Arch Linux - Setting up and using a packet filter based on firewalld and nftables
Firewalls are used to protect a single host, the hosts of a security zone, or entire IT networks against unwanted network access. A firewall lets administrators or users control the network traffic reaching a host by defining a set of firewall rules. These rule sets classify inbound and/or outbound or transit traffic and either block or permit it, and can also log it.
firewalld is the standard firewall management tool of modern Linux distributions, above all in the Fedora family; it provides a dynamically adjustable, host-based firewall with a D-Bus interface. Because firewalld is built and operated dynamically, rules can be created, changed and deleted without restarting the firewall daemon for every rule change, so existing network connections survive rule changes without interruption. (A plain firewall-cmd --reload keeps the connection-tracking state; only --complete-reload flushes it and will most likely terminate active connections.) As before with CentOS from release 7 onward and its successor CentOS Stream, the upstream development branch of RHEL, we also use this dynamic firewalld service on Arch Linux. firewalld's default backend is nftables (FirewallBackend=nftables in /etc/firewalld/firewalld.conf), which is what the Arch package uses as well, so the rule set it generates can be inspected at any time with nft list ruleset.
firewalld works with the concepts of zones, services and policies, which together simplify traffic management considerably. A zone is a predefined rule set to which network interfaces and sources (addresses or networks, MAC addresses, ipsets) can be assigned. Which traffic is permitted depends on the network the node is connected to and on the trust level assigned to that network. Firewall services are predefined rules covering all settings needed to allow inbound traffic for a particular service; they apply within a zone. firewalld additionally supports so-called policies. A policy is very flexible and describes traffic flows of any kind between zones, including the HOST pseudo-zone for traffic originating from the host itself. Especially on border filters that protect individual security zones, describing the traffic directions with a policy makes the configuration considerably simpler.
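The safe way to work with the runtime/permanent split is to change only the runtime configuration, check it, and persist it with --runtime-to-permanent only once the checks pass; if anything fails, --reload restores the last saved configuration. The following script, an added example and not part of the original page or of the firewalld project, does exactly that for a typical hardening step: it binds the uplink to a zone, restricts SSH to a management network with a rich rule and then removes the blanket ssh service. The zone public, the interface eth0 and the network 203.0.113.0/24 are assumptions; the FW variable exists only so the functions can be driven by a stub instead of the real daemon.

```shell
#!/bin/sh
# Added example (not from the original page or the firewalld project): the
# "change at runtime, verify, then commit" workflow that firewall-cmd(1)
# describes under --runtime-to-permanent.  Every change below is made without
# --permanent, so a single 'firewall-cmd --reload' throws all of it away and
# restores the last saved configuration if a check fails.  Zone, uplink
# interface and management network are assumptions for the example.

FW="${FW:-firewall-cmd}"                     # overridable so a stub can drive the functions
ZONE="${ZONE:-public}"                       # assumed: zone the uplink should live in
UPLINK="${UPLINK:-eth0}"                     # assumed uplink interface
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"     # assumed management network (RFC 5737)
SSH_RULE="rule family=ipv4 source address=$ADMIN_NET service name=ssh accept"

# Runtime-only hardening: bind the uplink to $ZONE, accept SSH from the
# management network via a rich rule, then drop the blanket 'ssh' service.
apply_runtime() {
    $FW --zone="$ZONE" --change-interface="$UPLINK" >/dev/null || return 1
    $FW --zone="$ZONE" --add-rich-rule="$SSH_RULE"  >/dev/null || return 1
    $FW --zone="$ZONE" --remove-service=ssh         >/dev/null || return 1
}

# Check the live state with the --query-* options (exit 0 = present, 1 = absent).
verify_runtime() {
    $FW --zone="$ZONE" --query-interface="$UPLINK" >/dev/null || return 1
    $FW --zone="$ZONE" --query-rich-rule="$SSH_RULE" >/dev/null || return 1
    # The unrestricted ssh service must be gone; a still-present service means
    # the zone is more open than intended.
    if $FW --zone="$ZONE" --query-service=ssh >/dev/null; then
        return 1
    fi
    return 0
}

# Apply, verify, commit.  Returns 0 if the change was written to the permanent
# configuration, 1 if it was rolled back, 2 if firewalld is not running.
change_verify_commit() {
    $FW --state >/dev/null 2>&1 || { echo "firewalld is not running" >&2; return 2; }
    if apply_runtime && verify_runtime; then
        $FW --runtime-to-permanent >/dev/null && return 0
    fi
    echo "check failed, restoring permanent configuration with --reload" >&2
    $FW --reload >/dev/null
    return 1
}

# Only talk to the daemon when firewall-cmd is present; otherwise the functions
# are merely defined (e.g. when the file is sourced for testing with a stub).
if command -v firewall-cmd >/dev/null 2>&1; then
    change_verify_commit
else
    echo "firewall-cmd not found: nothing applied" >&2
fi
```

The queries only confirm firewalld's own view of the rule set; before trusting the result, open a fresh SSH session from inside and from outside ADMIN_NET (the session you are working from survives because firewalld accepts established connections). As an additional safeguard against locking yourself out, the rich rule can first be added with --timeout=10m, which firewalld removes automatically when the time is up.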
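Zones only filter when an interface or a source is bound to them, so an audit has to look at the active zones and compare what they expose against what was intended. The script below, again an added example rather than code from the page or from the firewalld project, parses the text printed by firewall-cmd --list-all-zones (the format that firewall-cmd(1) documents) and reports, per active zone, services and ports outside an allow-list, a zone target of ACCEPT, and enabled masquerading. The allow-list and the embedded sample output are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page or the firewalld project): a small
# audit that parses the text printed by 'firewall-cmd --list-all-zones' and
# reports, for every active zone, anything outside an allow-list: services or
# ports not on the list, a zone target of ACCEPT, and masquerading.  Inactive
# zones (no interface or source bound) are skipped because they filter nothing.
# The allow-list and the embedded sample output are constructed for the example.

# audit_zones ALLOWED_SERVICES ALLOWED_PORTS  (space separated lists)
# reads --list-all-zones text on stdin, prints "zone<TAB>kind<TAB>item" per finding
audit_zones() {
    awk -v allowed_services="$1" -v allowed_ports="$2" '
    BEGIN {
        n = split(allowed_services, a, " "); for (i = 1; i <= n; i++) ok_svc[a[i]] = 1
        n = split(allowed_ports, a, " ");    for (i = 1; i <= n; i++) ok_port[a[i]] = 1
    }
    # Zone header: non-indented line such as "public (default, active)" or "drop".
    /^[A-Za-z0-9_-]/ {
        zone = $1
        active[zone] = ($0 ~ /\(.*active\)$/)
        next
    }
    $1 == "target:"     { target[zone] = $2; next }
    $1 == "masquerade:" { masq[zone] = $2; next }
    $1 == "services:"   { for (i = 2; i <= NF; i++) svc[zone, $i] = 1; next }
    $1 == "ports:"      { for (i = 2; i <= NF; i++) port[zone, $i] = 1; next }
    END {
        for (z in active) {
            if (!active[z]) continue
            if (target[z] == "ACCEPT") print z "\ttarget\tACCEPT"
            if (masq[z] == "yes")      print z "\tmasquerade\tyes"
            for (k in svc)  { split(k, p, SUBSEP); if (p[1] == z && !(p[2] in ok_svc))  print z "\tservice\t" p[2] }
            for (k in port) { split(k, p, SUBSEP); if (p[1] == z && !(p[2] in ok_port)) print z "\tport\t" p[2] }
        }
    }' | LC_ALL=C sort
}

# Constructed sample in the --list-all-zones format (not captured from a real host).
sample_list_all_zones() {
    cat <<'EOF'
drop
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources:
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

public (default, active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client http ssh
  ports: 8443/tcp
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 10.0.0.0/8
  services:
  ports:
  protocols:
  forward: yes
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Audit the constructed sample; arguments default to the allow-list used below.
audit_sample() {
    sample_list_all_zones | audit_zones "${1:-ssh dhcpv6-client}" "${2:-}"
}

# Audit the running daemon; exit 1 when there is at least one finding.
audit_live() {
    findings=$(firewall-cmd --list-all-zones | audit_zones "${1:-ssh dhcpv6-client}" "${2:-}")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if command -v firewall-cmd >/dev/null 2>&1; then
    audit_live
else
    audit_sample
fi
```

On the sample the audit reports the http service and the 8443/tcp port in public and the ACCEPT target of trusted, while the unbound drop zone produces nothing. Rich rules and forward ports are not evaluated here; a complete audit would have to parse those multi-line entries as well.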
Documentation
Plenty of helpful information on setting up and using firewalld is available on the Red Hat documentation pages and on the firewalld project site (http://firewalld.org).
Man pages
firewalld
What firewalld offers and which options the daemon accepts on invocation is shown by the program's man page:
# man firewalld
FIREWALLD(1) firewalld FIREWALLD(1)
NAME
firewalld - Dynamic Firewall Manager
SYNOPSIS
firewalld [OPTIONS...]
DESCRIPTION
firewalld provides a dynamically managed firewall with support for network/firewall zones to define the
trust level of network connections or interfaces. It has support for IPv4, IPv6 firewall settings and
for ethernet bridges and has a separation of runtime and permanent configuration options. It also sup‐
ports an interface for services or applications to add firewall rules directly.
OPTIONS
These are the command line options of firewalld:
-h, --help
Prints a short help text and exits.
--default-config
Path to firewalld default configuration. This usually defaults to /usr/lib/firewalld.
--debug[=level]
Set the debug level for firewalld to level. The range of the debug level is 1 (lowest level) to 10
(highest level). The debug output will be written to the firewalld log file specified by --log-file.
--debug-gc
Print garbage collector leak information. The collector runs every 10 seconds and if there are
leaks, it prints information about the leaks.
--log-target
Define the output target to which log messages are written. In mixed mode, Firewalld writes
info-level log messages to syslog. Debug messages are written to a file (see the --log-file parame‐
ter). Info messages also go to stdout and stderr. The syslog, file or console modes write all mes‐
sages to the one configured target only.
--log-file
Define the file where debug messages are written to. The default file is /var/log/firewalld.
--nofork
Turn off daemon forking. Force firewalld to run as a foreground process instead of as a daemon in
the background.
--nopid
Disable writing pid file. By default the program will write a pid file. If the program is invoked
with this option it will not check for an existing server process.
--system-config
Path to firewalld system (user) configuration. This usually defaults to /etc/firewalld.
CONCEPTS
firewalld has a D-Bus interface for firewall configuration of services and applications. It also has a
command line client for the user. Services or applications already using D-Bus can request changes to
the firewall with the D-Bus interface directly. For more information on the firewalld D-Bus interface,
please have a look at firewalld.dbus(5).
firewalld provides support for zones, predefined services and ICMP types and has a separation of runtime
and permanent configuration options. Permanent configuration is loaded from XML files in /usr/lib/fire‐
walld (--default-config) or /etc/firewalld (--system-config) (see the section called “DIRECTORIES”).
If NetworkManager is not in use and firewalld gets started after the network is already up, the connec‐
tions and manually created interfaces are not bound to the zone specified in the ifcfg file. The inter‐
faces will automatically be handled by the default zone. firewalld will also not get notified about net‐
work device renames. All this also applies to interfaces that are not controlled by NetworkManager if
NM_CONTROLLED=no is set.
You can add these interfaces to a zone with firewall-cmd [--permanent] --zone=zone --add-interface=in‐
terface. If there is a /etc/sysconfig/network-scripts/ifcfg-interface file, firewalld tries to change
the ZONE=zone setting in this file.
If firewalld gets reloaded, it will restore the interface bindings that were in place before reloading
to keep interface bindings stable in the case of NetworkManager uncontrolled interfaces. This mechanism
is not possible in the case of a firewalld service restart.
It is essential to keep the ZONE= setting in the ifcfg file consistent to the binding in firewalld in
the case of NetworkManager uncontrolled interfaces.
Zones
A network or firewall zone defines the trust level of the interface used for a connection. There are
several pre-defined zones provided by firewalld. Zone configuration options and generic information
about zones are described in firewalld.zone(5)
Services
A service can be a list of local ports, protocols and destinations and additionally also a list of fire‐
wall helper modules automatically loaded if a service is enabled. Service configuration options and
generic information about services are described in firewalld.service(5). The use of predefined services
makes it easier for the user to enable and disable access to a service.
ICMP types
The Internet Control Message Protocol (ICMP) is used to exchange information and also error messages in
the Internet Protocol (IP). ICMP types can be used in firewalld to limit the exchange of these messages.
For more information, please have a look at firewalld.icmptype(5).
Runtime configuration
Runtime configuration is the actual active configuration and is not permanent. After reload/restart of
the service or a system reboot, runtime settings will be gone if they haven't been also in permanent
configuration.
Permanent configuration
The permanent configuration is stored in config files and will be loaded and become new runtime configu‐
ration with every machine boot or service reload/restart.
Direct interface
DEPRECATED
The direct interface has been deprecated. It will be removed in a future release. It is superseded
by policies, see firewalld.policies(5).
The direct interface is mainly used by services or applications to add specific firewall rules. It re‐
quires basic knowledge of ip(6)tables concepts (tables, chains, commands, parameters, targets).
DIRECTORIES
firewalld supports two configuration directories:
Default/Fallback configuration in /usr/lib/firewalld (--default-config)
This directory contains the default and fallback configuration provided by firewalld for icmptypes, ser‐
vices and zones. The files provided with the firewalld package should not get changed and the changes
are gone with an update of the firewalld package. Additional icmptypes, services and zones can be pro‐
vided with packages or by creating files.
System configuration settings in /etc/firewalld (--system-config)
The system or user configuration stored here is either created by the system administrator or by cus‐
tomization with the configuration interface of firewalld or by hand. The files will overload the default
configuration files.
To manually change settings of pre-defined icmptypes, zones or services, copy the file from the default
configuration directory to the corresponding directory in the system configuration directory and change
it accordingly.
For more information on icmptypes, please have a look at the firewalld.icmptype(5) man page, for ser‐
vices at firewalld.service(5) and for zones at firewalld.zone(5).
SIGNALS
Currently only SIGHUP is supported.
SIGHUP
Reloads the complete firewall configuration. You can also use firewall-cmd --reload. All runtime config‐
uration settings will be restored. Permanent configuration will change according to options defined in
the configuration files.
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.di‐
rect(5), firewalld.dbus(5), firewalld.icmptype(5), firewall-offline-cmd(1), firewalld.richlanguage(5),
firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.policy(5), firewalld.policies(5),
firewalld.ipset(5), firewalld.helper(5)
NOTES
firewalld home page:
http://firewalld.org
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
Eric Garver <eric@garver.life>
Developer
firewalld 2.4.1 FIREWALLD(1)
firewall-cmd
For administering firewalld, the firewall-cmd command-line client provides an extensive set of options:
# man firewall-cmd
FIREWALL-CMD(1) firewall-cmd FIREWALL-CMD(1)
NAME
firewall-cmd - firewalld command line client
SYNOPSIS
firewall-cmd [OPTIONS...]
DESCRIPTION
firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the
runtime and permanent configurations.
The runtime configuration in firewalld is separated from the permanent configuration. This means that
things can get changed in the runtime or permanent configuration.
OPTIONS
Sequence options are the options that can be specified multiple times, the exit code is 0 if there is at
least one item that succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
errors are treated as succeeded. If there are issues while parsing the items, then these are treated as
warnings and will not change the result as long as there is a succeeded one. Without any succeeded item,
the exit code will depend on the error codes. If there is exactly one error code, then this is used. If
there are more than one then UNKNOWN_ERROR (254) will be used.
The following options are supported:
General Options
-h, --help
Prints a short help text and exits.
-V, --version
Print the version string of firewalld. This option is not combinable with other options.
-q, --quiet
Do not print status messages.
Status Options
--state
Check whether the firewalld daemon is active (i.e. running). Returns an exit code 0 if it is active,
RUNNING_BUT_FAILED if failure occurred on startup, NOT_RUNNING otherwise. See the section called
“EXIT CODES”. This will also print the state to STDOUT.
--reload
Reload firewall rules and keep state information. Current permanent configuration will become new
runtime configuration, i.e. all runtime only changes done until reload are lost with reload if they
have not been also in permanent configuration.
Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not affected and
will therefore stay in place until firewalld daemon is restarted completely. For FlushAllOnReload,
see firewalld.conf(5).
--complete-reload
Reload firewall completely, even netfilter kernel modules. This will most likely terminate active
connections, because state information is lost. This option should only be used in case of severe
firewall problems. For example if there are state information problems that no connection can be es‐
tablished with correct firewall rules.
Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not affected and
will therefore stay in place until firewalld daemon is restarted completely. For FlushAllOnReload,
see firewalld.conf(5).
--runtime-to-permanent
Save active runtime configuration and overwrite permanent configuration with it. The way this is
supposed to work is that when configuring firewalld you do runtime changes only and once you're
happy with the configuration and you tested that it works the way you want, you save the configura‐
tion to disk.
--check-config
Run checks on the permanent configuration. This includes XML validity and semantics.
--reset-to-defaults
Reset configuration to firewalld's default configuration.
Log Denied Options
--get-log-denied
Print the log denied setting.
--set-log-denied=value
Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the
default rules and also final reject and drop rules in zones for the configured link-layer packet
type. The possible values are: all, unicast, broadcast, multicast and off. The default setting is
off, which disables the logging.
This is a runtime and permanent change and will also reload the firewall to be able to add the log‐
ging rules.
Permanent Options
--permanent
The permanent option --permanent can be used to set options permanently. These changes are not ef‐
fective immediately, only after service restart/reload or system reboot. Without the --permanent op‐
tion, a change will only be part of the runtime configuration.
If you want to make a change in runtime and permanent configuration, use the same call with and
without the --permanent option.
The --permanent option can be optionally added to all options further down where it is supported.
Zone Options
--get-default-zone
Print default zone for connections and interfaces.
--set-default-zone=zone
Set default zone for connections and interfaces where no zone has been selected. Setting the default
zone changes the zone for the connections or interfaces, that are using the default zone.
This is a runtime and permanent change.
--get-active-zones
Print currently active zones altogether with interfaces and sources used in these zones. Active
zones are zones, that have a binding to an interface or source. The output format is:
zone1
interfaces: interface1 interface2 ..
sources: source1 ..
zone2
interfaces: interface3 ..
zone3
sources: source2 ..
If there are no interfaces or sources bound to the zone, the corresponding line will be omitted.
[--permanent] --get-zones
Print predefined zones as a space separated list.
[--permanent] --get-services
Print predefined services as a space separated list.
[--permanent] --get-icmptypes
Print predefined icmptypes as a space separated list.
[--permanent] --get-zone-of-interface=interface
Print the name of the zone the interface is bound to or no zone.
[--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
Print the name of the zone the source is bound to or no zone.
[--permanent] --info-zone=zone
Print information about the zone zone. The output format is:
zone
interfaces: interface1 ..
sources: source1 ..
services: service1 ..
ports: port1 ..
protocols: protocol1 ..
forward-ports:
forward-port1
..
source-ports: source-port1 ..
icmp-blocks: icmp-type1 ..
rich rules:
rich-rule1
..
[--permanent] --list-all-zones
List everything added for or enabled in all zones. The output format is:
zone1
interfaces: interface1 ..
sources: source1 ..
services: service1 ..
ports: port1 ..
protocols: protocol1 ..
forward-ports:
forward-port1
..
icmp-blocks: icmp-type1 ..
rich rules:
rich-rule1
..
..
--permanent --new-zone=zone
Add a new permanent and empty zone.
Zone names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-zone-from-file=filename [--name=zone]
Add a new permanent zone from a prepared zone file with an optional name override.
--permanent --delete-zone=zone
Delete an existing permanent zone.
--permanent --load-zone-defaults=zone
Load zone default settings or report NO_DEFAULTS error.
--permanent --path-zone=zone
Print path of the zone configuration file.
Policy Options
[--permanent] --get-policies
Print predefined policies as a space separated list.
[--permanent] --info-policy=policy
Print information about the policy policy.
[--permanent] --list-all-policies
List everything added for or enabled in all policies.
--permanent --new-policy=policy
Add a new permanent policy.
Policy names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-policy-from-file=filename [--name=policy]
Add a new permanent policy from a prepared policy file with an optional name override.
--permanent --path-policy=policy
Print path of the policy configuration file.
--permanent --delete-policy=policy
Delete an existing permanent policy.
--permanent --load-policy-defaults=policy
Load the shipped defaults for a policy. Only applies to policies shipped with firewalld. Does not
apply to user defined policies.
Options to Adapt and Query Zones and Policies
Options in this section affect only one particular zone or policy. If used with --zone=zone or --pol‐
icy=policy option, they affect the specified zone or policy. If both options are omitted, they affect
the default zone (see --get-default-zone).
[--permanent] [--zone=zone] [--policy=policy] --list-all
List everything added or enabled.
--permanent [--zone=zone] [--policy=policy] --get-target
Get the target.
--permanent [--zone=zone] [--policy=policy] --set-target=target
Set the target.
For zones target is one of: default, ACCEPT, DROP, REJECT
For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT
default is similar to REJECT, but it implicitly allows ICMP packets.
ACCEPT allows traffic to be forwarded from the zone, either to the same zone or other zones.
--permanent [--zone=zone] [--policy=policy] --set-description=description
Set description.
--permanent [--zone=zone] [--policy=policy] --get-description
Print description.
--permanent [--zone=zone] [--policy=policy] --set-short=description
Set short description.
--permanent [--zone=zone] [--policy=policy] --get-short
Print short description.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-services
List services added as a space separated list.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-service=service [--timeout=timeval]
Add a service. This option can be specified multiple times. If a timeout is supplied, the rule will
be active for the specified amount of time and will be removed automatically afterwards. timeval is
either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h
(hours), for example 20m or 1h.
The service is one of the firewalld provided services. To get a list of the supported services, use
firewall-cmd --get-services.
The --timeout option is not combinable with the --permanent option.
Note: Some services define connection tracking helpers. Helpers that may operate in client mode
(e.g. tftp) must be added to an outbound policy instead of a zone to take effect for clients. Other‐
wise the helper will not be applied to the outbound traffic. The related traffic, as defined by the
connection tracking helper, on the return path (ingress) will be allowed by the stateful firewall
rules.
An example of an outbound policy for connection tracking helpers:
# firewall-cmd --permanent --new-policy clientConntrack
# firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
# firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
# firewall-cmd --permanent --policy clientConntrack --add-service tftp
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-service=service
Remove a service. This option can be specified multiple times.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-service=service
Return whether service has been added. Returns 0 if true, 1 otherwise.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-ports
List ports added as a space separated list. A port is of the form portid[-portid]/protocol, it can
be either a port and protocol pair or a port range with a protocol.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-port=portid[-portid]/protocol [--time‐
out=timeval]
Add the port. This option can be specified multiple times. If a timeout is supplied, the rule will
be active for the specified amount of time and will be removed automatically afterwards. timeval is
either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h
(hours), for example 20m or 1h.
The port can either be a single port number or a port range portid-portid. The protocol can either
be tcp, udp, sctp or dccp.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-port=portid[-portid]/protocol
Remove the port. This option can be specified multiple times.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-port=portid[-portid]/protocol
Return whether the port has been added. Returns 0 if true, 1 otherwise.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-protocols
List protocols added as a space separated list.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-protocol=protocol [--timeout=timeval]
Add the protocol. This option can be specified multiple times. If a timeout is supplied, the rule
will be active for the specified amount of time and will be removed automatically afterwards.
timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (min‐
utes), h (hours), for example 20m or 1h.
The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for
supported protocols.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-protocol=protocol
Remove the protocol. This option can be specified multiple times.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-protocol=protocol
Return whether the protocol has been added. Returns 0 if true, 1 otherwise.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-source-ports
List source ports added as a space separated list. A port is of the form portid[-portid]/protocol.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-source-port=portid[-portid]/protocol
[--timeout=timeval]
Add the source port. This option can be specified multiple times. If a timeout is supplied, the rule
will be active for the specified amount of time and will be removed automatically afterwards.
timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (min‐
utes), h (hours), for example 20m or 1h.
The port can either be a single port number or a port range portid-portid. The protocol can either
be tcp, udp, sctp or dccp.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-source-port=portid[-portid]/proto‐
col
Remove the source port. This option can be specified multiple times.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-source-port=portid[-portid]/protocol
Return whether the source port has been added. Returns 0 if true, 1 otherwise.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-icmp-blocks
List Internet Control Message Protocol (ICMP) type blocks added as a space separated list.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-icmp-block=icmptype [--time‐
out=timeval]
Add an ICMP block for icmptype. This option can be specified multiple times. If a timeout is sup‐
plied, the rule will be active for the specified amount of time and will be removed automatically
afterwards. timeval is either a number (of seconds) or number followed by one of characters s (sec‐
onds), m (minutes), h (hours), for example 20m or 1h.
The icmptype is the one of the icmp types firewalld supports. To get a listing of supported icmp
types: firewall-cmd --get-icmptypes
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-icmp-block=icmptype
Remove the ICMP block for icmptype. This option can be specified multiple times.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-icmp-block=icmptype
Return whether an ICMP block for icmptype has been added. Returns 0 if true, 1 otherwise.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-forward-ports
List IPv4 forward ports added as a space separated list.
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-forward-port=port=portid[-por‐
tid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=timeval]
Add the IPv4 forward port. This option can be specified multiple times. If a timeout is supplied,
the rule will be active for the specified amount of time and will be removed automatically after‐
wards. timeval is either a number (of seconds) or number followed by one of characters s (seconds),
m (minutes), h (hours), for example 20m or 1h.
The port can either be a single port number portid or a port range portid-portid. The protocol can
either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
The --timeout option is not combinable with the --permanent option.
For IPv6 forward ports, please use the rich language.
Note: IP forwarding will be implicitly enabled if toaddr is specified.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-forward-port=port=portid[-por‐
tid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Remove the IPv4 forward port. This option can be specified multiple times.
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-forward-port=port=portid[-por‐
tid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Return whether the IPv4 forward port has been added. Returns 0 if true, 1 otherwise.
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-masquerade [--timeout=timeval]
Enable IPv4 masquerade. If a timeout is supplied, masquerading will be active for the specified
amount of time. timeval is either a number (of seconds) or number followed by one of characters s
(seconds), m (minutes), h (hours), for example 20m or 1h. Masquerading is useful if the machine is a
router and machines connected over an interface in another zone should be able to use the first con‐
nection.
The --timeout option is not combinable with the --permanent option.
For IPv6 masquerading, please use the rich language.
Note: IP forwarding will be implicitly enabled.
Note (Linux < 5.5): For the iptables backend, a policy may not enable masquerade if an ingress zone
has assigned interfaces. This restriction does not exist for the nftables backend, but does require
Linux v5.5+ to function properly; otherwise it will silently fail.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-masquerade
Disable IPv4 masquerade. If the masquerading was enabled with a timeout, it will be disabled also.
For IPv6 masquerading, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-masquerade
Return whether IPv4 masquerading has been enabled. Returns 0 if true, 1 otherwise.
For IPv6 masquerading, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-rich-rules
List rich language rules added as a newline separated list.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-rich-rule='rule' [--timeout=timeval]
Add rich language rule 'rule'. This option can be specified multiple times. If a timeout is sup‐
plied, the rule will be active for the specified amount of time and will be removed automatically
afterwards. timeval is either a number (of seconds) or number followed by one of characters s (sec‐
onds), m (minutes), h (hours), for example 20m or 1h.
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-rich-rule='rule'
Remove rich language rule 'rule'. This option can be specified multiple times.
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-rich-rule='rule'
Return whether a rich language rule 'rule' has been added. Returns 0 if true, 1 otherwise.
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
Options to Adapt and Query Zones
Options in this section affect only one particular zone. If used with --zone=zone option, they affect
the specified zone. If the option is omitted, they affect default zone (see --get-default-zone).
[--permanent] [--zone=zone] --add-icmp-block-inversion
Enable ICMP block inversion.
[--permanent] [--zone=zone] --remove-icmp-block-inversion
Disable ICMP block inversion.
[--permanent] [--zone=zone] --query-icmp-block-inversion
Return whether ICMP block inversion is enabled. Returns 0 if true, 1 otherwise.
[--permanent] [--zone=zone] --add-forward
Enable intra zone forwarding.
[--permanent] [--zone=zone] --remove-forward
Disable intra zone forwarding.
[--permanent] [--zone=zone] --query-forward
Return whether intra zone forwarding is enabled. Returns 0 if true, 1 otherwise.
--permanent [--zone=zone] --get-priority
Get the priority of the zone.
--permanent [--zone=zone] --set-priority
Set the zone's priority for packet classification. This will set both the ingress and egress prior‐
ity.
--permanent [--zone=zone] --get-ingress-priority
Get the ingress priority of the zone.
--permanent [--zone=zone] --set-ingress-priority
Set the zone's ingress priority for packet classification.
--permanent [--zone=zone] --get-egress-priority
Get the egress priority of the zone.
--permanent [--zone=zone] --set-egress-priority
Set the zone's egress priority for packet classification.
Options to Adapt and Query Policies
Options in this section affect only one particular policy. It's required to specify --policy=policy with
these options.
--permanent --policy=policy --get-priority
Get the priority.
--permanent --policy=policy --set-priority=priority
Set the priority. The priority determines the relative ordering of policies. This is an integer
value between -32768 and 32767 where -1 is the default value for new policies and 0 is reserved for
internal use.
If a priority is < 0, then the policy's rules will execute before all rules in all zones.
If a priority is > 0, then the policy's rules will execute after all rules in all zones.
[--permanent] --policy=policy --list-ingress-zones
List ingress zones added as a space separated list.
[--permanent] --policy=policy --add-ingress-zone=zone
Add an ingress zone. This option can be specified multiple times.
The ingress zone is one of the firewalld provided zones or one of the pseudo-zones: HOST, ANY.
HOST is used for traffic originating from the host machine, i.e. the host running firewalld.
ANY is used for traffic originating from any zone. This can be thought of as a wild card for zones.
However it does not include traffic originating from the host machine - use HOST for that.
[--permanent] --policy=policy --remove-ingress-zone=zone
Remove an ingress zone. This option can be specified multiple times.
[--permanent] --policy=policy --query-ingress-zone=zone
Return whether zone has been added. Returns 0 if true, 1 otherwise.
[--permanent] --policy=policy --list-egress-zones
List egress zones added as a space separated list.
[--permanent] --policy=policy --add-egress-zone=zone
Add an egress zone. This option can be specified multiple times.
The egress zone is one of the firewalld provided zones or one of the pseudo-zones: HOST, ANY.
For clarification on HOST and ANY see option --add-ingress-zone.
[--permanent] --policy=policy --remove-egress-zone=zone
Remove an egress zone. This option can be specified multiple times.
[--permanent] --policy=policy --query-egress-zone=zone
Return whether zone has been added. Returns 0 if true, 1 otherwise.
[--permanent] --policy=policy|--policy-set=policy-set --add-disable
Administratively disable a policy. A disabled policy will not activate.
[--permanent] --policy=policy|--policy-set=policy-set --remove-disable
Remove the administrative disable from a policy. Allows a policy to activate.
[--permanent] --policy=policy --query-disable
Return if the policy is administratively disabled.
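As an added example (not part of the man page), the policy options above put to use: a shell script that creates a policy for traffic forwarded from zone "internal" to zone "external", runs it before all zone rules by giving it a negative priority, and allows only a short list of services. The policy name "int2ext", the zone names and the service list are assumptions; --new-policy, --get-policies, --set-target and --policy --add-service are documented in other sections of firewall-cmd(1), the ingress/egress zone and priority options are the ones described above.

```shell
#!/bin/sh
# Added example, not part of the firewall-cmd man page. Policy name, zone
# names and the service list are assumptions.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"   # overridable, e.g. for dry runs

# fw_perm: run firewall-cmd against the permanent configuration.
fw_perm() { "$FIREWALL_CMD" --permanent "$@"; }

# fw_policy_exists NAME: 0 if a permanent policy NAME exists, 1 otherwise.
fw_policy_exists() {
    fw_perm --get-policies | tr ' ' '\n' | grep -qx -- "$1"
}

# fw_policy_setup NAME INGRESS EGRESS PRIORITY SERVICE...
# Idempotent: each --query-* call returns 0 when the item is present and 1
# when it is absent, so an --add-* call is only issued for missing items.
# A priority < 0 makes the policy's rules run before all rules in all zones.
fw_policy_setup() {
    local name ingress egress prio svc
    name=$1; ingress=$2; egress=$3; prio=$4
    shift 4
    fw_policy_exists "$name" || fw_perm --new-policy="$name" || return 1
    fw_perm --policy="$name" --set-priority="$prio" || return 1
    # Target REJECT: whatever the policy does not explicitly allow is refused.
    fw_perm --policy="$name" --set-target=REJECT || return 1
    fw_perm --policy="$name" --query-ingress-zone="$ingress" \
        || fw_perm --policy="$name" --add-ingress-zone="$ingress" || return 1
    fw_perm --policy="$name" --query-egress-zone="$egress" \
        || fw_perm --policy="$name" --add-egress-zone="$egress" || return 1
    for svc in "$@"; do
        fw_perm --policy="$name" --query-service="$svc" \
            || fw_perm --policy="$name" --add-service="$svc" || return 1
    done
    # Permanent changes only become active after a reload.
    "$FIREWALL_CMD" --reload
}

# The actual change runs only on request (needs root and a running firewalld):
#   FW_APPLY=1 sh policy.sh
if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_policy_setup int2ext internal external -10 dns http https
fi
```

Because every command is guarded by a --query-* call, running the script twice issues no duplicate --add-* commands; the FIREWALL_CMD variable lets you point it at a wrapper that only logs the commands before applying them on a production host.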
Options to Handle Bindings of Interfaces
Binding an interface to a zone means that this zone settings are used to restrict traffic via the interface.
Options in this section affect only one particular zone. If used with --zone=zone option, they affect
the zone zone. If the option is omitted, they affect default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd --get-zones.
An interface name is a string up to 16 characters long, that may not contain ' ', '/', '!' and '*'.
[--permanent] [--zone=zone] --list-interfaces
List interfaces that are bound to zone zone as a space separated list. If zone is omitted, default
zone will be used.
[--permanent] [--zone=zone] --add-interface=interface
Bind interface interface to zone zone. If zone is omitted, default zone will be used.
If the interface is under control of NetworkManager, it is at first connected to change the zone for the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply. For interfaces that are not under control of NetworkManager, firewalld tries to change the ZONE setting in the ifcfg file, if the file exists.
As an end user you don't need this in most cases, because NetworkManager (or legacy network service) adds interfaces into zones automatically (according to ZONE= option from ifcfg-interface file) if NM_CONTROLLED=no is not set. You should do it only if there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If there is such a file and you add an interface to a zone with this --add-interface option, make sure the zone is the same in both cases, otherwise the behavior would be undefined. Please also have a look at the firewalld(1) man page in the Concepts section. For permanent association of an interface with a zone, see also 'How to set or change a zone for a connection?' in firewalld.zones(5).
[--permanent] [--zone=zone] --change-interface=interface
If the interface is under control of NetworkManager, it is at first connected to change the zone for the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply. For interfaces that are not under control of NetworkManager, firewalld tries to change the ZONE setting in the ifcfg file, if the file exists.
Change zone the interface interface is bound to to zone zone. It's basically --remove-interface followed by --add-interface. If the interface has not been bound to a zone before, it behaves like --add-interface. If zone is omitted, default zone will be used.
[--permanent] [--zone=zone] --query-interface=interface
Query whether interface interface is bound to zone zone. Returns 0 if true, 1 otherwise.
[--permanent] --remove-interface=interface
If the interface is under control of NetworkManager, it is at first connected to change the zone for
the connection that is using the interface. If this fails, the zone binding is created in firewalld
and the limitations below apply.
For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
Only for the removal of interfaces that are not under control of NetworkManager: firewalld does not try to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld.
Remove binding of interface interface from zone it was previously added to.
Options to Handle Bindings of Sources
Binding a source to a zone means that this zone settings will be used to restrict traffic from this
source.
A source address or address range is either an IP address or a network IP address with a mask for IPv4
or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or
a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
Options in this section affect only one particular zone. If used with --zone=zone option, they affect
the zone zone. If the option is omitted, they affect default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd [--permanent] --get-zones.
[--permanent] [--zone=zone] --list-sources
List sources that are bound to zone zone as a space separated list. If zone is omitted, default zone
will be used.
[--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
Bind the source to zone zone. If zone is omitted, default zone will be used.
[--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
Change zone the source is bound to to zone zone. It's basically --remove-source followed by
--add-source. If the source has not been bound to a zone before, it behaves like --add-source. If
zone is omitted, default zone will be used.
[--permanent] [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
Query whether the source is bound to the zone zone. Returns 0 if true, 1 otherwise.
[--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
Remove binding of the source from zone it was previously added to.
IPSet Options
--get-ipset-types
Print the supported ipset types.
--permanent --new-ipset=ipset --type=type [--family=inet|inet6] [--option=key[=value]]
Add a new permanent and empty ipset, specifying the type and optionally the family and options like timeout, hashsize and maxelem. For more information please have a look at the ipset(8) man page.
ipset names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-ipset-from-file=filename [--name=ipset]
Add a new permanent ipset from a prepared ipset file with an optional name override.
--permanent --delete-ipset=ipset
Delete an existing permanent ipset.
--permanent --load-ipset-defaults=ipset
Load ipset default settings or report NO_DEFAULTS error.
[--permanent] --info-ipset=ipset
Print information about the ipset ipset. The output format is:
ipset
type: type
options: option1[=value1] ..
entries: entry1 ..
[--permanent] --get-ipsets
Print predefined ipsets as a space separated list.
--permanent --ipset=ipset --set-description=description
Set new description to ipset
--permanent --ipset=ipset --get-description
Print description for ipset
--permanent --ipset=ipset --set-short=description
Set short description to ipset
--permanent --ipset=ipset --get-short
Print short description for ipset
[--permanent] --ipset=ipset --add-entry=entry
Add a new entry to the ipset.
Adding an entry to an ipset with option timeout is permitted, but these entries are not tracked by
firewalld.
[--permanent] --ipset=ipset --remove-entry=entry
Remove an entry from the ipset.
[--permanent] --ipset=ipset --query-entry=entry
Return whether the entry has been added to an ipset. Returns 0 if true, 1 otherwise.
Querying an ipset with a timeout will yield an error. Entries are not tracked for ipsets with a
timeout.
[--permanent] --ipset=ipset --get-entries
List all entries of the ipset.
[--permanent] --ipset=ipset --add-entries-from-file=filename
Add new entries to the ipset from the file. For all entries that are listed in the file but already in the ipset, a warning will be printed.
The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
[--permanent] --ipset=ipset --remove-entries-from-file=filename
Remove existing entries from the ipset from the file. For all entries that are listed in the file but not in the ipset, a warning will be printed.
The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
--permanent --path-ipset=ipset
Print path of the ipset configuration file.
Service Options
Options in this section affect only one particular service.
[--permanent] --info-service=service
Print information about the service service. The output format is:
service
ports: port1 ..
protocols: protocol1 ..
source-ports: source-port1 ..
helpers: helper1 ..
destination: ipv1:address1 ..
The following options are only usable in the permanent configuration.
--permanent --new-service=service
Add a new permanent and empty service.
Service names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-service-from-file=filename [--name=service]
Add a new permanent service from a prepared service file with an optional name override.
--permanent --delete-service=service
Delete an existing permanent service.
--permanent --load-service-defaults=service
Load service default settings or report NO_DEFAULTS error.
--permanent --path-service=service
Print path of the service configuration file.
--permanent --service=service --set-description=description
Set new description to service
--permanent --service=service --get-description
Print description for service
--permanent --service=service --set-short=description
Set short description to service
--permanent --service=service --get-short
Print short description for service
--permanent --service=service --add-port=portid[-portid]/protocol
Add a new port to the permanent service.
--permanent --service=service --remove-port=portid[-portid]/protocol
Remove a port from the permanent service.
--permanent --service=service --query-port=portid[-portid]/protocol
Return whether the port has been added to the permanent service.
--permanent --service=service --get-ports
List ports added to the permanent service.
--permanent --service=service --add-protocol=protocol
Add a new protocol to the permanent service.
--permanent --service=service --remove-protocol=protocol
Remove a protocol from the permanent service.
--permanent --service=service --query-protocol=protocol
Return whether the protocol has been added to the permanent service.
--permanent --service=service --get-protocols
List protocols added to the permanent service.
--permanent --service=service --add-source-port=portid[-portid]/protocol
Add a new source port to the permanent service.
--permanent --service=service --remove-source-port=portid[-portid]/protocol
Remove a source port from the permanent service.
--permanent --service=service --query-source-port=portid[-portid]/protocol
Return whether the source port has been added to the permanent service.
--permanent --service=service --get-source-ports
List source ports added to the permanent service.
--permanent --service=service --add-helper=helper
Add a new helper to the permanent service.
--permanent --service=service --remove-helper=helper
Remove a helper from the permanent service.
--permanent --service=service --query-helper=helper
Return whether the helper has been added to the permanent service.
--permanent --service=service --get-service-helpers
List helpers added to the permanent service.
--permanent --service=service --set-destination=ipv:address[/mask]
Set destination for ipv to address[/mask] in the permanent service.
--permanent --service=service --remove-destination=ipv
Remove the destination for ipv from the permanent service.
--permanent --service=service --query-destination=ipv:address[/mask]
Return whether the destination ipv to address[/mask] has been set in the permanent service.
--permanent --service=service --get-destinations
List destinations added to the permanent service.
--permanent --service=service --add-include=service
Add a new include to the permanent service.
--permanent --service=service --remove-include=service
Remove an include from the permanent service.
--permanent --service=service --query-include=service
Return whether the include has been added to the permanent service.
--permanent --service=service --get-includes
List includes added to the permanent service.
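As an added example (not from the man page or the firewalld project), the service options above used to define a permanent custom service and to verify the result by parsing the --info-service output format shown at the start of this section. The service name "app-api", its short text, the ports and the include of the built-in "https" service are assumptions; --get-services and --zone --add-service are documented in the zone sections of firewall-cmd(1).

```shell
#!/bin/sh
# Added example, not part of the man page. Service name, ports and include
# are assumptions.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"
fw_perm() { "$FIREWALL_CMD" --permanent "$@"; }

# fw_service_define NAME SHORT INCLUDE PORT...: create the permanent service
# if missing and add the include and ports idempotently (a --query-* option
# returns 0 when the item is already present, 1 when it is absent).
fw_service_define() {
    local name short include p
    name=$1; short=$2; include=$3; shift 3
    fw_perm --get-services | tr ' ' '\n' | grep -qx -- "$name" \
        || fw_perm --new-service="$name" || return 1
    fw_perm --service="$name" --set-short="$short" || return 1
    fw_perm --service="$name" --query-include="$include" \
        || fw_perm --service="$name" --add-include="$include" || return 1
    for p in "$@"; do
        fw_perm --service="$name" --query-port="$p" \
            || fw_perm --service="$name" --add-port="$p" || return 1
    done
}

# fw_service_field NAME FIELD: value of the "FIELD: ..." line of the
# --info-service output (ports, protocols, source-ports, helpers, destination).
fw_service_field() {
    "$FIREWALL_CMD" --info-service="$1" \
        | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" | sed 's/[[:space:]]*$//'
}

# fw_service_ports_equal NAME "PORT ...": 0 if the service's port list is
# exactly the given set (order-independent), 1 otherwise. Confirms that a
# definition exposes nothing beyond what was intended.
fw_service_ports_equal() {
    local have want
    have=$(fw_service_field "$1" ports | tr ' ' '\n' | grep . | sort | tr '\n' ' ')
    want=$(printf '%s\n' "$2" | tr ' ' '\n' | grep . | sort | tr '\n' ' ')
    [ "$have" = "$want" ]
}

# Runs only on request (needs root and a running firewalld):
#   FW_APPLY=1 sh service.sh
if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_service_define app-api "Internal API" https 8443/tcp 8444/tcp || exit 1
    fw_perm --zone=internal --add-service=app-api || exit 1
    "$FIREWALL_CMD" --reload
    fw_service_ports_equal app-api "8443/tcp 8444/tcp" \
        || echo "app-api: unexpected port list" >&2
fi
```

The service is only enabled in the "internal" zone; the runtime check at the end runs after the reload because --info-service without --permanent reads the runtime configuration, which does not yet know a freshly defined permanent service.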
Helper Options
Options in this section affect only one particular helper.
[--permanent] --info-helper=helper
Print information about the helper helper. The output format is:
helper
family: family
module: module
ports: port1 ..
The following options are only usable in the permanent configuration.
--permanent --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
Add a new permanent helper with module and optionally family defined.
Helper names must be alphanumeric and may additionally include characters: '-'.
--permanent --new-helper-from-file=filename [--name=helper]
Add a new permanent helper from a prepared helper file with an optional name override.
--permanent --delete-helper=helper
Delete an existing permanent helper.
--permanent --load-helper-defaults=helper
Load helper default settings or report NO_DEFAULTS error.
--permanent --path-helper=helper
Print path of the helper configuration file.
[--permanent] --get-helpers
Print predefined helpers as a space separated list.
--permanent --helper=helper --set-description=description
Set new description to helper
--permanent --helper=helper --get-description
Print description for helper
--permanent --helper=helper --set-short=description
Set short description to helper
--permanent --helper=helper --get-short
Print short description for helper
--permanent --helper=helper --add-port=portid[-portid]/protocol
Add a new port to the permanent helper.
--permanent --helper=helper --remove-port=portid[-portid]/protocol
Remove a port from the permanent helper.
--permanent --helper=helper --query-port=portid[-portid]/protocol
Return whether the port has been added to the permanent helper.
--permanent --helper=helper --get-ports
List ports added to the permanent helper.
--permanent --helper=helper --set-module=description
Set module description for helper
--permanent --helper=helper --get-module
Print module description for helper
--permanent --helper=helper --set-family=description
Set family description for helper
--permanent --helper=helper --get-family
Print family description of helper
Internet Control Message Protocol (ICMP) type Options
Options in this section affect only one particular icmptype.
[--permanent] --info-icmptype=icmptype
Print information about the icmptype icmptype. The output format is:
icmptype
destination: ipv1 ..
The following options are only usable in the permanent configuration.
--permanent --new-icmptype=icmptype
Add a new permanent and empty icmptype.
ICMP type names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-icmptype-from-file=filename [--name=icmptype]
Add a new permanent icmptype from a prepared icmptype file with an optional name override.
--permanent --delete-icmptype=icmptype
Delete an existing permanent icmptype.
--permanent --load-icmptype-defaults=icmptype
Load icmptype default settings or report NO_DEFAULTS error.
--permanent --icmptype=icmptype --set-description=description
Set new description to icmptype
--permanent --icmptype=icmptype --get-description
Print description for icmptype
--permanent --icmptype=icmptype --set-short=description
Set short description to icmptype
--permanent --icmptype=icmptype --get-short
Print short description for icmptype
--permanent --icmptype=icmptype --add-destination=ipv
Enable destination for ipv in permanent icmptype. ipv is one of ipv4 or ipv6.
--permanent --icmptype=icmptype --remove-destination=ipv
Disable destination for ipv in permanent icmptype. ipv is one of ipv4 or ipv6.
--permanent --icmptype=icmptype --query-destination=ipv
Return whether destination for ipv is enabled in permanent icmptype. ipv is one of ipv4 or ipv6.
--permanent --icmptype=icmptype --get-destinations
List destinations in permanent icmptype.
--permanent --path-icmptype=icmptype
Print path of the icmptype configuration file.
Direct Options
DEPRECATED
The direct interface has been deprecated. It will be removed in a future release. It is superseded
by policies, see firewalld.policies(5).
The direct options give a more direct access to the firewall. These options require user to know basic
iptables concepts, i.e. table (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
(-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets (ACCEPT/DROP/REJECT/...).
Direct options should be used only as a last resort when it's not possible to use for example --add-service=service or --add-rich-rule='rule'.
Warning: Direct rules behavior is different depending on the value of FirewallBackend. See CAVEATS in
firewalld.direct(5).
The first argument of each option has to be ipv4 or ipv6 or eb. With ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
[--permanent] --direct --get-all-chains
Get all chains added to all tables. This option concerns only chains previously added with --direct
--add-chain.
[--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
Get all chains added to table table as a space separated list. This option concerns only chains previously added with --direct --add-chain.
[--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
Add a new chain with name chain to table table. Make sure there's no other chain with this name already.
There already exist basic chains to use with direct options, for example INPUT_direct chain (see
iptables-save | grep direct output for all of them). These chains are jumped into before chains for
zones, i.e. every rule put into INPUT_direct will be checked before rules in zones.
[--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
Remove chain with name chain from table table. Only chains previously added with --direct
--add-chain can be removed this way.
[--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
Return whether a chain with name chain exists in table table. Returns 0 if true, 1 otherwise. This
option concerns only chains previously added with --direct --add-chain.
[--permanent] --direct --get-all-rules
Get all rules added to all chains in all tables as a newline separated list of the priority and arguments. This option concerns only rules previously added with --direct --add-rule.
[--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
Get all rules added to chain chain in table table as a newline separated list of the priority and
arguments. This option concerns only rules previously added with --direct --add-rule.
[--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
Add a rule with the arguments args to chain chain in table table with priority priority.
The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher
priority the rule will be added further down. Rules with the same priority are on the same level and
the order of these rules is not fixed and may change. If you want to make sure that a rule will be
added after another one, use a low priority for the first and a higher for the following.
[--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
Remove a rule with priority and the arguments args from chain chain in table table. Only rules previously added with --direct --add-rule can be removed this way.
[--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
Remove all rules from the chain with name chain in table table. This option concerns only rules previously added with --direct --add-rule in this chain.
[--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
Return whether a rule with priority and the arguments args exists in chain chain in table table. Returns 0 if true, 1 otherwise. This option concerns only rules previously added with --direct --add-rule.
--direct --passthrough { ipv4 | ipv6 | eb } args
Pass a command through to the firewall. args can be all iptables, ip6tables and ebtables command line arguments. This command is untracked, which means that firewalld is not able to provide information about this command later on, not even a listing of the untracked passthroughs.
[--permanent] --direct --get-all-passthroughs
Get all passthrough rules as a newline separated list of the ipv value and arguments.
[--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
Get all passthrough rules for the ipv value as a newline separated list of the priority and arguments.
[--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
Add a passthrough rule with the arguments args for the ipv value.
[--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
Remove a passthrough rule with the arguments args for the ipv value.
[--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
Return whether a passthrough rule with the arguments args exists for the ipv value. Returns 0 if
true, 1 otherwise.
Panic Options
--panic-on
Enable panic mode. All incoming and outgoing packets are dropped, active connections will expire.
Enable this only if there are serious problems with your network environment, for example if the machine is being broken into.
This is a runtime only change.
--panic-off
Disable panic mode. After disabling panic mode established connections might work again, if panic
mode was enabled for a short period of time.
This is a runtime only change.
--query-panic
Returns 0 if panic mode is enabled, 1 otherwise.
EXAMPLES
Example 1
Enable http service in default zone. This is runtime only change, i.e. effective until restart.
firewall-cmd --add-service=http
Example 2
Enable port 443/tcp immediately and permanently in default zone. To make the change effective immediately and also after restart we need two commands. The first command makes the change in runtime configuration, i.e. makes it effective immediately, until restart. The second command makes the change in permanent configuration, i.e. makes it effective after restart.
firewall-cmd --add-port=443/tcp
firewall-cmd --permanent --add-port=443/tcp
EXIT CODES
On success 0 is returned. On failure the output is red colored and exit code is either 2 in case of
wrong command-line option usage or one of the following error codes in other cases:
┌─────────────────────┬──────┐
│ String │ Code │
├─────────────────────┼──────┤
│ ALREADY_ENABLED │ 11 │
├─────────────────────┼──────┤
│ NOT_ENABLED │ 12 │
├─────────────────────┼──────┤
│ COMMAND_FAILED │ 13 │
├─────────────────────┼──────┤
│ NO_IPV6_NAT │ 14 │
├─────────────────────┼──────┤
│ PANIC_MODE │ 15 │
├─────────────────────┼──────┤
│ ZONE_ALREADY_SET │ 16 │
├─────────────────────┼──────┤
│ UNKNOWN_INTERFACE │ 17 │
├─────────────────────┼──────┤
│ ZONE_CONFLICT │ 18 │
├─────────────────────┼──────┤
│ BUILTIN_CHAIN │ 19 │
├─────────────────────┼──────┤
│ EBTABLES_NO_REJECT │ 20 │
├─────────────────────┼──────┤
│ NOT_OVERLOADABLE │ 21 │
├─────────────────────┼──────┤
│ NO_DEFAULTS │ 22 │
├─────────────────────┼──────┤
│ BUILTIN_ZONE │ 23 │
├─────────────────────┼──────┤
│ BUILTIN_SERVICE │ 24 │
├─────────────────────┼──────┤
│ BUILTIN_ICMPTYPE │ 25 │
├─────────────────────┼──────┤
│ NAME_CONFLICT │ 26 │
├─────────────────────┼──────┤
│ NAME_MISMATCH │ 27 │
├─────────────────────┼──────┤
│ PARSE_ERROR │ 28 │
├─────────────────────┼──────┤
│ ACCESS_DENIED │ 29 │
├─────────────────────┼──────┤
│ UNKNOWN_SOURCE │ 30 │
├─────────────────────┼──────┤
│ RT_TO_PERM_FAILED │ 31 │
├─────────────────────┼──────┤
│ IPSET_WITH_TIMEOUT │ 32 │
├─────────────────────┼──────┤
│ BUILTIN_IPSET │ 33 │
├─────────────────────┼──────┤
│ ALREADY_SET │ 34 │
├─────────────────────┼──────┤
│ MISSING_IMPORT │ 35 │
├─────────────────────┼──────┤
│ DBUS_ERROR │ 36 │
├─────────────────────┼──────┤
│ BUILTIN_HELPER │ 37 │
├─────────────────────┼──────┤
│ NOT_APPLIED │ 38 │
├─────────────────────┼──────┤
│ INVALID_ACTION │ 100 │
├─────────────────────┼──────┤
│ INVALID_SERVICE │ 101 │
├─────────────────────┼──────┤
│ INVALID_PORT │ 102 │
├─────────────────────┼──────┤
│ INVALID_PROTOCOL │ 103 │
├─────────────────────┼──────┤
│ INVALID_INTERFACE │ 104 │
├─────────────────────┼──────┤
│ INVALID_ADDR │ 105 │
├─────────────────────┼──────┤
│ INVALID_FORWARD │ 106 │
├─────────────────────┼──────┤
│ INVALID_ICMPTYPE │ 107 │
├─────────────────────┼──────┤
│ INVALID_TABLE │ 108 │
├─────────────────────┼──────┤
│ INVALID_CHAIN │ 109 │
├─────────────────────┼──────┤
│ INVALID_TARGET │ 110 │
├─────────────────────┼──────┤
│ INVALID_IPV │ 111 │
├─────────────────────┼──────┤
│ INVALID_ZONE │ 112 │
├─────────────────────┼──────┤
│ INVALID_PROPERTY │ 113 │
├─────────────────────┼──────┤
│ INVALID_VALUE │ 114 │
├─────────────────────┼──────┤
│ INVALID_OBJECT │ 115 │
├─────────────────────┼──────┤
│ INVALID_NAME │ 116 │
├─────────────────────┼──────┤
│ INVALID_FILENAME │ 117 │
├─────────────────────┼──────┤
│ INVALID_DIRECTORY │ 118 │
├─────────────────────┼──────┤
│ INVALID_TYPE │ 119 │
├─────────────────────┼──────┤
│ INVALID_SETTING │ 120 │
├─────────────────────┼──────┤
│ INVALID_DESTINATION │ 121 │
├─────────────────────┼──────┤
│ INVALID_RULE │ 122 │
├─────────────────────┼──────┤
│ INVALID_LIMIT │ 123 │
├─────────────────────┼──────┤
│ INVALID_FAMILY │ 124 │
├─────────────────────┼──────┤
│ INVALID_LOG_LEVEL │ 125 │
├─────────────────────┼──────┤
│ INVALID_AUDIT_TYPE │ 126 │
├─────────────────────┼──────┤
│ INVALID_MARK │ 127 │
├─────────────────────┼──────┤
│ INVALID_CONTEXT │ 128 │
├─────────────────────┼──────┤
│ INVALID_COMMAND │ 129 │
├─────────────────────┼──────┤
│ INVALID_USER │ 130 │
├─────────────────────┼──────┤
│ INVALID_UID │ 131 │
├─────────────────────┼──────┤
│ INVALID_MODULE │ 132 │
├─────────────────────┼──────┤
│ INVALID_PASSTHROUGH │ 133 │
├─────────────────────┼──────┤
│ INVALID_MAC │ 134 │
├─────────────────────┼──────┤
│ INVALID_IPSET │ 135 │
├─────────────────────┼──────┤
│ INVALID_ENTRY │ 136 │
├─────────────────────┼──────┤
│ INVALID_OPTION │ 137 │
├─────────────────────┼──────┤
│ INVALID_HELPER │ 138 │
├─────────────────────┼──────┤
│ INVALID_PRIORITY │ 139 │
├─────────────────────┼──────┤
│ INVALID_POLICY │ 140 │
├─────────────────────┼──────┤
│ INVALID_LOG_PREFIX │ 141 │
├─────────────────────┼──────┤
│ INVALID_NFLOG_GROUP │ 142 │
├─────────────────────┼──────┤
│ INVALID_NFLOG_QUEUE │ 143 │
├─────────────────────┼──────┤
│ INVALID_SOURCE │ 144 │
├─────────────────────┼──────┤
│ MISSING_TABLE │ 200 │
├─────────────────────┼──────┤
│ MISSING_CHAIN │ 201 │
├─────────────────────┼──────┤
│ MISSING_PORT │ 202 │
├─────────────────────┼──────┤
│ MISSING_PROTOCOL │ 203 │
├─────────────────────┼──────┤
│ MISSING_ADDR │ 204 │
├─────────────────────┼──────┤
│ MISSING_NAME │ 205 │
├─────────────────────┼──────┤
│ MISSING_SETTING │ 206 │
├─────────────────────┼──────┤
│ MISSING_FAMILY │ 207 │
├─────────────────────┼──────┤
│ RUNNING_BUT_FAILED │ 251 │
├─────────────────────┼──────┤
│ NOT_RUNNING │ 252 │
├─────────────────────┼──────┤
│ NOT_AUTHORIZED │ 253 │
├─────────────────────┼──────┤
│ UNKNOWN_ERROR │ 254 │
└─────────────────────┴──────┘
Note that return codes of --query-* options are special: Successful queries return 0, unsuccessful ones
return 1 unless an error occurred in which case the table above applies.
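The two-command pattern of Example 2 and the exit-code table above are usually combined in scripts, and scripts that treat every non-zero status as "failed" break on re-runs (ALREADY_ENABLED is 11) while scripts that ignore the status miss a stopped daemon. The following wrapper is an added example, not part of the man page: it applies one change to runtime and permanent configuration, accepts 0 and 11 as success, stops on NOT_RUNNING (252) and NOT_AUTHORIZED (253), and reads --query-* results the way the note above describes (0 present, 1 absent, anything else an error). The port used and the subset of codes given names are this script's choices.

```shell
#!/bin/sh
# Added example, not part of the man page. The port and the subset of exit
# codes that get symbolic names are assumptions.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# fw_code_name CODE: symbolic name (from the EXIT CODES table) for the codes
# this script reacts to; other codes are shown as CODE_<n>.
fw_code_name() {
    case "$1" in
        0)   echo OK ;;              2)   echo USAGE_ERROR ;;
        11)  echo ALREADY_ENABLED ;; 12)  echo NOT_ENABLED ;;
        13)  echo COMMAND_FAILED ;;  29)  echo ACCESS_DENIED ;;
        102) echo INVALID_PORT ;;    112) echo INVALID_ZONE ;;
        252) echo NOT_RUNNING ;;     253) echo NOT_AUTHORIZED ;;
        254) echo UNKNOWN_ERROR ;;   *)   echo "CODE_$1" ;;
    esac
}

# fw_apply_both ARGS...: ARGS are passed once without and once with
# --permanent. Returns 0 when both are applied (or already were), 1 otherwise.
fw_apply_both() {
    local mode rc
    for mode in runtime permanent; do
        rc=0
        if [ "$mode" = permanent ]; then
            "$FIREWALL_CMD" --permanent "$@" >/dev/null || rc=$?
        else
            "$FIREWALL_CMD" "$@" >/dev/null || rc=$?
        fi
        case $rc in
            0|11) ;;                     # applied, or already in place
            252|253)
                printf '%s: %s, giving up\n' "$mode" "$(fw_code_name "$rc")" >&2
                return 1 ;;
            *)
                printf '%s: %s (exit %s)\n' "$mode" "$(fw_code_name "$rc")" "$rc" >&2
                return 1 ;;
        esac
    done
    return 0
}

# fw_query ARGS...: for --query-* options 0 means present and 1 means absent;
# any other code is an error, not "absent". Prints yes, no or error:NAME.
fw_query() {
    local rc
    rc=0
    "$FIREWALL_CMD" "$@" >/dev/null || rc=$?
    case $rc in
        0) echo yes ;;
        1) echo no ;;
        *) echo "error:$(fw_code_name "$rc")" ;;
    esac
}

# Runs only on request (needs root and a running firewalld):
#   FW_APPLY=1 sh apply.sh
if [ "${FW_APPLY:-0}" = 1 ]; then
    fw_apply_both --add-port=443/tcp || exit 1
    echo "443/tcp open in runtime configuration: $(fw_query --query-port=443/tcp)"
fi
```

Keeping stderr of firewall-cmd visible is deliberate: the man page says failures are reported there (in red), so the wrapper only adds the classification and does not hide the daemon's own message.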
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
NOTES
firewalld home page:
http://firewalld.org
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
Eric Garver <eric@garver.life>
Developer
firewalld 2.4.1 FIREWALL-CMD(1)
firewalld.conf
# man firewalld.conf
FIREWALLD.CONF(5) firewalld.conf FIREWALLD.CONF(5)
NAME
firewalld.conf - firewalld configuration file
SYNOPSIS
/etc/firewalld/firewalld.conf
DESCRIPTION
firewalld.conf is loaded by firewalld during the initialization process. The file contains the basic configuration options for firewalld.
OPTIONS
These are the options that can be set in the config file:
DefaultZone
This sets the default zone for connections or interfaces if the zone is not selected or specified by
NetworkManager, initscripts or command line tool. The default zone is public.
MinimalMark
Deprecated. This option is ignored and no longer used. Marks are no longer used internally.
CleanupModulesOnExit
Setting this option to yes or true unloads all firewall-related kernel modules when firewalld is
stopped. The default value is no or false.
CleanupOnExit
If firewalld stops, it cleans up all firewall rules. Setting this option to no or false leaves the
current firewall rules untouched. The default value is yes or true.
IPv6_rpfilter
Performs reverse path filtering (RPF) on IPv6 packets as per RFC 3704. Possible values:
- strict: Performs "strict" filtering as per RFC 3704. This check verifies that the ingress interface is the same interface that would be used to send a packet reply to the source. That is, ingress == egress.
- loose: Performs "loose" filtering as per RFC 3704. This check only verifies that there is a route back to the source through any interface; even if it's not the same one on which the packet arrived.
- strict-forward: This is almost identical to "loose", but does not perform RPF for packets targeted to the host (INPUT).
- loose-forward: This is almost identical to "loose", but does not perform RPF for packets targeted to the host (INPUT).
- no: RPF is completely disabled.
The rp_filter for IPv4 is controlled using sysctl.
Note: This feature has a performance impact. In most cases the impact is not enough to cause a noticeable difference. It requires route lookups and its execution occurs before the established connections fast path. As such it can have a significant performance impact if there is a lot of traffic. It's enabled by default for security, but can be disabled if performance is a concern. Alternatively one of the variants that only does RPF on forwarded packets may be used.
IndividualCalls
If this option is disabled (it is by default), combined -restore calls are used and not individual calls to apply changes to the firewall. The use of individual calls increases the time that is needed to apply changes and to start the daemon, but is good for debugging as error messages are more specific.
LogDenied
Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones for the configured link-layer packet type. The possible values are: all, unicast, broadcast, multicast and off. The default setting is off, which disables the logging.
AutomaticHelpers
Deprecated. This option is ignored and no longer used.
FirewallBackend
Selects the firewall backend implementation. Possible values are: nftables (default) or iptables. This applies to all firewalld primitives. The only exception is direct and passthrough rules, which always use the traditional iptables, ip6tables, and ebtables backends.
Note: The iptables backend is deprecated. It will be removed in a future release.
FlushAllOnReload
Flush all runtime rules on a reload. In previous releases some runtime configuration was retained during a reload, namely: interface to zone assignment, and direct rules. This was confusing to users. To get the old behavior set this to "no". Defaults to "yes".
ReloadPolicy
The policy during reload. By default, all traffic except established connections is dropped while reloading the firewall rules. This can be overridden for INPUT, FORWARD and OUTPUT. The accepted values are "DROP", "REJECT" and "ACCEPT", which then applies to all tables. Alternatively, the policy can be specified per table, like "INPUT:REJECT,FORWARD:DROP,OUTPUT:ACCEPT". Defaults to "INPUT:DROP,FORWARD:DROP,OUTPUT:DROP".
RFC3964_IPv4
As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that correspond to IPv4 addresses that should not be routed over the public internet. Defaults to "yes".
StrictForwardPorts
If set to yes, the generated destination NAT (DNAT) rules will NOT accept traffic that was DNAT'd by other entities, e.g. docker. Firewalld will be strict and not allow published container ports until they're explicitly allowed via firewalld. If set to no, then docker (and podman) integrates seamlessly with firewalld. Published container ports are implicitly allowed. Defaults to "no".
AllowZoneDrifting
Deprecated. This option is ignored and no longer used.
NftablesFlowtable
This may improve forwarded traffic throughput by enabling nftables flowtable. It is a software fastpath and avoids calling nftables rule evaluation for data packets. Its value is a space-separated list of interfaces. Example value "eth0 eth1". Defaults to "off".
NftablesCounters
If set to yes, add a counter to every nftables rule. This is useful for debugging and comes with a
small performance cost. Defaults to "no".
NftablesTableOwner
If set to yes, the generated nftables rule set will be owned exclusively by firewalld. This prevents
other entities from mistakenly (or maliciously) modifying firewalld's rule set. If you intentionally
modify firewalld's rules, then you will have to set this to "no". Defaults to "yes".
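The options above decide how much a host gives away when the daemon reloads, whether denied packets leave a trace, and whether other processes can alter firewalld's nftables table. The following audit script is an added example and is not part of firewalld or of the original page: it parses the Key=Value layout of /etc/firewalld/firewalld.conf, fills in the defaults stated in firewalld.conf(5) for keys that are absent, and reports settings that weaken filtering or detection. The helper names (parse_conf, parse_reload_policy, audit), the severity labels and the sample configuration are constructed for this example; the literal default for IPv6_rpfilter is an assumption, since the man page only says the check is enabled by default.

```python
"""Audit a firewalld.conf against the hardening-relevant defaults.

Added example, not firewalld project code.  parse_conf() reads the
Key=Value format of /etc/firewalld/firewalld.conf, audit() fills in the
defaults documented in firewalld.conf(5) for missing keys and reports the
settings that weaken filtering or reduce visibility.
"""
from __future__ import annotations

from dataclasses import dataclass

# Defaults as given in firewalld.conf(5).  The man page only says IPv6_rpfilter
# is "enabled by default" without naming the literal, so "strict" is assumed.
DEFAULTS = {
    "IPv6_rpfilter": "strict",
    "LogDenied": "off",
    "FirewallBackend": "nftables",
    "ReloadPolicy": "INPUT:DROP,FORWARD:DROP,OUTPUT:DROP",
    "StrictForwardPorts": "no",
    "NftablesTableOwner": "yes",
}

# Constructed sample in the layout of /etc/firewalld/firewalld.conf.
SAMPLE_CONF = """\
# firewalld config file (constructed sample)
DefaultZone=public
IPv6_rpfilter=no
LogDenied=off
FirewallBackend=iptables
ReloadPolicy=INPUT:DROP,FORWARD:DROP,OUTPUT:ACCEPT
NftablesTableOwner=no
"""


@dataclass(frozen=True)
class Finding:
    key: str
    value: str
    severity: str  # "high", "medium" or "info"
    message: str


def parse_conf(text: str) -> dict[str, str]:
    """Parse firewalld.conf: '#' comments, blank lines and unquoted Key=Value."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def parse_reload_policy(value: str) -> dict[str, str]:
    """Expand ReloadPolicy into {chain: policy}.

    A bare DROP/REJECT/ACCEPT applies to INPUT, FORWARD and OUTPUT alike;
    otherwise entries look like "INPUT:REJECT,OUTPUT:ACCEPT" and chains that
    are not named keep the documented default of DROP.
    """
    chains = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "DROP"}
    value = value.strip().upper()
    if value in ("DROP", "REJECT", "ACCEPT"):
        return dict.fromkeys(chains, value)
    for item in value.split(","):
        chain, _, policy = item.strip().partition(":")
        if chain not in chains or policy not in ("DROP", "REJECT", "ACCEPT"):
            raise ValueError(f"invalid ReloadPolicy entry: {item!r}")
        chains[chain] = policy
    return chains


def audit(settings: dict[str, str]) -> list[Finding]:
    """Return findings for weak or deprecated settings, explicit or defaulted."""
    cfg = {**DEFAULTS, **settings}
    out: list[Finding] = []
    rpf = cfg["IPv6_rpfilter"].lower()
    if rpf in ("no", "false"):
        out.append(Finding("IPv6_rpfilter", rpf, "high",
                           "IPv6 reverse path filtering is off: spoofed-source packets are not dropped"))
    elif rpf.endswith("-forward"):
        out.append(Finding("IPv6_rpfilter", rpf, "info",
                           "RPF is skipped for packets addressed to this host (INPUT)"))
    if cfg["LogDenied"].lower() == "off":
        out.append(Finding("LogDenied", "off", "medium",
                           "rejected and dropped packets are not logged, so probes leave no trace"))
    if cfg["FirewallBackend"].lower() == "iptables":
        out.append(Finding("FirewallBackend", "iptables", "medium",
                           "iptables backend is deprecated and will be removed"))
    if cfg["NftablesTableOwner"].lower() == "no":
        out.append(Finding("NftablesTableOwner", "no", "medium",
                           "firewalld does not own its nftables table; other processes may alter the rule set"))
    if cfg["StrictForwardPorts"].lower() == "no":
        out.append(Finding("StrictForwardPorts", "no", "info",
                           "ports published by docker/podman are implicitly allowed"))
    for chain, policy in parse_reload_policy(cfg["ReloadPolicy"]).items():
        if policy == "ACCEPT":
            out.append(Finding("ReloadPolicy", f"{chain}:{policy}", "high",
                               f"{chain} accepts new traffic while the rule set is being reloaded"))
    return out


def audit_text(text: str) -> list[Finding]:
    return audit(parse_conf(text))


if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONF):
        print(f"[{f.severity:6}] {f.key}={f.value}: {f.message}")
```

Run against the real file with `audit_text(open("/etc/firewalld/firewalld.conf").read())`; a stock configuration produces only the LogDenied and StrictForwardPorts findings, which is exactly the pair worth a deliberate decision on a server.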
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
NOTES
firewalld home page:
http://firewalld.org
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
Eric Garver <eric@garver.life>
Developer
firewalld 2.4.1 FIREWALLD.CONF(5)
firewalld.dbus
# man firewalld.dbus
FIREWALLD.DBUS(5) firewalld.dbus FIREWALLD.DBUS(5)
NAME
firewalld.dbus - firewalld D-Bus interface description
OBJECT PATHS
This is the basic firewalld object path structure. The used interfaces are explained below in the section
called “INTERFACES”.
/org/fedoraproject/FirewallD1
Interfaces
org.fedoraproject.FirewallD1
org.fedoraproject.FirewallD1.direct (deprecated)
org.fedoraproject.FirewallD1.ipset
org.fedoraproject.FirewallD1.policies (deprecated)
org.fedoraproject.FirewallD1.zone
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config
Interfaces
org.fedoraproject.FirewallD1.config
org.fedoraproject.FirewallD1.config.direct (deprecated)
org.fedoraproject.FirewallD1.config.policies (deprecated)
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config/zone/i
Interfaces
org.fedoraproject.FirewallD1.config.zone
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config/service/i
Interfaces:
org.fedoraproject.FirewallD1.config.service
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config/ipset/i
Interfaces
org.fedoraproject.FirewallD1.config.ipset
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
/org/fedoraproject/FirewallD1/config/icmptype/i
Interfaces
org.fedoraproject.FirewallD1.config.icmptype
org.freedesktop.DBus.Introspectable
org.freedesktop.DBus.Properties
INTERFACES
org.fedoraproject.FirewallD1
This interface contains general runtime operations, like: reloading, panic mode, default zone handling,
getting services and icmp types and their settings.
Methods
authorizeAll() → Nothing
Initiate authorization for the complete firewalld D-Bus interface. This method is mostly useful for configuration applications.
completeReload() → Nothing
Reload firewall completely, even netfilter kernel modules. This will most likely terminate active connections, because state information is lost. This option should only be used in case of severe firewall problems, for example if there are state information problems such that no connection can be established even with correct firewall rules.
disablePanicMode() → Nothing
Disable panic mode. After disabling panic mode established connections might work again, if panic mode was enabled for a short period of time.
Possible errors: NOT_ENABLED, COMMAND_FAILED
resetToDefaults() → Nothing
Reset firewall to its default configuration, then reload firewall. This affects both runtime and permanent configuration.
enablePanicMode() → Nothing
Enable panic mode. All incoming and outgoing packets are dropped, active connections will expire.
Enable this only if there are serious problems with your network environment.
Possible errors: ALREADY_ENABLED, COMMAND_FAILED
getAutomaticHelpers() → s
Deprecated. This always returns "no".
getDefaultZone() → s
Return default zone.
getHelperSettings(s: helper) → (sssssa(ss))
Return runtime settings of given helper. For getting permanent settings see org.fedoraproject.FirewallD1.config.helper.Methods.getSettings. Settings are in format: version, name, description, family, module and array of ports.
version (s): see version attribute of helper tag in firewalld.helper(5).
name (s): see short tag in firewalld.helper(5).
description (s): see description tag in firewalld.helper(5).
family (s): see family tag in firewalld.helper(5).
module (s): see module tag in firewalld.helper(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.helper(5).
Possible errors: INVALID_HELPER
getHelpers() → as
Return array of helper names (s) in runtime configuration. For permanent configuration see
org.fedoraproject.FirewallD1.config.Methods.listHelpers.
getIcmpTypeSettings(s: icmptype) → (sssas)
Return runtime settings of given icmptype. For getting permanent settings see org.fedoraproject.FirewallD1.config.icmptype.Methods.getSettings. Settings are in format: version, name, description, array of destinations.
version (s): see version attribute of icmptype tag in firewalld.icmptype(5).
name (s): see short tag in firewalld.icmptype(5).
description (s): see description tag in firewalld.icmptype(5).
destinations (as): array, either empty or containing strings 'ipv4' or 'ipv6', see destination
tag in firewalld.icmptype(5).
Possible errors: INVALID_ICMPTYPE
getLogDenied() → s
Returns the LogDenied value. If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones. Possible values are: all, unicast, broadcast, multicast and off. The default value is off.
getServiceSettings(s: service) → (sssa(ss)asa{ss}asa(ss))
This function is deprecated, use org.fedoraproject.FirewallD1.Methods.getServiceSettings2 instead.
getServiceSettings2(s: service) → s{sv}
Return runtime settings of given service. For getting permanent settings see org.fedoraproject.FirewallD1.config.service.Methods.getSettings2. Settings are a dictionary indexed by keywords. For the type of each value see below. If the value is empty it may be omitted.
version (s): see version attribute of service tag in firewalld.service(5).
name (s): see short tag in firewalld.service(5).
description (s): see description tag in firewalld.service(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.service(5).
module names (as): array of kernel netfilter helpers, see module tag in firewalld.service(5).
destinations (a{ss}): dictionary of {IP family : IP address} where 'IP family' key can be either
'ipv4' or 'ipv6'. See destination tag in firewalld.service(5).
protocols (as): array of protocols, see protocol tag in firewalld.service(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.service(5).
includes (as): array of service includes, see include tag in firewalld.service(5).
helpers (as): array of service helpers, see helper tag in firewalld.service(5).
Possible errors: INVALID_SERVICE
getZoneSettings(s: zone) → (sssbsasa(ss)asba(ssss)asasasasa(ss)b)
This function is deprecated, use org.fedoraproject.FirewallD1.zone.Methods.getZoneSettings2 instead.
listIcmpTypes() → as
Return array of names (s) of icmp types in runtime configuration. For permanent configuration see
org.fedoraproject.FirewallD1.config.Methods.listIcmpTypes.
listServices() → as
Return array of service names (s) in runtime configuration. For permanent configuration see
org.fedoraproject.FirewallD1.config.Methods.listServices.
queryPanicMode() → b
Return true if panic mode is enabled, false otherwise. In panic mode all incoming and outgoing
packets are dropped.
reload() → Nothing
Reload firewall rules and keep state information. Current permanent configuration will become new
runtime configuration, i.e. all runtime only changes done until reload are lost with reload if
they have not been also in permanent configuration.
runtimeToPermanent() → Nothing
Make runtime settings permanent. Replaces permanent settings with runtime settings for zones,
policies, services, icmptypes, and direct (deprecated).
Possible errors: RT_TO_PERM_FAILED
checkPermanentConfig() → Nothing
Run checks on the permanent configuration. This is most useful if changes were made manually to
configuration files.
Possible errors: any
setDefaultZone(s: zone) → Nothing
Set default zone for connections and interfaces where no zone has been selected to zone. Setting
the default zone changes the zone for the connections or interfaces, that are using the default
zone. This is a runtime and permanent change.
Possible errors: ZONE_ALREADY_SET, COMMAND_FAILED
setLogDenied(s: value) → Nothing
Set LogDenied value to value. If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones. Possible values are: all, unicast, broadcast, multicast and off. The default value is off. This is a runtime and permanent change.
Possible errors: ALREADY_SET, INVALID_VALUE
Signals
DefaultZoneChanged(s: zone)
Emitted when default zone has been changed to zone.
LogDeniedChanged(s: value)
Emitted when LogDenied value has been changed.
PanicModeDisabled()
Emitted when panic mode has been deactivated.
PanicModeEnabled()
Emitted when panic mode has been activated.
Reloaded()
Emitted when firewalld has been reloaded. Also emitted for a complete reload.
Properties
BRIDGE - b - (ro)
Indicates whether the firewall has ethernet bridge support.
IPSet - b - (ro)
Indicates whether the firewall has IPSet support.
IPSetTypes - as - (ro)
The supported IPSet types by ipset and firewalld.
IPv4 - b - (ro)
Indicates whether the firewall has IPv4 support.
IPv4ICMPTypes - as - (ro)
The list of supported IPv4 ICMP types.
IPv6 - b - (ro)
Indicates whether the firewall has IPv6 support.
IPv6_rpfilter - b - (ro)
Indicates whether the reverse path filter test on a packet for IPv6 is enabled. If a reply to the
packet would be sent via the same interface that the packet arrived on, the packet will match and
be accepted, otherwise dropped.
IPv6ICMPTypes - as - (ro)
The list of supported IPv6 ICMP types.
nf_conntrach_helper_setting - b - (ro)
Deprecated. Always False.
nf_conntrack_helpers - a{sas} - (ro)
Deprecated. Always returns an empty dictionary.
nf_nat_helpers - a{sas} - (ro)
Deprecated. Always returns an empty dictionary.
interface_version - s - (ro)
firewalld D-Bus interface version string.
state - s - (ro)
firewalld state. This can be either INIT, FAILED, or RUNNING. In INIT state, firewalld is starting up and initializing. In FAILED state, firewalld completely started but experienced a failure.
version - s - (ro)
firewalld version string.
org.fedoraproject.FirewallD1.ipset
Operations in this interface allow one to get, add, remove and query runtime ipset settings. For permanent configuration see org.fedoraproject.FirewallD1.config.ipset interface.
Methods
addEntry(s: ipset, s: entry) → as
Add a new entry to ipset. The entry must match the type of the ipset. If the ipset is using the timeout option, it is not possible to see the entries, as they are timing out automatically in the kernel. For permanent operation see org.fedoraproject.FirewallD1.config.ipset.Methods.addEntry.
Possible errors: INVALID_IPSET, IPSET_WITH_TIMEOUT
getEntries(s: ipset) → Nothing
Get all entries added to the ipset. If the ipset is using the timeout option, it is not possible to see the entries, as they are timing out automatically in the kernel. Return value is an array of entry. For permanent operation see org.fedoraproject.FirewallD1.config.ipset.Methods.getEntries.
Possible errors: INVALID_IPSET, IPSET_WITH_TIMEOUT
getIPSetSettings(s: ipset) → (ssssa{ss}as)
Return runtime settings of given ipset. For getting permanent settings see org.fedoraproject.FirewallD1.config.ipset.Methods.getSettings. Settings are in format: version, name, description, type, dictionary of options and array of entries.
version (s): see version attribute of ipset tag in firewalld.ipset(5).
name (s): see short tag in firewalld.ipset(5).
description (s): see description tag in firewalld.ipset(5).
type (s): see type attribute of ipset tag in firewalld.ipset(5).
options (a{ss}): dictionary of {option : value} . See options tag in firewalld.ipset(5).
entries (as): array of entries, see entry tag in firewalld.ipset(5).
Possible errors: INVALID_IPSET
getIPSets() → as
Return array of ipset names (s) in runtime configuration. For permanent configuration see org.fedoraproject.FirewallD1.config.Methods.listIPSets.
queryEntry(s: ipset, s: entry) → b
Return whether entry has been added to ipset. For permanent operation see org.fedoraproject.FirewallD1.config.ipset.Methods.queryEntry.
Possible errors: INVALID_IPSET
queryIPSet(s: ipset) → b
Return whether ipset is defined in runtime configuration.
removeEntry(s: ipset, s: entry) → as
Removes an entry from ipset. For permanent operation see org.fedoraproject.FirewallD1.config.ipset.Methods.removeEntry.
Possible errors: INVALID_IPSET, IPSET_WITH_TIMEOUT
setEntries(as: entries) → Nothing
Permanently set list of entries to entries. For permanent operation see org.fedoraproject.FirewallD1.config.ipset.Methods.setEntries. See entry tag in firewalld.ipset(5).
Signals
EntryAdded(s: ipset, s: entry)
Emitted when entry has been added to ipset.
EntryRemoved(s: ipset, s: entry)
Emitted when entry has been removed from ipset.
org.fedoraproject.FirewallD1.direct
DEPRECATED
The direct interface has been deprecated. It will be removed in a future release. It is superseded by
policies, see firewalld.policies(5).
This interface enables more direct access to the firewall. It enables runtime manipulation with chains
and rules. For permanent configuration see org.fedoraproject.FirewallD1.config.direct interface.
Methods
addChain(s: ipv, s: table, s: chain) → Nothing
Add a new chain to table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). Make sure there's no other chain with this name already. There already exist basic chains to use with direct methods, for example INPUT_direct chain. These chains are jumped into before chains for zones, i.e. every rule put into INPUT_direct will be checked before rules in zones. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.addChain.
Possible errors: INVALID_IPV, INVALID_TABLE, ALREADY_ENABLED, COMMAND_FAILED
addPassthrough(s: ipv, as: args) → Nothing
Add a tracked passthrough rule with the arguments args for ipv being either ipv4 (iptables) or
ipv6 (ip6tables) or eb (ebtables). Valid commands in args are only -A/--append, -I/--insert and
-N/--new-chain. This method is (unlike passthrough method) tracked, i.e. firewalld remembers it.
It's useful with org.fedoraproject.FirewallD1.Methods.runtimeToPermanent For permanent operation
see org.fedoraproject.FirewallD1.config.direct.Methods.addPassthrough.
Possible errors: INVALID_IPV, ALREADY_ENABLED, COMMAND_FAILED
addRule(s: ipv, s: table, s: chain, i: priority, as: args) → Nothing
Add a rule with the arguments args to chain in table with priority for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.addRule.
Possible errors: INVALID_IPV, INVALID_TABLE, ALREADY_ENABLED, COMMAND_FAILED
getAllChains() → a(sss)
Get all chains added to all tables in format: ipv, table, chain. This concerns only chains previously added with addChain. Return value is an array of (ipv, table, chain). For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.getAllChains.
ipv (s): either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
table (s): one of filter, mangle, nat, raw, security
chain (s): name of a chain.
getAllPassthroughs() → a(sas)
Get all tracked passthrough rules added in all ipv types in format: ipv, rule. This concerns only rules previously added with addPassthrough. Return value is an array of (ipv, array of arguments). For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.getAllPassthroughs.
ipv (s): either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
arguments (as): array of commands, parameters and other iptables/ip6tables/ebtables command line
options.
getAllRules() → a(sssias)
Get all rules added to all chains in all tables in format: ipv, table, chain, priority, rule. This concerns only rules previously added with addRule. Return value is an array of (ipv, table, chain, priority, array of arguments). For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.getAllRules.
ipv (s): either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
table (s): one of filter, mangle, nat, raw, security
chain (s): name of a chain.
priority (i): used to order rules.
arguments (as): array of commands, parameters and other iptables/ip6tables/ebtables command line
options.
getChains(s: ipv, s: table) → as
Return an array of chains (s) added to table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). This concerns only chains previously added with addChain. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.getChains.
Possible errors: INVALID_IPV, INVALID_TABLE
getPassthroughs(s: ipv) → aas
Get tracked passthrough rules added in either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). This concerns only rules previously added with addPassthrough. Return value is an array of (array of arguments). For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.getPassthroughs.
arguments (as): array of commands, parameters and other iptables/ip6tables/ebtables command line
options.
getRules(s: ipv, s: table, s: chain) → a(ias)
Get all rules added to chain in table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). This concerns only rules previously added with addRule. Return value is an array of (priority, array of arguments). For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.getRules.
priority (i): used to order rules.
arguments (as): array of commands, parameters and other iptables/ip6tables/ebtables command line
options.
Possible errors: INVALID_IPV, INVALID_TABLE
passthrough(s: ipv, as: args) → s
Pass a command through to the firewall. ipv can be either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). args can be all iptables, ip6tables and ebtables command line arguments. This command is untracked, which means that firewalld is not able to provide information about this command later on.
Possible errors: COMMAND_FAILED
queryChain(s: ipv, s: table, s: chain) → b
Return whether a chain exists in table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). This concerns only chains previously added with addChain. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.queryChain.
Possible errors: INVALID_IPV, INVALID_TABLE
queryPassthrough(s: ipv, as: args) → b
Return whether a tracked passthrough rule with the arguments args exists for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). This concerns only rules previously added with addPassthrough. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.queryPassthrough.
Possible errors: INVALID_IPV
queryRule(s: ipv, s: table, s: chain, i: priority, as: args) → b
Return whether a rule with priority and the arguments args exists in chain in table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). This concerns only rules previously added with addRule. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.queryRule.
Possible errors: INVALID_IPV, INVALID_TABLE
removeAllPassthroughs() → Nothing
Remove all passthrough rules previously added with addPassthrough.
removeChain(s: ipv, s: table, s: chain) → Nothing
Remove a chain from table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). Only chains previously added with addChain can be removed this way. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.removeChain.
Possible errors: INVALID_IPV, INVALID_TABLE, NOT_ENABLED, COMMAND_FAILED
removePassthrough(s: ipv, as: args) → Nothing
Remove a tracked passthrough rule with arguments args for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). Only rules previously added with addPassthrough can be removed this way. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.removePassthrough.
Possible errors: INVALID_IPV, NOT_ENABLED, COMMAND_FAILED
removeRule(s: ipv, s: table, s: chain, i: priority, as: args) → Nothing
Remove a rule with priority and arguments args from chain in table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). Only rules previously added with addRule can be removed this way. For permanent operation see org.fedoraproject.FirewallD1.config.direct.Methods.removeRule.
Possible errors: INVALID_IPV, INVALID_TABLE, NOT_ENABLED, COMMAND_FAILED
removeRules(s: ipv, s: table, s: chain) → Nothing
Remove all rules from chain in table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or
eb (ebtables). This concerns only rules previously added with addRule. For permanent operation
see org.fedoraproject.FirewallD1.config.direct.Methods.removeRules.
Possible errors: INVALID_IPV, INVALID_TABLE
Signals
ChainAdded(s: ipv, s: table, s: chain)
Emitted when chain has been added into table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
ChainRemoved(s: ipv, s: table, s: chain)
Emitted when chain has been removed from table for ipv being either ipv4 (iptables) or ipv6
(ip6tables) or eb (ebtables).
PassthroughAdded(s: ipv, as: args)
Emitted when a tracked passthrough rule with args has been added for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
PassthroughRemoved(s: ipv, as: args)
Emitted when a tracked passthrough rule with args has been removed for ipv being either ipv4
(iptables) or ipv6 (ip6tables) or eb (ebtables).
RuleAdded(s: ipv, s: table, s: chain, i: priority, as: args)
Emitted when a rule with args has been added to chain in table with priority for ipv being either
ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
RuleRemoved(s: ipv, s: table, s: chain, i: priority, as: args)
Emitted when a rule with args has been removed from chain in table with priority for ipv being
either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
org.fedoraproject.FirewallD1.zone
Operations in this interface allow one to get, add, remove and query runtime zone settings. For permanent settings see org.fedoraproject.FirewallD1.config.zone interface.
Methods
getZoneSettings2(s: zone) → a{sv}
Return runtime settings of given zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getSettings2. Settings are a dictionary indexed by keywords. For the type of each value see below. If the value is empty it may be omitted.
version (s): see version attribute of zone tag in firewalld.zone(5).
name (s): see short tag in firewalld.zone(5).
description (s): see description tag in firewalld.zone(5).
target (s): see target attribute of zone tag in firewalld.zone(5).
services (as): array of service names, see service tag in firewalld.zone(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.zone(5).
icmp_blocks (as): array of icmp-blocks. See icmp-block tag in firewalld.zone(5).
masquerade (b): see masquerade tag in firewalld.zone(5).
forward_ports (a(ssss)): array of (port, protocol, to-port, to-addr). See forward-port tag in
firewalld.zone(5).
interfaces (as): array of interfaces. See interface tag in firewalld.zone(5).
sources (as): array of source addresses. See source tag in firewalld.zone(5).
rules_str (as): array of rich-language rules. See rule tag in firewalld.zone(5).
protocols (as): array of protocols, see protocol tag in firewalld.zone(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.zone(5).
icmp_block_inversion (b): see icmp-block-inversion tag in firewalld.zone(5).
forward (b): see forward tag in firewalld.zone(5).
ingress-priority (i): see ingress-priority tag in firewalld.zone(5).
egress-priority (i): see egress-priority tag in firewalld.zone(5).
Possible errors: INVALID_ZONE
setZoneSettings2(s: zone, a{sv}: settings, i: timeout)
Set runtime settings of given zone. For setting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.update2. Settings are a dictionary indexed by keywords. For the type of each value see below. To zero a value pass an empty string or list.
services (as): array of service names, see service tag in firewalld.zone(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.zone(5).
icmp_blocks (as): array of icmp-blocks. See icmp-block tag in firewalld.zone(5).
masquerade (b): see masquerade tag in firewalld.zone(5).
forward_ports (a(ssss)): array of (port, protocol, to-port, to-addr). See forward-port tag in
firewalld.zone(5).
interfaces (as): array of interfaces. See interface tag in firewalld.zone(5).
sources (as): array of source addresses. See source tag in firewalld.zone(5).
rules_str (as): array of rich-language rules. See rule tag in firewalld.zone(5).
protocols (as): array of protocols, see protocol tag in firewalld.zone(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.zone(5).
icmp_block_inversion (b): see icmp-block-inversion tag in firewalld.zone(5).
forward (b): see forward tag in firewalld.zone(5).
Possible errors: INVALID_ZONE
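The a{sv} dictionary returned by getZoneSettings2 (and accepted by setZoneSettings2) is what a monitoring or compliance job would read to see what a zone actually exposes at runtime. The script below is an added example and is not firewalld's own code: fetch_zone_settings() calls org.fedoraproject.FirewallD1.zone.getZoneSettings2 through python-dbus (assumed installed, with firewalld running and the caller authorised via polkit), and audit_zone() evaluates the documented keys of that dictionary, so it can also be run offline on a constructed dictionary. The function and constant names (fetch_zone_settings, audit_zone, BUS_NAME, SAMPLE_ZONE) and the sample zone are constructed for this example.

```python
"""Read a zone's runtime settings over firewalld's D-Bus API and audit them.

Added example, not firewalld project code.  fetch_zone_settings() calls
org.fedoraproject.FirewallD1.zone.getZoneSettings2 with python-dbus (assumed
installed; firewalld must be running and the caller authorised by polkit).
audit_zone() works on the a{sv} dictionary that method returns, using the
keys documented in firewalld.dbus(5), so it runs offline on a constructed
dictionary as well.
"""
from __future__ import annotations

import ipaddress
import sys

BUS_NAME = "org.fedoraproject.FirewallD1"
OBJECT_PATH = "/org/fedoraproject/FirewallD1"
ZONE_IFACE = "org.fedoraproject.FirewallD1.zone"

# Constructed sample; the keys and value types follow getZoneSettings2's a{sv}.
SAMPLE_ZONE = {
    "version": "", "name": "Public", "target": "ACCEPT",
    "services": ["ssh"], "ports": [["8000-9000", "tcp"]],
    "masquerade": True, "forward": True,
    "forward_ports": [["80", "tcp", "8080", "10.0.0.5"]],
    "interfaces": ["eth0", "eth1"], "sources": ["0.0.0.0/0"],
    "rules_str": [],
}


def _plain(value):
    """Convert python-dbus wrapper types (String, Boolean, Array, Struct,
    Dictionary) into builtin Python values so the audit is library-agnostic."""
    if type(value).__name__ == "Boolean":
        return bool(value)
    if isinstance(value, dict):
        return {str(k): _plain(v) for k, v in value.items()}
    if isinstance(value, (list, tuple)):
        return [_plain(v) for v in value]
    if isinstance(value, str):
        return str(value)
    if isinstance(value, int):
        return int(value)
    return value


def fetch_zone_settings(zone: str) -> dict:
    """Runtime settings of the named zone via the D-Bus zone interface."""
    import dbus  # imported lazily so audit_zone() works without python-dbus

    obj = dbus.SystemBus().get_object(BUS_NAME, OBJECT_PATH)
    zones = dbus.Interface(obj, dbus_interface=ZONE_IFACE)
    return _plain(zones.getZoneSettings2(zone))


def audit_zone(settings: dict) -> list[str]:
    """Flag zone settings that widen exposure; keys as in getZoneSettings2."""
    notes: list[str] = []
    if str(settings.get("target", "default")).upper() == "ACCEPT":
        notes.append("target ACCEPT: traffic not matched by any rule is accepted")
    if settings.get("masquerade", False):
        notes.append("masquerade enabled: the host NATs traffic it forwards")
    interfaces = settings.get("interfaces", [])
    if settings.get("forward", False) and len(interfaces) > 1:
        notes.append("intra-zone forwarding enabled between " + ", ".join(interfaces))
    for port, proto, toport, toaddr in settings.get("forward_ports", []):
        dest = f"{toaddr or 'local'}:{toport or port}/{proto}"
        notes.append(f"forward-port {port}/{proto} -> {dest}")
    for src in settings.get("sources", []):
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            continue  # MAC addresses and "ipset:name" sources are not networks
        if net.prefixlen == 0:
            notes.append(f"source {src} binds every address to this zone")
    for port, proto in settings.get("ports", []):
        if "-" in port:
            notes.append(f"port range {port}/{proto} is open")
    return notes


if __name__ == "__main__":
    zone = sys.argv[1] if len(sys.argv) > 1 else "public"
    for note in audit_zone(fetch_zone_settings(zone)) or ["no findings"]:
        print(note)
```

Because the audit takes plain dictionaries, the same function can be pointed at the permanent configuration later (org.fedoraproject.FirewallD1.config.zone.Methods.getSettings2 returns the same key layout), which makes runtime-versus-permanent drift easy to spot.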
addForwardPort(s: zone, s: port, s: protocol, s: toport, s: toaddr, i: timeout) → s
Add the IPv4 forward port into zone. If zone is empty, use default zone. The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp or udp. The destination address is a simple IP address. If timeout is non-zero, the operation will be active only for the amount of seconds. For permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.addForwardPort.
Returns name of zone to which the forward port was added.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL, INVALID_ADDR,
INVALID_FORWARD, ALREADY_ENABLED, INVALID_COMMAND
addIcmpBlock(s: zone, s: icmp, i: timeout) → s
Add an ICMP block icmp into zone. The icmp is the one of the icmp types firewalld supports. To get a listing of supported icmp types use org.fedoraproject.FirewallD1.Methods.listIcmpTypes. If zone is empty, use default zone. If timeout is non-zero, the operation will be active only for the amount of seconds. For permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.addIcmpBlock.
Returns name of zone to which the ICMP block was added.
Possible errors: INVALID_ZONE, INVALID_ICMPTYPE, ALREADY_ENABLED, INVALID_COMMAND
addIcmpBlockInversion(s: zone) → s
Add ICMP block inversion to zone. If zone is empty, use default zone. For permanent settings see
org.fedoraproject.FirewallD1.config.zone.Methods.addIcmpBlockInversion.
Returns name of zone to which the ICMP block inversion was added.
Possible errors: INVALID_ZONE, ALREADY_ENABLED, INVALID_COMMAND
addInterface(s: zone, s: interface) → s
Bind interface with zone. From now on all traffic going through the interface will respect the zone's settings. If zone is empty, use default zone. For permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.addInterface.
Returns name of zone to which the interface was bound.
Possible errors: INVALID_ZONE, INVALID_INTERFACE, ALREADY_ENABLED, INVALID_COMMAND
addMasquerade(s: zone, i: timeout) → s
Enable masquerade in zone. If zone is empty, use default zone. If timeout is non-zero, masquerading will be active for the amount of seconds. For permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.addMasquerade.
Returns name of zone in which the masquerade was enabled.
Possible errors: INVALID_ZONE, ALREADY_ENABLED, INVALID_COMMAND
addPort(s: zone, s: port, s: protocol, i: timeout) → s
Add port into zone. If zone is empty, use default zone. The port can either be a single port number or a port range portid-portid. The protocol can either be tcp or udp. If timeout is non-zero, the operation will be active only for the amount of seconds. For permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.addPort.
Returns name of zone to which the port was added.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL, ALREADY_ENABLED,
INVALID_COMMAND
addProtocol(s: zone, s: protocol, i: timeout) → s
Add protocol into zone. If zone is empty, use default zone. The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for supported protocols. If timeout is non-zero, the operation will be active only for the amount of seconds. For permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.addProtocol.
Returns name of zone to which the protocol was added.
Possible errors: INVALID_ZONE, INVALID_PROTOCOL, ALREADY_ENABLED, INVALID_COMMAND
addRichRule(s: zone, s: rule, i: timeout) → s
Add rich language rule into zone. For the rich language rule syntax, please have a look at fire‐
walld.direct(5). If zone is empty, use default zone. If timeout is non-zero, the operation will
be active only for the amount of seconds. For permanent settings see org.fedoraproject.Fire‐
wallD1.config.zone.Methods.addRichRule.
Returns name of zone to which the rich language rule was added.
Possible errors: INVALID_ZONE, INVALID_RULE, ALREADY_ENABLED, INVALID_COMMAND
addService(s: zone, s: service, i: timeout) → s
Add service into zone. If zone is empty, use default zone. If timeout is non-zero, the operation
will be active only for the amount of seconds. To get a list of supported services, use org.fedo‐
raproject.FirewallD1.Methods.listServices. For permanent settings see org.fedoraproject.Fire‐
wallD1.config.zone.Methods.addService.
Returns name of zone to which the service was added.
Possible errors: INVALID_ZONE, INVALID_SERVICE, ALREADY_ENABLED, INVALID_COMMAND
addSource(s: zone, s: source) → s
Bind source with zone. From now on all traffic going from this source will respect the zone's
settings. A source address or address range is either an IP address or a network IP address with
a mask for IPv4 or IPv6. For IPv4, the mask can be a network mask or a plain number. For IPv6 the
mask is a plain number. Use of host names is not supported. If zone is empty, use default zone.
For permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.addSource.
Returns name of zone to which the source was bound.
Possible errors: INVALID_ZONE, INVALID_ADDR, ALREADY_ENABLED, INVALID_COMMAND
addSourcePort(s: zone, s: port, s: protocol, i: timeout) → s
Add source port into zone. If zone is empty, use default zone. The port can either be a single
port number or a port range portid-portid. The protocol can either be tcp or udp. If timeout is
non-zero, the operation will be active only for the amount of seconds. For permanent settings see
org.fedoraproject.FirewallD1.config.zone.Methods.addSourcePort.
Returns name of zone to which the port was added.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL, ALREADY_ENABLED,
INVALID_COMMAND
changeZone(s: zone, s: interface) → s
This function is deprecated, use org.fedoraproject.FirewallD1.zone.Methods.changeZoneOfInterface
instead.
changeZoneOfInterface(s: zone, s: interface) → s
Change a zone an interface is bound to to zone. It's basically removeInterface(interface) fol‐
lowed by addInterface(zone, interface). If interface has not been bound to a zone before, it be‐
haves like addInterface. If zone is empty, use default zone.
Returns name of zone to which the interface was bound.
Possible errors: INVALID_ZONE, ZONE_ALREADY_SET, ZONE_CONFLICT
changeZoneOfSource(s: zone, s: source) → s
Change a zone an source is bound to to zone. It's basically removeSource(source) followed by
addSource(zone, source). If source has not been bound to a zone before, it behaves like
addSource. If zone is empty, use default zone.
Returns name of zone to which the source was bound.
Possible errors: INVALID_ZONE, ZONE_ALREADY_SET, ZONE_CONFLICT
getActiveZones() → a{sa{sas}}
Return dictionary of currently active zones altogether with interfaces and sources used in these
zones. Active zones are zones, that have a binding to an interface or source.
Return value is a dictionary where keys are zone names (s) and values are again dictionaries
where keys are either 'interfaces' or 'sources' and values are arrays of interface names (s) or
sources (s).
getForwardPorts(s: zone) → aas
Return array of IPv4 forward ports previously added into zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getForwardPorts.
Return value is array of 4-tuples, where each 4-tuple consists of (port, protocol, to-port, to-addr). to-addr might be empty in case of local forwarding.
Possible errors: INVALID_ZONE
getIcmpBlocks(s: zone) → as
Return array of ICMP type (s) blocks previously added into zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getIcmpBlocks.
Possible errors: INVALID_ZONE
getIcmpBlockInversion(s: zone) → b
Return whether ICMP block inversion was previously added to zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getIcmpBlockInversion.
Possible errors: INVALID_ZONE
getInterfaces(s: zone) → as
Return array of interfaces (s) previously bound with zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getInterfaces.
Possible errors: INVALID_ZONE
getPorts(s: zone) → aas
Return array of ports (2-tuple of port and protocol) previously enabled in zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getPorts.
Possible errors: INVALID_ZONE
getProtocols(s: zone) → as
Return array of protocols (s) previously enabled in zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getProtocols.
Possible errors: INVALID_ZONE
getRichRules(s: zone) → as
Return array of rich language rules (s) previously added into zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getRichRules.
Possible errors: INVALID_ZONE
getServices(s: zone) → as
Return array of services (s) previously enabled in zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getServices.
Possible errors: INVALID_ZONE
getSourcePorts(s: zone) → aas
Return array of source ports (2-tuple of port and protocol) previously enabled in zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getSourcePorts.
Possible errors: INVALID_ZONE
getSources(s: zone) → as
Return array of sources (s) previously bound with zone. If zone is empty, use default zone. For getting permanent settings see org.fedoraproject.FirewallD1.config.zone.Methods.getSources.
Possible errors: INVALID_ZONE
getZoneOfInterface(s: interface) → s
Return name (s) of zone the interface is bound to or empty string.
getZoneOfSource(s: source) → s
Return name (s) of zone the source is bound to or empty string.
getZones() → as
Return array of names (s) of predefined zones known to current runtime environment. For list of
zones known to permanent environment see org.fedoraproject.FirewallD1.config.Methods.listZones.
The lists (of zones known to runtime and permanent environment) will contain same zones in most
cases, but might differ for example if org.fedoraproject.FirewallD1.config.Methods.addZone has
been called recently, but firewalld has not been reloaded since then.
isImmutable(s: zone) → b
Deprecated.
queryForwardPort(s: zone, s: port, s: protocol, s: toport, s: toaddr) → b
Return whether the IPv4 forward port (port, protocol, toport, toaddr) has been added into zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryForwardPort.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL, INVALID_ADDR, INVALID_FORWARD
queryIcmpBlock(s: zone, s: icmp) → b
Return whether an ICMP block for icmp has been added into zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryIcmpBlock.
Possible errors: INVALID_ZONE, INVALID_ICMPTYPE
queryIcmpBlockInversion(s: zone) → b
Return whether ICMP block inversion has been added to zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryIcmpBlockInversion.
Possible errors: INVALID_ZONE, INVALID_ICMPTYPE
queryInterface(s: zone, s: interface) → b
Query whether interface has been bound to zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryInterface.
Possible errors: INVALID_ZONE, INVALID_INTERFACE
queryMasquerade(s: zone) → b
Return whether masquerading has been enabled in zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryMasquerade.
Possible errors: INVALID_ZONE
queryPort(s: zone, s: port, s: protocol) → b
Return whether port/protocol has been added in zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryPort.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL
queryProtocol(s: zone, s: protocol) → b
Return whether protocol has been added in zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryProtocol.
Possible errors: INVALID_ZONE, INVALID_PROTOCOL
queryRichRule(s: zone, s: rule) → b
Return whether rich rule rule has been added in zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryRichRule.
Possible errors: INVALID_ZONE, INVALID_RULE
queryService(s: zone, s: service) → b
Return whether service has been added for zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.queryService.
Possible errors: INVALID_ZONE, INVALID_SERVICE
querySource(s: zone, s: source) → b
Query whether source has been bound to zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.querySource.
Possible errors: INVALID_ZONE, INVALID_ADDR
querySourcePort(s: zone, s: port, s: protocol) → b
Return whether source port/protocol has been added in zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.querySourcePort.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL
removeForwardPort(s: zone, s: port, s: protocol, s: toport, s: toaddr) → s
Remove IPv4 forward port (port, protocol, toport, toaddr) from zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeForwardPort.
Returns name of zone from which the forward port was removed.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL, INVALID_ADDR, INVALID_FORWARD, NOT_ENABLED, INVALID_COMMAND
removeIcmpBlock(s: zone, s: icmp) → s
Remove ICMP block icmp from zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeIcmpBlock.
Returns name of zone from which the ICMP block was removed.
Possible errors: INVALID_ZONE, INVALID_ICMPTYPE, NOT_ENABLED, INVALID_COMMAND
removeIcmpBlockInversion(s: zone) → s
Remove ICMP block inversion from zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeIcmpBlockInversion.
Returns name of zone from which the ICMP block inversion was removed.
Possible errors: INVALID_ZONE, NOT_ENABLED, INVALID_COMMAND
removeInterface(s: zone, s: interface) → s
Remove binding of interface from zone. If zone is empty, the interface will be removed from the zone it belongs to. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeInterface.
Returns name of zone from which the interface was removed.
Possible errors: INVALID_ZONE, INVALID_INTERFACE, NOT_ENABLED, INVALID_COMMAND
removeMasquerade(s: zone) → s
Disable masquerade for zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeMasquerade.
Returns name of zone for which the masquerade was disabled.
Possible errors: INVALID_ZONE, NOT_ENABLED, INVALID_COMMAND
removePort(s: zone, s: port, s: protocol) → s
Remove port/protocol from zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removePort.
Returns name of zone from which the port was removed.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL, NOT_ENABLED, INVALID_COMMAND
removeProtocol(s: zone, s: protocol) → s
Remove protocol from zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeProtocol.
Returns name of zone from which the protocol was removed.
Possible errors: INVALID_ZONE, INVALID_PROTOCOL, NOT_ENABLED, INVALID_COMMAND
removeRichRule(s: zone, s: rule) → s
Remove rich language rule from zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeRichRule.
Returns name of zone from which the rich language rule was removed.
Possible errors: INVALID_ZONE, INVALID_RULE, NOT_ENABLED, INVALID_COMMAND
removeService(s: zone, s: service) → s
Remove service from zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeService.
Returns name of zone from which the service was removed.
Possible errors: INVALID_ZONE, INVALID_SERVICE, NOT_ENABLED, INVALID_COMMAND
removeSource(s: zone, s: source) → s
Remove binding of source from zone. If zone is empty, the source will be removed from the zone it belongs to. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeSource.
Returns name of zone from which the source was removed.
Possible errors: INVALID_ZONE, INVALID_ADDR, NOT_ENABLED, INVALID_COMMAND
removeSourcePort(s: zone, s: port, s: protocol) → s
Remove source port/protocol from zone. If zone is empty, use default zone. For permanent operation see org.fedoraproject.FirewallD1.config.zone.Methods.removeSourcePort.
Returns name of zone from which the source port was removed.
Possible errors: INVALID_ZONE, INVALID_PORT, MISSING_PROTOCOL, INVALID_PROTOCOL, NOT_ENABLED, INVALID_COMMAND
Signals
ForwardPortAdded(s: zone, s: port, s: protocol, s: toport, s: toaddr, i: timeout)
Emitted when forward port has been added to zone with timeout.
ForwardPortRemoved(s: zone, s: port, s: protocol, s: toport, s: toaddr)
Emitted when forward port has been removed from zone.
IcmpBlockAdded(s: zone, s: icmp, i: timeout)
Emitted when ICMP block for icmp has been added to zone with timeout.
IcmpBlockInversionAdded(s: zone)
Emitted when ICMP block inversion has been added to zone.
IcmpBlockInversionRemoved(s: zone)
Emitted when ICMP block inversion has been removed from zone.
IcmpBlockRemoved(s: zone, s: icmp)
Emitted when ICMP block for icmp has been removed from zone.
InterfaceAdded(s: zone, s: interface)
Emitted when interface has been added to zone.
InterfaceRemoved(s: zone, s: interface)
Emitted when interface has been removed from zone.
MasqueradeAdded(s: zone, i: timeout)
Emitted when masquerade has been enabled for zone.
MasqueradeRemoved(s: zone)
Emitted when masquerade has been disabled for zone.
PortAdded(s: zone, s: port, s: protocol, i: timeout)
Emitted when port/protocol has been added to zone with timeout.
PortRemoved(s: zone, s: port, s: protocol)
Emitted when port/protocol has been removed from zone.
ProtocolAdded(s: zone, s: protocol, i: timeout)
Emitted when protocol has been added to zone with timeout.
ProtocolRemoved(s: zone, s: protocol)
Emitted when protocol has been removed from zone.
RichRuleAdded(s: zone, s: rule, i: timeout)
Emitted when rich language rule has been added to zone with timeout.
RichRuleRemoved(s: zone, s: rule)
Emitted when rich language rule has been removed from zone.
ServiceAdded(s: zone, s: service, i: timeout)
Emitted when service has been added to zone with timeout.
ServiceRemoved(s: zone, s: service)
Emitted when service has been removed from zone.
SourceAdded(s: zone, s: source)
Emitted when source has been added to zone.
SourcePortAdded(s: zone, s: port, s: protocol, i: timeout)
Emitted when source-port/protocol has been added to zone with timeout.
SourcePortRemoved(s: zone, s: port, s: protocol)
Emitted when source-port/protocol has been removed from zone.
SourceRemoved(s: zone, s: source)
Emitted when source has been removed from zone.
ZoneChanged(s: zone, s: interface)
Deprecated
ZoneOfInterfaceChanged(s: zone, s: interface)
Emitted when the zone an interface is part of has been changed to zone.
ZoneOfSourceChanged(s: zone, s: source)
Emitted when the zone a source is part of has been changed to zone.
ZoneUpdated2(s: zone, a{sv}: settings)
Emitted when a zone's settings are updated via org.fedoraproject.FirewallD1.zone.Methods.setZoneSettings2
org.fedoraproject.FirewallD1.policy
Operations in this interface allow one to get, add, remove and query runtime policy settings. For permanent settings see org.fedoraproject.FirewallD1.config.policy interface.
Methods
getActivePolicies() → a{sa{sas}}
Return dictionary of currently active policies altogether with ingress zones and egress zones used in these policies. Active policies are policies that have a binding to an active ingress zone and an active egress zone.
Return value is a dictionary where keys are policy names (s) and values are again dictionaries where keys are either 'ingress_zones' or 'egress_zones' and values are arrays of zone names (s).
getPolicies() → as
Return array of names (s) of predefined policies known to current runtime environment. For list of policies known to permanent environment see org.fedoraproject.FirewallD1.config.Methods.listPolicies. The lists (of policies known to runtime and permanent environment) will contain same policies in most cases, but might differ for example if org.fedoraproject.FirewallD1.config.Methods.addPolicy has been called recently, but firewalld has not been reloaded since then.
getPolicySettings(s: policy) → a{sv}
Return runtime settings of given policy. For getting permanent settings see org.fedoraproject.FirewallD1.config.policy.Methods.getSettings. Settings are a dictionary indexed by keywords. For possible keywords see org.fedoraproject.FirewallD1.config.Methods.addPolicy. If the value is empty it may be omitted.
Possible errors: INVALID_POLICY
setPolicySettings(s: policy, a{sv}: settings, i: timeout)
Set runtime settings of given policy. For setting permanent settings see org.fedoraproject.FirewallD1.config.policy.Methods.update. Settings are a dictionary indexed by keywords. For possible keywords see org.fedoraproject.FirewallD1.config.Methods.addPolicy. To zero a value pass an empty string or list. Some keywords are not available to modify in the runtime: description, name, priority, target, version.
Possible errors: INVALID_POLICY
Signals
ForwardPortAdded(s: policy, a{sv}: settings)
Emitted when a policy's settings are updated via org.fedoraproject.FirewallD1.policy.Methods.setPolicySettings
org.fedoraproject.FirewallD1.config
Allows one to permanently add, remove and query zones, services and icmp types.
Methods
addIPSet(s: ipset, (ssssa{ss}as): settings) → o
Add ipset with given settings into permanent configuration. Settings are in format: version, name, description, type, dictionary of options and array of entries.
version (s): see version attribute of ipset tag in firewalld.ipset(5).
name (s): see short tag in firewalld.ipset(5).
description (s): see description tag in firewalld.ipset(5).
type (s): see type attribute of ipset tag in firewalld.ipset(5).
options (a{ss}): dictionary of {option : value}. See options tag in firewalld.ipset(5).
entries (as): array of entries, see entry tag in firewalld.ipset(5).
Possible errors: NAME_CONFLICT, INVALID_NAME, INVALID_TYPE
addIcmpType(s: icmptype, (sssas): settings) → o
Add icmptype with given settings into permanent configuration. Settings are in format: version, name, description, array of destinations. Returns object path of the new icmp type.
version (s): see version attribute of icmptype tag in firewalld.icmptype(5).
name (s): see short tag in firewalld.icmptype(5).
description (s): see description tag in firewalld.icmptype(5).
destinations (as): array, either empty or containing strings 'ipv4' or 'ipv6', see destination tag in firewalld.icmptype(5).
Possible errors: NAME_CONFLICT, INVALID_NAME, INVALID_TYPE
addService(s: service, (sssa(ss)asa{ss}asa(ss)): settings) → o
This function is deprecated, use org.fedoraproject.FirewallD1.config.Methods.addService2 instead.
addService2(s: service, a{sv}: settings) → o
Add service with given settings into permanent configuration. Settings are a dictionary indexed by keywords. For the type of each value see below. To zero a value pass an empty string or list.
version (s): see version attribute of service tag in firewalld.service(5).
name (s): see short tag in firewalld.service(5).
description (s): see description tag in firewalld.service(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.service(5).
module names (as): array of kernel netfilter helpers, see module tag in firewalld.service(5).
destinations (a{ss}): dictionary of {IP family : IP address} where 'IP family' key can be either 'ipv4' or 'ipv6'. See destination tag in firewalld.service(5).
protocols (as): array of protocols, see protocol tag in firewalld.service(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.service(5).
includes (as): array of service includes, see include tag in firewalld.service(5).
helpers (as): array of service helpers, see helper tag in firewalld.service(5).
Possible errors: NAME_CONFLICT, INVALID_NAME, INVALID_TYPE
addZone(s: zone, (sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) → o
This function is deprecated, use org.fedoraproject.FirewallD1.config.Methods.addZone2 instead.
addZone2(s: zone, a{sv}: settings) → o
Add zone with given settings into permanent configuration. Settings are a dictionary indexed by keywords. For the type of each value see below. To zero a value pass an empty string or list.
version (s): see version attribute of zone tag in firewalld.zone(5).
name (s): see short tag in firewalld.zone(5).
description (s): see description tag in firewalld.zone(5).
target (s): see target attribute of zone tag in firewalld.zone(5).
services (as): array of service names, see service tag in firewalld.zone(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.zone(5).
icmp_blocks (as): array of icmp-blocks. See icmp-block tag in firewalld.zone(5).
masquerade (b): see masquerade tag in firewalld.zone(5).
forward_ports (a(ssss)): array of (port, protocol, to-port, to-addr). See forward-port tag in firewalld.zone(5).
interfaces (as): array of interfaces. See interface tag in firewalld.zone(5).
sources (as): array of source addresses. See source tag in firewalld.zone(5).
rules_str (as): array of rich-language rules. See rule tag in firewalld.zone(5).
protocols (as): array of protocols, see protocol tag in firewalld.zone(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.zone(5).
icmp_block_inversion (b): see icmp-block-inversion tag in firewalld.zone(5).
forward (b): see forward tag in firewalld.zone(5).
ingress_priority (i): see ingress-priority tag in firewalld.zone(5).
egress_priority (i): see egress-priority tag in firewalld.zone(5).
Possible errors: NAME_CONFLICT, INVALID_NAME, INVALID_TYPE
addPolicy(s: policy, a{sv}: settings) → o
Add policy with given settings into permanent configuration. Settings are a dictionary indexed by keywords. For the type of each value see below. If a keyword is omitted the default value will be used.
description (s): see description tag in firewalld.policy(5).
egress_zones (as): array of zone names. See egress-zone tag in firewalld.policy(5).
forward_ports (a(ssss)): array of (port, protocol, to-port, to-addr). See forward-port tag in firewalld.policy(5).
icmp_blocks (as): array of icmp-blocks. See icmp-block tag in firewalld.policy(5).
ingress_zones (as): array of zone names. See ingress-zone tag in firewalld.policy(5).
masquerade (b): see masquerade tag in firewalld.policy(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.policy(5).
priority (i): see priority tag in firewalld.policy(5).
protocols (as): array of protocols, see protocol tag in firewalld.policy(5).
rich_rules (as): array of rich-language rules. See rule tag in firewalld.policy(5).
services (as): array of service names, see service tag in firewalld.policy(5).
short (s): see short tag in firewalld.policy(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.policy(5).
target (s): see target attribute of policy tag in firewalld.policy(5).
version (s): see version attribute of policy tag in firewalld.policy(5).
Possible errors: NAME_CONFLICT, INVALID_NAME, INVALID_TYPE
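The argument rules the zone methods above spell out (addPort's port/portid-portid with tcp or udp, addSource's address-or-network with no host names) and the typed a{sv} dictionaries that addZone2, addPolicy and setPolicySettings expect are easy to get wrong from a script, and the daemon only answers with one of the listed error names. The following is an added example, not firewalld's own code, that models those checks offline using the keywords and types documented in this section; the D-Bus calls in main() are an assumption that dbus-python is installed and firewalld is running on the system bus, and the zone "mgmt" with its addresses is a constructed sample.

```python
"""Offline model of the firewalld D-Bus argument checks documented in
firewalld.dbus(5) (added example; not firewalld's own code)."""
import ipaddress
import re

PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # "portid" or "portid-portid"


class FirewallDError(Exception):
    """Carries the error name the man page lists under 'Possible errors'."""

    def __init__(self, code, detail=""):
        super().__init__(f"{code}: {detail}" if detail else code)
        self.code = code


def validate_port(port, protocol):
    """addPort/addSourcePort: single port or range portid-portid, tcp or udp."""
    if not protocol:
        raise FirewallDError("MISSING_PROTOCOL", str(port))
    if protocol not in ("tcp", "udp"):  # the man page only names tcp and udp
        raise FirewallDError("INVALID_PROTOCOL", protocol)
    m = PORT_RE.match(str(port))
    if not m:
        raise FirewallDError("INVALID_PORT", str(port))
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= lo <= hi <= 65535:
        raise FirewallDError("INVALID_PORT", str(port))
    return str(port), protocol


def validate_source(source):
    """addSource: IP address or network with mask/prefix; host names are rejected."""
    try:
        ipaddress.ip_network(source, strict=False)  # accepts 10.0.0.0/255.0.0.0 and ::1/128
    except ValueError as exc:
        raise FirewallDError("INVALID_ADDR", source) from exc
    return source


# keyword -> D-Bus signature, copied from the addZone2 / addPolicy keyword lists
ZONE_SETTINGS = {
    "version": "s", "name": "s", "description": "s", "target": "s",
    "services": "as", "ports": "a(ss)", "icmp_blocks": "as", "masquerade": "b",
    "forward_ports": "a(ssss)", "interfaces": "as", "sources": "as",
    "rules_str": "as", "protocols": "as", "source_ports": "a(ss)",
    "icmp_block_inversion": "b", "forward": "b",
    "ingress_priority": "i", "egress_priority": "i",
}
POLICY_SETTINGS = {
    "description": "s", "egress_zones": "as", "forward_ports": "a(ssss)",
    "icmp_blocks": "as", "ingress_zones": "as", "masquerade": "b",
    "ports": "a(ss)", "priority": "i", "protocols": "as", "rich_rules": "as",
    "services": "as", "short": "s", "source_ports": "a(ss)", "target": "s",
    "version": "s",
}
# setPolicySettings: keywords that cannot be modified in the runtime configuration
POLICY_RUNTIME_IMMUTABLE = {"description", "name", "priority", "target", "version"}
SCALAR = {"s": str, "b": bool, "i": int}


def _check_value(keyword, sig, value):
    bad_type = FirewallDError("INVALID_TYPE", f"{keyword} expects {sig}")
    if sig in SCALAR:
        # bool is a subclass of int in Python, so True must not pass as an "i"
        if not isinstance(value, SCALAR[sig]) or (sig == "i" and isinstance(value, bool)):
            raise bad_type
        return
    if not isinstance(value, (list, tuple)):
        raise bad_type
    for item in value:
        if sig == "as":
            if not isinstance(item, str):
                raise bad_type
            if keyword == "sources":
                validate_source(item)
        elif sig == "a(ss)":
            if len(item) != 2:
                raise bad_type
            validate_port(*item)
        elif sig == "a(ssss)":  # (port, protocol, to-port, to-addr); to-addr may be empty
            if len(item) != 4:
                raise bad_type
            port, proto, toport, toaddr = item
            validate_port(port, proto)
            if toport:
                validate_port(toport, proto)
            if toaddr:
                validate_source(toaddr)


def check_settings(settings, schema):
    """Validate an a{sv} settings dict against the documented keyword types."""
    for keyword, value in settings.items():
        if keyword not in schema:
            raise KeyError(f"unknown keyword {keyword!r}")  # this script's own check
        _check_value(keyword, schema[keyword], value)
    return settings


def runtime_policy_settings(settings):
    """Settings for setPolicySettings: reject keywords the man page marks runtime-immutable."""
    immutable = POLICY_RUNTIME_IMMUTABLE & set(settings)
    if immutable:
        raise ValueError(f"not modifiable at runtime: {sorted(immutable)}")
    return check_settings(settings, POLICY_SETTINGS)


def error_code(fn, *args):
    """Return the error name a call raises, or None when it succeeds."""
    try:
        fn(*args)
    except FirewallDError as exc:
        return exc.code
    except (KeyError, ValueError) as exc:
        return type(exc).__name__
    return None


# Constructed sample: a management zone that drops everything except ssh and one
# TCP port, reachable only from a documentation network (RFC 5737).
EXAMPLE_ZONE = {
    "version": "1.0", "name": "mgmt", "description": "admin access only",
    "target": "DROP", "services": ["ssh"], "sources": ["192.0.2.0/24"],
    "ports": [("8443", "tcp")], "masquerade": False, "forward": False,
}
```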
getHelperByName(s: helper) → o
Return object path (permanent configuration) of helper with given name.
Possible errors: INVALID_HELPER
getHelperNames() → as
Return list of helper names (permanent configuration).
getIPSetByName(s: ipset) → o
Return object path (permanent configuration) of ipset with given name.
Possible errors: INVALID_IPSET
getIPSetNames() → as
Return list of ipset names (permanent configuration).
getIcmpTypeByName(s: icmptype) → o
Return object path (permanent configuration) of icmptype with given name.
Possible errors: INVALID_ICMPTYPE
getIcmpTypeNames() → as
Return list of icmptype names (permanent configuration).
getServiceByName(s: service) → o
Return object path (permanent configuration) of service with given name.
Possible errors: INVALID_SERVICE
getServiceNames() → as
Return list of service names (permanent configuration).
getZoneByName(s: zone) → o
Return object path (permanent configuration) of zone with given name.
Possible errors: INVALID_ZONE
getZoneNames() → as
Return list of zone names (permanent configuration).
getZoneOfInterface(s: iface) → s
Return name of zone the iface is bound to or empty string.
getZoneOfSource(s: source) → s
Return name of zone the source is bound to or empty string.
getPolicyByName(s: policy) → o
Return object path (permanent configuration) of policy with given name.
Possible errors: INVALID_POLICY
getPolicyNames() → as
Return list of policy names (permanent configuration).
listHelpers() → ao
Return array of object paths (o) of helpers in permanent configuration. For runtime configuration see org.fedoraproject.FirewallD1.Methods.getHelpers.
listIPSets() → ao
Return array of object paths (o) of ipsets in permanent configuration. For runtime configuration see org.fedoraproject.FirewallD1.ipset.Methods.getIPSets.
listIcmpTypes() → ao
Return array of object paths (o) of icmp types in permanent configuration. For runtime configuration see org.fedoraproject.FirewallD1.Methods.listIcmpTypes.
listServices() → ao
Return array of object paths (o) of services in permanent configuration. For runtime configuration see org.fedoraproject.FirewallD1.Methods.listServices.
listZones() → ao
List object paths of zones known to permanent environment. For list of zones known to runtime environment see org.fedoraproject.FirewallD1.zone.Methods.getZones. The lists (of zones known to runtime and permanent environment) will contain same zones in most cases, but might differ for example if org.fedoraproject.FirewallD1.config.Methods.addZone has been called recently, but firewalld has not been reloaded since then.
listPolicies() → ao
List object paths of policies known to permanent environment. For list of policies known to runtime environment see org.fedoraproject.FirewallD1.policy.Methods.getPolicies. The lists (of policies known to runtime and permanent environment) will contain same policies in most cases, but might differ for example if org.fedoraproject.FirewallD1.config.Methods.addPolicy has been called recently, but firewalld has not been reloaded since then.
Signals
HelperAdded(s: helper)
Emitted when helper has been added.
IPSetAdded(s: ipset)
Emitted when ipset has been added.
IcmpTypeAdded(s: icmptype)
Emitted when icmptype has been added.
ServiceAdded(s: service)
Emitted when service has been added.
ZoneAdded(s: zone)
Emitted when zone has been added.
Properties
AllowZoneDrifting - s - (rw)
Deprecated. Getting this value always returns "no". Setting this value is ignored.
AutomaticHelpers - s - (rw)
Deprecated. Getting this value always returns "no". Setting this value is ignored.
CleanupModulesOnExit - s - (rw)
Setting this option to yes or true unloads all firewall-related kernel modules when firewalld is
stopped.
CleanupOnExit - s - (rw)
If firewalld stops, it cleans up all firewall rules. Setting this option to no or false leaves
the current firewall rules untouched.
DefaultZone - s - (ro)
Default zone for connections or interfaces if the zone is not selected or specified by NetworkManager, initscripts or command line tool.
FirewallBackend - s - (rw)
Selects the firewalld backend for all rules except the direct interface. Valid options are: nftables, iptables. Default is nftables.
Note: The iptables backend is deprecated. It will be removed in a future release.
FlushAllOnReload - s - (rw)
Flush all runtime rules on a reload. Valid options are: yes, no.
IPv6_rpfilter - b - (rw)
Deprecated. See org.fedoraproject.FirewallD1.config.Properties.IPv6_rpfilter2.
IPv6_rpfilter2 - s - (rw)
Indicates whether the reverse path filter (RFC 3704) test on a packet for IPv6 is enabled.
IndividualCalls - s - (ro)
Indicates whether individual calls instead of combined -restore calls are used. If enabled, this increases the time that is needed to apply changes and to start the daemon, but is good for debugging.
LogDenied - s - (rw)
If LogDenied is enabled, then logging rules are added right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones. Possible values are: all, unicast, broadcast, multicast and off.
MinimalMark - i - (rw)
Deprecated. This option is ignored and no longer used. Marks are no longer used internally.
RFC3964_IPv4 - s - (rw)
As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that correspond to IPv4 addresses that should not be routed over the public internet. Valid options are: yes, no.
StrictForwardPorts - s - (rw)
If set to yes, the generated destination NAT (DNAT) rules will NOT accept traffic that was DNAT'd by other entities, e.g. docker. Firewalld will be strict and not allow published container ports until they're explicitly allowed via firewalld. If set to no, then docker (and podman) integrates seamlessly with firewalld. Published container ports are implicitly allowed.
NftablesFlowtable - s - (rw)
This may improve forwarded traffic throughput by enabling nftables flowtable. It is a software fastpath and avoids calling nftables rule evaluation for data packets. Its value is a space separated list of interfaces.
NftablesCounters - s - (rw)
If set to yes, add a counter to every nftables rule. This is useful for debugging and comes with a small performance cost.
NftablesTableOwner - s - (rw)
If set to yes, the generated nftables rule set will be owned exclusively by firewalld. This prevents other entities from mistakenly (or maliciously) modifying firewalld's rule set. If you intentionally modify firewalld's rules, then you will have to set this to "no".
org.fedoraproject.FirewallD1.config.direct
DEPRECATED
The direct interface has been deprecated. It will be removed in a future release. It is superseded by
policies, see firewalld.policies(5).
Interface for permanent direct configuration, see also firewalld.direct(5). For runtime direct configura‐
tion see org.fedoraproject.FirewallD1.direct interface.
Methods
addChain(s: ipv, s: table, s: chain) → Nothing
Add a new chain to table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
Make sure there's no other chain with this name already. There already exist basic chains
to use with direct methods, for example INPUT_direct chain. These chains are jumped into before
chains for zones, i.e. every rule put into INPUT_direct will be checked before rules in zones.
For runtime operation see org.fedoraproject.FirewallD1.direct.Methods.addChain.
Possible errors: INVALID_IPV, INVALID_TABLE, ALREADY_ENABLED
addPassthrough(s: ipv, as: args) → Nothing
Add a passthrough rule with the arguments args for ipv being either ipv4 (iptables) or ipv6
(ip6tables) or eb (ebtables). For runtime operation see
org.fedoraproject.FirewallD1.direct.Methods.addPassthrough.
Possible errors: INVALID_IPV, ALREADY_ENABLED
addRule(s: ipv, s: table, s: chain, i: priority, as: args) → Nothing
Add a rule with the arguments args to chain in table with priority for ipv being either ipv4
(iptables) or ipv6 (ip6tables) or eb (ebtables). The priority is used to order rules. Priority 0
means add rule on top of the chain, with a higher priority the rule will be added further down.
Rules with the same priority are on the same level and the order of these rules is not fixed and
may change. If you want to make sure that a rule will be added after another one, use a low
priority for the first and a higher for the following. For runtime operation see
org.fedoraproject.FirewallD1.direct.Methods.addRule.
Possible errors: INVALID_IPV, INVALID_TABLE, ALREADY_ENABLED
getAllChains() → a(sss)
Get all chains added to all tables in format: ipv, table, chain. This concerns only chains
previously added with addChain. Return value is an array of (ipv, table, chain). For runtime
operation see org.fedoraproject.FirewallD1.direct.Methods.getAllChains.
ipv (s): either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
table (s): one of filter, mangle, nat, raw, security
chain (s): name of a chain.
getAllPassthroughs() → a(sas)
Get all passthrough rules added in all ipv types in format: ipv, rule. This concerns only rules
previously added with addPassthrough. Return value is an array of (ipv, array of arguments). For
runtime operation see org.fedoraproject.FirewallD1.direct.Methods.getAllPassthroughs.
ipv (s): either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
arguments (as): array of commands, parameters and other iptables/ip6tables/ebtables command line
options.
getAllRules() → a(sssias)
Get all rules added to all chains in all tables in format: ipv, table, chain, priority, rule.
This concerns only rules previously added with addRule. Return value is an array of (ipv, table,
chain, priority, array of arguments). For runtime operation see
org.fedoraproject.FirewallD1.direct.Methods.getAllRules.
ipv (s): either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables).
table (s): one of filter, mangle, nat, raw, security
chain (s): name of a chain.
priority (i): used to order rules.
arguments (as): array of commands, parameters and other iptables/ip6tables/ebtables command line
options.
getChains(s: ipv, s: table) → as
Return an array of chains (s) added to table for ipv being either ipv4 (iptables) or ipv6
(ip6tables) or eb (ebtables). This concerns only chains previously added with addChain. For runtime
operation see org.fedoraproject.FirewallD1.direct.Methods.getChains.
Possible errors: INVALID_IPV, INVALID_TABLE
getPassthroughs(s: ipv) → aas
Get tracked passthrough rules added in either ipv4 (iptables) or ipv6 (ip6tables) or eb
(ebtables). This concerns only rules previously added with addPassthrough. Return value is an array
of (array of arguments). For runtime operation see
org.fedoraproject.FirewallD1.direct.Methods.getPassthroughs.
arguments (as): array of commands, parameters and other iptables/ip6tables/ebtables command line
options.
getRules(s: ipv, s: table, s: chain) → a(ias)
Get all rules added to chain in table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or
eb (ebtables). This concerns only rules previously added with addRule. Return value is an array of
(priority, array of arguments). For runtime operation see
org.fedoraproject.FirewallD1.direct.Methods.getRules.
priority (i): used to order rules.
arguments (as): array of commands, parameters and other iptables/ip6tables/ebtables command line
options.
Possible errors: INVALID_IPV, INVALID_TABLE
getSettings() → (a(sss)a(sssias)a(sas))
Get settings of permanent direct configuration in format: array of chains, array of rules, array
of passthroughs.
chains (a(sss)): array of (ipv, table, chain), see 'chain' in firewalld.direct(5).
rules (a(sssias)): array of (ipv, table, chain, priority, array of arguments), see 'rule' in
firewalld.direct(5).
passthroughs (a(sas)): array of (ipv, array of arguments), see passthrough in firewalld.direct(5).
queryChain(s: ipv, s: table, s: chain) → b
Return whether a chain exists in table for ipv being either ipv4 (iptables) or ipv6 (ip6tables)
or eb (ebtables). This concerns only chains previously added with addChain. For runtime operation
see org.fedoraproject.FirewallD1.direct.Methods.queryChain.
Possible errors: INVALID_IPV, INVALID_TABLE
queryPassthrough(s: ipv, as: args) → b
Return whether a tracked passthrough rule with the arguments args exists for ipv being either
ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). This concerns only rules previously added
with addPassthrough. For runtime operation see
org.fedoraproject.FirewallD1.direct.Methods.queryPassthrough.
Possible errors: INVALID_IPV
queryRule(s: ipv, s: table, s: chain, i: priority, as: args) → b
Return whether a rule with priority and the arguments args exists in chain in table for ipv being
either ipv4 (iptables) or ipv6 (ip6tables) or eb (ebtables). This concerns only rules previously
added with addRule. For runtime operation see
org.fedoraproject.FirewallD1.direct.Methods.queryRule.
Possible errors: INVALID_IPV, INVALID_TABLE
removeChain(s: ipv, s: table, s: chain) → Nothing
Remove a chain from table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or eb
(ebtables). Only chains previously added with addChain can be removed this way. For runtime
operation see org.fedoraproject.FirewallD1.direct.Methods.removeChain.
Possible errors: INVALID_IPV, INVALID_TABLE, NOT_ENABLED
removePassthrough(s: ipv, as: args) → Nothing
Remove a passthrough rule with arguments args for ipv being either ipv4 (iptables) or ipv6
(ip6tables) or eb (ebtables). Only rules previously added with addPassthrough can be removed this
way. For runtime operation see org.fedoraproject.FirewallD1.direct.Methods.removePassthrough.
Possible errors: INVALID_IPV, NOT_ENABLED
removeRule(s: ipv, s: table, s: chain, i: priority, as: args) → Nothing
Remove a rule with priority and arguments args from chain in table for ipv being either ipv4
(iptables) or ipv6 (ip6tables) or eb (ebtables). Only rules previously added with addRule can be
removed this way. For runtime operation see org.fedoraproject.FirewallD1.direct.Methods.re‐
moveRule.
Possible errors: INVALID_IPV, INVALID_TABLE, NOT_ENABLED
removeRules(s: ipv, s: table, s: chain) → Nothing
Remove all rules from chain in table for ipv being either ipv4 (iptables) or ipv6 (ip6tables) or
eb (ebtables). This concerns only rules previously added with addRule. For runtime operation see
org.fedoraproject.FirewallD1.direct.Methods.removeRules.
Possible errors: INVALID_IPV, INVALID_TABLE
update((a(sss)a(sssias)a(sas)): settings) → Nothing
Update permanent direct configuration with given settings. Settings are in format: array of
chains, array of rules, array of passthroughs.
chains (a(sss)): array of (ipv, table, chain), see 'chain' in firewalld.direct(5).
rules (a(sssias)): array of (ipv, table, chain, priority, array of arguments), see 'rule' in
firewalld.direct(5).
passthroughs (a(sas)): array of (ipv, array of arguments), see passthrough in firewalld.direct(5).
Possible errors: INVALID_TYPE
Signals
Updated()
Emitted when configuration has been updated.
org.fedoraproject.FirewallD1.config.ipset
Interface for permanent ipset configuration, see also firewalld.ipset(5).
Methods
addEntry(s: entry) → Nothing
Permanently add entry to list of entries of ipset. See entry tag in firewalld.ipset(5). For
runtime operation see org.fedoraproject.FirewallD1.ipset.Methods.addEntry.
Possible errors: ALREADY_ENABLED
addOption(s: key, s: value) → Nothing
Permanently add (key, value) to the ipset. See option tag in firewalld.ipset(5).
Possible errors: ALREADY_ENABLED
getDescription() → s
Get description of ipset. See description tag in firewalld.ipset(5).
getEntries() → as
Get list of entries added to ipset. See entry tag in firewalld.ipset(5). For runtime operation
see org.fedoraproject.FirewallD1.ipset.Methods.getEntries.
Possible errors: IPSET_WITH_TIMEOUT
getOptions() → a{ss}
Get dictionary of options set for ipset. See option tag in firewalld.ipset(5).
getSettings() → (ssssa{ss}as)
Return permanent settings of the ipset. For getting runtime settings see
org.fedoraproject.FirewallD1.ipset.Methods.getIPSetSettings. Settings are in format: version, name,
description, type, dictionary of options and array of entries.
version (s): see version attribute of ipset tag in firewalld.ipset(5).
name (s): see short tag in firewalld.ipset(5).
description (s): see description tag in firewalld.ipset(5).
type (s): see type attribute of ipset tag in firewalld.ipset(5).
options (a{ss}): dictionary of {option : value} . See options tag in firewalld.ipset(5).
entries (as): array of entries, see entry tag in firewalld.ipset(5).
getShort() → s
Get name of ipset. See short tag in firewalld.ipset(5).
getType() → s
Get type of ipset. See type attribute of ipset tag in firewalld.ipset(5).
getVersion() → s
Get version of ipset. See version attribute of ipset tag in firewalld.ipset(5).
loadDefaults() → Nothing
Load default settings for built-in ipset.
Possible errors: NO_DEFAULTS
queryEntry(s: entry) → b
Return whether entry has been added to ipset. For runtime operation see
org.fedoraproject.FirewallD1.ipset.Methods.queryEntry.
queryOption(s: key, s: value) → b
Return whether (key, value) has been added to options of the ipset.
remove() → Nothing
Remove not built-in ipset.
Possible errors: BUILTIN_IPSET
removeEntry(s: entry) → Nothing
Permanently remove entry from ipset. See entry tag in firewalld.ipset(5). For runtime operation
see org.fedoraproject.FirewallD1.ipset.Methods.removeEntry.
Possible errors: NOT_ENABLED
removeOption(s: key) → Nothing
Permanently remove key from the ipset. See option tag in firewalld.ipset(5).
Possible errors: NOT_ENABLED
rename(s: name) → Nothing
Rename not built-in ipset to name.
Possible errors: BUILTIN_IPSET
setDescription(s: description) → Nothing
Permanently set description of ipset to description. See description tag in firewalld.ipset(5).
setEntries(as: entries) → Nothing
Permanently set list of entries to entries. See entry tag in firewalld.ipset(5).
setOptions(a{ss}: options) → Nothing
Permanently set dict of options to options. See option tag in firewalld.ipset(5).
setShort(s: short) → Nothing
Permanently set name of ipset to short. See short tag in firewalld.ipset(5).
setType(s: ipset_type) → Nothing
Permanently set type of ipset to ipset_type. See type attribute of ipset tag in firewalld.ipset(5).
setVersion(s: version) → Nothing
Permanently set version of ipset to version. See version attribute of ipset tag in firewalld.ipset(5).
update((ssssa{ss}as): settings) → Nothing
Update settings of ipset to settings. Settings are in format: version, name, description, type,
dictionary of options and array of entries.
version (s): see version attribute of ipset tag in firewalld.ipset(5).
name (s): see short tag in firewalld.ipset(5).
description (s): see description tag in firewalld.ipset(5).
type (s): see type attribute of ipset tag in firewalld.ipset(5).
options (a{ss}): dictionary of {option : value} . See options tag in firewalld.ipset(5).
entries (as): array of entries, see entry tag in firewalld.ipset(5).
Possible errors: INVALID_TYPE
Signals
Removed(s: name)
Emitted when ipset with name has been removed.
Renamed(s: name)
Emitted when ipset has been renamed to name.
Updated(s: name)
Emitted when ipset with name has been updated.
Properties
builtin - b - (ro)
True if ipset is built-in, false else.
default - b - (ro)
True if built-in ipset has default settings. False if it has been modified. Always False for not
built-in ipsets.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of ipset.
path - s - (ro)
Path to directory where the ipset configuration is stored. Should be either
/usr/lib/firewalld/ipsets or /etc/firewalld/ipsets.
org.fedoraproject.FirewallD1.config.zone
Interface for permanent zone configuration, see also firewalld.zone(5).
Methods
addForwardPort(s: port, s: protocol, s: toport, s: toaddr) → Nothing
Permanently add (port, protocol, toport, toaddr) to list of forward ports of zone. See forward-port
tag in firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.addForwardPort.
Possible errors: ALREADY_ENABLED
addIcmpBlock(s: icmptype) → Nothing
Permanently add icmptype to list of icmp types blocked in zone. See icmp-block tag in
firewalld.zone(5). For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.addIcmpBlock.
Possible errors: ALREADY_ENABLED
addIcmpBlockInversion() → Nothing
Permanently add icmp block inversion to zone. See icmp-block-inversion tag in firewalld.zone(5).
For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.addIcmpBlockInversion.
Possible errors: ALREADY_ENABLED
addInterface(s: interface) → Nothing
Permanently add interface to list of interfaces bound to zone. See interface tag in
firewalld.zone(5). For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.addInterface.
Possible errors: ALREADY_ENABLED
addMasquerade() → Nothing
Permanently enable masquerading in zone. See masquerade tag in firewalld.zone(5). For runtime
operation see org.fedoraproject.FirewallD1.zone.Methods.addMasquerade.
Possible errors: ALREADY_ENABLED
addPort(s: port, s: protocol) → Nothing
Permanently add (port, protocol) to list of ports of zone. See port tag in firewalld.zone(5). For
runtime operation see org.fedoraproject.FirewallD1.zone.Methods.addPort.
Possible errors: ALREADY_ENABLED
addProtocol(s: protocol) → Nothing
Permanently add protocol into zone. The protocol can be any protocol supported by the system.
Please have a look at /etc/protocols for supported protocols. For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.addProtocol.
Possible errors: INVALID_PROTOCOL, ALREADY_ENABLED
addRichRule(s: rule) → Nothing
Permanently add rule to list of rich-language rules in zone. See rule tag in firewalld.zone(5).
For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.addRichRule.
Possible errors: ALREADY_ENABLED
addService(s: service) → Nothing
Permanently add service to list of services used in zone. See service tag in firewalld.zone(5).
For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.addService.
Possible errors: ALREADY_ENABLED
addSource(s: source) → Nothing
Permanently add source to list of source addresses bound to zone. See source tag in
firewalld.zone(5). For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.addSource.
Possible errors: ALREADY_ENABLED
addSourcePort(s: port, s: protocol) → Nothing
Permanently add (port, protocol) to list of source ports of zone. See source-port tag in
firewalld.zone(5). For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.addSourcePort.
Possible errors: ALREADY_ENABLED
getDescription() → s
Get description of zone. See description tag in firewalld.zone(5).
getForwardPorts() → a(ssss)
Get list of (port, protocol, toport, toaddr) defined in zone. See forward-port tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.getForwardPorts.
getIcmpBlockInversion() → b
Get icmp block inversion flag of zone. See icmp-block-inversion tag in firewalld.zone(5).
getIcmpBlocks() → as
Get list of icmp type names blocked in zone. See icmp-block tag in firewalld.zone(5). For runtime
operation see org.fedoraproject.FirewallD1.zone.Methods.getIcmpBlocks.
getInterfaces() → as
Get list of interfaces bound to zone. See interface tag in firewalld.zone(5). For runtime
operation see org.fedoraproject.FirewallD1.zone.Methods.getInterfaces.
getMasquerade() → b
Return whether masquerade is enabled in zone. This is the same as queryMasquerade() method. See
masquerade tag in firewalld.zone(5).
getPorts() → a(ss)
Get list of (port, protocol) defined in zone. See port tag in firewalld.zone(5). For runtime
operation see org.fedoraproject.FirewallD1.zone.Methods.getPorts.
getProtocols() → as
Return array of protocols (s) previously enabled in zone. For getting runtime settings see
org.fedoraproject.FirewallD1.zone.Methods.getProtocols.
getRichRules() → as
Get list of rich-language rules in zone. See rule tag in firewalld.zone(5). For runtime operation
see org.fedoraproject.FirewallD1.zone.Methods.getRichRules.
getServices() → as
Get list of service names used in zone. See service tag in firewalld.zone(5). For runtime
operation see org.fedoraproject.FirewallD1.zone.Methods.getServices.
getSettings() → (sssbsasa(ss)asba(ssss)asasasasa(ss)b)
This function is deprecated, use org.fedoraproject.FirewallD1.config.zone.Methods.getSettings2
instead.
getSettings2() → a{sv}
Return permanent settings of given zone. For getting runtime settings see
org.fedoraproject.FirewallD1.zone.Methods.getZoneSettings2. Settings are a dictionary indexed by
keywords. For the type of each value see below. If the value is empty it may be omitted.
version (s): see version attribute of zone tag in firewalld.zone(5).
name (s): see short tag in firewalld.zone(5).
description (s): see description tag in firewalld.zone(5).
target (s): see target attribute of zone tag in firewalld.zone(5).
services (as): array of service names, see service tag in firewalld.zone(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.zone(5).
icmp_blocks (as): array of icmp-blocks. See icmp-block tag in firewalld.zone(5).
masquerade (b): see masquerade tag in firewalld.zone(5).
forward_ports (a(ssss)): array of (port, protocol, to-port, to-addr). See forward-port tag in
firewalld.zone(5).
interfaces (as): array of interfaces. See interface tag in firewalld.zone(5).
sources (as): array of source addresses. See source tag in firewalld.zone(5).
rules_str (as): array of rich-language rules. See rule tag in firewalld.zone(5).
protocols (as): array of protocols, see protocol tag in firewalld.zone(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.zone(5).
icmp_block_inversion (b): see icmp-block-inversion tag in firewalld.zone(5).
forward (b): see forward tag in firewalld.zone(5).
ingress_priority (i): see ingress-priority tag in firewalld.zone(5).
egress_priority (i): see egress-priority tag in firewalld.zone(5).
getShort() → s
Get name of zone. See short tag in firewalld.zone(5).
getSourcePorts() → a(ss)
Get list of (port, protocol) defined in zone. See source-port tag in firewalld.zone(5). For
runtime operation see org.fedoraproject.FirewallD1.zone.Methods.getSourcePorts.
getSources() → as
Get list of source addresses bound to zone. See source tag in firewalld.zone(5). For runtime
operation see org.fedoraproject.FirewallD1.zone.Methods.getSources.
getTarget() → s
Get target of zone. See target attribute of zone tag in firewalld.zone(5).
getVersion() → s
Get version of zone. See version attribute of zone tag in firewalld.zone(5).
loadDefaults() → Nothing
Load default settings for built-in zone.
Possible errors: NO_DEFAULTS
queryForwardPort(s: port, s: protocol, s: toport, s: toaddr) → b
Return whether (port, protocol, toport, toaddr) is in list of forward ports of zone. See
forward-port tag in firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.queryForwardPort.
queryIcmpBlock(s: icmptype) → b
Return whether icmptype is in list of icmp types blocked in zone. See icmp-block tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.queryIcmpBlock.
queryIcmpBlockInversion() → b
Return whether icmp block inversion is enabled in zone. See icmp-block-inversion tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.queryIcmpBlockInversion.
queryInterface(s: interface) → b
Return whether interface is in list of interfaces bound to zone. See interface tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.queryInterface.
queryMasquerade() → b
Return whether masquerade is enabled in zone. This is the same as getMasquerade() method. See
masquerade tag in firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.queryMasquerade.
queryPort(s: port, s: protocol) → b
Return whether (port, protocol) is in list of ports of zone. See port tag in firewalld.zone(5).
For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.queryPort.
queryProtocol(s: protocol) → b
Return whether protocol has been added in zone. For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.queryProtocol.
Possible errors: INVALID_PROTOCOL
queryRichRule(s: rule) → b
Return whether rule is in list of rich-language rules in zone. See rule tag in firewalld.zone(5).
For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.queryRichRule.
queryService(s: service) → b
Return whether service is in list of services used in zone. See service tag in firewalld.zone(5).
For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.queryService.
querySource(s: source) → b
Return whether source is in list of source addresses bound to zone. See source tag in
firewalld.zone(5). For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.querySource.
querySourcePort(s: port, s: protocol) → b
Return whether (port, protocol) is in list of source ports of zone. See source-port tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.querySourcePort.
remove() → Nothing
Remove not built-in zone.
Possible errors: BUILTIN_ZONE
removeForwardPort(s: port, s: protocol, s: toport, s: toaddr) → Nothing
Permanently remove (port, protocol, toport, toaddr) from list of forward ports of zone. See
forward-port tag in firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.removeForwardPort.
Possible errors: NOT_ENABLED
removeIcmpBlock(s: icmptype) → Nothing
Permanently remove icmptype from list of icmp types blocked in zone. See icmp-block tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.removeIcmpBlock.
Possible errors: NOT_ENABLED
removeIcmpBlockInversion() → Nothing
Permanently remove icmp block inversion from the zone. See icmp-block-inversion tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.removeIcmpBlockInversion.
Possible errors: NOT_ENABLED
removeInterface(s: interface) → Nothing
Permanently remove interface from list of interfaces bound to zone. See interface tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.removeInterface.
Possible errors: NOT_ENABLED
removeMasquerade() → Nothing
Permanently disable masquerading in zone. See masquerade tag in firewalld.zone(5). For runtime
operation see org.fedoraproject.FirewallD1.zone.Methods.removeMasquerade.
Possible errors: NOT_ENABLED
removePort(s: port, s: protocol) → Nothing
Permanently remove (port, protocol) from list of ports of zone. See port tag in firewalld.zone(5).
For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.removePort.
Possible errors: NOT_ENABLED
removeProtocol(s: protocol) → Nothing
Permanently remove protocol from zone. For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.removeProtocol.
Possible errors: INVALID_PROTOCOL, NOT_ENABLED
removeRichRule(s: rule) → Nothing
Permanently remove rule from list of rich-language rules in zone. See rule tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.removeRichRule.
Possible errors: NOT_ENABLED
removeService(s: service) → Nothing
Permanently remove service from list of services used in zone. See service tag in
firewalld.zone(5). For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.removeService.
Possible errors: NOT_ENABLED
removeSource(s: source) → Nothing
Permanently remove source from list of source addresses bound to zone. See source tag in
firewalld.zone(5). For runtime operation see org.fedoraproject.FirewallD1.zone.Methods.removeSource.
Possible errors: NOT_ENABLED
removeSourcePort(s: port, s: protocol) → Nothing
Permanently remove (port, protocol) from list of source ports of zone. See source-port tag in
firewalld.zone(5). For runtime operation see
org.fedoraproject.FirewallD1.zone.Methods.removeSourcePort.
Possible errors: NOT_ENABLED
rename(s: name) → Nothing
Rename not built-in zone to name.
Possible errors: BUILTIN_ZONE
setDescription(s: description) → Nothing
Permanently set description of zone to description. See description tag in firewalld.zone(5).
setForwardPorts(a(ssss): ports) → Nothing
Permanently set forward ports of zone to list of (port, protocol, toport, toaddr). See
forward-port tag in firewalld.zone(5).
setIcmpBlockInversion(b: flag) → Nothing
Permanently set icmp block inversion flag of zone to flag. See icmp-block-inversion tag in
firewalld.zone(5).
setIcmpBlocks(as: icmptypes) → Nothing
Permanently set list of icmp types blocked in zone to icmptypes. See icmp-block tag in
firewalld.zone(5).
setInterfaces(as: interfaces) → Nothing
Permanently set list of interfaces bound to zone to interfaces. See interface tag in
firewalld.zone(5).
setMasquerade(b: masquerade) → Nothing
Permanently set masquerading in zone to masquerade. See masquerade tag in firewalld.zone(5).
setPorts(a(ss): ports) → Nothing
Permanently set ports of zone to list of (port, protocol). See port tag in firewalld.zone(5).
setProtocols(as: protocols) → Nothing
Permanently set list of protocols used in zone to protocols. See protocol tag in
firewalld.zone(5).
setRichRules(as: rules) → Nothing
Permanently set list of rich-language rules to rules. See rule tag in firewalld.zone(5).
setServices(as: services) → Nothing
Permanently set list of services used in zone to services. See service tag in firewalld.zone(5).
setShort(s: short) → Nothing
Permanently set name of zone to short. See short tag in firewalld.zone(5).
setSourcePorts(a(ss): ports) → Nothing
Permanently set source-ports of zone to list of (port, protocol). See source-port tag in
firewalld.zone(5).
setSources(as: sources) → Nothing
Permanently set list of source addresses bound to zone to sources. See source tag in
firewalld.zone(5).
setTarget(s: target) → Nothing
Permanently set target of zone to target. See target attribute of zone tag in firewalld.zone(5).
setVersion(s: version) → Nothing
Permanently set version of zone to version. See version attribute of zone tag in firewalld.zone(5).
update((sssbsasa(ss)asba(ssss)asasasasa(ss)b): settings) → Nothing
This function is deprecated, use org.fedoraproject.FirewallD1.config.zone.Methods.update2 instead.
update2(a{sv}: settings) → Nothing
Update settings of zone to settings. Settings are a dictionary indexed by keywords. For the type
of each value see below. To zero a value pass an empty string or list.
version (s): see version attribute of zone tag in firewalld.zone(5).
name (s): see short tag in firewalld.zone(5).
description (s): see description tag in firewalld.zone(5).
target (s): see target attribute of zone tag in firewalld.zone(5).
services (as): array of service names, see service tag in firewalld.zone(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.zone(5).
icmp_blocks (as): array of icmp-blocks. See icmp-block tag in firewalld.zone(5).
masquerade (b): see masquerade tag in firewalld.zone(5).
forward_ports (a(ssss)): array of (port, protocol, to-port, to-addr). See forward-port tag in
firewalld.zone(5).
interfaces (as): array of interfaces. See interface tag in firewalld.zone(5).
sources (as): array of source addresses. See source tag in firewalld.zone(5).
rules_str (as): array of rich-language rules. See rule tag in firewalld.zone(5).
protocols (as): array of protocols, see protocol tag in firewalld.zone(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.zone(5).
icmp_block_inversion (b): see icmp-block-inversion tag in firewalld.zone(5).
forward (b): see forward tag in firewalld.zone(5).
ingress_priority (i): see ingress-priority tag in firewalld.zone(5).
egress_priority (i): see egress-priority tag in firewalld.zone(5).
Possible errors: INVALID_TYPE
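The keyword table above fixes the D-Bus type of every value in the a{sv} dictionary, and a mismatch is answered with INVALID_TYPE only after the round trip over the bus. The following is an added example for this page, not firewalld code and not a dbus-python or busctl wrapper: ZONE_SETTINGS_TYPES copies the keyword-to-type table from update2()/getSettings2() above, IPSET_UPDATE_SIG copies the (ssssa{ss}as) struct of config.ipset.update(), and check_type() implements the subset of the D-Bus signature grammar that occurs on this page so a client can validate a payload locally. The function names and the sample zone/ipset values are the example's own.

```python
"""Type-check the a{sv} settings dictionary for config.zone.update2().

Added example for this page, not firewalld code. ZONE_SETTINGS_TYPES copies
the keyword -> D-Bus type table from the update2()/getSettings2() text above;
IPSET_UPDATE_SIG copies the struct signature of config.ipset.update().
check_type() implements only the signature subset that occurs on this page
(s, b, i, as, a(...), a{ss}) so a client can reject an INVALID_TYPE payload
before it crosses the bus. No D-Bus library is imported; the dict/tuple
returned is what a dbus-python or busctl caller would hand to the method.
"""

ZONE_SETTINGS_TYPES = {
    "version": "s", "name": "s", "description": "s", "target": "s",
    "services": "as", "ports": "a(ss)", "icmp_blocks": "as",
    "masquerade": "b", "forward_ports": "a(ssss)", "interfaces": "as",
    "sources": "as", "rules_str": "as", "protocols": "as",
    "source_ports": "a(ss)", "icmp_block_inversion": "b", "forward": "b",
    "ingress_priority": "i", "egress_priority": "i",
}

IPSET_UPDATE_SIG = "(ssssa{ss}as)"   # version, name, description, type, options, entries


def split_signature(sig: str) -> list:
    """Split a D-Bus signature into complete single types.

    'sa(ss)a{ss}b' -> ['s', 'a(ss)', 'a{ss}', 'b'].
    """
    types, i = [], 0
    while i < len(sig):
        start = i
        while sig[i] == "a":           # array prefix, possibly nested (aas)
            i += 1
        if sig[i] in "({":             # struct or dict entry: consume to its close
            depth = 0
            while True:
                if sig[i] in "({":
                    depth += 1
                elif sig[i] in ")}":
                    depth -= 1
                i += 1
                if depth == 0:
                    break
        else:                          # basic type
            i += 1
        types.append(sig[start:i])
    return types


def check_type(value, sig: str) -> bool:
    """Return True if the Python value fits the D-Bus signature sig."""
    if sig == "s":
        return isinstance(value, str)
    if sig == "b":
        return isinstance(value, bool)
    if sig == "i":                     # bool is an int subclass; keep it out
        return isinstance(value, int) and not isinstance(value, bool) and -2**31 <= value < 2**31
    if sig.startswith("a{"):
        key_sig, val_sig = split_signature(sig[2:-1])
        return isinstance(value, dict) and all(
            check_type(k, key_sig) and check_type(v, val_sig) for k, v in value.items())
    if sig.startswith("a"):
        return isinstance(value, list) and all(check_type(v, sig[1:]) for v in value)
    if sig.startswith("("):
        fields = split_signature(sig[1:-1])
        return (isinstance(value, (tuple, list)) and len(value) == len(fields)
                and all(check_type(v, f) for v, f in zip(value, fields)))
    raise ValueError(f"signature not handled by this example: {sig!r}")


def zone_update2_payload(**changes) -> dict:
    """Return an update2() dict holding only the keywords passed.

    Keywords left out are not touched by firewalld; to clear a list or
    string pass [] or "" (the 'zero a value' rule above). TypeError mirrors
    the daemon's INVALID_TYPE reply.
    """
    payload = {}
    for keyword, value in changes.items():
        sig = ZONE_SETTINGS_TYPES.get(keyword)
        if sig is None:
            raise TypeError(f"unknown zone keyword: {keyword}")
        if not check_type(value, sig):
            raise TypeError(f"INVALID_TYPE: {keyword} must match {sig!r}")
        payload[keyword] = value
    return payload


def ipset_update_settings(version, name, description, ipset_type, options, entries) -> tuple:
    """Return the positional struct expected by config.ipset.update(), type-checked."""
    settings = (version, name, description, ipset_type, dict(options), list(entries))
    if not check_type(settings, IPSET_UPDATE_SIG):
        raise TypeError(f"INVALID_TYPE: settings must match {IPSET_UPDATE_SIG!r}")
    return settings


if __name__ == "__main__":
    # Allow https, forward 8443/tcp to 443 locally, and clear any stale sources.
    print(zone_update2_payload(services=["https"],
                               forward_ports=[("8443", "tcp", "443", "")],
                               sources=[]))
    print(ipset_update_settings("1.0", "blocklist", "constructed sample", "hash:net",
                                {"family": "inet"}, ["203.0.113.0/24"]))
```

The same check_type() also verifies a struct for config.ipset.update(), whose (ssssa{ss}as) layout is spelled out in the ipset interface above; the ipset name, type and entry in the stand-alone run are constructed sample values.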
Signals
Removed(s: name)
Emitted when zone with name has been removed.
Renamed(s: name)
Emitted when zone has been renamed to name.
Updated(s: name)
Emitted when zone with name has been updated.
Properties
builtin - b - (ro)
True if zone is built-in, false else.
default - b - (ro)
True if built-in zone has default settings. False if it has been modified. Always False for not
built-in zones.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of zone.
path - s - (ro)
Path to directory where the zone configuration is stored. Should be either
/usr/lib/firewalld/zones or /etc/firewalld/zones.
org.fedoraproject.FirewallD1.config.policy
Interface for permanent policy configuration, see also firewalld.policy(5).
Methods
getSettings() → a{sv}
Return permanent settings of given policy. For getting runtime settings see
org.fedoraproject.FirewallD1.policy.Methods.getPolicySettings. Settings are a dictionary indexed by
keywords. For possible keywords see org.fedoraproject.FirewallD1.config.Methods.addPolicy.
loadDefaults() → Nothing
Load default settings for built-in policy.
Possible errors: NO_DEFAULTS
remove() → Nothing
Remove not built-in policy.
Possible errors: BUILTIN_POLICY
rename(s: name) → Nothing
Rename not built-in policy to name.
Possible errors: BUILTIN_POLICY
update(a{sv}: settings) → Nothing
Update settings of policy to settings. Settings are a dictionary indexed by keywords. For
possible keywords see org.fedoraproject.FirewallD1.config.Methods.addPolicy. To zero a value pass
an empty string or list.
Possible errors: INVALID_TYPE
Signals
Removed(s: name)
Emitted when policy with name has been removed.
Renamed(s: name)
Emitted when policy has been renamed to name.
Updated(s: name)
Emitted when policy with name has been updated.
Properties
builtin - b - (ro)
True if policy is built-in, false else.
default - b - (ro)
True if built-in policy has default settings. False if it has been modified. Always False for not
built-in policies.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of policy.
path - s - (ro)
Path to directory where the policy configuration is stored. Should be either
/usr/lib/firewalld/policies or /etc/firewalld/policies.
org.fedoraproject.FirewallD1.config.service
Interface for permanent service configuration, see also firewalld.service(5).
Methods
addModule(s: module) → Nothing
This method is deprecated. Please use "helpers" in the update2() method.
addPort(s: port, s: protocol) → Nothing
Permanently add (port, protocol) to list of ports in service. See port tag in firewalld.service(5).
Possible errors: ALREADY_ENABLED
addProtocol(s: protocol) → Nothing
Permanently add protocol into service. The protocol can be any protocol supported by the system.
Please have a look at /etc/protocols for supported protocols. See protocol tag in
firewalld.service(5).
Possible errors: INVALID_PROTOCOL, ALREADY_ENABLED
addSourcePort(s: port, s: protocol) → Nothing
Permanently add (port, protocol) to list of source ports in service. See source-port tag in
firewalld.service(5).
Possible errors: ALREADY_ENABLED
getDescription() → s
Get description of service. See description tag in firewalld.service(5).
getDestination(s: family) → s
Get destination for IP family being either 'ipv4' or 'ipv6'. See destination tag in
firewalld.service(5).
Possible errors: ALREADY_ENABLED
getDestinations() → a{ss}
Get list of destinations. Return value is a dictionary of {IP family : IP address} where 'IP family'
key can be either 'ipv4' or 'ipv6'. See destination tag in firewalld.service(5).
getModules() → as
This method is deprecated. Please use "helpers" in the getSettings2() method.
getPorts() → a(ss)
Get list of (port, protocol) defined in service. See port tag in firewalld.service(5).
getProtocols() → as
Return array of protocols (s) defined in service. See protocol tag in firewalld.service(5).
getSettings() → (sssa(ss)asa{ss}asa(ss))
This function is deprecated, use org.fedoraproject.FirewallD1.config.service.Methods.getSettings2
instead.
getSettings2() → a{sv}
Return permanent settings of given service. For getting runtime settings see
org.fedoraproject.FirewallD1.Methods.getServiceSettings2. Settings are a dictionary indexed by keywords. For
the type of each value see below. If the value is empty it may be omitted.
version (s): see version attribute of service tag in firewalld.service(5).
name (s): see short tag in firewalld.service(5).
description (s): see description tag in firewalld.service(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.service(5).
module names (as): array of kernel netfilter helpers, see module tag in firewalld.service(5).
destinations (a{ss}): dictionary of {IP family : IP address} where 'IP family' key can be either
'ipv4' or 'ipv6'. See destination tag in firewalld.service(5).
protocols (as): array of protocols, see protocol tag in firewalld.service(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.service(5).
includes (as): array of service includes, see include tag in firewalld.service(5).
helpers (as): array of service helpers, see helper tag in firewalld.service(5).
getShort() → s
Get name of service. See short tag in firewalld.service(5).
getSourcePorts() → a(ss)
Get list of (port, protocol) defined in service. See source-port tag in firewalld.service(5).
getVersion() → s
Get version of service. See version attribute of service tag in firewalld.service(5).
loadDefaults() → Nothing
Load default settings for built-in service.
Possible errors: NO_DEFAULTS
queryDestination(s: family, s: address) → b
Return whether a destination is in dictionary of destinations of this service. destination is in
format: (IP family, IP address) where IP family can be either 'ipv4' or 'ipv6'. See destination
tag in firewalld.service(5).
queryModule(s: module) → b
This method is deprecated. Please use "helpers" in the getSettings2() method.
queryPort(s: port, s: protocol) → b
Return whether (port, protocol) is in list of ports in service. See port tag in firewalld.service(5).
queryProtocol(s: protocol) → b
Return whether protocol is in list of protocols in service. See protocol tag in firewalld.service(5).
querySourcePort(s: port, s: protocol) → b
Return whether (port, protocol) is in list of source ports in service. See source-port tag in
firewalld.service(5).
remove() → Nothing
Remove not built-in service.
Possible errors: BUILTIN_SERVICE
removeDestination(s: family) → Nothing
Permanently remove a destination with family ('ipv4' or 'ipv6') from service. See destination tag
in firewalld.service(5).
Possible errors: NOT_ENABLED
removeModule(s: module) → Nothing
This method is deprecated. Please use "helpers" in the update2() method.
removePort(s: port, s: protocol) → Nothing
Permanently remove (port, protocol) from list of ports in service. See port tag in firewalld.service(5).
Possible errors: NOT_ENABLED
removeProtocol(s: protocol) → Nothing
Permanently remove protocol from list of protocols in service. See protocol tag in firewalld.service(5).
Possible errors: NOT_ENABLED
removeSourcePort(s: port, s: protocol) → Nothing
Permanently remove (port, protocol) from list of source ports in service. See source-port tag in
firewalld.service(5).
Possible errors: NOT_ENABLED
rename(s: name) → Nothing
Rename not built-in service to name.
Possible errors: BUILTIN_SERVICE
setDescription(s: description) → Nothing
Permanently set description of service to description. See description tag in firewalld.service(5).
setDestination(s: family, s: address) → Nothing
Permanently set a destination address. destination is in format: (IP family, IP address) where IP
family can be either 'ipv4' or 'ipv6'. See destination tag in firewalld.service(5).
Possible errors: ALREADY_ENABLED
setDestinations(a{ss}: destinations) → Nothing
Permanently set destinations of service to destinations, which is a dictionary of {IP family : IP
address} where 'IP family' key can be either 'ipv4' or 'ipv6'. See destination tag in
firewalld.service(5).
setModules(as: modules) → Nothing
This method is deprecated. Please use "helpers" in the update2() method.
setPorts(a(ss): ports) → Nothing
Permanently set ports of service to list of (port, protocol). See port tag in firewalld.service(5).
setProtocols(as: protocols) → Nothing
Permanently set protocols of service to list of protocols. See protocol tag in firewalld.service(5).
setShort(s: short) → Nothing
Permanently set name of service to short. See short tag in firewalld.service(5).
setSourcePorts(a(ss): ports) → Nothing
Permanently set source-ports of service to list of (port, protocol). See source-port tag in
firewalld.service(5).
setVersion(s: version) → Nothing
Permanently set version of service to version. See version attribute of service tag in
firewalld.service(5).
update((sssa(ss)asa{ss}asa(ss)): settings) → Nothing
This function is deprecated, use org.fedoraproject.FirewallD1.config.service.Methods.update2
instead.
update2(a{sv}: settings) → Nothing
Update settings of service to settings. Settings are a dictionary indexed by keywords. For the
type of each value see below. To zero a value pass an empty string or list.
version (s): see version attribute of service tag in firewalld.service(5).
name (s): see short tag in firewalld.service(5).
description (s): see description tag in firewalld.service(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.service(5).
module names (as): array of kernel netfilter helpers, see module tag in firewalld.service(5).
destinations (a{ss}): dictionary of {IP family : IP address} where 'IP family' key can be either
'ipv4' or 'ipv6'. See destination tag in firewalld.service(5).
protocols (as): array of protocols, see protocol tag in firewalld.service(5).
source_ports (a(ss)): array of port and protocol pairs. See source-port tag in firewalld.service(5).
includes (as): array of service includes, see include tag in firewalld.service(5).
helpers (as): array of service helpers, see helper tag in firewalld.service(5).
Possible errors: INVALID_TYPE
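The keyword table above is exactly what a script hands to update2() as an a{sv} dictionary, and INVALID_TYPE is all the daemon says when something in it is wrong. The validator below is an added example, not firewalld's own code: it checks a settings dictionary against that table (port numbers and ranges, protocol names, destination family) before anything is marshalled, so mistakes are caught offline with a readable message. The service name, address and port in the two sample dictionaries are hypothetical, and to_dbus_settings() assumes the String, Array and Dictionary wrappers of the python dbus module.

```python
"""Validate a settings dictionary for config.service.update2() before it is
sent over D-Bus.  Added example, not firewalld's own code; the keyword/type
table is taken from the update2()/getSettings2() description above."""
import ipaddress
import re

# keyword -> D-Bus type of the variant value
SERVICE_KEYWORDS = {
    "version": "s", "name": "s", "description": "s",
    "ports": "a(ss)", "source_ports": "a(ss)",
    "module names": "as", "protocols": "as", "includes": "as", "helpers": "as",
    "destinations": "a{ss}",
}
PORT_PROTOCOLS = ("tcp", "udp", "sctp", "dccp")
_PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def check_port(port):
    """'portid' or 'portid-portid' within 1..65535; empty means protocol only."""
    if port == "":
        return True
    m = _PORT_RE.match(port)
    if not m:
        return False
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    return 1 <= lo <= hi <= 65535


def _check_pairs(value):
    return isinstance(value, list) and all(
        isinstance(p, (list, tuple)) and len(p) == 2
        and isinstance(p[0], str) and check_port(p[0]) and p[1] in PORT_PROTOCOLS
        for p in value)


def _check_destinations(value):
    # keys are 'ipv4'/'ipv6'; the address must belong to that family
    if not isinstance(value, dict):
        return False
    for family, addr in value.items():
        try:
            version = ipaddress.ip_network(addr, strict=False).version
        except ValueError:
            return False
        if {"ipv4": 4, "ipv6": 6}.get(family) != version:
            return False
    return True


def validate_service_settings(settings):
    """Return a list of problems; an empty list means the dict is acceptable."""
    problems = []
    for key, value in settings.items():
        dtype = SERVICE_KEYWORDS.get(key)
        if dtype is None:
            problems.append(f"unknown keyword {key!r}")
        elif dtype == "s" and not isinstance(value, str):
            problems.append(f"{key}: expected a string")
        elif dtype == "as" and not (isinstance(value, list)
                                    and all(isinstance(s, str) for s in value)):
            problems.append(f"{key}: expected a list of strings")
        elif dtype == "a(ss)" and not _check_pairs(value):
            problems.append(f"{key}: expected [(port, protocol)] with protocol in {PORT_PROTOCOLS}")
        elif dtype == "a{ss}" and not _check_destinations(value):
            problems.append(f"{key}: expected {{'ipv4'|'ipv6': address of that family}}")
    return problems


def to_dbus_settings(settings):
    """Wrap a validated dict in explicit dbus-python types.  Assumed detail:
    dbus-python cannot guess a signature for an empty list, so every array
    gets one.  Needs the dbus module, hence imported lazily."""
    import dbus
    element_sig = {"as": "s", "a(ss)": "(ss)"}
    out = {}
    for key, value in settings.items():
        dtype = SERVICE_KEYWORDS[key]
        if dtype == "s":
            out[key] = dbus.String(value)
        elif dtype == "a{ss}":
            out[key] = dbus.Dictionary(value, signature="ss")
        else:
            out[key] = dbus.Array(value, signature=element_sig[dtype])
    return dbus.Dictionary(out, signature="sv")


# Constructed input: a hypothetical admin-console service bound to one address.
GOOD_SETTINGS = {
    "name": "Console", "description": "internal admin console",
    "ports": [("8443", "tcp")], "protocols": [], "includes": [],
    "destinations": {"ipv4": "10.0.0.5"},
}
# The same service with three common mistakes.
BAD_SETTINGS = {
    "name": "Console",
    "ports": [("8443", "TCP"), ("70000", "tcp")],   # upper-case protocol, port > 65535
    "destinations": {"ipv4": "2001:db8::5"},        # IPv6 address under the ipv4 key
    "modules": ["nf_conntrack_ftp"],                # not a keyword; it is 'helpers'
}

if __name__ == "__main__":
    for label, s in (("good", GOOD_SETTINGS), ("bad", BAD_SETTINGS)):
        print(label, validate_service_settings(s) or "ok")
```

To apply a validated dictionary you would look up the service's object path with config.getServiceByName() and call update2() on the org.fedoraproject.FirewallD1.config.service interface of that object; that step needs a running daemon and the matching polkit authorisation, so it is left out here. The config interface changes permanent settings only; the running firewall does not pick them up until a reload.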
Signals
Removed(s: name)
Emitted when service with name has been removed.
Renamed(s: name)
Emitted when service has been renamed to name.
Updated(s: name)
Emitted when service with name has been updated.
Properties
builtin - b - (ro)
True if service is built-in, false else.
default - b - (ro)
True if built-in service has default settings. False if it has been modified. Always False for
not built-in services.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of service.
path - s - (ro)
Path to directory where the configuration is stored. Should be either /usr/lib/firewalld/services
or /etc/firewalld/services.
org.fedoraproject.FirewallD1.config.helper
Interface for permanent helper configuration, see also firewalld.helper(5).
Methods
addPort(s: port, s: protocol) → Nothing
Permanently add (port, protocol) to list of ports in helper. See port tag in firewalld.helper(5).
Possible errors: ALREADY_ENABLED
getDescription() → s
Get description of helper. See description tag in firewalld.helper(5).
getFamily() → s
Get family being 'ipv4', 'ipv6' or empty for both. See family tag in firewalld.helper(5).
getModule() → s
Get modules (netfilter kernel helpers) used in helper. See module tag in firewalld.helper(5).
getPorts() → a(ss)
Get list of (port, protocol) defined in helper. See port tag in firewalld.helper(5).
getSettings() → (sssssa(ss))
Return permanent settings of a helper. For getting runtime settings see
org.fedoraproject.FirewallD1.Methods.getHelperSettings. Settings are in format: version, name, description, family,
module, array of ports (port, protocol).
version (s): see version attribute of helper tag in firewalld.helper(5).
name (s): see short tag in firewalld.helper(5).
description (s): see description tag in firewalld.helper(5).
family (s): see family tag in firewalld.helper(5).
module (s): see module tag in firewalld.helper(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.helper(5).
getShort() → s
Get name of helper. See short tag in firewalld.helper(5).
getVersion() → s
Get version of helper. See version attribute of helper tag in firewalld.helper(5).
loadDefaults() → Nothing
Load default settings for built-in helper.
Possible errors: NO_DEFAULTS
queryFamily(s: family) → b
Return whether family is set for helper. See family tag in firewalld.helper(5).
queryModule(s: module) → b
Return whether module (netfilter kernel helpers) is used in helper. See module tag in
firewalld.helper(5).
queryPort(s: port, s: protocol) → b
Return whether (port, protocol) is in list of ports in helper. See port tag in firewalld.helper(5).
remove() → Nothing
Remove not built-in helper.
Possible errors: BUILTIN_HELPER
removePort(s: port, s: protocol) → Nothing
Permanently remove (port, protocol) from list of ports in helper. See port tag in
firewalld.helper(5).
Possible errors: NOT_ENABLED
rename(s: name) → Nothing
Rename not built-in helper to name.
Possible errors: BUILTIN_HELPER
setDescription(s: description) → Nothing
Permanently set description of helper to description. See description tag in firewalld.helper(5).
setFamily(s: family) → Nothing
Permanently set family of helper to family. See family tag in firewalld.helper(5).
setModule(s: module) → Nothing
Permanently set module of helper to module. See module tag in firewalld.helper(5).
setPorts(a(ss): ports) → Nothing
Permanently set ports of helper to list of (port, protocol). See port tag in firewalld.helper(5).
setShort(s: short) → Nothing
Permanently set name of helper to short. See short tag in firewalld.helper(5).
setVersion(s: version) → Nothing
Permanently set version of helper to version. See version attribute of helper tag in
firewalld.helper(5).
update((sssssa(ss)): settings) → Nothing
Update settings of helper to settings. Settings are in format: version, name, description,
family, module and array of ports.
version (s): see version attribute of helper tag in firewalld.helper(5).
name (s): see short tag in firewalld.helper(5).
description (s): see description tag in firewalld.helper(5).
family (s): see family tag in firewalld.helper(5).
module (s): see module tag in firewalld.helper(5).
ports (a(ss)): array of port and protocol pairs. See port tag in firewalld.helper(5).
Possible errors: INVALID_HELPER
Signals
Removed(s: name)
Emitted when helper with name has been removed.
Renamed(s: name)
Emitted when helper has been renamed to name.
Updated(s: name)
Emitted when helper with name has been updated.
Properties
builtin - b - (ro)
True if helper is built-in, false else.
default - b - (ro)
True if built-in helper has default settings. False if it has been modified. Always False for not
built-in helpers.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of helper.
path - s - (ro)
Path to directory where the configuration is stored. Should be either /usr/lib/firewalld/helpers
or /etc/firewalld/helpers.
org.fedoraproject.FirewallD1.config.icmptype
Interface for permanent icmp type configuration, see also firewalld.icmptype(5).
Methods
addDestination(s: destination) → Nothing
Permanently add a destination ('ipv4' or 'ipv6') to list of destinations of this icmp type. See
destination tag in firewalld.icmptype(5).
Possible errors: ALREADY_ENABLED
getDescription() → s
Get description of icmp type. See description tag in firewalld.icmptype(5).
getDestinations() → as
Get list of destinations. See destination tag in firewalld.icmptype(5).
getSettings() → (sssas)
Return permanent settings of icmp type. For getting runtime settings see
org.fedoraproject.FirewallD1.Methods.getIcmpTypeSettings. Settings are in format: version, name, description, array of
destinations.
version (s): see version attribute of icmptype tag in firewalld.icmptype(5).
name (s): see short tag in firewalld.icmptype(5).
description (s): see description tag in firewalld.icmptype(5).
destinations (as): array, either empty or containing strings 'ipv4' and/or 'ipv6', see
destination tag in firewalld.icmptype(5).
getShort() → s
Get name of icmp type. See short tag in firewalld.icmptype(5).
getVersion() → s
Get version of icmp type. See version attribute of icmptype tag in firewalld.icmptype(5).
loadDefaults() → Nothing
Load default settings for built-in icmp type.
Possible errors: NO_DEFAULTS
queryDestination(s: destination) → b
Return whether a destination ('ipv4' or 'ipv6') is in list of destinations of this icmp type. See
destination tag in firewalld.icmptype(5).
remove() → Nothing
Remove not built-in icmp type.
Possible errors: BUILTIN_ICMPTYPE
removeDestination(s: destination) → Nothing
Permanently remove a destination ('ipv4' or 'ipv6') from list of destinations of this icmp type.
See destination tag in firewalld.icmptype(5).
Possible errors: NOT_ENABLED
rename(s: name) → Nothing
Rename not built-in icmp type to name.
Possible errors: BUILTIN_ICMPTYPE
setDescription(s: description) → Nothing
Permanently set description of icmp type to description. See description tag in
firewalld.icmptype(5).
setDestinations(as: destinations) → Nothing
Permanently set destinations of icmp type to destinations, which is array, either empty or
containing strings 'ipv4' and/or 'ipv6'. See destination tag in firewalld.icmptype(5).
setShort(s: short) → Nothing
Permanently set name of icmp type to short. See short tag in firewalld.icmptype(5).
setVersion(s: version) → Nothing
Permanently set version of icmp type to version. See version attribute of icmptype tag in
firewalld.icmptype(5).
update((sssas): settings) → Nothing
Update permanent settings of icmp type to settings. Settings are in format: version, name,
description, array of destinations.
version (s): see version attribute of icmptype tag in firewalld.icmptype(5).
name (s): see short tag in firewalld.icmptype(5).
description (s): see description tag in firewalld.icmptype(5).
destinations (as): array, either empty or containing strings 'ipv4' and/or 'ipv6', see
destination tag in firewalld.icmptype(5).
Signals
Removed(s: name)
Emitted when icmp type with name has been removed.
Renamed(s: name)
Emitted when icmp type has been renamed to name.
Updated(s: name)
Emitted when icmp type with name has been updated.
Properties
builtin - b - (ro)
True if icmptype is built-in, false else.
default - b - (ro)
True if built-in icmp type has default settings. False if it has been modified. Always False for
not built-in icmp types.
filename - s - (ro)
Name (including .xml extension) of file where the configuration is stored.
name - s - (ro)
Name of icmp type.
path - s - (ro)
Path to directory where the icmp type configuration is stored. Should be either
/usr/lib/firewalld/icmptypes or /etc/firewalld/icmptypes.
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5),
firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewall-offline-cmd(1), firewalld.richlanguage(5),
firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.policy(5), firewalld.policies(5),
firewalld.ipset(5), firewalld.helper(5)
NOTES
firewalld home page:
http://firewalld.org
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
Eric Garver <eric@garver.life>
Developer
firewalld 2.4.1 FIREWALLD.DBUS(5)
firewalld.direct
# man firewalld.direct
FIREWALLD.DIRECT(5) firewalld.direct FIREWALLD.DIRECT(5)
NAME
firewalld.direct - firewalld direct configuration file
SYNOPSIS
/etc/firewalld/direct.xml
DEPRECATED
The direct interface has been deprecated. It will be removed in a future release. It is superseded by
policies, see firewalld.policies(5).
DESCRIPTION
Direct configuration gives a more direct access to the firewall. It requires the user to know basic
ip(6)tables/ebtables concepts, i.e. table (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
(-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets (ACCEPT/DROP/REJECT/...). Direct configuration
should be used only as a last resort when it's not possible to use firewalld.zone(5). See also Direct
Options in firewall-cmd(1).
A firewalld direct configuration file contains information about permanent direct chains, rules and
passthrough ...
This is the structure of a direct configuration file:
<?xml version="1.0" encoding="utf-8"?>
<direct>
[ <chain ipv="ipv4|ipv6|eb" table="table" chain="chain"/> ]
[ <rule ipv="ipv4|ipv6|eb" table="table" chain="chain" priority="priority"> args </rule> ]
[ <passthrough ipv="ipv4|ipv6|eb"> args </passthrough> ]
</direct>
direct
The mandatory direct start and end tag defines the direct. This tag can only be used once in a direct
configuration file. There are no attributes for direct.
chain
Is an optional empty-element tag and can be used several times. It can be used to define names for
additional chains. A chain entry has exactly three attributes:
ipv="ipv4|ipv6|eb"
The IP family where the chain will be created. This can be either ipv4, ipv6 or eb.
table="table"
The table name where the chain will be created. This can be one of the tables that can be used for
iptables, ip6tables or ebtables. For the possible values, see TABLES section in the iptables,
ip6tables or ebtables man pages.
chain="chain"
The name of the chain, that will be created. Please make sure that there is no other chain with this
name already.
Please remember to add a rule or passthrough rule with a --jump or --goto option to connect the chain to
another one.
rule
Is an optional element tag and can be used several times. It can be used to add rules to a built-in or
added chain. A rule entry has exactly four attributes:
ipv="ipv4|ipv6|eb"
The IP family where the rule will be added. This can be either ipv4, ipv6 or eb.
table="table"
The table name where the rule will be added. This can be one of the tables that can be used for
iptables, ip6tables or ebtables. For the possible values, see TABLES section in the iptables, ip6tables
or ebtables man pages.
chain="chain"
The name of the chain where the rule will be added. This can be either a built-in chain or a chain
that has been created with the chain tag. If the chain name is a built-in chain, then the rule will
be added to chain_direct, else the supplied chain name is used. chain_direct is created internally
for all built-in chains to make sure that the added rules do not conflict with the rules created by
firewalld.
priority="priority"
The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher
priority the rule will be added further down. Rules with the same priority are on the same level and
the order of these rules is not fixed and may change. If you want to make sure that a rule will be
added after another one, use a low priority for the first and a higher for the following.
The args can be any arguments of iptables or ip6tables, that do not conflict with the table or chain
attributes.
passthrough
Is an optional element tag and can be used several times. It can be used to add rules to a built-in or
added chain. A passthrough entry has exactly one attribute:
ipv="ipv4|ipv6|eb"
The IP family where the passthrough rule will be added. This can be either ipv4, ipv6 or eb.
The args can be any arguments of iptables or ip6tables.
The passthrough rule will be added to the chain directly. There is no mechanism like for the direct rule
above. The user of the passthrough rule has to make sure that there will be no conflict with the rules
created by firewalld.
CAVEATS
Depending on the value of FirewallBackend (see firewalld.conf(5)) direct rules behave differently in some
scenarios.
Packet accept/drop precedence
Due to implementation details of netfilter inside the kernel, if FirewallBackend=nftables is used direct
rules that ACCEPT packets don't actually cause the packets to be immediately accepted by the system.
Those packets are still subject to firewalld's nftables ruleset. This basically means there are two
independent firewalls and packets must be accepted by both (iptables and nftables). As an aside, this
scenario also occurs inside of nftables (again due to netfilter) if there are multiple chains attached to
the same hook - it's not as simple as iptables vs nftables.
There are a handful of options to workaround the ACCEPT issue:
1. Rich Rules
If a rich rule can be used, then they should always be preferred over direct rules. Rich Rules will
be converted to the enabled FirewallBackend. See firewalld.richlanguage(5).
2. Blanket Accept
Users can add an explicit accept to the nftables ruleset. This can be done by adding the interface or
source to the trusted zone.
This strategy is often employed by things that perform their own filtering such as: libvirt, podman,
docker.
Warning: This means firewalld will do no filtering on these packets. It must all be done via direct
rules or out-of-band iptables rules.
3. Selective Accept
Alternatively, enable only the relevant service, port, address, or otherwise in the appropriate zone.
4. Revert to the iptables backend
A last resort is to revert to the iptables backend by setting FirewallBackend=iptables. Users should
be aware that firewalld development focuses on the nftables backend.
For direct rules that DROP packets the packets are immediately dropped regardless of the value of
FirewallBackend. As such, there is no special consideration needed.
Firewalld guarantees the above ACCEPT/DROP behavior by registering nftables hooks with a lower precedence
than iptables hooks.
Direct interface precedence
With FirewallBackend=iptables firewalld's top-level internal rules apply before direct rules are
executed. This includes rules to accept existing connections. In the past this has surprised users. As an
example, if a user adds a direct rule to drop traffic on destination port 22 existing SSH sessions would
continue to function, but new connections would be denied.
With FirewallBackend=nftables direct rules were deliberately given a higher precedence than all other
firewalld rules. This includes rules to accept existing connections.
EXAMPLE
Denylisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with logging and dropping early in the raw
table:
<?xml version="1.0" encoding="utf-8"?>
<direct>
<chain ipv="ipv4" table="raw" chain="denylist"/>
<rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j denylist</rule>
<rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j denylist</rule>
<rule ipv="ipv4" table="raw" chain="denylist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "denylisted: "</rule>
<rule ipv="ipv4" table="raw" chain="denylist" priority="1">-j DROP</rule>
</direct>
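Both precedence caveats are easy to violate in a hand-written direct.xml, and the daemon does not warn about either. The auditor below is an added example, not firewalld code: it parses a direct.xml, checks the attributes each tag requires, flags ACCEPT rules and passthrough entries when the backend is nftables, reports rules that share a priority within one chain (their order is not fixed), and reports user chains that no rule jumps to. The sample file is the denylist example above extended with a hypothetical ACCEPT rule for port 2222, a passthrough and an unused chain so that every check fires; the built-in chain names are the iptables ones and do not cover ebtables.

```python
"""Audit a firewalld direct.xml for the pitfalls described in the CAVEATS
section.  Added example, not part of firewalld."""
import xml.etree.ElementTree as ET
from collections import defaultdict

BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
FAMILIES = {"ipv4", "ipv6", "eb"}


def _accept_warning(where, args, backend):
    # With FirewallBackend=nftables an ACCEPT here is not final: firewalld's
    # own nftables ruleset still sees the packet and must accept it too.
    if backend == "nftables" and "ACCEPT" in args.split():
        return [("warning", f"{where}: ACCEPT in '{args}' does not bypass "
                            "firewalld's nftables ruleset")]
    return []


def audit_direct_xml(xml_text, backend="nftables"):
    """Return a list of (severity, message); severity is 'error' or 'warning'."""
    root = ET.fromstring(xml_text)
    if root.tag != "direct":
        return [("error", "root element must be <direct>")]
    findings = []

    defined = set()          # (ipv, table, chain) of every <chain> tag
    for c in root.iter("chain"):
        key = (c.get("ipv"), c.get("table"), c.get("chain"))
        if key[0] not in FAMILIES or not key[1] or not key[2]:
            findings.append(("error", f"chain tag with missing/invalid attributes: {c.attrib}"))
        elif key[2] in BUILTIN_CHAINS:
            findings.append(("error", f"chain {key[2]} collides with a built-in chain name"))
        else:
            defined.add(key)

    by_chain = defaultdict(list)
    all_args = []
    for r in root.iter("rule"):
        key = (r.get("ipv"), r.get("table"), r.get("chain"))
        args = (r.text or "").strip()
        if key[0] not in FAMILIES or not key[1] or not key[2]:
            findings.append(("error", f"rule tag with missing/invalid attributes: {r.attrib}"))
            continue
        try:
            prio = int(r.get("priority"))
        except (TypeError, ValueError):
            findings.append(("error", f"{key[2]}: priority must be an integer, got {r.get('priority')!r}"))
            continue
        if key[2] not in BUILTIN_CHAINS and key not in defined:
            findings.append(("error", f"{key[2]}: rule targets a chain no <chain> tag defines"))
        by_chain[key].append(prio)
        all_args.append(args)
        findings += _accept_warning(key[2], args, backend)

    for key, prios in by_chain.items():
        dup = sorted({p for p in prios if prios.count(p) > 1})
        if dup:
            findings.append(("warning", f"{key[2]}: several rules share priority {dup}; "
                                        "their relative order is not fixed"))

    for p in root.iter("passthrough"):
        args = (p.text or "").strip()
        if p.get("ipv") not in FAMILIES:
            findings.append(("error", f"passthrough with invalid ipv: {p.attrib}"))
        findings.append(("warning", f"passthrough '{args}' is inserted verbatim; nothing "
                                    "protects it from conflicting with firewalld's own rules"))
        all_args.append(args)
        findings += _accept_warning("passthrough", args, backend)

    # A user chain must be connected with --jump/--goto, otherwise it is dead.
    tokens = {t for a in all_args for t in a.split()}
    for (_, _, name) in defined:
        if name not in tokens:
            findings.append(("warning", f"chain {name} is never jumped to from any rule"))
    return findings


# Constructed input: the man page's denylist example plus three additions
# that trigger the checks above (port 2222 is a hypothetical service).
SAMPLE_DIRECT_XML = """\
<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="raw" chain="denylist"/>
  <chain ipv="ipv4" table="filter" chain="orphan"/>
  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j denylist</rule>
  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j denylist</rule>
  <rule ipv="ipv4" table="raw" chain="denylist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "denylisted: "</rule>
  <rule ipv="ipv4" table="raw" chain="denylist" priority="1">-j DROP</rule>
  <rule ipv="ipv4" table="filter" chain="INPUT" priority="0">-p tcp --dport 2222 -j ACCEPT</rule>
  <passthrough ipv="ipv4">-A INPUT -i lo -j ACCEPT</passthrough>
</direct>
"""

if __name__ == "__main__":
    for severity, message in audit_direct_xml(SAMPLE_DIRECT_XML):
        print(f"{severity:8} {message}")
```

Run it against /etc/firewalld/direct.xml with the backend from FirewallBackend in firewalld.conf(5). Every ACCEPT warning is a place where the traffic additionally has to be allowed in a zone or policy (options 2 and 3 above), or better, rewritten as a rich rule.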
firewalld 2.4.1 FIREWALLD.DIRECT(5)
firewalld.helper
# man firewalld.helper
FIREWALLD.HELPER(5) firewalld.helper FIREWALLD.HELPER(5)
NAME
firewalld.helper - firewalld helper configuration files
SYNOPSIS
/etc/firewalld/helpers/helper.xml
/usr/lib/firewalld/helpers/helper.xml
DESCRIPTION
A firewalld helper configuration file provides the information of a helper entry for firewalld. The most
important configuration options are ports, family and module.
This example configuration file shows the structure of a helper configuration file:
<?xml version="1.0" encoding="utf-8"?>
<helper module="nf_conntrack_module" [family="ipv4|ipv6"]>
<short>short</short>
<description>description</description>
<port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
</helper>
OPTIONS
The config can contain these tags and attributes. Some of them are mandatory, others optional.
helper
The mandatory helper start and end tag defines the helper. This tag can only be used once in a helper
configuration file. There is one mandatory attribute and also optional attributes for helper:
module="string"
The mandatory module of the helper. This is one of the netfilter conntrack helper modules. The name
starts with nf_conntrack_.
family="ipv4|ipv6"
The optional family of the helper. This can be one of these ipv types: ipv4 or ipv6. If the family
is not specified, then the helper is usable for IPv4 and IPv6.
version="string"
To give the helper a version.
short
Is an optional start and end tag and is used to give a helper a more readable name.
description
Is an optional start and end tag to have a description for a helper.
port
Is a mandatory empty-element tag and can be used several times to have more than one port entry. All
attributes of a port entry are mandatory:
port="string"
The port string can be a single port number or a port range portid-portid or also empty to match a
protocol only.
protocol="string"
The protocol value can either be tcp, udp, sctp or dccp.
firewalld 2.4.1 FIREWALLD.HELPER(5)
firewalld.icmptype
# man firewalld.icmptype
FIREWALLD.ICMPTYPE(5) firewalld.icmptype FIREWALLD.ICMPTYPE(5)
NAME
firewalld.icmptype - firewalld icmptype configuration files
SYNOPSIS
/etc/firewalld/icmptypes/icmptype.xml
/usr/lib/firewalld/icmptypes/icmptype.xml
DESCRIPTION
A firewalld icmptype configuration file provides the information for an Internet Control Message
Protocol (ICMP) type for firewalld.
This example configuration file shows the structure of an icmptype configuration file:
<?xml version="1.0" encoding="utf-8"?>
<icmptype>
<short>My Icmptype</short>
<description>description</description>
<destination ipv4="yes" ipv6="yes"/>
</icmptype>
OPTIONS
The config can contain these tags and attributes. Some of them are mandatory, others optional.
icmptype
The mandatory icmptype start and end tag defines the icmptype. This tag can only be used once in an
icmptype configuration file. This tag has optional attributes:
version="string"
To give the icmptype a version.
short
Is an optional start and end tag and is used to give an icmptype a more readable name.
description
Is an optional start and end tag to have a description for an icmptype.
destination
Is an optional empty-element tag and can be used only once. The destination tag specifies if an icmptype
entry is available for IPv4 and/or IPv6. The default is IPv4 and IPv6, where this tag can be missing.
ipv4="bool"
Describes if the icmptype is available for IPv4.
ipv6="bool"
Describes if the icmptype is available for IPv6.
firewalld 2.4.1 FIREWALLD.ICMPTYPE(5)
firewalld.ipset
# man firewalld.ipset
FIREWALLD.IPSET(5) firewalld.ipset FIREWALLD.IPSET(5)
NAME
firewalld.ipset - firewalld ipset configuration files
SYNOPSIS
/etc/firewalld/ipsets/ipset.xml
/usr/lib/firewalld/ipsets/ipset.xml
DESCRIPTION
A firewalld ipset configuration file provides the information of an ip set for firewalld. The most
important configuration options are type, option and entry.
This example configuration file shows the structure of an ipset configuration file:
<?xml version="1.0" encoding="utf-8"?>
<ipset type="hash:ip">
<short>My Ipset</short>
<description>description</description>
<entry>1.2.3.4</entry>
<entry>1.2.3.5</entry>
<entry>1.2.3.6</entry>
</ipset>
OPTIONS
The config can contain these tags and attributes. Some of them are mandatory, others optional.
ipset
The mandatory ipset start and end tag defines the ipset. This tag can only be used once in an ipset
configuration file. There is one mandatory attribute and also optional attributes for ipsets:
type="string"
The mandatory type of the ipset. To get the list of supported types, use firewall-cmd
--get-ipset-types.
version="string"
To give the ipset a version.
short
Is an optional start and end tag and is used to give an ipset a more readable name.
description
Is an optional start and end tag to have a description for an ipset.
option
Is an optional empty-element tag and can be used several times to have more than one option. Of the
attributes of an option entry only the name is mandatory:
name="string"
The mandatory option name string.
value="string"
The optional value of the option.
The supported options are: family: "inet"|"inet6", timeout: integer, hashsize: integer, maxelem:
integer. For more information on these options, please have a look at the ipset documentation.
entry
Is an optional start and end tag and can be used several times to have more than one entry. An
entry does not have attributes.
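Zones, policies and rich rules reference an ipset only by name, so the file content alone decides what a "denylist" or "allowlist" really matches; a wrong type or a missing family option is a silent error. The builder and loader below are an added example, not firewalld code: they write an ipset file in the structure shown above and parse it back, refusing entries that do not fit the type (a network in a hash:ip set), mixed address families, host bits set in a prefix, and a /0 entry that would match everything. Only hash:ip and hash:net are covered; the networks in the usage block are the ones from the direct(5) example and are not real.

```python
"""Write and read back an ipset configuration file of the structure shown
above.  Added example, not firewalld code; it covers the two hash types a
host denylist normally needs, the daemon's full list comes from
firewall-cmd --get-ipset-types."""
import ipaddress
import xml.etree.ElementTree as ET

# type -> whether entries may be networks (CIDR) rather than single addresses
IPSET_TYPES = {"hash:ip": False, "hash:net": True}


def build_ipset_xml(short, entries, ipset_type="hash:net", timeout=None, description=""):
    """Return the XML text of an ipset; raises ValueError on anything that
    would yield a set with a different reach than the caller intended."""
    if ipset_type not in IPSET_TYPES:
        raise ValueError(f"unsupported ipset type {ipset_type!r}")
    if not entries:
        raise ValueError("refusing to write an empty set")
    # strict=True rejects host bits in a prefix, e.g. 192.168.1.5/24
    nets = [ipaddress.ip_network(e, strict=True) for e in entries]
    versions = {n.version for n in nets}
    if len(versions) != 1:
        raise ValueError("IPv4 and IPv6 entries mixed; use one set per family")
    if not IPSET_TYPES[ipset_type] and any(n.num_addresses != 1 for n in nets):
        raise ValueError(f"{ipset_type} holds single addresses, not networks")
    if any(n.prefixlen == 0 for n in nets):
        raise ValueError("a /0 entry matches every address; almost certainly a mistake")

    root = ET.Element("ipset", type=ipset_type)
    ET.SubElement(root, "short").text = short
    if description:
        ET.SubElement(root, "description").text = description
    # family is written explicitly so an IPv6 list never ends up in an inet set
    ET.SubElement(root, "option", name="family",
                  value="inet" if versions == {4} else "inet6")
    if timeout is not None:
        ET.SubElement(root, "option", name="timeout", value=str(int(timeout)))
    for n in nets:
        ET.SubElement(root, "entry").text = (
            str(n.network_address) if n.num_addresses == 1 else n.with_prefixlen)
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def load_ipset_xml(xml_text):
    """Parse an ipset file back into (type, family, entries)."""
    root = ET.fromstring(xml_text)
    if root.tag != "ipset" or not root.get("type"):
        raise ValueError("not an ipset file, or mandatory type attribute missing")
    options = {o.get("name"): o.get("value") for o in root.iter("option")}
    entries = [(e.text or "").strip() for e in root.iter("entry")]
    return root.get("type"), options.get("family", "inet"), entries


if __name__ == "__main__":
    # constructed input: the two networks used in the direct(5) example
    text = build_ipset_xml("denylist", ["192.168.1.0/24", "192.168.5.0/24"],
                           description="networks blocked at the border")
    print(text)
    print(load_ipset_xml(text))
```

Save the output as /etc/firewalld/ipsets/NAME.xml; NAME (the file name, not the short tag) is what zones and rich rules refer to, and the set becomes active after a reload.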
firewalld 2.4.1 FIREWALLD.IPSET(5)
firewalld.policies
# man firewalld.policies
FIREWALLD.POLICIES(5) firewalld.policies FIREWALLD.POLICIES(5)
NAME
firewalld.policies - firewalld policies
DESCRIPTION
What is a policy?
A policy applies a set of rules to traffic flowing between zones (see firewalld.zones(5)). The policy
affects traffic in a stateful unidirectional manner, e.g. zoneA to zoneB. This allows asymmetric
filtering policies.
A policy's relationship to zones is defined by assigning a set of ingress zones and a set of egress
zones. For example, if the set of ingress zones contains "internal" and the set of egress zones contains
"external" then the policy will affect all traffic flowing from the "internal" zone to the "external"
zone. However, since policies are unidirectional it will not apply to traffic flowing from "external" to
"internal". The ingress set and egress set may contain multiple zones.
Below is a visual representation of policy foobar followed by the CLI commands to create it. This policy
would affect traffic flowing from the internal zone to the external zone. Initially, the target is set
to ACCEPT to allow all traffic. This is common if the internal network is trusted.
    +----------+           +----------+
    |          |  policy   |          |
    | internal | --------> | external |
    |   zone   |  foobar   |   zone   |
    |          |           |          |
    +----------+           +----------+
# firewall-cmd --permanent --new-policy foobar
# firewall-cmd --permanent --policy foobar --add-ingress-zone internal
# firewall-cmd --permanent --policy foobar --add-egress-zone external
# firewall-cmd --permanent --policy foobar --set-target ACCEPT
# firewall-cmd --reload
Perhaps it makes sense to be more restrictive. This example changes foobar so that it only allows: dns,
http, and https traffic. Everything else is blocked. Clients would only be allowed to surf the web.
# firewall-cmd --permanent --policy foobar --set-target REJECT
# firewall-cmd --permanent --policy foobar --add-service dns
# firewall-cmd --permanent --policy foobar --add-service http
# firewall-cmd --permanent --policy foobar --add-service https
# firewall-cmd --reload
Active Policies
Policies only become active if all of the following are true.
• The policy is not disabled.
• The ingress zones list contains at least one regular zone or a single symbolic zone.
• The egress zones list contains at least one regular zone or a single symbolic zone.
• For non symbolic zones, the zone must be active. That is, it must have interfaces or sources assigned
to it.
If the policy is not active then the policy has no effect.
Symbolic Zones
Regular zones are not enough to express every form of packet filtering. For example, there is no zone to
represent traffic flowing to or from the host running firewalld. As such, there are some symbolic zones
to fill these gaps. However, symbolic zones are unique in that, when used, a symbolic zone must be the
only zone in the ingress or egress zone set. For example, you cannot use "public" together with "HOST"
in the ingress zones.
Symbolic zones:
1. HOST
This symbolic zone is for traffic flowing to or from the host running firewalld. This corresponds to
netfilter (iptables/nftables) chains INPUT and OUTPUT.
• If used in the egress zones list it will apply to traffic on the INPUT chain.
• If used in the ingress zones list it will apply to traffic on the OUTPUT chain.
2. ANY
This symbolic zone behaves like a wildcard for the ingress and egress zones, with the exception that it
does not include "HOST". It's useful if you want a policy to apply to every zone.
• If used in the ingress zones list it will apply for traffic originating from any zone.
• If used in the egress zones list it will apply for traffic destined to any zone.
Predefined Policies
firewalld ships with some predefined policies. These may or may not be active by default. For details
see the description of each policy.
• allow-host-ipv6
Similarity to Zones
Policies are similar to zones in that they are an attachment point for firewalld's primitives: services,
ports, forward ports, etc. This is not a coincidence. Policies are a generalization of how zones have
traditionally achieved filtering. In fact, in modern firewalld zones are internally implemented as a set
of policies.
The main difference between policies and zones is that policies allow filtering in all directions: input,
output, and forwarding. With a couple of exceptions zones only allow input filtering, which is sufficient
for an end station firewall. However, for network level filtering or filtering on behalf of virtual
machines and containers something more flexible, i.e. policies, is needed.
firewalld 2.4.1 FIREWALLD.POLICIES(5)
firewalld.policy
# man firewalld.policy
FIREWALLD.POLICY(5) firewalld.policy FIREWALLD.POLICY(5)
NAME
firewalld.policy - firewalld policy configuration files
SYNOPSIS
/etc/firewalld/policies/policy.xml
/usr/lib/firewalld/policies/policy.xml
DESCRIPTION
A firewalld policy configuration file contains the information for a policy. These are the policy
descriptions, services, ports, protocols, icmp-blocks, masquerade, forward-ports and rich language rules
in an XML file format. The file name has to be policy_name.xml where the length of policy_name is
currently limited to 17 chars.
This is the structure of a policy configuration file:
<?xml version="1.0" encoding="utf-8"?>
<policy [version="versionstring"] [target="CONTINUE|ACCEPT|REJECT|DROP"] [priority="priority"]>
  [ <disable/> ]
  [ <ingress-zone name="zone"/> ]
  [ <egress-zone name="zone"/> ]
  [ <short>short description</short> ]
  [ <description>description</description> ]
  [ <service name="string"/> ]
  [ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
  [ <protocol value="protocol"/> ]
  [ <icmp-block name="string"/> ]
  [ <masquerade/> ]
  [ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
  [ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
  [
    <rule [family="ipv4|ipv6"] [priority="priority"]>
      [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
      [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
      [
        <service name="string"/> |
        <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
        <protocol value="protocol"/> |
        <icmp-block name="icmptype"/> |
        <icmp-type name="icmptype"/> |
        <masquerade/> |
        <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
      ]
      [
        <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
        <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
      ]
      [ <audit> [<limit value="rate/duration"/>] </audit> ]
      [
        <accept> [<limit value="rate/duration"/>] </accept> |
        <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
        <drop> [<limit value="rate/duration"/>] </drop> |
        <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
      ]
    </rule>
  ]
</policy>
The config can contain these tags and attributes. Some of them are mandatory, others optional.
policy
The mandatory policy start and end tag defines the policy. This tag can only be used once in a policy
configuration file. There are optional attributes for policy:
version="string"
To give the policy a version.
target="CONTINUE|ACCEPT|REJECT|DROP"
Can be used to accept, reject or drop every packet that doesn't match any rule (port, service,
etc.). CONTINUE is the default and is used for policies that are non-terminal.
disable
Is an optional empty-element tag. It can be used only once. If it's present the policy is disabled and
will not activate.
ingress-zone
An optional element that can be used several times. It can be the name of a firewalld zone or one of the
symbolic zones: HOST, ANY. See firewalld.policies(5) for information about symbolic zones.
egress-zone
An optional element that can be used several times. It can be the name of a firewalld zone or one of the
symbolic zones: HOST, ANY. See firewalld.policies(5) for information about symbolic zones.
short
Is an optional start and end tag and is used to give a more readable name.
description
Is an optional start and end tag to have a description.
service
Is an optional empty-element tag and can be used several times to have more than one service entry
enabled. A service entry has exactly one attribute:
name="string"
The name of the service to be enabled. To get a list of valid service names firewall-cmd --get-services
can be used.
port
Is an optional empty-element tag and can be used several times to have more than one port entry. All
attributes of a port entry are mandatory:
port="portid[-portid]"
The port can either be a single port number portid or a port range portid-portid.
protocol="tcp|udp|sctp|dccp"
The protocol can either be tcp, udp, sctp or dccp.
protocol
Is an optional empty-element tag and can be used several times to have more than one protocol entry. A
protocol entry has exactly one attribute:
value="string"
The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for
supported protocols.
icmp-block
Is an optional empty-element tag and can be used several times to have more than one icmp-block entry.
Each icmp-block tag has exactly one mandatory attribute:
name="string"
The name of the Internet Control Message Protocol (ICMP) type to be blocked. To get a list of valid
ICMP types firewall-cmd --get-icmptypes can be used.
masquerade
Is an optional empty-element tag. It can be used only once. If it's present masquerading is enabled.
forward-port
Is an optional empty-element tag and can be used several times to have more than one port or packet
forward entry. There are mandatory and also optional attributes for forward ports:
Mandatory attributes:
The local port and protocol to be forwarded.
port="portid[-portid]"
The port can either be a single port number portid or a port range portid-portid.
protocol="tcp|udp|sctp|dccp"
The protocol can either be tcp, udp, sctp or dccp.
Optional attributes:
The destination of the forward. For local forwarding add to-port only. For remote forwarding add
to-addr and use to-port optionally if the destination port on the destination machine should be
different.
to-port="portid[-portid]"
The destination port or port range to forward to. If omitted, the value of the port= attribute
is used, together with the to-addr attribute.
to-addr="address"
The destination IP address either for IPv4 or IPv6.
source-port
All attributes of a source port entry are mandatory:
port="portid[-portid]"
The port can either be a single port number portid or a port range portid-portid.
protocol="tcp|udp|sctp|dccp"
The protocol can either be tcp, udp, sctp or dccp.
rule
Is an optional element tag and can be used several times to have more than one rich language rule entry.
The general rule structure:
<rule [family="ipv4|ipv6"] [priority="priority"]>
  [ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
  [ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
  [
    <service name="string"/> |
    <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
    <protocol value="protocol"/> |
    <icmp-block name="icmptype"/> |
    <icmp-type name="icmptype"/> |
    <masquerade/> |
    <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
    <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/>
  ]
  [
    <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
    <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
  ]
  [ <audit> [<limit value="rate/duration"/>] </audit> ]
  [
    <accept> [<limit value="rate/duration"/>] </accept> |
    <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
    <drop> [<limit value="rate/duration"/>] </drop> |
    <mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
  ]
</rule>
Rule structure for source black or white listing:
<rule [family="ipv4|ipv6"] [priority="priority"]>
  <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/>
  [
    <log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
    <nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
  ]
  [ <audit> [<limit value="rate/duration"/>] </audit> ]
  <accept> [<limit value="rate/duration"/>] </accept> |
  <reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
  <drop> [<limit value="rate/duration"/>] </drop>
</rule>
For a full description on rich language rules, please have a look at firewalld.richlanguage(5).
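The policies man page above builds the foobar policy with firewall-cmd and lists the conditions under which a policy becomes active; this man page gives the file layout that `--permanent` writes to /etc/firewalld/policies/. The following example is added for this tutorial and is not firewalld's own code: it emits the restrictive foobar policy (target REJECT, dns/http/https) in that layout, enforces the 17-character name limit, and evaluates the "Active Policies" conditions including the rule that a symbolic zone must stand alone in its zone set. The set of active zones is constructed data here (on a real host it comes from `firewall-cmd --get-active-zones`), and condition four is read as "at least one zone of each set is active", which is an interpretation of the text, not something the man page spells out.

```python
"""Write a firewalld policy file and decide whether the policy would be active.

Added example, not part of firewalld. build_policy_xml() emits the restrictive
"foobar" policy from firewalld.policies(5) in the layout of firewalld.policy(5);
policy_is_active() applies the conditions from "Active Policies" and the
symbolic-zone rule from "Symbolic Zones". The set of active zones is passed in
as constructed data; on a real host it comes from "firewall-cmd --get-active-zones".
"""
import xml.etree.ElementTree as ET

SYMBOLIC_ZONES = {"HOST", "ANY"}
TARGETS = ("CONTINUE", "ACCEPT", "REJECT", "DROP")
MAX_POLICY_NAME = 17  # file name is policy_name.xml, policy_name at most 17 chars


def build_policy_xml(name, ingress, egress, target="CONTINUE", services=(), disabled=False):
    """Return (file_name, xml_text) for a policy in firewalld.policy(5) layout."""
    if len(name) > MAX_POLICY_NAME:
        raise ValueError("policy name %r is longer than %d chars" % (name, MAX_POLICY_NAME))
    if target not in TARGETS:
        raise ValueError("target must be one of %s" % "|".join(TARGETS))
    policy = ET.Element("policy", target=target)
    if disabled:
        ET.SubElement(policy, "disable")
    for zone in ingress:
        ET.SubElement(policy, "ingress-zone", name=zone)
    for zone in egress:
        ET.SubElement(policy, "egress-zone", name=zone)
    for service in services:
        ET.SubElement(policy, "service", name=service)
    if hasattr(ET, "indent"):  # pretty-printing needs Python 3.9+
        ET.indent(policy)
    body = ET.tostring(policy, encoding="unicode")
    return name + ".xml", '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def zone_set_ok(zones):
    """A zone set holds one or more regular zones, or exactly one symbolic zone."""
    if not zones:
        return False
    if any(zone in SYMBOLIC_ZONES for zone in zones):
        return len(zones) == 1  # "public" together with "HOST" is not allowed
    return True


def policy_is_active(xml_text, active_zones):
    """Apply the "Active Policies" conditions to a policy file.

    Condition four ("for non symbolic zones, the zone must be active") is read
    here as: at least one zone of each set has interfaces or sources assigned.
    Symbolic zones count as active.
    """
    policy = ET.fromstring(xml_text)
    if policy.find("disable") is not None:
        return False
    ingress = [e.get("name") for e in policy.findall("ingress-zone")]
    egress = [e.get("name") for e in policy.findall("egress-zone")]
    for zone_set in (ingress, egress):
        if not zone_set_ok(zone_set):
            return False
        if not any(z in SYMBOLIC_ZONES or z in active_zones for z in zone_set):
            return False
    return True


if __name__ == "__main__":
    # The restrictive foobar policy: internal -> external, web and DNS only.
    file_name, xml_text = build_policy_xml(
        "foobar", ["internal"], ["external"],
        target="REJECT", services=["dns", "http", "https"])
    print("/etc/firewalld/policies/" + file_name)
    print(xml_text)
    # Constructed zone state: only "internal" has an interface assigned.
    print("active with internal only:", policy_is_active(xml_text, {"internal"}))
    print("active with both zones:", policy_is_active(xml_text, {"internal", "external"}))
```

The second print in the usage block is the practical point: a policy whose egress zone has no interface or source assigned is silently inactive, so after `firewall-cmd --reload` the REJECT target protects nothing until both zones are populated.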
firewalld 2.4.1 FIREWALLD.POLICY(5)
firewalld.policy-set-gateway
# man firewalld.policy-set-gateway
FIREWALLD.POLICY-(5) Firewalld Policy Set Gateway FIREWALLD.POLICY-(5)
NAME
firewalld.policy-set-gateway - Firewalld Policy Set Gateway
DESCRIPTION
Policy Set: Gateway
The Gateway policy set is a useful starting point for a home router. It enables masquerading, conntrack
helpers, and forwarding between zones.
Zones used by this set are logically grouped. These group names are used by the predefined policies.
    +-----------+          +-----------+
    |    LAN    |          |   WORLD   |
    |-----------|          |-----------|
    | zones:    |          | zones:    |
    |  internal |          |  external |
    |  home     |          |  public   |
    |  trusted  |          |           |
    +-----------+          +-----------+
          |                      |
          |                      |
          |      +-----------+   |
          +------|   HOST    |---+
                 |-----------|
                 | zones:    |
          +------|   HOST    |---+
          |      +-----------+   |
          |                      |
          |                      |
    +-----------+          +-----------+
    |   WORK    |          |    DMZ    |
    |-----------|          |-----------|
    | zones:    |          | zones:    |
    |  work     |          |  dmz      |
    +-----------+          +-----------+
Policies in the Gateway set
gateway-dmz-to-HOST
Enables services commonly needed for a gateway, e.g. dns, dhcp.
File location: /usr/lib/firewalld/policies/gateway-dmz-to-HOST.xml
gateway-lan-to-work
Allows all traffic from LAN to work. Enables masquerading and common connection tracking helpers.
File location: /usr/lib/firewalld/policies/gateway-lan-to-work.xml
gateway-lan-to-world
Allows all traffic from LAN to world. If an interface is added to the "external" zone then the
traffic will be masqueraded. Also enables connection tracking helpers for common services, e.g. ftp.
File location: /usr/lib/firewalld/policies/gateway-lan-to-world.xml
gateway-lan-to-HOST
Enables services commonly needed for a gateway, e.g. dns, dhcp.
File location: /usr/lib/firewalld/policies/gateway-lan-to-HOST.xml
gateway-world-to-HOST
May be used to expose internal/dmz services to the world by adding a forward port to this policy.
Here is an example for adding a forward port. It forwards port 8080 to 10.1.1.42:80.
# firewall-cmd --permanent --policy gateway-world-to-HOST \
--add-forward-port=port=8080:proto=tcp:toport=80:toaddr=10.1.1.42
# firewall-cmd --reload
File location: /usr/lib/firewalld/policies/gateway-world-to-HOST.xml
firewalld 2.4.1 FIREWALLD.POLICY-(5)
firewalld.policy-sets
# man firewalld.policy-sets
FIREWALLD.POLICY-(5) Firewalld Policy Sets FIREWALLD.POLICY-(5)
NAME
firewalld.policy-sets - Policy Sets
DESCRIPTION
What Are Policy Sets?
Policy sets are collections of policies that serve as starting configuration for specific use cases,
e.g. a home router. They provide an easy way to get started. Users may then fine tune the configuration
for their environment. Every policy set has a dedicated man page to explain its use case.
All policy sets shipped by firewalld are administratively disabled by default. Using them is a matter of
adding your interfaces to zones and removing the disable.
Enabling a Policy Set
Below is a complete example for using the gateway policy set. In this example: eth0 is the LAN interface,
and eth1 is the uplink to the internet.
# firewall-cmd --permanent --zone internal --add-interface eth0
# firewall-cmd --permanent --zone external --add-interface eth1
# firewall-cmd --permanent --policy-set gateway --remove-disable
# firewall-cmd --reload
Enabling Multiple Policy Sets
Policy sets are guaranteed to interoperate. Multiple policy sets may be enabled simultaneously.
Existing Policy Sets
gateway
Provides basic functionality for a gateway, e.g. a home router. See firewalld.policy-set-gateway(5).
firewalld 2.4.1 FIREWALLD.POLICY-(5)
firewalld.richlanguage
# man firewalld.richlanguage
FIREWALLD.RICHLANG(5) firewalld.richlanguage FIREWALLD.RICHLANG(5)
NAME
firewalld.richlanguage - Rich Language Documentation
DESCRIPTION
With the rich language more complex firewall rules can be created in an easy to understand way. The
language uses keywords with values and is an abstract representation of ip*tables rules.
The rich language extends the current zone elements (service, port, icmp-block, icmp-type, masquerade,
forward-port and source-port) with additional source and destination addresses, logging, actions and
limits for logs and actions.
This page describes the rich language used in the command line client and D-Bus interface. For
information about the rich language representation used in the zone configuration files, please have a
look at firewalld.zone(5).
A rule is part of a zone. One zone can contain several rules. If some rules interact/contradict, the
first rule that matches "wins".
General rule structure
rule
  [source]
  [destination]
  service|port|protocol|icmp-block|icmp-type|masquerade|forward-port|source-port
  [log|nflog]
  [audit]
  [accept|reject|drop|mark]
The complete rule is provided as a single line string. A destination is allowed here as long as it does
not conflict with the destination of a service.
Rule structure for source black or white listing
rule
  source
  [log|nflog]
  [audit]
  accept|reject|drop|mark
This is used to grant or limit access from a source to this machine or machines that are reachable by
this machine. A destination is not allowed here.
Important information about element options: Options for elements in a rule need to be added directly
after the element. If the option is placed somewhere else it might be used for another element, as far
as it matches the options of that other element, or it will result in a rule error.
Rule
rule [family="ipv4|ipv6"] [priority="priority"]
If the rule family is provided, it can be either "ipv4" or "ipv6", which limits the rule to IPv4 or
IPv6. If the rule family is not provided, the rule will be added for IPv4 and IPv6. If source or
destination addresses are used in a rule, then the rule family needs to be provided. This is also the
case for port/packet forwarding.
If the rule priority is provided, it can be in the range of -32768 to 32767 where lower values have
higher precedence. Rich rules are sorted by priority. Ordering for rules with the same priority value is
undefined. A negative priority value will be executed before other firewalld primitives. A positive
priority value will be executed after other firewalld primitives. A priority value of 0 will place the
rule in a chain based on the action as per the "Information about logging and actions" below.
Source
source [not] address="address[/mask]"|mac="mac-address"|ipset="ipset"
With the source address the origin of a connection attempt can be limited to the source address. An
address is either a single IP address, or a network IP address, a MAC address or an IPSet. The address
has to match the rule family (IPv4/IPv6). Subnet mask is expressed in either dot-decimal (/x.x.x.x) or
prefix (/x) notations for IPv4, and in prefix notation (/x) for IPv6 network addresses. It is possible to
invert the sense of an address by adding not before address. All but the specified address will match
then.
Destination
destination [not] address="address[/mask]"|ipset="ipset"
With the destination address the target can be limited to the destination address. The destination
address is using the same syntax as the source address.
The use of source and destination addresses is optional and the use of a destination address is not
possible with all elements. This depends on the use of destination addresses for example in service
entries.
Service
service name="service name"
The service service name will be added to the rule. The service name is one of the firewalld provided
services. To get a list of the supported services, use firewall-cmd --get-services.
If a service provides a destination address, it will conflict with a destination address in the rule and
will result in an error. The services using destination addresses internally are mostly services using
multicast.
Port
port port="port value" protocol="tcp|udp|sctp|dccp"
The port port value can either be a single port number portid or a port range portid-portid. The
protocol can either be tcp, udp, sctp or dccp.
Protocol
protocol value="protocol value"
The protocol value can be either a protocol id number or a protocol name. For allowed protocol entries,
please have a look at /etc/protocols.
Tcp-Mss-Clamp
tcp-mss-clamp="value=pmtu|value=number >= 536|None"
The tcp-mss-clamp sets the maximum segment size in the rule.
The tcp-mss-clamp has an optional attribute value, which can either be set to "pmtu" or to a number
greater than or equal to 536. If the attribute value is not present, the maximum segment size is
automatically set to "pmtu".
ICMP-Block
icmp-block name="icmptype name"
The icmptype is one of the icmp types firewalld supports. To get a listing of supported icmp types:
firewall-cmd --get-icmptypes
It is not allowed to specify an action here. icmp-block uses the action reject internally.
Masquerade
masquerade
Turn on masquerading in the rule. A source and also a destination address can be provided to limit
masquerading to this area.
It is not allowed to specify an action here.
Note: IP forwarding will be implicitly enabled.
ICMP-Type
icmp-type name="icmptype name"
The icmptype is one of the icmp types firewalld supports. To get a listing of supported icmp types:
firewall-cmd --get-icmptypes
Forward-Port
forward-port port="port value" protocol="tcp|udp|sctp|dccp" to-port="port value" to-addr="address"
Forward port/packets from local port value with protocol "tcp" or "udp" to either another port locally
or to another machine or to another port on another machine.
The port value can either be a single port number or a port range portid-portid. The to-addr is an IP
address. The protocol can either be tcp, udp, sctp or dccp.
It is not allowed to specify an action here. forward-port uses the action accept internally.
Note: IP forwarding will be implicitly enabled if to-addr is specified.
Source-Port
source-port port="port value" protocol="tcp|udp|sctp|dccp"
The source-port port value can either be a single port number portid or a port range portid-portid. The
protocol can either be tcp, udp, sctp or dccp.
Log
log [prefix="prefix text"] [level="log level"] [limit value="rate/duration"]
Log new connection attempts to the rule with kernel logging for example in syslog. You can define a
prefix text with a maximum length of 127 characters that will be added to the log message as a prefix.
Log level can be one of "emerg", "alert", "crit", "error", "warning", "notice", "info" or "debug", where
the default (i.e. if none is specified) is "warning". See syslog(3) for description of levels. See Limit
section for description of limit tag.
Note: The iptables backend truncates prefix to 29 characters.
NFLog
nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"] [limit value="rate/duration"]
Log new connection attempts to the rule using kernel logging to pass the packets through a 'netlink'
socket to users or applications monitoring the multicast group. The minimum and default value for group
is 0, maximum value is 65535. See NETLINK_NETFILTER in netlink(7) man page and NFLOG in both
iptables-extensions(8) and nft(8) man pages for a more detailed description.
You can define a prefix text with a maximum length of 127 characters that will be added to the log
message as a prefix. The queue-size option can be set to increase the queue threshold which can help
limit context switching. The default value for queue-size is 1, maximum value is 65535. See
iptables-extensions(8) and nft(8) for more details.
See Limit section for description of limit tag.
Note: The iptables backend truncates prefix to 63 characters.
Audit
audit [limit value="rate/duration"]
Audit provides an alternative way for logging using audit records sent to the service auditd. Audit type
will be discovered from the rule action automatically. Use of audit is optional. See Limit section for
description of limit tag.
Action
An action can be one of accept, reject, drop or mark.
The rule can either contain an element or also a source only. If the rule contains an element, then new
connections matching the element will be handled with the action. If the rule does not contain an
element, then everything from the source address will be handled with the action.
accept [limit value="rate/duration"]
reject [type="reject type"] [limit value="rate/duration"]
drop [limit value="rate/duration"]
mark set="mark[/mask]" [limit value="rate/duration"]
With accept all new connection attempts will be granted. With reject they will not be accepted and their
source will get a reject ICMP(v6) message. The reject type can be set to specify appropriate ICMP(v6)
error message. For valid reject types see --reject-with type in iptables-extensions(8) man page. Because
reject types are different for IPv4 and IPv6 you have to specify rule family when using reject type.
With drop all packets will be dropped immediately, there is no information sent to the source. With mark
all packets will be marked in the PREROUTING chain in the mangle table with the mark and mask
combination. See Limit section for description of limit tag.
Limit
limit value="rate/duration"
It is possible to limit Log, NFLog, Audit and Action. A rule using this tag will match until this limit
is reached. The rate is a natural positive number [1, ..]. The duration is one of "s", "m", "h", "d": "s"
means seconds, "m" minutes, "h" hours and "d" days. Maximum limit value is "2/d", which means at maximum
two matches per day.
Information about logging and actions
Logging can be done with the log, nflog and audit actions. A new chain is added to all zones: zone_log.
This will be jumped into before the deny chain to be able to have a proper ordering.
The rules or parts of them are placed in separate chains according to the priority and action of the
rule:
zone_pre
zone_log
zone_deny
zone_allow
zone_post
When priority < 0, the rich rule will be placed in the zone_pre chain.
When priority == 0, all logging rules will be placed in the zone_log chain. All reject and drop rules
will be placed in the zone_deny chain, which will be walked after the log chain. All accept rules will be
placed in the zone_allow chain, which will be walked after the deny chain. If a rule contains log and
also deny or allow actions, the parts are placed in the matching chains.
When priority > 0, the rich rule will be placed in the zone_post chain.
EXAMPLES
These are examples of how to specify rich language rules. This format (i.e. one string that specifies
the whole rule) is used for example by firewall-cmd --add-rich-rule (see firewall-cmd(1)) as well as
the D-Bus interface.
Example 1
Enable new IPv4 and IPv6 connections for protocol 'ah'
rule protocol value="ah" accept
Example 2
Allow new IPv4 and IPv6 connections for service ftp and log 1 per minute using audit
rule service name="ftp" log limit value="1/m" audit accept
Example 3
Allow new IPv4 connections from address 192.168.0.0/24 for service tftp and log 1 per minute using
syslog
rule family="ipv4" source address="192.168.0.0/24" service name="tftp" log prefix="tftp" level="info" limit value="1/m" accept
Example 4
New IPv6 connections from 1:2:3:4:6:: to service radius are all rejected and logged at a rate of 3 per
minute. New IPv6 connections from other sources are accepted.
rule family="ipv6" source address="1:2:3:4:6::" service name="radius" log prefix="dns" level="info" limit value="3/m" reject
rule family="ipv6" service name="radius" accept
Example 5
Forward IPv6 port/packets receiving from 1:2:3:4:6:: on port 4011 with protocol tcp to 1::2:3:4:7 on
port 4012
rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" to-port="4012" protocol="tcp" port="4011"
Example 6
White-list source address to allow all connections from 192.168.2.2
rule family="ipv4" source address="192.168.2.2" accept
Example 7
Black-list source address to reject all connections from 192.168.2.3
rule family="ipv4" source address="192.168.2.3" reject type="icmp-admin-prohibited"
Example 8
Black-list source address to drop all connections from 192.168.2.4
rule family="ipv4" source address="192.168.2.4" drop
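The rich language rules in the DESCRIPTION above (option placement, family requirements, the priority range, the limit format, implicit actions of icmp-block and forward-port) and the chain placement under "Information about logging and actions" are mechanical enough to check before a rule is handed to `firewall-cmd --add-rich-rule`. The parser below is an added example written for this tutorial, not firewalld's own parser (firewalld has its own, in Python, with more checks than this): it tokenizes a one-line rule, binds every option to the keyword directly before it, reports the constraint violations the man page names, and tells you which zone_* chain(s) the rule would land in. The rules it runs in its usage block are Examples 1 and 7 above plus constructed faulty ones; the error texts are this example's own wording.

```python
"""Parse and sanity-check firewalld rich rules (firewalld.richlanguage(5)).

Added example, not firewalld's own parser. It splits a one-line rich rule into
keywords, binds every option to the keyword directly before it, checks the
constraints the man page states, and reports the zone_* chain(s) the rule lands
in according to "Information about logging and actions".
"""
import re
import shlex

KEYWORDS = {"source", "destination", "service", "port", "protocol", "icmp-block",
            "icmp-type", "masquerade", "forward-port", "source-port",
            "log", "nflog", "audit", "accept", "reject", "drop", "mark", "limit"}
ELEMENTS = {"service", "port", "protocol", "icmp-block", "icmp-type",
            "masquerade", "forward-port", "source-port"}
ACTIONS = {"accept", "reject", "drop", "mark"}
# Elements whose action firewalld fixes itself; an explicit action is an error.
IMPLICIT_ACTION = {"icmp-block": "reject", "forward-port": "accept", "masquerade": None}
LIMIT_RE = re.compile(r"^[1-9][0-9]*/[smhd]$")  # rate/duration, e.g. 1/m

def tokenize(rule):
    """Return [(keyword, {option: value})]; options bind to the keyword before them."""
    words = shlex.split(rule)  # drops the quotes around option values
    if not words or words[0] != "rule":
        raise ValueError('a rich rule must start with "rule"')
    parts = [("rule", {})]
    for word in words[1:]:
        if word in KEYWORDS:
            parts.append((word, {}))
        elif word == "not":
            parts[-1][1]["not"] = "True"
        elif "=" in word:
            key, value = word.split("=", 1)
            parts[-1][1][key] = value
        else:
            raise ValueError("unexpected token %r" % word)
    return parts

def analyze(rule):
    """Validate one rich rule; return its family, priority, element, chains and errors."""
    parts = tokenize(rule)
    errors = []
    rule_opts = parts[0][1]
    family = rule_opts.get("family")
    if family not in (None, "ipv4", "ipv6"):
        errors.append("family must be ipv4 or ipv6")
    priority = int(rule_opts.get("priority", 0))
    if not -32768 <= priority <= 32767:
        errors.append("priority must be in the range -32768..32767")
    names = [name for name, _ in parts[1:]]
    elements = [n for n in names if n in ELEMENTS]
    actions = [n for n in names if n in ACTIONS]
    if len(elements) > 1 or len(actions) > 1:
        errors.append("only one element and one action are allowed per rule")
    element = elements[0] if elements else None
    if element is None:  # the source black/white listing form
        if "source" not in names:
            errors.append("a rule without an element needs a source")
        if "destination" in names:
            errors.append("a destination is not allowed in a source-only rule")
        if not actions:
            errors.append("a source-only rule needs an action")
    elif element in IMPLICIT_ACTION and actions:
        errors.append("%s does not take an explicit action" % element)
    needs_family = element == "forward-port"
    for name, opts in parts[1:]:
        if name in ("source", "destination") and "address" in opts:
            needs_family = True  # an address belongs to exactly one family
        if name == "reject" and "type" in opts:
            needs_family = True  # reject types differ between IPv4 and IPv6
        if name == "limit" and not LIMIT_RE.match(opts.get("value", "")):
            errors.append("limit value must be rate/duration with duration s, m, h or d")
    if needs_family and family is None:
        errors.append("addresses, forward-port and reject type require a rule family")
    # Chain placement inside the zone, by priority and (effective) action.
    effective = actions[0] if actions else IMPLICIT_ACTION.get(element)
    if priority < 0:
        chains = ["zone_pre"]
    elif priority > 0:
        chains = ["zone_post"]
    else:
        chains = []
        if any(n in ("log", "nflog", "audit") for n in names):
            chains.append("zone_log")
        if effective in ("reject", "drop"):
            chains.append("zone_deny")
        elif effective == "accept":
            chains.append("zone_allow")
    return {"family": family, "priority": priority, "element": element,
            "chains": chains, "errors": errors}

if __name__ == "__main__":
    # Examples 1 and 7 from the man page, plus two constructed faulty rules.
    for rule in (
        'rule protocol value="ah" accept',
        'rule family="ipv4" source address="192.168.2.3" reject type="icmp-admin-prohibited"',
        'rule source address="10.0.0.1" drop',  # constructed: rule family missing
        'rule service name="ssh" log limit value="fast" accept',  # constructed: bad limit
    ):
        print(rule, "->", analyze(rule))
```

The chain report is the part worth keeping in mind when rules seem to misbehave: a logging rule at priority 0 is split, its log part walks zone_log and its deny part zone_deny, so a later accept in zone_allow never sees traffic that the deny part already rejected, while a negative priority moves the whole rule ahead of every other primitive in zone_pre.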
firewalld 2.4.1 FIREWALLD.RICHLANG(5)
firewalld.service
# man firewalld.service
FIREWALLD.SERVICE(5) firewalld.service FIREWALLD.SERVICE(5)
NAME
firewalld.service - firewalld service configuration files
SYNOPSIS
/etc/firewalld/services/service.xml
/usr/lib/firewalld/services/service.xml
DESCRIPTION
A firewalld service configuration file provides the information of a service entry for firewalld. The
most important configuration options are ports, modules and destination addresses.
This example configuration file shows the structure of a service configuration file:
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>My Service</short>
<description>description</description>
<port port="137" protocol="tcp"/>
<protocol value="igmp"/>
<module name="nf_conntrack_netbios_ns"/>
<destination ipv4="224.0.0.251" ipv6="ff02::fb"/>
<include service="ssdp"/>
<helper name="ftp"/>
</service>
OPTIONS
The config can contain these tags and attributes. Some of them are mandatory, others optional.
service
The mandatory service start and end tag defines the service. This tag can only be used once in a service
configuration file. There are optional attributes for services:
version="string"
To give the service a version.
short
Is an optional start and end tag and is used to give a service a more readable name.
description
Is an optional start and end tag to have a description for a service.
port
Is an optional empty-element tag and can be used several times to have more than one port entry. All attributes of a port entry are mandatory:
port="string"
The port string can be a single port number or a port range portid-portid or also empty to match a
protocol only.
protocol="string"
The protocol value can either be tcp, udp, sctp or dccp.
For compatibility with older firewalld versions, it is possible to add protocols with the port option where the port is empty. With the addition of native protocol support in the service, this is not needed anymore. These entries will automatically be converted to protocols. With the next modification of the service file, the entries will be listed as protocols.
protocol
Is an optional empty-element tag and can be used several times to have more than one protocol entry. A
protocol entry has exactly one attribute:
value="string"
The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for
supported protocols.
source-port
Is an optional empty-element tag and can be used several times to have more than one source port entry.
All attributes of a source port entry are mandatory:
port="string"
The port string can be a single port number or a port range portid-portid.
protocol="string"
The protocol value can either be tcp, udp, sctp or dccp.
module
This element is deprecated. Please use helper described below in the section called “helper”.
destination
Is an optional empty-element tag and can be used only once. The destination specifies the destination network as a network IP address (optionally with /mask), or a plain IP address. The use of hostnames is not recommended, because these will only be resolved at service activation and transmitted to the kernel. For more information on this element, please have a look at --destination in iptables(8) and ip6tables(8).
ipv4="address[/mask]"
The IPv4 destination address with optional mask.
ipv6="address[/mask]"
The IPv6 destination address with optional mask.
include
Is an optional empty-element tag and can be used several times to have more than one include entry. An
include entry has exactly one attribute:
service="string"
The include can be any service supported by firewalld.
Warning: Firewalld will only check that the included service is a valid service if it's applied to a zone.
helper
Is an optional empty-element tag and can be used several times to have more than one helper entry. A helper entry has exactly one attribute:
name="string"
The helper can be any helper supported by firewalld.
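The constraints listed under OPTIONS (both port attributes mandatory, only tcp/udp/sctp/dccp as port protocols, at most one destination, module deprecated in favour of helper) can be checked before a handwritten service file is copied to /etc/firewalld/services. The validator below is an added example, not firewalld's own code; it uses only the Python standard library, and both embedded sample files are constructed (the first is the man page's example service).

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample 1: the example service file from firewalld.service(5).
EXAMPLE_SERVICE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>My Service</short>
  <description>description</description>
  <port port="137" protocol="tcp"/>
  <protocol value="igmp"/>
  <module name="nf_conntrack_netbios_ns"/>
  <destination ipv4="224.0.0.251" ipv6="ff02::fb"/>
  <include service="ssdp"/>
  <helper name="ftp"/>
</service>
"""

# Constructed sample 2: mistakes a handwritten service file might contain.
BROKEN_SERVICE = """<?xml version="1.0" encoding="utf-8"?>
<service>
  <port port="8080-80" protocol="tcp"/>
  <port port="443"/>
  <port port="22" protocol="ssh"/>
  <destination ipv4="10.0.0.1"/>
  <destination ipv6="fd00::1"/>
  <include/>
  <bogus/>
</service>
"""

PORT_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")


def check_port_string(value, allow_empty):
    """Validate 'portid' or 'portid-portid'; returns an error text or None."""
    if value == "":
        # An empty port= is only allowed in <port> (legacy protocol-only entry).
        return None if allow_empty else "port may not be empty"
    m = PORT_RE.match(value)
    if not m:
        return f"malformed port '{value}'"
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not (1 <= lo <= 65535 and 1 <= hi <= 65535):
        return f"port out of range '{value}'"
    if lo > hi:
        return f"descending port range '{value}'"
    return None


def check_service_xml(text):
    """Return a list of findings for one firewalld service file (empty = clean)."""
    findings = []
    root = ET.fromstring(text)
    if root.tag != "service":
        return [f"root element must be <service>, got <{root.tag}>"]
    seen_destination = False
    for el in root:
        tag = el.tag
        if tag in ("short", "description"):
            continue  # free text, nothing to validate
        if tag in ("port", "source-port"):
            port, proto = el.get("port"), el.get("protocol")
            if port is None or proto is None:
                findings.append(f"<{tag}> requires both port= and protocol=")
                continue
            err = check_port_string(port, allow_empty=(tag == "port"))
            if err:
                findings.append(f"<{tag}>: {err}")
            if proto not in PORT_PROTOCOLS:
                findings.append(f"<{tag}>: protocol must be tcp, udp, sctp or dccp, got '{proto}'")
        elif tag == "protocol":
            if not el.get("value"):
                findings.append("<protocol> requires value=")
        elif tag == "module":
            findings.append("<module> is deprecated, use <helper name=.../> instead")
        elif tag == "destination":
            if seen_destination:
                findings.append("<destination> may appear only once")
            seen_destination = True
            if not (el.get("ipv4") or el.get("ipv6")):
                findings.append("<destination> needs ipv4= and/or ipv6=")
        elif tag == "include":
            if not el.get("service"):
                findings.append("<include> requires service=")
        elif tag == "helper":
            if not el.get("name"):
                findings.append("<helper> requires name=")
        else:
            findings.append(f"unknown element <{tag}>")
    return findings


if __name__ == "__main__":
    for name, text in (("example", EXAMPLE_SERVICE), ("broken", BROKEN_SERVICE)):
        print(name, check_service_xml(text) or ["ok"])
```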
firewalld 2.4.1 FIREWALLD.SERVICE(5)
firewalld.zone
# man firewalld.zone
FIREWALLD.ZONE(5) firewalld.zone FIREWALLD.ZONE(5)
NAME
firewalld.zone - firewalld zone configuration files
SYNOPSIS
/etc/firewalld/zones/zone.xml
/usr/lib/firewalld/zones/zone.xml
DESCRIPTION
A firewalld zone configuration file contains the information for a zone. These are the zone description, services, ports, protocols, icmp-blocks, masquerade, forward-ports, intra-zone forwarding and rich language rules in an XML file format. The file name has to be zone_name.xml where length of zone_name is currently limited to 17 chars.
This is the structure of a zone configuration file:
<?xml version="1.0" encoding="utf-8"?>
<zone [version="versionstring"] [target="ACCEPT|%%REJECT%%|DROP"] [ingress-priority="priority"] [egress-priority="priority"]>
[ <interface name="string"/> ]
[ <source address="address[/mask]"|mac="MAC"|ipset="ipset"/> ]
[ <icmp-block-inversion/> ]
[ <forward/> ]
[ <short>short description</short> ]
[ <description>description</description> ]
[ <service name="string"/> ]
[ <port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
[ <protocol value="protocol"/> ]
[ <icmp-block name="string"/> ]
[ <masquerade/> ]
[ <forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="IP address"]/> ]
[ <source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> ]
[
<rule [family="ipv4|ipv6"] [priority="priority"]>
[ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
[ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
[
<service name="string"/> |
<port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
<protocol value="protocol"/> |
<icmp-block name="icmptype"/> |
<icmp-type name="icmptype"/> |
<masquerade/> |
<forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/>
]
[
<log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
<nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
]
[ <audit> [<limit value="rate/duration"/>] </audit> ]
[
<accept> [<limit value="rate/duration"/>] </accept> |
<reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
<drop> [<limit value="rate/duration"/>] </drop> |
<mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
]
</rule>
]
</zone>
The config can contain these tags and attributes. Some of them are mandatory, others optional.
zone
The mandatory zone start and end tag defines the zone. This tag can only be used once in a zone configuration file. There are optional attributes for zones:
version="string"
To give the zone a version.
target="ACCEPT|%%REJECT%%|DROP"
Can be used to accept, reject or drop every packet that doesn't match any rule (port, service,
etc.).
ACCEPT is special: packets which are not addressed to the host will be forwarded to their destination regardless of the zone's forward setting, or any policies attached to the zone.
If unspecified, the default behavior applies: ICMP will be accepted and everything else will be rejected.
ingress-priority="priority"
Ingress priority for classifying traffic into a zone. A zone with a lower priority value will be
considered before a zone with a higher priority value. This allows custom ordering of zone dispatch.
egress-priority="priority"
Same as ingress-priority, but for egress classification.
interface
Is an optional empty-element tag and can be used several times. It can be used to bind an interface to a
zone. You don't need this for NetworkManager-managed interfaces, because NetworkManager binds interfaces
to zones automatically. See also 'How to set or change a zone for a connection?' in firewalld.zones(5).
You can use it as a fallback mechanism for interfaces that can't be managed via NetworkManager. An interface entry has exactly one attribute:
name="string"
The name of the interface to be bound to the zone.
source
Is an optional empty-element tag and can be used several times. It can be used to bind a source address,
address range, a MAC address or an ipset to a zone. A source entry has exactly one of these attributes:
address="address[/mask]"
The source is either an IP address or a network IP address with a mask for IPv4 or IPv6. The network
family (IPv4/IPv6) will be automatically discovered. For IPv4, the mask can be a network mask or a
plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
mac="MAC"
The source is a MAC address. It must be of the form XX:XX:XX:XX:XX:XX.
ipset="ipset"
The source is an ipset.
icmp-block-inversion
Is an optional empty-element tag and can be used only once in a zone configuration. This flag inverts
the icmp block handling. Only enabled ICMP types are accepted and all others are rejected in the zone.
forward
Is an optional empty-element tag and can be used only once in a zone configuration. This flag enables
intra-zone forwarding. When enabled, packets will be forwarded between interfaces or sources within a
zone, even if the zone's target is not set to ACCEPT.
short
Is an optional start and end tag and is used to give a more readable name.
description
Is an optional start and end tag to have a description.
service
Is an optional empty-element tag and can be used several times to have more than one service entry enabled. A service entry has exactly one attribute:
name="string"
The name of the service to be enabled. To get a list of valid service names firewall-cmd --get-services can be used.
port
Is an optional empty-element tag and can be used several times to have more than one port entry. All attributes of a port entry are mandatory:
port="portid[-portid]"
The port can either be a single port number portid or a port range portid-portid.
protocol="tcp|udp|sctp|dccp"
The protocol can either be tcp, udp, sctp or dccp.
protocol
Is an optional empty-element tag and can be used several times to have more than one protocol entry. Each protocol entry has exactly one attribute:
value="string"
The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for
supported protocols.
icmp-block
Is an optional empty-element tag and can be used several times to have more than one icmp-block entry.
Each icmp-block tag has exactly one mandatory attribute:
name="string"
The name of the Internet Control Message Protocol (ICMP) type to be blocked. To get a list of valid
ICMP types firewall-cmd --get-icmptypes can be used.
masquerade
Is an optional empty-element tag. It can be used only once. If it's present masquerading is enabled.
forward-port
Is an optional empty-element tag and can be used several times to have more than one port or packet forward entry. There are mandatory and also optional attributes for forward ports:
Mandatory attributes:
The local port and protocol to be forwarded.
port="portid[-portid]"
The port can either be a single port number portid or a port range portid-portid.
protocol="tcp|udp|sctp|dccp"
The protocol can either be tcp, udp, sctp or dccp.
Optional attributes:
The destination of the forward. For local forwarding add to-port only. For remote forwarding add to-addr and use to-port optionally if the destination port on the destination machine should be different.
to-port="portid[-portid]"
The destination port or port range to forward to. If omitted, the value of the port= attribute will be used together with the to-addr attribute.
to-addr="address"
The destination IP address either for IPv4 or IPv6.
source-port
Is an optional empty-element tag and can be used several times to have more than one source port entry.
All attributes of a source port entry are mandatory:
port="portid[-portid]"
The port can either be a single port number portid or a port range portid-portid.
protocol="tcp|udp|sctp|dccp"
The protocol can either be tcp, udp, sctp or dccp.
rule
Is an optional element tag and can be used several times to have more than one rich language rule entry.
The general rule structure:
<rule [family="ipv4|ipv6"] [priority="priority"]>
[ <source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/> ]
[ <destination address="address[/mask]"|ipset="ipset" [invert="True"]/> ]
[
<service name="string"/> |
<port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
<protocol value="protocol"/> |
<icmp-block name="icmptype"/> |
<icmp-type name="icmptype"/> |
<masquerade/> |
<forward-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp" [to-port="portid[-portid]"] [to-addr="address"]/> |
<source-port port="portid[-portid]" protocol="tcp|udp|sctp|dccp"/> |
]
[
<log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
<nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
]
[ <audit> [<limit value="rate/duration"/>] </audit> ]
[
<accept> [<limit value="rate/duration"/>] </accept> |
<reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
<drop> [<limit value="rate/duration"/>] </drop> |
<mark set="mark[/mask]"> [<limit value="rate/duration"/>] </mark>
]
</rule>
Rule structure for source black or white listing:
<rule [family="ipv4|ipv6"] [priority="priority"]>
<source address="address[/mask]"|mac="MAC"|ipset="ipset" [invert="True"]/>
[
<log [prefix="prefix text"] [level="emerg|alert|crit|err|warn|notice|info|debug"]> [<limit value="rate/duration"/>] </log> |
<nflog [group="group id"] [prefix="prefix text"] [queue-size="threshold"]> [<limit value="rate/duration"/>] </nflog>
]
[ <audit> [<limit value="rate/duration"/>] </audit> ]
<accept> [<limit value="rate/duration"/>] </accept> |
<reject [type="rejecttype"]> [<limit value="rate/duration"/>] </reject> |
<drop> [<limit value="rate/duration"/>] </drop>
</rule>
For a full description on rich language rules, please have a look at firewalld.richlanguage(5).
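To see how a one-line rich rule from the firewalld.richlanguage(5) examples above maps onto the <rule> structure just shown, here is a small converter written as an added example (it is not firewalld's own parser). It takes Examples 3, 5 and 7 from the richlanguage page as constructed inputs, attaches every key="value" pair to the most recently opened element, and treats forward-port, masquerade and icmp-block as the elements that need no explicit action, as Example 5 shows.

```python
import re
import xml.etree.ElementTree as ET

# A token is a keyword optionally followed by ="value" (quoted) or =value (bare).
TOKEN_RE = re.compile(r'([A-Za-z][\w-]*)(?:=(?:"([^"]*)"|([^\s"]+)))?')

# Bare keywords that open a child element of <rule>. Anything written as
# key="value" becomes an attribute of the most recently opened element
# (or of <rule> itself for family= and priority=).
ELEMENTS = {"source", "destination", "service", "port", "protocol", "icmp-block",
            "icmp-type", "masquerade", "forward-port", "source-port",
            "log", "nflog", "audit", "accept", "reject", "drop", "mark"}
ACTIONS = {"accept", "reject", "drop", "mark"}
# Elements that carry their own verdict, so the rule needs no action (Example 5).
ACTIONLESS = {"forward-port", "masquerade", "icmp-block"}

# Constructed inputs: Examples 3, 5 and 7 from firewalld.richlanguage(5).
PAGE_EXAMPLES = [
    'rule family="ipv4" source address="192.168.0.0/24" service name="tftp" '
    'log prefix="tftp" level="info" limit value="1/m" accept',
    'rule family="ipv6" source address="1:2:3:4:6::" forward-port to-addr="1::2:3:4:7" '
    'to-port="4012" protocol="tcp" port="4011"',
    'rule family="ipv4" source address="192.168.2.3" reject type="icmp-admin-prohibited"',
]


def parse_rich_rule(text):
    """Build the <rule> Element (as used in zone files) from one rich-rule string."""
    matches = list(TOKEN_RE.finditer(text.strip()))
    if not matches or matches[0].group(0) != "rule":
        raise ValueError("a rich rule must begin with the keyword 'rule'")
    rule = ET.Element("rule")
    current = rule
    for m in matches[1:]:
        key = m.group(1)
        value = m.group(2) if m.group(2) is not None else m.group(3)
        if value is not None:
            current.set(key, value)  # attribute of the element opened last
        elif key == "limit":
            if current is rule:
                raise ValueError("limit must follow log, nflog, audit or an action")
            current = ET.SubElement(current, "limit")
        elif key in ELEMENTS:
            current = ET.SubElement(rule, key)
        else:
            raise ValueError(f"unknown rich-rule keyword '{key}'")
    if rule.get("family") not in (None, "ipv4", "ipv6"):
        raise ValueError("family must be ipv4 or ipv6")
    tags = [child.tag for child in rule]
    actions = [t for t in tags if t in ACTIONS]
    if len(actions) > 1:
        raise ValueError("only one action is allowed per rule")
    if not actions and not ACTIONLESS.intersection(tags):
        raise ValueError("rule needs an action: accept, reject, drop or mark")
    return rule


def rich_rule_to_xml(text):
    """Serialise the converted rule the way it would appear inside <zone>."""
    return ET.tostring(parse_rich_rule(text), encoding="unicode")


def is_valid_rich_rule(text):
    """True if the rule passes the checks in parse_rich_rule, False otherwise."""
    try:
        parse_rich_rule(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for example in PAGE_EXAMPLES:
        print(rich_rule_to_xml(example))
```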
firewalld 2.4.1 FIREWALLD.ZONE(5)
firewalld.zones
# man firewalld.zones
FIREWALLD.ZONES(5) firewalld.zones FIREWALLD.ZONES(5)
NAME
firewalld.zones - firewalld zones
DESCRIPTION
What is a zone?
A network zone defines the level of trust for network connections. This is a one to many relation, which means that a connection can only be part of one zone, but a zone can be used for many network connections.
The zone defines the firewall features that are enabled in this zone:
Intra Zone Forwarding
Allows packets received by a zone to be forwarded to other interfaces or sources within the same
zone, even if the zone's target is not ACCEPT.
Predefined services
A service is a combination of port and/or protocol entries. Optionally netfilter helper modules can be added and also an IPv4 and IPv6 destination address.
Ports and protocols
Definition of tcp, udp, sctp or dccp ports, where ports can be a single port or a port range.
ICMP blocks
Blocks selected Internet Control Message Protocol (ICMP) messages. These messages are either information requests or created as a reply to information requests or in error conditions.
ICMP block inversion
Changes how ICMP messages are handled. When enabled, all ICMP message types are blocked, except for
those in the ICMP block list.
Masquerading
The addresses of a private network are mapped to and hidden behind a public IP address. This is a
form of address translation.
Forward ports
A forward port is either mapped to the same port on another host or to another port on the same host
or to another port on another host.
Rich language rules
The rich language extends the elements (service, port, icmp-block, masquerade, forward-port and
source-port) with additional source and destination addresses, logging, actions and limits for logs
and actions. It can also be used for host or network white and black listing (for more information,
please have a look at firewalld.richlanguage(5)).
For more information on the zone file format, please have a look at firewalld.zone(5).
Which zones are available?
Here are the zones provided by firewalld sorted according to the default trust level of the zones from
untrusted to trusted:
drop
Any incoming network packets are dropped, there is no reply. Only outgoing network connections are
possible.
block
Any incoming network connections are rejected with an icmp-host-prohibited message for IPv4 and
icmp6-adm-prohibited for IPv6. Only network connections initiated within this system are possible.
public
For use in public areas. You do not trust the other computers on networks to not harm your computer.
Only selected incoming connections are accepted.
external
For use on external networks with masquerading enabled especially for routers. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.
dmz
For computers in your demilitarized zone that are publicly-accessible with limited access to your
internal network. Only selected incoming connections are accepted.
work
For use in work areas. You mostly trust the other computers on networks to not harm your computer.
Only selected incoming connections are accepted.
home
For use in home areas. You mostly trust the other computers on networks to not harm your computer.
Only selected incoming connections are accepted.
internal
For use on internal networks. You mostly trust the other computers on the networks to not harm your
computer. Only selected incoming connections are accepted.
trusted
All network connections are accepted. Packets not addressed to this host will be forwarded.
Which zone should be used?
A public WIFI network connection for example should be mainly untrusted, a wired home network connection
should be fairly trusted. Select the zone that best matches the network you are using.
How to configure or add zones?
To configure or add zones you can either use one of the firewalld interfaces to handle and change the configuration: These are the graphical configuration tool firewall-config, the command line tool firewall-cmd or the D-Bus interface. Or you can create or copy a zone file in one of the configuration directories. /usr/lib/firewalld/zones is used for default and fallback configurations and /etc/firewalld/zones is used for user created and customized configuration files.
How to set or change a zone for a connection?
The zone is stored into the ifcfg of the connection with ZONE= option. If the option is missing or
empty, the default zone set in firewalld is used.
If the connection is controlled by NetworkManager, you can also use nm-connection-editor to change the
zone.
For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries
to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
Only for the removal of interfaces that are not under control of NetworkManager: firewalld is not trying to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding is then removed in firewalld.
firewalld 2.4.1 FIREWALLD.ZONES(5)
firewall-offline-cmd
# man firewall-offline-cmd
FIREWALL-OFFLINE-C(1) firewall-offline-cmd FIREWALL-OFFLINE-C(1)
NAME
firewall-offline-cmd - firewalld offline command line client
SYNOPSIS
firewall-offline-cmd [OPTIONS...]
DESCRIPTION
firewall-offline-cmd is an offline command line client of the firewalld daemon. It should be used only
if the firewalld service is not running. For example to migrate from system-config-firewall/lokkit or in
the install environment to configure firewall settings with kickstart.
Some lokkit options can not be automatically converted for firewalld, they will result in an error or
warning message. This tool tries to convert as much as possible, but there are limitations for example
with custom rules, modules and masquerading.
Check the firewall configuration after using this tool.
OPTIONS
If no options are given, configuration from /etc/sysconfig/system-config-firewall will be migrated.
Sequence options are the options that can be specified multiple times, the exit code is 0 if there is at
least one item that succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
errors are treated as succeeded. If there are issues while parsing the items, then these are treated as
warnings and will not change the result as long as there is a succeeded one. Without any succeeded item,
the exit code will depend on the error codes. If there is exactly one error code, then this is used. If
there are more than one then UNKNOWN_ERROR (254) will be used.
The following options are supported:
General Options
-h, --help
Prints a short help text and exits.
-V, --version
Prints the version string of firewalld and exits.
-q, --quiet
Do not print status messages.
--default-config
Path to firewalld default configuration. This usually defaults to /usr/lib/firewalld.
--system-config
Path to firewalld system (user) configuration. This usually defaults to /etc/firewalld.
Status Options
--enabled
Enable the firewall. This option is a default option and will activate the firewall if not already
enabled as long as the option --disabled is not given.
--disabled
Disable the firewall by disabling the firewalld service.
--check-config
Run checks on the permanent (default and system) configuration. This includes XML validity and semantics.
This may be used with --system-config to check the validity of handwritten configuration files before copying them to the standard location.
--reset-to-defaults
Reset configuration to firewalld's default configuration
Lokkit Compatibility Options
These options are nearly identical to the options of lokkit.
--migrate-system-config-firewall=file
Migrate system-config-firewall configuration from the given file. No further
--addmodule=module
This option will result in a warning message and will be ignored.
Handling of netfilter helpers has been merged into services completely. Adding or removing netfilter helpers outside of services is therefore not needed anymore. For more information on handling netfilter helpers in services, please have a look at firewalld.zone(5).
--removemodule
This option will result in a warning message and will be ignored.
Handling of netfilter helpers has been merged into services completely. Adding or removing netfilter helpers outside of services is therefore not needed anymore. For more information on handling netfilter helpers in services, please have a look at firewalld.zone(5).
--remove-service=service
Remove a service from the default zone. This option can be specified multiple times.
The service is one of the firewalld provided services. To get a list of the supported services, use
firewall-cmd --get-services.
-s service, --service=service
Add a service to the default zone. This option can be specified multiple times.
The service is one of the firewalld provided services. To get a list of the supported services, use
firewall-cmd --get-services.
-p portid[-portid]:protocol, --port=portid[-portid]:protocol
Add the port to the default zone. This option can be specified multiple times.
The port can either be a single port number or a port range portid-portid. The protocol can either
be tcp, udp, sctp or dccp.
-t interface, --trust=interface
This option will result in a warning message.
Mark an interface as trusted. This option can be specified multiple times. The interface will be
bound to the trusted zone.
If the interface is used in a NetworkManager managed connection or if there is an ifcfg file for
this interface, the zone will be changed to the zone defined in the configuration as soon as it gets
activated. To change the zone of a connection use nm-connection-editor and set the zone to trusted,
for an ifcfg file, use an editor and add "ZONE=trusted". If the zone is not defined in the ifcfg
file, the firewalld default zone will be used.
-m interface, --masq=interface
This option will result in a warning message.
Masquerading will be enabled in the default zone. The interface argument will be ignored. This is
for IPv4 only.
--custom-rules=[type:][table:]filename
This option will result in a warning message and will be ignored.
Custom rule files are not supported by firewalld.
--forward-port=if=interface:port=port:proto=protocol[:toport=destination port:][:toaddr=destination address]
This option will result in a warning message.
Add the IPv4 forward port in the default zone. This option can be specified multiple times.
The port can either be a single port number portid or a port range portid-portid. The protocol can
either be tcp, udp, sctp or dccp. The destination address is an IP address.
--block-icmp=icmptype
This option will result in a warning message.
Add an ICMP block for icmptype in the default zone. This option can be specified multiple times.
The icmptype is the one of the icmp types firewalld supports. To get a listing of supported icmp
types: firewall-cmd --get-icmptypes
Log Denied Options
--get-log-denied
Print the log denied setting.
--set-log-denied=value
Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the
default rules and also final reject and drop rules in zones for the configured link-layer packet
type. The possible values are: all, unicast, broadcast, multicast and off. The default setting is
off, which disables the logging.
This is a runtime and permanent change and will also reload the firewall to be able to add the logging rules.
Zone Options
--get-default-zone
Print default zone for connections and interfaces.
--set-default-zone=zone
Set default zone for connections and interfaces where no zone has been selected. Setting the default
zone changes the zone for the connections or interfaces, that are using the default zone.
--get-zones
Print predefined zones as a space separated list.
--get-services
Print predefined services as a space separated list.
--get-icmptypes
Print predefined icmptypes as a space separated list.
--get-zone-of-interface=interface
Print the name of the zone the interface is bound to or no zone.
--get-zone-of-source=source[/mask]|MAC|ipset:ipset
Print the name of the zone the source is bound to or no zone.
--info-zone=zone
Print information about the zone zone. The output format is:
zone
interfaces: interface1 ..
sources: source1 ..
services: service1 ..
ports: port1 ..
protocols: protocol1 ..
forward-ports:
forward-port1
..
source-ports: source-port1 ..
icmp-blocks: icmp-type1 ..
rich rules:
rich-rule1
..
--list-all-zones
List everything added for or enabled in all zones. The output format is:
zone1
interfaces: interface1 ..
sources: source1 ..
services: service1 ..
ports: port1 ..
protocols: protocol1 ..
forward-ports:
forward-port1
..
source-ports: source-port1 ..
icmp-blocks: icmp-type1 ..
rich rules:
rich-rule1
..
..
--new-zone=zone
Add a new permanent zone.
Zone names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-zone-from-file=filename [--name=zone]
Add a new permanent zone from a prepared zone file with an optional name override.
--path-zone=zone
Print path of the zone configuration file.
--delete-zone=zone
Delete an existing permanent zone.
Policy Options
--get-policies
Print predefined policies as a space separated list.
--info-policy=policy
Print information about the policy policy.
--list-all-policies
List everything added for or enabled in all policies.
--new-policy=policy
Add a new permanent policy.
Policy names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-policy-from-file=filename [--name=policy]
Add a new permanent policy from a prepared policy file with an optional name override.
--path-policy=policy
Print path of the policy configuration file.
--delete-policy=policy
Delete an existing permanent policy.
--load-policy-defaults=policy
Load the shipped defaults for a policy. Only applies to policies shipped with firewalld. Does not
apply to user defined policies.
Options to Adapt and Query Zones and Policies
Options in this section affect only one particular zone or policy. If used with --zone=zone or --policy=policy option, they affect the specified zone or policy. If both options are omitted, they affect default zone (see --get-default-zone).
[--zone=zone] [--policy=policy] --list-all
List everything added or enabled.
[--zone=zone] [--policy=policy] --get-target
Get the target.
[--zone=zone] [--policy=policy] --set-target=target
Set the target.
For zones target is one of: default, ACCEPT, DROP, REJECT
For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT
default is similar to REJECT, but it implicitly allows ICMP packets.
ACCEPT allows traffic to be forwarded from the zone, either to the same zone or other zones.
[--zone=zone] [--policy=policy] --set-description=description
Set description.
[--zone=zone] [--policy=policy] --get-description
Print description.
[--zone=zone] [--policy=policy] --set-short=description
Set short description.
[--zone=zone] [--policy=policy] --get-short
Print short description.
[--zone=zone] [--policy=policy] --list-services
List services added as a space separated list.
[--zone=zone] [--policy=policy] --add-service=service
Add a service. This option can be specified multiple times.
The service is one of the firewalld provided services. To get a list of the supported services, use
firewall-cmd --get-services.
Note: Some services define connection tracking helpers. Helpers that may operate in client mode (e.g. tftp) must be added to an outbound policy instead of a zone to take effect for clients. Otherwise the helper will not be applied to the outbound traffic. The related traffic, as defined by the connection tracking helper, on the return path (ingress) will be allowed by the stateful firewall rules.
An example of an outbound policy for connection tracking helpers:
# firewall-cmd --new-policy clientConntrack
# firewall-cmd --policy clientConntrack --add-ingress-zone HOST
# firewall-cmd --policy clientConntrack --add-egress-zone ANY
# firewall-cmd --policy clientConntrack --add-service tftp
[--zone=zone] --remove-service-from-zone=service
Remove a service from zone. This option can be specified multiple times. If zone is omitted, default
zone will be used.
[--policy=policy] --remove-service-from-policy=service
Remove a service from policy. This option can be specified multiple times.
[--zone=zone] [--policy=policy] --query-service=service
Return whether service has been added. Returns 0 if true, 1 otherwise.
[--zone=zone] [--policy=policy] --list-ports
List ports added as a space separated list. A port is of the form portid[-portid]/protocol, it can
be either a port and protocol pair or a port range with a protocol.
[--zone=zone] [--policy=policy] --add-port=portid[-portid]/protocol
Add the port. This option can be specified multiple times.
The port can either be a single port number or a port range portid-portid. The protocol can either
be tcp, udp, sctp or dccp.
[--zone=zone] [--policy=policy] --remove-port=portid[-portid]/protocol
Remove the port. This option can be specified multiple times.
[--zone=zone] [--policy=policy] --query-port=portid[-portid]/protocol
Return whether the port has been added. Returns 0 if true, 1 otherwise.
[--zone=zone] [--policy=policy] --list-protocols
List protocols added as a space separated list.
[--zone=zone] [--policy=policy] --add-protocol=protocol
Add the protocol. This option can be specified multiple times. timeval is either a number (of seconds) or number followed by one of characters s (seconds), m (minutes), h (hours), for example 20m or 1h.
The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for
supported protocols.
[--zone=zone] [--policy=policy] --remove-protocol=protocol
Remove the protocol. This option can be specified multiple times.
[--zone=zone] [--policy=policy] --query-protocol=protocol
Return whether the protocol has been added. Returns 0 if true, 1 otherwise.
[--zone=zone] [--policy=policy] --list-icmp-blocks
List Internet Control Message Protocol (ICMP) type blocks added as a space separated list.
[--zone=zone] [--policy=policy] --add-icmp-block=icmptype
Add an ICMP block for icmptype. This option can be specified multiple times.
The icmptype is the one of the icmp types firewalld supports. To get a listing of supported icmp
types: firewall-cmd --get-icmptypes
[--zone=zone] [--policy=policy] --remove-icmp-block=icmptype
Remove the ICMP block for icmptype. This option can be specified multiple times.
[--zone=zone] [--policy=policy] --query-icmp-block=icmptype
Return whether an ICMP block for icmptype has been added. Returns 0 if true, 1 otherwise.
[--zone=zone] [--policy=policy] --list-forward-ports
List IPv4 forward ports added as a space separated list.
For IPv6 forward ports, please use the rich language.
[--zone=zone] [--policy=policy] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Add the IPv4 forward port. This option can be specified multiple times.
The port can either be a single port number portid or a port range portid-portid. The protocol can
either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
For IPv6 forward ports, please use the rich language.
Note: IP forwarding will be implicitly enabled if toaddr is specified.
[--zone=zone] [--policy=policy] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Remove the IPv4 forward port. This option can be specified multiple times.
For IPv6 forward ports, please use the rich language.
[--zone=zone] [--policy=policy] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
Return whether the IPv4 forward port has been added. Returns 0 if true, 1 otherwise.
For IPv6 forward ports, please use the rich language.
[--zone=zone] [--policy=policy] --list-source-ports
List source ports added as a space separated list. A port is of the form portid[-portid]/protocol.
[--zone=zone] [--policy=policy] --add-source-port=portid[-portid]/protocol
Add the source port. This option can be specified multiple times.
The port can either be a single port number or a port range portid-portid. The protocol can either
be tcp, udp, sctp or dccp.
[--zone=zone] [--policy=policy] --remove-source-port=portid[-portid]/protocol
Remove the source port. This option can be specified multiple times.
[--zone=zone] [--policy=policy] --query-source-port=portid[-portid]/protocol
Return whether the source port has been added. Returns 0 if true, 1 otherwise.
[--zone=zone] [--policy=policy] --add-masquerade
Enable IPv4 masquerade. Masquerading is useful if the machine is a router and machines connected
over an interface in another zone should be able to use the first connection.
For IPv6 masquerading, please use the rich language.
Note: IP forwarding will be implicitly enabled.
[--zone=zone] [--policy=policy] --remove-masquerade
Disable IPv4 masquerade.
For IPv6 masquerading, please use the rich language.
[--zone=zone] [--policy=policy] --query-masquerade
Return whether IPv4 masquerading has been enabled. Returns 0 if true, 1 otherwise.
For IPv6 masquerading, please use the rich language.
[--zone=zone] [--policy=policy] --list-rich-rules
List rich language rules added as a newline separated list.
[--zone=zone] [--policy=policy] --add-rich-rule='rule'
Add rich language rule 'rule'. This option can be specified multiple times.
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
[--zone=zone] [--policy=policy] --remove-rich-rule='rule'
Remove rich language rule 'rule'. This option can be specified multiple times.
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
[--zone=zone] [--policy=policy] --query-rich-rule='rule'
Return whether a rich language rule 'rule' has been added. Returns 0 if true, 1 otherwise.
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
Options to Adapt and Query Zones
Options in this section affect only one particular zone. If used with --zone=zone option, they affect
the specified zone. If the option is omitted, they affect the default zone (see --get-default-zone).
[--zone=zone] --add-icmp-block-inversion
Enable ICMP block inversion.
[--zone=zone] --remove-icmp-block-inversion
Disable ICMP block inversion.
[--zone=zone] --query-icmp-block-inversion
Return whether ICMP block inversion is enabled. Returns 0 if true, 1 otherwise.
[--zone=zone] --add-forward
Enable intra zone forwarding.
[--zone=zone] --remove-forward
Disable intra zone forwarding.
[--zone=zone] --query-forward
Return whether intra zone forwarding is enabled. Returns 0 if true, 1 otherwise.
[--zone=zone] --get-priority
Get the priority of the zone.
[--zone=zone] --set-priority
Set the zone's priority for packet classification. This will set both the ingress and egress priority.
[--zone=zone] --get-ingress-priority
Get the ingress priority of the zone.
[--zone=zone] --set-ingress-priority
Set the zone's ingress priority for packet classification.
[--zone=zone] --get-egress-priority
Get the egress priority of the zone.
[--zone=zone] --set-egress-priority
Set the zone's egress priority for packet classification.
Options to Adapt and Query Policies
Options in this section affect only one particular policy. It's required to specify --policy=policy with
these options.
--policy=policy --get-priority
Get the priority.
--policy=policy --set-priority=priority
Set the priority. The priority determines the relative ordering of policies. This is an integer
value between -32768 and 32767 where -1 is the default value for new policies and 0 is reserved for
internal use.
If a priority is < 0, then the policy's rules will execute before all rules in all zones.
If a priority is > 0, then the policy's rules will execute after all rules in all zones.
--policy=policy --list-ingress-zones
List ingress zones added as a space separated list.
--policy=policy --add-ingress-zone=zone
Add an ingress zone. This option can be specified multiple times.
The ingress zone is one of the firewalld provided zones or one of the pseudo-zones: HOST, ANY.
HOST is used for traffic originating from the host machine, i.e. the host running firewalld.
ANY is used for traffic originating from any zone. This can be thought of as a wild card for zones.
However it does not include traffic originating from the host machine - use HOST for that.
--policy=policy --remove-ingress-zone=zone
Remove an ingress zone. This option can be specified multiple times.
--policy=policy --query-ingress-zone=zone
Return whether zone has been added. Returns 0 if true, 1 otherwise.
--policy=policy --list-egress-zones
List egress zones added as a space separated list.
--policy=policy --add-egress-zone=zone
Add an egress zone. This option can be specified multiple times.
The egress zone is one of the firewalld provided zones or one of the pseudo-zones: HOST, ANY.
For clarification on HOST and ANY see option --add-ingress-zone.
--policy=policy --remove-egress-zone=zone
Remove an egress zone. This option can be specified multiple times.
--policy=policy --query-egress-zone=zone
Return whether zone has been added. Returns 0 if true, 1 otherwise.
--policy=policy|--policy-set=policy-set --add-disable
Administratively disable a policy. A disabled policy will not activate.
--policy=policy|--policy-set=policy-set --remove-disable
Remove the administratively disable from a policy. Allows a policy to activate.
--policy=policy --query-disable
Return if the policy is administratively disabled.
Options to Handle Bindings of Interfaces
Binding an interface to a zone means that this zone's settings are used to restrict traffic via the interface.
Options in this section affect only one particular zone. If used with --zone=zone option, they affect
the zone zone. If the option is omitted, they affect default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd --get-zones.
An interface name is a string up to 16 characters long, that may not contain ' ', '/', '!' and '*'.
[--zone=zone] --list-interfaces
List interfaces that are bound to zone zone as a space separated list. If zone is omitted, default
zone will be used.
[--zone=zone] --add-interface=interface
Bind interface interface to zone zone. If zone is omitted, default zone will be used.
[--zone=zone] --change-interface=interface
Change zone the interface interface is bound to to zone zone. If zone is omitted, default zone will
be used. If old and new zone are the same, the call will be ignored without an error. If the inter‐
face has not been bound to a zone before, it will behave like --add-interface.
[--zone=zone] --query-interface=interface
Query whether interface interface is bound to zone zone. Returns 0 if true, 1 otherwise.
[--zone=zone] --remove-interface=interface
Remove binding of interface interface from zone zone. If zone is omitted, default zone will be used.
Options to Handle Bindings of Sources
Binding a source to a zone means that this zone's settings will be used to restrict traffic from this source.
A source address or address range is either an IP address or a network IP address with a mask for IPv4
or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or
a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
Options in this section affect only one particular zone. If used with --zone=zone option, they affect
the zone zone. If the option is omitted, they affect default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd --get-zones.
[--zone=zone] --list-sources
List sources that are bound to zone zone as a space separated list. If zone is omitted, default zone
will be used.
[--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
Bind the source to zone zone. If zone is omitted, default zone will be used.
[--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
Change zone the source is bound to to zone zone. If zone is omitted, default zone will be used. If
old and new zone are the same, the call will be ignored without an error. If the source has not been
bound to a zone before, it will behave like --add-source.
[--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
Query whether the source is bound to the zone zone. Returns 0 if true, 1 otherwise.
[--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
Remove binding of the source from zone zone. If zone is omitted, default zone will be used.
IPSet Options
--new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
Add a new permanent ipset, specifying the type and optional options.
ipset names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-ipset-from-file=filename [--name=ipset]
Add a new permanent ipset from a prepared ipset file with an optional name override.
--delete-ipset=ipset
Delete an existing permanent ipset.
--info-ipset=ipset
Print information about the ipset ipset. The output format is:
ipset
type: type
options: option1[=value1] ..
entries: entry1 ..
--get-ipsets
Print predefined ipsets as a space separated list.
--ipset=ipset --add-entry=entry
Add a new entry to the ipset.
--ipset=ipset --remove-entry=entry
Remove an entry from the ipset.
--ipset=ipset --query-entry=entry
Return whether the entry has been added to an ipset. Returns 0 if true, 1 otherwise.
--ipset=ipset --get-entries
List all entries of the ipset.
--ipset=ipset --add-entries-from-file=filename
Add new entries to the ipset from the file. For all entries that are listed in the file but already in the ipset, a warning will be printed.
The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
--ipset=ipset --remove-entries-from-file=filename
Remove existing entries from the ipset from the file. For all entries that are listed in the file
but not in the ipset, a warning will be printed.
The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
--ipset=ipset --set-description=description
Set new description to ipset
--ipset=ipset --get-description
Print description for ipset
--ipset=ipset --set-short=description
Set new short description to ipset
--ipset=ipset --get-short
Print short description for ipset
--path-ipset=ipset
Print path of the ipset configuration file.
Service Options
--info-service=service
Print information about the service service. The output format is:
service
ports: port1 ..
protocols: protocol1 ..
source-ports: source-port1 ..
helpers: helper1 ..
destination: ipv1:address1 ..
--new-service=service
Add a new permanent service.
Service names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-service-from-file=filename [--name=service]
Add a new permanent service from a prepared service file with an optional name override.
--delete-service=service
Delete an existing permanent service.
--path-service=service
Print path of the service configuration file.
--service=service --set-description=description
Set new description to service
--service=service --get-description
Print description for service
--service=service --set-short=description
Set short description to service
--service=service --get-short
Print short description for service
--service=service --add-port=portid[-portid]/protocol
Add a new port to the permanent service.
--service=service --remove-port=portid[-portid]/protocol
Remove a port from the permanent service.
--service=service --query-port=portid[-portid]/protocol
Return whether the port has been added to the permanent service.
--service=service --get-ports
List ports added to the permanent service.
--service=service --add-protocol=protocol
Add a new protocol to the permanent service.
--service=service --remove-protocol=protocol
Remove a protocol from the permanent service.
--service=service --query-protocol=protocol
Return whether the protocol has been added to the permanent service.
--service=service --get-protocols
List protocols added to the permanent service.
--service=service --add-source-port=portid[-portid]/protocol
Add a new source port to the permanent service.
--service=service --remove-source-port=portid[-portid]/protocol
Remove a source port from the permanent service.
--service=service --query-source-port=portid[-portid]/protocol
Return whether the source port has been added to the permanent service.
--service=service --get-source-ports
List source ports added to the permanent service.
--service=service --add-helper=helper
Add a new helper to the permanent service.
--service=service --remove-helper=helper
Remove a helper from the permanent service.
--service=service --query-helper=helper
Return whether the helper has been added to the permanent service.
--service=service --get-service-helpers
List helpers added to the permanent service.
--service=service --set-destination=ipv:address[/mask]
Set destination for ipv to address[/mask] in the permanent service.
--service=service --remove-destination=ipv
Remove the destination for ipv from the permanent service.
--service=service --query-destination=ipv:address[/mask]
Return whether the destination ipv to address[/mask] has been set in the permanent service.
--service=service --get-destinations
List destinations added to the permanent service.
--service=service --add-include=service
Add a new include to the permanent service.
--service=service --remove-include=service
Remove a include from the permanent service.
--service=service --query-include=service
Return whether the include has been added to the permanent service.
--service=service --get-includes
List includes added to the permanent service.
Helper Options
Options in this section affect only one particular helper.
--info-helper=helper
Print information about the helper helper. The output format is:
helper
family: family
module: module
ports: port1 ..
The following options are only usable in the permanent configuration.
--new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
Add a new permanent helper with module and optionally family defined.
Helper names must be alphanumeric and may additionally include characters: '-'.
--new-helper-from-file=filename [--name=helper]
Add a new permanent helper from a prepared helper file with an optional name override.
--delete-helper=helper
Delete an existing permanent helper.
--load-helper-defaults=helper
Load helper default settings or report NO_DEFAULTS error.
--path-helper=helper
Print path of the helper configuration file.
--get-helpers
Print predefined helpers as a space separated list.
--helper=helper --set-description=description
Set new description to helper
--helper=helper --get-description
Print description for helper
--helper=helper --set-short=description
Set short description to helper
--helper=helper --get-short
Print short description for helper
--helper=helper --add-port=portid[-portid]/protocol
Add a new port to the permanent helper.
--helper=helper --remove-port=portid[-portid]/protocol
Remove a port from the permanent helper.
--helper=helper --query-port=portid[-portid]/protocol
Return whether the port has been added to the permanent helper.
--helper=helper --get-ports
List ports added to the permanent helper.
--helper=helper --set-module=description
Set module description for helper
--helper=helper --get-module
Print module description for helper
--helper=helper --set-family=description
Set family description for helper
--helper=helper --get-family
Print family description of helper
Internet Control Message Protocol (ICMP) type Options
--info-icmptype=icmptype
Print information about the icmptype icmptype. The output format is:
icmptype
destination: ipv1 ..
--new-icmptype=icmptype
Add a new permanent icmptype.
ICMP type names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-icmptype-from-file=filename [--name=icmptype]
Add a new permanent icmptype from a prepared icmptype file with an optional name override.
--delete-icmptype=icmptype
Delete an existing permanent icmptype.
--icmptype=icmptype --set-description=description
Set new description to icmptype
--icmptype=icmptype --get-description
Print description for icmptype
--icmptype=icmptype --set-short=description
Set short description to icmptype
--icmptype=icmptype --get-short
Print short description for icmptype
--icmptype=icmptype --add-destination=ipv
Enable destination for ipv in permanent icmptype. ipv is one of ipv4 or ipv6.
--icmptype=icmptype --remove-destination=ipv
Disable destination for ipv in permanent icmptype. ipv is one of ipv4 or ipv6.
--icmptype=icmptype --query-destination=ipv
Return whether destination for ipv is enabled in permanent icmptype. ipv is one of ipv4 or ipv6.
--icmptype=icmptype --get-destinations
List destinations in permanent icmptype.
--path-icmptype=icmptype
Print path of the icmptype configuration file.
Direct Options
DEPRECATED
The direct interface has been deprecated. It will be removed in a future release. It is superseded
by policies, see firewalld.policies(5).
The direct options give a more direct access to the firewall. These options require user to know basic
iptables concepts, i.e. table (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
(-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets (ACCEPT/DROP/REJECT/...).
Direct options should be used only as a last resort when it's not possible to use for example --add-service=service or --add-rich-rule='rule'.
Warning: Direct rules behavior is different depending on the value of FirewallBackend. See CAVEATS in
firewalld.direct(5).
The first argument of each option has to be ipv4 or ipv6 or eb. With ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
--direct --get-all-chains
Get all chains added to all tables.
This option concerns only chains previously added with --direct --add-chain.
--direct --get-chains { ipv4 | ipv6 | eb } table
Get all chains added to table table as a space separated list.
This option concerns only chains previously added with --direct --add-chain.
--direct --add-chain { ipv4 | ipv6 | eb } table chain
Add a new chain with name chain to table table.
There already exist basic chains to use with direct options, for example INPUT_direct chain (see
iptables-save | grep direct output for all of them). These chains are jumped into before chains for
zones, i.e. every rule put into INPUT_direct will be checked before rules in zones.
--direct --remove-chain { ipv4 | ipv6 | eb } table chain
Remove the chain with name chain from table table.
--direct --query-chain { ipv4 | ipv6 | eb } table chain
Return whether a chain with name chain exists in table table. Returns 0 if true, 1 otherwise.
This option concerns only chains previously added with --direct --add-chain.
--direct --get-all-rules
Get all rules added to all chains in all tables as a newline separated list of the priority and arguments.
--direct --get-rules { ipv4 | ipv6 | eb } table chain
Get all rules added to chain chain in table table as a newline separated list of the priority and
arguments.
--direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
Add a rule with the arguments args to chain chain in table table with priority priority.
The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher
priority the rule will be added further down. Rules with the same priority are on the same level and
the order of these rules is not fixed and may change. If you want to make sure that a rule will be
added after another one, use a low priority for the first and a higher for the following.
--direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
Remove a rule with priority and the arguments args from chain chain in table table.
--direct --remove-rules { ipv4 | ipv6 | eb } table chain
Remove all rules from the chain with name chain in table table.
This option concerns only rules previously added with --direct --add-rule in this chain.
--direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
Return whether a rule with priority and the arguments args exists in chain chain in table table. Returns 0 if true, 1 otherwise.
--direct --get-all-passthroughs
Get all permanent passthrough rules for the ipv value as a newline separated list of the priority
and arguments.
--direct --add-passthrough { ipv4 | ipv6 | eb } args
Add a permanent passthrough rule with the arguments args for the ipv value.
--direct --remove-passthrough { ipv4 | ipv6 | eb } args
Remove a permanent passthrough rule with the arguments args for the ipv value.
--direct --query-passthrough { ipv4 | ipv6 | eb } args
Return whether a permanent passthrough rule with the arguments args exists for the ipv value. Returns 0 if true, 1 otherwise.
Policy Options
--policy-server
Change Polkit actions to 'server' (more restricted)
--policy-desktop
Change Polkit actions to 'desktop' (less restricted)
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
NOTES
firewalld home page:
http://firewalld.org
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
Eric Garver <eric@garver.life>
Developer
firewalld 2.4.1 FIREWALL-OFFLINE-C(1)
Quick Reference for Managing Firewall Rules
Installation
To install firewalld on Arch Linux we use the package manager pacman.
# pacman -S firewalld
Daemon-related commands
The following commands are available to start, stop and reload firewalld and to control its behaviour when the host boots:
Check whether firewalld is running
# firewall-cmd --state
Start firewalld
# systemctl start firewalld
Stop firewalld
# systemctl stop firewalld
Restart firewalld
Restarting the daemon, like a --complete-reload via firewall-cmd, briefly cuts all connections!
# systemctl restart firewalld
Enable auto-start of firewalld when the host boots
# systemctl enable firewalld
Disable auto-start of firewalld when the host boots
# systemctl disable firewalld
Check whether firewalld auto-starts when the host boots
# systemctl is-enabled firewalld
Reload firewalld without dropping existing connections
# firewall-cmd --reload
Complete reload of firewalld, interrupting existing connections
# firewall-cmd --complete-reload
Difference between runtime and permanent
By default, changes made with firewall-cmd apply only at runtime and are lost when the configuration is reloaded! To make a change persist in the configuration, the option --permanent must be given. To activate such permanent configuration changes, the rule set must be reloaded.
Allow SSH at runtime only
# firewall-cmd --add-service=ssh
Allow SSH so that it survives a reload
# firewall-cmd --permanent --add-service=ssh
Activate all permanent rules
# firewall-cmd --reload
Permanently save all runtime rules
# firewall-cmd --runtime-to-permanent
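Because anything added without --permanent vanishes on the next reload, it is worth checking a zone for runtime-only changes before reloading. The following script is an added example, not from the original article; it assumes the text format printed by `firewall-cmd --list-all` and works on constructed sample dumps instead of a live firewalld.

```shell
#!/bin/sh
# Added example, not part of the original article: report "runtime vs
# permanent" drift for a firewalld zone or policy. Feed it the output of
#   firewall-cmd --zone=idmz --list-all              > runtime.txt
#   firewall-cmd --permanent --zone=idmz --list-all  > permanent.txt
# Anything that exists only at runtime disappears on the next --reload.

# Normalise one --list-all dump so that cosmetic differences do not count:
# drop the "(active)" marker on the header line, strip indentation, and sort
# the space-separated values of every "key: v1 v2 ..." line.
fw_normalize() {
    sed -e '1s/ (active)$//' -e 's/^[[:space:]]*//' |
    awk '{
        i = index($0, ": ")
        if (i == 0) { print; next }           # header or rich rule line
        key = substr($0, 1, i - 1)
        n = split(substr($0, i + 2), v, " ")
        for (a = 2; a <= n; a++) {            # insertion sort of the values
            x = v[a]; b = a - 1
            while (b > 0 && v[b] > x) { v[b + 1] = v[b]; b-- }
            v[b + 1] = x
        }
        line = key ":"
        for (a = 1; a <= n; a++) line = line " " v[a]
        print line
    }'
}

# Compare a runtime dump ($1) with a permanent dump ($2). Prints a diff in
# which "<" lines exist only at runtime (lost on reload) and ">" lines exist
# only in the permanent config (not yet live). Returns 0 if identical, 1 on drift.
fw_drift() {
    rt=$(mktemp) || return 2
    pm=$(mktemp) || { rm -f "$rt"; return 2; }
    fw_normalize < "$1" > "$rt"
    fw_normalize < "$2" > "$pm"
    status=0
    diff "$rt" "$pm" || status=1
    rm -f "$rt" "$pm"
    return $status
}

# Constructed sample dumps (not captured from a real host) in the format
# firewall-cmd --list-all prints: a service and a port range were added at
# runtime without --permanent.
sample_runtime() {
cat <<'EOF'
idmz (active)
  target: default
  icmp-block-inversion: no
  interfaces: net0
  sources:
  services: ssh prometheus-chrony-exporter smtp-submission
  ports: 40443/udp 4010-4020/tcp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

sample_permanent() {
cat <<'EOF'
idmz
  target: default
  icmp-block-inversion: no
  interfaces: net0
  sources:
  services: smtp-submission ssh
  ports: 40443/udp
  protocols:
  forward: no
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
}

# Demo: write the samples to files and check for drift.
fw_demo() {
    r=$(mktemp); p=$(mktemp)
    sample_runtime > "$r"
    sample_permanent > "$p"
    if fw_drift "$r" "$p"; then
        echo "idmz: runtime and permanent configuration match"
    else
        echo "idmz: the runtime-only settings above will be lost on --reload"
    fi
    rm -f "$r" "$p"
}

fw_demo
```

On a real host, replace the sample functions with the two firewall-cmd invocations from the header comment; a clean result before `--reload` means nothing is silently lost.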
Logging
For debugging and auditing it is advisable to log rejected packets to the journal.
Show the current log-denied setting
# firewall-cmd --get-log-denied
Log all denied packets
# firewall-cmd --set-log-denied=all
Log only denied unicast packets
# firewall-cmd --set-log-denied=unicast
Disable logging of denied packets
# firewall-cmd --set-log-denied=off
Zones
Zones define trust levels for all network connections; each interface always belongs to exactly one zone.
Show all available zones
# firewall-cmd --get-zones
Set the default zone to idmz
# firewall-cmd --set-default-zone=idmz
Show the default zone
# firewall-cmd --get-default-zone
Show the active zones with their network interfaces
# firewall-cmd --get-active-zones
Show all configuration parameters of a zone
# firewall-cmd --zone=idmz --list-all
Assign a network interface to a zone at runtime
# firewall-cmd --zone=idmz --change-interface=net0
Permanently assign a network interface to a zone
# firewall-cmd --permanent --zone=public --add-interface=net0
Temporarily remove a network interface from a zone
# firewall-cmd --zone=idmz --remove-interface=net0
Permanently remove a network interface from a zone
# firewall-cmd --permanent --zone=idmz --remove-interface=net0
Show the zone of a network interface
# firewall-cmd --get-zone-of-interface=net0
Port forwarding from one port to another port
# firewall-cmd --permanent --zone=edmz --add-forward-port=port=9999:proto=tcp:toport=22
Redirect traffic to another server
# firewall-cmd --permanent --zone=edmz --add-forward-port=port=80:proto=tcp:toaddr=10.0.10.80
Policies
For traffic crossing the firewall we use policies. With NAT masquerading, hosts in a private network can reach the Internet through a firewall host that acts as gateway. For outgoing packets the gateway replaces the private source IP with its own public IP and reverses this translation for the returning IP traffic.
Enable IPv4 and IPv6 forwarding
So that the firewall node can forward IPv4 and IPv6 packets, we enable forwarding for both protocol families.
# vim /etc/sysctl.d/60-forwarding.conf
- 60-forwarding.conf
# Configure IPv4 forwarding
net.ipv4.conf.all.forwarding = 1
# Configure IPv6 forwarding
net.ipv6.conf.all.forwarding = 1
Set up NAT for traffic IDMZ → EDMZ
Create the policy idmz_2_edmz:
# firewall-cmd --permanent --new-policy idmz_2_edmz
Set zone idmz as the ingress direction of policy idmz_2_edmz:
# firewall-cmd --permanent --policy idmz_2_edmz --add-ingress-zone idmz
Set zone edmz as the egress direction of policy idmz_2_edmz:
# firewall-cmd --permanent --policy idmz_2_edmz --add-egress-zone edmz
Set the default target ACCEPT for policy idmz_2_edmz:
# firewall-cmd --permanent --policy idmz_2_edmz --set-target ACCEPT
Additionally enable masquerading for traffic from zone idmz to zone edmz and activate the changes:
# firewall-cmd --permanent --policy idmz_2_edmz --add-masquerade
# firewall-cmd --reload
Block incoming transit traffic with the default target REJECT
# firewall-cmd --permanent --policy edmz_2_idmz --set-target REJECT
Allow ICMP type echo-request for IPv6 traffic from edmz to idmz
# firewall-cmd --permanent --policy=edmz_2_idmz --add-rich-rule='rule family=ipv6 icmp-type name=echo-request accept'
Check whether masquerading is active for a policy
# firewall-cmd --policy=idmz_2_edmz --query-masquerade
Enable masquerading for a policy
# firewall-cmd --permanent --policy=idmz_2_edmz --add-masquerade
Remove masquerading from a policy
# firewall-cmd --permanent --policy=idmz_2_edmz --remove-masquerade
Show all configuration parameters of a policy
# firewall-cmd --policy=edmz_2_idmz --list-all
Services
Nachfolgende Befehle erlauben oder blockieren Services, die in /usr/lib/firewalld/services/ definiert sind.
Anzeige aller definierten Services
# firewall-cmd --get-services
Anzeige aller erlaubten Services einer Zone
# firewall-cmd --zone=idmz --list-services
Anzeige aller erlaubten Services einer Policy
# firewall-cmd --policy=idmz_2_edmz --list-services
Anzeige von Ports und Protokollen eines Service
# firewall-cmd --info-service=prometheus-node-exporter
Creating a custom service
Sometimes an application uses a non-standard port that none of the predefined services covers. In such cases it is best to create a custom service definition.
# vim /etc/firewalld/services/prometheus-chrony-exporter.xml
- /etc/firewalld/services/prometheus-chrony-exporter.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>prometheus-chrony-exporter</short>
  <description>Prometheus chronyd Exporter</description>
  <port protocol="tcp" port="9108"/>
</service>
To make the new service prometheus-chrony-exporter known to the daemon, we reload it.
# firewall-cmd --reload
Afterwards we can add our new service to a zone.
# firewall-cmd --permanent --zone=idmz --add-service=prometheus-chrony-exporter
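As an added example (not from the original page and not firewalld's own tooling), the following Python script generates a service definition like the one above and validates protocol and port specification before anything is written; it writes only to a directory you pass in, never straight into /etc/firewalld/services/:

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

VALID_PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}   # protocols firewalld accepts in <port>
PORT_RE = re.compile(r"^(\d{1,5})(?:-(\d{1,5}))?$")  # single port or lo-hi range


def check_port(spec):
    """Accept '9108' or a range such as '4010-4020'; reject values outside
    1-65535 and reversed ranges before they ever reach firewalld."""
    m = PORT_RE.match(spec)
    if not m:
        raise ValueError(f"bad port spec {spec!r}")
    lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port out of range or reversed: {spec!r}")
    return spec


def build_service_xml(short, description, ports):
    """Return the text of a service file; ports is a list of (protocol, port_spec)."""
    svc = ET.Element("service")
    ET.SubElement(svc, "short").text = short
    ET.SubElement(svc, "description").text = description
    for proto, port in ports:
        if proto not in VALID_PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        ET.SubElement(svc, "port", protocol=proto, port=check_port(port))
    ET.indent(svc)  # pretty-print like the hand-written file (Python 3.9+)
    body = ET.tostring(svc, encoding="unicode")
    return '<?xml version="1.0" encoding="utf-8"?>\n' + body + "\n"


def service_ports(xml_text):
    """Parse a service definition back into [(protocol, port), ...], e.g. to
    verify a file under /etc/firewalld/services/ before running --reload."""
    root = ET.fromstring(xml_text)
    if root.tag != "service":
        raise ValueError("not a firewalld service definition")
    return [(p.get("protocol"), p.get("port")) for p in root.findall("port")]


def write_service(directory, name, xml_text):
    """Write <name>.xml into directory; firewalld takes the service name from
    the file name, so it must match what --add-service= will later use."""
    path = Path(directory) / f"{name}.xml"
    path.write_text(xml_text, encoding="utf-8")
    return path


if __name__ == "__main__":
    # Constructed call reproducing the prometheus-chrony-exporter definition above.
    print(build_service_xml("prometheus-chrony-exporter",
                            "Prometheus chronyd Exporter", [("tcp", "9108")]))
```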
Allow the service smtp-submission:
# firewall-cmd --permanent --zone=idmz --add-service=smtp-submission
Remove the service smtp-submission:
# firewall-cmd --permanent --zone=idmz --remove-service=smtp-submission
Allow ping requests (ICMP) by inverting the ICMP block list (with inversion active, only the ICMP types listed as blocks in the zone are accepted and all other ICMP is rejected):
# firewall-cmd --permanent --zone=intra --add-icmp-block-inversion
Block ICMP ping requests:
# firewall-cmd --permanent --zone=edmz --add-icmp-block=echo-request
Ports
Opening and closing ports and port ranges, for instance when no matching service exists.
Show all open ports of a zone:
# firewall-cmd --zone=idmz --list-ports
Open a UDP port:
# firewall-cmd --permanent --zone=idmz --add-port=40443/udp
Open a TCP port range:
# firewall-cmd --permanent --zone=idmz --add-port=4010-4020/tcp
Remove a TCP port permission:
# firewall-cmd --permanent --zone=idmz --remove-port=8080/tcp
Rich Rules
Rich rules allow fine-grained control over source, destination, port and action in the packet filter rules.
Allow the traffic of an entire subnet:
# firewall-cmd --permanent --zone=intra --add-rich-rule='rule family="ipv4" source address="10.0.10.0/24" accept'
Block all traffic from a single IP:
# firewall-cmd --permanent --policy=edmz_2_idmz --add-rich-rule='rule family="ipv4" source address="213.95.220.17" reject'
Show the rich rules of a zone:
# firewall-cmd --zone=edmz --list-rich-rules
Show the rich rules of a policy:
# firewall-cmd --policy=edmz_2_idmz --list-rich-rules
Allow TCP traffic to a specific port only from one particular source address:
# firewall-cmd --permanent --zone=idmz --add-rich-rule='rule family="ipv4" source address="10.0.0.147" destination address="10.0.0.80" port port="9100" protocol="tcp" accept'
Remove a rich rule:
# firewall-cmd --permanent --zone=idmz --remove-rich-rule='rule family="ipv4" source address="193.219.105.10" reject'
Traffic limiting
To fend off brute-force attacks, the number of connections from a source can be rate-limited.
# firewall-cmd --permanent --policy=edmz_2_idmz --add-rich-rule='rule service name="ssh" limit value="5/m" accept'
IP Sets
IP sets make it possible to manage large lists of IP addresses efficiently.
Create a new IP set:
# firewall-cmd --permanent --new-ipset=blocked_ips --type=hash:ip
# firewall-cmd --reload
Add several IP addresses to the IP set blocked_ips:
# firewall-cmd --permanent --ipset=blocked_ips --add-entry=213.95.220.17
# firewall-cmd --permanent --ipset=blocked_ips --add-entry=193.219.105.10
# firewall-cmd --permanent --ipset=blocked_ips --add-entry=195.201.193.99
# firewall-cmd --permanent --ipset=blocked_ips --add-entry=148.251.78.221
# firewall-cmd --permanent --ipset=blocked_ips --add-entry=57.129.83.60
# firewall-cmd --permanent --ipset=blocked_ips --add-entry=57.129.83.68
# firewall-cmd --reload
Block all IPs of the IP set blocked_ips:
# firewall-cmd --permanent --zone=drop --add-source=ipset:blocked_ips
# firewall-cmd --reload
nftables
The actual firewall rules are implemented with nftables: firewalld is "only" the frontend here, while nftables acts as the backend.
The complete ruleset firewalld has generated can be listed with the following command:
# nft list table inet firewalld
Output of the command nft list table inet firewalld:
table inet firewalld { # progname firewalld
flags owner,persist
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_POLICIES
}
chain mangle_PREROUTING_POLICIES {
iifname "net0" jump mangle_PRE_policy_allow-host-ipv6
iifname "net0" jump mangle_PRE_edmz
iifname "net0" return
iifname "net1" jump mangle_PRE_policy_allow-host-ipv6
iifname "net1" jump mangle_PRE_idmz
iifname "net1" return
jump mangle_PRE_policy_allow-host-ipv6
jump mangle_PRE_idmz
return
}
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_POLICIES
}
chain nat_PREROUTING_POLICIES {
iifname "net0" jump nat_PRE_policy_allow-host-ipv6
iifname "net0" jump nat_PRE_edmz
iifname "net0" return
iifname "net1" jump nat_PRE_policy_allow-host-ipv6
iifname "net1" jump nat_PRE_idmz
iifname "net1" return
jump nat_PRE_policy_allow-host-ipv6
jump nat_PRE_idmz
return
}
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_POLICIES
}
chain nat_POSTROUTING_POLICIES {
iifname "net0" oifname "net0" jump nat_POST_edmz
iifname "net0" oifname "net0" return
iifname "net1" oifname "net0" jump nat_POST_policy_idmz_2_edmz
iifname "net1" oifname "net0" jump nat_POST_edmz
iifname "net1" oifname "net0" return
oifname "net0" jump nat_POST_policy_idmz_2_edmz
oifname "net0" jump nat_POST_edmz
oifname "net0" return
iifname "net0" oifname "net1" jump nat_POST_policy_edmz_2_idmz
iifname "net0" oifname "net1" jump nat_POST_idmz
iifname "net0" oifname "net1" return
iifname "net1" oifname "net1" jump nat_POST_idmz
iifname "net1" oifname "net1" return
oifname "net1" jump nat_POST_idmz
oifname "net1" return
iifname "net0" jump nat_POST_policy_edmz_2_idmz
iifname "net0" jump nat_POST_idmz
iifname "net0" return
iifname "net1" jump nat_POST_idmz
iifname "net1" return
jump nat_POST_idmz
return
}
chain nat_OUTPUT {
type nat hook output priority dstnat + 10; policy accept;
jump nat_OUTPUT_POLICIES
}
chain nat_OUTPUT_POLICIES {
oifname "net0" jump nat_OUT_edmz
oifname "net0" return
oifname "net1" jump nat_OUT_idmz
oifname "net1" return
jump nat_OUT_idmz
return
}
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
}
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
jump filter_INPUT_POLICIES
log prefix "FINAL_REJECT: "
reject with icmpx admin-prohibited
}
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ct state invalid log prefix "STATE_INVALID_DROP: "
ct state invalid drop
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 addr-unreachable
jump filter_FORWARD_POLICIES
log prefix "FINAL_REJECT: "
reject with icmpx admin-prohibited
}
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } log prefix "RFC3964_IPv4_REJECT: " reject with icmpv6 addr-unreachable
jump filter_OUTPUT_POLICIES
}
chain filter_INPUT_POLICIES {
iifname "net0" jump filter_IN_policy_allow-host-ipv6
iifname "net0" jump filter_IN_edmz
iifname "net0" log prefix "filter_IN_edmz_REJECT: "
iifname "net0" reject with icmpx admin-prohibited
iifname "net1" jump filter_IN_policy_allow-host-ipv6
iifname "net1" jump filter_IN_idmz
iifname "net1" log prefix "filter_IN_idmz_REJECT: "
iifname "net1" reject with icmpx admin-prohibited
jump filter_IN_policy_allow-host-ipv6
jump filter_IN_idmz
log prefix "filter_IN_idmz_REJECT: "
reject with icmpx admin-prohibited
}
chain filter_FORWARD_POLICIES {
iifname "net0" oifname "net0" jump filter_FWD_edmz
iifname "net0" oifname "net0" log prefix "filter_FWD_edmz_REJECT: "
iifname "net0" oifname "net0" reject with icmpx admin-prohibited
iifname "net0" oifname "net1" jump filter_FWD_policy_edmz_2_idmz
iifname "net0" oifname "net1" jump filter_FWD_edmz
iifname "net0" oifname "net1" log prefix "filter_FWD_edmz_REJECT: "
iifname "net0" oifname "net1" reject with icmpx admin-prohibited
iifname "net0" jump filter_FWD_policy_edmz_2_idmz
iifname "net0" jump filter_FWD_edmz
iifname "net0" log prefix "filter_FWD_edmz_REJECT: "
iifname "net0" reject with icmpx admin-prohibited
iifname "net1" oifname "net0" jump filter_FWD_policy_idmz_2_edmz
iifname "net1" oifname "net0" jump filter_FWD_idmz
iifname "net1" oifname "net0" log prefix "filter_FWD_idmz_REJECT: "
iifname "net1" oifname "net0" reject with icmpx admin-prohibited
iifname "net1" oifname "net1" jump filter_FWD_idmz
iifname "net1" oifname "net1" log prefix "filter_FWD_idmz_REJECT: "
iifname "net1" oifname "net1" reject with icmpx admin-prohibited
iifname "net1" jump filter_FWD_idmz
iifname "net1" log prefix "filter_FWD_idmz_REJECT: "
iifname "net1" reject with icmpx admin-prohibited
oifname "net0" jump filter_FWD_policy_idmz_2_edmz
oifname "net0" jump filter_FWD_idmz
oifname "net0" log prefix "filter_FWD_idmz_REJECT: "
oifname "net0" reject with icmpx admin-prohibited
oifname "net1" jump filter_FWD_idmz
oifname "net1" log prefix "filter_FWD_idmz_REJECT: "
oifname "net1" reject with icmpx admin-prohibited
jump filter_FWD_idmz
log prefix "filter_FWD_idmz_REJECT: "
reject with icmpx admin-prohibited
}
chain filter_OUTPUT_POLICIES {
oifname "net0" jump filter_OUT_edmz
oifname "net0" return
oifname "net1" jump filter_OUT_idmz
oifname "net1" return
jump filter_OUT_idmz
return
}
chain filter_IN_idmz {
jump filter_IN_idmz_pre
jump filter_IN_idmz_log
jump filter_IN_idmz_deny
jump filter_IN_idmz_allow
jump filter_IN_idmz_post
meta l4proto { icmp, ipv6-icmp } log prefix "filter_zone_idmz_HOST_ICMP_BLOCK: "
meta l4proto { icmp, ipv6-icmp } reject with icmpx admin-prohibited
}
chain filter_IN_idmz_pre {
}
chain filter_IN_idmz_log {
}
chain filter_IN_idmz_deny {
}
chain filter_IN_idmz_allow {
tcp dport 22 accept
icmp type redirect accept
icmpv6 type nd-redirect icmpv6 code 0 accept
icmp type router-advertisement accept
icmpv6 type nd-router-advert icmpv6 code 0 accept
ip daddr 10.0.0.210 ip saddr 10.0.0.147 tcp dport 9100 accept
ip daddr 10.0.0.210 ip saddr 10.0.0.147 tcp dport 9108 accept
icmpv6 type echo-request accept
meta l4proto icmp accept
}
chain filter_IN_idmz_post {
}
chain filter_OUT_idmz {
jump filter_OUT_idmz_pre
jump filter_OUT_idmz_log
jump filter_OUT_idmz_deny
jump filter_OUT_idmz_allow
jump filter_OUT_idmz_post
}
chain filter_OUT_idmz_pre {
}
chain filter_OUT_idmz_log {
}
chain filter_OUT_idmz_deny {
}
chain filter_OUT_idmz_allow {
}
chain filter_OUT_idmz_post {
}
chain nat_OUT_idmz {
jump nat_OUT_idmz_pre
jump nat_OUT_idmz_log
jump nat_OUT_idmz_deny
jump nat_OUT_idmz_allow
jump nat_OUT_idmz_post
}
chain nat_OUT_idmz_pre {
}
chain nat_OUT_idmz_log {
}
chain nat_OUT_idmz_deny {
}
chain nat_OUT_idmz_allow {
}
chain nat_OUT_idmz_post {
}
chain nat_POST_idmz {
jump nat_POST_idmz_pre
jump nat_POST_idmz_log
jump nat_POST_idmz_deny
jump nat_POST_idmz_allow
jump nat_POST_idmz_post
}
chain nat_POST_idmz_pre {
}
chain nat_POST_idmz_log {
}
chain nat_POST_idmz_deny {
}
chain nat_POST_idmz_allow {
}
chain nat_POST_idmz_post {
}
chain filter_FWD_idmz {
jump filter_FWD_idmz_pre
jump filter_FWD_idmz_log
jump filter_FWD_idmz_deny
jump filter_FWD_idmz_allow
jump filter_FWD_idmz_post
}
chain filter_FWD_idmz_pre {
}
chain filter_FWD_idmz_log {
}
chain filter_FWD_idmz_deny {
}
chain filter_FWD_idmz_allow {
}
chain filter_FWD_idmz_post {
}
chain nat_PRE_idmz {
jump nat_PRE_idmz_pre
jump nat_PRE_idmz_log
jump nat_PRE_idmz_deny
jump nat_PRE_idmz_allow
jump nat_PRE_idmz_post
}
chain nat_PRE_idmz_pre {
}
chain nat_PRE_idmz_log {
}
chain nat_PRE_idmz_deny {
}
chain nat_PRE_idmz_allow {
}
chain nat_PRE_idmz_post {
}
chain mangle_PRE_idmz {
jump mangle_PRE_idmz_pre
jump mangle_PRE_idmz_log
jump mangle_PRE_idmz_deny
jump mangle_PRE_idmz_allow
jump mangle_PRE_idmz_post
}
chain mangle_PRE_idmz_pre {
}
chain mangle_PRE_idmz_log {
}
chain mangle_PRE_idmz_deny {
}
chain mangle_PRE_idmz_allow {
}
chain mangle_PRE_idmz_post {
}
chain filter_IN_edmz {
jump filter_IN_edmz_pre
jump filter_IN_edmz_log
jump filter_IN_edmz_deny
jump filter_IN_edmz_allow
jump filter_IN_edmz_post
meta l4proto { icmp, ipv6-icmp } log prefix "filter_zone_edmz_HOST_ICMP_BLOCK: "
meta l4proto { icmp, ipv6-icmp } reject with icmpx admin-prohibited
}
chain filter_IN_edmz_pre {
}
chain filter_IN_edmz_log {
}
chain filter_IN_edmz_deny {
}
chain filter_IN_edmz_allow {
icmp type redirect accept
icmpv6 type nd-redirect icmpv6 code 0 accept
icmp type router-advertisement accept
icmpv6 type nd-router-advert icmpv6 code 0 accept
ip daddr 224.0.0.1 meta l4proto igmp accept
ip daddr 172.17.2.210 ip saddr 10.0.0.147 tcp dport 9100 accept
ip daddr 172.17.2.210 ip saddr 10.0.0.147 tcp dport 9108 accept
ip saddr 172.17.2.0/24 tcp dport 22 accept
icmpv6 type echo-request accept
ip6 saddr 2003:a:e0d:7600::/64 tcp dport 22 accept
meta l4proto icmp accept
}
chain filter_IN_edmz_post {
}
chain filter_OUT_edmz {
jump filter_OUT_edmz_pre
jump filter_OUT_edmz_log
jump filter_OUT_edmz_deny
jump filter_OUT_edmz_allow
jump filter_OUT_edmz_post
}
chain filter_OUT_edmz_pre {
}
chain filter_OUT_edmz_log {
}
chain filter_OUT_edmz_deny {
}
chain filter_OUT_edmz_allow {
}
chain filter_OUT_edmz_post {
}
chain nat_OUT_edmz {
jump nat_OUT_edmz_pre
jump nat_OUT_edmz_log
jump nat_OUT_edmz_deny
jump nat_OUT_edmz_allow
jump nat_OUT_edmz_post
}
chain nat_OUT_edmz_pre {
}
chain nat_OUT_edmz_log {
}
chain nat_OUT_edmz_deny {
}
chain nat_OUT_edmz_allow {
}
chain nat_OUT_edmz_post {
}
chain nat_POST_edmz {
jump nat_POST_edmz_pre
jump nat_POST_edmz_log
jump nat_POST_edmz_deny
jump nat_POST_edmz_allow
jump nat_POST_edmz_post
}
chain nat_POST_edmz_pre {
}
chain nat_POST_edmz_log {
}
chain nat_POST_edmz_deny {
}
chain nat_POST_edmz_allow {
}
chain nat_POST_edmz_post {
}
chain filter_FWD_edmz {
jump filter_FWD_edmz_pre
jump filter_FWD_edmz_log
jump filter_FWD_edmz_deny
jump filter_FWD_edmz_allow
jump filter_FWD_edmz_post
}
chain filter_FWD_edmz_pre {
}
chain filter_FWD_edmz_log {
}
chain filter_FWD_edmz_deny {
}
chain filter_FWD_edmz_allow {
}
chain filter_FWD_edmz_post {
}
chain nat_PRE_edmz {
jump nat_PRE_edmz_pre
jump nat_PRE_edmz_log
jump nat_PRE_edmz_deny
jump nat_PRE_edmz_allow
jump nat_PRE_edmz_post
}
chain nat_PRE_edmz_pre {
}
chain nat_PRE_edmz_log {
}
chain nat_PRE_edmz_deny {
}
chain nat_PRE_edmz_allow {
meta nfproto ipv4 tcp dport 873 dnat ip to 10.0.0.40:873
meta nfproto ipv4 tcp dport 80 dnat ip to 10.0.0.80:80
meta nfproto ipv4 tcp dport 443 dnat ip to 10.0.0.80:443
meta nfproto ipv4 tcp dport 25 dnat ip to 10.0.0.87:25
meta nfproto ipv4 tcp dport 465 dnat ip to 10.0.0.87:465
meta nfproto ipv4 tcp dport 587 dnat ip to 10.0.0.87:587
meta nfproto ipv4 tcp dport 143 dnat ip to 10.0.0.77:143
meta nfproto ipv4 tcp dport 993 dnat ip to 10.0.0.77:993
meta nfproto ipv4 tcp dport 110 dnat ip to 10.0.0.77:110
meta nfproto ipv4 tcp dport 995 dnat ip to 10.0.0.77:995
meta nfproto ipv4 tcp dport 4190 dnat ip to 10.0.0.77:4190
meta nfproto ipv4 tcp dport 53 dnat ip to 10.0.0.110:53
meta nfproto ipv4 udp dport 53 dnat ip to 10.0.0.110:53
}
chain nat_PRE_edmz_post {
}
chain mangle_PRE_edmz {
jump mangle_PRE_edmz_pre
jump mangle_PRE_edmz_log
jump mangle_PRE_edmz_deny
jump mangle_PRE_edmz_allow
jump mangle_PRE_edmz_post
}
chain mangle_PRE_edmz_pre {
}
chain mangle_PRE_edmz_log {
}
chain mangle_PRE_edmz_deny {
}
chain mangle_PRE_edmz_allow {
}
chain mangle_PRE_edmz_post {
}
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type mld-listener-done accept
icmpv6 type mld-listener-query accept
icmpv6 type mld-listener-report accept
icmpv6 type mld2-listener-report accept
icmpv6 type nd-neighbor-advert icmpv6 code 0 accept
icmpv6 type nd-neighbor-solicit icmpv6 code 0 accept
icmpv6 type nd-redirect icmpv6 code 0 accept
icmpv6 type nd-router-advert icmpv6 code 0 accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
chain filter_FWD_policy_edmz_2_idmz {
jump filter_FWD_policy_edmz_2_idmz_pre
jump filter_FWD_policy_edmz_2_idmz_log
jump filter_FWD_policy_edmz_2_idmz_deny
jump filter_FWD_policy_edmz_2_idmz_allow
jump filter_FWD_policy_edmz_2_idmz_post
}
chain filter_FWD_policy_edmz_2_idmz_pre {
}
chain filter_FWD_policy_edmz_2_idmz_log {
}
chain filter_FWD_policy_edmz_2_idmz_deny {
}
chain filter_FWD_policy_edmz_2_idmz_allow {
icmpv6 type echo-request accept
}
chain filter_FWD_policy_edmz_2_idmz_post {
}
chain nat_POST_policy_edmz_2_idmz {
jump nat_POST_policy_edmz_2_idmz_pre
jump nat_POST_policy_edmz_2_idmz_log
jump nat_POST_policy_edmz_2_idmz_deny
jump nat_POST_policy_edmz_2_idmz_allow
jump nat_POST_policy_edmz_2_idmz_post
}
chain nat_POST_policy_edmz_2_idmz_pre {
}
chain nat_POST_policy_edmz_2_idmz_log {
}
chain nat_POST_policy_edmz_2_idmz_deny {
}
chain nat_POST_policy_edmz_2_idmz_allow {
}
chain nat_POST_policy_edmz_2_idmz_post {
}
chain filter_FWD_policy_idmz_2_edmz {
jump filter_FWD_policy_idmz_2_edmz_pre
jump filter_FWD_policy_idmz_2_edmz_log
jump filter_FWD_policy_idmz_2_edmz_deny
jump filter_FWD_policy_idmz_2_edmz_allow
jump filter_FWD_policy_idmz_2_edmz_post
accept
}
chain filter_FWD_policy_idmz_2_edmz_pre {
}
chain filter_FWD_policy_idmz_2_edmz_log {
}
chain filter_FWD_policy_idmz_2_edmz_deny {
}
chain filter_FWD_policy_idmz_2_edmz_allow {
tcp dport 80 accept
tcp dport 443 accept
icmpv6 type echo-request accept
}
chain filter_FWD_policy_idmz_2_edmz_post {
}
chain nat_POST_policy_idmz_2_edmz {
jump nat_POST_policy_idmz_2_edmz_pre
jump nat_POST_policy_idmz_2_edmz_log
jump nat_POST_policy_idmz_2_edmz_deny
jump nat_POST_policy_idmz_2_edmz_allow
jump nat_POST_policy_idmz_2_edmz_post
}
chain nat_POST_policy_idmz_2_edmz_pre {
}
chain nat_POST_policy_idmz_2_edmz_log {
}
chain nat_POST_policy_idmz_2_edmz_deny {
}
chain nat_POST_policy_idmz_2_edmz_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_policy_idmz_2_edmz_post {
}
}
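As an added example that is not part of the page or of firewalld, the following Python script parses output in the format shown above, follows the jump chain of a zone's input chain to list which TCP destination ports end up accepted, and lists the DNAT forwards of a nat chain; the embedded ruleset is a constructed, shortened excerpt of such a listing:

```python
import re

# Constructed, shortened excerpt in the format printed by `nft list table`;
# not the live ruleset of any host.
SAMPLE_RULESET = """\
table inet firewalld {
    chain filter_IN_idmz {
        jump filter_IN_idmz_deny
        jump filter_IN_idmz_allow
        meta l4proto { icmp, ipv6-icmp } reject with icmpx admin-prohibited
    }
    chain filter_IN_idmz_deny {
    }
    chain filter_IN_idmz_allow {
        tcp dport 22 accept
        ip daddr 10.0.0.210 ip saddr 10.0.0.147 tcp dport 9100 accept
        ip daddr 10.0.0.210 ip saddr 10.0.0.147 tcp dport 9108 accept
        meta l4proto icmp accept
    }
    chain nat_PRE_edmz_allow {
        meta nfproto ipv4 tcp dport 80 dnat ip to 10.0.0.80:80
        meta nfproto ipv4 udp dport 53 dnat ip to 10.0.0.110:53
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
TCP_ACCEPT_RE = re.compile(r"\btcp dport (\d+)(?:-(\d+))?\b.*\baccept$")
DNAT_RE = re.compile(r"\b(tcp|udp) dport (\d+) dnat ip to (\S+)$")


def parse_chains(text):
    """Map each chain name to its list of rule lines (hook declarations included)."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.strip() == "}":
            current = None          # closes the current chain (or the table)
        elif current is not None and line.strip():
            chains[current].append(line.strip())
    return chains


def accepted_tcp_ports(chains, chain, seen=None):
    """Follow jump verdicts depth-first and collect every TCP dport accepted in
    a reachable chain; only accept candidates are listed, deny rules are not weighed."""
    seen = set() if seen is None else seen
    ports = set()
    if chain in seen or chain not in chains:
        return ports
    seen.add(chain)
    for rule in chains[chain]:
        if rule.startswith("jump "):
            ports |= accepted_tcp_ports(chains, rule.split()[1], seen)
        elif (m := TCP_ACCEPT_RE.search(rule)):
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            ports.update(range(lo, hi + 1))
    return ports


def dnat_targets(chains, chain):
    """List (proto, port, 'ip:port') for each port forward in a nat chain."""
    hits = (DNAT_RE.search(r) for r in chains.get(chain, []))
    return [(m.group(1), int(m.group(2)), m.group(3)) for m in hits if m]
```

On a live host, feed the script the real `nft list table inet firewalld` output instead of the sample; a port that appears in the result but should not be reachable points at a service, port or rich rule in that zone that needs to be removed.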
Configuration examples
Here in Django's wiki there are some practical examples of firewalld implementations: