Provided by: firewalld_2.3.0-1_all 
NAME
firewalld.conf - firewalld configuration file
SYNOPSIS
/etc/firewalld/firewalld.conf
DESCRIPTION
firewalld.conf is loaded by firewalld during the initialization process. The file contains
the basic configuration options for firewalld.
OPTIONS
These are the options that can be set in the config file:
DefaultZone
This sets the default zone for connections or interfaces if the zone is not selected
or specified by NetworkManager, initscripts or command line tool. The default zone is
public.
MinimalMark
Deprecated. This option is ignored and no longer used. Marks are no longer used
internally.
CleanupModulesOnExit
Setting this option to yes or true unloads all firewall-related kernel modules when
firewalld is stopped. The default value is no or false.
CleanupOnExit
If firewalld stops, it cleans up all firewall rules. Setting this option to no or
false leaves the current firewall rules untouched. The default value is yes or true.
IPv6_rpfilter
Performs reverse path filtering (RPF) on IPv6 packets as per RFC 3704. Possible
values: - strict: Performs "strict" filtering as per RFC 3704. This check verifies
that the in ingress interface is the same interface that would be used to send a
packet reply to the source. That is, ingress == egress. - loose: Performs "loose"
filtering as per RFC 3704. This check only verifies that there is a route back to the
source through any interface; even if it's not the same one on which the packet
arrived. - strict-forward: This is almost identical to "loose", but does not perform
RPF for packets targeted to the host (INPUT). - loose-forward: This is almost
identical to "loose", but does not perform RPF for packets targeted to the host
(INPUT). - no: RPF is completely disabled. The rp_filter for IPv4 is controlled using
sysctl.
Note: This feature has a performance impact. In most cases the impact is not enough to
cause a noticeable difference. It requires route lookups and its execution occurs
before the established connections fast path. As such it can have a significant
performance impact if there is a lot of traffic. It's enabled by default for security,
but can be disabled if performance is a concern. Alternatively one of the variants
that only does RPF on forwarded packets may be used.
IndividualCalls
If this option is disabled (it is by default), combined -restore calls are used and
not individual calls to apply changes to the firewall. The use of individual calls
increases the time that is needed to apply changes and to start the daemon, but is
good for debugging as error messages are more specific.
LogDenied
Add logging rules right before reject and drop rules in the INPUT, FORWARD and OUTPUT
chains for the default rules and also final reject and drop rules in zones for the
configured link-layer packet type. The possible values are: all, unicast, broadcast,
multicast and off. The default setting is off, which disables the logging.
AutomaticHelpers
Deprecated. This option is ignored and no longer used.
FirewallBackend
Selects the firewall backend implementation. Possible values are; nftables (default),
or iptables. This applies to all firewalld primitives. The only exception is direct
and passthrough rules which always use the traditional iptables, ip6tables, and
ebtables backends.
Note: The iptables backend is deprecated. It will be removed in a future release.
FlushAllOnReload
Flush all runtime rules on a reload. In previous releases some runtime configuration
was retained during a reload, namely; interface to zone assignment, and direct rules.
This was confusing to users. To get the old behavior set this to "no". Defaults to
"yes".
ReloadPolicy
The policy during reload. By default, all traffic except established connections is
dropped while reloading the firewall rules. This can be overridden for INPUT, FORWARD
and OUTPUT. The accepted values are "DROP", "REJECT" and "ACCEPT", which then applies
to all tables. Alternatively, the policy can be specified per table, like
"INPUT:REJECT,FORWARD:DROP,OUTPUT:ACCEPT". Defaults to
"INPUT:DROP,FORWARD:DROP,OUTPUT:DROP".
RFC3964_IPv4
As per RFC 3964, filter IPv6 traffic with 6to4 destination addresses that correspond
to IPv4 addresses that should not be routed over the public internet. Defaults to
"yes".
StrictForwardPorts
If set to yes, the generated destination NAT (DNAT) rules will NOT accept traffic that
was DNAT'd by other entities, e.g. docker. Firewalld will be strict and not allow
published container ports until they're explicitly allowed via firewalld. If set to
no, then docker (and podman) integrates seamlessly with firewalld. Published container
ports are implicitly allowed. Defaults to "no".
AllowZoneDrifting
Deprecated. This option is ignored and no longer used.
NftablesFlowtable
This may improve forwarded traffic throughput by enabling nftables flowtable. It is a
software fastpath and avoids calling nftables rule evaluation for data packets. Its
value is a space separate list of interfaces. Example value "eth0 eth1". Defaults to
"off".
NftablesCounters
If set to yes, add a counter to every nftables rule. This is useful for debugging and
comes with a small performance cost. Defaults to "no".
NftablesTableOwner
If set to yes, the generated nftables rule set will be owned exclusively by firewalld.
This prevents other entities from mistakenly (or maliciously) modifying firewalld's
rule set. If you intentionally modify firewalld's rules, then you will have to set
this to "no". Defaults to "yes".
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5),
firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewall-offline-cmd(1),
firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
NOTES
firewalld home page:
http://firewalld.org
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Developer
Jiri Popelka <jpopelka@redhat.com>
Developer
Eric Garver <eric@garver.life>
Developer