1FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)
2
3
4

NAME

6       firewall-cmd - firewalld command line client
7

SYNOPSIS

9       firewall-cmd [OPTIONS...]
10

DESCRIPTION

12       firewall-cmd is the command line client of the firewalld daemon. It
13       provides interface to manage runtime and permanent configuration.
14
15       The runtime configuration in firewalld is separated from the permanent
16       configuration. This means that things can get changed in the runtime or
17       permanent configuration.
18

OPTIONS

20       For sequence options, this are the options that can be specified
21       multiple times, the exit code is 0 if there is at least one item that
22       succeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also
23       ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are
24       issues while parsing the items, then these are treated as warnings and
25       will not change the result as long as there is a succeeded one. Without
26       any succeeded item, the exit code will depend on the error codes. If
27       there is exactly one error code, then this is used. If there are more
28       than one then UNKNOWN_ERROR (254) will be used.
29
30       The following options are supported:
31
32   General Options
33       -h, --help
34           Prints a short help text and exits.
35
36       -V, --version
37           Print the version string of firewalld. This option is not
38           combinable with other options.
39
40       -q, --quiet
41           Do not print status messages.
42
43   Status Options
44       --state
45           Check whether the firewalld daemon is active (i.e. running).
46           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if
47           failure occurred on startup, NOT_RUNNING otherwise. See the section
48           called “EXIT CODES”. This will also print the state to STDOUT.
49
50       --reload
51           Reload firewall rules and keep state information. Current permanent
52           configuration will become new runtime configuration, i.e. all
53           runtime only changes done until reload are lost with reload if they
54           have not been also in permanent configuration.
55
56           Note: Runtime changes applied via the direct interface are not
57           affected and will therefore stay in place until firewalld daemon is
58           restarted completely.
59
60       --complete-reload
61           Reload firewall completely, even netfilter kernel modules. This
62           will most likely terminate active connections, because state
63           information is lost. This option should only be used in case of
64           severe firewall problems. For example if there are state
65           information problems that no connection can be established with
66           correct firewall rules.
67
68           Note: Runtime changes applied via the direct interface are not
69           affected and will therefore stay in place until firewalld daemon is
70           restarted completely.
71
72       --runtime-to-permanent
73           Save active runtime configuration and overwrite permanent
74           configuration with it. The way this is supposed to work is that
75           when configuring firewalld you do runtime changes only and once
76           you're happy with the configuration and you tested that it works
77           the way you want, you save the configuration to disk.
78
79   Log Denied Options
80       --get-log-denied
81           Print the log denied setting.
82
83       --set-log-denied=value
84           Add logging rules right before reject and drop rules in the INPUT,
85           FORWARD and OUTPUT chains for the default rules and also final
86           reject and drop rules in zones for the configured link-layer packet
87           type. The possible values are: all, unicast, broadcast, multicast
88           and off. The default setting is off, which disables the logging.
89
90           This is a runtime and permanent change and will also reload the
91           firewall to be able to add the logging rules.
92
93   Automatic Helpers Options
94       --get-automatic-helpers
95           Print the automatic helpers setting.
96
97       --set-automatic-helpers=value
98           For the secure use of iptables and connection tracking helpers it
99           is recommended to turn AutomaticHelpers off. But this might have
100           side effects on other services using the netfilter helpers as the
101           sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
102           be changed. With the system setting, the default value set in the
103           kernel or with sysctl will be used. Possible values are: yes, no
104           and system. The default value is system.
105
106           This is a runtime and permanent change and will also reload the
107           firewall to be able to make the helpers usable.
108
109   Permanent Options
110       --permanent
111           The permanent option --permanent can be used to set options
112           permanently. These changes are not effective immediately, only
113           after service restart/reload or system reboot. Without the
114           --permanent option, a change will only be part of the runtime
115           configuration.
116
117           If you want to make a change in runtime and permanent
118           configuration, use the same call with and without the --permanent
119           option.
120
121           The --permanent option can be optionally added to all options
122           further down where it is supported.
123
124   Zone Options
125       --get-default-zone
126           Print default zone for connections and interfaces.
127
128       --set-default-zone=zone
129           Set default zone for connections and interfaces where no zone has
130           been selected. Setting the default zone changes the zone for the
131           connections or interfaces, that are using the default zone.
132
133           This is a runtime and permanent change.
134
135       --get-active-zones
136           Print currently active zones altogether with interfaces and sources
137           used in these zones. Active zones are zones, that have a binding to
138           an interface or source. The output format is:
139
140               zone1
141                 interfaces: interface1 interface2 ..
142                 sources: source1 ..
143               zone2
144                 interfaces: interface3 ..
145               zone3
146                 sources: source2 ..
147
148
149           If there are no interfaces or sources bound to the zone, the
150           corresponding line will be omitted.
151
152       [--permanent] --get-zones
153           Print predefined zones as a space separated list.
154
155       [--permanent] --get-services
156           Print predefined services as a space separated list.
157
158       [--permanent] --get-icmptypes
159           Print predefined icmptypes as a space separated list.
160
161       [--permanent] --get-zone-of-interface=interface
162           Print the name of the zone the interface is bound to or no zone.
163
164       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
165           Print the name of the zone the source is bound to or no zone.
166
167       [--permanent] --info-zone=zone
168           Print information about the zone zone. The output format is:
169
170               zone
171                 interfaces: interface1 ..
172                 sources: source1 ..
173                 services: service1 ..
174                 ports: port1 ..
175                 protocols: protocol1 ..
176                 forward-ports:
177                       forward-port1
178                       ..
179                 source-ports: source-port1 ..
180                 icmp-blocks: icmp-type1 ..
181                 rich rules:
182                       rich-rule1
183                       ..
184
185
186
187       [--permanent] --list-all-zones
188           List everything added for or enabled in all zones. The output
189           format is:
190
191               zone1
192                 interfaces: interface1 ..
193                 sources: source1 ..
194                 services: service1 ..
195                 ports: port1 ..
196                 protocols: protocol1 ..
197                 forward-ports:
198                       forward-port1
199                       ..
200                 icmp-blocks: icmp-type1 ..
201                 rich rules:
202                       rich-rule1
203                       ..
204               ..
205
206
207
208       --permanent --new-zone=zone
209           Add a new permanent and empty zone.
210
211       --permanent --new-zone-from-file=filename [--name=zone]
212           Add a new permanent zone from a prepared zone file with an optional
213           name override.
214
215       --permanent --delete-zone=zone
216           Delete an existing permanent zone.
217
218       --permanent --load-zone-defaults=zone
219           Load zone default settings or report NO_DEFAULTS error.
220
221       --permanent --path-zone=zone
222           Print path of the zone configuration file.
223
224       --permanent --zone=zone --set-description=description
225           Set new description to zone
226
227       --permanent --zone=zone --get-description
228           Print description for zone
229
230       --permanent --zone=zone --set-short=description
231           Set short description to zone
232
233       --permanent --zone=zone --get-short
234           Print short description for zone
235
236       --permanent [--zone=zone] --get-target
237           Get the target of a permanent zone.
238
239       --permanent [--zone=zone] --set-target=target
240           Set the target of a permanent zone.  target is one of: default,
241           ACCEPT, DROP, REJECT
242
243   Options to Adapt and Query Zones
244       Options in this section affect only one particular zone. If used with
245       --zone=zone option, they affect the zone zone. If the option is
246       omitted, they affect default zone (see --get-default-zone).
247
248       [--permanent] [--zone=zone] --list-all
249           List everything added for or enabled in zone. If zone is omitted,
250           default zone will be used.
251
252       [--permanent] [--zone=zone] --list-services
253           List services added for zone as a space separated list. If zone is
254           omitted, default zone will be used.
255
256       [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
257           Add a service for zone. If zone is omitted, default zone will be
258           used. This option can be specified multiple times. If a timeout is
259           supplied, the rule will be active for the specified amount of time
260           and will be removed automatically afterwards.  timeval is either a
261           number (of seconds) or number followed by one of characters s
262           (seconds), m (minutes), h (hours), for example 20m or 1h.
263
264           The service is one of the firewalld provided services. To get a
265           list of the supported services, use firewall-cmd --get-services.
266
267           The --timeout option is not combinable with the --permanent option.
268
269       [--permanent] [--zone=zone] --remove-service=service
270           Remove a service from zone. This option can be specified multiple
271           times. If zone is omitted, default zone will be used.
272
273       [--permanent] [--zone=zone] --query-service=service
274           Return whether service has been added for zone. If zone is omitted,
275           default zone will be used. Returns 0 if true, 1 otherwise.
276
277       [--permanent] [--zone=zone] --list-ports
278           List ports added for zone as a space separated list. A port is of
279           the form portid[-portid]/protocol, it can be either a port and
280           protocol pair or a port range with a protocol. If zone is omitted,
281           default zone will be used.
282
283       [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
284       [--timeout=timeval]
285           Add the port for zone. If zone is omitted, default zone will be
286           used. This option can be specified multiple times. If a timeout is
287           supplied, the rule will be active for the specified amount of time
288           and will be removed automatically afterwards.  timeval is either a
289           number (of seconds) or number followed by one of characters s
290           (seconds), m (minutes), h (hours), for example 20m or 1h.
291
292           The port can either be a single port number or a port range
293           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
294
295           The --timeout option is not combinable with the --permanent option.
296
297       [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
298           Remove the port from zone. If zone is omitted, default zone will be
299           used. This option can be specified multiple times.
300
301       [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
302           Return whether the port has been added for zone. If zone is
303           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
304
305       [--permanent] [--zone=zone] --list-protocols
306           List protocols added for zone as a space separated list. If zone is
307           omitted, default zone will be used.
308
309       [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
310           Add the protocol for zone. If zone is omitted, default zone will be
311           used. This option can be specified multiple times. If a timeout is
312           supplied, the rule will be active for the specified amount of time
313           and will be removed automatically afterwards.  timeval is either a
314           number (of seconds) or number followed by one of characters s
315           (seconds), m (minutes), h (hours), for example 20m or 1h.
316
317           The protocol can be any protocol supported by the system. Please
318           have a look at /etc/protocols for supported protocols.
319
320           The --timeout option is not combinable with the --permanent option.
321
322       [--permanent] [--zone=zone] --remove-protocol=protocol
323           Remove the protocol from zone. If zone is omitted, default zone
324           will be used. This option can be specified multiple times.
325
326       [--permanent] [--zone=zone] --query-protocol=protocol
327           Return whether the protocol has been added for zone. If zone is
328           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
329
330       [--permanent] [--zone=zone] --list-source-ports
331           List source ports added for zone as a space separated list. A port
332           is of the form portid[-portid]/protocol. If zone is omitted,
333           default zone will be used.
334
335       [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
336       [--timeout=timeval]
337           Add the source port for zone. If zone is omitted, default zone will
338           be used. This option can be specified multiple times. If a timeout
339           is supplied, the rule will be active for the specified amount of
340           time and will be removed automatically afterwards.  timeval is
341           either a number (of seconds) or number followed by one of
342           characters s (seconds), m (minutes), h (hours), for example 20m or
343           1h.
344
345           The port can either be a single port number or a port range
346           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
347
348           The --timeout option is not combinable with the --permanent option.
349
350       [--permanent] [--zone=zone]
351       --remove-source-port=portid[-portid]/protocol
352           Remove the source port from zone. If zone is omitted, default zone
353           will be used. This option can be specified multiple times.
354
355       [--permanent] [--zone=zone]
356       --query-source-port=portid[-portid]/protocol
357           Return whether the source port has been added for zone. If zone is
358           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
359
360       [--permanent] [--zone=zone] --list-icmp-blocks
361           List Internet Control Message Protocol (ICMP) type blocks added for
362           zone as a space separated list. If zone is omitted, default zone
363           will be used.
364
365       [--permanent] [--zone=zone] --add-icmp-block=icmptype
366       [--timeout=timeval]
367           Add an ICMP block for icmptype for zone. If zone is omitted,
368           default zone will be used. This option can be specified multiple
369           times. If a timeout is supplied, the rule will be active for the
370           specified amount of time and will be removed automatically
371           afterwards.  timeval is either a number (of seconds) or number
372           followed by one of characters s (seconds), m (minutes), h (hours),
373           for example 20m or 1h.
374
375           The icmptype is the one of the icmp types firewalld supports. To
376           get a listing of supported icmp types: firewall-cmd --get-icmptypes
377
378           The --timeout option is not combinable with the --permanent option.
379
380       [--permanent] [--zone=zone] --remove-icmp-block=icmptype
381           Remove the ICMP block for icmptype from zone. If zone is omitted,
382           default zone will be used. This option can be specified multiple
383           times.
384
385       [--permanent] [--zone=zone] --query-icmp-block=icmptype
386           Return whether an ICMP block for icmptype has been added for zone.
387           If zone is omitted, default zone will be used. Returns 0 if true, 1
388           otherwise.
389
390       [--permanent] [--zone=zone] --list-forward-ports
391           List IPv4 forward ports added for zone as a space separated list.
392           If zone is omitted, default zone will be used.
393
394           For IPv6 forward ports, please use the rich language.
395
396       [--permanent] [--zone=zone]
397       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
398       [--timeout=timeval]
399           Add the IPv4 forward port for zone. If zone is omitted, default
400           zone will be used. This option can be specified multiple times. If
401           a timeout is supplied, the rule will be active for the specified
402           amount of time and will be removed automatically afterwards.
403           timeval is either a number (of seconds) or number followed by one
404           of characters s (seconds), m (minutes), h (hours), for example 20m
405           or 1h.
406
407           The port can either be a single port number portid or a port range
408           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
409           The destination address is a simple IP address.
410
411           The --timeout option is not combinable with the --permanent option.
412
413           For IPv6 forward ports, please use the rich language.
414
415       [--permanent] [--zone=zone]
416       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
417           Remove the IPv4 forward port from zone. If zone is omitted, default
418           zone will be used. This option can be specified multiple times.
419
420           For IPv6 forward ports, please use the rich language.
421
422       [--permanent] [--zone=zone]
423       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
424           Return whether the IPv4 forward port has been added for zone. If
425           zone is omitted, default zone will be used. Returns 0 if true, 1
426           otherwise.
427
428           For IPv6 forward ports, please use the rich language.
429
430       [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
431           Enable IPv4 masquerade for zone. If zone is omitted, default zone
432           will be used. If a timeout is supplied, masquerading will be active
433           for the specified amount of time.  timeval is either a number (of
434           seconds) or number followed by one of characters s (seconds), m
435           (minutes), h (hours), for example 20m or 1h. Masquerading is useful
436           if the machine is a router and machines connected over an interface
437           in another zone should be able to use the first connection.
438
439           The --timeout option is not combinable with the --permanent option.
440
441           For IPv6 masquerading, please use the rich language.
442
443       [--permanent] [--zone=zone] --remove-masquerade
444           Disable IPv4 masquerade for zone. If zone is omitted, default zone
445           will be used. If the masquerading was enabled with a timeout, it
446           will be disabled also.
447
448           For IPv6 masquerading, please use the rich language.
449
450       [--permanent] [--zone=zone] --query-masquerade
451           Return whether IPv4 masquerading has been enabled for zone. If zone
452           is omitted, default zone will be used. Returns 0 if true, 1
453           otherwise.
454
455           For IPv6 masquerading, please use the rich language.
456
457       [--permanent] [--zone=zone] --list-rich-rules
458           List rich language rules added for zone as a newline separated
459           list. If zone is omitted, default zone will be used.
460
461       [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
462           Add rich language rule 'rule' for zone. This option can be
463           specified multiple times. If zone is omitted, default zone will be
464           used. If a timeout is supplied, the rule will be active for the
465           specified amount of time and will be removed automatically
466           afterwards.  timeval is either a number (of seconds) or number
467           followed by one of characters s (seconds), m (minutes), h (hours),
468           for example 20m or 1h.
469
470           For the rich language rule syntax, please have a look at
471           firewalld.richlanguage(5).
472
473           The --timeout option is not combinable with the --permanent option.
474
475       [--permanent] [--zone=zone] --remove-rich-rule='rule'
476           Remove rich language rule 'rule' from zone. This option can be
477           specified multiple times. If zone is omitted, default zone will be
478           used.
479
480           For the rich language rule syntax, please have a look at
481           firewalld.richlanguage(5).
482
483       [--permanent] [--zone=zone] --query-rich-rule='rule'
484           Return whether a rich language rule 'rule' has been added for zone.
485           If zone is omitted, default zone will be used. Returns 0 if true, 1
486           otherwise.
487
488           For the rich language rule syntax, please have a look at
489           firewalld.richlanguage(5).
490
491   Options to Handle Bindings of Interfaces
492       Binding an interface to a zone means that this zone settings are used
493       to restrict traffic via the interface.
494
495       Options in this section affect only one particular zone. If used with
496       --zone=zone option, they affect the zone zone. If the option is
497       omitted, they affect default zone (see --get-default-zone).
498
499       For a list of predefined zones use firewall-cmd --get-zones.
500
501       An interface name is a string up to 16 characters long, that may not
502       contain ' ', '/', '!' and '*'.
503
504       [--permanent] [--zone=zone] --list-interfaces
505           List interfaces that are bound to zone zone as a space separated
506           list. If zone is omitted, default zone will be used.
507
508       [--permanent] [--zone=zone] --add-interface=interface
509           Bind interface interface to zone zone. If zone is omitted, default
510           zone will be used.
511
512           If the interface is under control of NetworkManager, it is at first
513           connected to change the zone for the connection that is using the
514           interface. If this fails, the zone binding is created in firewalld
515           and the limitations below apply. For interfaces that are not under
516           control of NetworkManager, firewalld tries to change the ZONE
517           setting in the ifcfg file, if the file exists.
518
519           As a end user you don't need this in most cases, because
520           NetworkManager (or legacy network service) adds interfaces into
521           zones automatically (according to ZONE= option from ifcfg-interface
522           file) if NM_CONTROLLED=no is not set. You should do it only if
523           there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
524           there is such file and you add interface to zone with this
525           --add-interface option, make sure the zone is the same in both
526           cases, otherwise the behaviour would be undefined. Please also have
527           a look at the firewalld(1) man page in the Concepts section. For
528           permanent association of interface with a zone, see also 'How to
529           set or change a zone for a connection?' in firewalld.zones(5).
530
531       [--zone=zone] --change-interface=interface
532           If the interface is under control of NetworkManager, it is at first
533           connected to change the zone for the connection that is using the
534           interface. If this fails, the zone binding is created in firewalld
535           and the limitations below apply. For interfaces that are not under
536           control of NetworkManager, firewalld tries to change the ZONE
537           setting in the ifcfg file, if the file exists.
538
539           Change zone the interface interface is bound to to zone zone. It's
540           basically --remove-interface followed by --add-interface. If the
541           interface has not been bound to a zone before, it behaves like
542           --add-interface. If zone is omitted, default zone will be used.
543
544       [--permanent] [--zone=zone] --query-interface=interface
545           Query whether interface interface is bound to zone zone. Returns 0
546           if true, 1 otherwise.
547
548       [--permanent] --remove-interface=interface
549           If the interface is under control of NetworkManager, it is at first
550           connected to change the zone for the connection that is using the
551           interface. If this fails, the zone binding is created in firewalld
552           and the limitations below apply.
553
554           For the addion or change of interfaces that are not under control
555           of NetworkManager: firewalld tries to change the ZONE setting in
556           the ifcfg file, if an ifcfg file exists that is using the
557           interface.
558
559           Only for the removal of interfaces that are not under control of
560           NetworkManager: firewalld is not trying to change the ZONE setting
561           in the ifcfg file. This is needed to make sure that an ifdown of
562           the interface will not result in a reset of the zone setting to the
563           default zone. Only the zone binding is then removed in firewalld
564           then.
565
566           Remove binding of interface interface from zone it was previously
567           added to.
568
569   Options to Handle Bindings of Sources
570       Binding a source to a zone means that this zone settings will be used
571       to restrict traffic from this source.
572
573       A source address or address range is either an IP address or a network
574       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
575       with the ipset: prefix. For IPv4, the mask can be a network mask or a
576       plain number. For IPv6 the mask is a plain number. The use of host
577       names is not supported.
578
579       Options in this section affect only one particular zone. If used with
580       --zone=zone option, they affect the zone zone. If the option is
581       omitted, they affect default zone (see --get-default-zone).
582
583       For a list of predefined zones use firewall-cmd [--permanent]
584       --get-zones.
585
586       [--permanent] [--zone=zone] --list-sources
587           List sources that are bound to zone zone as a space separated list.
588           If zone is omitted, default zone will be used.
589
590       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
591           Bind the source to zone zone. If zone is omitted, default zone will
592           be used.
593
594       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
595           Change zone the source is bound to to zone zone. It's basically
596           --remove-source followed by --add-source. If the source has not
597           been bound to a zone before, it behaves like --add-source. If zone
598           is omitted, default zone will be used.
599
600       [--permanent] [--zone=zone]
601       --query-source=source[/mask]|MAC|ipset:ipset
602           Query whether the source is bound to the zone zone. Returns 0 if
603           true, 1 otherwise.
604
605       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
606           Remove binding of the source from zone it was previously added to.
607
608   IPSet Options
609       --get-ipset-types
610           Print the supported ipset types.
611
612       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
613       [--option=key[=value]]
614           Add a new permanent and empty ipset with specifying the type and
615           optional the family and options like timeout, hashsize and maxelem.
616           For more information please have a look at ipset(8) man page.
617
618       --permanent --new-ipset-from-file=filename [--name=ipset]
619           Add a new permanent ipset from a prepared ipset file with an
620           optional name override.
621
622       --permanent --delete-ipset=ipset
623           Delete an existing permanent ipset.
624
625       --permanent --load-ipset-defaults=ipset
626           Load ipset default settings or report NO_DEFAULTS error.
627
628       [--permanent] --info-ipset=ipset
629           Print information about the ipset ipset. The output format is:
630
631               ipset
632                 type: type
633                 options: option1[=value1] ..
634                 entries: entry1 ..
635
636
637
638       [--permanent] --get-ipsets
639           Print predefined ipsets as a space separated list.
640
641       --permanent --ipset=ipset --set-description=description
642           Set new description to ipset
643
644       --permanent --ipset=ipset --get-description
645           Print description for ipset
646
647       --permanent --ipset=ipset --set-short=description
648           Set short description to ipset
649
650       --permanent --ipset=ipset --get-short
651           Print short description for ipset
652
653       [--permanent] --ipset=ipset --add-entry=entry
654           Add a new entry to the ipset.
655
656           Adding an entry to an ipset with option timeout is permitted, but
657           these entries are not tracked by firewalld.
658
659       [--permanent] --ipset=ipset --remove-entry=entry
660           Remove an entry from the ipset.
661
662       [--permanent] --ipset=ipset --query-entry=entry
663           Return whether the entry has been added to an ipset. Returns 0 if
664           true, 1 otherwise.
665
666           Querying an ipset with a timeout will yield an error. Entries are
667           not tracked for ipsets with a timeout.
668
669       [--permanent] --ipset=ipset --get-entries
670           List all entries of the ipset.
671
672       [--permanent] --ipset=ipset --add-entries-from-file=filename
673           Add a new entries to the ipset from the file. For all entries that
674           are listed in the file but already in the ipset, a warning will be
675           printed.
676
677           The file should contain an entry per line. Lines starting with an
678           hash or semicolon are ignored. Also empty lines.
679
680       [--permanent] --ipset=ipset --remove-entries-from-file=filename
681           Remove existing entries from the ipset from the file. For all
682           entries that are listed in the file but not in the ipset, a warning
683           will be printed.
684
685           The file should contain an entry per line. Lines starting with an
686           hash or semicolon are ignored. Also empty lines.
687
688       --permanent --path-ipset=ipset
689           Print path of the ipset configuration file.
690
691   Service Options
692       Options in this section affect only one particular service.
693
694       [--permanent] --info-service=service
695           Print information about the service service. The output format is:
696
697               service
698                 ports: port1 ..
699                 protocols: protocol1 ..
700                 source-ports: source-port1 ..
701                 modules: module1 ..
702                 destination: ipv1:address1 ..
703
704
705
706       The following options are only usable in the permanent configuration.
707
708       --permanent --new-service=service
709           Add a new permanent and empty service.
710
711       --permanent --new-service-from-file=filename [--name=service]
712           Add a new permanent service from a prepared service file with an
713           optional name override.
714
715       --permanent --delete-service=service
716           Delete an existing permanent service.
717
718       --permanent --load-service-defaults=service
719           Load service default settings or report NO_DEFAULTS error.
720
721       --permanent --path-service=service
722           Print path of the service configuration file.
723
724       --permanent --service=service --set-description=description
725           Set new description to service
726
727       --permanent --service=service --get-description
728           Print description for service
729
730       --permanent --service=service --set-short=description
731           Set short description to service
732
733       --permanent --service=service --get-short
734           Print short description for service
735
736       --permanent --service=service --add-port=portid[-portid]/protocol
737           Add a new port to the permanent service.
738
739       --permanent --service=service --remove-port=portid[-portid]/protocol
740           Remove a port from the permanent service.
741
742       --permanent --service=service --query-port=portid[-portid]/protocol
743           Return wether the port has been added to the permanent service.
744
745       --permanent --service=service --get-ports
746           List ports added to the permanent service.
747
748       --permanent --service=service --add-protocol=protocol
749           Add a new protocol to the permanent service.
750
751       --permanent --service=service --remove-protocol=protocol
752           Remove a protocol from the permanent service.
753
754       --permanent --service=service --query-protocol=protocol
755           Return wether the protocol has been added to the permanent service.
756
757       --permanent --service=service --get-protocols
758           List protocols added to the permanent service.
759
760       --permanent --service=service
761       --add-source-port=portid[-portid]/protocol
762           Add a new source port to the permanent service.
763
764       --permanent --service=service
765       --remove-source-port=portid[-portid]/protocol
766           Remove a source port from the permanent service.
767
768       --permanent --service=service
769       --query-source-port=portid[-portid]/protocol
770           Return wether the source port has been added to the permanent
771           service.
772
773       --permanent --service=service --get-source-ports
774           List source ports added to the permanent service.
775
776       --permanent --service=service --add-module=module
777           Add a new module to the permanent service.
778
779       --permanent --service=service --remove-module=module
780           Remove a module from the permanent service.
781
782       --permanent --service=service --query-module=module
783           Return wether the module has been added to the permanent service.
784
785       --permanent --service=service --get-modules
786           List modules added to the permanent service.
787
788       --permanent --service=service --set-destination=ipv:address[/mask]
789           Set destination for ipv to address[/mask] in the permanent service.
790
791       --permanent --service=service --remove-destination=ipv
792           Remove the destination for ipv from the permanent service.
793
794       --permanent --service=service --query-destination=ipv:address[/mask]
795           Return wether the destination ipv to address[/mask] has been set in
796           the permanent service.
797
798       --permanent --service=service --get-destinations
799           List destinations added to the permanent service.
800
801   Helper Options
802       Options in this section affect only one particular helper.
803
804       [--permanent] --info-helper=helper
805           Print information about the helper helper. The output format is:
806
807               helper
808                 family: family
809                 module: module
810                 ports: port1 ..
811
812
813
814       The following options are only usable in the permanent configuration.
815
816       --permanent --new-helper=helper --module=nf_conntrack_module
817       [--family=ipv4|ipv6]
818           Add a new permanent helper with module and optionally family
819           defined.
820
821       --permanent --new-helper-from-file=filename [--name=helper]
822           Add a new permanent helper from a prepared helper file with an
823           optional name override.
824
825       --permanent --delete-helper=helper
826           Delete an existing permanent helper.
827
828       --permanent --load-helper-defaults=helper
829           Load helper default settings or report NO_DEFAULTS error.
830
831       --permanent --path-helper=helper
832           Print path of the helper configuration file.
833
834       [--permanent] --get-helpers
835           Print predefined helpers as a space separated list.
836
837       --permanent --helper=helper --set-description=description
838           Set new description to helper
839
840       --permanent --helper=helper --get-description
841           Print description for helper
842
843       --permanent --helper=helper --set-short=description
844           Set short description to helper
845
846       --permanent --helper=helper --get-short
847           Print short description for helper
848
849       --permanent --helper=helper --add-port=portid[-portid]/protocol
850           Add a new port to the permanent helper.
851
852       --permanent --helper=helper --remove-port=portid[-portid]/protocol
853           Remove a port from the permanent helper.
854
855       --permanent --helper=helper --query-port=portid[-portid]/protocol
856           Return wether the port has been added to the permanent helper.
857
858       --permanent --helper=helper --get-ports
859           List ports added to the permanent helper.
860
861       --permanent --helper=helper --set-module=description
862           Set module description for helper
863
864       --permanent --helper=helper --get-module
865           Print module description for helper
866
867       --permanent --helper=helper --set-family=description
868           Set family description for helper
869
870       --permanent --helper=helper --get-family
871           Print family description of helper
872
873   Internet Control Message Protocol (ICMP) type Options
874       Options in this section affect only one particular icmptype.
875
876       [--permanent] --info-icmptype=icmptype
877           Print information about the icmptype icmptype. The output format
878           is:
879
880               icmptype
881                 destination: ipv1 ..
882
883
884
885       The following options are only usable in the permanent configuration.
886
887       --permanent --new-icmptype=icmptype
888           Add a new permanent and empty icmptype.
889
890       --permanent --new-icmptype-from-file=filename [--name=icmptype]
891           Add a new permanent icmptype from a prepared icmptype file with an
892           optional name override.
893
894       --permanent --delete-icmptype=icmptype
895           Delete an existing permanent icmptype.
896
897       --permanent --load-icmptype-defaults=icmptype
898           Load icmptype default settings or report NO_DEFAULTS error.
899
900       --permanent --icmptype=icmptype --set-description=description
901           Set new description to icmptype
902
903       --permanent --icmptype=icmptype --get-description
904           Print description for icmptype
905
906       --permanent --icmptype=icmptype --set-short=description
907           Set short description to icmptype
908
909       --permanent --icmptype=icmptype --get-short
910           Print short description for icmptype
911
912       --permanent --icmptype=icmptype --add-destination=ipv
913           Enable destination for ipv in permanent icmptype. ipv is one of
914           ipv4 or ipv6.
915
916       --permanent --icmptype=icmptype --remove-destination=ipv
917           Disable destination for ipv in permanent icmptype. ipv is one of
918           ipv4 or ipv6.
919
920       --permanent --icmptype=icmptype --query-destination=ipv
921           Return whether destination for ipv is enabled in permanent
922           icmptype. ipv is one of ipv4 or ipv6.
923
924       --permanent --icmptype=icmptype --get-destinations
925           List destinations in permanent icmptype.
926
927       --permanent --path-icmptype=icmptype
928           Print path of the icmptype configuration file.
929
930   Direct Options
931       The direct options give a more direct access to the firewall. These
932       options require user to know basic iptables concepts, i.e.  table
933       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
934       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
935       (ACCEPT/DROP/REJECT/...).
936
937       Direct options should be used only as a last resort when it's not
938       possible to use for example --add-service=service or
939       --add-rich-rule='rule'.
940
941       The first argument of each option has to be ipv4 or ipv6 or eb. With
942       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
943       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
944
945       [--permanent] --direct --get-all-chains
946           Get all chains added to all tables. This option concerns only
947           chains previously added with --direct --add-chain.
948
949       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
950           Get all chains added to table table as a space separated list. This
951           option concerns only chains previously added with --direct
952           --add-chain.
953
954       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
955           Add a new chain with name chain to table table. Make sure there's
956           no other chain with this name already.
957
958           There already exist basic chains to use with direct options, for
959           example INPUT_direct chain (see iptables-save | grep direct output
960           for all of them). These chains are jumped into before chains for
961           zones, i.e. every rule put into INPUT_direct will be checked before
962           rules in zones.
963
964       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
965           Remove chain with name chain from table table. Only chains
966           previously added with --direct --add-chain can be removed this way.
967
968       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
969           Return whether a chain with name chain exists in table table.
970           Returns 0 if true, 1 otherwise. This option concerns only chains
971           previously added with --direct --add-chain.
972
973       [--permanent] --direct --get-all-rules
974           Get all rules added to all chains in all tables as a newline
975           separated list of the priority and arguments. This option concerns
976           only rules previously added with --direct --add-rule.
977
978       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
979           Get all rules added to chain chain in table table as a newline
980           separated list of the priority and arguments. This option concerns
981           only rules previously added with --direct --add-rule.
982
983       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
984       priority args
985           Add a rule with the arguments args to chain chain in table table
986           with priority priority.
987
988           The priority is used to order rules. Priority 0 means add rule on
989           top of the chain, with a higher priority the rule will be added
990           further down. Rules with the same priority are on the same level
991           and the order of these rules is not fixed and may change. If you
992           want to make sure that a rule will be added after another one, use
993           a low priority for the first and a higher for the following.
994
995       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
996       priority args
997           Remove a rule with priority and the arguments args from chain chain
998           in table table. Only rules previously added with --direct
999           --add-rule can be removed this way.
1000
1001       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1002           Remove all rules in the chain with name chain exists in table
1003           table. This option concerns only rules previously added with
1004           --direct --add-rule in this chain.
1005
1006       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1007       priority args
1008           Return whether a rule with priority and the arguments args exists
1009           in chain chain in table table. Returns 0 if true, 1 otherwise. This
1010           option concerns only rules previously added with --direct
1011           --add-rule.
1012
1013       --direct --passthrough { ipv4 | ipv6 | eb } args
1014           Pass a command through to the firewall.  args can be all iptables,
1015           ip6tables and ebtables command line arguments. This command is
1016           untracked, which means that firewalld is not able to provide
1017           information about this command later on, also not a listing of the
1018           untracked passthoughs.
1019
1020       [--permanent] --direct --get-all-passthroughs
1021           Get all passthrough rules as a newline separated list of the ipv
1022           value and arguments.
1023
1024       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1025           Get all passthrough rules for the ipv value as a newline separated
1026           list of the priority and arguments.
1027
1028       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1029           Add a passthrough rule with the arguments args for the ipv value.
1030
1031       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1032           Remove a passthrough rule with the arguments args for the ipv
1033           value.
1034
1035       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1036           Return whether a passthrough rule with the arguments args exists
1037           for the ipv value. Returns 0 if true, 1 otherwise.
1038
1039   Lockdown Options
1040       Local applications or services are able to change the firewall
1041       configuration if they are running as root (example: libvirt) or are
1042       authenticated using PolicyKit. With this feature administrators can
1043       lock the firewall configuration so that only applications on lockdown
1044       whitelist are able to request firewall changes.
1045
1046       The lockdown access check limits D-Bus methods that are changing
1047       firewall rules. Query, list and get methods are not limited.
1048
1049       The lockdown feature is a very light version of user and application
1050       policies for firewalld and is turned off by default.
1051
1052       --lockdown-on
1053           Enable lockdown. Be careful - if firewall-cmd is not on lockdown
1054           whitelist when you enable lockdown you won't be able to disable it
1055           again with firewall-cmd, you would need to edit firewalld.conf.
1056
1057           This is a runtime and permanent change.
1058
1059       --lockdown-off
1060           Disable lockdown.
1061
1062           This is a runtime and permanent change.
1063
1064       --query-lockdown
1065           Query whether lockdown is enabled. Returns 0 if lockdown is
1066           enabled, 1 otherwise.
1067
1068   Lockdown Whitelist Options
1069       The lockdown whitelist can contain commands, contexts, users and user
1070       ids.
1071
1072       If a command entry on the whitelist ends with an asterisk '*', then all
1073       command lines starting with the command will match. If the '*' is not
1074       there the absolute command inclusive arguments must match.
1075
1076       Commands for user root and others is not always the same. Example: As
1077       root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd
1078       is be used on Fedora.
1079
1080       The context is the security (SELinux) context of a running application
1081       or service. To get the context of a running application use ps -e
1082       --context.
1083
1084       Warning: If the context is unconfined, then this will open access for
1085       more than the desired application.
1086
1087       The lockdown whitelist entries are checked in the following order:
1088           1. context
1089           2. uid
1090           3. user
1091           4. command
1092
1093       [--permanent] --list-lockdown-whitelist-commands
1094           List all command lines that are on the whitelist.
1095
1096       [--permanent] --add-lockdown-whitelist-command=command
1097           Add the command to the whitelist.
1098
1099       [--permanent] --remove-lockdown-whitelist-command=command
1100           Remove the command from the whitelist.
1101
1102       [--permanent] --query-lockdown-whitelist-command=command
1103           Query whether the command is on the whitelist. Returns 0 if true, 1
1104           otherwise.
1105
1106       [--permanent] --list-lockdown-whitelist-contexts
1107           List all contexts that are on the whitelist.
1108
1109       [--permanent] --add-lockdown-whitelist-context=context
1110           Add the context context to the whitelist.
1111
1112       [--permanent] --remove-lockdown-whitelist-context=context
1113           Remove the context from the whitelist.
1114
1115       [--permanent] --query-lockdown-whitelist-context=context
1116           Query whether the context is on the whitelist. Returns 0 if true, 1
1117           otherwise.
1118
1119       [--permanent] --list-lockdown-whitelist-uids
1120           List all user ids that are on the whitelist.
1121
1122       [--permanent] --add-lockdown-whitelist-uid=uid
1123           Add the user id uid to the whitelist.
1124
1125       [--permanent] --remove-lockdown-whitelist-uid=uid
1126           Remove the user id uid from the whitelist.
1127
1128       [--permanent] --query-lockdown-whitelist-uid=uid
1129           Query whether the user id uid is on the whitelist. Returns 0 if
1130           true, 1 otherwise.
1131
1132       [--permanent] --list-lockdown-whitelist-users
1133           List all user names that are on the whitelist.
1134
1135       [--permanent] --add-lockdown-whitelist-user=user
1136           Add the user name user to the whitelist.
1137
1138       [--permanent] --remove-lockdown-whitelist-user=user
1139           Remove the user name user from the whitelist.
1140
1141       [--permanent] --query-lockdown-whitelist-user=user
1142           Query whether the user name user is on the whitelist. Returns 0 if
1143           true, 1 otherwise.
1144
1145   Panic Options
1146       --panic-on
1147           Enable panic mode. All incoming and outgoing packets are dropped,
1148           active connections will expire. Enable this only if there are
1149           serious problems with your network environment. For example if the
1150           machine is getting hacked in.
1151
1152           This is a runtime only change.
1153
1154       --panic-off
1155           Disable panic mode. After disabling panic mode established
1156           connections might work again, if panic mode was enabled for a short
1157           period of time.
1158
1159           This is a runtime only change.
1160
1161       --query-panic
1162           Returns 0 if panic mode is enabled, 1 otherwise.
1163

EXAMPLES

1165       For more examples see http://fedoraproject.org/wiki/FirewallD
1166
1167   Example 1
1168       Enable http service in default zone. This is runtime only change, i.e.
1169       effective until restart.
1170
1171           firewall-cmd --add-service=http
1172
1173
1174
1175   Example 2
1176       Enable port 443/tcp immediately and permanently in default zone. To
1177       make the change effective immediately and also after restart we need
1178       two commands. The first command makes the change in runtime
1179       configuration, i.e. makes it effective immediately, until restart. The
1180       second command makes the change in permanent configuration, i.e. makes
1181       it effective after restart.
1182
1183           firewall-cmd --add-port=443/tcp
1184           firewall-cmd --permanent --add-port=443/tcp
1185
1186
1187

EXIT CODES

1189       On success 0 is returned. On failure the output is red colored and exit
1190       code is either 2 in case of wrong command-line option usage or one of
1191       the following error codes in other cases:
1192
1193       ┌────────────────────┬──────┐
1194String              Code 
1195       ├────────────────────┼──────┤
1196       │ALREADY_ENABLED     │   11 │
1197       ├────────────────────┼──────┤
1198       │NOT_ENABLED         │   12 │
1199       ├────────────────────┼──────┤
1200       │COMMAND_FAILED      │   13 │
1201       ├────────────────────┼──────┤
1202       │NO_IPV6_NAT         │   14 │
1203       ├────────────────────┼──────┤
1204       │PANIC_MODE          │   15 │
1205       ├────────────────────┼──────┤
1206       │ZONE_ALREADY_SET    │   16 │
1207       ├────────────────────┼──────┤
1208       │UNKNOWN_INTERFACE   │   17 │
1209       ├────────────────────┼──────┤
1210       │ZONE_CONFLICT       │   18 │
1211       ├────────────────────┼──────┤
1212       │BUILTIN_CHAIN       │   19 │
1213       ├────────────────────┼──────┤
1214       │EBTABLES_NO_REJECT  │   20 │
1215       ├────────────────────┼──────┤
1216       │NOT_OVERLOADABLE    │   21 │
1217       ├────────────────────┼──────┤
1218       │NO_DEFAULTS         │   22 │
1219       ├────────────────────┼──────┤
1220       │BUILTIN_ZONE        │   23 │
1221       ├────────────────────┼──────┤
1222       │BUILTIN_SERVICE     │   24 │
1223       ├────────────────────┼──────┤
1224       │BUILTIN_ICMPTYPE    │   25 │
1225       ├────────────────────┼──────┤
1226       │NAME_CONFLICT       │   26 │
1227       ├────────────────────┼──────┤
1228       │NAME_MISMATCH       │   27 │
1229       ├────────────────────┼──────┤
1230       │PARSE_ERROR         │   28 │
1231       ├────────────────────┼──────┤
1232       │ACCESS_DENIED       │   29 │
1233       ├────────────────────┼──────┤
1234       │UNKNOWN_SOURCE      │   30 │
1235       ├────────────────────┼──────┤
1236       │RT_TO_PERM_FAILED   │   31 │
1237       ├────────────────────┼──────┤
1238       │IPSET_WITH_TIMEOUT  │   32 │
1239       ├────────────────────┼──────┤
1240       │BUILTIN_IPSET       │   33 │
1241       ├────────────────────┼──────┤
1242       │ALREADY_SET         │   34 │
1243       ├────────────────────┼──────┤
1244       │MISSING_IMPORT      │   35 │
1245       ├────────────────────┼──────┤
1246       │DBUS_ERROR          │   36 │
1247       ├────────────────────┼──────┤
1248       │BUILTIN_HELPER      │   37 │
1249       ├────────────────────┼──────┤
1250       │NOT_APPLIED         │   38 │
1251       ├────────────────────┼──────┤
1252       │INVALID_ACTION      │  100 │
1253       ├────────────────────┼──────┤
1254       │INVALID_SERVICE     │  101 │
1255       ├────────────────────┼──────┤
1256       │INVALID_PORT        │  102 │
1257       ├────────────────────┼──────┤
1258       │INVALID_PROTOCOL    │  103 │
1259       ├────────────────────┼──────┤
1260       │INVALID_INTERFACE   │  104 │
1261       ├────────────────────┼──────┤
1262       │INVALID_ADDR        │  105 │
1263       ├────────────────────┼──────┤
1264       │INVALID_FORWARD     │  106 │
1265       ├────────────────────┼──────┤
1266       │INVALID_ICMPTYPE    │  107 │
1267       ├────────────────────┼──────┤
1268       │INVALID_TABLE       │  108 │
1269       ├────────────────────┼──────┤
1270       │INVALID_CHAIN       │  109 │
1271       ├────────────────────┼──────┤
1272       │INVALID_TARGET      │  110 │
1273       ├────────────────────┼──────┤
1274       │INVALID_IPV         │  111 │
1275       ├────────────────────┼──────┤
1276       │INVALID_ZONE        │  112 │
1277       ├────────────────────┼──────┤
1278       │INVALID_PROPERTY    │  113 │
1279       ├────────────────────┼──────┤
1280       │INVALID_VALUE       │  114 │
1281       ├────────────────────┼──────┤
1282       │INVALID_OBJECT      │  115 │
1283       ├────────────────────┼──────┤
1284       │INVALID_NAME        │  116 │
1285       ├────────────────────┼──────┤
1286       │INVALID_FILENAME    │  117 │
1287       ├────────────────────┼──────┤
1288       │INVALID_DIRECTORY   │  118 │
1289       ├────────────────────┼──────┤
1290       │INVALID_TYPE        │  119 │
1291       ├────────────────────┼──────┤
1292       │INVALID_SETTING     │  120 │
1293       ├────────────────────┼──────┤
1294       │INVALID_DESTINATION │  121 │
1295       ├────────────────────┼──────┤
1296       │INVALID_RULE        │  122 │
1297       ├────────────────────┼──────┤
1298       │INVALID_LIMIT       │  123 │
1299       ├────────────────────┼──────┤
1300       │INVALID_FAMILY      │  124 │
1301       ├────────────────────┼──────┤
1302       │INVALID_LOG_LEVEL   │  125 │
1303       ├────────────────────┼──────┤
1304       │INVALID_AUDIT_TYPE  │  126 │
1305       ├────────────────────┼──────┤
1306       │INVALID_MARK        │  127 │
1307       ├────────────────────┼──────┤
1308       │INVALID_CONTEXT     │  128 │
1309       ├────────────────────┼──────┤
1310       │INVALID_COMMAND     │  129 │
1311       ├────────────────────┼──────┤
1312       │INVALID_USER        │  130 │
1313       ├────────────────────┼──────┤
1314       │INVALID_UID         │  131 │
1315       ├────────────────────┼──────┤
1316       │INVALID_MODULE      │  132 │
1317       ├────────────────────┼──────┤
1318       │INVALID_PASSTHROUGH │  133 │
1319       ├────────────────────┼──────┤
1320       │INVALID_MAC         │  134 │
1321       ├────────────────────┼──────┤
1322       │INVALID_IPSET       │  135 │
1323       ├────────────────────┼──────┤
1324       │INVALID_ENTRY       │  136 │
1325       ├────────────────────┼──────┤
1326       │INVALID_OPTION      │  137 │
1327       ├────────────────────┼──────┤
1328       │INVALID_HELPER      │  138 │
1329       ├────────────────────┼──────┤
1330       │MISSING_TABLE       │  200 │
1331       ├────────────────────┼──────┤
1332       │MISSING_CHAIN       │  201 │
1333       ├────────────────────┼──────┤
1334       │MISSING_PORT        │  202 │
1335       ├────────────────────┼──────┤
1336       │MISSING_PROTOCOL    │  203 │
1337       ├────────────────────┼──────┤
1338       │MISSING_ADDR        │  204 │
1339       ├────────────────────┼──────┤
1340       │MISSING_NAME        │  205 │
1341       ├────────────────────┼──────┤
1342       │MISSING_SETTING     │  206 │
1343       ├────────────────────┼──────┤
1344       │MISSING_FAMILY      │  207 │
1345       ├────────────────────┼──────┤
1346       │RUNNING_BUT_FAILED  │  251 │
1347       ├────────────────────┼──────┤
1348       │NOT_RUNNING         │  252 │
1349       ├────────────────────┼──────┤
1350       │NOT_AUTHORIZED      │  253 │
1351       ├────────────────────┼──────┤
1352       │UNKNOWN_ERROR       │  254 │
1353       └────────────────────┴──────┘
1354
1355       Note that return codes of --query-* options are special: Successful
1356       queries return 0, unsuccessful ones return 1 unless an error occurred
1357       in which case the table above applies.
1358

SEE ALSO

1360       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1361       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1362       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1363       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1364       firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1365       firewalld.helper(5)
1366

NOTES

1368       firewalld home page:
1369           http://firewalld.org
1370
1371       More documentation with examples:
1372           http://fedoraproject.org/wiki/FirewallD
1373

AUTHORS

1375       Thomas Woerner <twoerner@redhat.com>
1376           Developer
1377
1378       Jiri Popelka <jpopelka@redhat.com>
1379           Developer
1380
1381
1382
1383firewalld 0.6.3                                                FIREWALL-CMD(1)
Impressum