'\" t .\" Title: firewalld.policy .\" Author: Thomas Woerner .\" Generator: DocBook XSL Stylesheets vsnapshot .\" Date: .\" Manual: firewalld.policy .\" Source: firewalld 0.9.3 .\" Language: English .\" .TH "FIREWALLD\&.POLICY" "5" "" "firewalld 0.9.3" "firewalld.policy" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" firewalld.policy \- firewalld policy configuration files .SH "SYNOPSIS" .PP \fI/etc/firewalld/policies/policy\&.xml\fR .PP \fI/usr/lib/firewalld/policies/policy\&.xml\fR .SH "DESCRIPTION" .PP A firewalld policy configuration file contains the information for a policy\&. These are the policy descriptions, services, ports, protocols, icmp\-blocks, masquerade, forward\-ports and rich language rules in an XML file format\&. The file name has to be \fIpolicy_name\fR\&.xml where length of \fIpolicy_name\fR is currently limited to 17 chars\&. .PP This is the structure of a policy configuration file: .sp .if n \{\ .RS 4 .\} .nf [ ] [ ] [ \fIshort description\fR ] [ \fIdescription\fR ] [ ] [ ] [ ] [ ] [ ] [ ] [ ] [ [ ] [ ] [ | | | | | | ] [ [] ] [ [] ] [ [] | [] | [] | [] ] ] .fi .if n \{\ .RE .\} .PP The config can contain these tags and attributes\&. Some of them are mandatory, others optional\&. .SS "policy" .PP The mandatory policy start and end tag defines the policy\&. This tag can only be used once in a policy configuration file\&. There are optional attributes for policy: .PP version="\fIstring\fR" .RS 4 To give the policy a version\&. .RE .PP target="\fICONTINUE\fR\fIACCEPT\fR|\fIREJECT\fR|\fIDROP\fR" .RS 4 Can be used to accept, reject or drop every packet that doesn\*(Aqt match any rule (port, service, etc\&.)\&. The \fICONTINUE\fR is the default and used for policies that an non\-terminal\&. .RE .SS "ingress\-zone" .PP An optional element that can be used several times\&. It can be the name of a firewalld zone or one of the symbolic zones: HOST, ANY\&. See \fBfirewalld.policies\fR(5) for information about symbolic zones\&. .SS "egress\-zone" .PP An optional element that can be used several times\&. It can be the name of a firewalld zone or one of the symbolic zones: HOST, ANY\&. See \fBfirewalld.policies\fR(5) for information about symbolic zones\&. .SS "short" .PP Is an optional start and end tag and is used to give a more readable name\&. .SS "description" .PP Is an optional start and end tag to have a description\&. .SS "service" .PP Is an optional empty\-element tag and can be used several times to have more than one service entry enabled\&. A service entry has exactly one attribute: .PP name="\fIstring\fR" .RS 4 The name of the service to be enabled\&. To get a list of valid service names \fBfirewall\-cmd \-\-list=services\fR can be used\&. .RE .SS "port" .PP Is an optional empty\-element tag and can be used several times to have more than one port entry\&. All attributes of a port entry are mandatory: .PP port="\fIportid\fR[\-\fIportid\fR]" .RS 4 The port can either be a single port number \fIportid\fR or a port range \fIportid\fR\-\fIportid\fR\&. .RE .PP protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" .RS 4 The protocol can either be \fItcp\fR, \fIudp\fR, \fIsctp\fR or \fIdccp\fR\&. .RE .SS "protocol" .PP Is an optional empty\-element tag and can be used several times to have more than one protocol entry\&. All protocol has exactly one attribute: .PP value="\fIstring\fR" .RS 4 The protocol can be any protocol supported by the system\&. Please have a look at \fI/etc/protocols\fR for supported protocols\&. .RE .SS "icmp\-block" .PP Is an optional empty\-element tag and can be used several times to have more than one icmp\-block entry\&. Each icmp\-block tag has exactly one mandatory attribute: .PP name="\fIstring\fR" .RS 4 The name of the Internet Control Message Protocol (ICMP) type to be blocked\&. To get a list of valid ICMP types \fBfirewall\-cmd \-\-list=icmptypes\fR can be used\&. .RE .SS "masquerade" .PP Is an optional empty\-element tag\&. It can be used only once\&. If it\*(Aqs present masquerading is enabled\&. .SS "forward\-port" .PP Is an optional empty\-element tag and can be used several times to have more than one port or packet forward entry\&. There are mandatory and also optional attributes for forward ports: .sp .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBMandatory attributes:\fR .RS 4 .PP The local port and protocol to be forwarded\&. .PP port="\fIportid\fR[\-\fIportid\fR]" .RS 4 The port can either be a single port number \fIportid\fR or a port range \fIportid\fR\-\fIportid\fR\&. .RE .PP protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" .RS 4 The protocol can either be \fItcp\fR, \fIudp\fR, \fIsctp\fR or \fIdccp\fR\&. .RE .RE .sp .it 1 an-trap .nr an-no-space-flag 1 .nr an-break-flag 1 .br .ps +1 \fBOptional attributes:\fR .RS 4 .PP The destination of the forward\&. For local forwarding add \fBto\-port\fR only\&. For remote forwarding add \fBto\-addr\fR and use \fBto\-port\fR optionally if the destination port on the destination machine should be different\&. .PP to\-port="\fIportid\fR[\-\fIportid\fR]" .RS 4 The destination port or port range to forward to\&. If omitted, the value of the port= attribute will be used altogether with the to\-addr attribute\&. .RE .PP to\-addr="\fIaddress\fR" .RS 4 The destination IP address either for IPv4 or IPv6\&. .RE .RE .SS "source\-port" .PP Is an optional empty\-element tag and can be used several times to have more than one source port entry\&. All attributes of a source port entry are mandatory: .PP port="\fIportid\fR[\-\fIportid\fR]" .RS 4 The port can either be a single port number \fIportid\fR or a port range \fIportid\fR\-\fIportid\fR\&. .RE .PP protocol="\fItcp\fR|\fIudp\fR|\fIsctp\fR|\fIdccp\fR" .RS 4 The protocol can either be \fItcp\fR, \fIudp\fR, \fIsctp\fR or \fIdccp\fR\&. .RE .SS "rule" .PP Is an optional element tag and can be used several times to have more than one rich language rule entry\&. .PP The general rule structure: .PP .if n \{\ .RS 4 .\} .nf [ ] [ ] [ | | | | | | | | ] [ [] ] [ [] ] [ [] | [] | [] | [] ] .fi .if n \{\ .RE .\} .PP Rule structure for source black or white listing: .PP .if n \{\ .RS 4 .\} .nf [ [] ] [ [] ] [] | [] | [] .fi .if n \{\ .RE .\} .PP For a full description on rich language rules, please have a look at \fBfirewalld.richlanguage\fR(5)\&. .SH "SEE ALSO" \fBfirewall-applet\fR(1), \fBfirewalld\fR(1), \fBfirewall-cmd\fR(1), \fBfirewall-config\fR(1), \fBfirewalld.conf\fR(5), \fBfirewalld.direct\fR(5), \fBfirewalld.dbus\fR(5), \fBfirewalld.icmptype\fR(5), \fBfirewalld.lockdown-whitelist\fR(5), \fBfirewall-offline-cmd\fR(1), \fBfirewalld.richlanguage\fR(5), \fBfirewalld.service\fR(5), \fBfirewalld.zone\fR(5), \fBfirewalld.zones\fR(5), \fBfirewalld.policy\fR(5), \fBfirewalld.policies\fR(5), \fBfirewalld.ipset\fR(5), \fBfirewalld.helper\fR(5) .SH "NOTES" .PP firewalld home page: .RS 4 \m[blue]\fB\%http://firewalld.org\fR\m[] .RE .PP More documentation with examples: .RS 4 \m[blue]\fB\%http://fedoraproject.org/wiki/FirewallD\fR\m[] .RE .SH "AUTHORS" .PP \fBThomas Woerner\fR <\&twoerner@redhat\&.com\&> .RS 4 Developer .RE .PP \fBJiri Popelka\fR <\&jpopelka@redhat\&.com\&> .RS 4 Developer .RE .PP \fBEric Garver\fR <\&eric@garver\&.life\&> .RS 4 Developer .RE