<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[
<!ENTITY authors SYSTEM "authors.xml">
<!ENTITY seealso SYSTEM "seealso.xml">
<!ENTITY notes SYSTEM "notes.xml">
]>

<!--
  This file is part of firewalld.

  Copyright (C) 2010-2013 Red Hat, Inc.
  Authors:
  Thomas Woerner <twoerner@redhat.com>

  This program is free software; you can redistribute it and/or modify
  it under the terms of the GNU General Public License as published by
  the Free Software Foundation; either version 2 of the License, or
  (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  You should have received a copy of the GNU General Public License
  along with this program.  If not, see <http://www.gnu.org/licenses/>.
-->

<refentry id="firewalld.service">

  <refentryinfo>
    <title>firewalld.service</title>
    <productname>firewalld</productname>
    &authors;
  </refentryinfo>

  <refmeta>
    <refentrytitle>firewalld.service</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>firewalld.service</refname>
    <refpurpose>firewalld service configuration files</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para>
      <programlisting>
<filename><config.sysconfdir/>/firewalld/services/service.xml</filename>
<filename><config.prefix/>/lib/firewalld/services/service.xml</filename>
      </programlisting>
    </para>
  </refsynopsisdiv>

  <refsect1 id="description">
    <title>Description</title>

    <para>
      A firewalld service configuration file describes a service entry for firewalld. The most important configuration options are ports, netfilter helper modules and destination addresses.
    </para>
 
    <para>
      This example configuration file shows the structure of a service configuration file:

      <programlisting>
&lt;?xml version="1.0" encoding="utf-8"?&gt;
&lt;service&gt;
  &lt;short&gt;<replaceable>My Service</replaceable>&lt;/short&gt;
  &lt;description&gt;<replaceable>description</replaceable>&lt;/description&gt;
  &lt;port port="<replaceable>137</replaceable>" protocol="<replaceable>tcp</replaceable>"/&gt;
  &lt;module name="<replaceable>nf_conntrack_netbios_ns</replaceable>"/&gt;
  &lt;destination ipv4="<replaceable>224.0.0.251</replaceable>" ipv6="<replaceable>ff02::fb</replaceable>"/&gt;
&lt;/service&gt;
      </programlisting>
    </para>
  </refsect1>

  <refsect1 id="options">
    <title>Options</title>
    <para>
      The config can contain these tags and attributes. Some of them are mandatory, others optional.
    </para>

    <refsect2 id="options_service">
      <title>service</title>
      <para>
	The mandatory service start and end tag defines the service. This tag can only be used once in a service configuration file. There are optional attributes for services:
      </para>

      <variablelist>
	<varlistentry>
	  <term>version="<replaceable>string</replaceable>"</term>
          <listitem>
	    <para>
              To give the service a version.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>
    </refsect2>

    <refsect2 id="options_short">
      <title>short</title>
      <para>
	Is an optional start and end tag and is used to give the service a more readable name.
      </para>
    </refsect2>

    <refsect2 id="options_description">
      <title>description</title>
      <para>
	Is an optional start and end tag to have a description for the service.
      </para>
    </refsect2>

    <refsect2 id="options_port">
      <title>port</title>
      <para>
	Is an optional empty-element tag and can be used several times to have more than one port entry. All attributes of a port entry are mandatory:
      </para>

      <variablelist>
	<varlistentry>
	  <term>port="<replaceable>string</replaceable>"</term>
          <listitem>
	    <para>
	      The port <replaceable>string</replaceable> can be a single port number, a port range <replaceable>portid</replaceable>-<replaceable>portid</replaceable>, or empty to match on the protocol only.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term>protocol="<replaceable>string</replaceable>"</term>
          <listitem>
	    <para>
              If a port is given, the protocol value can either be <option>tcp</option> or <option>udp</option>. If no port is given, it can be any protocol name from <filename>/etc/protocols</filename>, which results in a match on the protocol only.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>
    </refsect2>

    <refsect2 id="options_module">
      <title>module</title>
      <para>
	Is an optional empty-element tag and can be used several times to enable more than one netfilter kernel helper for the service. Connection-tracking helpers inspect application-layer traffic in the kernel and may allow additional related connections through the firewall, so enable only the helpers the service actually requires. A module entry has exactly one attribute:
      </para>

      <variablelist>
	<varlistentry>
	  <term>name="<replaceable>string</replaceable>"</term>
          <listitem>
	    <para>
              Defines the name of the kernel netfilter helper as a string.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>
    </refsect2>

    <refsect2 id="options_destination">
      <title>destination</title>
      <para>
	Is an optional empty-element tag and can be used only once. The destination specifies the destination network as a network IP address (optionally with /mask), or a plain IP address. The use of hostnames is not recommended, because a hostname is resolved only once, at service activation, and only the resulting address is transmitted to the kernel; later changes to the name's resolution are not picked up. For more information on this element, please have a look at <option>--destination</option> in <citerefentry><refentrytitle>iptables</refentrytitle><manvolnum>8</manvolnum></citerefentry> and <citerefentry><refentrytitle>ip6tables</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
      </para>

      <variablelist>
	<varlistentry>
	  <term>ipv4="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"</term>
          <listitem>
	    <para>
              The IPv4 destination address with optional mask.
	    </para>
	  </listitem>
	</varlistentry>

	<varlistentry>
	  <term>ipv6="<replaceable>address</replaceable>[/<replaceable>mask</replaceable>]"</term>
          <listitem>
	    <para>
              The IPv6 destination address with optional mask.
	    </para>
	  </listitem>
	</varlistentry>
      </variablelist>
    </refsect2>

  </refsect1>

  &seealso;

  &notes;

</refentry>