OPTIONS¶
These are the options that can be set in the config file:
DefaultZone
This sets the default zone for connections or interfaces
if the zone is not selected or specified by NetworkManager, initscripts or
command line tool. The default zone is public.
MinimalMark
Deprecated. This option is ignored and no longer used.
Marks are no longer used internally.
CleanupModulesOnExit
Setting this option to yes or true unloads all
firewall-related kernel modules when firewalld is stopped. The default value
is no or false.
CleanupOnExit
If firewalld stops, it cleans up all firewall rules.
Setting this option to no or false leaves the current firewall rules
untouched. The default value is yes or true.
Lockdown
If this option is enabled, firewall changes with the
D-Bus interface will be limited to applications that are listed in the
lockdown whitelist (see
firewalld.lockdown-whitelist(5)). The default
value is no or false.
IPv6_rpfilter
If this option is enabled (it is by default), reverse
path filter test on a packet for IPv6 is performed. If a reply to the packet
would be sent via the same interface that the packet arrived on, the packet
will match and be accepted, otherwise dropped. For IPv4 the rp_filter is
controlled using sysctl.
Note: This feature has a performance impact. In most cases
the impact is not enough to cause a noticeable difference. It requires route
lookups and its execution occurs before the established connections fast
path. As such it can have a significant performance impact if there is a lot
of traffic. It's enabled by default for security, but can be disabled if
performance is a concern.
IndividualCalls
If this option is disabled (it is by default), combined
-restore calls are used and not individual calls to apply changes to the
firewall. The use of individual calls increases the time that is needed to
apply changes and to start the daemon, but is good for debugging as error
messages are more specific.
LogDenied
Add logging rules right before reject and drop rules in
the INPUT, FORWARD and OUTPUT chains for the default rules and also final
reject and drop rules in zones for the configured link-layer packet type. The
possible values are: all, unicast, broadcast,
multicast and off. The default setting is off, which
disables the logging.
AutomaticHelpers
Deprecated. This option is ignored and no longer
used.
FirewallBackend
Selects the firewall backend implementation. Possible
values are;
nftables (default), or
iptables. This applies to all
firewalld primitives. The only exception is direct and passthrough rules which
always use the traditional iptables, ip6tables, and ebtables backends.
Note: The iptables backend is deprecated. It will be
removed in a future release.
FlushAllOnReload
Flush all runtime rules on a reload. In previous releases
some runtime configuration was retained during a reload, namely; interface to
zone assignment, and direct rules. This was confusing to users. To override
this behavior set this to "yes". Defaults to "no".
ReloadPolicy
The policy during reload. By default, all traffic except
established connections is dropped while reloading the firewall rules. This
can be overridden for INPUT, FORWARD and OUTPUT. The accepted values are
"DROP", "REJECT" and "ACCEPT", which then
applies to all tables. Alternatively, the policy can be specified per table,
like "INPUT:REJECT,FORWARD:DROP,OUTPUT:ACCEPT". Defaults to
"INPUT:DROP,FORWARD:DROP,OUTPUT:DROP".
RFC3964_IPv4
As per RFC 3964, filter IPv6 traffic with 6to4
destination addresses that correspond to IPv4 addresses that should not be
routed over the public internet. Defaults to "yes".
AllowZoneDrifting
Deprecated. This option is ignored and no longer
used.
NftablesFlowtable
This may improve forwarded traffic throughput by enabling
nftables flowtable. It is a software fastpath and avoids calling nftables rule
evaluation for data packets. Its value is a space separate list of interfaces.
Example value "eth0 eth1". Defaults to "off".
NftablesCounters
If set to yes, add a counter to every nftables rule. This
is useful for debugging and comes with a small performance cost. Defaults to
"no".