source-git / firewalld

Clone
Source Code
GIT

Files

  1.   88d72e1b29d2c9ff805b55ecb08874557aa5c6eb
  2.   doc
  3.   xml
  4.   firewalld.conf.xml
Blob Blame History Raw 
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[
<!ENTITY authors SYSTEM "authors.xml">
<!ENTITY seealso SYSTEM "seealso.xml">
<!ENTITY notes SYSTEM "notes.xml">
]>

<!--
  This file is part of firewalld.

  Copyright (C) 2010-2013 Red Hat, Inc.
  Authors:
  Thomas Woerner <twoerner@redhat.com>

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program.  If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="firewalld.conf">

  <refentryinfo>
    <title>firewalld.conf</title>
    <productname>firewalld</productname>
    &authors;
  </refentryinfo>

  <refmeta>
    <refentrytitle>firewalld.conf</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>firewalld.conf</refname>
    <refpurpose>firewalld configuration file</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para>
      <programlisting>
<filename><config.sysconfdir/>/firewalld/firewalld.conf</filename>
      </programlisting>
    </para>
  </refsynopsisdiv>

  <refsect1 id="description">
    <title>Description</title>

    <para>
      firewalld.conf is loaded by firewalld during the initialization process. The file contains the basic configuration options for firewalld.
    </para>

  </refsect1>

  <refsect1 id="options">
    <title>Options</title>

    <para>
      These are the options that can be set in the config file:
    </para>

    <variablelist>
      <varlistentry>
	<term><option>DefaultZone</option></term>
        <listitem>
	  <para>
	    This sets the default zone for connections or interfaces if the zone is not selected or specified by NetworkManager, initscripts or command line tool. The default zone is public.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term><option>MinimalMark</option></term>
        <listitem>
	  <para>
        Deprecated. This option is ignored and no longer used. Marks are no longer used internally.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term><option>CleanupOnExit</option></term>
        <listitem>
	  <para>
            If firewalld stops, it cleans up all firewall rules. Setting this option to no or false leaves the current firewall rules untouched. The default value is yes or true.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term><option>Lockdown</option></term>
        <listitem>
	  <para>
	    If this option is enabled, firewall changes with the D-Bus interface will be limited to applications that are listed in the lockdown whitelist (see <citerefentry><refentrytitle>firewalld.lockdown-whitelist</refentrytitle><manvolnum>5</manvolnum></citerefentry>). The default value is no or false.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term><option>IPv6_rpfilter</option></term>
        <listitem>
	  <para>
	    If this option is enabled (it is by default), reverse path filter test on a packet for IPv6 is performed.
	    If a reply to the packet would be sent via the same interface that the packet arrived on, the packet will match and be accepted, otherwise dropped.
            For IPv4 the rp_filter is controlled using sysctl.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term><option>IndividualCalls</option></term>
        <listitem>
	  <para>
	    If this option is disabled (it is by default), combined -restore calls are used and not individual calls to apply changes to the firewall. The use of individiual calls increases the time that is needed to apply changes and to start the daemon, but is good for debugging as error messages are more specific.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term><option>LogDenied</option></term>
        <listitem>
	  <para>
	    Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT chains for the default rules and also final reject and drop rules in zones for the configured link-layer packet type. The possible values are: <replaceable>all</replaceable>, <replaceable>unicast</replaceable>, <replaceable>broadcast</replaceable>, <replaceable>multicast</replaceable> and <replaceable>off</replaceable>. The default setting is <replaceable>off</replaceable>, which disables the logging.
	  </para>
	</listitem>
      </varlistentry>

      <varlistentry>
	<term><option>AutomaticHelpers</option></term>
        <listitem>
	  <para>
        Deprecated. This option is ignored and no longer used.
	  </para>
	</listitem>
      </varlistentry>

        <varlistentry>
            <term><option>FirewallBackend</option></term>
            <listitem>
                <para>
                Selects the firewall backend implementation. Possible values
                are; <replaceable>nftables</replaceable> (default), or
                <replaceable>iptables</replaceable>. This applies to all
                firewalld primitives. The only exception is direct and
                passthrough rules which always use the traditional iptables,
                ip6tables, and ebtables backends.
                </para>
	        </listitem>
        </varlistentry>

        <varlistentry>
            <term><option>FlushAllOnReload</option></term>
            <listitem>
                <para>
                Flush all runtime rules on a reload. In previous releases some
                runtime configuration was retained during a reload, namely;
                interface to zone assignment, and direct rules. This was
                confusing to users. To get the old behavior set this to "no".
                Defaults to "yes".
                </para>
            </listitem>
        </varlistentry>

        <varlistentry>
            <term><option>RFC3964_IPv4</option></term>
            <listitem>
                <para>
                As per RFC 3964, filter IPv6 traffic with 6to4 destination
                addresses that correspond to IPv4 addresses that should not
                be routed over the public internet.
                Defaults to "yes".
                </para>
            </listitem>
        </varlistentry>

        <varlistentry>
            <term><option>AllowZoneDrifting</option></term>
            <listitem>
                <para>
                Older versions of firewalld had undocumented behavior known
                as "zone drifting". This allowed packets to ingress multiple
                zones - this is a violation of zone based firewalls. However,
                some users rely on this behavior to have a "catch-all" zone,
                e.g. the default zone. You can enable this if you desire such
                behavior. It's disabled by default for security reasons.
                Note: If "yes" packets will only drift from source based zones
                to interface based zones (including the default zone). Packets
                never drift from interface based zones to other interfaces
                based zones (including the default zone).
                Valid values; "yes", "no". Defaults to "yes".
                </para>
            </listitem>
        </varlistentry>

    </variablelist>

  </refsect1>

  &seealso;

  &notes;

</refentry>

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation