firewalld.direct man page on RedHat


FIREWALLD.DIRECT(5)	       firewalld.direct		   FIREWALLD.DIRECT(5)

NAME
       firewalld.direct - firewalld direct configuration file

SYNOPSIS
       /usr/etc/firewalld/direct.xml

DESCRIPTION
       A firewalld direct configuration file contains the information about
       permanent direct chains and rules. These are the chains, rules and
       passthrough ...

       This is the structure of a direct configuration file:

	   <?xml version="1.0" encoding="utf-8"?>
	   <direct>
	     [ <chain ipv="ipv4|ipv6" table="table" chain="chain"/> ]
	     [ <rule ipv="ipv4|ipv6" table="table" chain="chain" priority="priority"> args </rule> ]
	     [ <passthrough ipv="ipv4|ipv6"> args </passthrough> ]
	   </direct>

   direct
       The mandatory direct start and end tag defines the direct. This tag can
       only be used once in a direct configuration file. There are no
       attributes for direct.

   chain
       Is an optional empty-element tag and can be used several times. It can
       be used to define names for additional chains. A chain entry has
       exactly three attributes:

       ipv="ipv4|ipv6"
	   The IP family where the chain will be created. This can be either
	   ipv4 or ipv6.

       table="table"
	   The table name where the chain will be created. This can be one of
	   the tables that can be used for iptables or ip6tables. For the
	   possible values, please have a look at the TABLES section in the
	   iptables man pages: For ipv="ipv4" in iptables(8), for ipv="ipv6"
	   in ip6tables(8).

       chain="chain"
	   The name of the chain that will be created. Please make sure that
	   there is no other chain with this name already.

       Please remember to add a rule or passthrough rule with a --jump or
       --goto option to connect the chain to another one.

   rule
       Is an optional element tag and can be used several times. It can be
       used to add rules to a built-in or added chain. A rule entry has
       exactly four attributes:

       ipv="ipv4|ipv6"
	   The IP family where the rule will be added. This can be either ipv4
	   or ipv6.

       table="table"
	   The table name where the rule will be added. This can be one of
	   the tables that can be used for iptables or ip6tables. For the
	   possible values, please have a look at the TABLES section in the
	   iptables man pages: For ipv="ipv4" in iptables(8), for ipv="ipv6"
	   in ip6tables(8).

       chain="chain"
	   The name of the chain where the rule will be added. This can be
	   either a built-in chain or a chain that has been created with the
	   chain tag.

       priority="priority"
	   The priority is used to order rules. Priority 0 means the rule is
	   added at the top of the chain; with a higher priority the rule is
	   added further down. Rules with the same priority are on the same
	   level, and the order of these rules is not fixed and may change.
	   If you want to make sure that a rule will be added after another
	   one, use a low priority for the first and a higher one for the
	   following.

       The args can be any arguments of iptables or ip6tables that do not
       conflict with the table or chain attributes.

       If the chain name is a built-in chain, then the rule will be added to
       chain_direct, else the supplied chain name is used.  chain_direct is
       created internally for all built-in chains to make sure that the added
       rules do not conflict with the rules created by firewalld.

   passthrough
       Is an optional element tag and can be used several times. It can be
       used to add rules to a built-in or added chain. A passthrough entry
       has exactly one attribute:

       ipv="ipv4|ipv6"
	   The IP family where the passthrough rule will be added. This can be
	   either ipv4 or ipv6.

       The args can be any arguments of iptables or ip6tables.

       The passthrough rule will be added to the chain directly. There is no
       chain_direct redirection as for the direct rule above. The user of the
       passthrough rule has to make sure that there will be no conflict with
       the rules created by firewalld.

EXAMPLE
       Blacklisting of the networks 192.168.1.0/24 and 192.168.5.0/24 with
       logging and dropping early in the raw table:

	   <?xml version="1.0" encoding="utf-8"?>
	   <direct>
	     <chain ipv="ipv4" table="raw" chain="blacklist"/>
	     <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule>
	     <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="1">-s 192.168.5.0/24 -j blacklist</rule>
	     <rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule>
	     <rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule>
	   </direct>
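       The chain_direct redirection, priority ordering and passthrough
       handling described above, worked through as an added Python example
       that is not part of this man page or of firewalld itself: it expands
       a direct.xml into the iptables/ip6tables command lines it amounts to.
       The BUILTIN chain set, the conflict check on args and the use of -A in
       priority order are assumptions made for illustration, not firewalld's
       actual mechanism.

```python
# Added illustration of firewalld.direct(5) semantics, not firewalld's own code.
import shlex
import xml.etree.ElementTree as ET

TOOL = {"ipv4": "iptables", "ipv6": "ip6tables"}
# Assumed set of built-in chains for which firewalld keeps a <chain>_direct hook.
BUILTIN = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# Options in args that would conflict with the table/chain attributes.
CONFLICTING = {"-t", "--table", "-A", "--append", "-I", "--insert",
               "-D", "--delete", "-N", "--new-chain"}

def target_chain(chain):
    """Rules aimed at a built-in chain land in <chain>_direct instead."""
    return chain + "_direct" if chain in BUILTIN else chain

def expand(xml_text):
    """Return the command lines in the order they would be applied."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "direct":
        raise ValueError("root element must be <direct>")
    # <chain>: create the extra chain in the named table.
    cmds = ["%s -t %s -N %s" % (TOOL[c.get("ipv")], c.get("table"), c.get("chain"))
            for c in root.findall("chain")]
    rules = []
    for r in root.findall("rule"):
        args = (r.text or "").strip()
        if CONFLICTING & set(shlex.split(args)):
            raise ValueError("rule args conflict with table/chain: " + args)
        rules.append((TOOL[r.get("ipv")], r.get("table"),
                      target_chain(r.get("chain")), int(r.get("priority")), args))
    # <rule>: lower priority first. The stable sort keeps file order for equal
    # priorities here, but the man page says firewalld does not fix that order.
    for tool, table, chain, _prio, args in sorted(rules, key=lambda x: x[:4]):
        cmds.append("%s -t %s -A %s %s" % (tool, table, chain, args))
    # <passthrough>: args go to the tool verbatim, no chain_direct redirection.
    for p in root.findall("passthrough"):
        cmds.append("%s %s" % (TOOL[p.get("ipv")], (p.text or "").strip()))
    return cmds

# Constructed sample: the page's blacklist example with its rules listed out of
# priority order, plus an IPv6 passthrough.
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<direct>
  <chain ipv="ipv4" table="raw" chain="blacklist"/>
  <rule ipv="ipv4" table="raw" chain="blacklist" priority="1">-j DROP</rule>
  <rule ipv="ipv4" table="raw" chain="blacklist" priority="0">-m limit --limit 1/min -j LOG --log-prefix "blacklisted: "</rule>
  <rule ipv="ipv4" table="raw" chain="PREROUTING" priority="0">-s 192.168.1.0/24 -j blacklist</rule>
  <passthrough ipv="ipv6">-t filter -A INPUT -p ipv6-icmp -j ACCEPT</passthrough>
</direct>"""
```

       Running expand(SAMPLE) shows the PREROUTING rule landing in
       PREROUTING_direct and the LOG rule preceding DROP despite its later
       position in the file.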

SEE ALSO
       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.icmptype(5),
       firewalld.lockdown-whitelist(5), firewall-offline-cmd(1),
       firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5),
       firewalld.zones(5)

NOTES
       firewalld home page at fedorahosted.org:
	   http://fedorahosted.org/firewalld/

       More documentation with examples:
	   http://fedoraproject.org/wiki/FirewallD

AUTHORS
       Thomas Woerner <twoerner@redhat.com>
	   Developer

       Jiri Popelka <jpopelka@redhat.com>
	   Developer

firewalld 0.3.8						   FIREWALLD.DIRECT(5)