FIREWALL-OFFLINE-C(1) firewall-offline-cmd FIREWALL-OFFLINE-C(1)

NAME
firewall-offline-cmd - firewalld offline command line client

SYNOPSIS
firewall-offline-cmd [OPTIONS...]

DESCRIPTION
firewall-offline-cmd is an offline command line client of the firewalld
daemon. It should be used only if the firewalld service is not running,
for example to migrate from system-config-firewall/lokkit, or in the
install environment to configure firewall settings with kickstart.

Some lokkit options cannot be converted automatically for firewalld;
they result in an error or warning message. This tool converts as much
as possible, but there are limitations, for example with custom rules,
modules and masquerading.

Check the firewall configuration after using this tool.

OPTIONS
If no options are given, the configuration from
/etc/sysconfig/system-config-firewall will be migrated.

Sequence options are options that can be specified multiple times. For
them the exit code is 0 if at least one item succeeded. The
ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors
are treated as succeeded. Issues while parsing the items are treated as
warnings and do not change the result as long as one item succeeded.
Without any succeeded item, the exit code depends on the error codes: if
there is exactly one error code, it is used; if there is more than one,
UNKNOWN_ERROR (254) is used.
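
A consequence of this rule is that a single invocation adding several
services exits 0 even when one of them was rejected. The script below
(an added example, not part of this man page or of firewalld) applies
each item in its own invocation and applies the same success rule per
item, so a rejected item is reported instead of hidden; FWCMD is an
assumed hook for pointing at the tool's path.

```sh
#!/bin/sh
# Added example, not part of the firewalld man page. Adds services one
# invocation each, so a failing item is not masked by a sibling that
# succeeded (a sequence option exits 0 if any one item succeeded).
# FWCMD is an assumed override hook; it defaults to the real tool.
FWCMD="${FWCMD:-firewall-offline-cmd}"

# is_ok_code CODE: returns 0 when CODE counts as success for a sequence
# option: 0, ALREADY_ENABLED (11), NOT_ENABLED (12), ZONE_ALREADY_SET (16).
is_ok_code() {
    case "$1" in
        0|11|12|16) return 0 ;;
        *)          return 1 ;;
    esac
}

# apply_services ZONE SERVICE...: one call per service. Prints every
# service that failed together with its exit code, one per line, and
# returns 1 if any item failed, 0 otherwise.
apply_services() {
    zone=$1
    shift
    failed=0
    for svc in "$@"; do
        if "$FWCMD" --quiet --zone="$zone" --add-service="$svc"; then
            rc=0
        else
            rc=$?
        fi
        if ! is_ok_code "$rc"; then
            printf '%s rc=%s\n' "$svc" "$rc"
            failed=1
        fi
    done
    return "$failed"
}

# Usage in a kickstart %post or migration script:
#   apply_services public ssh https || exit 1
```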

The following options are supported:

General Options
-h, --help
Prints a short help text and exits.

-V, --version
Prints the version string of firewalld and exits.

-q, --quiet
Do not print status messages.

--default-config
Path to the firewalld default configuration. This usually defaults to
/usr/lib/firewalld.

--system-config
Path to the firewalld system (user) configuration. This usually
defaults to /etc/firewalld.

Status Options
--enabled
Enable the firewall. This is the default and will activate the
firewall if it is not already enabled, as long as the option
--disabled is not given.

--disabled
Disable the firewall by disabling the firewalld service.

--check-config
Run checks on the permanent (default and system) configuration.
This includes XML validity and semantics.

This may be used with --system-config to check the validity of
handwritten configuration files before copying them to the standard
location.
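
A staging workflow built on this option (an added example, not part of
this man page or of firewalld): the handwritten files are checked in a
staging directory and copied into place only if --check-config passes.
FWCMD, STAGE and DEST are names assumed here.

```sh
#!/bin/sh
# Added example, not part of the firewalld man page. Validates a directory
# of handwritten firewalld configuration with --check-config before it is
# installed as the permanent system configuration. FWCMD is an assumed
# override hook; STAGE and DEST are the caller's directories.
FWCMD="${FWCMD:-firewall-offline-cmd}"

# check_staged STAGE: run the XML validity and semantic checks on STAGE
# as if it were the system configuration. Returns the tool's exit code.
check_staged() {
    "$FWCMD" --quiet --system-config="$1" --check-config
}

# install_staged STAGE DEST: copy STAGE into DEST only when check_staged
# passes, keeping a timestamped backup of the previous DEST contents.
# Returns 0 on install, 2 if the checks failed (DEST is left untouched).
install_staged() {
    stage=$1
    dest=$2
    if ! check_staged "$stage"; then
        return 2
    fi
    if [ -d "$dest" ]; then
        backup="$dest.bak.$(date +%Y%m%d%H%M%S)"
        cp -a "$dest" "$backup"
    fi
    mkdir -p "$dest"
    cp -a "$stage"/. "$dest"/
    return 0
}

# Usage: install_staged /root/fw-staging /etc/firewalld || exit 1
```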

--reset-to-defaults
Reset the configuration to firewalld's default configuration.

Lokkit Compatibility Options
These options are nearly identical to the options of lokkit.

--migrate-system-config-firewall=file
Migrate system-config-firewall configuration from the given file.
No further

--addmodule=module
This option will result in a warning message and will be ignored.

Handling of netfilter helpers has been merged into services
completely. Adding or removing netfilter helpers outside of
services is therefore not needed anymore. For more information on
handling netfilter helpers in services, please have a look at
firewalld.zone(5).

--removemodule=module
This option will result in a warning message and will be ignored.

Handling of netfilter helpers has been merged into services
completely. Adding or removing netfilter helpers outside of
services is therefore not needed anymore. For more information on
handling netfilter helpers in services, please have a look at
firewalld.zone(5).

--remove-service=service
Remove a service from the default zone. This option can be
specified multiple times.

The service is one of the firewalld provided services. To get a
list of the supported services, use firewall-cmd --get-services.

-s service, --service=service
Add a service to the default zone. This option can be specified
multiple times.

The service is one of the firewalld provided services. To get a
list of the supported services, use firewall-cmd --get-services.

-p portid[-portid]:protocol, --port=portid[-portid]:protocol
Add the port to the default zone. This option can be specified
multiple times.

The port can either be a single port number or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.

-t interface, --trust=interface
This option will result in a warning message.

Mark an interface as trusted. This option can be specified multiple
times. The interface will be bound to the trusted zone.

If the interface is used in a NetworkManager managed connection or
if there is an ifcfg file for this interface, the zone will be
changed to the zone defined in that configuration as soon as it gets
activated. To change the zone of a connection, use
nm-connection-editor and set the zone to trusted; for an ifcfg
file, use an editor and add "ZONE=trusted". If the zone is not
defined in the ifcfg file, the firewalld default zone will be used.

-m interface, --masq=interface
This option will result in a warning message.

Masquerading will be enabled in the default zone. The interface
argument will be ignored. This is for IPv4 only.

--custom-rules=[type:][table:]filename
This option will result in a warning message and will be ignored.

Custom rule files are not supported by firewalld.

--forward-port=if=interface:port=port:proto=protocol[:toport=destination port][:toaddr=destination address]
This option will result in a warning message.

Add the IPv4 forward port in the default zone. This option can be
specified multiple times.

The port can either be a single port number portid or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.
The destination address is an IP address.

--block-icmp=icmptype
This option will result in a warning message.

Add an ICMP block for icmptype in the default zone. This option can
be specified multiple times.

The icmptype is one of the ICMP types firewalld supports. To get a
list of the supported ICMP types, use firewall-cmd --get-icmptypes.

Log Denied Options
--get-log-denied
Print the log denied setting.

--set-log-denied=value
Add logging rules right before the reject and drop rules in the INPUT,
FORWARD and OUTPUT chains for the default rules, and also before the
final reject and drop rules in zones, for the configured link-layer
packet type. The possible values are: all, unicast, broadcast,
multicast and off. The default setting is off, which disables the
logging.

This is a runtime and permanent change and will also reload the
firewall to be able to add the logging rules.

Zone Options
--get-default-zone
Print the default zone for connections and interfaces.

--set-default-zone=zone
Set the default zone for connections and interfaces where no zone has
been selected. Setting the default zone changes the zone for the
connections or interfaces that are using the default zone.

--get-zones
Print predefined zones as a space separated list.

--get-services
Print predefined services as a space separated list.

--get-icmptypes
Print predefined icmptypes as a space separated list.

--get-zone-of-interface=interface
Print the name of the zone the interface is bound to, or no zone.

--get-zone-of-source=source[/mask]|MAC|ipset:ipset
Print the name of the zone the source is bound to, or no zone.

--info-zone=zone
Print information about the zone zone. The output format is:

zone
  interfaces: interface1 ..
  sources: source1 ..
  services: service1 ..
  ports: port1 ..
  protocols: protocol1 ..
  forward-ports:
    forward-port1
    ..
  source-ports: source-port1 ..
  icmp-blocks: icmp-type1 ..
  rich rules:
    rich-rule1
    ..

--list-all-zones
List everything added for or enabled in all zones. The output
format is:

zone1
  interfaces: interface1 ..
  sources: source1 ..
  services: service1 ..
  ports: port1 ..
  protocols: protocol1 ..
  forward-ports:
    forward-port1
    ..
  source-ports: source-port1 ..
  icmp-blocks: icmp-type1 ..
  rich rules:
    rich-rule1
    ..
..

--new-zone=zone
Add a new permanent zone.

Zone names must be alphanumeric and may additionally include the
characters '_' and '-'.

--new-zone-from-file=filename [--name=zone]
Add a new permanent zone from a prepared zone file with an optional
name override.

--path-zone=zone
Print the path of the zone configuration file.

--delete-zone=zone
Delete an existing permanent zone.

Policy Options
--get-policies
Print predefined policies as a space separated list.

--info-policy=policy
Print information about the policy policy.

--list-all-policies
List everything added for or enabled in all policies.

--new-policy=policy
Add a new permanent policy.

Policy names must be alphanumeric and may additionally include the
characters '_' and '-'.

--new-policy-from-file=filename [--name=policy]
Add a new permanent policy from a prepared policy file with an
optional name override.

--path-policy=policy
Print the path of the policy configuration file.

--delete-policy=policy
Delete an existing permanent policy.

--load-policy-defaults=policy
Load the shipped defaults for a policy. This only applies to policies
shipped with firewalld; it does not apply to user defined policies.

Options to Adapt and Query Zones and Policies
Options in this section affect only one particular zone or policy. If
used with the --zone=zone or --policy=policy option, they affect the
specified zone or policy. If both options are omitted, they affect the
default zone (see --get-default-zone).

[--zone=zone] [--policy=policy] --list-all
List everything added or enabled.

[--zone=zone] [--policy=policy] --get-target
Get the target.

[--zone=zone] [--policy=policy] --set-target=target
Set the target.

For zones, target is one of: default, ACCEPT, DROP, REJECT

For policies, target is one of: CONTINUE, ACCEPT, DROP, REJECT

default is similar to REJECT, but it implicitly allows ICMP
packets.

[--zone=zone] [--policy=policy] --set-description=description
Set the description.

[--zone=zone] [--policy=policy] --get-description
Print the description.

[--zone=zone] [--policy=policy] --set-short=description
Set the short description.

[--zone=zone] [--policy=policy] --get-short
Print the short description.

[--zone=zone] [--policy=policy] --list-services
List services added as a space separated list.

[--zone=zone] [--policy=policy] --add-service=service
Add a service. This option can be specified multiple times.

The service is one of the firewalld provided services. To get a
list of the supported services, use firewall-cmd --get-services.

Note: Some services define connection tracking helpers. Helpers
that may operate in client mode (e.g. tftp) must be added to an
outbound policy instead of a zone to take effect for clients.
Otherwise the helper will not be applied to the outbound traffic.
The related traffic, as defined by the connection tracking helper,
on the return path (ingress) will be allowed by the stateful
firewall rules.

An example of an outbound policy for connection tracking helpers:

# firewall-cmd --new-policy clientConntrack
# firewall-cmd --policy clientConntrack --add-ingress-zone HOST
# firewall-cmd --policy clientConntrack --add-egress-zone ANY
# firewall-cmd --policy clientConntrack --add-service tftp

[--zone=zone] --remove-service-from-zone=service
Remove a service from the zone. This option can be specified multiple
times. If zone is omitted, the default zone will be used.

[--policy=policy] --remove-service-from-policy=service
Remove a service from the policy. This option can be specified
multiple times.

[--zone=zone] [--policy=policy] --query-service=service
Return whether the service has been added. Returns 0 if true, 1
otherwise.

[--zone=zone] [--policy=policy] --list-ports
List ports added as a space separated list. A port is of the form
portid[-portid]/protocol; it can be either a port and protocol pair
or a port range with a protocol.

[--zone=zone] [--policy=policy] --add-port=portid[-portid]/protocol
Add the port. This option can be specified multiple times.

The port can either be a single port number or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.

[--zone=zone] [--policy=policy] --remove-port=portid[-portid]/protocol
Remove the port. This option can be specified multiple times.

[--zone=zone] [--policy=policy] --query-port=portid[-portid]/protocol
Return whether the port has been added. Returns 0 if true, 1
otherwise.

[--zone=zone] [--policy=policy] --list-protocols
List protocols added as a space separated list.

[--zone=zone] [--policy=policy] --add-protocol=protocol
Add the protocol. This option can be specified multiple times.

The protocol can be any protocol supported by the system. Please
have a look at /etc/protocols for supported protocols.

[--zone=zone] [--policy=policy] --remove-protocol=protocol
Remove the protocol. This option can be specified multiple times.

[--zone=zone] [--policy=policy] --query-protocol=protocol
Return whether the protocol has been added. Returns 0 if true, 1
otherwise.

[--zone=zone] [--policy=policy] --list-icmp-blocks
List Internet Control Message Protocol (ICMP) type blocks added as
a space separated list.

[--zone=zone] [--policy=policy] --add-icmp-block=icmptype
Add an ICMP block for icmptype. This option can be specified
multiple times.

The icmptype is one of the ICMP types firewalld supports. To get a
list of the supported ICMP types, use firewall-cmd --get-icmptypes.

[--zone=zone] [--policy=policy] --remove-icmp-block=icmptype
Remove the ICMP block for icmptype. This option can be specified
multiple times.

[--zone=zone] [--policy=policy] --query-icmp-block=icmptype
Return whether an ICMP block for icmptype has been added. Returns 0
if true, 1 otherwise.

[--zone=zone] [--policy=policy] --list-forward-ports
List IPv4 forward ports added as a space separated list.

For IPv6 forward ports, please use the rich language.

[--zone=zone] [--policy=policy] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Add the IPv4 forward port. This option can be specified multiple
times.

The port can either be a single port number portid or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.
The destination address is a simple IP address.

For IPv6 forward ports, please use the rich language.

Note: IP forwarding will be implicitly enabled if toaddr is
specified.

[--zone=zone] [--policy=policy] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Remove the IPv4 forward port. This option can be specified multiple
times.

For IPv6 forward ports, please use the rich language.

[--zone=zone] [--policy=policy] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Return whether the IPv4 forward port has been added. Returns 0 if
true, 1 otherwise.

For IPv6 forward ports, please use the rich language.

[--zone=zone] [--policy=policy] --list-source-ports
List source ports added as a space separated list. A port is of the
form portid[-portid]/protocol.

[--zone=zone] [--policy=policy] --add-source-port=portid[-portid]/protocol
Add the source port. This option can be specified multiple times.

The port can either be a single port number or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.

[--zone=zone] [--policy=policy] --remove-source-port=portid[-portid]/protocol
Remove the source port. This option can be specified multiple
times.

[--zone=zone] [--policy=policy] --query-source-port=portid[-portid]/protocol
Return whether the source port has been added. Returns 0 if true, 1
otherwise.

[--zone=zone] [--policy=policy] --add-masquerade
Enable IPv4 masquerade. Masquerading is useful if the machine is a
router and machines connected over an interface in another zone
should be able to use the first connection.

For IPv6 masquerading, please use the rich language.

Note: IP forwarding will be implicitly enabled.

[--zone=zone] [--policy=policy] --remove-masquerade
Disable IPv4 masquerade.

For IPv6 masquerading, please use the rich language.

[--zone=zone] [--policy=policy] --query-masquerade
Return whether IPv4 masquerading has been enabled. Returns 0 if
true, 1 otherwise.

For IPv6 masquerading, please use the rich language.

[--zone=zone] [--policy=policy] --list-rich-rules
List rich language rules added as a newline separated list.

[--zone=zone] [--policy=policy] --add-rich-rule='rule'
Add the rich language rule 'rule'. This option can be specified
multiple times.

For the rich language rule syntax, please have a look at
firewalld.richlanguage(5).

[--zone=zone] [--policy=policy] --remove-rich-rule='rule'
Remove the rich language rule 'rule'. This option can be specified
multiple times.

For the rich language rule syntax, please have a look at
firewalld.richlanguage(5).

[--zone=zone] [--policy=policy] --query-rich-rule='rule'
Return whether the rich language rule 'rule' has been added. Returns
0 if true, 1 otherwise.

For the rich language rule syntax, please have a look at
firewalld.richlanguage(5).

Options to Adapt and Query Zones
Options in this section affect only one particular zone. If used with
the --zone=zone option, they affect the specified zone. If the option
is omitted, they affect the default zone (see --get-default-zone).

[--zone=zone] --add-icmp-block-inversion
Enable ICMP block inversion.

[--zone=zone] --remove-icmp-block-inversion
Disable ICMP block inversion.

[--zone=zone] --query-icmp-block-inversion
Return whether ICMP block inversion is enabled. Returns 0 if true,
1 otherwise.

[--zone=zone] --add-forward
Enable intra-zone forwarding.

[--zone=zone] --remove-forward
Disable intra-zone forwarding.

[--zone=zone] --query-forward
Return whether intra-zone forwarding is enabled. Returns 0 if true,
1 otherwise.

Options to Adapt and Query Policies
Options in this section affect only one particular policy. It is
required to specify --policy=policy with these options.

--policy=policy --get-priority
Get the priority.

--policy=policy --set-priority=priority
Set the priority. The priority determines the relative ordering of
policies. This is an integer value between -32768 and 32767, where
-1 is the default value for new policies and 0 is reserved for
internal use.

If the priority is < 0, the policy's rules will execute before
all rules in all zones.

If the priority is > 0, the policy's rules will execute after
all rules in all zones.

--policy=policy --list-ingress-zones
List ingress zones added as a space separated list.

--policy=policy --add-ingress-zone=zone
Add an ingress zone. This option can be specified multiple times.

The ingress zone is one of the firewalld provided zones or one of
the pseudo-zones: HOST, ANY.

HOST is used for traffic originating from the host machine, i.e.
the host running firewalld.

ANY is used for traffic originating from any zone. This can be
thought of as a wild card for zones. However, it does not include
traffic originating from the host machine; use HOST for that.

--policy=policy --remove-ingress-zone=zone
Remove an ingress zone. This option can be specified multiple
times.

--policy=policy --query-ingress-zone=zone
Return whether the zone has been added. Returns 0 if true, 1
otherwise.

--policy=policy --list-egress-zones
List egress zones added as a space separated list.

--policy=policy --add-egress-zone=zone
Add an egress zone. This option can be specified multiple times.

The egress zone is one of the firewalld provided zones or one of
the pseudo-zones: HOST, ANY.

For clarification on HOST and ANY see option --add-ingress-zone.

--policy=policy --remove-egress-zone=zone
Remove an egress zone. This option can be specified multiple times.

--policy=policy --query-egress-zone=zone
Return whether the zone has been added. Returns 0 if true, 1
otherwise.

Options to Handle Bindings of Interfaces
Binding an interface to a zone means that this zone's settings are used
to restrict traffic via the interface.

Options in this section affect only one particular zone. If used with
the --zone=zone option, they affect the zone zone. If the option is
omitted, they affect the default zone (see --get-default-zone).

For a list of predefined zones use firewall-cmd --get-zones.

An interface name is a string of up to 16 characters that may not
contain ' ', '/', '!' or '*'.

[--zone=zone] --list-interfaces
List interfaces that are bound to zone zone as a space separated
list. If zone is omitted, the default zone will be used.

[--zone=zone] --add-interface=interface
Bind interface interface to zone zone. If zone is omitted, the
default zone will be used.

[--zone=zone] --change-interface=interface
Change the zone that interface interface is bound to, to zone zone.
If zone is omitted, the default zone will be used. If the old and new
zone are the same, the call will be ignored without an error. If the
interface has not been bound to a zone before, it will behave like
--add-interface.

[--zone=zone] --query-interface=interface
Query whether interface interface is bound to zone zone. Returns 0
if true, 1 otherwise.

[--zone=zone] --remove-interface=interface
Remove the binding of interface interface from zone zone. If zone is
omitted, the default zone will be used.

Options to Handle Bindings of Sources
Binding a source to a zone means that this zone's settings will be used
to restrict traffic from this source.

A source address or address range is either an IP address or a network
IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
with the ipset: prefix. For IPv4, the mask can be a network mask or a
plain number. For IPv6 the mask is a plain number. The use of host
names is not supported.

Options in this section affect only one particular zone. If used with
the --zone=zone option, they affect the zone zone. If the option is
omitted, they affect the default zone (see --get-default-zone).

For a list of predefined zones use firewall-cmd --get-zones.

[--zone=zone] --list-sources
List sources that are bound to zone zone as a space separated list.
If zone is omitted, the default zone will be used.

[--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
Bind the source to zone zone. If zone is omitted, the default zone
will be used.

[--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
Change the zone that the source is bound to, to zone zone. If zone is
omitted, the default zone will be used. If the old and new zone are
the same, the call will be ignored without an error. If the source
has not been bound to a zone before, it will behave like --add-source.

[--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
Query whether the source is bound to the zone zone. Returns 0 if
true, 1 otherwise.

[--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
Remove the binding of the source from zone zone. If zone is omitted,
the default zone will be used.

IPSet Options
--new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
Add a new permanent ipset, specifying the type and optional
options.

ipset names must be alphanumeric and may additionally include the
characters '_' and '-'.

--new-ipset-from-file=filename [--name=ipset]
Add a new permanent ipset from a prepared ipset file with an
optional name override.

--delete-ipset=ipset
Delete an existing permanent ipset.

--info-ipset=ipset
Print information about the ipset ipset. The output format is:

ipset
  type: type
  options: option1[=value1] ..
  entries: entry1 ..

--get-ipsets
Print predefined ipsets as a space separated list.

--ipset=ipset --add-entry=entry
Add a new entry to the ipset.

--ipset=ipset --remove-entry=entry
Remove an entry from the ipset.

--ipset=ipset --query-entry=entry
Return whether the entry has been added to the ipset. Returns 0 if
true, 1 otherwise.

--ipset=ipset --get-entries
List all entries of the ipset.

--ipset=ipset --add-entries-from-file=filename
Add new entries to the ipset from the file. For all entries that
are listed in the file but already in the ipset, a warning will be
printed.

The file should contain one entry per line. Lines starting with a
hash or semicolon are ignored, as are empty lines.

--ipset=ipset --remove-entries-from-file=filename
Remove existing entries from the ipset from the file. For all
entries that are listed in the file but not in the ipset, a warning
will be printed.

The file should contain one entry per line. Lines starting with a
hash or semicolon are ignored, as are empty lines.
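
An added example (not part of this man page or of firewalld) that
pre-checks an entries file against the rules above before it is handed
to --add-entries-from-file or --remove-entries-from-file: it applies the
same comment and blank-line rules and rejects lines that are not IPv4
addresses or networks, since host names are not supported. It assumes
an IPv4 hash:net style ipset.

```sh
#!/bin/sh
# Added example, not part of the firewalld man page. Checks an ipset
# entries file: one entry per line, lines starting with '#' or ';' and
# empty lines are ignored, everything else must be an IPv4 address or
# IPv4 network (assumes an IPv4 hash:net style ipset).

# valid_ipv4_net ENTRY: returns 0 for a.b.c.d or a.b.c.d/len (len 0..32).
valid_ipv4_net() {
    entry=$1
    case "$entry" in
        */*) addr=${entry%%/*}; len=${entry#*/} ;;
        *)   addr=$entry;       len=32 ;;
    esac
    case "$len" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$len" -le 32 ] || return 1
    # Split the address on dots; globbing is disabled while doing so.
    old_ifs=$IFS
    IFS=.
    set -f
    set -- $addr
    set +f
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "${#octet}" -le 3 ] || return 1
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_entries_file FILE: prints each invalid entry, one per line, and
# returns 1 if any was found, 0 if every non-ignored line is valid.
check_entries_file() {
    bad=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|"#"*|";"*) continue ;;   # ignored, as the tool does
        esac
        if ! valid_ipv4_net "$line"; then
            printf '%s\n' "$line"
            bad=1
        fi
    done < "$1"
    return "$bad"
}

# Usage: check_entries_file blocklist.txt &&
#   firewall-offline-cmd --ipset=blocklist --add-entries-from-file=blocklist.txt
```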
735
736 --ipset=ipset --set-description=description
737 Set new description to ipset
738
739 --ipset=ipset --get-description
740 Print description for ipset
741
742 --ipset=ipset --set-short=description
743 Set new short description to ipset
744
745 --ipset=ipset --get-short
746 Print short description for ipset
747
748 --path-ipset=ipset
749 Print path of the ipset configuration file.
750
751 Service Options
752 --info-service=service
753 Print information about the service service. The output format is:
754
755 service
756 ports: port1 ..
757 protocols: protocol1 ..
758 source-ports: source-port1 ..
759 helpers: helper1 ..
760 destination: ipv1:address1 ..
761
762
763
764 --new-service=service
765 Add a new permanent service.
766
767 Service names must be alphanumeric and may additionally include
768 characters: '_' and '-'.
769
770 --new-service-from-file=filename [--name=service]
771 Add a new permanent service from a prepared service file with an
772 optional name override.
773
774 --delete-service=service
775 Delete an existing permanent service.
776
777 --path-service=service
778 Print path of the service configuration file.
779
780 --service=service --set-description=description
781 Set new description to service
782
783 --service=service --get-description
784 Print description for service
785
786 --service=service --set-short=description
787 Set short description to service
788
789 --service=service --get-short
790 Print short description for service
791
792 --service=service --add-port=portid[-portid]/protocol
793 Add a new port to the permanent service.
794
795 --service=service --remove-port=portid[-portid]/protocol
796 Remove a port from the permanent service.
797
798 --service=service --query-port=portid[-portid]/protocol
799 Return whether the port has been added to the permanent service.
800
801 --service=service --get-ports
802 List ports added to the permanent service.
803
804 --service=service --add-protocol=protocol
805 Add a new protocol to the permanent service.
806
807 --service=service --remove-protocol=protocol
808 Remove a protocol from the permanent service.
809
810 --service=service --query-protocol=protocol
811 Return whether the protocol has been added to the permanent
812 service.
813
814 --service=service --get-protocols
815 List protocols added to the permanent service.
816
817 --service=service --add-source-port=portid[-portid]/protocol
818 Add a new source port to the permanent service.
819
820 --service=service --remove-source-port=portid[-portid]/protocol
821 Remove a source port from the permanent service.
822
823 --service=service --query-source-port=portid[-portid]/protocol
824 Return whether the source port has been added to the permanent
825 service.
826
827 --service=service --get-source-ports
828 List source ports added to the permanent service.
829
830 --service=service --add-helper=helper
831 Add a new helper to the permanent service.
832
833 --service=service --remove-helper=helper
834 Remove a helper from the permanent service.
835
836 --service=service --query-helper=helper
837 Return whether the helper has been added to the permanent service.
838
839 --service=service --get-service-helpers
840 List helpers added to the permanent service.
841
842 --service=service --set-destination=ipv:address[/mask]
843 Set destination for ipv to address[/mask] in the permanent service.
844
845 --service=service --remove-destination=ipv
846 Remove the destination for ipv from the permanent service.
847
848 --service=service --query-destination=ipv:address[/mask]
849 Return whether the destination ipv to address[/mask] has been set
850 in the permanent service.
851
852 --service=service --get-destinations
853 List destinations added to the permanent service.
854
855 --service=service --add-include=service
856 Add a new include to the permanent service.
857
858 --service=service --remove-include=service
859 Remove a include from the permanent service.
860
861 --service=service --query-include=service
862 Return whether the include has been added to the permanent service.
863
864 --service=service --get-includes
865 List includes added to the permanent service.
866
Helper Options
    Options in this section affect only one particular helper.

    --info-helper=helper
        Print information about the helper helper. The output format is:

            helper
              family: family
              module: module
              ports: port1 ..

    The following options are only usable in the permanent configuration.

    --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
        Add a new permanent helper with module and optionally family
        defined.

        Helper names must be alphanumeric and may additionally include
        characters: '-'.

    --new-helper-from-file=filename [--name=helper]
        Add a new permanent helper from a prepared helper file with an
        optional name override.

    --delete-helper=helper
        Delete an existing permanent helper.

    --load-helper-defaults=helper
        Load helper default settings or report NO_DEFAULTS error.

    --path-helper=helper
        Print path of the helper configuration file.

    --get-helpers
        Print predefined helpers as a space separated list.

    --helper=helper --set-description=description
        Set new description to helper.

    --helper=helper --get-description
        Print description for helper.

    --helper=helper --set-short=description
        Set short description to helper.

    --helper=helper --get-short
        Print short description for helper.

    --helper=helper --add-port=portid[-portid]/protocol
        Add a new port to the permanent helper.

    --helper=helper --remove-port=portid[-portid]/protocol
        Remove a port from the permanent helper.

    --helper=helper --query-port=portid[-portid]/protocol
        Return whether the port has been added to the permanent helper.

    --helper=helper --get-ports
        List ports added to the permanent helper.

    --helper=helper --set-module=nf_conntrack_module
        Set the conntrack module for helper.

    --helper=helper --get-module
        Print the conntrack module of helper.

    --helper=helper --set-family=ipv4|ipv6
        Set the family for helper.

    --helper=helper --get-family
        Print the family of helper.
Internet Control Message Protocol (ICMP) type Options
    --info-icmptype=icmptype
        Print information about the icmptype icmptype. The output format
        is:

            icmptype
              destination: ipv1 ..

    --new-icmptype=icmptype
        Add a new permanent icmptype.

        ICMP type names must be alphanumeric and may additionally include
        characters: '_' and '-'.

    --new-icmptype-from-file=filename [--name=icmptype]
        Add a new permanent icmptype from a prepared icmptype file with an
        optional name override.

    --delete-icmptype=icmptype
        Delete an existing permanent icmptype.

    --icmptype=icmptype --set-description=description
        Set new description to icmptype.

    --icmptype=icmptype --get-description
        Print description for icmptype.

    --icmptype=icmptype --set-short=description
        Set short description to icmptype.

    --icmptype=icmptype --get-short
        Print short description for icmptype.

    --icmptype=icmptype --add-destination=ipv
        Enable destination for ipv in permanent icmptype. ipv is one of
        ipv4 or ipv6.

    --icmptype=icmptype --remove-destination=ipv
        Disable destination for ipv in permanent icmptype. ipv is one of
        ipv4 or ipv6.

    --icmptype=icmptype --query-destination=ipv
        Return whether destination for ipv is enabled in permanent
        icmptype. ipv is one of ipv4 or ipv6.

    --icmptype=icmptype --get-destinations
        List destinations in permanent icmptype.

    --path-icmptype=icmptype
        Print path of the icmptype configuration file.
Direct Options
    DEPRECATED
        The direct interface has been deprecated. It will be removed in a
        future release. It is superseded by policies, see
        firewalld.policies(5).

    The direct options give more direct access to the firewall. These
    options require the user to know basic iptables concepts, i.e. table
    (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
    (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
    (ACCEPT/DROP/REJECT/...).

    Direct options should be used only as a last resort when it is not
    possible to use for example --add-service=service or
    --add-rich-rule='rule'.

    Warning: Direct rules behave differently depending on the value of
    FirewallBackend. See CAVEATS in firewalld.direct(5).

    The first argument of each option has to be ipv4 or ipv6 or eb. With
    ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
    (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

    --direct --get-all-chains
        Get all chains added to all tables.

        This option concerns only chains previously added with --direct
        --add-chain.

    --direct --get-chains { ipv4 | ipv6 | eb } table
        Get all chains added to table table as a space separated list.

        This option concerns only chains previously added with --direct
        --add-chain.

    --direct --add-chain { ipv4 | ipv6 | eb } table chain
        Add a new chain with name chain to table table.

        There already exist basic chains to use with direct options, for
        example the INPUT_direct chain (see iptables-save | grep direct
        output for all of them). These chains are jumped into before the
        chains for zones, i.e. every rule put into INPUT_direct will be
        checked before rules in zones.

    --direct --remove-chain { ipv4 | ipv6 | eb } table chain
        Remove the chain with name chain from table table.

    --direct --query-chain { ipv4 | ipv6 | eb } table chain
        Return whether a chain with name chain exists in table table.
        Returns 0 if true, 1 otherwise.

        This option concerns only chains previously added with --direct
        --add-chain.

    --direct --get-all-rules
        Get all rules added to all chains in all tables as a newline
        separated list of the priority and arguments.

    --direct --get-rules { ipv4 | ipv6 | eb } table chain
        Get all rules added to chain chain in table table as a newline
        separated list of the priority and arguments.

    --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
        Add a rule with the arguments args to chain chain in table table
        with priority priority.

        The priority is used to order rules. Priority 0 means add the rule
        at the top of the chain; with a higher priority the rule will be
        added further down. Rules with the same priority are on the same
        level and the order of these rules is not fixed and may change. If
        you want to make sure that a rule will be added after another one,
        use a low priority for the first and a higher one for the
        following.

    --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
        Remove a rule with priority and the arguments args from chain chain
        in table table.

    --direct --remove-rules { ipv4 | ipv6 | eb } table chain
        Remove all rules from the chain with name chain in table table.

        This option concerns only rules previously added with --direct
        --add-rule in this chain.

    --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
        Return whether a rule with priority and the arguments args exists
        in chain chain in table table. Returns 0 if true, 1 otherwise.

    --direct --get-all-passthroughs
        Get all permanent passthrough rules as a newline separated list of
        the ipv value and arguments.

    --direct --get-passthroughs { ipv4 | ipv6 | eb }
        Get all permanent passthrough rules for the ipv value as a newline
        separated list of the priority and arguments.

    --direct --add-passthrough { ipv4 | ipv6 | eb } args
        Add a permanent passthrough rule with the arguments args for the
        ipv value.

    --direct --remove-passthrough { ipv4 | ipv6 | eb } args
        Remove a permanent passthrough rule with the arguments args for the
        ipv value.

    --direct --query-passthrough { ipv4 | ipv6 | eb } args
        Return whether a permanent passthrough rule with the arguments args
        exists for the ipv value. Returns 0 if true, 1 otherwise.
Lockdown Options
    Local applications or services are able to change the firewall
    configuration if they are running as root (example: libvirt) or are
    authenticated using PolicyKit. With this feature administrators can
    lock the firewall configuration so that only applications on the
    lockdown whitelist are able to request firewall changes.

    The lockdown access check limits D-Bus methods that change firewall
    rules. Query, list and get methods are not limited.

    The lockdown feature is a very light version of user and application
    policies for firewalld and is turned off by default.

    --lockdown-on
        Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
        whitelist when you enable lockdown, you won't be able to disable it
        again with firewall-cmd; you would need to edit firewalld.conf.

    --lockdown-off
        Disable lockdown.

    --query-lockdown
        Query whether lockdown is enabled. Returns 0 if lockdown is
        enabled, 1 otherwise.
Lockdown Whitelist Options
    The lockdown whitelist can contain commands, contexts, users and user
    ids.

    If a command entry on the whitelist ends with an asterisk '*', then all
    command lines starting with the command will match. If the '*' is not
    there, the absolute command line including its arguments must match.

    Commands for user root and other users are not always the same.
    Example: as root /bin/firewall-cmd is used, as a normal user
    /usr/bin/firewall-cmd is used on Fedora.

    The context is the security (SELinux) context of a running application
    or service. To get the context of a running application use ps -e
    --context.

    Warning: If the context is unconfined, then this will open access for
    more than the desired application.

    The lockdown whitelist entries are checked in the following order:
        1. context
        2. uid
        3. user
        4. command
1151
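    As an added illustration of the matching rules and check order described above (example code written for this page, not part of firewalld or its manual), the POSIX sh functions below evaluate a constructed whitelist: the contexts, uids, user names and command entries are assumed sample values, and lockdown_decide and the WL_* variables are hypothetical helpers, not a firewalld interface.

```shell
#!/bin/sh
# Constructed whitelist standing in for the entries of
# firewalld.lockdown-whitelist(5); assumed sample values, not a real file.
WL_CONTEXTS='system_u:system_r:NetworkManager_t:s0'
WL_UIDS='0'
WL_USERS='fwadmin'
WL_COMMANDS='/usr/bin/python3 -Es /usr/bin/firewall-config
/usr/bin/firewall-cmd*
/bin/firewall-cmd --reload'

# in_list LIST VALUE: exact match of VALUE against a newline-separated LIST.
in_list() {
    while IFS= read -r entry; do
        [ "$entry" = "$2" ] && return 0
    done <<EOF
$1
EOF
    return 1
}

# lockdown_command_allowed CMDLINE: an entry ending in '*' matches every
# command line that starts with the text before the '*'; any other entry
# must equal the absolute command line including all of its arguments.
# Caveat: a trailing '*' also admits other paths that share the prefix.
lockdown_command_allowed() {
    while IFS= read -r entry; do
        case "$entry" in
            *'*') prefix=${entry%\*}
                  case "$1" in "$prefix"*) return 0 ;; esac ;;
            *)    [ "$1" = "$entry" ] && return 0 ;;
        esac
    done <<EOF
$WL_COMMANDS
EOF
    return 1
}

# lockdown_decide CONTEXT UID USER CMDLINE: print which entry type admits
# the caller, testing in the documented order (context, uid, user,
# command), or "denied" when nothing matches.
lockdown_decide() {
    if in_list "$WL_CONTEXTS" "$1"; then echo context
    elif in_list "$WL_UIDS" "$2"; then echo uid
    elif in_list "$WL_USERS" "$3"; then echo user
    elif lockdown_command_allowed "$4"; then echo command
    else echo denied
    fi
}
```

    Because the context is tested first, an unconfined context placed on the whitelist would admit every unconfined caller before the uid, user and command checks are reached, which is the reason for the warning above.
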
    --list-lockdown-whitelist-commands
        List all command lines that are on the whitelist.

    --add-lockdown-whitelist-command=command
        Add the command to the whitelist.

    --remove-lockdown-whitelist-command=command
        Remove the command from the whitelist.

    --query-lockdown-whitelist-command=command
        Query whether the command is on the whitelist. Returns 0 if true, 1
        otherwise.

    --list-lockdown-whitelist-contexts
        List all contexts that are on the whitelist.

    --add-lockdown-whitelist-context=context
        Add the context context to the whitelist.

    --remove-lockdown-whitelist-context=context
        Remove the context from the whitelist.

    --query-lockdown-whitelist-context=context
        Query whether the context is on the whitelist. Returns 0 if true, 1
        otherwise.

    --list-lockdown-whitelist-uids
        List all user ids that are on the whitelist.

    --add-lockdown-whitelist-uid=uid
        Add the user id uid to the whitelist.

    --remove-lockdown-whitelist-uid=uid
        Remove the user id uid from the whitelist.

    --query-lockdown-whitelist-uid=uid
        Query whether the user id uid is on the whitelist. Returns 0 if
        true, 1 otherwise.

    --list-lockdown-whitelist-users
        List all user names that are on the whitelist.

    --add-lockdown-whitelist-user=user
        Add the user name user to the whitelist.

    --remove-lockdown-whitelist-user=user
        Remove the user name user from the whitelist.

    --query-lockdown-whitelist-user=user
        Query whether the user name user is on the whitelist. Returns 0 if
        true, 1 otherwise.

Policy Options
    --policy-server
        Change Polkit actions to 'server' (more restricted).

    --policy-desktop
        Change Polkit actions to 'desktop' (less restricted).

SEE ALSO
    firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
    firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
    firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
    firewall-offline-cmd(1), firewalld.richlanguage(5),
    firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
    firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5),
    firewalld.helper(5)

NOTES
    firewalld home page:
        http://firewalld.org

    More documentation with examples:
        http://fedoraproject.org/wiki/FirewallD

AUTHORS
    Thomas Woerner <twoerner@redhat.com>
        Developer

    Jiri Popelka <jpopelka@redhat.com>
        Developer

    Eric Garver <eric@garver.life>
        Developer

firewalld 1.3.4                                          FIREWALL-OFFLINE-C(1)