FIREWALL-OFFLINE-C(1) | firewall-offline-cmd | FIREWALL-OFFLINE-C(1) |
NAME¶
firewall-offline-cmd - firewalld offline command line client
SYNOPSIS¶
firewall-offline-cmd [OPTIONS...]
DESCRIPTION¶
firewall-offline-cmd is an offline command line client of the firewalld daemon. It should be used only if the firewalld service is not running. For example to migrate from system-config-firewall/lokkit or in the install environment to configure firewall settings with kickstart.
Some lokkit options can not be automatically converted for firewalld, they will result in an error or warning message. This tool tries to convert as much as possible, but there are limitations for example with custom rules, modules and masquerading.
Check the firewall configuration after using this tool.
OPTIONS¶
If no options are given, configuration from /etc/sysconfig/system-config-firewall will be migrated.
Sequence options are the options that can be specified multiple times, the exit code is 0 if there is at least one item that succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are issues while parsing the items, then these are treated as warnings and will not change the result as long as there is a succeeded one. Without any succeeded item, the exit code will depend on the error codes. If there is exactly one error code, then this is used. If there are more than one then UNKNOWN_ERROR (254) will be used.
The following options are supported:
General Options¶
-h, --help
-V, --version
-q, --quiet
--default-config
--system-config
Status Options¶
--enabled
--disabled
--check-config
This is may be used with --system-config to check the validity of handwritten configuration files before copying them to the standard location.
--reset-to-defaults
Lokkit Compatibility Options¶
These options are nearly identical to the options of lokkit.
--migrate-system-config-firewall=file
--addmodule=module
Handling of netfilter helpers has been merged into services completely. Adding or removing netfilter helpers outside of services is therefore not needed anymore. For more information on handling netfilter helpers in services, please have a look at firewalld.zone(5).
--removemodule
Handling of netfilter helpers has been merged into services completely. Adding or removing netfilter helpers outside of services is therefore not needed anymore. For more information on handling netfilter helpers in services, please have a look at firewalld.zone(5).
--remove-service=service
The service is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services.
-s service, --service=service
The service is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services.
-p portid[-portid]:protocol, --port=portid[-portid]:protocol
The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
-t interface, --trust=interface
Mark an interface as trusted. This option can be specified multiple times. The interface will be bound to the trusted zone.
If the interface is used in a NetworkManager managed connection or if there is an ifcfg file for this interface, the zone will be changed to the zone defined in the configuration as soon as it gets activated. To change the zone of a connection use nm-connection-editor and set the zone to trusted, for an ifcfg file, use an editor and add "ZONE=trusted". If the zone is not defined in the ifcfg file, the firewalld default zone will be used.
-m interface, --masq=interface
Masquerading will be enabled in the default zone. The interface argument will be ignored. This is for IPv4 only.
--custom-rules=[type:][table:]filename
Custom rule files are not supported by firewalld.
--forward-port=if=interface:port=port:proto=protocol[:toport=destination port:][:toaddr=destination address]
Add the IPv4 forward port in the default zone. This option can be specified multiple times.
The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is an IP address.
--block-icmp=icmptype
Add an ICMP block for icmptype in the default zone. This option can be specified multiple times.
The icmptype is the one of the icmp types firewalld supports. To get a listing of supported icmp types: firewall-cmd --get-icmptypes
Log Denied Options¶
--get-log-denied
--set-log-denied=value
This is a runtime and permanent change and will also reload the firewall to be able to add the logging rules.
Zone Options¶
--get-default-zone
--set-default-zone=zone
--get-zones
--get-services
--get-icmptypes
--get-zone-of-interface=interface
--get-zone-of-source=source[/mask]|MAC|ipset:ipset
--info-zone=zone
zone
interfaces: interface1 ..
sources: source1 ..
services: service1 ..
ports: port1 ..
protocols: protocol1 ..
forward-ports:
forward-port1
..
source-ports: source-port1 ..
icmp-blocks: icmp-type1 ..
rich rules:
rich-rule1
..
--list-all-zones
zone1
interfaces: interface1 ..
sources: source1 ..
services: service1 ..
ports: port1 ..
protocols: protocol1 ..
forward-ports:
forward-port1
..
source-ports: source-port1 ..
icmp-blocks: icmp-type1 ..
rich rules:
rich-rule1
.. ..
--new-zone=zone
Zone names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-zone-from-file=filename [--name=zone]
--path-zone=zone
--delete-zone=zone
Policy Options¶
--get-policies
--info-policy=policy
--list-all-policies
--new-policy=policy
Policy names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-policy-from-file=filename [--name=policy]
--path-policy=policy
--delete-policy=policy
--load-policy-defaults=policy
Options to Adapt and Query Zones and Policies¶
Options in this section affect only one particular zone or policy. If used with --zone=zone or --policy=policy option, they affect the specified zone or policy. If both options are omitted, they affect default zone (see --get-default-zone).
[--zone=zone] [--policy=policy] --list-all
[--zone=zone] [--policy=policy] --get-target
[--zone=zone] [--policy=policy] --set-target=target
For zones target is one of: default, ACCEPT, DROP, REJECT
For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT
default is similar to REJECT, but it implicitly allows ICMP packets.
[--zone=zone] [--policy=policy] --set-description=description
[--zone=zone] [--policy=policy] --get-description
[--zone=zone] [--policy=policy] --set-short=description
[--zone=zone] [--policy=policy] --get-short
[--zone=zone] [--policy=policy] --list-services
[--zone=zone] [--policy=policy] --add-service=service
The service is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services.
Note: Some services define connection tracking helpers. Helpers that may operate in client mode (e.g. tftp) must be added to an outbound policy instead of a zone to take effect for clients. Otherwise the helper will not be applied to the outbound traffic. The related traffic, as defined by the connection tracking helper, on the return path (ingress) will be allowed by the stateful firewall rules.
An example of an outbound policy for connection tracking helpers:
# firewall-cmd --new-policy clientConntrack # firewall-cmd --policy clientConntrack --add-ingress-zone HOST # firewall-cmd --policy clientConntrack --add-egress-zone ANY # firewall-cmd --policy clientConntrack --add-service tftp
[--zone=zone] --remove-service-from-zone=service
[--policy=policy] --remove-service-from-policy=service
[--zone=zone] [--policy=policy] --query-service=service
[--zone=zone] [--policy=policy] --list-ports
[--zone=zone] [--policy=policy] --add-port=portid[-portid]/protocol
The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
[--zone=zone] [--policy=policy] --remove-port=portid[-portid]/protocol
[--zone=zone] [--policy=policy] --query-port=portid[-portid]/protocol
[--zone=zone] [--policy=policy] --list-protocols
[--zone=zone] [--policy=policy] --add-protocol=protocol
The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for supported protocols.
[--zone=zone] [--policy=policy] --remove-protocol=protocol
[--zone=zone] [--policy=policy] --query-protocol=protocol
[--zone=zone] [--policy=policy] --list-icmp-blocks
[--zone=zone] [--policy=policy] --add-icmp-block=icmptype
The icmptype is the one of the icmp types firewalld supports. To get a listing of supported icmp types: firewall-cmd --get-icmptypes
[--zone=zone] [--policy=policy] --remove-icmp-block=icmptype
[--zone=zone] [--policy=policy] --query-icmp-block=icmptype
[--zone=zone] [--policy=policy] --list-forward-ports
For IPv6 forward ports, please use the rich language.
[--zone=zone] [--policy=policy] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
For IPv6 forward ports, please use the rich language.
Note: IP forwarding will be implicitly enabled if toaddr is specified.
[--zone=zone] [--policy=policy] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
For IPv6 forward ports, please use the rich language.
[--zone=zone] [--policy=policy] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
For IPv6 forward ports, please use the rich language.
[--zone=zone] [--policy=policy] --list-source-ports
[--zone=zone] [--policy=policy] --add-source-port=portid[-portid]/protocol
The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
[--zone=zone] [--policy=policy] --remove-source-port=portid[-portid]/protocol
[--zone=zone] [--policy=policy] --query-source-port=portid[-portid]/protocol
[--zone=zone] [--policy=policy] --add-masquerade
For IPv6 masquerading, please use the rich language.
Note: IP forwarding will be implicitly enabled.
[--zone=zone] [--policy=policy] --remove-masquerade
For IPv6 masquerading, please use the rich language.
[--zone=zone] [--policy=policy] --query-masquerade
For IPv6 masquerading, please use the rich language.
[--zone=zone] [--policy=policy] --list-rich-rules
[--zone=zone] [--policy=policy] --add-rich-rule='rule'
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
[--zone=zone] [--policy=policy] --remove-rich-rule='rule'
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
[--zone=zone] [--policy=policy] --query-rich-rule='rule'
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
Options to Adapt and Query Zones¶
Options in this section affect only one particular zone. If used with --zone=zone option, they affect the specified zone. If the option is omitted, they affect the default zone (see --get-default-zone).
[--zone=zone] --add-icmp-block-inversion
[--zone=zone] --remove-icmp-block-inversion
[--zone=zone] --query-icmp-block-inversion
[--zone=zone] --add-forward
[--zone=zone] --remove-forward
[--zone=zone] --query-forward
Options to Adapt and Query Policies¶
Options in this section affect only one particular policy. It's required to specify --policy=policy with these options.
--policy=policy --get-priority
--policy=policy --set-prioritypriority
If a priority is < 0, then the policy's rules will execute before all rules in all zones.
If a priority is > 0, then the policy's rules will execute after all rules in all zones.
--policy=policy --list-ingress-zones
--policy=policy --add-ingress-zone=zone
The ingress zone is one of the firewalld provided zones or one of the pseudo-zones: HOST, ANY.
HOST is used for traffic originating from the host machine, i.e. the host running firewalld.
ANY is used for traffic originating from any zone. This can be thought of as a wild card for zones. However it does not include traffic originating from the host machine - use HOST for that.
--policy=policy --remove-ingress-zone=zone
--policy=policy --query-ingress-zone=zone
--policy=policy --list-egress-zones
--policy=policy --add-egress-zone=zone
The egress zone is one of the firewalld provided zones or one of the pseudo-zones: HOST, ANY.
For clarification on HOST and ANY see option --add-ingress-zone.
--policy=policy --remove-egress-zone=zone
--policy=policy --query-egress-zone=zone
Options to Handle Bindings of Interfaces¶
Binding an interface to a zone means that this zone settings are used to restrict traffic via the interface.
Options in this section affect only one particular zone. If used with --zone=zone option, they affect the zone zone. If the option is omitted, they affect default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd --get-zones.
An interface name is a string up to 16 characters long, that may not contain ' ', '/', '!' and '*'.
[--zone=zone] --list-interfaces
[--zone=zone] --add-interface=interface
[--zone=zone] --change-interface=interface
[--zone=zone] --query-interface=interface
[--zone=zone] --remove-interface=interface
Options to Handle Bindings of Sources¶
Binding a source to a zone means that this zone settings will be used to restrict traffic from this source.
A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
Options in this section affect only one particular zone. If used with --zone=zone option, they affect the zone zone. If the option is omitted, they affect default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd --get-zones.
[--zone=zone] --list-sources
[--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
[--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
[--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
[--zone=zone] --remove-source=source[/mask]|MAC|ipset:ipset
IPSet Options¶
--new-ipset=ipset --type=ipset type [--option=ipset option[=value]]
ipset names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-ipset-from-file=filename [--name=ipset]
--delete-ipset=ipset
--info-ipset=ipset
ipset
type: type
options: option1[=value1] ..
entries: entry1 ..
--get-ipsets
--ipset=ipset --add-entry=entry
--ipset=ipset --remove-entry=entry
--ipset=ipset --query-entry=entry
--ipset=ipset --get-entries
--ipset=ipset --add-entries-from-file=filename
The file should contain an entry per line. Lines starting with an hash or semicolon are ignored. Also empty lines.
--ipset=ipset --remove-entries-from-file=filename
The file should contain an entry per line. Lines starting with an hash or semicolon are ignored. Also empty lines.
--ipset=ipset --set-description=description
--ipset=ipset --get-description
--ipset=ipset --set-short=description
--ipset=ipset --get-short
--path-ipset=ipset
Service Options¶
--info-service=service
service
ports: port1 ..
protocols: protocol1 ..
source-ports: source-port1 ..
helpers: helper1 ..
destination: ipv1:address1 ..
--new-service=service
Service names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-service-from-file=filename [--name=service]
--delete-service=service
--path-service=service
--service=service --set-description=description
--service=service --get-description
--service=service --set-short=description
--service=service --get-short
--service=service --add-port=portid[-portid]/protocol
--service=service --remove-port=portid[-portid]/protocol
--service=service --query-port=portid[-portid]/protocol
--service=service --get-ports
--service=service --add-protocol=protocol
--service=service --remove-protocol=protocol
--service=service --query-protocol=protocol
--service=service --get-protocols
--service=service --add-source-port=portid[-portid]/protocol
--service=service --remove-source-port=portid[-portid]/protocol
--service=service --query-source-port=portid[-portid]/protocol
--service=service --get-source-ports
--service=service --add-helper=helper
--service=service --remove-helper=helper
--service=service --query-helper=helper
--service=service --get-service-helpers
--service=service --set-destination=ipv:address[/mask]
--service=service --remove-destination=ipv
--service=service --query-destination=ipv:address[/mask]
--service=service --get-destinations
--service=service --add-include=service
--service=service --remove-include=service
--service=service --query-include=service
--service=service --get-includes
Helper Options¶
Options in this section affect only one particular helper.
--info-helper=helper
helper
family: family
module: module
ports: port1 ..
The following options are only usable in the permanent configuration.
--new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
Helper names must be alphanumeric and may additionally include characters: '-'.
--new-helper-from-file=filename [--name=helper]
--delete-helper=helper
--load-helper-defaults=helper
--path-helper=helper
--get-helpers
--helper=helper --set-description=description
--helper=helper --get-description
--helper=helper --set-short=description
--helper=helper --get-short
--helper=helper --add-port=portid[-portid]/protocol
--helper=helper --remove-port=portid[-portid]/protocol
--helper=helper --query-port=portid[-portid]/protocol
--helper=helper --get-ports
--helper=helper --set-module=description
--helper=helper --get-module
--helper=helper --set-family=description
--helper=helper --get-family
Internet Control Message Protocol (ICMP) type Options¶
--info-icmptype=icmptype
icmptype
destination: ipv1 ..
--new-icmptype=icmptype
ICMP type names must be alphanumeric and may additionally include characters: '_' and '-'.
--new-icmptype-from-file=filename [--name=icmptype]
--delete-icmptype=icmptype
--icmptype=icmptype --set-description=description
--icmptype=icmptype --get-description
--icmptype=icmptype --set-short=description
--icmptype=icmptype --get-short
--icmptype=icmptype --add-destination=ipv
--icmptype=icmptype --remove-destination=ipv
--icmptype=icmptype --query-destination=ipv
--icmptype=icmptype --get-destinations
--path-icmptype=icmptype
Direct Options¶
DEPRECATED
The direct interface has been deprecated. It will be removed in a future release. It is superseded by policies, see firewalld.policies(5).
The direct options give a more direct access to the firewall. These options require user to know basic iptables concepts, i.e. table (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets (ACCEPT/DROP/REJECT/...).
Direct options should be used only as a last resort when it's not possible to use for example --add-service=service or --add-rich-rule='rule'.
Warning: Direct rules behavior is different depending on the value of FirewallBackend. See CAVEATS in firewalld.direct(5).
The first argument of each option has to be ipv4 or ipv6 or eb. With ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
--direct --get-all-chains
This option concerns only chains previously added with --direct --add-chain.
--direct --get-chains { ipv4 | ipv6 | eb } table
This option concerns only chains previously added with --direct --add-chain.
--direct --add-chain { ipv4 | ipv6 | eb } table chain
There already exist basic chains to use with direct options, for example INPUT_direct chain (see iptables-save | grep direct output for all of them). These chains are jumped into before chains for zones, i.e. every rule put into INPUT_direct will be checked before rules in zones.
--direct --remove-chain { ipv4 | ipv6 | eb } table chain
--direct --query-chain { ipv4 | ipv6 | eb } table chain
This option concerns only chains previously added with --direct --add-chain.
--direct --get-all-rules
--direct --get-rules { ipv4 | ipv6 | eb } table chain
--direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following.
--direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
--direct --remove-rules { ipv4 | ipv6 | eb } table chain
This option concerns only rules previously added with --direct --add-rule in this chain.
--direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
--direct --get-all-passthroughs
--direct --get-passthroughs { ipv4 | ipv6 | eb }
--direct --add-passthrough { ipv4 | ipv6 | eb } args
--direct --remove-passthrough { ipv4 | ipv6 | eb } args
--direct --query-passthrough { ipv4 | ipv6 | eb } args
Lockdown Options¶
Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt) or are authenticated using PolicyKit. With this feature administrators can lock the firewall configuration so that only applications on lockdown whitelist are able to request firewall changes.
The lockdown access check limits D-Bus methods that are changing firewall rules. Query, list and get methods are not limited.
The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default.
--lockdown-on
--lockdown-off
--query-lockdown
Lockdown Whitelist Options¶
The lockdown whitelist can contain commands, contexts, users and user ids.
If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.
Commands for user root and others is not always the same. Example: As root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd is be used on Fedora.
The context is the security (SELinux) context of a running application or service. To get the context of a running application use ps -e --context.
Warning: If the context is unconfined, then this will open access for more than the desired application.
The lockdown whitelist entries are checked in the following order:
--list-lockdown-whitelist-commands
--add-lockdown-whitelist-command=command
--remove-lockdown-whitelist-command=command
--query-lockdown-whitelist-command=command
--list-lockdown-whitelist-contexts
--add-lockdown-whitelist-context=context
--remove-lockdown-whitelist-context=context
--query-lockdown-whitelist-context=context
--list-lockdown-whitelist-uids
--add-lockdown-whitelist-uid=uid
--remove-lockdown-whitelist-uid=uid
--query-lockdown-whitelist-uid=uid
--list-lockdown-whitelist-users
--add-lockdown-whitelist-user=user
--remove-lockdown-whitelist-user=user
--query-lockdown-whitelist-user=user
Policy Options¶
--policy-server
--policy-desktop
SEE ALSO¶
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
NOTES¶
firewalld home page:
More documentation with examples:
AUTHORS¶
Thomas Woerner <twoerner@redhat.com>
Jiri Popelka <jpopelka@redhat.com>
Eric Garver <eric@garver.life>
firewalld 1.3.3 |