FIREWALL-OFFLINE-C(1) firewall-offline-cmd FIREWALL-OFFLINE-C(1)

NAME
firewall-offline-cmd - firewalld offline command line client

SYNOPSIS
firewall-offline-cmd [OPTIONS...]

DESCRIPTION
firewall-offline-cmd is an offline command line client of the firewalld
daemon. It should be used only if the firewalld service is not running,
for example to migrate from system-config-firewall/lokkit or in the
install environment to configure firewall settings with kickstart.

Some lokkit options cannot be automatically converted for firewalld;
they will result in an error or warning message. This tool tries to
convert as much as possible, but there are limitations, for example with
custom rules, modules and masquerading.

Check the firewall configuration after using this tool.

OPTIONS
If no options are given, configuration from
/etc/sysconfig/system-config-firewall will be migrated.

Sequence options are the options that can be specified multiple times.
The exit code is 0 if at least one item succeeded. The
ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16)
errors are treated as succeeded. If there are issues while parsing the
items, these are treated as warnings and do not change the
result as long as there is a succeeded item. Without any succeeded item,
the exit code depends on the error codes: if there is exactly one
error code, that code is used; if there is more than one,
UNKNOWN_ERROR (254) is used.
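
The exit-code rule above, as an added example that is not firewalld's own code: a small model of a sequence option (--add-port given several times) that validates each portid[-portid]/protocol item as the page describes and then reduces the per-item outcomes to one exit code. The four codes named on the page are used as given; the INVALID_SERVICE and INVALID_PORT values, the 1..65535 port bound and the helper names are this example's assumptions.

```python
from enum import IntEnum
from typing import Iterable, List, NamedTuple, Set, Tuple


class Code(IntEnum):
    """Exit/error codes used below. The entries marked 'man page' are the
    ones firewall-offline-cmd(1) names; the INVALID_* values are assumed
    (firewalld's errors module) and are not stated on the page."""
    SUCCESS = 0
    ALREADY_ENABLED = 11       # man page: treated as succeeded
    NOT_ENABLED = 12           # man page: treated as succeeded
    ZONE_ALREADY_SET = 16      # man page: treated as succeeded
    INVALID_SERVICE = 101      # assumed value
    INVALID_PORT = 102         # assumed value
    UNKNOWN_ERROR = 254        # man page: more than one error code


TREATED_AS_SUCCESS = {Code.ALREADY_ENABLED, Code.NOT_ENABLED,
                      Code.ZONE_ALREADY_SET}

# The four protocols the man page allows in portid[-portid]/protocol.
PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}


class ItemResult(NamedTuple):
    item: str                  # the argument as typed, e.g. "ssh" or "80/tcp"
    code: Code                 # outcome of parsing or applying the item
    parse_issue: bool = False  # True when the item never parsed


def parse_port_spec(spec: str) -> ItemResult:
    """Validate one --add-port argument of the form portid[-portid]/protocol.

    A malformed spec is reported as a parse issue so that sequence_exit_code()
    can treat it as a warning whenever another item succeeded. The 1..65535
    bound is this example's own choice, not taken from the page."""
    bad = ItemResult(spec, Code.INVALID_PORT, parse_issue=True)
    port, sep, proto = spec.partition("/")
    if not sep or proto not in PROTOCOLS:
        return bad
    lo, _, hi = port.partition("-")
    try:
        lo_n = int(lo)
        hi_n = int(hi) if hi else lo_n
    except ValueError:
        return bad
    if not 1 <= lo_n <= hi_n <= 65535:
        return bad
    return ItemResult(spec, Code.SUCCESS)


def sequence_exit_code(results: Iterable[ItemResult]) -> Tuple[int, List[str]]:
    """Reduce the per-item results of one sequence option to
    (exit_code, warning_messages) following the documented rule."""
    warnings: List[str] = []
    succeeded = 0
    error_codes: Set[int] = set()   # distinct codes of the failed items
    for r in results:
        if r.code == Code.SUCCESS or r.code in TREATED_AS_SUCCESS:
            succeeded += 1
            if r.code != Code.SUCCESS:
                warnings.append(f"{r.item}: {r.code.name}")
            continue
        warnings.append(f"{r.item}: {r.code.name}"
                        + (" (not parsed)" if r.parse_issue else ""))
        error_codes.add(int(r.code))
    if succeeded:
        return 0, warnings                  # warnings do not change the result
    if len(error_codes) == 1:               # "exactly one error code"
        return error_codes.pop(), warnings
    return int(Code.UNKNOWN_ERROR), warnings


def add_ports(specs: List[str]) -> Tuple[int, List[str]]:
    """Simulate --add-port given several times: every well-formed spec is
    treated as applied successfully (constructed behaviour, no firewall is
    touched); malformed ones become parse warnings or errors."""
    return sequence_exit_code(parse_port_spec(s) for s in specs)
```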

The following options are supported:

General Options
-h, --help
Prints a short help text and exits.

-V, --version
Prints the version string of firewalld and exits.

-q, --quiet
Do not print status messages.

--default-config
Path to firewalld default configuration. This usually defaults to
/usr/lib/firewalld.

--system-config
Path to firewalld system (user) configuration. This usually
defaults to /etc/firewalld.

Status Options
--enabled
Enable the firewall. This option is a default option and will
activate the firewall if not already enabled as long as the option
--disabled is not given.

--disabled
Disable the firewall by disabling the firewalld service.

--check-config
Run checks on the permanent (default and system) configuration.
This includes XML validity and semantics.

This may be used with --system-config to check the validity of
handwritten configuration files before copying them to the standard
location.

--reset-to-defaults
Reset configuration to firewalld's default configuration.

Lokkit Compatibility Options
These options are nearly identical to the options of lokkit.

--migrate-system-config-firewall=file
Migrate system-config-firewall configuration from the given file.
No further

--addmodule=module
This option will result in a warning message and will be ignored.

Handling of netfilter helpers has been merged into services
completely. Adding or removing netfilter helpers outside of
services is therefore not needed anymore. For more information on
handling netfilter helpers in services, please have a look at
firewalld.zone(5).

--removemodule
This option will result in a warning message and will be ignored.

Handling of netfilter helpers has been merged into services
completely. Adding or removing netfilter helpers outside of
services is therefore not needed anymore. For more information on
handling netfilter helpers in services, please have a look at
firewalld.zone(5).

--remove-service=service
Remove a service from the default zone. This option can be
specified multiple times.

The service is one of the firewalld provided services. To get a
list of the supported services, use firewall-cmd --get-services.

-s service, --service=service
Add a service to the default zone. This option can be specified
multiple times.

The service is one of the firewalld provided services. To get a
list of the supported services, use firewall-cmd --get-services.

-p portid[-portid]:protocol, --port=portid[-portid]:protocol
Add the port to the default zone. This option can be specified
multiple times.

The port can either be a single port number or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.

-t interface, --trust=interface
This option will result in a warning message.

Mark an interface as trusted. This option can be specified multiple
times. The interface will be bound to the trusted zone.

If the interface is used in a NetworkManager managed connection or
if there is an ifcfg file for this interface, the zone will be
changed to the zone defined in the configuration as soon as it gets
activated. To change the zone of a connection, use
nm-connection-editor and set the zone to trusted; for an ifcfg
file, use an editor and add "ZONE=trusted". If the zone is not
defined in the ifcfg file, the firewalld default zone will be used.

-m interface, --masq=interface
This option will result in a warning message.

Masquerading will be enabled in the default zone. The interface
argument will be ignored. This is for IPv4 only.

--custom-rules=[type:][table:]filename
This option will result in a warning message and will be ignored.

Custom rule files are not supported by firewalld.

--forward-port=if=interface:port=port:proto=protocol[:toport=destination port:][:toaddr=destination address]
This option will result in a warning message.

Add the IPv4 forward port in the default zone. This option can be
specified multiple times.

The port can either be a single port number portid or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.
The destination address is an IP address.

--block-icmp=icmptype
This option will result in a warning message.

Add an ICMP block for icmptype in the default zone. This option can
be specified multiple times.

The icmptype is one of the ICMP types firewalld supports. To get a
listing of supported ICMP types, use firewall-cmd --get-icmptypes.

Log Denied Options
--get-log-denied
Print the log denied setting.

--set-log-denied=value
Add logging rules right before reject and drop rules in the INPUT,
FORWARD and OUTPUT chains for the default rules and also final
reject and drop rules in zones for the configured link-layer packet
type. The possible values are: all, unicast, broadcast, multicast
and off. The default setting is off, which disables the logging.

This is a runtime and permanent change and will also reload the
firewall to be able to add the logging rules.

Zone Options
--get-default-zone
Print default zone for connections and interfaces.

--set-default-zone=zone
Set default zone for connections and interfaces where no zone has
been selected. Setting the default zone changes the zone for the
connections or interfaces that are using the default zone.

--get-zones
Print predefined zones as a space separated list.

--get-services
Print predefined services as a space separated list.

--get-icmptypes
Print predefined icmptypes as a space separated list.

--get-zone-of-interface=interface
Print the name of the zone the interface is bound to or no zone.

--get-zone-of-source=source[/mask]|MAC|ipset:ipset
Print the name of the zone the source is bound to or no zone.

--info-zone=zone
Print information about the zone zone. The output format is:

zone
  interfaces: interface1 ..
  sources: source1 ..
  services: service1 ..
  ports: port1 ..
  protocols: protocol1 ..
  forward-ports:
        forward-port1
        ..
  source-ports: source-port1 ..
  icmp-blocks: icmp-type1 ..
  rich rules:
        rich-rule1
        ..

--list-all-zones
List everything added for or enabled in all zones. The output
format is:

zone1
  interfaces: interface1 ..
  sources: source1 ..
  services: service1 ..
  ports: port1 ..
  protocols: protocol1 ..
  forward-ports:
        forward-port1
        ..
  source-ports: source-port1 ..
  icmp-blocks: icmp-type1 ..
  rich rules:
        rich-rule1
        ..
..

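
The zone listing format documented above for --info-zone and --list-all-zones, handled by an added example that is not part of this man page or of firewalld: a parser that turns the listing into a dictionary, plus two checks worth running on an offline configuration before the host boots with it (which zone an interface lands in, and which forward-ports carry a toaddr and so, as the page notes later, implicitly enable IP forwarding). The sample listing is constructed in the documented layout; the 8-column tab expansion and the helper names are this example's own assumptions.

```python
from typing import Dict, List, Optional, Tuple

ZoneAttrs = Dict[str, List[str]]

# Constructed sample in the documented layout: zone name at column 0, one
# "key: values" line per attribute, and multi-line attributes (forward-ports,
# rich rules) listing one entry per deeper-indented (here tab-indented) line.
SAMPLE_LISTING = """\
public
  interfaces: eth0 eth1
  sources:
  services: dhcpv6-client ssh
  ports: 8080/tcp
  protocols:
  forward-ports:
\tport=80:proto=tcp:toport=8080:toaddr=
\tport=2222:proto=tcp:toport=22:toaddr=10.0.0.5
  source-ports:
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="192.0.2.0/24" service name="ssh" accept
internal
  interfaces: eth2
  sources: 10.0.0.0/8
  services: ssh mdns samba-client
  ports:
  protocols:
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""


def parse_zone_listing(text: str) -> Dict[str, ZoneAttrs]:
    """Parse --info-zone / --list-all-zones output into {zone: {key: [..]}}.

    Indentation decides the structure: column 0 starts a zone, the first
    indented column holds attributes, and anything deeper is an entry of the
    most recent attribute. Tabs are expanded (assumed 8 columns) so that a
    tab-indented entry is seen as deeper than a two-space attribute line."""
    zones: Dict[str, ZoneAttrs] = {}
    current: Optional[ZoneAttrs] = None
    last_key: Optional[str] = None
    attr_indent: Optional[int] = None
    for raw in text.splitlines():
        line = raw.expandtabs(8)
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                        # zone header
            current = zones.setdefault(body, {})
            last_key = attr_indent = None
            continue
        if current is None:
            raise ValueError("attribute line before any zone name")
        if attr_indent is None:
            attr_indent = indent
        if indent > attr_indent and last_key is not None:
            current[last_key].append(body)     # entry of a multi-line attribute
            continue
        key, sep, value = body.partition(":")
        if not sep:
            raise ValueError(f"unparseable line: {raw!r}")
        last_key = key.strip()
        current[last_key] = value.split()      # space separated list, may be empty
    return zones


def zone_for_interface(zones: Dict[str, ZoneAttrs], iface: str) -> Optional[str]:
    """Zone the interface is bound to, or None when unbound (the default
    zone then applies, see --get-default-zone)."""
    for name, attrs in zones.items():
        if iface in attrs.get("interfaces", []):
            return name
    return None


def offhost_forward_ports(zones: Dict[str, ZoneAttrs]) -> List[Tuple[str, str]]:
    """(zone, entry) pairs whose forward-port has a non-empty toaddr, i.e. the
    entries that redirect to another host and implicitly enable IP forwarding.
    Forward ports are IPv4 only, so ':' is a safe field separator here."""
    found: List[Tuple[str, str]] = []
    for name, attrs in zones.items():
        for entry in attrs.get("forward-ports", []):
            fields = dict(f.split("=", 1) for f in entry.split(":") if "=" in f)
            if fields.get("toaddr"):
                found.append((name, entry))
    return found
```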
--new-zone=zone
Add a new permanent zone.

Zone names must be alphanumeric and may additionally include
characters: '_' and '-'.

--new-zone-from-file=filename [--name=zone]
Add a new permanent zone from a prepared zone file with an optional
name override.

--path-zone=zone
Print path of the zone configuration file.

--delete-zone=zone
Delete an existing permanent zone.

Policy Options
--get-policies
Print predefined policies as a space separated list.

--info-policy=policy
Print information about the policy policy.

--list-all-policies
List everything added for or enabled in all policies.

--new-policy=policy
Add a new permanent policy.

Policy names must be alphanumeric and may additionally include
characters: '_' and '-'.

--new-policy-from-file=filename [--name=policy]
Add a new permanent policy from a prepared policy file with an
optional name override.

--path-policy=policy
Print path of the policy configuration file.

--delete-policy=policy
Delete an existing permanent policy.

--load-policy-defaults=policy
Load the shipped defaults for a policy. Only applies to policies
shipped with firewalld. Does not apply to user defined policies.

Options to Adapt and Query Zones and Policies
Options in this section affect only one particular zone or policy. If
used with the --zone=zone or --policy=policy option, they affect the
specified zone or policy. If both options are omitted, they affect the
default zone (see --get-default-zone).

[--zone=zone] [--policy=policy] --list-all
List everything added or enabled.

[--zone=zone] [--policy=policy] --get-target
Get the target.

[--zone=zone] [--policy=policy] --set-target=target
Set the target.

For zones target is one of: default, ACCEPT, DROP, REJECT

For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT

default is similar to REJECT, but it implicitly allows ICMP
packets.

[--zone=zone] [--policy=policy] --set-description=description
Set description.

[--zone=zone] [--policy=policy] --get-description
Print description.

[--zone=zone] [--policy=policy] --set-short=description
Set short description.

[--zone=zone] [--policy=policy] --get-short
Print short description.

[--zone=zone] [--policy=policy] --list-services
List services added as a space separated list.

[--zone=zone] [--policy=policy] --add-service=service
Add a service. This option can be specified multiple times.

The service is one of the firewalld provided services. To get a
list of the supported services, use firewall-cmd --get-services.

Note: Some services define connection tracking helpers. Helpers
that may operate in client mode (e.g. tftp) must be added to an
outbound policy instead of a zone to take effect for clients.
Otherwise the helper will not be applied to the outbound traffic.
The related traffic, as defined by the connection tracking helper,
on the return path (ingress) will be allowed by the stateful
firewall rules.

An example of an outbound policy for connection tracking helpers:

# firewall-cmd --new-policy clientConntrack
# firewall-cmd --policy clientConntrack --add-ingress-zone HOST
# firewall-cmd --policy clientConntrack --add-egress-zone ANY
# firewall-cmd --policy clientConntrack --add-service tftp

[--zone=zone] --remove-service-from-zone=service
Remove a service from zone. This option can be specified multiple
times. If zone is omitted, the default zone will be used.

[--policy=policy] --remove-service-from-policy=service
Remove a service from policy. This option can be specified multiple
times.

[--zone=zone] [--policy=policy] --query-service=service
Return whether service has been added. Returns 0 if true, 1
otherwise.

[--zone=zone] [--policy=policy] --list-ports
List ports added as a space separated list. A port is of the form
portid[-portid]/protocol; it can be either a port and protocol pair
or a port range with a protocol.

[--zone=zone] [--policy=policy] --add-port=portid[-portid]/protocol
Add the port. This option can be specified multiple times.

The port can either be a single port number or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.

[--zone=zone] [--policy=policy] --remove-port=portid[-portid]/protocol
Remove the port. This option can be specified multiple times.

[--zone=zone] [--policy=policy] --query-port=portid[-portid]/protocol
Return whether the port has been added. Returns 0 if true, 1
otherwise.

[--zone=zone] [--policy=policy] --list-protocols
List protocols added as a space separated list.

[--zone=zone] [--policy=policy] --add-protocol=protocol
Add the protocol. This option can be specified multiple times.
timeval is either a number (of seconds) or a number followed by one
of the characters s (seconds), m (minutes), h (hours), for example 20m
or 1h.

The protocol can be any protocol supported by the system. Please
have a look at /etc/protocols for supported protocols.

[--zone=zone] [--policy=policy] --remove-protocol=protocol
Remove the protocol. This option can be specified multiple times.

[--zone=zone] [--policy=policy] --query-protocol=protocol
Return whether the protocol has been added. Returns 0 if true, 1
otherwise.

[--zone=zone] [--policy=policy] --list-icmp-blocks
List Internet Control Message Protocol (ICMP) type blocks added as
a space separated list.

[--zone=zone] [--policy=policy] --add-icmp-block=icmptype
Add an ICMP block for icmptype. This option can be specified
multiple times.

The icmptype is one of the ICMP types firewalld supports. To get a
listing of supported ICMP types, use firewall-cmd --get-icmptypes.

[--zone=zone] [--policy=policy] --remove-icmp-block=icmptype
Remove the ICMP block for icmptype. This option can be specified
multiple times.

[--zone=zone] [--policy=policy] --query-icmp-block=icmptype
Return whether an ICMP block for icmptype has been added. Returns 0
if true, 1 otherwise.

[--zone=zone] [--policy=policy] --list-forward-ports
List IPv4 forward ports added as a space separated list.

For IPv6 forward ports, please use the rich language.

[--zone=zone] [--policy=policy] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Add the IPv4 forward port. This option can be specified multiple
times.

The port can either be a single port number portid or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.
The destination address is a simple IP address.

For IPv6 forward ports, please use the rich language.

Note: IP forwarding will be implicitly enabled if toaddr is
specified.

[--zone=zone] [--policy=policy] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Remove the IPv4 forward port. This option can be specified multiple
times.

For IPv6 forward ports, please use the rich language.

[--zone=zone] [--policy=policy] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Return whether the IPv4 forward port has been added. Returns 0 if
true, 1 otherwise.

For IPv6 forward ports, please use the rich language.

[--zone=zone] [--policy=policy] --list-source-ports
List source ports added as a space separated list. A port is of the
form portid[-portid]/protocol.

[--zone=zone] [--policy=policy] --add-source-port=portid[-portid]/protocol
Add the source port. This option can be specified multiple times.

The port can either be a single port number or a port range
portid-portid. The protocol can either be tcp, udp, sctp or dccp.

[--zone=zone] [--policy=policy] --remove-source-port=portid[-portid]/protocol
Remove the source port. This option can be specified multiple
times.

[--zone=zone] [--policy=policy] --query-source-port=portid[-portid]/protocol
Return whether the source port has been added. Returns 0 if true, 1
otherwise.

[--zone=zone] [--policy=policy] --add-masquerade
Enable IPv4 masquerade. Masquerading is useful if the machine is a
router and machines connected over an interface in another zone
should be able to use the first connection.

For IPv6 masquerading, please use the rich language.

Note: IP forwarding will be implicitly enabled.

[--zone=zone] [--policy=policy] --remove-masquerade
Disable IPv4 masquerade.

For IPv6 masquerading, please use the rich language.

[--zone=zone] [--policy=policy] --query-masquerade
Return whether IPv4 masquerading has been enabled. Returns 0 if
true, 1 otherwise.

For IPv6 masquerading, please use the rich language.

[--zone=zone] [--policy=policy] --list-rich-rules
List rich language rules added as a newline separated list.

[--zone=zone] [--policy=policy] --add-rich-rule='rule'
Add rich language rule 'rule'. This option can be specified
multiple times.

For the rich language rule syntax, please have a look at
firewalld.richlanguage(5).

[--zone=zone] [--policy=policy] --remove-rich-rule='rule'
Remove rich language rule 'rule'. This option can be specified
multiple times.

For the rich language rule syntax, please have a look at
firewalld.richlanguage(5).

[--zone=zone] [--policy=policy] --query-rich-rule='rule'
Return whether a rich language rule 'rule' has been added. Returns
0 if true, 1 otherwise.

For the rich language rule syntax, please have a look at
firewalld.richlanguage(5).

Options to Adapt and Query Zones
Options in this section affect only one particular zone. If used with
the --zone=zone option, they affect the specified zone. If the option is
omitted, they affect the default zone (see --get-default-zone).

[--zone=zone] --add-icmp-block-inversion
Enable ICMP block inversion.

[--zone=zone] --remove-icmp-block-inversion
Disable ICMP block inversion.

[--zone=zone] --query-icmp-block-inversion
Return whether ICMP block inversion is enabled. Returns 0 if true,
1 otherwise.

[--zone=zone] --add-forward
Enable intra zone forwarding.

[--zone=zone] --remove-forward
Disable intra zone forwarding.

[--zone=zone] --query-forward
Return whether intra zone forwarding is enabled. Returns 0 if true,
1 otherwise.

[--zone=zone] --get-priority
Get the priority of the zone.

[--zone=zone] --set-priority
Set the zone's priority for packet classification. This will set
both the ingress and egress priority.

[--zone=zone] --get-ingress-priority
Get the ingress priority of the zone.

[--zone=zone] --set-ingress-priority
Set the zone's ingress priority for packet classification.

[--zone=zone] --get-egress-priority
Get the egress priority of the zone.

[--zone=zone] --set-egress-priority
Set the zone's egress priority for packet classification.

569 --policy=policy --get-priority
570 Get the priority.
571
572 --policy=policy --set-prioritypriority
573 Set the priority. The priority determines the relative ordering of
574 policies. This is an integer value between -32768 and 32767 where
575 -1 is the default value for new policies and 0 is reserved for
576 internal use.
577
578 If a priority is < 0, then the policy's rules will execute before
579 all rules in all zones.
580
581 If a priority is > 0, then the policy's rules will execute after
582 all rules in all zones.
583
584 --policy=policy --list-ingress-zones
585 List ingress zones added as a space separated list.
586
587 --policy=policy --add-ingress-zone=zone
588 Add an ingress zone. This option can be specified multiple times.
589
590 The ingress zone is one of the firewalld provided zones or one of
591 the pseudo-zones: HOST, ANY.
592
593 HOST is used for traffic originating from the host machine, i.e.
594 the host running firewalld.
595
596 ANY is used for traffic originating from any zone. This can be
597 thought of as a wild card for zones. However it does not include
598 traffic originating from the host machine - use HOST for that.
599
600 --policy=policy --remove-ingress-zone=zone
601 Remove an ingress zone. This option can be specified multiple
602 times.
603
604 --policy=policy --query-ingress-zone=zone
605 Return whether zone has been added. Returns 0 if true, 1 otherwise.
606
607 --policy=policy --list-egress-zones
608 List egress zones added as a space separated list.
609
610 --policy=policy --add-egress-zone=zone
611 Add an egress zone. This option can be specified multiple times.
612
613 The egress zone is one of the firewalld provided zones or one of
614 the pseudo-zones: HOST, ANY.
615
616 For clarification on HOST and ANY see option --add-ingress-zone.
617
618 --policy=policy --remove-egress-zone=zone
619 Remove an egress zone. This option can be specified multiple times.
620
621 --policy=policy --query-egress-zone=zone
622 Return whether zone has been added. Returns 0 if true, 1 otherwise.
623
Options to Handle Bindings of Interfaces
Binding an interface to a zone means that this zone's settings are used
to restrict traffic via the interface.

Options in this section affect only one particular zone. If used with
the --zone=zone option, they affect the zone zone. If the option is
omitted, they affect the default zone (see --get-default-zone).

For a list of predefined zones use firewall-cmd --get-zones.

An interface name is a string up to 16 characters long that may not
contain ' ', '/', '!' and '*'.

[--zone=zone] --list-interfaces
List interfaces that are bound to zone zone as a space separated
list. If zone is omitted, the default zone will be used.

[--zone=zone] --add-interface=interface
Bind interface interface to zone zone. If zone is omitted, the default
zone will be used.

[--zone=zone] --change-interface=interface
Change the zone the interface interface is bound to to zone zone. If
zone is omitted, the default zone will be used. If old and new zone are
the same, the call will be ignored without an error. If the
interface has not been bound to a zone before, it will behave like
--add-interface.

[--zone=zone] --query-interface=interface
Query whether interface interface is bound to zone zone. Returns 0
if true, 1 otherwise.

[--zone=zone] --remove-interface=interface
Remove binding of interface interface from zone zone. If zone is
omitted, the default zone will be used.

Options to Handle Bindings of Sources
Binding a source to a zone means that this zone's settings will be used
to restrict traffic from this source.

A source address or address range is either an IP address or a network
IP address with a mask for IPv4 or IPv6, or a MAC address, or an ipset
with the ipset: prefix. For IPv4, the mask can be a network mask or a
plain number. For IPv6 the mask is a plain number. The use of host
names is not supported.

Options in this section affect only one particular zone. If used with
the --zone=zone option, they affect the zone zone. If the option is
omitted, they affect the default zone (see --get-default-zone).

For a list of predefined zones use firewall-cmd --get-zones.

[--zone=zone] --list-sources
List sources that are bound to zone zone as a space separated list.
If zone is omitted, the default zone will be used.

[--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
Bind the source to zone zone. If zone is omitted, the default zone will
be used.

[--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
Change the zone the source is bound to to zone zone. If zone is
omitted, the default zone will be used. If old and new zone are the
same, the call will be ignored without an error. If the source has
not been bound to a zone before, it will behave like --add-source.

[--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
Query whether the source is bound to the zone zone. Returns 0 if
true, 1 otherwise.

[--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
Remove binding of the source from zone zone. If zone is omitted,
the default zone will be used.

IPSet Options
--new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
Add a new permanent ipset, specifying the type and optional
options.

ipset names must be alphanumeric and may additionally include
characters: '_' and '-'.

--new-ipset-from-file=filename [--name=ipset]
Add a new permanent ipset from a prepared ipset file with an
optional name override.

--delete-ipset=ipset
Delete an existing permanent ipset.

--info-ipset=ipset
Print information about the ipset ipset. The output format is:

ipset
  type: type
  options: option1[=value1] ..
  entries: entry1 ..

--get-ipsets
Print predefined ipsets as a space separated list.

--ipset=ipset --add-entry=entry
Add a new entry to the ipset.

--ipset=ipset --remove-entry=entry
Remove an entry from the ipset.

--ipset=ipset --query-entry=entry
Return whether the entry has been added to an ipset. Returns 0 if
true, 1 otherwise.

--ipset=ipset --get-entries
List all entries of the ipset.

--ipset=ipset --add-entries-from-file=filename
Add new entries to the ipset from the file. For all entries that
are listed in the file but already in the ipset, a warning will be
printed.

The file should contain one entry per line. Lines starting with a
hash or semicolon are ignored, as are empty lines.

--ipset=ipset --remove-entries-from-file=filename
Remove existing entries from the ipset from the file. For all
entries that are listed in the file but not in the ipset, a warning
will be printed.

The file should contain one entry per line. Lines starting with a
hash or semicolon are ignored, as are empty lines.

--ipset=ipset --set-description=description
Set a new description for the ipset.

--ipset=ipset --get-description
Print the description of the ipset.

--ipset=ipset --set-short=description
Set a new short description for the ipset.

--ipset=ipset --get-short
Print the short description of the ipset.

--path-ipset=ipset
Print path of the ipset configuration file.

Service Options
--info-service=service
Print information about the service service. The output format is:

service
  ports: port1 ..
  protocols: protocol1 ..
  source-ports: source-port1 ..
  helpers: helper1 ..
  destination: ipv1:address1 ..

--new-service=service
Add a new permanent service.

Service names must be alphanumeric and may additionally include
characters: '_' and '-'.

--new-service-from-file=filename [--name=service]
Add a new permanent service from a prepared service file with an
optional name override.

--delete-service=service
Delete an existing permanent service.

--path-service=service
Print path of the service configuration file.

--service=service --set-description=description
Set a new description for the service.

--service=service --get-description
Print the description of the service.

--service=service --set-short=description
Set the short description of the service.

--service=service --get-short
Print the short description of the service.

--service=service --add-port=portid[-portid]/protocol
Add a new port to the permanent service.

--service=service --remove-port=portid[-portid]/protocol
Remove a port from the permanent service.

--service=service --query-port=portid[-portid]/protocol
Return whether the port has been added to the permanent service.

--service=service --get-ports
List ports added to the permanent service.

--service=service --add-protocol=protocol
Add a new protocol to the permanent service.

--service=service --remove-protocol=protocol
Remove a protocol from the permanent service.

--service=service --query-protocol=protocol
Return whether the protocol has been added to the permanent
service.

--service=service --get-protocols
List protocols added to the permanent service.

--service=service --add-source-port=portid[-portid]/protocol
Add a new source port to the permanent service.

--service=service --remove-source-port=portid[-portid]/protocol
Remove a source port from the permanent service.

--service=service --query-source-port=portid[-portid]/protocol
Return whether the source port has been added to the permanent
service.

--service=service --get-source-ports
List source ports added to the permanent service.

--service=service --add-helper=helper
Add a new helper to the permanent service.

--service=service --remove-helper=helper
Remove a helper from the permanent service.

--service=service --query-helper=helper
Return whether the helper has been added to the permanent service.

--service=service --get-service-helpers
List helpers added to the permanent service.

--service=service --set-destination=ipv:address[/mask]
Set destination for ipv to address[/mask] in the permanent service.

--service=service --remove-destination=ipv
Remove the destination for ipv from the permanent service.

--service=service --query-destination=ipv:address[/mask]
Return whether the destination ipv to address[/mask] has been set
in the permanent service.

--service=service --get-destinations
List destinations added to the permanent service.

--service=service --add-include=service
Add a new include to the permanent service.

--service=service --remove-include=service
Remove an include from the permanent service.

--service=service --query-include=service
Return whether the include has been added to the permanent service.

--service=service --get-includes
List includes added to the permanent service.

886 Helper Options
887 Options in this section affect only one particular helper.
888
889 --info-helper=helper
890 Print information about the helper helper. The output format is:
891
892 helper
893 family: family
894 module: module
895 ports: port1 ..
896
897
898
899 The following options are only usable in the permanent configuration.
900
901 --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
902 Add a new permanent helper with module and optionally family
903 defined.
904
905 Helper names must be alphanumeric and may additionally include the
906 character '-'.
907
908 --new-helper-from-file=filename [--name=helper]
909 Add a new permanent helper from a prepared helper file with an
910 optional name override.
911
912 --delete-helper=helper
913 Delete an existing permanent helper.
914
915 --load-helper-defaults=helper
916 Load the default settings of the helper or report a NO_DEFAULTS error.
917
918 --path-helper=helper
919 Print path of the helper configuration file.
920
921 --get-helpers
922 Print predefined helpers as a space separated list.
923
924 --helper=helper --set-description=description
925 Set a new description for the helper.
926
927 --helper=helper --get-description
928 Print the description of the helper.
929
930 --helper=helper --set-short=description
931 Set a short description for the helper.
932
933 --helper=helper --get-short
934 Print the short description of the helper.
935
936 --helper=helper --add-port=portid[-portid]/protocol
937 Add a new port to the permanent helper.
938
939 --helper=helper --remove-port=portid[-portid]/protocol
940 Remove a port from the permanent helper.
941
942 --helper=helper --query-port=portid[-portid]/protocol
943 Return whether the port has been added to the permanent helper.
944
945 --helper=helper --get-ports
946 List ports added to the permanent helper.
947
948 --helper=helper --set-module=module
949 Set the conntrack module of the helper, as given to --new-helper --module.
950
951 --helper=helper --get-module
952 Print the module of the helper.
953
954 --helper=helper --set-family=ipv4|ipv6
955 Set the family of the helper to ipv4 or ipv6.
956
957 --helper=helper --get-family
958 Print the family of the helper.
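
As an added example, not from this manual page or the firewalld project, the following POSIX shell script creates a permanent helper with the options above and validates its name locally first, because helper names accept only alphanumerics and '-' (unlike ICMP type names, which also accept '_'). The helper name myproto-ctl, the module nf_conntrack_myproto and the ports are hypothetical; a real module of that name must exist in the running kernel for the helper to be usable. It assumes firewall-offline-cmd is on PATH and run as root with firewalld stopped; FWOC is only there so the script can be dry-run against a function that echoes its arguments.

```shell
#!/bin/sh
# Added example, not firewalld project code: create a permanent conntrack
# helper and attach ports to it. FWOC names the client; override it to
# dry-run (the tests use a function that just echoes its arguments).
FWOC="${FWOC:-firewall-offline-cmd}"

# valid_helper_name NAME: helper names are alphanumeric plus '-'. Note the
# difference from ICMP type names, which may also contain '_'.
valid_helper_name() {
    case "$1" in
        '' | *[!A-Za-z0-9-]*) return 1 ;;
    esac
    return 0
}

# define_helper NAME MODULE FAMILY PORT [PORT...]
# MODULE is the nf_conntrack kernel module the helper loads, FAMILY is
# ipv4 or ipv6, and each PORT is portid[-portid]/protocol. Name and family
# are validated locally so that a typo fails before any file is written.
define_helper() {
    [ $# -ge 4 ] || { echo "usage: define_helper NAME MODULE FAMILY PORT..." >&2; return 2; }
    name="$1"; module="$2"; family="$3"
    shift 3
    valid_helper_name "$name" || { echo "invalid helper name: $name" >&2; return 2; }
    case "$family" in
        ipv4|ipv6) ;;
        *) echo "family must be ipv4 or ipv6, got: $family" >&2; return 2 ;;
    esac

    "$FWOC" --new-helper="$name" --module="$module" --family="$family" || return 1
    for port in "$@"; do
        "$FWOC" --helper="$name" --add-port="$port" || return 1
    done
    # Confirm every port landed in the helper file.
    for port in "$@"; do
        "$FWOC" --helper="$name" --query-port="$port" || return 1
    done
}

# Usage (hypothetical names; the module must exist in the running kernel):
#   define_helper myproto-ctl nf_conntrack_myproto ipv4 4242/tcp
#   firewall-offline-cmd --info-helper=myproto-ctl
```

Attach the helper to a service afterwards with --service=service --add-helper=myproto-ctl; the helper file alone does nothing until a service that uses it is enabled in a zone.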
959
960 Internet Control Message Protocol (ICMP) type Options
961 --info-icmptype=icmptype
962 Print information about the icmptype icmptype. The output format
963 is:
964
965 icmptype
966 destination: ipv1 ..
967
968
969
970 --new-icmptype=icmptype
971 Add a new permanent icmptype.
972
973 ICMP type names must be alphanumeric and may additionally include the
974 characters '_' and '-'.
975
976 --new-icmptype-from-file=filename [--name=icmptype]
977 Add a new permanent icmptype from a prepared icmptype file with an
978 optional name override.
979
980 --delete-icmptype=icmptype
981 Delete an existing permanent icmptype.
982
983 --icmptype=icmptype --set-description=description
984 Set a new description for the icmptype.
985
986 --icmptype=icmptype --get-description
987 Print the description of the icmptype.
988
989 --icmptype=icmptype --set-short=description
990 Set a short description for the icmptype.
991
992 --icmptype=icmptype --get-short
993 Print the short description of the icmptype.
994
995 --icmptype=icmptype --add-destination=ipv
996 Enable destination for ipv in permanent icmptype. ipv is one of
997 ipv4 or ipv6.
998
999 --icmptype=icmptype --remove-destination=ipv
1000 Disable destination for ipv in permanent icmptype. ipv is one of
1001 ipv4 or ipv6.
1002
1003 --icmptype=icmptype --query-destination=ipv
1004 Return whether destination for ipv is enabled in permanent
1005 icmptype. ipv is one of ipv4 or ipv6.
1006
1007 --icmptype=icmptype --get-destinations
1008 List destinations in permanent icmptype.
1009
1010 --path-icmptype=icmptype
1011 Print path of the icmptype configuration file.
1012
1013 Direct Options
1014 DEPRECATED
1015 The direct interface has been deprecated. It will be removed in a
1016 future release. It is superseded by policies, see
1017 firewalld.policies(5).
1018
1019 The direct options give a more direct access to the firewall. These
1020 options require the user to know basic iptables concepts, i.e. table
1021 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
1022 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
1023 (ACCEPT/DROP/REJECT/...).
1024
1025 Direct options should be used only as a last resort when it's not
1026 possible to use for example --add-service=service or
1027 --add-rich-rule='rule'.
1028
1029 Warning: Direct rules behavior is different depending on the value of
1030 FirewallBackend. See CAVEATS in firewalld.direct(5).
1031
1032 The first argument of each option has to be ipv4 or ipv6 or eb. With
1033 ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1034 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1035
1036 --direct --get-all-chains
1037 Get all chains added to all tables.
1038
1039 This option concerns only chains previously added with --direct
1040 --add-chain.
1041
1042 --direct --get-chains { ipv4 | ipv6 | eb } table
1043 Get all chains added to table table as a space separated list.
1044
1045 This option concerns only chains previously added with --direct
1046 --add-chain.
1047
1048 --direct --add-chain { ipv4 | ipv6 | eb } table chain
1049 Add a new chain with name chain to table table.
1050
1051 There already exist basic chains to use with direct options, for
1052 example INPUT_direct chain (see iptables-save | grep direct output
1053 for all of them). These chains are jumped into before chains for
1054 zones, i.e. every rule put into INPUT_direct will be checked before
1055 rules in zones.
1056
1057 --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1058 Remove the chain with name chain from table table.
1059
1060 --direct --query-chain { ipv4 | ipv6 | eb } table chain
1061 Return whether a chain with name chain exists in table table.
1062 Returns 0 if true, 1 otherwise.
1063
1064 This option concerns only chains previously added with --direct
1065 --add-chain.
1066
1067 --direct --get-all-rules
1068 Get all rules added to all chains in all tables as a newline
1069 separated list of the priority and arguments.
1070
1071 --direct --get-rules { ipv4 | ipv6 | eb } table chain
1072 Get all rules added to chain chain in table table as a newline
1073 separated list of the priority and arguments.
1074
1075 --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
1076 Add a rule with the arguments args to chain chain in table table
1077 with priority priority.
1078
1079 The priority is used to order rules. Priority 0 puts the rule at the
1080 top of the chain; the higher the priority value, the further down the
1081 rule is placed. Rules with the same priority are on the same level
1082 and the order of these rules is not fixed and may change. If you
1083 want to make sure that a rule will be added after another one, use
1084 a lower priority for the first and a higher one for the following.
1085
1086 --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
1087 Remove a rule with priority and the arguments args from chain chain
1088 in table table.
1089
1090 --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1091 Remove all rules from the chain with name chain in table table.
1093
1094 This option concerns only rules previously added with --direct
1095 --add-rule in this chain.
1096
1097 --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
1098 Return whether a rule with priority and the arguments args exists
1099 in chain chain in table table. Returns 0 if true, 1 otherwise.
1100
1101 --direct --get-all-passthroughs
1102 Get all permanent passthrough rules as a newline separated list of
1103 the ipv value and arguments.
1104
1105 --direct --get-passthroughs { ipv4 | ipv6 | eb }
1106 Get all permanent passthrough rules for the ipv value as a newline
1107 separated list of the arguments.
1108
1109 --direct --add-passthrough { ipv4 | ipv6 | eb } args
1110 Add a permanent passthrough rule with the arguments args for the
1111 ipv value.
1112
1113 --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1114 Remove a permanent passthrough rule with the arguments args for the
1115 ipv value.
1116
1117 --direct --query-passthrough { ipv4 | ipv6 | eb } args
1118 Return whether a permanent passthrough rule with the arguments args
1119 exists for the ipv value. Returns 0 if true, 1 otherwise.
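
As an added example, not from this manual page or the firewalld project, the following POSIX shell script shows the priority rule above in practice: two direct rules that must be evaluated in a fixed order get distinct priorities, and add, query and remove are driven through one function so the arguments stay byte-identical (remove and query only match a rule whose priority and arguments are exactly those that were added). The direct interface is deprecated, so this is a last resort for something a service or rich rule cannot express. The source prefix 198.51.100.0/24 is a documentation range used for the example; rules are added to the built-in INPUT chain, which firewalld serves from INPUT_direct ahead of the zone chains. FWOC exists only so the script can be dry-run against a function that echoes its arguments.

```shell
#!/bin/sh
# Added example, not firewalld project code: manage direct rules with
# explicit priorities so that their order is deterministic. FWOC names the
# client; override it to dry-run.
FWOC="${FWOC:-firewall-offline-cmd}"

# direct_rule ACTION IPV TABLE CHAIN PRIORITY ARGS...
# ACTION is add, remove or query. Keep ARGS byte-identical across the three,
# because --remove-rule and --query-rule match on priority and arguments.
direct_rule() {
    [ $# -ge 5 ] || return 2
    action="$1"; ipv="$2"; table="$3"; chain="$4"; prio="$5"
    case "$action" in add|remove|query) ;; *) return 2 ;; esac
    shift 5
    "$FWOC" --direct "--${action}-rule" "$ipv" "$table" "$chain" "$prio" "$@"
}

# ssh_block_rules ACTION SRC
# Log, then drop, SSH from SRC. The LOG rule gets priority 0 and the DROP
# rule priority 1: with equal priorities their relative order would be
# undefined and the log line could silently never be produced.
ssh_block_rules() {
    act="$1"; src="$2"
    direct_rule "$act" ipv4 filter INPUT 0 -s "$src" -p tcp --dport 22 \
        -j LOG --log-prefix direct-ssh: &&
    direct_rule "$act" ipv4 filter INPUT 1 -s "$src" -p tcp --dport 22 -j DROP
}

# Usage (198.51.100.0/24 is a documentation prefix used for the example):
#   ssh_block_rules add 198.51.100.0/24 && ssh_block_rules query 198.51.100.0/24
#   ssh_block_rules remove 198.51.100.0/24
```

After applying, compare --direct --get-rules ipv4 filter INPUT with what the script added: the listing shows priority and arguments, which is exactly what a later --remove-rule has to reproduce.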
1120
1121 Lockdown Options
1122 Local applications or services are able to change the firewall
1123 configuration if they are running as root (example: libvirt) or are
1124 authenticated using PolicyKit. With this feature administrators can
1125 lock the firewall configuration so that only applications on the
1126 lockdown whitelist are able to request firewall changes.
1127
1128 The lockdown access check limits D-Bus methods that are changing
1129 firewall rules. Query, list and get methods are not limited.
1130
1131 The lockdown feature is a very light version of user and application
1132 policies for firewalld and is turned off by default.
1133
1134 --lockdown-on
1135 Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
1136 whitelist when you enable lockdown, you will not be able to disable
1137 it again with firewall-cmd; you would need to edit firewalld.conf.
1138
1139 --lockdown-off
1140 Disable lockdown.
1141
1142 --query-lockdown
1143 Query whether lockdown is enabled. Returns 0 if lockdown is
1144 enabled, 1 otherwise.
1145
1146 Lockdown Whitelist Options
1147 The lockdown whitelist can contain commands, contexts, users and user
1148 ids.
1149
1150 If a command entry on the whitelist ends with an asterisk '*', then all
1151 command lines starting with the text before the '*' will match. If
1152 there is no '*', the absolute command, including its arguments, must
1153 match exactly.
1154
1155 The command path is not always the same for root and for other users.
1156 Example: on Fedora, /bin/firewall-cmd is used as root and
1157 /usr/bin/firewall-cmd as a normal user.
1157
1158 The context is the security (SELinux) context of a running application
1159 or service. To get the context of a running application use ps -e
1160 --context.
1161
1162 Warning: If the context is unconfined, then this will open access to
1163 more than the desired application.
1164
1165 The lockdown whitelist entries are checked in the following order:
1166 1. context
1167 2. uid
1168 3. user
1169 4. command
1170
1171 --list-lockdown-whitelist-commands
1172 List all command lines that are on the whitelist.
1173
1174 --add-lockdown-whitelist-command=command
1175 Add the command to the whitelist.
1176
1177 --remove-lockdown-whitelist-command=command
1178 Remove the command from the whitelist.
1179
1180 --query-lockdown-whitelist-command=command
1181 Query whether the command is on the whitelist. Returns 0 if true, 1
1182 otherwise.
1183
1184 --list-lockdown-whitelist-contexts
1185 List all contexts that are on the whitelist.
1186
1187 --add-lockdown-whitelist-context=context
1188 Add the context context to the whitelist.
1189
1190 --remove-lockdown-whitelist-context=context
1191 Remove the context from the whitelist.
1192
1193 --query-lockdown-whitelist-context=context
1194 Query whether the context is on the whitelist. Returns 0 if true, 1
1195 otherwise.
1196
1197 --list-lockdown-whitelist-uids
1198 List all user ids that are on the whitelist.
1199
1200 --add-lockdown-whitelist-uid=uid
1201 Add the user id uid to the whitelist.
1202
1203 --remove-lockdown-whitelist-uid=uid
1204 Remove the user id uid from the whitelist.
1205
1206 --query-lockdown-whitelist-uid=uid
1207 Query whether the user id uid is on the whitelist. Returns 0 if
1208 true, 1 otherwise.
1209
1210 --list-lockdown-whitelist-users
1211 List all user names that are on the whitelist.
1212
1213 --add-lockdown-whitelist-user=user
1214 Add the user name user to the whitelist.
1215
1216 --remove-lockdown-whitelist-user=user
1217 Remove the user name user from the whitelist.
1218
1219 --query-lockdown-whitelist-user=user
1220 Query whether the user name user is on the whitelist. Returns 0 if
1221 true, 1 otherwise.
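
As an added example, not from this manual page or the firewalld project, the following POSIX shell script does two things with the lockdown options above: it re-implements the command matching rule (a trailing '*' matches by prefix, anything else must equal the full command line) so a whitelist entry can be reasoned about before it is committed, and it turns lockdown on only after the client command has been whitelisted and the query confirms it, which is the precondition the --lockdown-on warning is about. The whitelist entries and command lines in the usage and tests are constructed; /usr/bin/firewall-cmd-evil is a made-up name that only illustrates how far a prefix entry reaches. FWOC exists only so the script can be dry-run against a function that echoes its arguments.

```shell
#!/bin/sh
# Added example, not firewalld project code: a local re-implementation of
# the whitelist command matching rule plus a guarded way to enable lockdown.
FWOC="${FWOC:-firewall-offline-cmd}"

# whitelist_matches CMDLINE ENTRY...
# ENTRY values are whitelist command entries as listed by
# --list-lockdown-whitelist-commands. An entry ending in '*' matches every
# command line that starts with the text before the '*'; any other entry
# must equal the complete command line, arguments included.
whitelist_matches() {
    cmdline="$1"
    shift
    for entry in "$@"; do
        case "$entry" in
            *\*)
                prefix="${entry%\*}"
                case "$cmdline" in "$prefix"*) return 0 ;; esac
                ;;
            *)
                [ "$cmdline" = "$entry" ] && return 0
                ;;
        esac
    done
    return 1
}

# enable_lockdown_safely ENTRY
# Whitelist ENTRY and confirm it is on the list before enabling lockdown.
# Without a whitelisted firewall-cmd, lockdown can only be undone by editing
# firewalld.conf. Use the path the client is actually invoked with; it may
# differ between root and unprivileged users.
enable_lockdown_safely() {
    entry="$1"
    "$FWOC" --add-lockdown-whitelist-command="$entry" || return 1
    "$FWOC" --query-lockdown-whitelist-command="$entry" || {
        echo "refusing to enable lockdown: '$entry' is not on the whitelist" >&2
        return 1
    }
    "$FWOC" --lockdown-on && "$FWOC" --query-lockdown
}

# Usage. A '*' directly after the binary name also matches other binaries
# that share the prefix (/usr/bin/firewall-cmd* covers a hypothetical
# /usr/bin/firewall-cmd-evil), so put a space before it to match only the
# arguments of that one program:
#   enable_lockdown_safely '/usr/bin/firewall-cmd *'
```

An entry of the form '/usr/bin/firewall-cmd *' does not match an invocation without any argument; add the exact path as a second entry if that is needed. Lockdown is enforced in the daemon's D-Bus access check, so firewall-offline-cmd, which edits the configuration files directly, is not itself blocked by it.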
1222
1223 Policy Options
1224 --policy-server
1225 Change Polkit actions to 'server' (more restricted)
1226
1227 --policy-desktop
1228 Change Polkit actions to 'desktop' (less restricted)
1229
1230 SEE ALSO
1231 firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1232 firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1233 firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
1234 firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1235 firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
1236 firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
1237
1238 NOTES
1239 firewalld home page:
1240 http://firewalld.org
1241
1242 More documentation with examples:
1243 http://fedoraproject.org/wiki/FirewallD
1244
1245 AUTHORS
1246 Thomas Woerner <twoerner@redhat.com>
1247 Developer
1248
1249 Jiri Popelka <jpopelka@redhat.com>
1250 Developer
1251
1252 Eric Garver <eric@garver.life>
1253 Developer
1254
1255
1256
1257firewalld 2.0.2 FIREWALL-OFFLINE-C(1)