docs(firewall*-cmd): --set-target default is now similar to reject
The only difference is default implicitly allows ICMP.
erig0 committed Mar 3, 2021
1 parent 82f96c6 commit babd9f3
Showing 2 changed files with 2 additions and 50 deletions.
26 changes: 1 addition & 25 deletions doc/xml/firewall-cmd.xml.in
Expand Up @@ -535,31 +535,7 @@
For policies <replaceable>target</replaceable> is one of: <literal>CONTINUE</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
</para>
<para>
<literal>default</literal> is similar to <literal>REJECT</literal>, but has special meaning in the following scenarios:
<orderedlist>
<listitem><para>ICMP explicitly allowed</para>
<para>
At the end of the zone's ruleset ICMP packets are explicitly allowed.
</para>
</listitem>

<listitem><para>forwarded packets follow the <replaceable>target</replaceable> of the egress zone</para>
<para>
In the case of forwarded packets, if the ingress zone uses <literal>default</literal> then whether or not the packet will be allowed is determined by the egress zone.
</para>
<para>
For a forwarded packet that ingresses zoneA and egresses zoneB:
</para>
<itemizedlist>
<listitem>
<para>if zoneA's <replaceable>target</replaceable> is <literal>ACCEPT</literal>, <literal>DROP</literal>, or <literal>REJECT</literal> then the packet is accepted, dropped, or rejected respectively.</para>
</listitem>
<listitem>
<para>if zoneA's <replaceable>target</replaceable> is <literal>default</literal>, then the packet is accepted, dropped, or rejected based on zoneB's <replaceable>target</replaceable>. If zoneB's <replaceable>target</replaceable> is also <literal>default</literal>, then the packet will be rejected by firewalld's catchall reject.</para>
</listitem>
</itemizedlist>
</listitem>
</orderedlist>
<literal>default</literal> is similar to <literal>REJECT</literal>, but it implicitly allows ICMP packets.
</para>
</listitem>
</varlistentry>
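Review bot: the deleted orderedlist in this hunk also documented how forwarded packets are handled when the ingress zone's target is default (the packet follows the egress zone's target, and is caught by firewalld's catchall reject when both zones use default); the one-line replacement says nothing about forwarding, so a reader can no longer tell whether a forwarded packet entering a default-target zone is now rejected outright, as with REJECT, or still follows the egress zone. If the behaviour now matches REJECT for forwarded traffic, say so explicitly in the new sentence, e.g. "default is similar to REJECT, including for forwarded packets, but it implicitly allows ICMP packets." Also, the removed text stated that ICMP is allowed "at the end of the zone's ruleset", i.e. only after the zone's own rules have been evaluated; the replacement "implicitly allows ICMP packets" loses that ordering qualifier, which is worth keeping so the precedence of a zone's other rules over the implicit ICMP accept stays documented.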
26 changes: 1 addition & 25 deletions doc/xml/firewall-offline-cmd.xml
Expand Up @@ -627,31 +627,7 @@
For policies <replaceable>target</replaceable> is one of: <literal>CONTINUE</literal>, <literal>ACCEPT</literal>, <literal>DROP</literal>, <literal>REJECT</literal>
</para>
<para>
<literal>default</literal> is similar to <literal>REJECT</literal>, but has special meaning in the following scenarios:
<orderedlist>
<listitem><para>ICMP explicitly allowed</para>
<para>
At the end of the zone's ruleset ICMP packets are explicitly allowed.
</para>
</listitem>

<listitem><para>forwarded packets follow the <replaceable>target</replaceable> of the egress zone</para>
<para>
In the case of forwarded packets, if the ingress zone uses <literal>default</literal> then whether or not the packet will be allowed is determined by the egress zone.
</para>
<para>
For a forwarded packet that ingresses zoneA and egresses zoneB:
</para>
<itemizedlist>
<listitem>
<para>if zoneA's <replaceable>target</replaceable> is <literal>ACCEPT</literal>, <literal>DROP</literal>, or <literal>REJECT</literal> then the packet is accepted, dropped, or rejected respectively.</para>
</listitem>
<listitem>
<para>if zoneA's <replaceable>target</replaceable> is <literal>default</literal>, then the packet is accepted, dropped, or rejected based on zoneB's <replaceable>target</replaceable>. If zoneB's <replaceable>target</replaceable> is also <literal>default</literal>, then the packet will be rejected by firewalld's catchall reject.</para>
</listitem>
</itemizedlist>
</listitem>
</orderedlist>
<literal>default</literal> is similar to <literal>REJECT</literal>, but it implicitly allows ICMP packets.
</para>
</listitem>
</varlistentry>
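Review bot: this hunk is a verbatim copy of the change in doc/xml/firewall-cmd.xml.in, so the same gap applies here: the forwarded-packet semantics of the default target and the "at the end of the zone's ruleset" qualifier for the implicit ICMP accept are dropped without a replacement statement. Whatever wording is settled on for firewall-cmd.xml.in should be mirrored here so the two man pages keep describing --set-target identically.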