FIREWALLD.POLICY(5)            firewalld.policy            FIREWALLD.POLICY(5)

NAME

       firewalld.policy - firewalld policy configuration files

SYNOPSIS

       /etc/firewalld/policies/policy.xml

       /usr/lib/firewalld/policies/policy.xml


DESCRIPTION

       A firewalld policy configuration file contains the information for a
       policy: the policy description, services, ports, protocols,
       icmp-blocks, masquerade, forward-ports and rich language rules, in
       XML format. The file name has to be policy_name.xml, where the length
       of policy_name is currently limited to 17 characters.

       This is the structure of a policy configuration file:

           <?xml version="1.0" encoding="utf-8"?>
           <policy [version="versionstring"] [target="CONTINUE|ACCEPT|REJECT|DROP"] [priority="priority"]>
               [ <ingress-zone name="zone"/> ]
               [ <egress-zone name="zone"/> ]
               [ <short>short description</short> ]
               [ <description>description</description> ]
               [ <service name="string"/> ]
               [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
               [ <protocol value="protocol"/> ]
               [ <icmp-block name="string"/> ]
               [ <masquerade/> ]
               [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
               [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
               [
                   <rule [family="ipv4|ipv6"]>
                       [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
                       [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
                       [
                           <service name="string"/> |
                           <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                           <protocol value="protocol"/> |
                           <icmp-block name="icmptype"/> |
                           <icmp-type name="icmptype"/> |
                           <masquerade/> |
                           <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
                       ]
                       [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
                       [ <audit> [<limit value="rate/duration"/>] </audit> ]
                       [
                           <accept> [<limit value="rate/duration"/>] </accept> |
                           <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                           <drop> [<limit value="rate/duration"/>] </drop> |
                           <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
                       ]
                   </rule>
               ]
           </policy>

       The config can contain these tags and attributes. Some of them are
       mandatory, others optional.

   policy
       The mandatory policy start and end tag defines the policy. This tag can
       only be used once in a policy configuration file. There are optional
       attributes for policy:

       version="string"
           To give the policy a version.

       target="CONTINUE|ACCEPT|REJECT|DROP"
           Can be used to accept, reject or drop every packet that doesn't
           match any rule (port, service, etc.). CONTINUE is the default and
           is used for policies that are non-terminal.

   ingress-zone
       An optional element that can be used several times. It can be the name
       of a firewalld zone or one of the symbolic zones: HOST, ANY. See
       firewalld.policies(5) for information about symbolic zones.

   egress-zone
       An optional element that can be used several times. It can be the name
       of a firewalld zone or one of the symbolic zones: HOST, ANY. See
       firewalld.policies(5) for information about symbolic zones.

   short
       Is an optional start and end tag and is used to give a more readable
       name.

   description
       Is an optional start and end tag to have a description.

   service
       Is an optional empty-element tag and can be used several times to have
       more than one service entry enabled. A service entry has exactly one
       attribute:

       name="string"
           The name of the service to be enabled. To get a list of valid
           service names, firewall-cmd --get-services can be used.

   port
       Is an optional empty-element tag and can be used several times to have
       more than one port entry. All attributes of a port entry are mandatory:

       port="portid[-portid]"
           The port can either be a single port number portid or a port range
           portid-portid.

       protocol="tcp|udp|sctp|dccp"
           The protocol can either be tcp, udp, sctp or dccp.

   protocol
       Is an optional empty-element tag and can be used several times to have
       more than one protocol entry. Each protocol entry has exactly one
       attribute:

       value="string"
           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

   icmp-block
       Is an optional empty-element tag and can be used several times to have
       more than one icmp-block entry. Each icmp-block tag has exactly one
       mandatory attribute:

       name="string"
           The name of the Internet Control Message Protocol (ICMP) type to be
           blocked. To get a list of valid ICMP types, firewall-cmd
           --get-icmptypes can be used.

   tcp-mss-clamp
       Is an optional empty-element tag and can be used several times. If left
       empty, the maximum segment size is set to 'pmtu'. This tag has exactly
       one optional attribute:

       value="string"
           The value sets the maximum segment size either to 'pmtu' (Path
           Maximum Transmission Unit) or to a user-defined value that is
           greater than or equal to 536.

   masquerade
       Is an optional empty-element tag. It can be used only once. If it's
       present, masquerading is enabled.

   forward-port
       Is an optional empty-element tag and can be used several times to have
       more than one port or packet forward entry. There are mandatory and
       also optional attributes for forward ports:

       Mandatory attributes:
           The local port and protocol to be forwarded.

           port="portid[-portid]"
               The port can either be a single port number portid or a port
               range portid-portid.

           protocol="tcp|udp|sctp|dccp"
               The protocol can either be tcp, udp, sctp or dccp.

       Optional attributes:
           The destination of the forward. For local forwarding add to-port
           only. For remote forwarding add to-addr, and use to-port
           optionally if the destination port on the destination machine
           should be different.

           to-port="portid[-portid]"
               The destination port or port range to forward to. If omitted,
               the value of the port attribute is used, together with the
               to-addr attribute.

           to-addr="address"
               The destination IP address, either IPv4 or IPv6.

   source-port
       Is an optional empty-element tag and can be used several times to have
       more than one source port entry. All attributes of a source port entry
       are mandatory:

       port="portid[-portid]"
           The port can either be a single port number portid or a port range
           portid-portid.

       protocol="tcp|udp|sctp|dccp"
           The protocol can either be tcp, udp, sctp or dccp.

   rule
       Is an optional element tag and can be used several times to have more
       than one rich language rule entry.

       The general rule structure:

           <rule [family="ipv4|ipv6"]>
               [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
               [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
               [
                   <service name="string"/> |
                   <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
                   <protocol value="protocol"/> |
                   <icmp-block name="icmptype"/> |
                   <icmp-type name="icmptype"/> |
                   <masquerade/> |
                   <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
                   <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
               ]
               [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
               [ <audit> [<limit value="rate/duration"/>] </audit> ]
               [
                   <accept> [<limit value="rate/duration"/>] </accept> |
                   <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
                   <drop> [<limit value="rate/duration"/>] </drop> |
                   <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
               ]
           </rule>

       Rule structure for source black or white listing:

           <rule [family="ipv4|ipv6"]>
               <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/>
               [ <log [prefix="prefixtext"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> ]
               [ <audit> [<limit value="rate/duration"/>] </audit> ]
               <accept> [<limit value="rate/duration"/>] </accept> |
               <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
               <drop> [<limit value="rate/duration"/>] </drop>
           </rule>

       For a full description of rich language rules, please have a look at
       firewalld.richlanguage(5).
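
       The constraints this page states (the 17-character policy_name limit,
       the target values, port ranges and protocol names, log levels, the
       tcp-mss-clamp minimum, masquerade used at most once, and the
       one-match/one-action shape of a rich rule) can be checked before a
       file is placed in /etc/firewalld/policies. The linter below is an
       added example written for this page, not firewalld's own code; the
       two policies it checks are constructed samples. It validates only the
       shape documented here and does not consult firewall-cmd, so service
       and ICMP type names are not verified. The warning for target="ACCEPT"
       combined with ingress-zone ANY is the linter's own posture heuristic
       (such a terminal policy accepts every unmatched packet from every
       zone), not a rule of the file format.

```python
"""Lint firewalld policy files against the shape documented in firewalld.policy(5).
Added example for this page, not firewalld's own code: it does not consult
firewall-cmd, so service and ICMP type names are not verified."""
import re
import xml.etree.ElementTree as ET

POLICY_NAME_MAX = 17  # "length of policy_name is currently limited to 17 chars"
TARGETS = {"CONTINUE", "ACCEPT", "REJECT", "DROP"}
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
LOG_LEVELS = {"emerg", "alert", "crit", "err", "warn", "notice", "info", "debug"}
RULE_MATCHES = {"service", "port", "protocol", "icmp-block", "icmp-type",
                "masquerade", "forward-port", "source-port"}
RULE_ACTIONS = {"accept", "reject", "drop", "mark"}


def valid_port(value):
    """Accept 'portid' or 'portid-portid' with 1 <= low <= high <= 65535."""
    m = re.fullmatch(r"(\d+)(?:-(\d+))?", value or "")
    if not m:
        return False
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    return 1 <= low <= high <= 65535


def lint_port_attrs(where, el):
    """Checks shared by <port>, <source-port> and <forward-port>."""
    problems = []
    if not valid_port(el.get("port")):
        problems.append(f"{where}: bad port {el.get('port')!r}")
    if el.get("protocol") not in PROTOCOLS:
        problems.append(f"{where}: bad protocol {el.get('protocol')!r}")
    if "to-port" in el.attrib and not valid_port(el.get("to-port")):
        problems.append(f"{where}: bad to-port {el.get('to-port')!r}")
    return problems


def lint_rule(rule):
    """One <rule>: at most one match element and at most one action element."""
    problems = []
    tags = [child.tag for child in rule]
    if sum(t in RULE_MATCHES for t in tags) > 1:
        problems.append("rule: more than one match element")
    if sum(t in RULE_ACTIONS for t in tags) > 1:
        problems.append("rule: more than one action element")
    for log in rule.findall("log"):
        if "level" in log.attrib and log.get("level") not in LOG_LEVELS:
            problems.append(f"rule: bad log level {log.get('level')!r}")
    for el in rule:
        if el.tag in ("port", "source-port", "forward-port"):
            problems += lint_port_attrs(f"rule/{el.tag}", el)
    return problems


def lint_policy(filename, xml_text):
    """Return the list of problems found; an empty list means the file passed."""
    problems = []
    name, _, ext = filename.rpartition(".")
    if ext != "xml" or not name or len(name) > POLICY_NAME_MAX:
        problems.append(f"{filename}: must be policy_name.xml with at most "
                        f"{POLICY_NAME_MAX} chars in policy_name")
    root = ET.fromstring(xml_text)
    if root.tag != "policy":
        return problems + [f"{filename}: root element is <{root.tag}>, not <policy>"]
    target = root.get("target", "CONTINUE")
    if target not in TARGETS:
        problems.append(f"{filename}: bad target {target!r}")
    # Linter heuristic, not a format rule: terminal ACCEPT from ANY accepts everything unmatched.
    ingress = {z.get("name") for z in root.findall("ingress-zone")}
    if target == "ACCEPT" and "ANY" in ingress:
        problems.append(f"{filename}: target=ACCEPT with ingress-zone ANY accepts all unmatched traffic")
    if len(root.findall("masquerade")) > 1:
        problems.append(f"{filename}: <masquerade/> may be used only once")
    for el in root:
        if el.tag in ("port", "source-port", "forward-port"):
            problems += lint_port_attrs(f"{filename}/{el.tag}", el)
        elif el.tag == "tcp-mss-clamp":
            value = el.get("value", "pmtu")
            if value != "pmtu" and not (value.isdigit() and int(value) >= 536):
                problems.append(f"{filename}: tcp-mss-clamp value must be 'pmtu' or >= 536")
        elif el.tag == "rule":
            problems += [f"{filename}: {p}" for p in lint_rule(el)]
    return problems


# Constructed sample: internal zone to external zone with masquerading and a
# logged, rate-limited accept for one subnet.
GOOD_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policy target="REJECT">
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>
  <short>LAN to WAN</short>
  <service name="https"/>
  <masquerade/>
  <rule family="ipv4">
    <source address="10.0.1.0/24"/>
    <port port="8443" protocol="tcp"/>
    <log prefix="lan-wan " level="info"><limit value="5/m"/></log>
    <accept/>
  </rule>
</policy>"""

# Constructed sample carrying defects the linter should report.
BAD_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT">
  <ingress-zone name="ANY"/>
  <port port="70000-80000" protocol="tcp"/>
  <tcp-mss-clamp value="100"/>
  <rule>
    <service name="ssh"/>
    <port port="22" protocol="udp"/>
    <log level="loud"/>
    <accept/><drop/>
  </rule>
</policy>"""

if __name__ == "__main__":
    print(lint_policy("lan-to-wan.xml", GOOD_POLICY))
    print(*lint_policy("a-much-too-long-policy-name.xml", BAD_POLICY), sep="\n")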

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)


NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD


AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 1.0.5                                            FIREWALLD.POLICY(5)