FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and the permanent
       configuration.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that changes can be made to the runtime
       configuration, to the permanent configuration, or to both.

OPTIONS
       Sequence options are options that can be specified multiple times; the
       exit code is 0 if there is at least one item that succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
       errors are treated as succeeded. If there are issues while parsing the
       items, these are treated as warnings and do not change the result as
       long as there is a succeeded item. Without any succeeded item, the exit
       code depends on the error codes: if there is exactly one error code,
       it is used; if there is more than one, UNKNOWN_ERROR (254) is used.
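
       The exit-code rule above, modelled as an added Python example (not
       firewalld's own code) so that a wrapper script can predict and explain
       the overall result of a multi-item call. The code values are the ones
       named in the text; "exactly one error code" is read as one distinct
       code, and treating an empty item list as UNKNOWN_ERROR is an
       assumption the text does not cover.

```python
"""Model of the exit-code rule firewall-cmd documents for sequence options.

Added example, not firewalld's own code. It reproduces the rule stated in the
OPTIONS section so a wrapper can interpret the result of a call such as
--add-service=ssh --add-service=https. Assumption: an empty item list (nothing
could be parsed) is reported as UNKNOWN_ERROR.
"""
from dataclasses import dataclass, field

# Exit codes named on the page.
SUCCESS = 0
ALREADY_ENABLED = 11
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254

# For a sequence option these error codes count as "succeeded".
TREATED_AS_SUCCESS = {SUCCESS, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET}

CODE_NAMES = {
    SUCCESS: "SUCCESS",
    ALREADY_ENABLED: "ALREADY_ENABLED",
    NOT_ENABLED: "NOT_ENABLED",
    ZONE_ALREADY_SET: "ZONE_ALREADY_SET",
    UNKNOWN_ERROR: "UNKNOWN_ERROR",
}


@dataclass
class SequenceResult:
    exit_code: int
    warnings: list = field(default_factory=list)

    @property
    def name(self):
        """Symbolic name of the exit code, or 'error N' for unnamed codes."""
        return CODE_NAMES.get(self.exit_code, f"error {self.exit_code}")


def sequence_exit_code(item_codes, parse_problems=()):
    """Combine per-item outcomes into the documented overall exit code.

    item_codes     -- exit code produced by each item that could be parsed
    parse_problems -- messages for items that failed to parse; these become
                      warnings and never change a successful result
    """
    warnings = [f"warning: {msg}" for msg in parse_problems]
    if any(code in TREATED_AS_SUCCESS for code in item_codes):
        # At least one item succeeded (0, 11, 12 and 16 all count).
        return SequenceResult(SUCCESS, warnings)
    distinct = set(item_codes)
    if len(distinct) == 1:
        # Exactly one (distinct) error code: it is reported as-is.
        return SequenceResult(distinct.pop(), warnings)
    # Several different error codes, or (assumption) none at all.
    return SequenceResult(UNKNOWN_ERROR, warnings)
```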

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code of 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, and NOT_RUNNING otherwise. See the
           section called “EXIT CODES”. This will also print the state to
           STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration,
           i.e. all runtime-only changes made before the reload are lost
           unless they were also made in the permanent configuration.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --complete-reload
           Reload the firewall completely, even the netfilter kernel modules.
           This will most likely terminate active connections, because state
           information is lost. This option should only be used in case of
           severe firewall problems, for example when connection state
           problems prevent any connection from being established even though
           the firewall rules are correct.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The intended workflow is to make runtime
           changes only while configuring firewalld and, once you are happy
           with the configuration and have tested that it works the way you
           want, to save the configuration to disk with this option.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also before the
           final reject and drop rules in zones for the configured link-layer
           packet type. The possible values are: all, unicast, broadcast,
           multicast and off. The default setting is off, which disables the
           logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Automatic Helpers Options
       --get-automatic-helpers
           Print the automatic helpers setting.

       --set-automatic-helpers=value
           For the secure use of iptables and connection tracking helpers it
           is recommended to turn AutomaticHelpers off. But this might have
           side effects on other services using the netfilter helpers, as the
           sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
           be changed. With the system setting, the default value set in the
           kernel or with sysctl will be used. Possible values are: yes, no
           and system. The default value is system.

           This is a runtime and permanent change and will also reload the
           firewall to be able to make the helpers usable.

   Permanent Options
       --permanent
           The --permanent option can be used to set options permanently.
           These changes are not effective immediately, only after a service
           restart/reload or a system reboot. Without the --permanent option,
           a change will only be part of the runtime configuration.

           If you want to make a change in both the runtime and the permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can optionally be added to all options
           further down where it is supported.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.

       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or report
           that it is bound to no zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or report that
           it is bound to no zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..

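       The block layout printed by --get-active-zones, --info-zone and
       --list-all-zones (a zone name at column 0, "key: value ..." lines
       indented below it, and multi-line keys such as forward-ports and rich
       rules listing one entry per deeper-indented line) can be turned into
       plain dictionaries with the following parser. It is an added example,
       not firewalld code; the sample listing is constructed, and the same
       layout is used by --info-service further down.

```python
"""Parse the zone listings firewall-cmd prints.

Added example, not part of firewalld. It reads the block format documented
for --get-active-zones, --info-zone and --list-all-zones into
{zone: {key: [values]}} and answers the audit question "which zone governs
this interface or source?". SAMPLE is a constructed listing.
"""
import textwrap

# Constructed sample in the --list-all-zones layout (documentation ranges).
SAMPLE = textwrap.dedent("""\
    public
      interfaces: eth0 eth1
      sources: 203.0.113.0/24
      services: ssh dhcpv6-client
      ports: 8080/tcp 5000-5100/udp
      protocols:
      forward-ports:
            port=80:proto=tcp:toport=8080:toaddr=192.0.2.10
      icmp-blocks: echo-request
      rich rules:
            rule family="ipv4" source address="198.51.100.7" reject
    internal
      sources: ipset:trusted-hosts
      services: ssh
""")


def parse_zone_listing(text):
    """Return {zone: {key: [values...]}} for one or more zone blocks."""
    zones = {}
    current_zone = None
    current_key = None
    key_indent = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 0:
            # A zone header line starts a new block.
            current_zone = line
            zones[current_zone] = {}
            current_key = None
            continue
        if current_zone is None:
            raise ValueError(f"value before any zone header: {line!r}")
        if key_indent is None:
            key_indent = indent  # first indented line fixes the key level
        if indent <= key_indent:
            # "key: v1 v2 ..." line; the value part may be empty, and keys
            # such as "rich rules" contain a space, so split at the first ':'.
            key, _, rest = line.partition(":")
            current_key = key.strip()
            zones[current_zone][current_key] = rest.split()
        else:
            # Deeper-indented line: one entry of a multi-line key.
            if current_key is None:
                raise ValueError(f"continuation without a key: {line!r}")
            zones[current_zone][current_key].append(line)
    return zones


def zones_bound_to(zones, name):
    """Zones whose interfaces or sources contain *name* (an interface name,
    an address[/mask], a MAC or an ipset:name entry), as (zone, kind)."""
    hits = []
    for zone, settings in zones.items():
        for kind in ("interfaces", "sources"):
            # A zone omits the line when nothing is bound, hence .get().
            if name in settings.get(kind, []):
                hits.append((zone, kind))
    return hits
```
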
       --permanent --new-zone=zone
           Add a new permanent and empty zone.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

       --permanent --zone=zone --set-description=description
           Set a new description for zone.

       --permanent --zone=zone --get-description
           Print the description of zone.

       --permanent --zone=zone --set-short=description
           Set a new short description for zone.

       --permanent --zone=zone --get-short
           Print the short description of zone.

       --permanent [--zone=zone] --get-target
           Get the target of a permanent zone.

       --permanent [--zone=zone] --set-target=target
           Set the target of a permanent zone.  target is one of: default,
           ACCEPT, DROP, REJECT.

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is omitted,
           default zone will be used.

       [--permanent] [--zone=zone] --list-services
           List services added for zone as a space separated list. If zone is
           omitted, default zone will be used.

       [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
           Add a service for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards.  timeval is either a
           number (of seconds) or a number followed by one of the characters
           s (seconds), m (minutes), h (hours), for example 20m or 1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-service=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, default zone will be used.

       [--permanent] [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is omitted,
           default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-ports
           List ports added for zone as a space separated list. A port is of
           the form portid[-portid]/protocol, i.e. either a port and protocol
           pair or a port range with a protocol. If zone is omitted, default
           zone will be used.

       [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the port for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards.  timeval is either a
           number (of seconds) or a number followed by one of the characters
           s (seconds), m (minutes), h (hours), for example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-protocols
           List protocols added for zone as a space separated list. If zone is
           omitted, default zone will be used.

       [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
           Add the protocol for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards.  timeval is either a
           number (of seconds) or a number followed by one of the characters
           s (seconds), m (minutes), h (hours), for example 20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-source-ports
           List source ports added for zone as a space separated list. A port
           is of the form portid[-portid]/protocol. If zone is omitted,
           default zone will be used.

       [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the source port for zone. If zone is omitted, default zone will
           be used. This option can be specified multiple times. If a timeout
           is supplied, the rule will be active for the specified amount of
           time and will be removed automatically afterwards.  timeval is
           either a number (of seconds) or a number followed by one of the
           characters s (seconds), m (minutes), h (hours), for example 20m or
           1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added for
           zone as a space separated list. If zone is omitted, default zone
           will be used.

       [--permanent] [--zone=zone] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype for zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards.  timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the ICMP types firewalld supports. To get a
           list of the supported ICMP types, use firewall-cmd --get-icmptypes.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times.

       [--permanent] [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for zone.
           If zone is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-forward-ports
           List IPv4 forward ports added for zone as a space separated list.
           If zone is omitted, default zone will be used.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port for zone. If zone is omitted, default
           zone will be used. This option can be specified multiple times. If
           a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.
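
       The argument forms documented above for --add-port and
       --add-source-port (portid[-portid]/protocol), for --timeout (timeval)
       and for --add-forward-port are checked by the following added Python
       example, which is not firewalld's own parser. Beyond the text it
       assumes a 1-65535 port range and validates toaddr with the standard
       ipaddress module; the field names come from the syntax line above.

```python
"""Check the argument forms documented for --add-port, --timeout and
--add-forward-port before a script hands them to firewall-cmd.

Added example, not firewalld's own parser. Assumptions beyond the text: port
numbers are limited to 1-65535, and toaddr is validated with ipaddress.
"""
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}          # listed in the text
FORWARD_FIELDS = ("port", "proto", "toport", "toaddr")
TIMEVAL_RE = re.compile(r"^(\d+)([smh]?)$")        # number[s|m|h]
UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}


def parse_port_range(spec):
    """'portid' or 'portid-portid' -> (low, high)."""
    low, sep, high = spec.partition("-")
    if not low.isdigit() or (sep and not high.isdigit()):
        raise ValueError(f"bad port range {spec!r}")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 1 <= lo <= hi <= 65535:   # assumption: usual port number range
        raise ValueError(f"port range {spec!r} is reversed or out of range")
    return lo, hi


def parse_port(spec):
    """'portid[-portid]/protocol' -> (low, high, protocol)."""
    ports, sep, proto = spec.partition("/")
    if not sep or proto not in PROTOCOLS:
        raise ValueError(f"{spec!r}: protocol must be tcp, udp, sctp or dccp")
    lo, hi = parse_port_range(ports)
    return lo, hi, proto


def timeval_seconds(timeval):
    """'90', '20m' or '1h' -> seconds, the forms --timeout accepts."""
    match = TIMEVAL_RE.match(timeval)
    if not match:
        raise ValueError(f"bad timeval {timeval!r}: number, optionally with s, m or h")
    return int(match.group(1)) * UNIT_SECONDS[match.group(2)]


def parse_forward_port(spec):
    """'port=P[-P]:proto=X[:toport=P[-P]][:toaddr=A[/mask]]' -> dict.

    The result also carries 'ip_forwarding', which the text says is
    implicitly enabled whenever toaddr is given.
    """
    fields = {}
    for part in spec.split(":"):
        key, sep, value = part.partition("=")
        if not sep or key not in FORWARD_FIELDS or key in fields:
            raise ValueError(f"bad or repeated field {part!r} in {spec!r}")
        fields[key] = value
    if "port" not in fields or "proto" not in fields:
        raise ValueError(f"{spec!r}: port= and proto= are required")
    if fields["proto"] not in PROTOCOLS:
        raise ValueError(f"{spec!r}: unsupported protocol {fields['proto']!r}")
    result = {"port": parse_port_range(fields["port"]), "proto": fields["proto"]}
    if "toport" in fields:
        result["toport"] = parse_port_range(fields["toport"])
    if "toaddr" in fields:
        # The option is IPv4-only; an IPv6 destination needs a rich rule.
        # Splitting on ':' above already rejects a bare IPv6 literal here.
        addr = ipaddress.ip_interface(fields["toaddr"])
        if addr.version != 4:
            raise ValueError(f"{spec!r}: toaddr must be IPv4; use a rich rule for IPv6")
        result["toaddr"] = fields["toaddr"]
    result["ip_forwarding"] = "toaddr" in fields
    return result


def is_valid_forward_port(spec):
    """True when parse_forward_port() accepts spec, False otherwise."""
    try:
        parse_forward_port(spec)
    except ValueError:
        return False
    return True
```
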
421
422       [--permanent] [--zone=zone]
423       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
424           Remove the IPv4 forward port from zone. If zone is omitted, default
425           zone will be used. This option can be specified multiple times.
426
427           For IPv6 forward ports, please use the rich language.
428
429       [--permanent] [--zone=zone]
430       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
431           Return whether the IPv4 forward port has been added for zone. If
432           zone is omitted, default zone will be used. Returns 0 if true, 1
433           otherwise.
434
435           For IPv6 forward ports, please use the rich language.
436
437       [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
438           Enable IPv4 masquerade for zone. If zone is omitted, default zone
439           will be used. If a timeout is supplied, masquerading will be active
440           for the specified amount of time.  timeval is either a number (of
441           seconds) or number followed by one of characters s (seconds), m
442           (minutes), h (hours), for example 20m or 1h. Masquerading is useful
443           if the machine is a router and machines connected over an interface
444           in another zone should be able to use the first connection.
445
446           The --timeout option is not combinable with the --permanent option.
447
448           For IPv6 masquerading, please use the rich language.
449
450           Note: IP forwarding will be implicitly enabled.
451
452       [--permanent] [--zone=zone] --remove-masquerade
453           Disable IPv4 masquerade for zone. If zone is omitted, default zone
454           will be used. If the masquerading was enabled with a timeout, it
455           will be disabled also.
456
457           For IPv6 masquerading, please use the rich language.
458
459       [--permanent] [--zone=zone] --query-masquerade
460           Return whether IPv4 masquerading has been enabled for zone. If zone
461           is omitted, default zone will be used. Returns 0 if true, 1
462           otherwise.
463
464           For IPv6 masquerading, please use the rich language.
465
466       [--permanent] [--zone=zone] --list-rich-rules
467           List rich language rules added for zone as a newline separated
468           list. If zone is omitted, default zone will be used.
469
470       [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
471           Add rich language rule 'rule' for zone. This option can be
472           specified multiple times. If zone is omitted, default zone will be
473           used. If a timeout is supplied, the rule will be active for the
474           specified amount of time and will be removed automatically
475           afterwards.  timeval is either a number (of seconds) or number
476           followed by one of characters s (seconds), m (minutes), h (hours),
477           for example 20m or 1h.
478
479           For the rich language rule syntax, please have a look at
480           firewalld.richlanguage(5).
481
482           The --timeout option is not combinable with the --permanent option.
483
484       [--permanent] [--zone=zone] --remove-rich-rule='rule'
485           Remove rich language rule 'rule' from zone. This option can be
486           specified multiple times. If zone is omitted, default zone will be
487           used.
488
489           For the rich language rule syntax, please have a look at
490           firewalld.richlanguage(5).
491
492       [--permanent] [--zone=zone] --query-rich-rule='rule'
493           Return whether a rich language rule 'rule' has been added for zone.
494           If zone is omitted, default zone will be used. Returns 0 if true, 1
495           otherwise.
496
497           For the rich language rule syntax, please have a look at
498           firewalld.richlanguage(5).
499
500   Options to Handle Bindings of Interfaces
501       Binding an interface to a zone means that this zone settings are used
502       to restrict traffic via the interface.
503
504       Options in this section affect only one particular zone. If used with
505       --zone=zone option, they affect the zone zone. If the option is
506       omitted, they affect default zone (see --get-default-zone).
507
508       For a list of predefined zones use firewall-cmd --get-zones.
509
510       An interface name is a string up to 16 characters long, that may not
511       contain ' ', '/', '!' and '*'.
512
513       [--permanent] [--zone=zone] --list-interfaces
514           List interfaces that are bound to zone zone as a space separated
515           list. If zone is omitted, default zone will be used.
516
517       [--permanent] [--zone=zone] --add-interface=interface
518           Bind interface interface to zone zone. If zone is omitted, default
519           zone will be used.
520
521           If the interface is under control of NetworkManager, it is at first
522           connected to change the zone for the connection that is using the
523           interface. If this fails, the zone binding is created in firewalld
524           and the limitations below apply. For interfaces that are not under
525           control of NetworkManager, firewalld tries to change the ZONE
526           setting in the ifcfg file, if the file exists.
527
528           As a end user you don't need this in most cases, because
529           NetworkManager (or legacy network service) adds interfaces into
530           zones automatically (according to ZONE= option from ifcfg-interface
531           file) if NM_CONTROLLED=no is not set. You should do it only if
532           there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
533           there is such file and you add interface to zone with this
534           --add-interface option, make sure the zone is the same in both
535           cases, otherwise the behaviour would be undefined. Please also have
536           a look at the firewalld(1) man page in the Concepts section. For
537           permanent association of interface with a zone, see also 'How to
538           set or change a zone for a connection?' in firewalld.zones(5).
539
540       [--permanent] [--zone=zone] --change-interface=interface
541           If the interface is under control of NetworkManager, it is at first
542           connected to change the zone for the connection that is using the
543           interface. If this fails, the zone binding is created in firewalld
544           and the limitations below apply. For interfaces that are not under
545           control of NetworkManager, firewalld tries to change the ZONE
546           setting in the ifcfg file, if the file exists.
547
548           Change zone the interface interface is bound to to zone zone. It's
549           basically --remove-interface followed by --add-interface. If the
550           interface has not been bound to a zone before, it behaves like
551           --add-interface. If zone is omitted, default zone will be used.
552
553       [--permanent] [--zone=zone] --query-interface=interface
554           Query whether interface interface is bound to zone zone. Returns 0
555           if true, 1 otherwise.
556
557       [--permanent] --remove-interface=interface
558           If the interface is under control of NetworkManager, it is at first
559           connected to change the zone for the connection that is using the
560           interface. If this fails, the zone binding is created in firewalld
561           and the limitations below apply.
562
563           For the addion or change of interfaces that are not under control
564           of NetworkManager: firewalld tries to change the ZONE setting in
565           the ifcfg file, if an ifcfg file exists that is using the
566           interface.
567
568           Only for the removal of interfaces that are not under control of
569           NetworkManager: firewalld is not trying to change the ZONE setting
570           in the ifcfg file. This is needed to make sure that an ifdown of
571           the interface will not result in a reset of the zone setting to the
572           default zone. Only the zone binding is then removed in firewalld
573           then.
574
575           Remove binding of interface interface from zone it was previously
576           added to.
577
578   Options to Handle Bindings of Sources
579       Binding a source to a zone means that this zone settings will be used
580       to restrict traffic from this source.
581
582       A source address or address range is either an IP address or a network
583       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
584       with the ipset: prefix. For IPv4, the mask can be a network mask or a
585       plain number. For IPv6 the mask is a plain number. The use of host
586       names is not supported.
587
588       Options in this section affect only one particular zone. If used with
589       --zone=zone option, they affect the zone zone. If the option is
590       omitted, they affect default zone (see --get-default-zone).
591
592       For a list of predefined zones use firewall-cmd [--permanent]
593       --get-zones.
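
       The source forms listed above (IPv4 with a dotted network mask or a
       prefix length, IPv6 with a prefix length only, a MAC address, or an
       ipset: reference, and no host names) can be checked before calling
       firewall-cmd with the following added Python example, which is not
       firewalld's own validation. The character set allowed in an ipset name
       is an assumption; the text only fixes the ipset: prefix.

```python
"""Classify the source argument accepted by the --add-source family.

Added example, not firewalld's own validation. It applies the rules stated in
the section above and tells a script which form a string is, so bad input is
rejected locally. Assumption: ipset names are letters, digits, '_', '.', '-'.
"""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
IPSET_RE = re.compile(r"^ipset:[A-Za-z0-9_.-]+$")   # name charset: assumption


def classify_source(source):
    """Return 'ipv4', 'ipv6', 'mac' or 'ipset'; raise ValueError otherwise."""
    if source.startswith("ipset:"):
        if not IPSET_RE.match(source):
            raise ValueError(f"bad ipset reference {source!r}")
        return "ipset"
    if MAC_RE.match(source):
        return "mac"
    addr, sep, mask = source.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Host names (and anything else that is not an address) are rejected.
        raise ValueError(f"{source!r} is not an IP address, MAC or ipset:") from None
    if not sep:
        return f"ipv{ip.version}"
    if mask.isdigit():
        # A plain number is a prefix length, allowed for both families.
        if not 0 <= int(mask) <= ip.max_prefixlen:
            raise ValueError(f"prefix length {mask} out of range in {source!r}")
        return f"ipv{ip.version}"
    if ip.version == 4:
        # IPv4 additionally accepts a dotted network mask; ipaddress checks
        # that it is contiguous (255.0.255.0 is refused).
        try:
            ipaddress.IPv4Network(source, strict=False)
        except ValueError:
            raise ValueError(f"bad IPv4 network mask in {source!r}") from None
        return "ipv4"
    raise ValueError(f"IPv6 mask must be a plain prefix length: {source!r}")


def is_valid_source(source):
    """True when classify_source() accepts the string, False otherwise."""
    try:
        classify_source(source)
    except ValueError:
        return False
    return True
```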
594
595       [--permanent] [--zone=zone] --list-sources
596           List sources that are bound to zone zone as a space separated list.
597           If zone is omitted, default zone will be used.
598
599       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
600           Bind the source to zone zone. If zone is omitted, default zone will
601           be used.
602
603       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
604           Change zone the source is bound to to zone zone. It's basically
605           --remove-source followed by --add-source. If the source has not
606           been bound to a zone before, it behaves like --add-source. If zone
607           is omitted, default zone will be used.
608
609       [--permanent] [--zone=zone]
610       --query-source=source[/mask]|MAC|ipset:ipset
611           Query whether the source is bound to the zone zone. Returns 0 if
612           true, 1 otherwise.
613
       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove binding of the source from the zone it was previously added
           to.

   IPSet Options
       --get-ipset-types
           Print the supported ipset types.

       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
       [--option=key[=value]]
           Add a new permanent and empty ipset, specifying the type and
           optionally the family and options such as timeout, hashsize and
           maxelem. For more information please have a look at the ipset(8)
           man page.

       --permanent --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --permanent --delete-ipset=ipset
           Delete an existing permanent ipset.

       --permanent --load-ipset-defaults=ipset
           Load ipset default settings or report NO_DEFAULTS error.

       [--permanent] --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       [--permanent] --get-ipsets
           Print predefined ipsets as a space separated list.

       --permanent --ipset=ipset --set-description=description
           Set a new description for the ipset.

       --permanent --ipset=ipset --get-description
           Print the description of the ipset.

       --permanent --ipset=ipset --set-short=description
           Set a short description for the ipset.

       --permanent --ipset=ipset --get-short
           Print the short description of the ipset.

       [--permanent] --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

           Adding an entry to an ipset with option timeout is permitted, but
           these entries are not tracked by firewalld.

       [--permanent] --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       [--permanent] --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if
           true, 1 otherwise.

           Querying an ipset with a timeout will yield an error. Entries are
           not tracked for ipsets with a timeout.

       [--permanent] --ipset=ipset --get-entries
           List all entries of the ipset.

       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For every entry that
           is listed in the file but already in the ipset, a warning will be
           printed.

           The file should contain one entry per line. Lines starting with a
           hash or a semicolon are ignored, as are empty lines.

       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove the entries listed in the file from the ipset. For every
           entry that is listed in the file but not in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or a semicolon are ignored, as are empty lines.
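       As an added example (not part of this man page or of firewalld), the
       POSIX shell helper below reads an entries file by the rules the two
       --*-entries-from-file options describe and precomputes the warnings
       firewalld would print. It assumes the ipset's current entries are
       available one per line, as --get-entries prints them, and it strips
       trailing whitespace from each line, which the page does not mention.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page: parse an ipset entries
# file per the documented rules and pre-compute the warnings that
# --add-entries-from-file / --remove-entries-from-file would print.

# Print the usable entries of an entries file, one per line: empty lines and
# lines starting with '#' or ';' are dropped, as the man page states.
# Assumption beyond the page: trailing whitespace is stripped from each line.
ipset_file_entries() {
    sed -e 's/[[:space:]]*$//' -e '/^$/d' -e '/^[#;]/d' "$1"
}

# $1: entries file, $2: file with the ipset's current entries, one per line
# (as 'firewall-cmd --ipset=NAME --get-entries' prints them).
# Prints the file entries that are ALREADY in the ipset: for these,
# --add-entries-from-file prints a warning instead of adding them.
ipset_file_already_present() {
    [ -s "$2" ] || return 0          # empty ipset: nothing can be present yet
    ipset_file_entries "$1" | grep -Fx -f "$2" || true
}

# Prints the file entries that are NOT in the ipset: for these,
# --remove-entries-from-file prints a warning, as there is nothing to remove.
ipset_file_not_present() {
    if [ -s "$2" ]; then
        ipset_file_entries "$1" | grep -Fxv -f "$2" || true
    else
        ipset_file_entries "$1"      # empty ipset: every file entry is missing
    fi
}

# Report the expected warnings, then run the real command unless DRY_RUN is set.
# $1: add|remove, $2: ipset name, $3: entries file, $4: current-entries file.
# PERMANENT, when non-empty, adds --permanent (hypothetical switch of this helper).
ipset_entries_from_file() {
    case $1 in
        add)    ipset_file_already_present "$3" "$4" |
                    sed 's/^/warning: already in set: /' ;;
        remove) ipset_file_not_present "$3" "$4" |
                    sed 's/^/warning: not in set: /' ;;
        *)      echo "usage: ipset_entries_from_file add|remove SET FILE CURRENT" >&2
                return 2 ;;
    esac
    [ -n "${DRY_RUN-}" ] && return 0
    firewall-cmd ${PERMANENT:+--permanent} --ipset="$2" --"$1"-entries-from-file="$3"
}

# Constructed sample input (not real data): an entries file using both comment
# styles and a blank line, plus the set's current contents.
SAMPLE_ENTRIES=$(mktemp)
SAMPLE_CURRENT=$(mktemp)
cat > "$SAMPLE_ENTRIES" <<'EOF'
# constructed: hosts to block
10.0.0.5
; semicolon comments are ignored too

192.0.2.10
198.51.100.0/24
EOF
printf '10.0.0.5\n10.0.0.6\n' > "$SAMPLE_CURRENT"

DRY_RUN=1   # demo: report only, do not call firewall-cmd
ipset_entries_from_file add blocklist "$SAMPLE_ENTRIES" "$SAMPLE_CURRENT"
```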

       --permanent --path-ipset=ipset
           Print the path of the ipset configuration file.

   Service Options
       Options in this section affect only one particular service.

       [--permanent] --info-service=service
           Print information about the service service. The output format is:

               service
                 ports: port1 ..
                 protocols: protocol1 ..
                 source-ports: source-port1 ..
                 modules: module1 ..
                 destination: ipv1:address1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-service=service
           Add a new permanent and empty service.

       --permanent --new-service-from-file=filename [--name=service]
           Add a new permanent service from a prepared service file with an
           optional name override.

       --permanent --delete-service=service
           Delete an existing permanent service.

       --permanent --load-service-defaults=service
           Load service default settings or report NO_DEFAULTS error.

       --permanent --path-service=service
           Print the path of the service configuration file.

       --permanent --service=service --set-description=description
           Set a new description for the service.

       --permanent --service=service --get-description
           Print the description of the service.

       --permanent --service=service --set-short=description
           Set a short description for the service.

       --permanent --service=service --get-short
           Print the short description of the service.

       --permanent --service=service --add-port=portid[-portid]/protocol
           Add a new port to the permanent service.

       --permanent --service=service --remove-port=portid[-portid]/protocol
           Remove a port from the permanent service.

       --permanent --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.

       --permanent --service=service --get-ports
           List ports added to the permanent service.

       --permanent --service=service --add-protocol=protocol
           Add a new protocol to the permanent service.

       --permanent --service=service --remove-protocol=protocol
           Remove a protocol from the permanent service.

       --permanent --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent service.

       --permanent --service=service --get-protocols
           List protocols added to the permanent service.

       --permanent --service=service
       --add-source-port=portid[-portid]/protocol
           Add a new source port to the permanent service.

       --permanent --service=service
       --remove-source-port=portid[-portid]/protocol
           Remove a source port from the permanent service.

       --permanent --service=service
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.

       --permanent --service=service --get-source-ports
           List source ports added to the permanent service.

       --permanent --service=service --add-module=module
           Add a new module to the permanent service.

       --permanent --service=service --remove-module=module
           Remove a module from the permanent service.

       --permanent --service=service --query-module=module
           Return whether the module has been added to the permanent service.

       --permanent --service=service --get-modules
           List modules added to the permanent service.

       --permanent --service=service --set-destination=ipv:address[/mask]
           Set destination for ipv to address[/mask] in the permanent service.

       --permanent --service=service --remove-destination=ipv
           Remove the destination for ipv from the permanent service.

       --permanent --service=service --query-destination=ipv:address[/mask]
           Return whether the destination ipv to address[/mask] has been set in
           the permanent service.

       --permanent --service=service --get-destinations
           List destinations added to the permanent service.

       --permanent --service=service --add-include=service
           Add a new include to the permanent service.

       --permanent --service=service --remove-include=service
           Remove an include from the permanent service.

       --permanent --service=service --query-include=service
           Return whether the include has been added to the permanent service.

       --permanent --service=service --get-includes
           List includes added to the permanent service.

   Helper Options
       Options in this section affect only one particular helper.

       [--permanent] --info-helper=helper
           Print information about the helper helper. The output format is:

               helper
                 family: family
                 module: module
                 ports: port1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-helper=helper --module=nf_conntrack_module
       [--family=ipv4|ipv6]
           Add a new permanent helper with module and optionally family
           defined.

       --permanent --new-helper-from-file=filename [--name=helper]
           Add a new permanent helper from a prepared helper file with an
           optional name override.

       --permanent --delete-helper=helper
           Delete an existing permanent helper.

       --permanent --load-helper-defaults=helper
           Load helper default settings or report NO_DEFAULTS error.

       --permanent --path-helper=helper
           Print the path of the helper configuration file.

       [--permanent] --get-helpers
           Print predefined helpers as a space separated list.

       --permanent --helper=helper --set-description=description
           Set a new description for the helper.

       --permanent --helper=helper --get-description
           Print the description of the helper.

       --permanent --helper=helper --set-short=description
           Set a short description for the helper.

       --permanent --helper=helper --get-short
           Print the short description of the helper.

       --permanent --helper=helper --add-port=portid[-portid]/protocol
           Add a new port to the permanent helper.

       --permanent --helper=helper --remove-port=portid[-portid]/protocol
           Remove a port from the permanent helper.

       --permanent --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.

       --permanent --helper=helper --get-ports
           List ports added to the permanent helper.

       --permanent --helper=helper --set-module=description
           Set the module description for the helper.

       --permanent --helper=helper --get-module
           Print the module description for the helper.

       --permanent --helper=helper --set-family=description
           Set the family description for the helper.

       --permanent --helper=helper --get-family
           Print the family description of the helper.

   Internet Control Message Protocol (ICMP) type Options
       Options in this section affect only one particular icmptype.

       [--permanent] --info-icmptype=icmptype
           Print information about the icmptype icmptype. The output format
           is:

               icmptype
                 destination: ipv1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-icmptype=icmptype
           Add a new permanent and empty icmptype.

       --permanent --new-icmptype-from-file=filename [--name=icmptype]
           Add a new permanent icmptype from a prepared icmptype file with an
           optional name override.

       --permanent --delete-icmptype=icmptype
           Delete an existing permanent icmptype.

       --permanent --load-icmptype-defaults=icmptype
           Load icmptype default settings or report NO_DEFAULTS error.

       --permanent --icmptype=icmptype --set-description=description
           Set a new description for the icmptype.

       --permanent --icmptype=icmptype --get-description
           Print the description of the icmptype.

       --permanent --icmptype=icmptype --set-short=description
           Set a short description for the icmptype.

       --permanent --icmptype=icmptype --get-short
           Print the short description of the icmptype.

       --permanent --icmptype=icmptype --add-destination=ipv
           Enable destination for ipv in the permanent icmptype. ipv is one of
           ipv4 or ipv6.

       --permanent --icmptype=icmptype --remove-destination=ipv
           Disable destination for ipv in the permanent icmptype. ipv is one
           of ipv4 or ipv6.

       --permanent --icmptype=icmptype --query-destination=ipv
           Return whether destination for ipv is enabled in the permanent
           icmptype. ipv is one of ipv4 or ipv6.

       --permanent --icmptype=icmptype --get-destinations
           List destinations in the permanent icmptype.

       --permanent --path-icmptype=icmptype
           Print the path of the icmptype configuration file.

   Direct Options
       The direct options give more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. table
       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).

       Direct options should be used only as a last resort when it is not
       possible to use, for example, --add-service=service or
       --add-rich-rule='rule'.

       The first argument of each option has to be ipv4 or ipv6 or eb. With
       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

       [--permanent] --direct --get-all-chains
           Get all chains added to all tables. This option concerns only
           chains previously added with --direct --add-chain.

       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
           Get all chains added to table table as a space separated list. This
           option concerns only chains previously added with --direct
           --add-chain.

       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
           Add a new chain with name chain to table table. Make sure there is
           no other chain with this name already.

           There already exist basic chains to use with direct options, for
           example the INPUT_direct chain (see iptables-save | grep direct
           output for all of them). These chains are jumped into before the
           chains for zones, i.e. every rule put into INPUT_direct will be
           checked before the rules in zones.

       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
           Remove the chain with name chain from table table. Only chains
           previously added with --direct --add-chain can be removed this way.

       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
           Return whether a chain with name chain exists in table table.
           Returns 0 if true, 1 otherwise. This option concerns only chains
           previously added with --direct --add-chain.

       [--permanent] --direct --get-all-rules
           Get all rules added to all chains in all tables as a newline
           separated list of the priority and arguments. This option concerns
           only rules previously added with --direct --add-rule.

       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
           Get all rules added to chain chain in table table as a newline
           separated list of the priority and arguments. This option concerns
           only rules previously added with --direct --add-rule.

       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Add a rule with the arguments args to chain chain in table table
           with priority priority.

           The priority is used to order rules. Priority 0 means add the rule
           at the top of the chain; with a higher priority the rule will be
           added further down. Rules with the same priority are on the same
           level and the order of these rules is not fixed and may change. If
           you want to make sure that a rule will be added after another one,
           use a low priority for the first and a higher one for the
           following.

       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Remove a rule with priority and the arguments args from chain chain
           in table table. Only rules previously added with --direct
           --add-rule can be removed this way.

       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules from the chain with name chain in table table.
           This option concerns only rules previously added with --direct
           --add-rule in this chain.

       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Return whether a rule with priority and the arguments args exists
           in chain chain in table table. Returns 0 if true, 1 otherwise. This
           option concerns only rules previously added with --direct
           --add-rule.

       --direct --passthrough { ipv4 | ipv6 | eb } args
           Pass a command through to the firewall. args can be all iptables,
           ip6tables and ebtables command line arguments. This command is
           untracked, which means that firewalld is not able to provide
           information about this command later on, nor a listing of the
           untracked passthroughs.

       [--permanent] --direct --get-all-passthroughs
           Get all passthrough rules as a newline separated list of the ipv
           value and arguments.

       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
           Get all passthrough rules for the ipv value as a newline separated
           list of the priority and arguments.

       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
           Add a passthrough rule with the arguments args for the ipv value.

       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
           Remove a passthrough rule with the arguments args for the ipv
           value.

       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
           Return whether a passthrough rule with the arguments args exists
           for the ipv value. Returns 0 if true, 1 otherwise.

   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.

       The lockdown access check limits D-Bus methods that change firewall
       rules. Query, list and get methods are not limited.

       The lockdown feature is a very light version of user and application
       policies for firewalld and is turned off by default.

       --lockdown-on
           Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
           whitelist when you enable lockdown, you will not be able to disable
           it again with firewall-cmd; you would need to edit firewalld.conf.

           This is a runtime and permanent change.

       --lockdown-off
           Disable lockdown.

           This is a runtime and permanent change.

       --query-lockdown
           Query whether lockdown is enabled. Returns 0 if lockdown is
           enabled, 1 otherwise.

   Lockdown Whitelist Options
       The lockdown whitelist can contain commands, contexts, users and user
       ids.

       If a command entry on the whitelist ends with an asterisk '*', then all
       command lines starting with the command will match. If the '*' is not
       there, the absolute command including its arguments must match.

       The command path for user root and for other users is not always the
       same. Example: on Fedora, /bin/firewall-cmd is used as root, while
       /usr/bin/firewall-cmd is used as a normal user.

       The context is the security (SELinux) context of a running application
       or service. To get the context of a running application use ps -e
       --context.

       Warning: If the context is unconfined, then this will open access for
       more than the desired application.

       The lockdown whitelist entries are checked in the following order:
           1. context
           2. uid
           3. user
           4. command

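       As an added example (not from this man page or from firewalld), the
       POSIX shell model below reproduces the whitelist rules just described:
       the '*' prefix rule for command entries and the context, uid, user,
       command check order. The whitelist contents, the user name fwadmin and
       the backup-agent command line are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page or firewalld itself:
# a local model of the lockdown whitelist decision, so an administrator can
# check what a given requester would match before turning lockdown on.

# Return 0 if whitelist command entry $1 matches command line $2 per the man
# page: an entry ending in '*' matches every command line that starts with the
# text before the '*'; any other entry must equal the full command line,
# arguments included.
lockdown_command_matches() {
    case $1 in
        *\*) prefix=${1%\*}
             case $2 in
                 "$prefix"*) return 0 ;;
             esac
             return 1 ;;
        *)   [ "$1" = "$2" ] ;;
    esac
}

# Exact membership test of $1 in the newline-separated list $2.
_wl_has() {
    [ -n "$1" ] && printf '%s\n' "$2" | grep -qFx -- "$1"
}

# Decide a request: $1 SELinux context, $2 uid, $3 user name, $4 command line.
# Whitelist sets come from the WL_* variables below (constructed here; in a
# real setup fill them from 'firewall-cmd --list-lockdown-whitelist-*').
# Checks run in the page's order: context, uid, user, command. Prints the
# class that matched and returns 0, or prints "denied" and returns 1.
lockdown_check() {
    cmdline=$4
    if _wl_has "$1" "$WL_CONTEXTS"; then echo context; return 0; fi
    if _wl_has "$2" "$WL_UIDS";     then echo uid;     return 0; fi
    if _wl_has "$3" "$WL_USERS";    then echo user;    return 0; fi
    matched=$(printf '%s\n' "$WL_COMMANDS" | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        if lockdown_command_matches "$entry" "$cmdline"; then echo yes; break; fi
    done)
    if [ -n "$matched" ]; then echo command; return 0; fi
    echo denied
    return 1
}

# Constructed whitelist (sample data, not a recommended configuration).
# The '*' entry accepts every /usr/bin/firewall-cmd invocation whatever its
# arguments; the second entry accepts exactly one command line.
WL_COMMANDS='/usr/bin/firewall-cmd*
/usr/libexec/backup-agent --reload-firewall'
WL_CONTEXTS='system_u:system_r:NetworkManager_t:s0'
WL_UIDS='0'
WL_USERS='fwadmin'

# Demo: an unprivileged, unconfined requester is accepted only via its command.
lockdown_check 'unconfined_u:unconfined_r:unconfined_t:s0' 1000 bob \
    '/usr/bin/firewall-cmd --state'
```

       Note that the root path /bin/firewall-cmd from the page's Fedora example
       is not matched by the /usr/bin/firewall-cmd* entry, so a root invocation
       would be denied by this sample whitelist.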
       [--permanent] --list-lockdown-whitelist-commands
           List all command lines that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-command=command
           Add the command to the whitelist.

       [--permanent] --remove-lockdown-whitelist-command=command
           Remove the command from the whitelist.

       [--permanent] --query-lockdown-whitelist-command=command
           Query whether the command is on the whitelist. Returns 0 if true, 1
           otherwise.

       [--permanent] --list-lockdown-whitelist-contexts
           List all contexts that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-context=context
           Add the context context to the whitelist.

       [--permanent] --remove-lockdown-whitelist-context=context
           Remove the context from the whitelist.

       [--permanent] --query-lockdown-whitelist-context=context
           Query whether the context is on the whitelist. Returns 0 if true, 1
           otherwise.

       [--permanent] --list-lockdown-whitelist-uids
           List all user ids that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-uid=uid
           Add the user id uid to the whitelist.

       [--permanent] --remove-lockdown-whitelist-uid=uid
           Remove the user id uid from the whitelist.

       [--permanent] --query-lockdown-whitelist-uid=uid
           Query whether the user id uid is on the whitelist. Returns 0 if
           true, 1 otherwise.

       [--permanent] --list-lockdown-whitelist-users
           List all user names that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-user=user
           Add the user name user to the whitelist.

       [--permanent] --remove-lockdown-whitelist-user=user
           Remove the user name user from the whitelist.

       [--permanent] --query-lockdown-whitelist-user=user
           Query whether the user name user is on the whitelist. Returns 0 if
           true, 1 otherwise.

   Panic Options
       --panic-on
           Enable panic mode. All incoming and outgoing packets are dropped
           and active connections will expire. Enable this only if there are
           serious problems with your network environment, for example if the
           machine is being hacked into.

           This is a runtime only change.

       --panic-off
           Disable panic mode. After disabling panic mode, established
           connections might work again if panic mode was enabled for only a
           short period of time.

           This is a runtime only change.

       --query-panic
           Returns 0 if panic mode is enabled, 1 otherwise.

EXAMPLES
       For more examples see http://fedoraproject.org/wiki/FirewallD

   Example 1
       Enable the http service in the default zone. This is a runtime-only
       change, i.e. effective until restart.

           firewall-cmd --add-service=http

   Example 2
       Enable port 443/tcp immediately and permanently in the default zone. To
       make the change effective immediately and also after restart we need
       two commands. The first command makes the change in the runtime
       configuration, i.e. makes it effective immediately, until restart. The
       second command makes the change in the permanent configuration, i.e.
       makes it effective after restart.

           firewall-cmd --add-port=443/tcp
           firewall-cmd --permanent --add-port=443/tcp

EXIT CODES
       On success 0 is returned. On failure the output is colored red and the
       exit code is either 2 in case of wrong command-line option usage or one
       of the following error codes in other cases:

       ┌────────────────────┬──────┐
       │String              │ Code │
       ├────────────────────┼──────┤
       │ALREADY_ENABLED     │   11 │
       ├────────────────────┼──────┤
       │NOT_ENABLED         │   12 │
       ├────────────────────┼──────┤
       │COMMAND_FAILED      │   13 │
       ├────────────────────┼──────┤
       │NO_IPV6_NAT         │   14 │
       ├────────────────────┼──────┤
       │PANIC_MODE          │   15 │
       ├────────────────────┼──────┤
       │ZONE_ALREADY_SET    │   16 │
       ├────────────────────┼──────┤
       │UNKNOWN_INTERFACE   │   17 │
       ├────────────────────┼──────┤
       │ZONE_CONFLICT       │   18 │
       ├────────────────────┼──────┤
       │BUILTIN_CHAIN       │   19 │
       ├────────────────────┼──────┤
       │EBTABLES_NO_REJECT  │   20 │
       ├────────────────────┼──────┤
       │NOT_OVERLOADABLE    │   21 │
       ├────────────────────┼──────┤
       │NO_DEFAULTS         │   22 │
       ├────────────────────┼──────┤
       │BUILTIN_ZONE        │   23 │
       ├────────────────────┼──────┤
       │BUILTIN_SERVICE     │   24 │
       ├────────────────────┼──────┤
       │BUILTIN_ICMPTYPE    │   25 │
       ├────────────────────┼──────┤
       │NAME_CONFLICT       │   26 │
       ├────────────────────┼──────┤
       │NAME_MISMATCH       │   27 │
       ├────────────────────┼──────┤
       │PARSE_ERROR         │   28 │
       ├────────────────────┼──────┤
       │ACCESS_DENIED       │   29 │
       ├────────────────────┼──────┤
       │UNKNOWN_SOURCE      │   30 │
       ├────────────────────┼──────┤
       │RT_TO_PERM_FAILED   │   31 │
       ├────────────────────┼──────┤
       │IPSET_WITH_TIMEOUT  │   32 │
       ├────────────────────┼──────┤
       │BUILTIN_IPSET       │   33 │
       ├────────────────────┼──────┤
       │ALREADY_SET         │   34 │
       ├────────────────────┼──────┤
       │MISSING_IMPORT      │   35 │
       ├────────────────────┼──────┤
       │DBUS_ERROR          │   36 │
       ├────────────────────┼──────┤
       │BUILTIN_HELPER      │   37 │
       ├────────────────────┼──────┤
       │NOT_APPLIED         │   38 │
       ├────────────────────┼──────┤
       │INVALID_ACTION      │  100 │
       ├────────────────────┼──────┤
       │INVALID_SERVICE     │  101 │
       ├────────────────────┼──────┤
       │INVALID_PORT        │  102 │
       ├────────────────────┼──────┤
       │INVALID_PROTOCOL    │  103 │
       ├────────────────────┼──────┤
       │INVALID_INTERFACE   │  104 │
       ├────────────────────┼──────┤
       │INVALID_ADDR        │  105 │
       ├────────────────────┼──────┤
       │INVALID_FORWARD     │  106 │
       ├────────────────────┼──────┤
       │INVALID_ICMPTYPE    │  107 │
       ├────────────────────┼──────┤
       │INVALID_TABLE       │  108 │
       ├────────────────────┼──────┤
       │INVALID_CHAIN       │  109 │
       ├────────────────────┼──────┤
       │INVALID_TARGET      │  110 │
       ├────────────────────┼──────┤
       │INVALID_IPV         │  111 │
       ├────────────────────┼──────┤
       │INVALID_ZONE        │  112 │
       ├────────────────────┼──────┤
       │INVALID_PROPERTY    │  113 │
       ├────────────────────┼──────┤
       │INVALID_VALUE       │  114 │
       ├────────────────────┼──────┤
       │INVALID_OBJECT      │  115 │
       ├────────────────────┼──────┤
       │INVALID_NAME        │  116 │
       ├────────────────────┼──────┤
       │INVALID_FILENAME    │  117 │
       ├────────────────────┼──────┤
       │INVALID_DIRECTORY   │  118 │
       ├────────────────────┼──────┤
       │INVALID_TYPE        │  119 │
       ├────────────────────┼──────┤
       │INVALID_SETTING     │  120 │
       ├────────────────────┼──────┤
       │INVALID_DESTINATION │  121 │
       ├────────────────────┼──────┤
       │INVALID_RULE        │  122 │
       ├────────────────────┼──────┤
       │INVALID_LIMIT       │  123 │
       ├────────────────────┼──────┤
       │INVALID_FAMILY      │  124 │
       ├────────────────────┼──────┤
       │INVALID_LOG_LEVEL   │  125 │
       ├────────────────────┼──────┤
       │INVALID_AUDIT_TYPE  │  126 │
       ├────────────────────┼──────┤
       │INVALID_MARK        │  127 │
       ├────────────────────┼──────┤
       │INVALID_CONTEXT     │  128 │
       ├────────────────────┼──────┤
       │INVALID_COMMAND     │  129 │
       ├────────────────────┼──────┤
       │INVALID_USER        │  130 │
       ├────────────────────┼──────┤
       │INVALID_UID         │  131 │
       ├────────────────────┼──────┤
       │INVALID_MODULE      │  132 │
       ├────────────────────┼──────┤
       │INVALID_PASSTHROUGH │  133 │
       ├────────────────────┼──────┤
       │INVALID_MAC         │  134 │
       ├────────────────────┼──────┤
       │INVALID_IPSET       │  135 │
       ├────────────────────┼──────┤
       │INVALID_ENTRY       │  136 │
       ├────────────────────┼──────┤
       │INVALID_OPTION      │  137 │
       ├────────────────────┼──────┤
       │INVALID_HELPER      │  138 │
       ├────────────────────┼──────┤
       │INVALID_PRIORITY    │  139 │
       ├────────────────────┼──────┤
       │MISSING_TABLE       │  200 │
       ├────────────────────┼──────┤
       │MISSING_CHAIN       │  201 │
       ├────────────────────┼──────┤
       │MISSING_PORT        │  202 │
       ├────────────────────┼──────┤
       │MISSING_PROTOCOL    │  203 │
       ├────────────────────┼──────┤
       │MISSING_ADDR        │  204 │
       ├────────────────────┼──────┤
       │MISSING_NAME        │  205 │
       ├────────────────────┼──────┤
       │MISSING_SETTING     │  206 │
       ├────────────────────┼──────┤
       │MISSING_FAMILY      │  207 │
       ├────────────────────┼──────┤
       │RUNNING_BUT_FAILED  │  251 │
       ├────────────────────┼──────┤
       │NOT_RUNNING         │  252 │
       ├────────────────────┼──────┤
       │NOT_AUTHORIZED      │  253 │
       ├────────────────────┼──────┤
       │UNKNOWN_ERROR       │  254 │
       └────────────────────┴──────┘

       Note that the return codes of --query-* options are special: successful
       queries return 0, unsuccessful ones return 1, unless an error occurred,
       in which case the table above applies.

SEE ALSO
       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.ipset(5), firewalld.helper(5)

NOTES
       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS
       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer



firewalld 0.7.2                                                FIREWALL-CMD(1)