new-service=service
762 Add a new permanent service.
763
764 Service names must be alphanumeric and may additionally include
765 characters: '_' and '-'.
766
767 --new-service-from-file=filename [--name=service]
768 Add a new permanent service from a prepared service file with an
769 optional name override.
770
771 --delete-service=service
772 Delete an existing permanent service.
773
774 --path-service=service
775 Print path of the service configuration file.
776
777 --service=service --set-description=description
778 Set new description to service
779
780 --service=service --get-description
781 Print description for service
782
783 --service=service --set-short=description
784 Set short description to service
785
786 --service=service --get-short
787 Print short description for service
788
789 --service=service --add-port=portid[-portid]/protocol
790 Add a new port to the permanent service.
791
792 --service=service --remove-port=portid[-portid]/protocol
793 Remove a port from the permanent service.
794
795 --service=service --query-port=portid[-portid]/protocol
796 Return whether the port has been added to the permanent service.
797
798 --service=service --get-ports
799 List ports added to the permanent service.
800
801 --service=service --add-protocol=protocol
802 Add a new protocol to the permanent service.
803
804 --service=service --remove-protocol=protocol
805 Remove a protocol from the permanent service.
806
807 --service=service --query-protocol=protocol
808 Return whether the protocol has been added to the permanent
809 service.
810
811 --service=service --get-protocols
812 List protocols added to the permanent service.
813
814 --service=service --add-source-port=portid[-portid]/protocol
815 Add a new source port to the permanent service.
816
817 --service=service --remove-source-port=portid[-portid]/protocol
818 Remove a source port from the permanent service.
819
820 --service=service --query-source-port=portid[-portid]/protocol
821 Return whether the source port has been added to the permanent
822 service.
823
824 --service=service --get-source-ports
825 List source ports added to the permanent service.
826
827 --service=service --add-helper=helper
828 Add a new helper to the permanent service.
829
830 --service=service --remove-helper=helper
831 Remove a helper from the permanent service.
832
833 --service=service --query-helper=helper
834 Return whether the helper has been added to the permanent service.
835
836 --service=service --get-service-helpers
837 List helpers added to the permanent service.
838
839 --service=service --set-destination=ipv:address[/mask]
840 Set destination for ipv to address[/mask] in the permanent service.
841
842 --service=service --remove-destination=ipv
843 Remove the destination for ipv from the permanent service.
844
845 --service=service --query-destination=ipv:address[/mask]
846 Return whether the destination ipv to address[/mask] has been set
847 in the permanent service.
848
849 --service=service --get-destinations
850 List destinations added to the permanent service.
851
852 --service=service --add-include=service
853 Add a new include to the permanent service.
854
855 --service=service --remove-include=service
856 Remove a include from the permanent service.
857
858 --service=service --query-include=service
859 Return whether the include has been added to the permanent service.
860
861 --service=service --get-includes
862 List includes added to the permanent service.
863
Helper Options
Options in this section affect only one particular helper.

--info-helper=helper
Print information about the helper helper. The output format is:

helper
family: family
module: module
ports: port1 ..

The following options are only usable in the permanent configuration.

--new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
Add a new permanent helper with module and optionally family
defined.

Helper names must be alphanumeric and may additionally include the
character '-'.

--new-helper-from-file=filename [--name=helper]
Add a new permanent helper from a prepared helper file with an
optional name override.

--delete-helper=helper
Delete an existing permanent helper.

--load-helper-defaults=helper
Load the helper default settings or report a NO_DEFAULTS error.

--path-helper=helper
Print the path of the helper configuration file.

--get-helpers
Print predefined helpers as a space separated list.

--helper=helper --set-description=description
Set a new description for the helper.

--helper=helper --get-description
Print the description of the helper.

--helper=helper --set-short=description
Set the short description of the helper.

--helper=helper --get-short
Print the short description of the helper.

--helper=helper --add-port=portid[-portid]/protocol
Add a new port to the permanent helper.

--helper=helper --remove-port=portid[-portid]/protocol
Remove a port from the permanent helper.

--helper=helper --query-port=portid[-portid]/protocol
Return whether the port has been added to the permanent helper.

--helper=helper --get-ports
List ports added to the permanent helper.

--helper=helper --set-module=module
Set the nf_conntrack module of the permanent helper.

--helper=helper --get-module
Print the module of the helper.

--helper=helper --set-family=family
Set the family (ipv4 or ipv6) of the permanent helper.

--helper=helper --get-family
Print the family of the helper.
Internet Control Message Protocol (ICMP) type Options
--info-icmptype=icmptype
Print information about the icmptype icmptype. The output format
is:

icmptype
destination: ipv1 ..

--new-icmptype=icmptype
Add a new permanent icmptype.

ICMP type names must be alphanumeric and may additionally include the
characters '_' and '-'.

--new-icmptype-from-file=filename [--name=icmptype]
Add a new permanent icmptype from a prepared icmptype file with an
optional name override.

--delete-icmptype=icmptype
Delete an existing permanent icmptype.

--icmptype=icmptype --set-description=description
Set a new description for the icmptype.

--icmptype=icmptype --get-description
Print the description of the icmptype.

--icmptype=icmptype --set-short=description
Set the short description of the icmptype.

--icmptype=icmptype --get-short
Print the short description of the icmptype.

--icmptype=icmptype --add-destination=ipv
Enable the destination for ipv in the permanent icmptype. ipv is one of
ipv4 or ipv6.

--icmptype=icmptype --remove-destination=ipv
Disable the destination for ipv in the permanent icmptype. ipv is one of
ipv4 or ipv6.

--icmptype=icmptype --query-destination=ipv
Return whether the destination for ipv is enabled in the permanent
icmptype. ipv is one of ipv4 or ipv6.

--icmptype=icmptype --get-destinations
List destinations in the permanent icmptype.

--path-icmptype=icmptype
Print the path of the icmptype configuration file.
Direct Options
DEPRECATED
The direct interface has been deprecated. It will be removed in a
future release. It is superseded by policies, see
firewalld.policies(5).

The direct options give more direct access to the firewall. These
options require the user to know basic iptables concepts, i.e. tables
(filter/mangle/nat/...), chains (INPUT/OUTPUT/FORWARD/...), commands
(-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
(ACCEPT/DROP/REJECT/...).

Direct options should be used only as a last resort when it is not
possible to use for example --add-service=service or
--add-rich-rule='rule'.

Warning: The behavior of direct rules differs depending on the value of
FirewallBackend. See CAVEATS in firewalld.direct(5).

The first argument of each option has to be ipv4, ipv6 or eb. With
ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
(ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

--direct --get-all-chains
Get all chains added to all tables.

This option concerns only chains previously added with --direct
--add-chain.

--direct --get-chains { ipv4 | ipv6 | eb } table
Get all chains added to table table as a space separated list.

This option concerns only chains previously added with --direct
--add-chain.

--direct --add-chain { ipv4 | ipv6 | eb } table chain
Add a new chain with name chain to table table.

There already exist basic chains to use with direct options, for
example the INPUT_direct chain (see the output of iptables-save | grep
direct for all of them). These chains are jumped into before the chains
for zones, i.e. every rule put into INPUT_direct will be checked before
the rules in zones.

--direct --remove-chain { ipv4 | ipv6 | eb } table chain
Remove the chain with name chain from table table.

--direct --query-chain { ipv4 | ipv6 | eb } table chain
Return whether a chain with name chain exists in table table.
Returns 0 if true, 1 otherwise.

This option concerns only chains previously added with --direct
--add-chain.

--direct --get-all-rules
Get all rules added to all chains in all tables as a newline
separated list of the priority and arguments.

--direct --get-rules { ipv4 | ipv6 | eb } table chain
Get all rules added to chain chain in table table as a newline
separated list of the priority and arguments.

--direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
Add a rule with the arguments args to chain chain in table table
with priority priority.

The priority is used to order rules. Priority 0 means add the rule at
the top of the chain; with a higher priority the rule will be added
further down. Rules with the same priority are on the same level,
and the order of these rules is not fixed and may change. If you
want to make sure that a rule will be added after another one, use
a low priority for the first and a higher one for the following.

--direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
Remove the rule with priority priority and the arguments args from chain
chain in table table.

--direct --remove-rules { ipv4 | ipv6 | eb } table chain
Remove all rules from the chain with name chain in table table.

This option concerns only rules previously added with --direct
--add-rule in this chain.

--direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
Return whether a rule with priority priority and the arguments args exists
in chain chain in table table. Returns 0 if true, 1 otherwise.

--direct --get-all-passthroughs
Get all permanent passthrough rules as a newline separated list of the
ipv value and arguments.

--direct --get-passthroughs { ipv4 | ipv6 | eb }
Get all permanent passthrough rules for the ipv value as a newline
separated list of the arguments.

--direct --add-passthrough { ipv4 | ipv6 | eb } args
Add a permanent passthrough rule with the arguments args for the
ipv value.

--direct --remove-passthrough { ipv4 | ipv6 | eb } args
Remove a permanent passthrough rule with the arguments args for the
ipv value.

--direct --query-passthrough { ipv4 | ipv6 | eb } args
Return whether a permanent passthrough rule with the arguments args
exists for the ipv value. Returns 0 if true, 1 otherwise.
Lockdown Options
Local applications or services are able to change the firewall
configuration if they are running as root (example: libvirt) or are
authenticated using PolicyKit. With this feature administrators can
lock the firewall configuration so that only applications on the lockdown
whitelist are able to request firewall changes.

The lockdown access check limits D-Bus methods that change
firewall rules. Query, list and get methods are not limited.

The lockdown feature is a very light version of user and application
policies for firewalld and is turned off by default.

--lockdown-on
Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
whitelist when you enable lockdown, you won't be able to disable it
again with firewall-cmd; you would need to edit firewalld.conf.

--lockdown-off
Disable lockdown.

--query-lockdown
Query whether lockdown is enabled. Returns 0 if lockdown is
enabled, 1 otherwise.

Lockdown Whitelist Options
The lockdown whitelist can contain commands, contexts, users and user
ids.

If a command entry on the whitelist ends with an asterisk '*', then all
command lines starting with the command will match. If the '*' is not
there, the absolute command including its arguments must match.

Commands for user root and other users are not always the same. Example: as
root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd
is used on Fedora.

The context is the security (SELinux) context of a running application
or service. To get the context of a running application use ps -e
--context.

Warning: If the context is unconfined, then this will open access for
more than the desired application.

The lockdown whitelist entries are checked in the following order:
1. context
2. uid
3. user
4. command

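The matching rules and check order described above, modelled in Python as an added example (this is not firewalld's own code; every whitelist entry, path and SELinux context in it is a constructed sample):

```python
# Model of the documented lockdown whitelist check (added example, not
# firewalld's own code). All whitelist entries below are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class LockdownWhitelist:
    contexts: List[str] = field(default_factory=list)   # SELinux contexts
    uids: List[int] = field(default_factory=list)
    users: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)   # absolute cmdlines

    def command_matches(self, cmdline: str) -> bool:
        """'*' suffix: any command line starting with the entry matches;
        otherwise the absolute command including its arguments must match."""
        for entry in self.commands:
            if entry.endswith("*"):
                if cmdline.startswith(entry[:-1]):
                    return True
            elif cmdline == entry:
                return True
        return False

    def check(self, context: str, uid: int, user: str,
              cmdline: str) -> Optional[str]:
        """Return the entry class that admits the caller, checked in the
        documented order (context, uid, user, command), or None."""
        if context in self.contexts:
            return "context"
        if uid in self.uids:
            return "uid"
        if user in self.users:
            return "user"
        if self.command_matches(cmdline):
            return "command"
        return None

    def broad_contexts(self) -> List[str]:
        """Entries whose SELinux type is unconfined: per the warning above,
        such a context admits far more than the intended application."""
        return [c for c in self.contexts if "unconfined_t" in c.split(":")]

# Constructed sample whitelist; paths follow the Fedora example above.
SAMPLE = LockdownWhitelist(
    contexts=["system_u:system_r:virtd_t:s0-s0:c0.c1023"],
    uids=[0],
    users=["fwadmin"],
    commands=["/usr/bin/firewall-cmd*", "/usr/bin/python3 -Es /usr/bin/firewall-config"],
)
```

Note that a whitelist holding only "/usr/bin/firewall-cmd*" does not admit root's /bin/firewall-cmd on Fedora, which is the root-versus-user path difference the text warns about.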
--list-lockdown-whitelist-commands
List all command lines that are on the whitelist.

--add-lockdown-whitelist-command=command
Add the command to the whitelist.

--remove-lockdown-whitelist-command=command
Remove the command from the whitelist.

--query-lockdown-whitelist-command=command
Query whether the command is on the whitelist. Returns 0 if true, 1
otherwise.

--list-lockdown-whitelist-contexts
List all contexts that are on the whitelist.

--add-lockdown-whitelist-context=context
Add the context context to the whitelist.

--remove-lockdown-whitelist-context=context
Remove the context from the whitelist.

--query-lockdown-whitelist-context=context
Query whether the context is on the whitelist. Returns 0 if true, 1
otherwise.

--list-lockdown-whitelist-uids
List all user ids that are on the whitelist.

--add-lockdown-whitelist-uid=uid
Add the user id uid to the whitelist.

--remove-lockdown-whitelist-uid=uid
Remove the user id uid from the whitelist.

--query-lockdown-whitelist-uid=uid
Query whether the user id uid is on the whitelist. Returns 0 if
true, 1 otherwise.

--list-lockdown-whitelist-users
List all user names that are on the whitelist.

--add-lockdown-whitelist-user=user
Add the user name user to the whitelist.

--remove-lockdown-whitelist-user=user
Remove the user name user from the whitelist.

--query-lockdown-whitelist-user=user
Query whether the user name user is on the whitelist. Returns 0 if
true, 1 otherwise.

Policy Options
--policy-server
Change Polkit actions to 'server' (more restricted).

--policy-desktop
Change Polkit actions to 'desktop' (less restricted).

SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)

NOTES
firewalld home page:
http://firewalld.org

More documentation with examples:
http://fedoraproject.org/wiki/FirewallD

AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer

Jiri Popelka <jpopelka@redhat.com>
Developer

Eric Garver <eric@garver.life>
Developer

firewalld 1.0.5 FIREWALL-OFFLINE-C(1)