{"id":7155,"date":"2018-01-05T09:57:04","date_gmt":"2018-01-05T01:57:04","guid":{"rendered":"http:\/\/rmohan.com\/?p=7155"},"modified":"2018-01-05T09:57:21","modified_gmt":"2018-01-05T01:57:21","slug":"firewalld-centos-7","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=7155","title":{"rendered":"Firewalld Centos-7"},"content":{"rendered":"<p>As of CentOS 7, the default firewall application has changed from iptables to firewalld. FirewallD provides dynamic filtering, versus the static filtering in iptables. You can read more about the included features on the Fedora project page <a href=\"https:\/\/fedoraproject.org\/wiki\/FirewallD\">here<\/a> and\/or on the official homepage <a href=\"http:\/\/www.firewalld.org\/\">here<\/a>.<\/p>\n<p>This page will help me to unlearn iptables and remember the firewalld commands.<\/p>\n<h2>Get Initial information<\/h2>\n<ul>\n<li>Get the status of firewalld<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">state<\/span><\/pre>\n<ul>\n<li>Reload the firewall without losing state information:<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">reload<\/span><\/pre>\n<ul>\n<li>Get a list of all supported zones<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">zones<\/span><\/pre>\n<ul>\n<li>Get a list of all supported services<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span 
class=\"pun\">-<\/span><span class=\"pln\">services<\/span><\/pre>\n<ul>\n<li>Get a list of all supported icmptypes<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmptypes<\/span><\/pre>\n<ul>\n<li>List all zones with the enabled features.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">list<\/span><span class=\"pun\">-<\/span><span class=\"pln\">all<\/span><span class=\"pun\">-<\/span><span class=\"pln\">zones<\/span><\/pre>\n<ul>\n<li>Print zone &lt;zone&gt; with the enabled features. If zone is omitted, the default zone will be used.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">list<\/span><span class=\"pun\">-<\/span><span class=\"pln\">all<\/span><\/pre>\n<ul>\n<li>Get the default zone set for network connections<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"kwd\">default<\/span><span class=\"pun\">-<\/span><span class=\"pln\">zone<\/span><\/pre>\n<ul>\n<li>Set the default zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">set<\/span><span class=\"pun\">-<\/span><span 
class=\"kwd\">default<\/span><span class=\"pun\">-<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>All interfaces that are located in the default zone will be moved into the new default zone, which defines the limitations for new externally initiated connection attempts. Active connections are not affected.<\/p>\n<ul>\n<li>Get active zones<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">active<\/span><span class=\"pun\">-<\/span><span class=\"pln\">zones<\/span><\/pre>\n<ul>\n<li>Get zone related to an interface<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">-<\/span><span class=\"pln\">of<\/span><span class=\"pun\">-<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">=&lt;<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This prints the zone name, if the interface is part of a zone.<\/p>\n<h2>Update the basic rules<\/h2>\n<ul>\n<li>Add an interface to a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">=&lt;<\/span><span 
class=\"kwd\">interface<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This adds an interface to a zone, if it was not in a zone before. If the zone option is omitted, the default zone will be used. The interfaces are reapplied after reloads.<\/p>\n<ul>\n<li>Change the zone an interface belongs to<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">change<\/span><span class=\"pun\">-<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">=&lt;<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This is similar to the --add-interface option, but moves the interface into the new zone even if it was in another zone before.<\/p>\n<ul>\n<li>Remove an interface from a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">=&lt;<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<ul>\n<li>Query if an interface is in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span 
class=\"pun\">-<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">=&lt;<\/span><span class=\"kwd\">interface<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>Returns if the interface is in the zone. There is no output.<\/p>\n<ul>\n<li>List the enabled services in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">list<\/span><span class=\"pun\">-<\/span><span class=\"pln\">services<\/span><\/pre>\n<ul>\n<li>Enable panic mode to block all network traffic in case of emergency<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><code class=\" prettyprinted\"><span class=\"pun\">--<\/span><span class=\"pln\">enable<\/span><span class=\"pun\">-<\/span><span class=\"pln\">panic<\/span><\/code><\/pre>\n<ul>\n<li>Disable panic mode<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">disable<\/span><span class=\"pun\">-<\/span><span class=\"pln\">panic<\/span><\/pre>\n<ul>\n<li>Query panic mode<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">panic<\/span><\/pre>\n<p>This returns the state of the panic mode, there is no output. 
To get a visual state use<\/p>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">panic <\/span><span class=\"pun\">&amp;&amp;<\/span><span class=\"pln\"> echo <\/span><span class=\"str\">\"On\"<\/span> <span class=\"pun\">||<\/span><span class=\"pln\"> echo <\/span><span class=\"str\">\"Off\"<\/span><\/pre>\n<h4><span id=\"Runtime_zone_handling\" class=\"mw-headline\"> Runtime zone handling <\/span><\/h4>\n<p>In the runtime mode the changes to zones are not permanent. The changes will be gone after reload or restart.<\/p>\n<ul>\n<li>Enable a service in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">service<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">[--<\/span><span class=\"pln\">timeout<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">seconds<\/span><span class=\"pun\">&gt;]<\/span><\/pre>\n<p>This enables a service in a zone. If zone is not set, the default zone will be used. If timeout is set, the service will only be enabled for the amount of seconds in the zone. 
If the service is already active, there will be no warning message.<\/p>\n<ul>\n<li><b>Example:<\/b> Enable ipp-client service for 60 seconds in the home zone:<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=<\/span><span class=\"pln\">home <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=<\/span><span class=\"pln\">ipp<\/span><span class=\"pun\">-<\/span><span class=\"pln\">client <\/span><span class=\"pun\">--<\/span><span class=\"pln\">timeout<\/span><span class=\"pun\">=<\/span><span class=\"lit\">60<\/span><\/pre>\n<ul>\n<li><b>Example:<\/b> Enable the http service in the default zone:<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=<\/span><span class=\"pln\">http<\/span><\/pre>\n<ul>\n<li>Disable a service in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">service<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This disables a service in a zone. 
If zone is not set, the default zone will be used.<\/p>\n<ul>\n<li><b>Example:<\/b> Disable http service in the home zone:<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=<\/span><span class=\"pln\">home <\/span><span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=<\/span><span class=\"pln\">http<\/span><\/pre>\n<p>The service will be disabled in the zone. If the service is not enabled in the zone, there will be a warning message.<\/p>\n<ul>\n<li>Query if a service is enabled in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">service<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This returns 1 if the service is enabled in the zone, otherwise 0. 
There is no output.<\/p>\n<ul>\n<li>Enable a port and protocol combination in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]\/&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">[--<\/span><span class=\"pln\">timeout<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">seconds<\/span><span class=\"pun\">&gt;]<\/span><\/pre>\n<p>This enables a port and protocol combination. The port can be a single port &lt;port&gt; or a port range &lt;port&gt;-&lt;port&gt;. 
The protocol can be either <b>tcp<\/b> or <b>udp<\/b>.<\/p>\n<ul>\n<li>Disable a port and protocol combination in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]\/&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<ul>\n<li>Query if a port and protocol combination is enabled in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]\/&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This command returns if it is enabled, there is no output.<\/p>\n<h2>Masquerading<\/h2>\n<p>This is used to hide internal addresses behind a public IP or port.<\/p>\n<ul>\n<li>Enable masquerading in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span 
class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">masquerade<\/span><\/pre>\n<p>This enables masquerading for the zone. The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.<\/p>\n<ul>\n<li>Disable masquerading in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">masquerade<\/span><\/pre>\n<ul>\n<li>Query masquerading in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">masquerade<\/span><\/pre>\n<p>This command returns if it is enabled, there is no output.<\/p>\n<ul>\n<li>Enable ICMP blocks in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmp<\/span><span 
class=\"pun\">-<\/span><span class=\"pln\">block<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">icmptype<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This enables the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.<\/p>\n<ul>\n<li>Disable ICMP blocks in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmp<\/span><span class=\"pun\">-<\/span><span class=\"pln\">block<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">icmptype<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<ul>\n<li>Query ICMP blocks in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmp<\/span><span class=\"pun\">-<\/span><span class=\"pln\">block<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">icmptype<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This command returns if it is enabled, there is no output.<\/p>\n<ul>\n<li><b>Example:<\/b> Block echo-reply messages in the public zone:<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span 
class=\"pln\">zone<\/span><span class=\"pun\">=<\/span><span class=\"kwd\">public<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmp<\/span><span class=\"pun\">-<\/span><span class=\"pln\">block<\/span><span class=\"pun\">=<\/span><span class=\"pln\">echo<\/span><span class=\"pun\">-<\/span><span class=\"pln\">reply<\/span><\/pre>\n<ul>\n<li>Enable port forwarding or port mapping in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">forward<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">proto<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">{<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span 
class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">}<\/span><\/pre>\n<p>The port is either mapped to the same port on another host or to another port on the same host or to another port on another host. The port can be a single port &lt;port&gt; or a port range &lt;port&gt;-&lt;port&gt;. The protocol is either <b>tcp<\/b> or <b>udp<\/b>. toport is either a port &lt;port&gt; or a port range &lt;port&gt;-&lt;port&gt;. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.<\/p>\n<ul>\n<li>Disable port forwarding or port mapping in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">forward<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">proto<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">{<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">|<\/span><span 
class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">}<\/span><\/pre>\n<ul>\n<li>Query port forwarding or port mapping in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">forward<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">proto<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">{<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span 
class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">}<\/span><\/pre>\n<p>This command returns if it is enabled, there is no output.<\/p>\n<ul>\n<li><b>Example:<\/b> Forward ssh to host 127.0.0.2 in the home zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=<\/span><span class=\"pln\">home <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">forward<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"lit\">22<\/span><span class=\"pun\">:<\/span><span class=\"pln\">proto<\/span><span class=\"pun\">=<\/span><span class=\"pln\">tcp<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=<\/span><span class=\"lit\">127.0<\/span><span class=\"pun\">.<\/span><span class=\"lit\">0.2<\/span><\/pre>\n<h4><span id=\"Permanent_zone_handling\" class=\"mw-headline\"> Permanent zone handling <\/span><\/h4>\n<p>The permanent options do not affect the runtime directly. These options are only available after a reload or restart. To have both a runtime and a permanent setting, you need to supply both. 
The <b>--permanent<\/b> option needs to be the first option for all permanent calls.<\/p>\n<ul>\n<li>Get a list of supported permanent services<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">services<\/span><\/pre>\n<ul>\n<li>Get a list of supported permanent icmptypes<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmptypes<\/span><\/pre>\n<ul>\n<li>Get a list of supported permanent zones<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">zones<\/span><\/pre>\n<ul>\n<li>Enable a service in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">service<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This enables the service in the zone permanently. 
If the zone option is omitted, the default zone is used.<\/p>\n<ul>\n<li>Disable a service in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">service<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<ul>\n<li>Query if a service is enabled in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">service<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This command returns if it is enabled, there is no output.<\/p>\n<ul>\n<li><b>Example:<\/b> Enable service ipp-client permanently in the home zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=<\/span><span class=\"pln\">home <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">service<\/span><span 
class=\"pun\">=<\/span><span class=\"pln\">ipp<\/span><span class=\"pun\">-<\/span><span class=\"pln\">client<\/span><\/pre>\n<ul>\n<li>Enable a port and protocol combination permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]\/&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<ul>\n<li>Disable a port and protocol combination permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]\/&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<ul>\n<li>Query if a port and protocol combination is enabled permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span 
class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]\/&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This command's exit status indicates whether it is enabled; there is no output.<\/p>\n<ul>\n<li><b>Example:<\/b> Enable port 443\/tcp for https permanently in the home zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=<\/span><span class=\"pln\">home <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"lit\">443<\/span><span class=\"pun\">\/<\/span><span class=\"pln\">tcp<\/span><\/pre>\n<ul>\n<li>Enable masquerading permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">masquerade<\/span><\/pre>\n<p>This enables masquerading for the zone. 
The addresses of a private network are mapped to and hidden behind a public IP address. This is a form of address translation and mostly used in routers. Masquerading is IPv4 only because of kernel limitations.<\/p>\n<ul>\n<li>Disable masquerading permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">masquerade<\/span><\/pre>\n<ul>\n<li>Query masquerading permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">masquerade<\/span><\/pre>\n<p>This command's exit status indicates whether it is enabled; there is no output.<\/p>\n<ul>\n<li>Enable ICMP blocks permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmp<\/span><span class=\"pun\">-<\/span><span 
class=\"pln\">block<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">icmptype<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This enables the block of a selected Internet Control Message Protocol (ICMP) message. ICMP messages are either information requests or created as a reply to information requests or in error conditions.<\/p>\n<ul>\n<li>Disable ICMP blocks permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmp<\/span><span class=\"pun\">-<\/span><span class=\"pln\">block<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">icmptype<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<ul>\n<li>Query ICMP blocks permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmp<\/span><span class=\"pun\">-<\/span><span class=\"pln\">block<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">icmptype<\/span><span class=\"pun\">&gt;<\/span><\/pre>\n<p>This command's exit status indicates whether it is enabled; there is no output.<\/p>\n<ul>\n<li><b>Example:<\/b> Block echo-reply messages in the public zone:<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> 
firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=<\/span><span class=\"kwd\">public<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">icmp<\/span><span class=\"pun\">-<\/span><span class=\"pln\">block<\/span><span class=\"pun\">=<\/span><span class=\"pln\">echo<\/span><span class=\"pun\">-<\/span><span class=\"pln\">reply<\/span><\/pre>\n<ul>\n<li>Enable port forwarding or port mapping permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">forward<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">proto<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">{<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span 
class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">}<\/span><\/pre>\n<p>The port is either mapped to the same port on another host or to another port on the same host or to another port on another host. The port can be a single port &lt;port&gt; or a port range &lt;port&gt;-&lt;port&gt;. The protocol is either <b>tcp<\/b> or <b>udp<\/b>. toport is either a port &lt;port&gt; or a port range &lt;port&gt;-&lt;port&gt;. toaddr is an IPv4 address. Port forwarding is IPv4 only because of kernel limitations.<\/p>\n<ul>\n<li>Disable port forwarding or port mapping permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">forward<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">proto<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span> 
<span class=\"pun\">{<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">}<\/span><\/pre>\n<ul>\n<li>Query port forwarding or port mapping permanently in a zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">forward<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">proto<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">protocol<\/span><span class=\"pun\">&gt;<\/span> <span 
class=\"pun\">{<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">|<\/span><span class=\"pln\">\u00a0<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toport<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;[-&lt;<\/span><span class=\"pln\">port<\/span><span class=\"pun\">&gt;]:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=&lt;<\/span><span class=\"pln\">address<\/span><span class=\"pun\">&gt;<\/span> <span class=\"pun\">}<\/span><\/pre>\n<p>This command's exit status indicates whether it is enabled; there is no output.<\/p>\n<ul>\n<li><b>Example:<\/b> Forward ssh to host 127.0.0.2 in the home zone<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">permanent <\/span><span class=\"pun\">--<\/span><span class=\"pln\">zone<\/span><span class=\"pun\">=<\/span><span class=\"pln\">home <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">forward<\/span><span class=\"pun\">-<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"pln\">port<\/span><span class=\"pun\">=<\/span><span class=\"lit\">22<\/span><span class=\"pun\">:<\/span><span class=\"pln\">proto<\/span><span class=\"pun\">=<\/span><span class=\"pln\">tcp<\/span><span class=\"pun\">:<\/span><span class=\"pln\">toaddr<\/span><span class=\"pun\">=<\/span><span 
class=\"lit\">127.0<\/span><span class=\"pun\">.<\/span><span class=\"lit\">0.2<\/span><\/pre>\n<h4><span id=\"Direct_options\" class=\"mw-headline\"> Direct options <\/span><\/h4>\n<p>The direct options give more direct access to the firewall. These options require the user to know basic iptables concepts, i.e. table (filter\/mangle\/nat\/\u2026), chain (INPUT\/OUTPUT\/FORWARD\/\u2026), commands (-A\/-D\/-I\/\u2026), parameters (-p\/-s\/-d\/-j\/\u2026) and targets (ACCEPT\/DROP\/REJECT\/\u2026). Direct options should be used only as a last resort, when it is not possible to use, for example, --add-service=service or --add-rich-rule='rule'. The first argument of each option has to be <b>ipv4<\/b> or <b>ipv6<\/b> or <b>eb<\/b>. With <b>ipv4<\/b> it will be for IPv4 (iptables(8)), with <b>ipv6<\/b> for IPv6 (ip6tables(8)) and with <b>eb<\/b> for ethernet bridges (ebtables(8)).<\/p>\n<ul>\n<li>Pass a command through to the firewall. 
&lt;args&gt; can be all iptables, ip6tables and ebtables command line arguments<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"pln\">passthrough <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;args&gt;<\/span><\/pre>\n<ul>\n<li>Add a new chain &lt;chain&gt; to a table &lt;table&gt;.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">permanent<\/span><span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">chain <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;table&gt;<\/span> <span class=\"str\">&lt;chain&gt;<\/span><\/pre>\n<ul>\n<li>Remove a chain with name &lt;chain&gt; from table &lt;table&gt;.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">permanent<\/span><span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">chain <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 
<\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;table&gt;<\/span> <span class=\"str\">&lt;chain&gt;<\/span><\/pre>\n<ul>\n<li>Query if a chain with name &lt;chain&gt; exists in table &lt;table&gt;. Returns 0 if true, 1 otherwise.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">permanent<\/span><span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">chain <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;table&gt;<\/span> <span class=\"str\">&lt;chain&gt;<\/span><\/pre>\n<p>This command's exit status indicates whether it is enabled; there is no output.<\/p>\n<ul>\n<li>Get all chains added to table &lt;table&gt; as a space separated list.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">permanent<\/span><span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">chains <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;table&gt;<\/span><\/pre>\n<ul>\n<li>Add a rule with the arguments 
&lt;args&gt; to chain &lt;chain&gt; in table &lt;table&gt; with priority &lt;priority&gt;.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">permanent<\/span><span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"pln\">add<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rule <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;table&gt;<\/span> <span class=\"str\">&lt;chain&gt;<\/span> <span class=\"str\">&lt;priority&gt;<\/span> <span class=\"str\">&lt;args&gt;<\/span><\/pre>\n<ul>\n<li>Remove a rule with the arguments &lt;args&gt; from chain &lt;chain&gt; in table &lt;table&gt;.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">permanent<\/span><span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"pln\">remove<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rule <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;table&gt;<\/span> <span class=\"str\">&lt;chain&gt;<\/span> <span class=\"str\">&lt;args&gt;<\/span><\/pre>\n<ul>\n<li>Query if a rule with the arguments &lt;args&gt; exists in chain &lt;chain&gt; in table &lt;table&gt;. 
Returns 0 if true, 1 otherwise.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">permanent<\/span><span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"pln\">query<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rule <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;table&gt;<\/span> <span class=\"str\">&lt;chain&gt;<\/span> <span class=\"str\">&lt;args&gt;<\/span><\/pre>\n<p>This command's exit status indicates whether it is enabled; there is no output.<\/p>\n<ul>\n<li>Get all rules added to chain &lt;chain&gt; in table &lt;table&gt; as a newline separated list of arguments.<\/li>\n<\/ul>\n<pre class=\" prettyprinted\"><span class=\"pln\"> firewall<\/span><span class=\"pun\">-<\/span><span class=\"pln\">cmd <\/span><span class=\"pun\">[--<\/span><span class=\"pln\">permanent<\/span><span class=\"pun\">]<\/span> <span class=\"pun\">--<\/span><span class=\"pln\">direct <\/span><span class=\"pun\">--<\/span><span class=\"kwd\">get<\/span><span class=\"pun\">-<\/span><span class=\"pln\">rules <\/span><span class=\"pun\">{<\/span><span class=\"pln\"> ipv4 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> ipv6 <\/span><span class=\"pun\">|<\/span><span class=\"pln\"> eb <\/span><span class=\"pun\">}<\/span> <span class=\"str\">&lt;table&gt;<\/span> <span class=\"str\">&lt;chain&gt;<\/span><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>As of Centos7 the default firewall application has changed from iptables to firewalld. FirewallD provides dynamic filtering versus static ones in iptables. 
You can read more about the details of the included features on the Fedora project page here or on their official homepage here.<\/p>\n<p>This page will help me to unlearn iptables and remember [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7155"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7155"}],"version-history":[{"count":2,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7155\/revisions"}],"predecessor-version":[{"id":7157,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/7155\/revisions\/7157"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}