FIREWALL-CMD(1)                     firewall-cmd                    FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configuration.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that things can be changed in the runtime or
       in the permanent configuration.

OPTIONS
       For sequence options, i.e. the options that can be specified multiple
       times, the exit code is 0 if there is at least one item that
       succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and
       ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are
       issues while parsing the items, these are treated as warnings and will
       not change the result as long as there is a succeeded item. Without
       any succeeded item, the exit code will depend on the error codes. If
       there is exactly one error code, then this is used. If there is more
       than one, UNKNOWN_ERROR (254) will be used.

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code of 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration will become the new runtime configuration,
           i.e. all runtime-only changes made before the reload are lost with
           the reload if they have not also been made in the permanent
           configuration.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --complete-reload
           Reload the firewall completely, even the netfilter kernel modules.
           This will most likely terminate active connections, because state
           information is lost. This option should only be used in case of
           severe firewall problems, for example if there are state
           information problems such that no connection can be established
           even with correct firewall rules.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The way this is supposed to work is that
           when configuring firewalld you make runtime changes only, and once
           you are happy with the configuration and have tested that it works
           the way you want, you save the configuration to disk.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before the reject and drop rules in the
           INPUT, FORWARD and OUTPUT chains for the default rules, and also
           before the final reject and drop rules in zones, for the configured
           link-layer packet type. The possible values are: all, unicast,
           broadcast, multicast and off. The default setting is off, which
           disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Automatic Helpers Options
       --get-automatic-helpers
           Print the automatic helpers setting.

       --set-automatic-helpers=value
           For the secure use of iptables and connection tracking helpers it
           is recommended to turn AutomaticHelpers off. But this might have
           side effects on other services using the netfilter helpers, as the
           sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
           be changed. With the system setting, the default value set in the
           kernel or with sysctl will be used. Possible values are: yes, no
           and system. The default value is system.

           This is a runtime and permanent change and will also reload the
           firewall to be able to make the helpers usable.

   Permanent Options
       --permanent
           The permanent option --permanent can be used to set options
           permanently. These changes are not effective immediately, only
           after a service restart/reload or a system reboot. Without the
           --permanent option, a change will only be part of the runtime
           configuration.

           If you want to make a change in both the runtime and the permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can optionally be added to all options
           further down where it is supported.

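       The runtime/permanent split, the --timeout option and the exit-code
       rules for sequence options lend themselves to a stage-then-commit
       workflow: change the runtime configuration with an expiry, verify, then
       save it. The following POSIX sh script is an added example, not part
       of the man page or of firewalld; FW_CMD is a variable invented here so
       that a stub can stand in for the firewall-cmd binary.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page or the firewalld project.
# Stage a change in the runtime configuration with a --timeout safety net,
# verify it took effect, then commit it with --runtime-to-permanent.
# FW_CMD is this example's own knob: it lets a dry run or a test substitute
# another command (e.g. a shell function) for the real firewall-cmd binary.
FW_CMD="${FW_CMD:-firewall-cmd}"

# Validate a timeval as the man page defines it: a number of seconds, or a
# number followed by s, m or h. Prints the value in seconds; returns 1 if
# the value is malformed (e.g. "20ms", "h", "").
fw_timeval_seconds() {
    n=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\)[smh]\{0,1\}$/\1/p')
    [ -n "$n" ] || return 1
    case "$1" in
        *m) echo $((n * 60)) ;;
        *h) echo $((n * 3600)) ;;
        *)  echo "$n" ;;
    esac
}

# Names for the exit codes the man page documents for sequence options.
fw_exit_name() {
    case "$1" in
        0)   echo SUCCESS ;;
        11)  echo ALREADY_ENABLED ;;
        12)  echo NOT_ENABLED ;;
        16)  echo ZONE_ALREADY_SET ;;
        254) echo UNKNOWN_ERROR ;;
        *)   echo "ERROR_$1" ;;     # any other code; see the EXIT CODES section
    esac
}

# Run firewall-cmd and, like firewall-cmd itself does for sequence options,
# treat "already in the requested state" (11, 12, 16) as success.
# Returns 0 on success, otherwise the original exit code.
fw_apply() {
    "$FW_CMD" "$@" && rc=0 || rc=$?
    case "$rc" in
        0|11|12|16) return 0 ;;
        *) echo "firewall-cmd $*: $(fw_exit_name "$rc") ($rc)" >&2
           return "$rc" ;;
    esac
}

# Stage a service in a zone for a limited time, confirm it is active, then
# save the runtime configuration to disk and reload so that the runtime
# configuration equals the permanent one (the documented --reload semantics).
# Usage: fw_stage_and_commit_service ZONE SERVICE TIMEVAL
fw_stage_and_commit_service() {
    zone=$1; service=$2; timeval=$3
    fw_timeval_seconds "$timeval" >/dev/null || {
        echo "invalid timeval: $timeval" >&2; return 2; }
    # --timeout cannot be combined with --permanent, so this is runtime only;
    # if the next steps fail, the rule disappears by itself after TIMEVAL.
    fw_apply --zone="$zone" --add-service="$service" --timeout="$timeval" || return 1
    # --query-service returns 0 if the service is present, 1 otherwise.
    "$FW_CMD" --zone="$zone" --query-service="$service" || {
        echo "service $service is not active in zone $zone" >&2; return 1; }
    fw_apply --runtime-to-permanent || return 1
    fw_apply --reload
}
```

       Note that --runtime-to-permanent saves every runtime-only change
       present at that moment, not just the one staged here.
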
   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.

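       The output format above is easy to parse, which makes it a useful
       basis for a periodic check that no interface or source has ended up
       in a zone you did not intend (for example a container bridge landing
       in trusted). The following POSIX sh functions are an added example,
       not part of the man page or of firewalld; the zone names and bindings
       in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page or the firewalld project.
# Parse the output format documented for --get-active-zones and check each
# interface or source binding against an allow-list of zones, so that a
# binding to an unexpected zone is noticed.

# Constructed sample in the documented output format, not real output.
FW_SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0 eth1
internal
  sources: 10.0.0.0/8 ipset:admins
trusted
  interfaces: docker0'

# Flatten the two-level listing read from stdin into one line per binding:
# "<zone> interface <name>" or "<zone> source <source>".
fw_flatten_active_zones() {
    awk '
        /^[^ \t]/            { zone = $1; next }   # unindented line: a zone name
        /^[ \t]+interfaces:/ { for (i = 2; i <= NF; i++) print zone, "interface", $i; next }
        /^[ \t]+sources:/    { for (i = 2; i <= NF; i++) print zone, "source", $i; next }
    '
}

# Read --get-active-zones output from stdin and report (on stderr) every
# binding whose zone is not in the space-separated allow-list given as $1.
# Returns 0 if all bindings are in allowed zones, 1 otherwise.
fw_audit_active_zones() {
    findings=$(fw_flatten_active_zones | awk -v allowed=" $1 " '
        index(allowed, " " $1 " ") == 0 {
            print "unexpected: " $2 " " $3 " is bound to zone " $1
        }')
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" >&2
    return 1
}

# Audit the live system; only meaningful where firewall-cmd is installed.
# Usage: fw_audit_live "public internal"
fw_audit_live() {
    firewall-cmd --get-active-zones | fw_audit_active_zones "$1"
}
```
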
       [--permanent] --get-zones
           Print the predefined zones as a space separated list.

       [--permanent] --get-services
           Print the predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print the predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or no zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or no zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                   forward-port1
                   ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                   rich-rule1
                   ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                   forward-port1
                   ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                   rich-rule1
                   ..
               ..

       --permanent --new-zone=zone
           Add a new permanent and empty zone.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load the zone default settings or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

       --permanent --zone=zone --set-description=description
           Set a new description for zone.

       --permanent --zone=zone --get-description
           Print the description of zone.

       --permanent --zone=zone --set-short=description
           Set a short description for zone.

       --permanent --zone=zone --get-short
           Print the short description of zone.

       --permanent [--zone=zone] --get-target
           Get the target of a permanent zone.

       --permanent [--zone=zone] --set-target=target
           Set the target of a permanent zone. target is one of: default,
           ACCEPT, DROP, REJECT.

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is omitted,
           the default zone will be used.

       [--permanent] [--zone=zone] --list-services
           List the services added for zone as a space separated list. If
           zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
           Add a service for zone. If zone is omitted, the default zone will
           be used. This option can be specified multiple times. If a timeout
           is supplied, the rule will be active for the specified amount of
           time and will be removed automatically afterwards. timeval is
           either a number (of seconds) or a number followed by one of the
           characters s (seconds), m (minutes), h (hours), for example 20m or
           1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-service=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-ports
           List the ports added for zone as a space separated list. A port is
           of the form portid[-portid]/protocol; it can be either a port and
           protocol pair or a port range with a protocol. If zone is omitted,
           the default zone will be used.

       [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the port for zone. If zone is omitted, the default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards. timeval is either a
           number (of seconds) or a number followed by one of the characters
           s (seconds), m (minutes), h (hours), for example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-protocols
           List the protocols added for zone as a space separated list. If
           zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
           Add the protocol for zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for the supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-source-ports
           List the source ports added for zone as a space separated list. A
           port is of the form portid[-portid]/protocol. If zone is omitted,
           the default zone will be used.

       [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the source port for zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-icmp-blocks
           List the Internet Control Message Protocol (ICMP) type blocks added
           for zone as a space separated list. If zone is omitted, the default
           zone will be used.

       [--permanent] [--zone=zone] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype for zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the icmp types firewalld supports. To get a
           listing of the supported icmp types: firewall-cmd --get-icmptypes

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           the default zone will be used. This option can be specified
           multiple times.

       [--permanent] [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for zone.
           If zone is omitted, the default zone will be used. Returns 0 if
           true, 1 otherwise.

       [--permanent] [--zone=zone] --list-forward-ports
           List the IPv4 forward ports added for zone as a space separated
           list. If zone is omitted, the default zone will be used.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port for zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times. If
           a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port from zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added for zone. If
           zone is omitted, the default zone will be used. Returns 0 if true,
           1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
           Enable IPv4 masquerading for zone. If zone is omitted, the default
           zone will be used. If a timeout is supplied, masquerading will be
           active for the specified amount of time. timeval is either a
           number (of seconds) or a number followed by one of the characters
           s (seconds), m (minutes), h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --remove-masquerade
           Disable IPv4 masquerading for zone. If zone is omitted, the default
           zone will be used. If masquerading was enabled with a timeout, it
           will be disabled as well.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --query-masquerade
           Return whether IPv4 masquerading has been enabled for zone. If zone
           is omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --list-rich-rules
           List the rich language rules added for zone as a newline separated
           list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
           Add the rich language rule 'rule' for zone. This option can be
           specified multiple times. If zone is omitted, the default zone will
           be used. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-rich-rule='rule'
           Remove the rich language rule 'rule' from zone. This option can be
           specified multiple times. If zone is omitted, the default zone will
           be used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] --query-rich-rule='rule'
           Return whether the rich language rule 'rule' has been added for
           zone. If zone is omitted, the default zone will be used. Returns 0
           if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are
       used to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--permanent] [--zone=zone] --list-interfaces
           List the interfaces that are bound to zone zone as a space
           separated list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, the
           default zone will be used.

           If the interface is under the control of NetworkManager,
           NetworkManager is contacted first to change the zone of the
           connection that is using the interface. If this fails, the zone
           binding is created in firewalld and the limitations below apply.
           For interfaces that are not under the control of NetworkManager,
           firewalld tries to change the ZONE setting in the ifcfg file, if
           the file exists.

           As an end user you don't need this in most cases, because
           NetworkManager (or the legacy network service) adds interfaces to
           zones automatically (according to the ZONE= option from the
           ifcfg-interface file) if NM_CONTROLLED=no is not set. You should
           do it only if there is no
           /etc/sysconfig/network-scripts/ifcfg-interface file. If there is
           such a file and you add the interface to a zone with this
           --add-interface option, make sure the zone is the same in both
           cases, otherwise the behaviour would be undefined. Please also
           have a look at the firewalld(1) man page in the Concepts section.
           For the permanent association of an interface with a zone, see
           also 'How to set or change a zone for a connection?' in
           firewalld.zones(5).

       [--zone=zone] --change-interface=interface
           If the interface is under the control of NetworkManager,
           NetworkManager is contacted first to change the zone of the
           connection that is using the interface. If this fails, the zone
           binding is created in firewalld and the limitations below apply.
           For interfaces that are not under the control of NetworkManager,
           firewalld tries to change the ZONE setting in the ifcfg file, if
           the file exists.

           Change the zone the interface interface is bound to to zone zone.
           It is basically --remove-interface followed by --add-interface. If
           the interface has not been bound to a zone before, it behaves like
           --add-interface. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--permanent] --remove-interface=interface
           If the interface is under the control of NetworkManager,
           NetworkManager is contacted first to change the zone of the
           connection that is using the interface. If this fails, the zone
           binding is created in firewalld and the limitations below apply.

           For the addition or change of interfaces that are not under the
           control of NetworkManager: firewalld tries to change the ZONE
           setting in the ifcfg file, if an ifcfg file exists that is using
           the interface.

           Only for the removal of interfaces that are not under the control
           of NetworkManager: firewalld does not try to change the ZONE
           setting in the ifcfg file. This is needed to make sure that an
           ifdown of the interface will not result in a reset of the zone
           setting to the default zone. Only the zone binding is then removed
           in firewalld.

           Remove the binding of interface interface from the zone it was
           previously added to.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be
       used to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, or a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd [--permanent]
       --get-zones.

       [--permanent] [--zone=zone] --list-sources
           List the sources that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, the default zone
           will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to to zone zone. It is
           basically --remove-source followed by --add-source. If the source
           has not been bound to a zone before, it behaves like --add-source.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone]
       --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from the zone it was previously
           added to.

   IPSet Options
       --get-ipset-types
           Print the supported ipset types.

       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
       [--option=key[=value]]
           Add a new permanent and empty ipset, specifying the type and
           optionally the family and options like timeout, hashsize and
           maxelem. For more information please have a look at the ipset(8)
           man page.

       --permanent --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --permanent --delete-ipset=ipset
           Delete an existing permanent ipset.

       --permanent --load-ipset-defaults=ipset
           Load the ipset default settings or report a NO_DEFAULTS error.

       [--permanent] --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       [--permanent] --get-ipsets
           Print the predefined ipsets as a space separated list.

       --permanent --ipset=ipset --set-description=description
           Set a new description for ipset.

       --permanent --ipset=ipset --get-description
           Print the description of ipset.

       --permanent --ipset=ipset --set-short=description
           Set a short description for ipset.

       --permanent --ipset=ipset --get-short
           Print the short description of ipset.

       [--permanent] --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

           Adding an entry to an ipset with the option timeout is permitted,
           but these entries are not tracked by firewalld.

       [--permanent] --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       [--permanent] --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if
           true, 1 otherwise.

           Querying an ipset with a timeout will yield an error. Entries are
           not tracked for ipsets with a timeout.

       [--permanent] --ipset=ipset --get-entries
           List all entries of the ipset.

       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but are already in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or a semicolon are ignored, as are empty lines.

       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset from the file. For all
           entries that are listed in the file but are not in the ipset, a
           warning will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or a semicolon are ignored, as are empty lines.

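       A feed that is loaded with --add-entries-from-file is best cleaned
       first, applying the file rules just described and rejecting anything
       that is not a valid entry for the ipset's type, so that a malformed
       line does not abort the load and duplicates do not produce warnings.
       The following POSIX sh script is an added example, not part of the
       man page or of firewalld; it assumes an ipset of type hash:net, family
       inet, and FW_CMD is a variable invented here so a stub can stand in
       for firewall-cmd. The sample feed is constructed.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page or the firewalld project.
# Prepare an entries file for --add-entries-from-file from a raw blocklist,
# applying the rules the man page states for the file (one entry per line;
# lines starting with # or ; and empty lines are ignored), validating that
# each remaining line is an IPv4 address or address/prefix, and dropping
# duplicates so firewalld does not warn about entries it already holds.
# Assumption of this example: the target ipset is of type hash:net, family
# inet, so only IPv4 entries are acceptable.
FW_CMD="${FW_CMD:-firewall-cmd}"   # this example's knob for substituting a stub

# Constructed sample feed, not real data.
FW_SAMPLE_BLOCKLIST='# constructed sample, not a real feed
; scanners seen last week
198.51.100.7
203.0.113.0/24

198.51.100.7
2001:db8::1
300.1.1.1
192.0.2.0/33
'

# stdin: raw list; stdout: cleaned entries; stderr: rejected lines.
# Returns 0 if every non-ignored line was accepted, 1 otherwise.
fw_ipset_prepare_entries() {
    awk '
        function valid_ipv4_net(e,    parts, o, n, i) {
            n = split(e, parts, "/")
            if (n > 2) return 0
            if (n == 2 && (parts[2] !~ /^[0-9]+$/ || parts[2] + 0 > 32)) return 0
            if (split(parts[1], o, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) return 0
            return 1
        }
        { sub(/[ \t\r]+$/, "") }            # tolerate CRLF and trailing blanks
        /^$/ || /^[#;]/ { next }            # exactly the lines firewalld ignores
        !valid_ipv4_net($0) { print "rejected: " $0 > "/dev/stderr"; bad = 1; next }
        !seen[$0]++ { print }               # keep the first occurrence only
        END { exit bad + 0 }
    '
}

# Clean RAW into OUT, load OUT into the permanent ipset IPSET, then reload so
# the permanent change becomes runtime. Usage: fw_ipset_load_blocklist IPSET RAW OUT
fw_ipset_load_blocklist() {
    ipset=$1; raw=$2; out=$3
    fw_ipset_prepare_entries < "$raw" > "$out" ||
        echo "some lines of $raw were rejected; loading the rest" >&2
    [ -s "$out" ] || { echo "no usable entries in $raw" >&2; return 1; }
    "$FW_CMD" --permanent --ipset="$ipset" --add-entries-from-file="$out" &&
        "$FW_CMD" --reload
}
```
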
       --permanent --path-ipset=ipset
           Print the path of the ipset configuration file.

691 Service Options
692 Options in this section affect only one particular service.
693
694 [--permanent] --info-service=service
695 Print information about the service service. The output format is:
696
697 service
698 ports: port1 ..
699 protocols: protocol1 ..
700 source-ports: source-port1 ..
701 modules: module1 ..
702 destination: ipv1:address1 ..
703
704
705
706 The following options are only usable in the permanent configuration.
707
708 --permanent --new-service=service
709 Add a new permanent and empty service.
710
711 --permanent --new-service-from-file=filename [--name=service]
712 Add a new permanent service from a prepared service file with an
713 optional name override.
714
715 --permanent --delete-service=service
716 Delete an existing permanent service.
717
718 --permanent --load-service-defaults=service
719 Load service default settings or report NO_DEFAULTS error.
720
721 --permanent --path-service=service
722 Print path of the service configuration file.
723
724 --permanent --service=service --set-description=description
725 Set new description to service
726
727 --permanent --service=service --get-description
728 Print description for service
729
730 --permanent --service=service --set-short=description
731 Set short description to service
732
733 --permanent --service=service --get-short
734 Print short description for service
735
736 --permanent --service=service --add-port=portid[-portid]/protocol
737 Add a new port to the permanent service.
738
739 --permanent --service=service --remove-port=portid[-portid]/protocol
740 Remove a port from the permanent service.
741
742 --permanent --service=service --query-port=portid[-portid]/protocol
743 Return wether the port has been added to the permanent service.
744
745 --permanent --service=service --get-ports
746 List ports added to the permanent service.
747
748 --permanent --service=service --add-protocol=protocol
749 Add a new protocol to the permanent service.
750
751 --permanent --service=service --remove-protocol=protocol
752 Remove a protocol from the permanent service.
753
754 --permanent --service=service --query-protocol=protocol
755 Return wether the protocol has been added to the permanent service.
756
757 --permanent --service=service --get-protocols
758 List protocols added to the permanent service.
759
760 --permanent --service=service
761 --add-source-port=portid[-portid]/protocol
762 Add a new source port to the permanent service.
763
764 --permanent --service=service
765 --remove-source-port=portid[-portid]/protocol
766 Remove a source port from the permanent service.
767
768 --permanent --service=service
769 --query-source-port=portid[-portid]/protocol
770 Return wether the source port has been added to the permanent
771 service.
772
773 --permanent --service=service --get-source-ports
774 List source ports added to the permanent service.
775
776 --permanent --service=service --add-module=module
777 Add a new module to the permanent service.
778
779 --permanent --service=service --remove-module=module
780 Remove a module from the permanent service.
781
782 --permanent --service=service --query-module=module
783 Return wether the module has been added to the permanent service.
784
785 --permanent --service=service --get-modules
786 List modules added to the permanent service.
787
788 --permanent --service=service --set-destination=ipv:address[/mask]
789 Set destination for ipv to address[/mask] in the permanent service.
790
791 --permanent --service=service --remove-destination=ipv
792 Remove the destination for ipv from the permanent service.
793
794 --permanent --service=service --query-destination=ipv:address[/mask]
795 Return whether the destination ipv to address[/mask] has been set in
796 the permanent service.
797
798 --permanent --service=service --get-destinations
799 List destinations added to the permanent service.
800
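The script below is an added example for the permanent service options above; it is not part of this manual or of the firewalld project. It fills a permanent service with ports, a protocol, a connection tracking module and an IPv4 destination, adding each item only when the matching --query-* option exits 1 (absent) and passing any other non-zero exit code up as an error instead of reading it as "absent", then reloads so the permanent definition reaches the runtime configuration. Assumed: a permanent service named myapp was created beforehand with --permanent --new-service=myapp, the script runs as root, 192.0.2.10 is a placeholder address, and the FWCMD variable may be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example (not firewalld project code): populate a permanent
# service idempotently, show it, and activate it with --reload.
# Assumptions: permanent service "myapp" already exists, run as root,
# 192.0.2.10 is a placeholder address; FWCMD may point at a stub.
set -eu
FWCMD="${FWCMD:-firewall-cmd}"
SVC="${SVC:-myapp}"

# svc_ensure QUERY_OPT ADD_OPT VALUE
# --query-* exits 0 when the item is present and 1 when it is absent.
# Any other code (bad value, daemon not running, access denied, ...) is
# a real error and is returned unchanged instead of being read as "absent".
svc_ensure() {
    rc=0
    "$FWCMD" -q --permanent --service="$SVC" "$1=$3" || rc=$?
    case $rc in
        0) return 0 ;;
        1) "$FWCMD" --permanent --service="$SVC" "$2=$3" ;;
        *) echo "$SVC: $1=$3 failed with exit code $rc" >&2; return "$rc" ;;
    esac
}

# Everything the service needs; re-running adds nothing twice.
svc_build() {
    svc_ensure --query-port        --add-port        8443/tcp
    svc_ensure --query-port        --add-port        9000-9010/udp
    svc_ensure --query-protocol    --add-protocol    sctp               # whole IP protocol, no port
    svc_ensure --query-module      --add-module      nf_conntrack_ftp   # only if the app needs a helper
    svc_ensure --query-destination --set-destination ipv4:192.0.2.10/32 # match this address only
}

# Print the permanent definition (what the next reload will activate).
svc_show() {
    for what in ports protocols modules destinations; do
        printf '%-14s' "$what:"
        "$FWCMD" --permanent --service="$SVC" "--get-$what"
    done
}

# Permanent service edits are inert until a reload; confirm in runtime.
svc_apply() {
    "$FWCMD" --reload
    "$FWCMD" --info-service="$SVC"
}

case "${1:-}" in
    build) svc_build; svc_show ;;
    apply) svc_build; svc_show; svc_apply ;;
    "")    ;;                                   # no argument: only define the functions
    *)     echo "usage: $0 build|apply" >&2; exit 2 ;;
esac
```

Saved as a file, "sh FILE build" edits the permanent definition and prints it; "sh FILE apply" also reloads and shows the runtime view with --info-service. Every decision is driven by the exit code of the --query-* option, so a typo in a port or a stopped daemon stops the script instead of producing a half-built service.
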
801 Helper Options
802 Options in this section affect only one particular helper.
803
804 [--permanent] --info-helper=helper
805 Print information about the helper helper. The output format is:
806
807 helper
808 family: family
809 module: module
810 ports: port1 ..
811
812
813
814 The following options are only usable in the permanent configuration.
815
816 --permanent --new-helper=helper --module=nf_conntrack_module
817 [--family=ipv4|ipv6]
818 Add a new permanent helper with module and optionally family
819 defined.
820
821 --permanent --new-helper-from-file=filename [--name=helper]
822 Add a new permanent helper from a prepared helper file with an
823 optional name override.
824
825 --permanent --delete-helper=helper
826 Delete an existing permanent helper.
827
828 --permanent --load-helper-defaults=helper
829 Load helper default settings or report NO_DEFAULTS error.
830
831 --permanent --path-helper=helper
832 Print path of the helper configuration file.
833
834 [--permanent] --get-helpers
835 Print predefined helpers as a space separated list.
836
837 --permanent --helper=helper --set-description=description
838 Set a new description for the helper.
839
840 --permanent --helper=helper --get-description
841 Print the description of the helper.
842
843 --permanent --helper=helper --set-short=description
844 Set the short description of the helper.
845
846 --permanent --helper=helper --get-short
847 Print the short description of the helper.
848
849 --permanent --helper=helper --add-port=portid[-portid]/protocol
850 Add a new port to the permanent helper.
851
852 --permanent --helper=helper --remove-port=portid[-portid]/protocol
853 Remove a port from the permanent helper.
854
855 --permanent --helper=helper --query-port=portid[-portid]/protocol
856 Return whether the port has been added to the permanent helper.
857
858 --permanent --helper=helper --get-ports
859 List ports added to the permanent helper.
860
861 --permanent --helper=helper --set-module=nf_conntrack_module
862 Set the kernel connection tracking module used by the helper.
863
864 --permanent --helper=helper --get-module
865 Print the kernel connection tracking module used by the helper.
866
867 --permanent --helper=helper --set-family=ipv4|ipv6
868 Set the address family of the helper.
869
870 --permanent --helper=helper --get-family
871 Print the address family of the helper.
872
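The script below is an added example for the helper options above; it is not part of this manual or of the firewalld project. It defines a permanent connection tracking helper for an FTP control channel on a non-standard port, creating the helper only once and refusing to edit a helper shipped with firewalld. The distinction is made with --path-helper: a helper that exists has a configuration file, and only files under /etc/firewalld belong to the administrator. Assumed: helper name ftp-alt, module nf_conntrack_ftp, port 2121/tcp, user-defined helpers stored under /etc/firewalld, the script runs as root, and FWCMD may be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example (not firewalld project code): define a permanent conntrack
# helper for an FTP control channel on a non-standard port, creating it
# only once and refusing to touch a helper shipped with firewalld.
# Assumptions: helper ftp-alt, module nf_conntrack_ftp, port 2121/tcp,
# user helpers live under /etc/firewalld, run as root; FWCMD may point
# at a stub.
set -eu
FWCMD="${FWCMD:-firewall-cmd}"
HELPER="${HELPER:-ftp-alt}"
MODULE="${MODULE:-nf_conntrack_ftp}"
PORT="${PORT:-2121/tcp}"

# Print absent, user or builtin. --path-helper prints the file backing
# the helper (INVALID_HELPER, 138, if there is none); anything outside
# /etc/firewalld is a predefined helper that must not be edited.
helper_kind() {
    rc=0
    path=$("$FWCMD" --permanent --path-helper="$HELPER" 2>/dev/null) || rc=$?
    case "$rc:$path" in
        0:/etc/firewalld/*) echo user ;;
        0:*)                echo builtin ;;
        138:*)              echo absent ;;
        *) echo "path-helper failed with exit code $rc" >&2; return 1 ;;
    esac
}

helper_define() {
    case "$(helper_kind)" in
        absent)  "$FWCMD" --permanent --new-helper="$HELPER" --module="$MODULE" ;;
        user)    ;;                      # created by an earlier run; fall through
        builtin) echo "$HELPER is predefined; choose another name" >&2; return 1 ;;
        *)       return 1 ;;
    esac
    rc=0
    "$FWCMD" -q --permanent --helper="$HELPER" --query-port="$PORT" || rc=$?
    case $rc in
        1) "$FWCMD" --permanent --helper="$HELPER" --add-port="$PORT" ;;
        0) ;;
        *) return "$rc" ;;
    esac
    "$FWCMD" --permanent --helper="$HELPER" --set-short="FTP on $PORT"
    "$FWCMD" --permanent --helper="$HELPER" \
        --set-description="$MODULE tracking for an FTP control channel on $PORT"
}

# Helpers are permanent-only objects: reload, then confirm the runtime view.
helper_show()  { "$FWCMD" --permanent --info-helper="$HELPER"; "$FWCMD" --permanent --path-helper="$HELPER"; }
helper_apply() { "$FWCMD" --reload; "$FWCMD" --info-helper="$HELPER"; }

case "${1:-}" in
    define) helper_define; helper_show ;;
    apply)  helper_define; helper_show; helper_apply ;;
    "")     ;;                                   # no argument: only define the functions
    *)      echo "usage: $0 define|apply" >&2; exit 2 ;;
esac
```

"sh FILE define" creates or updates the helper, "sh FILE apply" additionally reloads. --family is left out of --new-helper so the helper is not restricted to one address family; add --family=ipv4 or --family=ipv6 if the server only listens on one.
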
873 Internet Control Message Protocol (ICMP) type Options
874 Options in this section affect only one particular icmptype.
875
876 [--permanent] --info-icmptype=icmptype
877 Print information about the icmptype icmptype. The output format
878 is:
879
880 icmptype
881 destination: ipv1 ..
882
883
884
885 The following options are only usable in the permanent configuration.
886
887 --permanent --new-icmptype=icmptype
888 Add a new permanent and empty icmptype.
889
890 --permanent --new-icmptype-from-file=filename [--name=icmptype]
891 Add a new permanent icmptype from a prepared icmptype file with an
892 optional name override.
893
894 --permanent --delete-icmptype=icmptype
895 Delete an existing permanent icmptype.
896
897 --permanent --load-icmptype-defaults=icmptype
898 Load icmptype default settings or report NO_DEFAULTS error.
899
900 --permanent --icmptype=icmptype --set-description=description
901 Set a new description for the icmptype.
902
903 --permanent --icmptype=icmptype --get-description
904 Print the description of the icmptype.
905
906 --permanent --icmptype=icmptype --set-short=description
907 Set the short description of the icmptype.
908
909 --permanent --icmptype=icmptype --get-short
910 Print the short description of the icmptype.
911
912 --permanent --icmptype=icmptype --add-destination=ipv
913 Enable destination for ipv in permanent icmptype. ipv is one of
914 ipv4 or ipv6.
915
916 --permanent --icmptype=icmptype --remove-destination=ipv
917 Disable destination for ipv in permanent icmptype. ipv is one of
918 ipv4 or ipv6.
919
920 --permanent --icmptype=icmptype --query-destination=ipv
921 Return whether destination for ipv is enabled in permanent
922 icmptype. ipv is one of ipv4 or ipv6.
923
924 --permanent --icmptype=icmptype --get-destinations
925 List destinations in permanent icmptype.
926
927 --permanent --path-icmptype=icmptype
928 Print path of the icmptype configuration file.
929
930 Direct Options
931 The direct options give more direct access to the firewall. These
932 options require the user to know basic iptables concepts, i.e. table
933 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
934 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
935 (ACCEPT/DROP/REJECT/...).
936
937 Direct options should be used only as a last resort, when what you
938 need cannot be expressed with, for example, --add-service=service or
939 --add-rich-rule='rule'.
940
941 The first argument of each option has to be ipv4 or ipv6 or eb. With
942 ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
943 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
944
945 [--permanent] --direct --get-all-chains
946 Get all chains added to all tables. This option concerns only
947 chains previously added with --direct --add-chain.
948
949 [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
950 Get all chains added to table table as a space separated list. This
951 option concerns only chains previously added with --direct
952 --add-chain.
953
954 [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
955 Add a new chain with name chain to table table. Make sure there's
956 no other chain with this name already.
957
958 There already exist basic chains to use with direct options, for
959 example INPUT_direct chain (see iptables-save | grep direct output
960 for all of them). These chains are jumped into before chains for
961 zones, i.e. every rule put into INPUT_direct will be checked before
962 rules in zones.
963
964 [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
965 Remove chain with name chain from table table. Only chains
966 previously added with --direct --add-chain can be removed this way.
967
968 [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
969 Return whether a chain with name chain exists in table table.
970 Returns 0 if true, 1 otherwise. This option concerns only chains
971 previously added with --direct --add-chain.
972
973 [--permanent] --direct --get-all-rules
974 Get all rules added to all chains in all tables as a newline
975 separated list of the priority and arguments. This option concerns
976 only rules previously added with --direct --add-rule.
977
978 [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
979 Get all rules added to chain chain in table table as a newline
980 separated list of the priority and arguments. This option concerns
981 only rules previously added with --direct --add-rule.
982
983 [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
984 priority args
985 Add a rule with the arguments args to chain chain in table table
986 with priority priority.
987
988 The priority is used to order rules. Priority 0 means add rule on
989 top of the chain, with a higher priority the rule will be added
990 further down. Rules with the same priority are on the same level
991 and the order of these rules is not fixed and may change. If you
992 want to make sure that a rule will be added after another one, use
993 a low priority for the first and a higher for the following.
994
995 [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
996 priority args
997 Remove a rule with priority and the arguments args from chain chain
998 in table table. Only rules previously added with --direct
999 --add-rule can be removed this way.
1000
1001 [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1002 Remove all rules from the chain named chain in table table. This
1003 option concerns only rules previously added with --direct --add-rule
1004 to this chain.
1005
1006 [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1007 priority args
1008 Return whether a rule with priority and the arguments args exists
1009 in chain chain in table table. Returns 0 if true, 1 otherwise. This
1010 option concerns only rules previously added with --direct
1011 --add-rule.
1012
1013 --direct --passthrough { ipv4 | ipv6 | eb } args
1014 Pass a command through to the firewall. args can be any iptables,
1015 ip6tables or ebtables command line arguments. This command is
1016 untracked: firewalld keeps no record of it, so it cannot report on it
1017 later, nor list untracked passthroughs. Use --add-passthrough below
1018 when the rule has to be tracked.
1019
1020 [--permanent] --direct --get-all-passthroughs
1021 Get all passthrough rules as a newline separated list of the ipv
1022 value and arguments. This option concerns only rules previously
1023 added with --direct --add-passthrough.
1024
1025 [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1026 Get all passthrough rules for the ipv value as a newline separated
1027 list of the arguments.
1027
1028 [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1029 Add a passthrough rule with the arguments args for the ipv value.
1030
1031 [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1032 Remove a passthrough rule with the arguments args for the ipv
1033 value.
1034
1035 [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1036 Return whether a passthrough rule with the arguments args exists
1037 for the ipv value. Returns 0 if true, 1 otherwise.
1038
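The script below is an added example for the direct options above; it is not part of this manual or of the firewalld project. It installs a small rule set that logs and drops new SSH connections from everywhere except an admin network, in both runtime and permanent configuration, and checks the result with --query-rule. The point is the priority: the RETURN for the admin network (priority 0) has to be evaluated before the rate-limited LOG (1) and the DROP (2), and because rules in INPUT_direct run before the zone rules, the DROP wins over any zone that allows ssh. A rich rule could express this as well; direct rules are used here only to show their mechanics. Assumed: IPv4 only, admin network 192.0.2.0/24 (a placeholder), chain name ssh_guard, that rules given for chain INPUT are placed by firewalld in INPUT_direct, the script runs as root, and FWCMD may be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example (not firewalld project code): a direct-rule set that logs
# and drops new SSH connections from everywhere except an admin network,
# installed in runtime and permanent configuration and verified with
# --query-rule. Priorities order the chain: the admin RETURN (0) must be
# evaluated before the rate-limited LOG (1) and the DROP (2).
# Assumptions: IPv4, admin network 192.0.2.0/24 (placeholder), chain name
# ssh_guard, run as root; FWCMD may point at a stub.
set -eu
FWCMD="${FWCMD:-firewall-cmd}"
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"
CHAIN="${CHAIN:-ssh_guard}"

# each_rule CALLBACK: invoke CALLBACK with "table chain priority args..."
# for every rule, so add, query and remove always see identical arguments
# (--remove-rule only matches an exact priority and argument list).
# Rules given for chain INPUT land in INPUT_direct, ahead of zone rules.
each_rule() {
    "$1" filter INPUT    0 -p tcp --dport 22 -m conntrack --ctstate NEW -j "$CHAIN"
    "$1" filter "$CHAIN" 0 -s "$ADMIN_NET" -j RETURN
    "$1" filter "$CHAIN" 1 -m limit --limit 6/min -j LOG --log-prefix "ssh-drop: "
    "$1" filter "$CHAIN" 2 -j DROP
}

# fw_direct SCOPE ARGS...: SCOPE is runtime or permanent.
fw_direct() {
    scope=$1; shift
    if [ "$scope" = permanent ]; then "$FWCMD" --permanent --direct "$@"
    else "$FWCMD" --direct "$@"; fi
}

# Add a chain or rule only when --query-* says it is absent (exit 1);
# adding an existing one fails with ALREADY_ENABLED, and other codes
# (bad table, daemon down, ...) must not be mistaken for "absent".
add_if_missing() {    # add_if_missing WHAT ARGS...  (WHAT: chain | rule)
    what=$1; shift
    rc=0
    fw_direct "$SCOPE" "--query-$what" ipv4 "$@" >/dev/null || rc=$?
    case $rc in
        1) fw_direct "$SCOPE" "--add-$what" ipv4 "$@" ;;
        0) ;;
        *) return "$rc" ;;
    esac
}
add_rule()      { add_if_missing rule "$@"; }
count_missing() { fw_direct "$SCOPE" --query-rule ipv4 "$@" >/dev/null || missing=$((missing + 1)); }
remove_rule()   { fw_direct "$SCOPE" --remove-rule ipv4 "$@"; }

install_ssh_guard() {
    for SCOPE in runtime permanent; do
        add_if_missing chain filter "$CHAIN"
        each_rule add_rule
    done
}

# Returns the number of rules missing from SCOPE (0 means fully installed).
verify_ssh_guard() {
    SCOPE=${1:-runtime}
    missing=0
    each_rule count_missing
    fw_direct "$SCOPE" --get-rules ipv4 filter "$CHAIN"
    return "$missing"
}

# Rules first (the jump out of INPUT before the chain it targets), then the chain.
remove_ssh_guard() {
    for SCOPE in runtime permanent; do
        each_rule remove_rule
        fw_direct "$SCOPE" --remove-chain ipv4 filter "$CHAIN"
    done
}

case "${1:-}" in
    install) install_ssh_guard; verify_ssh_guard runtime ;;
    verify)  verify_ssh_guard "${2:-runtime}" ;;
    remove)  remove_ssh_guard ;;
    "")      ;;                                   # no argument: only define the functions
    *)       echo "usage: $0 install|verify [runtime|permanent]|remove" >&2; exit 2 ;;
esac
```

Keeping the rule list in one function is what makes "sh FILE remove" reliable: --remove-rule matches on the exact priority and argument list, so a removal written by hand with the arguments in a different order silently fails with NOT_ENABLED and leaves the rule in place.
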
1039 Lockdown Options
1040 Local applications or services are able to change the firewall
1041 configuration if they are running as root (example: libvirt) or are
1042 authenticated using PolicyKit. With this feature administrators can
1043 lock the firewall configuration so that only applications on the
1044 lockdown whitelist are able to request firewall changes.
1045
1046 The lockdown access check limits D-Bus methods that are changing
1047 firewall rules. Query, list and get methods are not limited.
1048
1049 The lockdown feature is a very light version of user and application
1050 policies for firewalld and is turned off by default.
1051
1052 --lockdown-on
1053 Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
1054 whitelist when you enable lockdown, you won't be able to disable it
1055 again with firewall-cmd; you would need to edit firewalld.conf.
1056
1057 This is a runtime and permanent change.
1058
1059 --lockdown-off
1060 Disable lockdown.
1061
1062 This is a runtime and permanent change.
1063
1064 --query-lockdown
1065 Query whether lockdown is enabled. Returns 0 if lockdown is
1066 enabled, 1 otherwise.
1067
1068 Lockdown Whitelist Options
1069 The lockdown whitelist can contain commands, contexts, users and user
1070 ids.
1071
1072 If a command entry on the whitelist ends with an asterisk '*', then all
1073 command lines starting with the command will match. Without the '*',
1074 the absolute command including its arguments must match exactly.
1075
1076 The command line used for root and for other users is not always the
1077 same. Example: as root /bin/firewall-cmd is used, as a normal user
1078 /usr/bin/firewall-cmd is used on Fedora.
1079
1080 The context is the security (SELinux) context of a running application
1081 or service. To get the context of a running application use ps -e
1082 --context.
1083
1084 Warning: If the context is unconfined, then this will open access for
1085 more than the desired application.
1086
1087 The lockdown whitelist entries are checked in the following order:
1088 1. context
1089 2. uid
1090 3. user
1091 4. command
1092
1093 [--permanent] --list-lockdown-whitelist-commands
1094 List all command lines that are on the whitelist.
1095
1096 [--permanent] --add-lockdown-whitelist-command=command
1097 Add the command to the whitelist.
1098
1099 [--permanent] --remove-lockdown-whitelist-command=command
1100 Remove the command from the whitelist.
1101
1102 [--permanent] --query-lockdown-whitelist-command=command
1103 Query whether the command is on the whitelist. Returns 0 if true, 1
1104 otherwise.
1105
1106 [--permanent] --list-lockdown-whitelist-contexts
1107 List all contexts that are on the whitelist.
1108
1109 [--permanent] --add-lockdown-whitelist-context=context
1110 Add the context context to the whitelist.
1111
1112 [--permanent] --remove-lockdown-whitelist-context=context
1113 Remove the context from the whitelist.
1114
1115 [--permanent] --query-lockdown-whitelist-context=context
1116 Query whether the context is on the whitelist. Returns 0 if true, 1
1117 otherwise.
1118
1119 [--permanent] --list-lockdown-whitelist-uids
1120 List all user ids that are on the whitelist.
1121
1122 [--permanent] --add-lockdown-whitelist-uid=uid
1123 Add the user id uid to the whitelist.
1124
1125 [--permanent] --remove-lockdown-whitelist-uid=uid
1126 Remove the user id uid from the whitelist.
1127
1128 [--permanent] --query-lockdown-whitelist-uid=uid
1129 Query whether the user id uid is on the whitelist. Returns 0 if
1130 true, 1 otherwise.
1131
1132 [--permanent] --list-lockdown-whitelist-users
1133 List all user names that are on the whitelist.
1134
1135 [--permanent] --add-lockdown-whitelist-user=user
1136 Add the user name user to the whitelist.
1137
1138 [--permanent] --remove-lockdown-whitelist-user=user
1139 Remove the user name user from the whitelist.
1140
1141 [--permanent] --query-lockdown-whitelist-user=user
1142 Query whether the user name user is on the whitelist. Returns 0 if
1143 true, 1 otherwise.
1144
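The script below is an added example for the lockdown and lockdown whitelist options above; it is not part of this manual or of the firewalld project. It enables lockdown in the order that avoids the lock-out warned about under --lockdown-on: the whitelist entry for firewall-cmd is added to the runtime and the permanent configuration first, lockdown is switched on, and write access is then probed with a harmless modifying request (re-adding the entry) so that ALREADY_ENABLED (11) confirms access while ACCESS_DENIED (29) reveals a mismatch while the recovery path is still fresh. Assumed: FW_CMDLINE is the command line firewalld sees for your firewall-cmd (this script assumes firewalld compares the caller's full command line, so where firewall-cmd is started through an interpreter that prefix would have to be part of the entry; confirm the right value for your installation before relying on it), the script runs as root, and FWCMD may be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example (not firewalld project code): enable lockdown without
# locking yourself out. The whitelist entry for firewall-cmd goes into
# runtime and permanent configuration first, lockdown is switched on, and
# write access is then probed so a mismatch is noticed immediately.
# Assumptions: FW_CMDLINE is the command line firewalld sees for your
# firewall-cmd (check it for your installation); run as root; FWCMD may
# point at a stub.
set -eu
FWCMD="${FWCMD:-firewall-cmd}"
FW_CMDLINE="${FW_CMDLINE:-/usr/bin/firewall-cmd*}"   # trailing * matches any arguments

fw_scope() {    # fw_scope runtime|permanent ARGS...
    s=$1; shift
    if [ "$s" = permanent ]; then "$FWCMD" --permanent "$@"; else "$FWCMD" "$@"; fi
}

# Make sure the entry exists in both scopes (query exits 1 when absent).
whitelist_prepare() {
    for scope in runtime permanent; do
        fw_scope "$scope" --query-lockdown-whitelist-command="$FW_CMDLINE" >/dev/null \
            || fw_scope "$scope" --add-lockdown-whitelist-command="$FW_CMDLINE"
    done
}

# With lockdown on, re-adding the entry is a harmless write request:
# ALREADY_ENABLED (11) or success proves this process is still allowed
# to change the firewall, ACCESS_DENIED (29) means it is not.
lockdown_probe() {
    rc=0
    "$FWCMD" --add-lockdown-whitelist-command="$FW_CMDLINE" >/dev/null 2>&1 || rc=$?
    case $rc in
        0|11) return 0 ;;
        29)   return 1 ;;
        *)    echo "probe failed with exit code $rc" >&2; return 1 ;;
    esac
}

lockdown_enable() {
    whitelist_prepare
    "$FWCMD" --lockdown-on
    if lockdown_probe; then
        echo "lockdown on; $FW_CMDLINE keeps write access"
        return 0
    fi
    echo "LOCKED OUT: firewall-cmd can no longer change the firewall." >&2
    echo "Recover by setting Lockdown=no in firewalld.conf and restarting firewalld." >&2
    return 1
}

lockdown_state() {
    rc=0
    "$FWCMD" -q --query-lockdown || rc=$?
    case $rc in 0) echo on ;; 1) echo off ;; *) echo "error $rc" >&2; return 1 ;; esac
}

case "${1:-}" in
    on)    lockdown_enable ;;
    off)   "$FWCMD" --lockdown-off ;;
    state) lockdown_state ;;
    "")    ;;                                   # no argument: only define the functions
    *)     echo "usage: $0 on|off|state" >&2; exit 2 ;;
esac
```

The probe uses an add rather than a query because, as the text above says, query, list and get methods are never limited by lockdown and therefore prove nothing about write access. The recovery message follows the --lockdown-on warning: once locked out, the change has to be reverted in firewalld.conf, not through firewall-cmd.
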
1145 Panic Options
1146 --panic-on
1147 Enable panic mode. All incoming and outgoing packets are dropped,
1148 active connections will expire. Enable this only if there are
1149 serious problems with your network environment, for example if the
1150 machine is being broken into.
1151
1152 This is a runtime only change.
1153
1154 --panic-off
1155 Disable panic mode. After disabling panic mode established
1156 connections might work again, if panic mode was enabled for a short
1157 period of time.
1158
1159 This is a runtime only change.
1160
1161 --query-panic
1162 Returns 0 if panic mode is enabled, 1 otherwise.
1163
1164 EXAMPLES
1165 For more examples see http://fedoraproject.org/wiki/FirewallD
1166
1167 Example 1
1168 Enable http service in default zone. This is a runtime only change,
1169 i.e. effective until the next reload or restart.
1170
1171 firewall-cmd --add-service=http
1172
1173
1174
1175 Example 2
1176 Enable port 443/tcp immediately and permanently in default zone. To
1177 make the change effective immediately and also after restart we need
1178 two commands. The first command makes the change in runtime
1179 configuration, i.e. makes it effective immediately, until restart. The
1180 second command makes the change in permanent configuration, i.e. makes
1181 it effective after restart.
1182
1183 firewall-cmd --add-port=443/tcp
1184 firewall-cmd --permanent --add-port=443/tcp
1185
1186
1187
1188 EXIT CODES
1189 On success 0 is returned. On failure the output is colored red and the
1190 exit code is either 2 in case of wrong command-line option usage or one
1191 of the following error codes in other cases:
1192
1193 ┌────────────────────┬──────┐
1194 │String │ Code │
1195 ├────────────────────┼──────┤
1196 │ALREADY_ENABLED │ 11 │
1197 ├────────────────────┼──────┤
1198 │NOT_ENABLED │ 12 │
1199 ├────────────────────┼──────┤
1200 │COMMAND_FAILED │ 13 │
1201 ├────────────────────┼──────┤
1202 │NO_IPV6_NAT │ 14 │
1203 ├────────────────────┼──────┤
1204 │PANIC_MODE │ 15 │
1205 ├────────────────────┼──────┤
1206 │ZONE_ALREADY_SET │ 16 │
1207 ├────────────────────┼──────┤
1208 │UNKNOWN_INTERFACE │ 17 │
1209 ├────────────────────┼──────┤
1210 │ZONE_CONFLICT │ 18 │
1211 ├────────────────────┼──────┤
1212 │BUILTIN_CHAIN │ 19 │
1213 ├────────────────────┼──────┤
1214 │EBTABLES_NO_REJECT │ 20 │
1215 ├────────────────────┼──────┤
1216 │NOT_OVERLOADABLE │ 21 │
1217 ├────────────────────┼──────┤
1218 │NO_DEFAULTS │ 22 │
1219 ├────────────────────┼──────┤
1220 │BUILTIN_ZONE │ 23 │
1221 ├────────────────────┼──────┤
1222 │BUILTIN_SERVICE │ 24 │
1223 ├────────────────────┼──────┤
1224 │BUILTIN_ICMPTYPE │ 25 │
1225 ├────────────────────┼──────┤
1226 │NAME_CONFLICT │ 26 │
1227 ├────────────────────┼──────┤
1228 │NAME_MISMATCH │ 27 │
1229 ├────────────────────┼──────┤
1230 │PARSE_ERROR │ 28 │
1231 ├────────────────────┼──────┤
1232 │ACCESS_DENIED │ 29 │
1233 ├────────────────────┼──────┤
1234 │UNKNOWN_SOURCE │ 30 │
1235 ├────────────────────┼──────┤
1236 │RT_TO_PERM_FAILED │ 31 │
1237 ├────────────────────┼──────┤
1238 │IPSET_WITH_TIMEOUT │ 32 │
1239 ├────────────────────┼──────┤
1240 │BUILTIN_IPSET │ 33 │
1241 ├────────────────────┼──────┤
1242 │ALREADY_SET │ 34 │
1243 ├────────────────────┼──────┤
1244 │MISSING_IMPORT │ 35 │
1245 ├────────────────────┼──────┤
1246 │DBUS_ERROR │ 36 │
1247 ├────────────────────┼──────┤
1248 │BUILTIN_HELPER │ 37 │
1249 ├────────────────────┼──────┤
1250 │NOT_APPLIED │ 38 │
1251 ├────────────────────┼──────┤
1252 │INVALID_ACTION │ 100 │
1253 ├────────────────────┼──────┤
1254 │INVALID_SERVICE │ 101 │
1255 ├────────────────────┼──────┤
1256 │INVALID_PORT │ 102 │
1257 ├────────────────────┼──────┤
1258 │INVALID_PROTOCOL │ 103 │
1259 ├────────────────────┼──────┤
1260 │INVALID_INTERFACE │ 104 │
1261 ├────────────────────┼──────┤
1262 │INVALID_ADDR │ 105 │
1263 ├────────────────────┼──────┤
1264 │INVALID_FORWARD │ 106 │
1265 ├────────────────────┼──────┤
1266 │INVALID_ICMPTYPE │ 107 │
1267 ├────────────────────┼──────┤
1268 │INVALID_TABLE │ 108 │
1269 ├────────────────────┼──────┤
1270 │INVALID_CHAIN │ 109 │
1271 ├────────────────────┼──────┤
1272 │INVALID_TARGET │ 110 │
1273 ├────────────────────┼──────┤
1274 │INVALID_IPV │ 111 │
1275 ├────────────────────┼──────┤
1276 │INVALID_ZONE │ 112 │
1277 ├────────────────────┼──────┤
1278 │INVALID_PROPERTY │ 113 │
1279 ├────────────────────┼──────┤
1280 │INVALID_VALUE │ 114 │
1281 ├────────────────────┼──────┤
1282 │INVALID_OBJECT │ 115 │
1283 ├────────────────────┼──────┤
1284 │INVALID_NAME │ 116 │
1285 ├────────────────────┼──────┤
1286 │INVALID_FILENAME │ 117 │
1287 ├────────────────────┼──────┤
1288 │INVALID_DIRECTORY │ 118 │
1289 ├────────────────────┼──────┤
1290 │INVALID_TYPE │ 119 │
1291 ├────────────────────┼──────┤
1292 │INVALID_SETTING │ 120 │
1293 ├────────────────────┼──────┤
1294 │INVALID_DESTINATION │ 121 │
1295 ├────────────────────┼──────┤
1296 │INVALID_RULE │ 122 │
1297 ├────────────────────┼──────┤
1298 │INVALID_LIMIT │ 123 │
1299 ├────────────────────┼──────┤
1300 │INVALID_FAMILY │ 124 │
1301 ├────────────────────┼──────┤
1302 │INVALID_LOG_LEVEL │ 125 │
1303 ├────────────────────┼──────┤
1304 │INVALID_AUDIT_TYPE │ 126 │
1305 ├────────────────────┼──────┤
1306 │INVALID_MARK │ 127 │
1307 ├────────────────────┼──────┤
1308 │INVALID_CONTEXT │ 128 │
1309 ├────────────────────┼──────┤
1310 │INVALID_COMMAND │ 129 │
1311 ├────────────────────┼──────┤
1312 │INVALID_USER │ 130 │
1313 ├────────────────────┼──────┤
1314 │INVALID_UID │ 131 │
1315 ├────────────────────┼──────┤
1316 │INVALID_MODULE │ 132 │
1317 ├────────────────────┼──────┤
1318 │INVALID_PASSTHROUGH │ 133 │
1319 ├────────────────────┼──────┤
1320 │INVALID_MAC │ 134 │
1321 ├────────────────────┼──────┤
1322 │INVALID_IPSET │ 135 │
1323 ├────────────────────┼──────┤
1324 │INVALID_ENTRY │ 136 │
1325 ├────────────────────┼──────┤
1326 │INVALID_OPTION │ 137 │
1327 ├────────────────────┼──────┤
1328 │INVALID_HELPER │ 138 │
1329 ├────────────────────┼──────┤
1330 │MISSING_TABLE │ 200 │
1331 ├────────────────────┼──────┤
1332 │MISSING_CHAIN │ 201 │
1333 ├────────────────────┼──────┤
1334 │MISSING_PORT │ 202 │
1335 ├────────────────────┼──────┤
1336 │MISSING_PROTOCOL │ 203 │
1337 ├────────────────────┼──────┤
1338 │MISSING_ADDR │ 204 │
1339 ├────────────────────┼──────┤
1340 │MISSING_NAME │ 205 │
1341 ├────────────────────┼──────┤
1342 │MISSING_SETTING │ 206 │
1343 ├────────────────────┼──────┤
1344 │MISSING_FAMILY │ 207 │
1345 ├────────────────────┼──────┤
1346 │RUNNING_BUT_FAILED │ 251 │
1347 ├────────────────────┼──────┤
1348 │NOT_RUNNING │ 252 │
1349 ├────────────────────┼──────┤
1350 │NOT_AUTHORIZED │ 253 │
1351 ├────────────────────┼──────┤
1352 │UNKNOWN_ERROR │ 254 │
1353 └────────────────────┴──────┘
1354
1355 Note that return codes of --query-* options are special: Successful
1356 queries return 0, unsuccessful ones return 1 unless an error occurred
1357 in which case the table above applies.
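
The script below is an added example serving both Example 2 above (the two commands needed for a runtime and a permanent change) and the exit codes listed in this section; it is not part of this manual or of the firewalld project. fw_query turns the special --query-* convention into a word a script can test, keeping "no" (exit 1) apart from a real error. fw_change applies one change to the runtime and the permanent configuration as a pair: ALREADY_ENABLED (11) counts as success, any other failure is reported by name, and a runtime change the function made itself is undone when the permanent half fails, so the two configurations do not drift apart. Assumed: the script runs as root, and FWCMD may be pointed at a stub for a dry run.

```shell
#!/bin/sh
# Added example (not firewalld project code): exit-code handling for
# scripts. fw_query separates "no" (exit 1) from a real error; fw_change
# applies one change to runtime and permanent configuration as a pair,
# treats ALREADY_ENABLED (11) as success, and undoes a runtime change it
# made itself if the permanent half fails, so the two never drift apart.
# Assumptions: run as root; FWCMD may point at a stub.
set -eu
FWCMD="${FWCMD:-firewall-cmd}"

# Names for the codes a script usually branches on (see the table above).
fw_code_name() {
    case $1 in
        0)   echo SUCCESS ;;          2)   echo USAGE ;;
        11)  echo ALREADY_ENABLED ;;  12)  echo NOT_ENABLED ;;
        13)  echo COMMAND_FAILED ;;   29)  echo ACCESS_DENIED ;;
        101) echo INVALID_SERVICE ;;  102) echo INVALID_PORT ;;
        112) echo INVALID_ZONE ;;     252) echo NOT_RUNNING ;;
        253) echo NOT_AUTHORIZED ;;   254) echo UNKNOWN_ERROR ;;
        *)   echo "CODE_$1" ;;
    esac
}

# fw_query ARGS...: print yes or no (exit 0 either way, so callers can
# use the word), or error:<NAME> with exit 2 when the query itself failed.
fw_query() {
    rc=0
    "$FWCMD" -q "$@" || rc=$?
    case $rc in
        0) echo yes ;;
        1) echo no ;;
        *) echo "error:$(fw_code_name "$rc")"; return 2 ;;
    esac
}

# fw_change ADD_OPT REMOVE_OPT [COMMON_OPTS...], for example
#   fw_change --add-port=443/tcp --remove-port=443/tcp --zone=public
fw_change() {
    add=$1; remove=$2; shift 2
    rc=0
    "$FWCMD" -q "$@" "$add" || rc=$?
    case $rc in
        0)  added_runtime=1 ;;
        11) added_runtime=0 ;;          # was already active: not ours to revert
        *)  echo "runtime $add: $(fw_code_name "$rc")" >&2; return "$rc" ;;
    esac
    rc=0
    "$FWCMD" -q --permanent "$@" "$add" || rc=$?
    case $rc in 0|11) return 0 ;; esac
    echo "permanent $add: $(fw_code_name "$rc")" >&2
    if [ "$added_runtime" = 1 ]; then
        echo "reverting runtime $add so runtime and permanent stay in step" >&2
        "$FWCMD" -q "$@" "$remove" || true
    fi
    return "$rc"
}

# Stand-alone: sh thisfile.sh --add-port=443/tcp --remove-port=443/tcp [--zone=ZONE]
if [ $# -ge 2 ]; then
    fw_change "$@"
fi
```

The rollback is deliberately limited to changes the function made: if the runtime add returned ALREADY_ENABLED the item was active before the script ran, and removing it would change the firewall beyond what the caller asked for.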
1358
1359 SEE ALSO
1360 firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1361 firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1362 firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1363 offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1364 firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1365 firewalld.helper(5)
1366
1367 NOTES
1368 firewalld home page:
1369 http://firewalld.org
1370
1371 More documentation with examples:
1372 http://fedoraproject.org/wiki/FirewallD
1373
1374 AUTHORS
1375 Thomas Woerner <twoerner@redhat.com>
1376 Developer
1377
1378 Jiri Popelka <jpopelka@redhat.com>
1379 Developer
1380
1381
1382
1383firewalld 0.6.3 FIREWALL-CMD(1)