FIREWALLD.CONF(5)               firewalld.conf               FIREWALLD.CONF(5)

NAME

       firewalld.conf - firewalld configuration file

SYNOPSIS

       /etc/firewalld/firewalld.conf

DESCRIPTION

       firewalld.conf is loaded by firewalld during the initialization
       process. The file contains the basic configuration options for
       firewalld.

OPTIONS

       These are the options that can be set in the config file:

       DefaultZone
           This sets the default zone for connections or interfaces if the
           zone is not selected or specified by NetworkManager, initscripts or
           a command line tool. The default zone is public.

       MinimalMark
           Deprecated. This option is ignored and no longer used. Marks are no
           longer used internally.

       CleanupModulesOnExit
           Setting this option to yes or true unloads all firewall-related
           kernel modules when firewalld is stopped. The default value is no
           or false.

       CleanupOnExit
           If firewalld stops, it cleans up all firewall rules. Setting this
           option to no or false leaves the current firewall rules untouched.
           The default value is yes or true.

       Lockdown
           If this option is enabled, firewall changes with the D-Bus
           interface will be limited to applications that are listed in the
           lockdown whitelist (see firewalld.lockdown-whitelist(5)). The
           default value is no or false.

       IPv6_rpfilter
           If this option is enabled (it is by default), a reverse path filter
           test is performed on IPv6 packets. If a reply to the packet would
           be sent via the same interface that the packet arrived on, the
           packet will match and be accepted; otherwise it is dropped. For
           IPv4, rp_filter is controlled using sysctl.

           Note: This feature has a performance impact. In most cases the
           impact is not enough to cause a noticeable difference. It requires
           route lookups and its execution occurs before the established
           connections fast path. As such it can have a significant
           performance impact if there is a lot of traffic. It is enabled by
           default for security, but can be disabled if performance is a
           concern.

       IndividualCalls
           If this option is disabled (it is by default), combined -restore
           calls are used and not individual calls to apply changes to the
           firewall. The use of individual calls increases the time that is
           needed to apply changes and to start the daemon, but is good for
           debugging as error messages are more specific.

       LogDenied
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

       AutomaticHelpers
           Deprecated. This option is ignored and no longer used.

       FirewallBackend
           Selects the firewall backend implementation. Possible values are:
           nftables (default) or iptables. This applies to all firewalld
           primitives. The only exception is direct and passthrough rules,
           which always use the traditional iptables, ip6tables, and ebtables
           backends.

           Note: The iptables backend is deprecated. It will be removed in a
           future release.

       FlushAllOnReload
           Flush all runtime rules on a reload. In previous releases some
           runtime configuration was retained during a reload, namely:
           interface to zone assignment and direct rules. This was confusing
           to users. To get the old behavior set this to "no". Defaults to
           "yes".

       RFC3964_IPv4
           As per RFC 3964, filter IPv6 traffic with 6to4 destination
           addresses that correspond to IPv4 addresses that should not be
           routed over the public internet. Defaults to "yes".

       AllowZoneDrifting
           Deprecated. This option is ignored and no longer used.

       NftablesFlowtable
           This may improve forwarded traffic throughput by enabling nftables
           flowtable. It is a software fastpath and avoids calling nftables
           rule evaluation for data packets. Its value is a space-separated
           list of interfaces. Example value "eth0 eth1". Defaults to "off".

       NftablesCounters
           If set to yes, add a counter to every nftables rule. This is useful
           for debugging and comes with a small performance cost. Defaults to
           "no".
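
       Added example (not part of the firewalld manual or code base): a small
       Python audit that reads firewalld.conf text, applies the defaults
       documented above, and reports deprecated options and weakened settings.
       It assumes Key=value lines with # comments; which settings are flagged
       is this example's choice, and SAMPLE is constructed input.

```python
DEFAULTS = {  # defaults as stated in OPTIONS; the flagged set is this example's choice
    "Lockdown": "no", "IPv6_rpfilter": "yes", "LogDenied": "off",
    "FirewallBackend": "nftables", "RFC3964_IPv4": "yes",
}
DEPRECATED = {"MinimalMark", "AutomaticHelpers", "AllowZoneDrifting"}
TRUE, FALSE = {"yes", "true"}, {"no", "false"}

def parse(text):
    """Return {option: value}; assumes 'Key=value' lines and '#' comments."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        opts[key.strip()] = value.strip()
    return opts

def audit(text):
    """Return sorted (option, message) findings for the given config text."""
    seen = parse(text)
    eff = {**DEFAULTS, **{k: v for k, v in seen.items() if k in DEFAULTS}}
    low = {k: v.lower() for k, v in eff.items()}
    findings = [(k, "deprecated; ignored by firewalld") for k in seen if k in DEPRECATED]
    if low["IPv6_rpfilter"] in FALSE:
        findings.append(("IPv6_rpfilter", "IPv6 reverse path filter disabled"))
    if low["RFC3964_IPv4"] in FALSE:
        findings.append(("RFC3964_IPv4", "6to4 destination filtering disabled"))
    if low["Lockdown"] not in TRUE:
        findings.append(("Lockdown", "D-Bus changes not limited to the lockdown whitelist"))
    if low["LogDenied"] == "off":
        findings.append(("LogDenied", "rejected and dropped packets are not logged"))
    if low["FirewallBackend"] == "iptables":
        findings.append(("FirewallBackend", "iptables backend is deprecated"))
    return sorted(findings)

# Constructed sample file, not taken from a real host.
SAMPLE = """\
# firewalld config file
DefaultZone=public
IPv6_rpfilter=no
LogDenied=unicast
FirewallBackend=iptables
AllowZoneDrifting=yes
"""

if __name__ == "__main__":
    for option, message in audit(SAMPLE):
        print(f"{option}: {message}")
```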

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)

NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 2.0.2                                              FIREWALLD.CONF(5)