FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)


NAME

       firewall-cmd - firewalld command line client

SYNOPSIS

       firewall-cmd [OPTIONS...]

DESCRIPTION

       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configuration.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that a change can be applied to the runtime
       configuration, to the permanent configuration, or to both (see
       --permanent).

OPTIONS

       Sequence options are the options that can be specified multiple times.
       For them, the exit code is 0 if there is at least one item that
       succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also
       ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are
       issues while parsing the items, these are treated as warnings and do
       not change the result as long as there is a succeeded item. Without
       any succeeded item, the exit code depends on the error codes: if there
       is exactly one error code, that code is used; if there is more than
       one, UNKNOWN_ERROR (254) is used.
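       The following shell function is an added example, not part of the
       firewall-cmd man page or of firewalld: it models the exit-code rule
       described above, so that a script driving a sequence option can be
       checked against it. It takes the per-item result codes as arguments and
       returns the code firewall-cmd would exit with. Reading "more than one
       error code" as "more than one distinct error code" is an assumption of
       the example; the codes themselves are the ones listed above.

```shell
#!/bin/sh
# Added example (not from the firewall-cmd man page): a model of the exit-code
# rule for sequence options. Each argument is the result code one item
# produced. Codes come from the page: ALREADY_ENABLED=11, NOT_ENABLED=12,
# ZONE_ALREADY_SET=16 count as success; UNKNOWN_ERROR=254 is the fallback.
# Assumption: "more than one error code" means more than one distinct code.
sequence_exit_code() {
    succeeded=0
    distinct=""                      # space-separated list of distinct failing codes
    for code in "$@"; do
        case "$code" in
            0|11|12|16) succeeded=1 ;;
            *)
                case " $distinct " in
                    *" $code "*) ;;                  # already recorded
                    *) distinct="$distinct $code" ;;
                esac
                ;;
        esac
    done
    [ "$succeeded" -eq 1 ] && return 0
    set -- $distinct                 # word-split the recorded codes
    if [ "$#" -eq 1 ]; then
        return "$1"                  # exactly one error code: use it
    fi
    return 254                       # several (or, by assumption, none): UNKNOWN_ERROR
}
```

       A wrapper that adds several services in one call would therefore treat
       an exit status of 0 as "at least one item applied", not "every item
       applied", and has to query each item afterwards if it needs the latter.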

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration, i.e.
           all runtime-only changes made before the reload are lost unless
           they were also made in the permanent configuration.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --complete-reload
           Reload the firewall completely, even the netfilter kernel modules.
           This will most likely terminate active connections, because state
           information is lost. This option should only be used in case of
           severe firewall problems, for example when connection-state
           problems prevent any connection from being established even though
           the firewall rules are correct.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The intended workflow is to make only
           runtime changes while configuring firewalld and, once you are happy
           with the configuration and have tested that it works the way you
           want, to save the configuration to disk.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before the reject and drop rules in the
           INPUT, FORWARD and OUTPUT chains for the default rules, and also
           before the final reject and drop rules in zones, for the configured
           link-layer packet type. The possible values are: all, unicast,
           broadcast, multicast and off. The default setting is off, which
           disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Automatic Helpers Options
       --get-automatic-helpers
           Print the automatic helpers setting.

       --set-automatic-helpers=value
           For the secure use of iptables and connection tracking helpers it
           is recommended to turn AutomaticHelpers off. But this might have
           side effects on other services using the netfilter helpers, as the
           sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
           be changed. With the system setting, the default value set in the
           kernel or with sysctl will be used. Possible values are: yes, no
           and system. The default value is system.

           This is a runtime and permanent change and will also reload the
           firewall to be able to make the helpers usable.

   Permanent Options
       --permanent
           The --permanent option can be used to set options permanently.
           These changes are not effective immediately, only after a service
           restart/reload or a system reboot. Without the --permanent option,
           a change will only be part of the runtime configuration.

           If you want to make a change in both the runtime and the permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can be optionally added to all options
           further down where it is supported.
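       Added example, not from the man page or from firewalld itself: two
       shell wrappers around the change model described under --permanent and
       --runtime-to-permanent. The first issues the same call with and without
       --permanent; the second makes a runtime-only change, runs a
       caller-supplied check command, and only then saves the result with
       --runtime-to-permanent, otherwise discarding the runtime change with
       --reload. The FIREWALL_CMD variable and the function names are the
       example's own, so that the wrappers can be pointed at a recording stub
       for testing; FIREWALL_CMD defaults to firewall-cmd.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page. FIREWALL_CMD is an
# assumption of this example: it names the command (or a stub function) that
# receives the firewall-cmd arguments, and defaults to the real client.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Apply one change to the runtime configuration and then, with the same
# arguments, to the permanent configuration. The second call is skipped when
# the runtime call fails, so a rejected change is never written to disk.
# Usage: apply_runtime_and_permanent --zone=public --add-service=http
apply_runtime_and_permanent() {
    "$FIREWALL_CMD" "$@" && "$FIREWALL_CMD" --permanent "$@"
}

# Apply a runtime-only change, run a check command, and save the runtime
# configuration with --runtime-to-permanent only if the check passed. On a
# failed check the runtime change is discarded with --reload, which restores
# the permanent configuration (runtime-only changes are lost on reload).
# Usage: stage_then_save <check-command> <firewall-cmd arguments...>
stage_then_save() {
    check=$1; shift
    "$FIREWALL_CMD" "$@" || return 1
    if "$check"; then
        "$FIREWALL_CMD" --runtime-to-permanent
    else
        echo "check failed, discarding runtime change with --reload" >&2
        "$FIREWALL_CMD" --reload
        return 1
    fi
}
```

       Because the rollback relies on --reload, it does not undo runtime
       changes made through the direct interface (see the note under
       --reload), and it discards every other runtime-only change as well, not
       just the one that was staged.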

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.
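       Added example, not part of the man page: a shell parser for the
       --get-active-zones output layout documented above. It turns the
       indented listing into one "zone kind name" record per binding, so that
       the effective zone of an interface or source can be checked or diffed
       from a script. The sample output and the function names are
       constructed for the example; a live run would pipe the output of
       firewall-cmd --get-active-zones into the functions instead.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page. Constructed sample in the
# documented --get-active-zones layout (zone name unindented, then indented
# "interfaces:" and/or "sources:" lines).
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0 eth1
trusted
  sources: 10.0.0.0/8 ipset:admins
dmz
  interfaces: eth2
  sources: 192.0.2.0/24'

# Reads the --get-active-zones layout on stdin and prints one binding per
# line as "<zone> interface <name>" or "<zone> source <name>".
flatten_active_zones() {
    awk '
        /^[^ ]/ { zone = $1; next }          # an unindented line names the zone
        /^  interfaces: / { for (i = 2; i <= NF; i++) print zone, "interface", $i; next }
        /^  sources: /    { for (i = 2; i <= NF; i++) print zone, "source", $i; next }
    '
}

# Prints the zone the named interface is bound to, or "none" when it does not
# appear in any active zone. Reads the --get-active-zones layout on stdin.
zone_of_interface() {
    flatten_active_zones | awk -v want="$1" '
        $2 == "interface" && $3 == want { print $1; found = 1; exit }
        END { if (!found) print "none" }
    '
}
```

       An interface that shows up as "none" here is handled by the default
       zone (see --get-default-zone), which is worth checking explicitly when
       auditing which zone a newly added interface actually landed in.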

       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or no zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or no zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..

       --permanent --new-zone=zone
           Add a new permanent and empty zone.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

       --permanent --zone=zone --set-description=description
           Set a new description for zone.

       --permanent --zone=zone --get-description
           Print the description of zone.

       --permanent --zone=zone --set-short=description
           Set the short description for zone.

       --permanent --zone=zone --get-short
           Print the short description of zone.

       --permanent [--zone=zone] --get-target
           Get the target of a permanent zone.

       --permanent [--zone=zone] --set-target=target
           Set the target of a permanent zone. target is one of: default,
           ACCEPT, DROP, REJECT.

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is omitted,
           the default zone will be used.

       [--permanent] [--zone=zone] --list-services
           List services added for zone as a space separated list. If zone is
           omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
           Add a service for zone. If zone is omitted, the default zone will
           be used. This option can be specified multiple times. If a timeout
           is supplied, the rule will be active for the specified amount of
           time and will be removed automatically afterwards. timeval is
           either a number (of seconds) or a number followed by one of the
           characters s (seconds), m (minutes), h (hours), for example 20m or
           1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.
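       Added example, not from the man page or from firewalld: a shell helper
       that validates a timeval as described above (a plain number of seconds,
       or a number followed by s, m or h), converts it to seconds, and builds
       the argument list for a temporary addition while refusing the
       --timeout/--permanent combination the page rules out. The function
       names are the example's own. The same timeval rule applies to the
       --timeout forms of --add-port, --add-protocol, --add-source-port,
       --add-icmp-block, --add-forward-port, --add-masquerade and
       --add-rich-rule further down, so the helper serves those too.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page. Validates a --timeout
# value as documented (number, or number followed by s, m or h), prints it as
# a number of seconds, and returns 1 for anything the page does not list.
timeval_to_seconds() {
    case "$1" in
        ''|*[!0-9smh]*|*[smh]?*) return 1 ;;   # empty, foreign chars, or unit not last
    esac
    num=${1%[smh]}                             # strip one trailing unit letter
    unit=${1#"$num"}                           # whatever was stripped ('' if none)
    case "$num" in
        ''|*[!0-9]*) return 1 ;;               # unit without digits
    esac
    case "$unit" in
        ''|s) echo "$num" ;;
        m)    echo $((num * 60)) ;;
        h)    echo $((num * 3600)) ;;
    esac
}

# Builds the arguments for one temporary runtime addition, one per line, and
# refuses the documented invalid combination of --timeout with --permanent.
# Usage: temporary_rule_args <zone> <--add-... option> <timeval> [--permanent]
temporary_rule_args() {
    zone=$1; option=$2; timeval=$3; permanent=$4
    if [ "$permanent" = "--permanent" ]; then
        echo "error: --timeout is not combinable with --permanent" >&2
        return 1
    fi
    seconds=$(timeval_to_seconds "$timeval") || {
        echo "error: bad timeval '$timeval'" >&2
        return 1
    }
    # A plain number of seconds is itself a valid timeval, so the normalised
    # value can be passed straight to firewall-cmd.
    printf '%s\n' "--zone=$zone" "$option" "--timeout=$seconds"
}
```

       Rejecting the bad combination in the wrapper, before any call is made,
       keeps a script from silently producing a rule that is neither temporary
       nor saved.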

       [--permanent] [--zone=zone] --remove-service=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is omitted,
           the default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-ports
           List ports added for zone as a space separated list. A port is of
           the form portid[-portid]/protocol; it can be either a port and
           protocol pair or a port range with a protocol. If zone is omitted,
           the default zone will be used.

       [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the port for zone. If zone is omitted, the default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards. timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-protocols
           List protocols added for zone as a space separated list. If zone is
           omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
           Add the protocol for zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-source-ports
           List source ports added for zone as a space separated list. A port
           is of the form portid[-portid]/protocol. If zone is omitted, the
           default zone will be used.

       [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the source port for zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added for
           zone as a space separated list. If zone is omitted, the default
           zone will be used.

       [--permanent] [--zone=zone] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype for zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of the supported ICMP types: firewall-cmd --get-icmptypes

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           the default zone will be used. This option can be specified
           multiple times.

       [--permanent] [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for zone.
           If zone is omitted, the default zone will be used. Returns 0 if
           true, 1 otherwise.

       [--permanent] [--zone=zone] --list-forward-ports
           List IPv4 forward ports added for zone as a space separated list.
           If zone is omitted, the default zone will be used.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port for zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times. If
           a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port from zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added for zone. If
           zone is omitted, the default zone will be used. Returns 0 if true,
           1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
           Enable IPv4 masquerading for zone. If zone is omitted, the default
           zone will be used. If a timeout is supplied, masquerading will be
           active for the specified amount of time. timeval is either a number
           (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --remove-masquerade
           Disable IPv4 masquerading for zone. If zone is omitted, the default
           zone will be used. If masquerading was enabled with a timeout, it
           will be disabled as well.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --query-masquerade
           Return whether IPv4 masquerading has been enabled for zone. If zone
           is omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --list-rich-rules
           List rich language rules added for zone as a newline separated
           list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
           Add rich language rule 'rule' for zone. This option can be
           specified multiple times. If zone is omitted, the default zone will
           be used. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-rich-rule='rule'
           Remove rich language rule 'rule' from zone. This option can be
           specified multiple times. If zone is omitted, the default zone will
           be used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added for zone.
           If zone is omitted, the default zone will be used. Returns 0 if
           true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are used
       to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string of up to 16 characters that may not
       contain ' ', '/', '!' or '*'.

       [--permanent] [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, the
           default zone will be used.

           If the interface is under control of NetworkManager, NetworkManager
           is contacted first to change the zone for the connection that is
           using the interface. If this fails, the zone binding is created in
           firewalld and the limitations below apply. For interfaces that are
           not under control of NetworkManager, firewalld tries to change the
           ZONE setting in the ifcfg file, if the file exists.

           As an end user you don't need this in most cases, because
           NetworkManager (or the legacy network service) adds interfaces into
           zones automatically (according to the ZONE= option in the
           ifcfg-interface file) if NM_CONTROLLED=no is not set. You should do
           it only if there is no
           /etc/sysconfig/network-scripts/ifcfg-interface file. If there is
           such a file and you add the interface to a zone with this
           --add-interface option, make sure the zone is the same in both
           cases, otherwise the behaviour would be undefined. Please also have
           a look at the Concepts section of the firewalld(1) man page. For
           permanent association of an interface with a zone, see also 'How
           to set or change a zone for a connection?' in firewalld.zones(5).

       [--zone=zone] --change-interface=interface
           If the interface is under control of NetworkManager, NetworkManager
           is contacted first to change the zone for the connection that is
           using the interface. If this fails, the zone binding is created in
           firewalld and the limitations below apply. For interfaces that are
           not under control of NetworkManager, firewalld tries to change the
           ZONE setting in the ifcfg file, if the file exists.

           Change the zone that interface interface is bound to, to zone zone.
           It's basically --remove-interface followed by --add-interface. If
           the interface has not been bound to a zone before, it behaves like
           --add-interface. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--permanent] --remove-interface=interface
           If the interface is under control of NetworkManager, NetworkManager
           is contacted first to change the zone for the connection that is
           using the interface. If this fails, the zone binding is created in
           firewalld and the limitations below apply.

           For the addition or change of interfaces that are not under control
           of NetworkManager: firewalld tries to change the ZONE setting in
           the ifcfg file, if an ifcfg file exists that is using the
           interface.

           Only for the removal of interfaces that are not under control of
           NetworkManager: firewalld does not try to change the ZONE setting
           in the ifcfg file. This is needed to make sure that an ifdown of
           the interface will not result in a reset of the zone setting to the
           default zone. Only the zone binding is then removed in firewalld.

           Remove the binding of interface interface from the zone it was
           previously added to.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be used
       to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd [--permanent]
       --get-zones.

       [--permanent] [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated list.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, the default zone
           will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to, to zone zone. It's
           basically --remove-source followed by --add-source. If the source
           has not been bound to a zone before, it behaves like --add-source.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone]
       --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from the zone it was previously
           added to.

   IPSet Options
       --get-ipset-types
           Print the supported ipset types.

       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
       [--option=key[=value]]
           Add a new permanent and empty ipset, specifying the type and
           optionally the family and options like timeout, hashsize and
           maxelem. For more information please have a look at the ipset(8)
           man page.

       --permanent --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --permanent --delete-ipset=ipset
           Delete an existing permanent ipset.

       --permanent --load-ipset-defaults=ipset
           Load ipset default settings or report a NO_DEFAULTS error.

       [--permanent] --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       [--permanent] --get-ipsets
           Print predefined ipsets as a space separated list.

       --permanent --ipset=ipset --set-description=description
           Set a new description for ipset.

       --permanent --ipset=ipset --get-description
           Print the description of ipset.

       --permanent --ipset=ipset --set-short=description
           Set the short description for ipset.

       --permanent --ipset=ipset --get-short
           Print the short description of ipset.

       [--permanent] --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

           Adding an entry to an ipset with the option timeout is permitted,
           but these entries are not tracked by firewalld.

       [--permanent] --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       [--permanent] --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if
           true, 1 otherwise.

           Querying an ipset with a timeout will yield an error. Entries are
           not tracked for ipsets with a timeout.

       [--permanent] --ipset=ipset --get-entries
           List all entries of the ipset.

       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but are already in the ipset, a warning will
           be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove the entries listed in the file from the ipset. For all
           entries that are listed in the file but not in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.
687
688       --permanent --path-ipset=ipset
689           Print path of the ipset configuration file.
690
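       The entries file format accepted by --add-entries-from-file and
       --remove-entries-from-file is simple enough to check before handing it
       to firewall-cmd. The following parser and validator is an added example
       written for this page; it is not firewalld's own code. It applies the
       skip rules stated above (one entry per line, '#' and ';' comment lines
       and empty lines ignored) and then validates each entry with the
       ipaddress module. The type and family checks are an assumption of the
       example: hash:ip is taken to accept single addresses only and hash:net
       to accept addresses or CIDR networks, with family inet meaning IPv4 and
       inet6 meaning IPv6. The sample file content is constructed.

```python
"""Parse and validate an ipset entries file (added example, not firewalld code)."""
import ipaddress

# Constructed sample file content; the addresses are documentation ranges.
SAMPLE_FILE = """\
# constructed example entries file
; semicolon comments are ignored as well
192.0.2.10
192.0.2.0/24

2001:db8::1
  198.51.100.7
not-an-address
"""


def parse_entries_file(text):
    """Return the entries in file order, applying the man page's skip rules.

    Surrounding whitespace is stripped (an assumption of this example)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        entries.append(line)
    return entries


def validate_entries(entries, ipset_type="hash:ip", family="inet"):
    """Split entries into (valid, rejected) for the given ipset type and family.

    Assumption of the example: hash:ip accepts single addresses, hash:net
    accepts addresses or CIDR networks; inet is IPv4 and inet6 is IPv6.
    Rejected entries carry a short reason so they can be reported."""
    want_version = 4 if family == "inet" else 6
    valid, rejected = [], []
    for entry in entries:
        try:
            if ipset_type == "hash:net":
                obj = ipaddress.ip_network(entry, strict=False)
            else:
                obj = ipaddress.ip_address(entry)
        except ValueError:
            rejected.append((entry, "not a valid address"))
            continue
        if obj.version != want_version:
            rejected.append((entry, "wrong address family"))
            continue
        valid.append(str(obj))
    return valid, rejected


def plan_add(valid, existing):
    """Mirror --add-entries-from-file: entries already in the set only
    produce a warning, the remaining ones are added. Returns (to_add, warnings)."""
    warnings = [e for e in valid if e in existing]
    to_add = [e for e in valid if e not in existing]
    return to_add, warnings


if __name__ == "__main__":
    found = parse_entries_file(SAMPLE_FILE)
    ok, bad = validate_entries(found, "hash:net", "inet")
    print("valid:", ok)
    print("rejected:", bad)
    print("plan:", plan_add(ok, {"192.0.2.0/24"}))
```

       Running the validator first means a single malformed line is reported
       by name instead of surfacing as an INVALID_ENTRY exit code from the
       daemon, and the plan_add step shows which entries would only trigger
       the "already in the ipset" warning.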
   Service Options
       Options in this section affect only one particular service.

       [--permanent] --info-service=service
           Print information about the service service. The output format is:

               service
                 ports: port1 ..
                 protocols: protocol1 ..
                 source-ports: source-port1 ..
                 modules: module1 ..
                 destination: ipv1:address1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-service=service
           Add a new permanent and empty service.

       --permanent --new-service-from-file=filename [--name=service]
           Add a new permanent service from a prepared service file with an
           optional name override.

       --permanent --delete-service=service
           Delete an existing permanent service.

       --permanent --load-service-defaults=service
           Load service default settings or report NO_DEFAULTS error.

       --permanent --path-service=service
           Print path of the service configuration file.

       --permanent --service=service --set-description=description
           Set new description to service

       --permanent --service=service --get-description
           Print description for service

       --permanent --service=service --set-short=description
           Set short description to service

       --permanent --service=service --get-short
           Print short description for service

       --permanent --service=service --add-port=portid[-portid]/protocol
           Add a new port to the permanent service.

       --permanent --service=service --remove-port=portid[-portid]/protocol
           Remove a port from the permanent service.

       --permanent --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.

       --permanent --service=service --get-ports
           List ports added to the permanent service.

       --permanent --service=service --add-protocol=protocol
           Add a new protocol to the permanent service.

       --permanent --service=service --remove-protocol=protocol
           Remove a protocol from the permanent service.

       --permanent --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent service.

       --permanent --service=service --get-protocols
           List protocols added to the permanent service.

       --permanent --service=service
       --add-source-port=portid[-portid]/protocol
           Add a new source port to the permanent service.

       --permanent --service=service
       --remove-source-port=portid[-portid]/protocol
           Remove a source port from the permanent service.

       --permanent --service=service
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.

       --permanent --service=service --get-source-ports
           List source ports added to the permanent service.

       --permanent --service=service --add-module=module
           Add a new module to the permanent service.

       --permanent --service=service --remove-module=module
           Remove a module from the permanent service.

       --permanent --service=service --query-module=module
           Return whether the module has been added to the permanent service.

       --permanent --service=service --get-modules
           List modules added to the permanent service.

       --permanent --service=service --set-destination=ipv:address[/mask]
           Set destination for ipv to address[/mask] in the permanent service.

       --permanent --service=service --remove-destination=ipv
           Remove the destination for ipv from the permanent service.

       --permanent --service=service --query-destination=ipv:address[/mask]
           Return whether the destination ipv to address[/mask] has been set in
           the permanent service.

       --permanent --service=service --get-destinations
           List destinations added to the permanent service.

   Helper Options
       Options in this section affect only one particular helper.

       [--permanent] --info-helper=helper
           Print information about the helper helper. The output format is:

               helper
                 family: family
                 module: module
                 ports: port1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-helper=helper --module=nf_conntrack_module
       [--family=ipv4|ipv6]
           Add a new permanent helper with module and optionally family
           defined.

       --permanent --new-helper-from-file=filename [--name=helper]
           Add a new permanent helper from a prepared helper file with an
           optional name override.

       --permanent --delete-helper=helper
           Delete an existing permanent helper.

       --permanent --load-helper-defaults=helper
           Load helper default settings or report NO_DEFAULTS error.

       --permanent --path-helper=helper
           Print path of the helper configuration file.

       [--permanent] --get-helpers
           Print predefined helpers as a space separated list.

       --permanent --helper=helper --set-description=description
           Set new description to helper

       --permanent --helper=helper --get-description
           Print description for helper

       --permanent --helper=helper --set-short=description
           Set short description to helper

       --permanent --helper=helper --get-short
           Print short description for helper

       --permanent --helper=helper --add-port=portid[-portid]/protocol
           Add a new port to the permanent helper.

       --permanent --helper=helper --remove-port=portid[-portid]/protocol
           Remove a port from the permanent helper.

       --permanent --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.

       --permanent --helper=helper --get-ports
           List ports added to the permanent helper.

       --permanent --helper=helper --set-module=description
           Set module description for helper

       --permanent --helper=helper --get-module
           Print module description for helper

       --permanent --helper=helper --set-family=description
           Set family description for helper

       --permanent --helper=helper --get-family
           Print family description of helper

   Internet Control Message Protocol (ICMP) type Options
       Options in this section affect only one particular icmptype.

       [--permanent] --info-icmptype=icmptype
           Print information about the icmptype icmptype. The output format
           is:

               icmptype
                 destination: ipv1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-icmptype=icmptype
           Add a new permanent and empty icmptype.

       --permanent --new-icmptype-from-file=filename [--name=icmptype]
           Add a new permanent icmptype from a prepared icmptype file with an
           optional name override.

       --permanent --delete-icmptype=icmptype
           Delete an existing permanent icmptype.

       --permanent --load-icmptype-defaults=icmptype
           Load icmptype default settings or report NO_DEFAULTS error.

       --permanent --icmptype=icmptype --set-description=description
           Set new description to icmptype

       --permanent --icmptype=icmptype --get-description
           Print description for icmptype

       --permanent --icmptype=icmptype --set-short=description
           Set short description to icmptype

       --permanent --icmptype=icmptype --get-short
           Print short description for icmptype

       --permanent --icmptype=icmptype --add-destination=ipv
           Enable destination for ipv in permanent icmptype. ipv is one of
           ipv4 or ipv6.

       --permanent --icmptype=icmptype --remove-destination=ipv
           Disable destination for ipv in permanent icmptype. ipv is one of
           ipv4 or ipv6.

       --permanent --icmptype=icmptype --query-destination=ipv
           Return whether destination for ipv is enabled in permanent
           icmptype. ipv is one of ipv4 or ipv6.

       --permanent --icmptype=icmptype --get-destinations
           List destinations in permanent icmptype.

       --permanent --path-icmptype=icmptype
           Print path of the icmptype configuration file.

   Direct Options
       The direct options give more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. table
       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).

       Direct options should be used only as a last resort when it's not
       possible to use for example --add-service=service or
       --add-rich-rule='rule'.

       The first argument of each option has to be ipv4 or ipv6 or eb. With
       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

       [--permanent] --direct --get-all-chains
           Get all chains added to all tables. This option concerns only
           chains previously added with --direct --add-chain.

       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
           Get all chains added to table table as a space separated list. This
           option concerns only chains previously added with --direct
           --add-chain.

       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
           Add a new chain with name chain to table table. Make sure there's
           no other chain with this name already.

           There already exist basic chains to use with direct options, for
           example the INPUT_direct chain (see iptables-save | grep direct
           output for all of them). These chains are jumped into before chains
           for zones, i.e. every rule put into INPUT_direct will be checked
           before rules in zones.

       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
           Remove chain with name chain from table table. Only chains
           previously added with --direct --add-chain can be removed this way.

       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
           Return whether a chain with name chain exists in table table.
           Returns 0 if true, 1 otherwise. This option concerns only chains
           previously added with --direct --add-chain.

       [--permanent] --direct --get-all-rules
           Get all rules added to all chains in all tables as a newline
           separated list of the priority and arguments. This option concerns
           only rules previously added with --direct --add-rule.

       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
           Get all rules added to chain chain in table table as a newline
           separated list of the priority and arguments. This option concerns
           only rules previously added with --direct --add-rule.

       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Add a rule with the arguments args to chain chain in table table
           with priority priority.

           The priority is used to order rules. Priority 0 means add the rule
           on top of the chain; with a higher priority the rule will be added
           further down. Rules with the same priority are on the same level
           and the order of these rules is not fixed and may change. If you
           want to make sure that a rule will be added after another one, use
           a low priority for the first and a higher one for the following.

       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Remove a rule with priority and the arguments args from chain chain
           in table table. Only rules previously added with --direct
           --add-rule can be removed this way.

       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules from the chain with name chain in table table.
           This option concerns only rules previously added with --direct
           --add-rule in this chain.

       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Return whether a rule with priority and the arguments args exists
           in chain chain in table table. Returns 0 if true, 1 otherwise. This
           option concerns only rules previously added with --direct
           --add-rule.

       --direct --passthrough { ipv4 | ipv6 | eb } args
           Pass a command through to the firewall. args can be all iptables,
           ip6tables and ebtables command line arguments. This command is
           untracked, which means that firewalld is not able to provide
           information about this command later on, nor a listing of the
           untracked passthroughs.

       [--permanent] --direct --get-all-passthroughs
           Get all passthrough rules as a newline separated list of the ipv
           value and arguments.

       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
           Get all passthrough rules for the ipv value as a newline separated
           list of the priority and arguments.

       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
           Add a passthrough rule with the arguments args for the ipv value.

       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
           Remove a passthrough rule with the arguments args for the ipv
           value.

       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
           Return whether a passthrough rule with the arguments args exists
           for the ipv value. Returns 0 if true, 1 otherwise.

   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.

       The lockdown access check limits D-Bus methods that change firewall
       rules. Query, list and get methods are not limited.

       The lockdown feature is a very light version of user and application
       policies for firewalld and is turned off by default.

       --lockdown-on
           Enable lockdown. Be careful - if firewall-cmd is not on the lockdown
           whitelist when you enable lockdown you won't be able to disable it
           again with firewall-cmd; you would need to edit firewalld.conf.

           This is a runtime and permanent change.

       --lockdown-off
           Disable lockdown.

           This is a runtime and permanent change.

       --query-lockdown
           Query whether lockdown is enabled. Returns 0 if lockdown is
           enabled, 1 otherwise.

   Lockdown Whitelist Options
       The lockdown whitelist can contain commands, contexts, users and user
       ids.

       If a command entry on the whitelist ends with an asterisk '*', then all
       command lines starting with the command will match. If the '*' is not
       there, the absolute command including its arguments must match.

       Commands for user root and other users are not always the same. Example:
       as root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd
       is used on Fedora.

       The context is the security (SELinux) context of a running application
       or service. To get the context of a running application use ps -e
       --context.

       Warning: If the context is unconfined, then this will open access for
       more than the desired application.

       The lockdown whitelist entries are checked in the following order:
           1. context
           2. uid
           3. user
           4. command

       [--permanent] --list-lockdown-whitelist-commands
           List all command lines that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-command=command
           Add the command to the whitelist.

       [--permanent] --remove-lockdown-whitelist-command=command
           Remove the command from the whitelist.

       [--permanent] --query-lockdown-whitelist-command=command
           Query whether the command is on the whitelist. Returns 0 if true, 1
           otherwise.

       [--permanent] --list-lockdown-whitelist-contexts
           List all contexts that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-context=context
           Add the context context to the whitelist.

       [--permanent] --remove-lockdown-whitelist-context=context
           Remove the context from the whitelist.

       [--permanent] --query-lockdown-whitelist-context=context
           Query whether the context is on the whitelist. Returns 0 if true, 1
           otherwise.

       [--permanent] --list-lockdown-whitelist-uids
           List all user ids that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-uid=uid
           Add the user id uid to the whitelist.

       [--permanent] --remove-lockdown-whitelist-uid=uid
           Remove the user id uid from the whitelist.

       [--permanent] --query-lockdown-whitelist-uid=uid
           Query whether the user id uid is on the whitelist. Returns 0 if
           true, 1 otherwise.

       [--permanent] --list-lockdown-whitelist-users
           List all user names that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-user=user
           Add the user name user to the whitelist.

       [--permanent] --remove-lockdown-whitelist-user=user
           Remove the user name user from the whitelist.

       [--permanent] --query-lockdown-whitelist-user=user
           Query whether the user name user is on the whitelist. Returns 0 if
           true, 1 otherwise.

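       The matching rules described in this section (trailing '*' means a
       prefix match, otherwise the full command line including arguments must
       match; entries checked in the order context, uid, user, command) are
       easy to get wrong when reviewing a whitelist, in particular the
       root-versus-user path difference and the unconfined-context warning.
       The following model is an added example written for this page, not
       firewalld's implementation; the whitelist content and the SELinux
       context strings are constructed, and treating any context containing
       "unconfined" as the case the warning refers to is an assumption.

```python
"""Model of lockdown whitelist matching (added example, not firewalld code)."""
from dataclasses import dataclass, field


@dataclass
class LockdownWhitelist:
    contexts: set = field(default_factory=set)
    uids: set = field(default_factory=set)
    users: set = field(default_factory=set)
    commands: list = field(default_factory=list)

    @staticmethod
    def command_matches(entry, cmdline):
        """Trailing '*' gives a prefix match on the command line; without it the
        absolute command including all arguments must match exactly."""
        if entry.endswith("*"):
            return cmdline.startswith(entry[:-1])
        return cmdline == entry

    def check(self, context, uid, user, cmdline):
        """Return the whitelist category that grants the request, in the order
        the man page gives (context, uid, user, command), or None if denied."""
        if context in self.contexts:
            return "context"
        if uid in self.uids:
            return "uid"
        if user in self.users:
            return "user"
        for entry in self.commands:
            if self.command_matches(entry, cmdline):
                return "command"
        return None


def unconfined_contexts(whitelist):
    """List context entries that would grant access to more than one application.

    Assumption of the example: a context string containing 'unconfined'."""
    return sorted(c for c in whitelist.contexts if "unconfined" in c)


# Constructed sample whitelist (not a recommended configuration).
SAMPLE = LockdownWhitelist(
    contexts={"system_u:system_r:virtd_t:s0"},
    uids={0},
    users={"fwadmin"},
    commands=["/usr/bin/firewall-cmd --query-*", "/usr/bin/firewall-config"],
)

if __name__ == "__main__":
    print(SAMPLE.check("unconfined_u:unconfined_r:unconfined_t:s0", 1000, "bob",
                       "/usr/bin/firewall-cmd --query-service=http"))
    print(unconfined_contexts(SAMPLE))
```

       With this whitelist a normal user can only run query forms of
       firewall-cmd, an exact /usr/bin/firewall-config invocation without
       arguments, or nothing at all if the command was started from /bin
       instead of /usr/bin; the uid and user entries grant every change
       regardless of the command.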
   Panic Options
       --panic-on
           Enable panic mode. All incoming and outgoing packets are dropped,
           active connections will expire. Enable this only if there are
           serious problems with your network environment, for example if the
           machine is being compromised.

           This is a runtime only change.

       --panic-off
           Disable panic mode. After disabling panic mode established
           connections might work again, if panic mode was enabled for a short
           period of time.

           This is a runtime only change.

       --query-panic
           Returns 0 if panic mode is enabled, 1 otherwise.


EXAMPLES

       For more examples see http://fedoraproject.org/wiki/FirewallD

   Example 1
       Enable http service in default zone. This is a runtime only change,
       i.e. effective until restart.

           firewall-cmd --add-service=http

   Example 2
       Enable port 443/tcp immediately and permanently in default zone. To
       make the change effective immediately and also after restart we need
       two commands. The first command makes the change in runtime
       configuration, i.e. makes it effective immediately, until restart. The
       second command makes the change in permanent configuration, i.e. makes
       it effective after restart.

           firewall-cmd --add-port=443/tcp
           firewall-cmd --permanent --add-port=443/tcp


EXIT CODES

       On success 0 is returned. On failure the output is red colored and exit
       code is either 2 in case of wrong command-line option usage or one of
       the following error codes in other cases:

       ┌────────────────────┬──────┐
       │String              │ Code │
       ├────────────────────┼──────┤
       │ALREADY_ENABLED     │   11 │
       │NOT_ENABLED         │   12 │
       │COMMAND_FAILED      │   13 │
       │NO_IPV6_NAT         │   14 │
       │PANIC_MODE          │   15 │
       │ZONE_ALREADY_SET    │   16 │
       │UNKNOWN_INTERFACE   │   17 │
       │ZONE_CONFLICT       │   18 │
       │BUILTIN_CHAIN       │   19 │
       │EBTABLES_NO_REJECT  │   20 │
       │NOT_OVERLOADABLE    │   21 │
       │NO_DEFAULTS         │   22 │
       │BUILTIN_ZONE        │   23 │
       │BUILTIN_SERVICE     │   24 │
       │BUILTIN_ICMPTYPE    │   25 │
       │NAME_CONFLICT       │   26 │
       │NAME_MISMATCH       │   27 │
       │PARSE_ERROR         │   28 │
       │ACCESS_DENIED       │   29 │
       │UNKNOWN_SOURCE      │   30 │
       │RT_TO_PERM_FAILED   │   31 │
       │IPSET_WITH_TIMEOUT  │   32 │
       │BUILTIN_IPSET       │   33 │
       │ALREADY_SET         │   34 │
       │MISSING_IMPORT      │   35 │
       │DBUS_ERROR          │   36 │
       │BUILTIN_HELPER      │   37 │
       │NOT_APPLIED         │   38 │
       │INVALID_ACTION      │  100 │
       │INVALID_SERVICE     │  101 │
       │INVALID_PORT        │  102 │
       │INVALID_PROTOCOL    │  103 │
       │INVALID_INTERFACE   │  104 │
       │INVALID_ADDR        │  105 │
       │INVALID_FORWARD     │  106 │
       │INVALID_ICMPTYPE    │  107 │
       │INVALID_TABLE       │  108 │
       │INVALID_CHAIN       │  109 │
       │INVALID_TARGET      │  110 │
       │INVALID_IPV         │  111 │
       │INVALID_ZONE        │  112 │
       │INVALID_PROPERTY    │  113 │
       │INVALID_VALUE       │  114 │
       │INVALID_OBJECT      │  115 │
       │INVALID_NAME        │  116 │
       │INVALID_FILENAME    │  117 │
       │INVALID_DIRECTORY   │  118 │
       │INVALID_TYPE        │  119 │
       │INVALID_SETTING     │  120 │
       │INVALID_DESTINATION │  121 │
       │INVALID_RULE        │  122 │
       │INVALID_LIMIT       │  123 │
       │INVALID_FAMILY      │  124 │
       │INVALID_LOG_LEVEL   │  125 │
       │INVALID_AUDIT_TYPE  │  126 │
       │INVALID_MARK        │  127 │
       │INVALID_CONTEXT     │  128 │
       │INVALID_COMMAND     │  129 │
       │INVALID_USER        │  130 │
       │INVALID_UID         │  131 │
       │INVALID_MODULE      │  132 │
       │INVALID_PASSTHROUGH │  133 │
       │INVALID_MAC         │  134 │
       │INVALID_IPSET       │  135 │
       │INVALID_ENTRY       │  136 │
       │INVALID_OPTION      │  137 │
       │INVALID_HELPER      │  138 │
       │INVALID_PRIORITY    │  139 │
       │MISSING_TABLE       │  200 │
       │MISSING_CHAIN       │  201 │
       │MISSING_PORT        │  202 │
       │MISSING_PROTOCOL    │  203 │
       │MISSING_ADDR        │  204 │
       │MISSING_NAME        │  205 │
       │MISSING_SETTING     │  206 │
       │MISSING_FAMILY      │  207 │
       │RUNNING_BUT_FAILED  │  251 │
       │NOT_RUNNING         │  252 │
       │NOT_AUTHORIZED      │  253 │
       │UNKNOWN_ERROR       │  254 │
       └────────────────────┴──────┘

       Note that return codes of --query-* options are special: Successful
       queries return 0, unsuccessful ones return 1 unless an error occurred
       in which case the table above applies.

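       Scripts that drive firewall-cmd usually need both halves of Example 2
       (runtime change, then the same change with --permanent) and have to
       read the exit codes above correctly, including the special 0/1
       meaning of --query-* options. The wrapper below is an added example
       written for this page, not firewalld's own tooling. It names only a
       subset of the codes from the table; the runner is injectable so the
       logic can be exercised without a running daemon, and which codes to
       treat as "already in the desired state" (ALREADY_ENABLED, NOT_ENABLED,
       ZONE_ALREADY_SET) is a design choice of the example.

```python
"""Runtime-plus-permanent wrapper around firewall-cmd with exit code
interpretation (added example, not part of firewalld)."""
import subprocess

# Subset of the EXIT CODES table; 0 is success, 2 is wrong option usage.
EXIT_CODES = {
    0: "SUCCESS",
    2: "USAGE",
    11: "ALREADY_ENABLED",
    12: "NOT_ENABLED",
    16: "ZONE_ALREADY_SET",
    29: "ACCESS_DENIED",
    31: "RT_TO_PERM_FAILED",
    38: "NOT_APPLIED",
    251: "RUNNING_BUT_FAILED",
    252: "NOT_RUNNING",
    253: "NOT_AUTHORIZED",
    254: "UNKNOWN_ERROR",
}

# Codes meaning the requested state already holds; treating them as success
# makes the wrapper idempotent (design choice of this example).
IDEMPOTENT_OK = {11, 12, 16}
OK_NAMES = {"SUCCESS"} | {EXIT_CODES[c] for c in IDEMPOTENT_OK}


def run_firewall_cmd(args):
    """Default runner: invoke the real client and return its exit status."""
    return subprocess.run(["firewall-cmd", *args]).returncode


def interpret(code, query=False):
    """Map an exit status to its name from the table.

    For --query-* options 0 and 1 mean true/false rather than an error."""
    if query and code in (0, 1):
        return "QUERY_TRUE" if code == 0 else "QUERY_FALSE"
    return EXIT_CODES.get(code, f"ERROR_{code}")


def ensure(args, run=run_firewall_cmd):
    """Apply one change at runtime and then permanently (Example 2 pattern).

    Returns {"runtime": name, "permanent": name}; the permanent step is
    skipped when the runtime step failed for a reason other than the state
    already holding (for instance NOT_RUNNING or NOT_AUTHORIZED)."""
    outcome = {}
    rc = run(list(args))
    outcome["runtime"] = interpret(rc)
    if rc != 0 and rc not in IDEMPOTENT_OK:
        return outcome
    rc = run(["--permanent", *args])
    outcome["permanent"] = interpret(rc)
    return outcome


def converged(outcome):
    """True only if both steps ran and each ended in the desired state."""
    return (set(outcome) == {"runtime", "permanent"}
            and all(name in OK_NAMES for name in outcome.values()))


if __name__ == "__main__":
    # Against a real system this runs firewall-cmd twice, as in Example 2.
    result = ensure(["--add-port=443/tcp"])
    print(result, "converged" if converged(result) else "not converged")
```

       Checking the runtime result before the permanent step avoids the
       common mistake of writing a permanent rule that the running daemon
       never accepted, and mapping codes to names keeps log output readable
       when the script is run unattended.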

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
       firewalld.helper(5)

NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer



firewalld 0.6.3                                                FIREWALL-CMD(1)