1FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)
2
3
4

NAME

6       firewall-cmd - firewalld command line client
7

SYNOPSIS

9       firewall-cmd [OPTIONS...]
10

DESCRIPTION

12       firewall-cmd is the command line client of the firewalld daemon. It
13       provides interface to manage runtime and permanent configuration.
14
15       The runtime configuration in firewalld is separated from the permanent
16       configuration. This means that things can get changed in the runtime or
17       permanent configuration.
18

OPTIONS

20       For sequence options, this are the options that can be specified
21       multiple times, the exit code is 0 if there is at least one item that
22       succeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also
23       ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are
24       issues while parsing the items, then these are treated as warnings and
25       will not change the result as long as there is a succeeded one. Without
26       any succeeded item, the exit code will depend on the error codes. If
27       there is exactly one error code, then this is used. If there are more
28       than one then UNKNOWN_ERROR (254) will be used.
29
30       The following options are supported:
31
32   General Options
33       -h, --help
34           Prints a short help text and exits.
35
36       -V, --version
37           Print the version string of firewalld. This option is not
38           combinable with other options.
39
40       -q, --quiet
41           Do not print status messages.
42
43   Status Options
44       --state
45           Check whether the firewalld daemon is active (i.e. running).
46           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if
47           failure occurred on startup, NOT_RUNNING otherwise. See the section
48           called “EXIT CODES”. This will also print the state to STDOUT.
49
50       --reload
51           Reload firewall rules and keep state information. Current permanent
52           configuration will become new runtime configuration, i.e. all
53           runtime only changes done until reload are lost with reload if they
54           have not been also in permanent configuration.
55
56           Note: Runtime changes applied via the direct interface are not
57           affected and will therefore stay in place until firewalld daemon is
58           restarted completely.
59
60       --complete-reload
61           Reload firewall completely, even netfilter kernel modules. This
62           will most likely terminate active connections, because state
63           information is lost. This option should only be used in case of
64           severe firewall problems. For example if there are state
65           information problems that no connection can be established with
66           correct firewall rules.
67
68           Note: Runtime changes applied via the direct interface are not
69           affected and will therefore stay in place until firewalld daemon is
70           restarted completely.
71
72       --runtime-to-permanent
73           Save active runtime configuration and overwrite permanent
74           configuration with it. The way this is supposed to work is that
75           when configuring firewalld you do runtime changes only and once
76           you're happy with the configuration and you tested that it works
77           the way you want, you save the configuration to disk.
78
79       --check-config
80           Run checks on the permanent configuration. This includes XML
81           validity and semantics.
82
83   Log Denied Options
84       --get-log-denied
85           Print the log denied setting.
86
87       --set-log-denied=value
88           Add logging rules right before reject and drop rules in the INPUT,
89           FORWARD and OUTPUT chains for the default rules and also final
90           reject and drop rules in zones for the configured link-layer packet
91           type. The possible values are: all, unicast, broadcast, multicast
92           and off. The default setting is off, which disables the logging.
93
94           This is a runtime and permanent change and will also reload the
95           firewall to be able to add the logging rules.
96
97   Automatic Helpers Options
98       --get-automatic-helpers
99           Print the automatic helpers setting.
100
101       --set-automatic-helpers=value
102           For the secure use of iptables and connection tracking helpers it
103           is recommended to turn AutomaticHelpers off. But this might have
104           side effects on other services using the netfilter helpers as the
105           sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
106           be changed. With the system setting, the default value set in the
107           kernel or with sysctl will be used. Possible values are: yes, no
108           and system. The default value is system.
109
110           This is a runtime and permanent change and will also reload the
111           firewall to be able to make the helpers usable.
112
113   Permanent Options
114       --permanent
115           The permanent option --permanent can be used to set options
116           permanently. These changes are not effective immediately, only
117           after service restart/reload or system reboot. Without the
118           --permanent option, a change will only be part of the runtime
119           configuration.
120
121           If you want to make a change in runtime and permanent
122           configuration, use the same call with and without the --permanent
123           option.
124
125           The --permanent option can be optionally added to all options
126           further down where it is supported.
127
128   Zone Options
129       --get-default-zone
130           Print default zone for connections and interfaces.
131
132       --set-default-zone=zone
133           Set default zone for connections and interfaces where no zone has
134           been selected. Setting the default zone changes the zone for the
135           connections or interfaces, that are using the default zone.
136
137           This is a runtime and permanent change.
138
139       --get-active-zones
140           Print currently active zones altogether with interfaces and sources
141           used in these zones. Active zones are zones, that have a binding to
142           an interface or source. The output format is:
143
144               zone1
145                 interfaces: interface1 interface2 ..
146                 sources: source1 ..
147               zone2
148                 interfaces: interface3 ..
149               zone3
150                 sources: source2 ..
151
152
153           If there are no interfaces or sources bound to the zone, the
154           corresponding line will be omitted.
155
156       [--permanent] --get-zones
157           Print predefined zones as a space separated list.
158
159       [--permanent] --get-services
160           Print predefined services as a space separated list.
161
162       [--permanent] --get-icmptypes
163           Print predefined icmptypes as a space separated list.
164
165       [--permanent] --get-zone-of-interface=interface
166           Print the name of the zone the interface is bound to or no zone.
167
168       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
169           Print the name of the zone the source is bound to or no zone.
170
171       [--permanent] --info-zone=zone
172           Print information about the zone zone. The output format is:
173
174               zone
175                 interfaces: interface1 ..
176                 sources: source1 ..
177                 services: service1 ..
178                 ports: port1 ..
179                 protocols: protocol1 ..
180                 forward-ports:
181                       forward-port1
182                       ..
183                 source-ports: source-port1 ..
184                 icmp-blocks: icmp-type1 ..
185                 rich rules:
186                       rich-rule1
187                       ..
188
189
190
191       [--permanent] --list-all-zones
192           List everything added for or enabled in all zones. The output
193           format is:
194
195               zone1
196                 interfaces: interface1 ..
197                 sources: source1 ..
198                 services: service1 ..
199                 ports: port1 ..
200                 protocols: protocol1 ..
201                 forward-ports:
202                       forward-port1
203                       ..
204                 icmp-blocks: icmp-type1 ..
205                 rich rules:
206                       rich-rule1
207                       ..
208               ..
209
210
211
212       --permanent --new-zone=zone
213           Add a new permanent and empty zone.
214
215       --permanent --new-zone-from-file=filename [--name=zone]
216           Add a new permanent zone from a prepared zone file with an optional
217           name override.
218
219       --permanent --delete-zone=zone
220           Delete an existing permanent zone.
221
222       --permanent --load-zone-defaults=zone
223           Load zone default settings or report NO_DEFAULTS error.
224
225       --permanent --path-zone=zone
226           Print path of the zone configuration file.
227
228       --permanent --zone=zone --set-description=description
229           Set new description to zone
230
231       --permanent --zone=zone --get-description
232           Print description for zone
233
234       --permanent --zone=zone --set-short=description
235           Set short description to zone
236
237       --permanent --zone=zone --get-short
238           Print short description for zone
239
240       --permanent [--zone=zone] --get-target
241           Get the target of a permanent zone.
242
243       --permanent [--zone=zone] --set-target=target
244           Set the target of a permanent zone.  target is one of: default,
245           ACCEPT, DROP, REJECT
246
247   Options to Adapt and Query Zones
248       Options in this section affect only one particular zone. If used with
249       --zone=zone option, they affect the zone zone. If the option is
250       omitted, they affect default zone (see --get-default-zone).
251
252       [--permanent] [--zone=zone] --list-all
253           List everything added for or enabled in zone. If zone is omitted,
254           default zone will be used.
255
256       [--permanent] [--zone=zone] --list-services
257           List services added for zone as a space separated list. If zone is
258           omitted, default zone will be used.
259
260       [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
261           Add a service for zone. If zone is omitted, default zone will be
262           used. This option can be specified multiple times. If a timeout is
263           supplied, the rule will be active for the specified amount of time
264           and will be removed automatically afterwards.  timeval is either a
265           number (of seconds) or number followed by one of characters s
266           (seconds), m (minutes), h (hours), for example 20m or 1h.
267
268           The service is one of the firewalld provided services. To get a
269           list of the supported services, use firewall-cmd --get-services.
270
271           The --timeout option is not combinable with the --permanent option.
272
273       [--permanent] [--zone=zone] --remove-service=service
274           Remove a service from zone. This option can be specified multiple
275           times. If zone is omitted, default zone will be used.
276
277       [--permanent] [--zone=zone] --query-service=service
278           Return whether service has been added for zone. If zone is omitted,
279           default zone will be used. Returns 0 if true, 1 otherwise.
280
281       [--permanent] [--zone=zone] --list-ports
282           List ports added for zone as a space separated list. A port is of
283           the form portid[-portid]/protocol, it can be either a port and
284           protocol pair or a port range with a protocol. If zone is omitted,
285           default zone will be used.
286
287       [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
288       [--timeout=timeval]
289           Add the port for zone. If zone is omitted, default zone will be
290           used. This option can be specified multiple times. If a timeout is
291           supplied, the rule will be active for the specified amount of time
292           and will be removed automatically afterwards.  timeval is either a
293           number (of seconds) or number followed by one of characters s
294           (seconds), m (minutes), h (hours), for example 20m or 1h.
295
296           The port can either be a single port number or a port range
297           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
298
299           The --timeout option is not combinable with the --permanent option.
300
301       [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
302           Remove the port from zone. If zone is omitted, default zone will be
303           used. This option can be specified multiple times.
304
305       [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
306           Return whether the port has been added for zone. If zone is
307           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
308
309       [--permanent] [--zone=zone] --list-protocols
310           List protocols added for zone as a space separated list. If zone is
311           omitted, default zone will be used.
312
313       [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
314           Add the protocol for zone. If zone is omitted, default zone will be
315           used. This option can be specified multiple times. If a timeout is
316           supplied, the rule will be active for the specified amount of time
317           and will be removed automatically afterwards.  timeval is either a
318           number (of seconds) or number followed by one of characters s
319           (seconds), m (minutes), h (hours), for example 20m or 1h.
320
321           The protocol can be any protocol supported by the system. Please
322           have a look at /etc/protocols for supported protocols.
323
324           The --timeout option is not combinable with the --permanent option.
325
326       [--permanent] [--zone=zone] --remove-protocol=protocol
327           Remove the protocol from zone. If zone is omitted, default zone
328           will be used. This option can be specified multiple times.
329
330       [--permanent] [--zone=zone] --query-protocol=protocol
331           Return whether the protocol has been added for zone. If zone is
332           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
333
334       [--permanent] [--zone=zone] --list-source-ports
335           List source ports added for zone as a space separated list. A port
336           is of the form portid[-portid]/protocol. If zone is omitted,
337           default zone will be used.
338
339       [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
340       [--timeout=timeval]
341           Add the source port for zone. If zone is omitted, default zone will
342           be used. This option can be specified multiple times. If a timeout
343           is supplied, the rule will be active for the specified amount of
344           time and will be removed automatically afterwards.  timeval is
345           either a number (of seconds) or number followed by one of
346           characters s (seconds), m (minutes), h (hours), for example 20m or
347           1h.
348
349           The port can either be a single port number or a port range
350           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
351
352           The --timeout option is not combinable with the --permanent option.
353
354       [--permanent] [--zone=zone]
355       --remove-source-port=portid[-portid]/protocol
356           Remove the source port from zone. If zone is omitted, default zone
357           will be used. This option can be specified multiple times.
358
359       [--permanent] [--zone=zone]
360       --query-source-port=portid[-portid]/protocol
361           Return whether the source port has been added for zone. If zone is
362           omitted, default zone will be used. Returns 0 if true, 1 otherwise.
363
364       [--permanent] [--zone=zone] --list-icmp-blocks
365           List Internet Control Message Protocol (ICMP) type blocks added for
366           zone as a space separated list. If zone is omitted, default zone
367           will be used.
368
369       [--permanent] [--zone=zone] --add-icmp-block=icmptype
370       [--timeout=timeval]
371           Add an ICMP block for icmptype for zone. If zone is omitted,
372           default zone will be used. This option can be specified multiple
373           times. If a timeout is supplied, the rule will be active for the
374           specified amount of time and will be removed automatically
375           afterwards.  timeval is either a number (of seconds) or number
376           followed by one of characters s (seconds), m (minutes), h (hours),
377           for example 20m or 1h.
378
379           The icmptype is the one of the icmp types firewalld supports. To
380           get a listing of supported icmp types: firewall-cmd --get-icmptypes
381
382           The --timeout option is not combinable with the --permanent option.
383
384       [--permanent] [--zone=zone] --remove-icmp-block=icmptype
385           Remove the ICMP block for icmptype from zone. If zone is omitted,
386           default zone will be used. This option can be specified multiple
387           times.
388
389       [--permanent] [--zone=zone] --query-icmp-block=icmptype
390           Return whether an ICMP block for icmptype has been added for zone.
391           If zone is omitted, default zone will be used. Returns 0 if true, 1
392           otherwise.
393
394       [--permanent] [--zone=zone] --list-forward-ports
395           List IPv4 forward ports added for zone as a space separated list.
396           If zone is omitted, default zone will be used.
397
398           For IPv6 forward ports, please use the rich language.
399
400       [--permanent] [--zone=zone]
401       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
402       [--timeout=timeval]
403           Add the IPv4 forward port for zone. If zone is omitted, default
404           zone will be used. This option can be specified multiple times. If
405           a timeout is supplied, the rule will be active for the specified
406           amount of time and will be removed automatically afterwards.
407           timeval is either a number (of seconds) or number followed by one
408           of characters s (seconds), m (minutes), h (hours), for example 20m
409           or 1h.
410
411           The port can either be a single port number portid or a port range
412           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
413           The destination address is a simple IP address.
414
415           The --timeout option is not combinable with the --permanent option.
416
417           For IPv6 forward ports, please use the rich language.
418
419           Note: IP forwarding will be implicitly enabled if toaddr is
420           specified.
421
422       [--permanent] [--zone=zone]
423       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
424           Remove the IPv4 forward port from zone. If zone is omitted, default
425           zone will be used. This option can be specified multiple times.
426
427           For IPv6 forward ports, please use the rich language.
428
429       [--permanent] [--zone=zone]
430       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
431           Return whether the IPv4 forward port has been added for zone. If
432           zone is omitted, default zone will be used. Returns 0 if true, 1
433           otherwise.
434
435           For IPv6 forward ports, please use the rich language.
436
437       [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
438           Enable IPv4 masquerade for zone. If zone is omitted, default zone
439           will be used. If a timeout is supplied, masquerading will be active
440           for the specified amount of time.  timeval is either a number (of
441           seconds) or number followed by one of characters s (seconds), m
442           (minutes), h (hours), for example 20m or 1h. Masquerading is useful
443           if the machine is a router and machines connected over an interface
444           in another zone should be able to use the first connection.
445
446           The --timeout option is not combinable with the --permanent option.
447
448           For IPv6 masquerading, please use the rich language.
449
450           Note: IP forwarding will be implicitly enabled.
451
452       [--permanent] [--zone=zone] --remove-masquerade
453           Disable IPv4 masquerade for zone. If zone is omitted, default zone
454           will be used. If the masquerading was enabled with a timeout, it
455           will be disabled also.
456
457           For IPv6 masquerading, please use the rich language.
458
459       [--permanent] [--zone=zone] --query-masquerade
460           Return whether IPv4 masquerading has been enabled for zone. If zone
461           is omitted, default zone will be used. Returns 0 if true, 1
462           otherwise.
463
464           For IPv6 masquerading, please use the rich language.
465
466       [--permanent] [--zone=zone] --list-rich-rules
467           List rich language rules added for zone as a newline separated
468           list. If zone is omitted, default zone will be used.
469
470       [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
471           Add rich language rule 'rule' for zone. This option can be
472           specified multiple times. If zone is omitted, default zone will be
473           used. If a timeout is supplied, the rule will be active for the
474           specified amount of time and will be removed automatically
475           afterwards.  timeval is either a number (of seconds) or number
476           followed by one of characters s (seconds), m (minutes), h (hours),
477           for example 20m or 1h.
478
479           For the rich language rule syntax, please have a look at
480           firewalld.richlanguage(5).
481
482           The --timeout option is not combinable with the --permanent option.
483
484       [--permanent] [--zone=zone] --remove-rich-rule='rule'
485           Remove rich language rule 'rule' from zone. This option can be
486           specified multiple times. If zone is omitted, default zone will be
487           used.
488
489           For the rich language rule syntax, please have a look at
490           firewalld.richlanguage(5).
491
492       [--permanent] [--zone=zone] --query-rich-rule='rule'
493           Return whether a rich language rule 'rule' has been added for zone.
494           If zone is omitted, default zone will be used. Returns 0 if true, 1
495           otherwise.
496
497           For the rich language rule syntax, please have a look at
498           firewalld.richlanguage(5).
499
500   Options to Handle Bindings of Interfaces
501       Binding an interface to a zone means that this zone settings are used
502       to restrict traffic via the interface.
503
504       Options in this section affect only one particular zone. If used with
505       --zone=zone option, they affect the zone zone. If the option is
506       omitted, they affect default zone (see --get-default-zone).
507
508       For a list of predefined zones use firewall-cmd --get-zones.
509
510       An interface name is a string up to 16 characters long, that may not
511       contain ' ', '/', '!' and '*'.
512
513       [--permanent] [--zone=zone] --list-interfaces
514           List interfaces that are bound to zone zone as a space separated
515           list. If zone is omitted, default zone will be used.
516
517       [--permanent] [--zone=zone] --add-interface=interface
518           Bind interface interface to zone zone. If zone is omitted, default
519           zone will be used.
520
521           If the interface is under control of NetworkManager, it is at first
522           connected to change the zone for the connection that is using the
523           interface. If this fails, the zone binding is created in firewalld
524           and the limitations below apply. For interfaces that are not under
525           control of NetworkManager, firewalld tries to change the ZONE
526           setting in the ifcfg file, if the file exists.
527
528           As a end user you don't need this in most cases, because
529           NetworkManager (or legacy network service) adds interfaces into
530           zones automatically (according to ZONE= option from ifcfg-interface
531           file) if NM_CONTROLLED=no is not set. You should do it only if
532           there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
533           there is such file and you add interface to zone with this
534           --add-interface option, make sure the zone is the same in both
535           cases, otherwise the behaviour would be undefined. Please also have
536           a look at the firewalld(1) man page in the Concepts section. For
537           permanent association of interface with a zone, see also 'How to
538           set or change a zone for a connection?' in firewalld.zones(5).
539
540       [--zone=zone] --change-interface=interface
541           If the interface is under control of NetworkManager, it is at first
542           connected to change the zone for the connection that is using the
543           interface. If this fails, the zone binding is created in firewalld
544           and the limitations below apply. For interfaces that are not under
545           control of NetworkManager, firewalld tries to change the ZONE
546           setting in the ifcfg file, if the file exists.
547
548           Change zone the interface interface is bound to to zone zone. It's
549           basically --remove-interface followed by --add-interface. If the
550           interface has not been bound to a zone before, it behaves like
551           --add-interface. If zone is omitted, default zone will be used.
552
553       [--permanent] [--zone=zone] --query-interface=interface
554           Query whether interface interface is bound to zone zone. Returns 0
555           if true, 1 otherwise.
556
557       [--permanent] --remove-interface=interface
558           If the interface is under control of NetworkManager, it is at first
559           connected to change the zone for the connection that is using the
560           interface. If this fails, the zone binding is created in firewalld
561           and the limitations below apply.
562
563           For the addion or change of interfaces that are not under control
564           of NetworkManager: firewalld tries to change the ZONE setting in
565           the ifcfg file, if an ifcfg file exists that is using the
566           interface.
567
568           Only for the removal of interfaces that are not under control of
569           NetworkManager: firewalld is not trying to change the ZONE setting
570           in the ifcfg file. This is needed to make sure that an ifdown of
571           the interface will not result in a reset of the zone setting to the
572           default zone. Only the zone binding is then removed in firewalld
573           then.
574
575           Remove binding of interface interface from zone it was previously
576           added to.
577
578   Options to Handle Bindings of Sources
579       Binding a source to a zone means that this zone settings will be used
580       to restrict traffic from this source.
581
582       A source address or address range is either an IP address or a network
583       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
584       with the ipset: prefix. For IPv4, the mask can be a network mask or a
585       plain number. For IPv6 the mask is a plain number. The use of host
586       names is not supported.
587
588       Options in this section affect only one particular zone. If used with
589       --zone=zone option, they affect the zone zone. If the option is
590       omitted, they affect default zone (see --get-default-zone).
591
592       For a list of predefined zones use firewall-cmd [--permanent]
593       --get-zones.
594
595       [--permanent] [--zone=zone] --list-sources
596           List sources that are bound to zone zone as a space separated list.
597           If zone is omitted, default zone will be used.
598
599       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
600           Bind the source to zone zone. If zone is omitted, default zone will
601           be used.
602
603       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
604           Change zone the source is bound to to zone zone. It's basically
605           --remove-source followed by --add-source. If the source has not
606           been bound to a zone before, it behaves like --add-source. If zone
607           is omitted, default zone will be used.
608
609       [--permanent] [--zone=zone]
610       --query-source=source[/mask]|MAC|ipset:ipset
611           Query whether the source is bound to the zone zone. Returns 0 if
612           true, 1 otherwise.
613
614       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
615           Remove binding of the source from zone it was previously added to.
616
617   IPSet Options
618       --get-ipset-types
619           Print the supported ipset types.
620
621       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
622       [--option=key[=value]]
623           Add a new permanent and empty ipset with specifying the type and
624           optional the family and options like timeout, hashsize and maxelem.
625           For more information please have a look at ipset(8) man page.
626
627       --permanent --new-ipset-from-file=filename [--name=ipset]
628           Add a new permanent ipset from a prepared ipset file with an
629           optional name override.
630
631       --permanent --delete-ipset=ipset
632           Delete an existing permanent ipset.
633
634       --permanent --load-ipset-defaults=ipset
635           Load ipset default settings or report NO_DEFAULTS error.
636
637       [--permanent] --info-ipset=ipset
638           Print information about the ipset ipset. The output format is:
639
640               ipset
641                 type: type
642                 options: option1[=value1] ..
643                 entries: entry1 ..
644
645
646
647       [--permanent] --get-ipsets
648           Print predefined ipsets as a space separated list.
649
650       --permanent --ipset=ipset --set-description=description
651           Set new description to ipset
652
653       --permanent --ipset=ipset --get-description
654           Print description for ipset
655
656       --permanent --ipset=ipset --set-short=description
657           Set short description to ipset
658
659       --permanent --ipset=ipset --get-short
660           Print short description for ipset
661
662       [--permanent] --ipset=ipset --add-entry=entry
663           Add a new entry to the ipset.
664
665           Adding an entry to an ipset with option timeout is permitted, but
666           these entries are not tracked by firewalld.
667
668       [--permanent] --ipset=ipset --remove-entry=entry
669           Remove an entry from the ipset.
670
671       [--permanent] --ipset=ipset --query-entry=entry
672           Return whether the entry has been added to an ipset. Returns 0 if
673           true, 1 otherwise.
674
675           Querying an ipset with a timeout will yield an error. Entries are
676           not tracked for ipsets with a timeout.
677
678       [--permanent] --ipset=ipset --get-entries
679           List all entries of the ipset.
680
681       [--permanent] --ipset=ipset --add-entries-from-file=filename
682           Add a new entries to the ipset from the file. For all entries that
683           are listed in the file but already in the ipset, a warning will be
684           printed.
685
686           The file should contain an entry per line. Lines starting with an
687           hash or semicolon are ignored. Also empty lines.
688
689       [--permanent] --ipset=ipset --remove-entries-from-file=filename
690           Remove existing entries from the ipset from the file. For all
691           entries that are listed in the file but not in the ipset, a warning
692           will be printed.
693
694           The file should contain an entry per line. Lines starting with an
695           hash or semicolon are ignored. Also empty lines.
696
697       --permanent --path-ipset=ipset
698           Print path of the ipset configuration file.
699
700   Service Options
701       Options in this section affect only one particular service.
702
703       [--permanent] --info-service=service
704           Print information about the service service. The output format is:
705
706               service
707                 ports: port1 ..
708                 protocols: protocol1 ..
709                 source-ports: source-port1 ..
710                 modules: module1 ..
711                 destination: ipv1:address1 ..
712
713
714
715       The following options are only usable in the permanent configuration.
716
717       --permanent --new-service=service
718           Add a new permanent and empty service.
719
720       --permanent --new-service-from-file=filename [--name=service]
721           Add a new permanent service from a prepared service file with an
722           optional name override.
723
724       --permanent --delete-service=service
725           Delete an existing permanent service.
726
727       --permanent --load-service-defaults=service
728           Load service default settings or report NO_DEFAULTS error.
729
730       --permanent --path-service=service
731           Print path of the service configuration file.
732
733       --permanent --service=service --set-description=description
734           Set new description to service
735
736       --permanent --service=service --get-description
737           Print description for service
738
739       --permanent --service=service --set-short=description
740           Set short description to service
741
742       --permanent --service=service --get-short
743           Print short description for service
744
745       --permanent --service=service --add-port=portid[-portid]/protocol
746           Add a new port to the permanent service.
747
748       --permanent --service=service --remove-port=portid[-portid]/protocol
749           Remove a port from the permanent service.
750
751       --permanent --service=service --query-port=portid[-portid]/protocol
752           Return wether the port has been added to the permanent service.
753
754       --permanent --service=service --get-ports
755           List ports added to the permanent service.
756
757       --permanent --service=service --add-protocol=protocol
758           Add a new protocol to the permanent service.
759
760       --permanent --service=service --remove-protocol=protocol
761           Remove a protocol from the permanent service.
762
763       --permanent --service=service --query-protocol=protocol
764           Return wether the protocol has been added to the permanent service.
765
766       --permanent --service=service --get-protocols
767           List protocols added to the permanent service.
768
769       --permanent --service=service
770       --add-source-port=portid[-portid]/protocol
771           Add a new source port to the permanent service.
772
773       --permanent --service=service
774       --remove-source-port=portid[-portid]/protocol
775           Remove a source port from the permanent service.
776
777       --permanent --service=service
778       --query-source-port=portid[-portid]/protocol
779           Return wether the source port has been added to the permanent
780           service.
781
782       --permanent --service=service --get-source-ports
783           List source ports added to the permanent service.
784
785       --permanent --service=service --add-module=module
786           Add a new module to the permanent service.
787
788       --permanent --service=service --remove-module=module
789           Remove a module from the permanent service.
790
791       --permanent --service=service --query-module=module
792           Return wether the module has been added to the permanent service.
793
794       --permanent --service=service --get-modules
795           List modules added to the permanent service.
796
797       --permanent --service=service --set-destination=ipv:address[/mask]
798           Set destination for ipv to address[/mask] in the permanent service.
799
800       --permanent --service=service --remove-destination=ipv
801           Remove the destination for ipv from the permanent service.
802
803       --permanent --service=service --query-destination=ipv:address[/mask]
804           Return wether the destination ipv to address[/mask] has been set in
805           the permanent service.
806
807       --permanent --service=service --get-destinations
808           List destinations added to the permanent service.
809
810   Helper Options
811       Options in this section affect only one particular helper.
812
813       [--permanent] --info-helper=helper
814           Print information about the helper helper. The output format is:
815
816               helper
817                 family: family
818                 module: module
819                 ports: port1 ..
820
821
822
823       The following options are only usable in the permanent configuration.
824
825       --permanent --new-helper=helper --module=nf_conntrack_module
826       [--family=ipv4|ipv6]
827           Add a new permanent helper with module and optionally family
828           defined.
829
830       --permanent --new-helper-from-file=filename [--name=helper]
831           Add a new permanent helper from a prepared helper file with an
832           optional name override.
833
834       --permanent --delete-helper=helper
835           Delete an existing permanent helper.
836
837       --permanent --load-helper-defaults=helper
838           Load helper default settings or report NO_DEFAULTS error.
839
840       --permanent --path-helper=helper
841           Print path of the helper configuration file.
842
843       [--permanent] --get-helpers
844           Print predefined helpers as a space separated list.
845
846       --permanent --helper=helper --set-description=description
847           Set new description to helper
848
849       --permanent --helper=helper --get-description
850           Print description for helper
851
852       --permanent --helper=helper --set-short=description
853           Set short description to helper
854
855       --permanent --helper=helper --get-short
856           Print short description for helper
857
858       --permanent --helper=helper --add-port=portid[-portid]/protocol
859           Add a new port to the permanent helper.
860
861       --permanent --helper=helper --remove-port=portid[-portid]/protocol
862           Remove a port from the permanent helper.
863
864       --permanent --helper=helper --query-port=portid[-portid]/protocol
865           Return wether the port has been added to the permanent helper.
866
867       --permanent --helper=helper --get-ports
868           List ports added to the permanent helper.
869
870       --permanent --helper=helper --set-module=description
871           Set module description for helper
872
873       --permanent --helper=helper --get-module
874           Print module description for helper
875
876       --permanent --helper=helper --set-family=description
877           Set family description for helper
878
879       --permanent --helper=helper --get-family
880           Print family description of helper
881
882   Internet Control Message Protocol (ICMP) type Options
883       Options in this section affect only one particular icmptype.
884
885       [--permanent] --info-icmptype=icmptype
886           Print information about the icmptype icmptype. The output format
887           is:
888
889               icmptype
890                 destination: ipv1 ..
891
892
893
894       The following options are only usable in the permanent configuration.
895
896       --permanent --new-icmptype=icmptype
897           Add a new permanent and empty icmptype.
898
899       --permanent --new-icmptype-from-file=filename [--name=icmptype]
900           Add a new permanent icmptype from a prepared icmptype file with an
901           optional name override.
902
903       --permanent --delete-icmptype=icmptype
904           Delete an existing permanent icmptype.
905
906       --permanent --load-icmptype-defaults=icmptype
907           Load icmptype default settings or report NO_DEFAULTS error.
908
909       --permanent --icmptype=icmptype --set-description=description
910           Set new description to icmptype
911
912       --permanent --icmptype=icmptype --get-description
913           Print description for icmptype
914
915       --permanent --icmptype=icmptype --set-short=description
916           Set short description to icmptype
917
918       --permanent --icmptype=icmptype --get-short
919           Print short description for icmptype
920
921       --permanent --icmptype=icmptype --add-destination=ipv
922           Enable destination for ipv in permanent icmptype. ipv is one of
923           ipv4 or ipv6.
924
925       --permanent --icmptype=icmptype --remove-destination=ipv
926           Disable destination for ipv in permanent icmptype. ipv is one of
927           ipv4 or ipv6.
928
929       --permanent --icmptype=icmptype --query-destination=ipv
930           Return whether destination for ipv is enabled in permanent
931           icmptype. ipv is one of ipv4 or ipv6.
932
933       --permanent --icmptype=icmptype --get-destinations
934           List destinations in permanent icmptype.
935
936       --permanent --path-icmptype=icmptype
937           Print path of the icmptype configuration file.
938
939   Direct Options
940       The direct options give a more direct access to the firewall. These
941       options require user to know basic iptables concepts, i.e.  table
942       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
943       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
944       (ACCEPT/DROP/REJECT/...).
945
946       Direct options should be used only as a last resort when it's not
947       possible to use for example --add-service=service or
948       --add-rich-rule='rule'.
949
950       The first argument of each option has to be ipv4 or ipv6 or eb. With
951       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
952       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
953
954       [--permanent] --direct --get-all-chains
955           Get all chains added to all tables. This option concerns only
956           chains previously added with --direct --add-chain.
957
958       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
959           Get all chains added to table table as a space separated list. This
960           option concerns only chains previously added with --direct
961           --add-chain.
962
963       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
964           Add a new chain with name chain to table table. Make sure there's
965           no other chain with this name already.
966
967           There already exist basic chains to use with direct options, for
968           example INPUT_direct chain (see iptables-save | grep direct output
969           for all of them). These chains are jumped into before chains for
970           zones, i.e. every rule put into INPUT_direct will be checked before
971           rules in zones.
972
973       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
974           Remove chain with name chain from table table. Only chains
975           previously added with --direct --add-chain can be removed this way.
976
977       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
978           Return whether a chain with name chain exists in table table.
979           Returns 0 if true, 1 otherwise. This option concerns only chains
980           previously added with --direct --add-chain.
981
982       [--permanent] --direct --get-all-rules
983           Get all rules added to all chains in all tables as a newline
984           separated list of the priority and arguments. This option concerns
985           only rules previously added with --direct --add-rule.
986
987       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
988           Get all rules added to chain chain in table table as a newline
989           separated list of the priority and arguments. This option concerns
990           only rules previously added with --direct --add-rule.
991
992       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
993       priority args
994           Add a rule with the arguments args to chain chain in table table
995           with priority priority.
996
997           The priority is used to order rules. Priority 0 means add rule on
998           top of the chain, with a higher priority the rule will be added
999           further down. Rules with the same priority are on the same level
1000           and the order of these rules is not fixed and may change. If you
1001           want to make sure that a rule will be added after another one, use
1002           a low priority for the first and a higher for the following.
1003
1004       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1005       priority args
1006           Remove a rule with priority and the arguments args from chain chain
1007           in table table. Only rules previously added with --direct
1008           --add-rule can be removed this way.
1009
1010       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1011           Remove all rules in the chain with name chain exists in table
1012           table. This option concerns only rules previously added with
1013           --direct --add-rule in this chain.
1014
1015       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1016       priority args
1017           Return whether a rule with priority and the arguments args exists
1018           in chain chain in table table. Returns 0 if true, 1 otherwise. This
1019           option concerns only rules previously added with --direct
1020           --add-rule.
1021
1022       --direct --passthrough { ipv4 | ipv6 | eb } args
1023           Pass a command through to the firewall.  args can be all iptables,
1024           ip6tables and ebtables command line arguments. This command is
1025           untracked, which means that firewalld is not able to provide
1026           information about this command later on, also not a listing of the
1027           untracked passthoughs.
1028
1029       [--permanent] --direct --get-all-passthroughs
1030           Get all passthrough rules as a newline separated list of the ipv
1031           value and arguments.
1032
1033       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1034           Get all passthrough rules for the ipv value as a newline separated
1035           list of the priority and arguments.
1036
1037       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1038           Add a passthrough rule with the arguments args for the ipv value.
1039
1040       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1041           Remove a passthrough rule with the arguments args for the ipv
1042           value.
1043
1044       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1045           Return whether a passthrough rule with the arguments args exists
1046           for the ipv value. Returns 0 if true, 1 otherwise.
1047
1048   Lockdown Options
1049       Local applications or services are able to change the firewall
1050       configuration if they are running as root (example: libvirt) or are
1051       authenticated using PolicyKit. With this feature administrators can
1052       lock the firewall configuration so that only applications on lockdown
1053       whitelist are able to request firewall changes.
1054
1055       The lockdown access check limits D-Bus methods that are changing
1056       firewall rules. Query, list and get methods are not limited.
1057
1058       The lockdown feature is a very light version of user and application
1059       policies for firewalld and is turned off by default.
1060
1061       --lockdown-on
1062           Enable lockdown. Be careful - if firewall-cmd is not on lockdown
1063           whitelist when you enable lockdown you won't be able to disable it
1064           again with firewall-cmd, you would need to edit firewalld.conf.
1065
1066           This is a runtime and permanent change.
1067
1068       --lockdown-off
1069           Disable lockdown.
1070
1071           This is a runtime and permanent change.
1072
1073       --query-lockdown
1074           Query whether lockdown is enabled. Returns 0 if lockdown is
1075           enabled, 1 otherwise.
1076
1077   Lockdown Whitelist Options
1078       The lockdown whitelist can contain commands, contexts, users and user
1079       ids.
1080
1081       If a command entry on the whitelist ends with an asterisk '*', then all
1082       command lines starting with the command will match. If the '*' is not
1083       there the absolute command inclusive arguments must match.
1084
1085       Commands for user root and others is not always the same. Example: As
1086       root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd
1087       is be used on Fedora.
1088
1089       The context is the security (SELinux) context of a running application
1090       or service. To get the context of a running application use ps -e
1091       --context.
1092
1093       Warning: If the context is unconfined, then this will open access for
1094       more than the desired application.
1095
1096       The lockdown whitelist entries are checked in the following order:
1097           1. context
1098           2. uid
1099           3. user
1100           4. command
1101
1102       [--permanent] --list-lockdown-whitelist-commands
1103           List all command lines that are on the whitelist.
1104
1105       [--permanent] --add-lockdown-whitelist-command=command
1106           Add the command to the whitelist.
1107
1108       [--permanent] --remove-lockdown-whitelist-command=command
1109           Remove the command from the whitelist.
1110
1111       [--permanent] --query-lockdown-whitelist-command=command
1112           Query whether the command is on the whitelist. Returns 0 if true, 1
1113           otherwise.
1114
1115       [--permanent] --list-lockdown-whitelist-contexts
1116           List all contexts that are on the whitelist.
1117
1118       [--permanent] --add-lockdown-whitelist-context=context
1119           Add the context context to the whitelist.
1120
1121       [--permanent] --remove-lockdown-whitelist-context=context
1122           Remove the context from the whitelist.
1123
1124       [--permanent] --query-lockdown-whitelist-context=context
1125           Query whether the context is on the whitelist. Returns 0 if true, 1
1126           otherwise.
1127
1128       [--permanent] --list-lockdown-whitelist-uids
1129           List all user ids that are on the whitelist.
1130
1131       [--permanent] --add-lockdown-whitelist-uid=uid
1132           Add the user id uid to the whitelist.
1133
1134       [--permanent] --remove-lockdown-whitelist-uid=uid
1135           Remove the user id uid from the whitelist.
1136
1137       [--permanent] --query-lockdown-whitelist-uid=uid
1138           Query whether the user id uid is on the whitelist. Returns 0 if
1139           true, 1 otherwise.
1140
1141       [--permanent] --list-lockdown-whitelist-users
1142           List all user names that are on the whitelist.
1143
1144       [--permanent] --add-lockdown-whitelist-user=user
1145           Add the user name user to the whitelist.
1146
1147       [--permanent] --remove-lockdown-whitelist-user=user
1148           Remove the user name user from the whitelist.
1149
1150       [--permanent] --query-lockdown-whitelist-user=user
1151           Query whether the user name user is on the whitelist. Returns 0 if
1152           true, 1 otherwise.
1153
1154   Panic Options
1155       --panic-on
1156           Enable panic mode. All incoming and outgoing packets are dropped,
1157           active connections will expire. Enable this only if there are
1158           serious problems with your network environment. For example if the
1159           machine is getting hacked in.
1160
1161           This is a runtime only change.
1162
1163       --panic-off
1164           Disable panic mode. After disabling panic mode established
1165           connections might work again, if panic mode was enabled for a short
1166           period of time.
1167
1168           This is a runtime only change.
1169
1170       --query-panic
1171           Returns 0 if panic mode is enabled, 1 otherwise.
1172

EXAMPLES

1174       For more examples see http://fedoraproject.org/wiki/FirewallD
1175
1176   Example 1
1177       Enable http service in default zone. This is runtime only change, i.e.
1178       effective until restart.
1179
1180           firewall-cmd --add-service=http
1181
1182
1183
1184   Example 2
1185       Enable port 443/tcp immediately and permanently in default zone. To
1186       make the change effective immediately and also after restart we need
1187       two commands. The first command makes the change in runtime
1188       configuration, i.e. makes it effective immediately, until restart. The
1189       second command makes the change in permanent configuration, i.e. makes
1190       it effective after restart.
1191
1192           firewall-cmd --add-port=443/tcp
1193           firewall-cmd --permanent --add-port=443/tcp
1194
1195
1196

EXIT CODES

1198       On success 0 is returned. On failure the output is red colored and exit
1199       code is either 2 in case of wrong command-line option usage or one of
1200       the following error codes in other cases:
1201
1202       ┌────────────────────┬──────┐
1203String              Code 
1204       ├────────────────────┼──────┤
1205       │ALREADY_ENABLED     │   11 │
1206       ├────────────────────┼──────┤
1207       │NOT_ENABLED         │   12 │
1208       ├────────────────────┼──────┤
1209       │COMMAND_FAILED      │   13 │
1210       ├────────────────────┼──────┤
1211       │NO_IPV6_NAT         │   14 │
1212       ├────────────────────┼──────┤
1213       │PANIC_MODE          │   15 │
1214       ├────────────────────┼──────┤
1215       │ZONE_ALREADY_SET    │   16 │
1216       ├────────────────────┼──────┤
1217       │UNKNOWN_INTERFACE   │   17 │
1218       ├────────────────────┼──────┤
1219       │ZONE_CONFLICT       │   18 │
1220       ├────────────────────┼──────┤
1221       │BUILTIN_CHAIN       │   19 │
1222       ├────────────────────┼──────┤
1223       │EBTABLES_NO_REJECT  │   20 │
1224       ├────────────────────┼──────┤
1225       │NOT_OVERLOADABLE    │   21 │
1226       ├────────────────────┼──────┤
1227       │NO_DEFAULTS         │   22 │
1228       ├────────────────────┼──────┤
1229       │BUILTIN_ZONE        │   23 │
1230       ├────────────────────┼──────┤
1231       │BUILTIN_SERVICE     │   24 │
1232       ├────────────────────┼──────┤
1233       │BUILTIN_ICMPTYPE    │   25 │
1234       ├────────────────────┼──────┤
1235       │NAME_CONFLICT       │   26 │
1236       ├────────────────────┼──────┤
1237       │NAME_MISMATCH       │   27 │
1238       ├────────────────────┼──────┤
1239       │PARSE_ERROR         │   28 │
1240       ├────────────────────┼──────┤
1241       │ACCESS_DENIED       │   29 │
1242       ├────────────────────┼──────┤
1243       │UNKNOWN_SOURCE      │   30 │
1244       ├────────────────────┼──────┤
1245       │RT_TO_PERM_FAILED   │   31 │
1246       ├────────────────────┼──────┤
1247       │IPSET_WITH_TIMEOUT  │   32 │
1248       ├────────────────────┼──────┤
1249       │BUILTIN_IPSET       │   33 │
1250       ├────────────────────┼──────┤
1251       │ALREADY_SET         │   34 │
1252       ├────────────────────┼──────┤
1253       │MISSING_IMPORT      │   35 │
1254       ├────────────────────┼──────┤
1255       │DBUS_ERROR          │   36 │
1256       ├────────────────────┼──────┤
1257       │BUILTIN_HELPER      │   37 │
1258       ├────────────────────┼──────┤
1259       │NOT_APPLIED         │   38 │
1260       ├────────────────────┼──────┤
1261       │INVALID_ACTION      │  100 │
1262       ├────────────────────┼──────┤
1263       │INVALID_SERVICE     │  101 │
1264       ├────────────────────┼──────┤
1265       │INVALID_PORT        │  102 │
1266       ├────────────────────┼──────┤
1267       │INVALID_PROTOCOL    │  103 │
1268       ├────────────────────┼──────┤
1269       │INVALID_INTERFACE   │  104 │
1270       ├────────────────────┼──────┤
1271       │INVALID_ADDR        │  105 │
1272       ├────────────────────┼──────┤
1273       │INVALID_FORWARD     │  106 │
1274       ├────────────────────┼──────┤
1275       │INVALID_ICMPTYPE    │  107 │
1276       ├────────────────────┼──────┤
1277       │INVALID_TABLE       │  108 │
1278       ├────────────────────┼──────┤
1279       │INVALID_CHAIN       │  109 │
1280       ├────────────────────┼──────┤
1281       │INVALID_TARGET      │  110 │
1282       ├────────────────────┼──────┤
1283       │INVALID_IPV         │  111 │
1284       ├────────────────────┼──────┤
1285       │INVALID_ZONE        │  112 │
1286       ├────────────────────┼──────┤
1287       │INVALID_PROPERTY    │  113 │
1288       ├────────────────────┼──────┤
1289       │INVALID_VALUE       │  114 │
1290       ├────────────────────┼──────┤
1291       │INVALID_OBJECT      │  115 │
1292       ├────────────────────┼──────┤
1293       │INVALID_NAME        │  116 │
1294       ├────────────────────┼──────┤
1295       │INVALID_FILENAME    │  117 │
1296       ├────────────────────┼──────┤
1297       │INVALID_DIRECTORY   │  118 │
1298       ├────────────────────┼──────┤
1299       │INVALID_TYPE        │  119 │
1300       ├────────────────────┼──────┤
1301       │INVALID_SETTING     │  120 │
1302       ├────────────────────┼──────┤
1303       │INVALID_DESTINATION │  121 │
1304       ├────────────────────┼──────┤
1305       │INVALID_RULE        │  122 │
1306       ├────────────────────┼──────┤
1307       │INVALID_LIMIT       │  123 │
1308       ├────────────────────┼──────┤
1309       │INVALID_FAMILY      │  124 │
1310       ├────────────────────┼──────┤
1311       │INVALID_LOG_LEVEL   │  125 │
1312       ├────────────────────┼──────┤
1313       │INVALID_AUDIT_TYPE  │  126 │
1314       ├────────────────────┼──────┤
1315       │INVALID_MARK        │  127 │
1316       ├────────────────────┼──────┤
1317       │INVALID_CONTEXT     │  128 │
1318       ├────────────────────┼──────┤
1319       │INVALID_COMMAND     │  129 │
1320       ├────────────────────┼──────┤
1321       │INVALID_USER        │  130 │
1322       ├────────────────────┼──────┤
1323       │INVALID_UID         │  131 │
1324       ├────────────────────┼──────┤
1325       │INVALID_MODULE      │  132 │
1326       ├────────────────────┼──────┤
1327       │INVALID_PASSTHROUGH │  133 │
1328       ├────────────────────┼──────┤
1329       │INVALID_MAC         │  134 │
1330       ├────────────────────┼──────┤
1331       │INVALID_IPSET       │  135 │
1332       ├────────────────────┼──────┤
1333       │INVALID_ENTRY       │  136 │
1334       ├────────────────────┼──────┤
1335       │INVALID_OPTION      │  137 │
1336       ├────────────────────┼──────┤
1337       │INVALID_HELPER      │  138 │
1338       ├────────────────────┼──────┤
1339       │MISSING_TABLE       │  200 │
1340       ├────────────────────┼──────┤
1341       │MISSING_CHAIN       │  201 │
1342       ├────────────────────┼──────┤
1343       │MISSING_PORT        │  202 │
1344       ├────────────────────┼──────┤
1345       │MISSING_PROTOCOL    │  203 │
1346       ├────────────────────┼──────┤
1347       │MISSING_ADDR        │  204 │
1348       ├────────────────────┼──────┤
1349       │MISSING_NAME        │  205 │
1350       ├────────────────────┼──────┤
1351       │MISSING_SETTING     │  206 │
1352       ├────────────────────┼──────┤
1353       │MISSING_FAMILY      │  207 │
1354       ├────────────────────┼──────┤
1355       │RUNNING_BUT_FAILED  │  251 │
1356       ├────────────────────┼──────┤
1357       │NOT_RUNNING         │  252 │
1358       ├────────────────────┼──────┤
1359       │NOT_AUTHORIZED      │  253 │
1360       ├────────────────────┼──────┤
1361       │UNKNOWN_ERROR       │  254 │
1362       └────────────────────┴──────┘
1363
1364       Note that return codes of --query-* options are special: Successful
1365       queries return 0, unsuccessful ones return 1 unless an error occurred
1366       in which case the table above applies.
1367

SEE ALSO

1369       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1370       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1371       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1372       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1373       firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1374       firewalld.helper(5)
1375

NOTES

1377       firewalld home page:
1378           http://firewalld.org
1379
1380       More documentation with examples:
1381           http://fedoraproject.org/wiki/FirewallD
1382

AUTHORS

1384       Thomas Woerner <twoerner@redhat.com>
1385           Developer
1386
1387       Jiri Popelka <jpopelka@redhat.com>
1388           Developer
1389
1390
1391
1392firewalld 0.6.4                                                FIREWALL-CMD(1)
Impressum