FIREWALL-CMD(1)                   firewall-cmd                   FIREWALL-CMD(1)

NAME
   firewall-cmd - firewalld command line client

SYNOPSIS
   firewall-cmd [OPTIONS...]

DESCRIPTION
   firewall-cmd is the command line client of the firewalld daemon. It
   provides an interface to manage the runtime and permanent configuration.

   The runtime configuration in firewalld is separated from the permanent
   configuration. This means that changes can be made to either the runtime
   or the permanent configuration.

OPTIONS
   For sequence options, i.e. the options that can be specified multiple
   times, the exit code is 0 if there is at least one item that succeeded.
   The ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
   errors are treated as succeeded. If there are issues while parsing the
   items, these are treated as warnings and will not change the result as
   long as there is one succeeded item. Without any succeeded item, the exit
   code depends on the error codes: if there is exactly one error code, it
   is used; if there are more than one, UNKNOWN_ERROR (254) is used.
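   As an added example (not code from the man page or from firewalld), the
   following Python model implements the exit-code rule just described and
   adds the check a script needs, since exit code 0 only promises that one
   item was applied. The error values 101 and 102 used in it are constructed.

```python
# Added example (not code from the firewall-cmd man page or from firewalld):
# a model of the documented exit-code rule for sequence options, i.e. options
# such as --add-service or --add-port that may be given several times in one
# invocation. The numeric codes are the ones the man page quotes; other
# values used in comments and tests are constructed.

ALREADY_ENABLED = 11
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254

# Per-item outcomes that the man page says are treated as success.
TREATED_AS_SUCCESS = {0, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET}


def sequence_exit_code(item_codes):
    """Combine per-item outcomes into the exit code firewall-cmd reports.

    item_codes: one entry per item on the command line; 0 for success, the
    error code for a failed item, or None for an item that could not be
    parsed (a warning only).
    """
    succeeded = False
    errors = set()
    for code in item_codes:
        if code is None:
            continue                      # parse problems never change the result
        if code in TREATED_AS_SUCCESS:
            succeeded = True
        else:
            errors.add(code)
    if succeeded:
        return 0                          # at least one item went through
    if len(errors) == 1:
        return errors.pop()               # exactly one distinct error code
    # Several distinct error codes. The page leaves the "only unparsable
    # items" case unspecified; this model reports UNKNOWN_ERROR for it too
    # (an assumption).
    return UNKNOWN_ERROR


def failed_items(item_codes):
    """Indexes of items that were not applied: parse failures or real errors.

    This is the check a script needs: exit code 0 only promises that one
    item succeeded, so a rule set may have been applied only partially.
    """
    return [i for i, code in enumerate(item_codes)
            if code is None or code not in TREATED_AS_SUCCESS]
```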
   The following options are supported:

General Options
   -h, --help
       Prints a short help text and exits.

   -V, --version
       Print the version string of firewalld. This option is not
       combinable with other options.

   -q, --quiet
       Do not print status messages.

Status Options
   --state
       Check whether the firewalld daemon is active (i.e. running).
       Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if a
       failure occurred on startup, NOT_RUNNING otherwise. See the section
       called "EXIT CODES". This will also print the state to STDOUT.

   --reload
       Reload firewall rules and keep state information. The current
       permanent configuration will become the new runtime configuration,
       i.e. all runtime-only changes made before the reload are lost with
       the reload unless they were also made in the permanent configuration.

       Note: Runtime changes applied via the direct interface are not
       affected and will therefore stay in place until the firewalld daemon
       is restarted completely.

   --complete-reload
       Reload the firewall completely, even netfilter kernel modules. This
       will most likely terminate active connections, because state
       information is lost. This option should only be used in case of
       severe firewall problems, for example if there are state information
       problems such that no connection can be established even with
       correct firewall rules.

       Note: Runtime changes applied via the direct interface are not
       affected and will therefore stay in place until the firewalld daemon
       is restarted completely.

   --runtime-to-permanent
       Save the active runtime configuration and overwrite the permanent
       configuration with it. The intended workflow is that when configuring
       firewalld you make runtime changes only, and once you are happy with
       the configuration and have tested that it works the way you want, you
       save the configuration to disk.

   --check-config
       Run checks on the permanent configuration. This includes XML
       validity and semantics.

Log Denied Options
   --get-log-denied
       Print the log denied setting.

   --set-log-denied=value
       Add logging rules right before the reject and drop rules in the
       INPUT, FORWARD and OUTPUT chains for the default rules and also
       before the final reject and drop rules in zones for the configured
       link-layer packet type. The possible values are: all, unicast,
       broadcast, multicast and off. The default setting is off, which
       disables the logging.

       This is a runtime and permanent change and will also reload the
       firewall to be able to add the logging rules.

Automatic Helpers Options
   --get-automatic-helpers
       Print the automatic helpers setting.

   --set-automatic-helpers=value
       For the secure use of iptables and connection tracking helpers it
       is recommended to turn AutomaticHelpers off. But this might have
       side effects on other services using the netfilter helpers, as the
       sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
       be changed. With the system setting, the default value set in the
       kernel or with sysctl will be used. Possible values are: yes, no
       and system. The default value is system.

       This is a runtime and permanent change and will also reload the
       firewall to be able to make the helpers usable.

Permanent Options
   --permanent
       The permanent option --permanent can be used to set options
       permanently. These changes are not effective immediately, only
       after a service restart/reload or system reboot. Without the
       --permanent option, a change will only be part of the runtime
       configuration.

       If you want to make a change in both the runtime and the permanent
       configuration, use the same call with and without the --permanent
       option.

       The --permanent option can be optionally added to all options
       further down where it is supported.

Zone Options
   --get-default-zone
       Print the default zone for connections and interfaces.

   --set-default-zone=zone
       Set the default zone for connections and interfaces where no zone
       has been selected. Setting the default zone changes the zone for
       the connections and interfaces that are using the default zone.

       This is a runtime and permanent change.

   --get-active-zones
       Print the currently active zones together with the interfaces and
       sources used in these zones. Active zones are zones that have a
       binding to an interface or source. The output format is:

           zone1
             interfaces: interface1 interface2 ..
             sources: source1 ..
           zone2
             interfaces: interface3 ..
           zone3
             sources: source2 ..

       If there are no interfaces or sources bound to the zone, the
       corresponding line will be omitted.

   [--permanent] --get-zones
       Print predefined zones as a space separated list.

   [--permanent] --get-services
       Print predefined services as a space separated list.

   [--permanent] --get-icmptypes
       Print predefined icmptypes as a space separated list.

   [--permanent] --get-zone-of-interface=interface
       Print the name of the zone the interface is bound to, or no zone.

   [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
       Print the name of the zone the source is bound to, or no zone.

   [--permanent] --info-zone=zone
       Print information about the zone zone. The output format is:

           zone
             interfaces: interface1 ..
             sources: source1 ..
             services: service1 ..
             ports: port1 ..
             protocols: protocol1 ..
             forward-ports:
               forward-port1
               ..
             source-ports: source-port1 ..
             icmp-blocks: icmp-type1 ..
             rich rules:
               rich-rule1
               ..

   [--permanent] --list-all-zones
       List everything added for or enabled in all zones. The output
       format is:

           zone1
             interfaces: interface1 ..
             sources: source1 ..
             services: service1 ..
             ports: port1 ..
             protocols: protocol1 ..
             forward-ports:
               forward-port1
               ..
             icmp-blocks: icmp-type1 ..
             rich rules:
               rich-rule1
               ..
           ..

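   As an added example (not code from the man page or from firewalld), the
   Python below parses the output formats documented above for
   --get-active-zones, --info-zone and --list-all-zones, and applies the
   page's definition of an active zone to the result. The two sample outputs
   embedded in it are constructed to follow the documented layout.

```python
# Added example (not code from the firewall-cmd man page or from firewalld):
# a parser for the output formats documented for --get-active-zones,
# --info-zone and --list-all-zones. It relies only on the layout the man
# page describes: an unindented zone name, indented "key: value .." lines,
# and keys such as "forward-ports:" or "rich rules:" whose entries follow
# one per line, indented further. Both sample outputs are constructed.

ACTIVE_ZONES_SAMPLE = """\
public
  interfaces: eth0 eth1
internal
  sources: 10.0.0.0/8
"""

LIST_ALL_ZONES_SAMPLE = """\
public
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8080/tcp
  protocols:
  forward-ports:
\tport=80:proto=tcp:toport=8080
  icmp-blocks:
  rich rules:
\trule family="ipv4" source address="192.0.2.0/24" reject
dmz
  interfaces:
  services: ssh
  ports:
  rich rules:
"""


def _indent(line):
    """Width of the leading whitespace, with tabs expanded to 8 columns."""
    expanded = line.expandtabs(8)
    return len(expanded) - len(expanded.lstrip())


def parse_zone_listing(text):
    """Return {zone: {key: [values]}} from a listing in the man page's format."""
    zones = {}
    current = None      # dict being filled for the current zone
    key_indent = None   # indentation of the "key:" lines in this zone
    last_key = None     # key whose one-per-line entries may follow
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = _indent(raw)
        if indent == 0:
            # Unindented line: a new zone block starts.
            current = zones.setdefault(raw.strip(), {})
            key_indent = last_key = None
            continue
        if current is None:
            raise ValueError("indented line before any zone name: %r" % raw)
        if key_indent is None:
            key_indent = indent
        if indent > key_indent and last_key is not None:
            # Deeper indentation: an entry under forward-ports: or rich rules:.
            # Entries are kept whole because they contain their own ':' and
            # spaces (e.g. port=80:proto=tcp:toport=8080).
            current[last_key].append(raw.strip())
            continue
        key, sep, rest = raw.strip().partition(":")
        if not sep:
            raise ValueError("expected a 'key: values' line: %r" % raw)
        current[key] = rest.split()   # inline values; empty list if none
        last_key = key
    return zones


def active_zones(zones):
    """Zones that have a binding, i.e. a non-empty interfaces or sources list.

    This is the man page's definition of an active zone, applied to parsed
    --list-all-zones output.
    """
    return [name for name, keys in zones.items()
            if keys.get("interfaces") or keys.get("sources")]
```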
   --permanent --new-zone=zone
       Add a new permanent and empty zone.

   --permanent --new-zone-from-file=filename [--name=zone]
       Add a new permanent zone from a prepared zone file with an optional
       name override.

   --permanent --delete-zone=zone
       Delete an existing permanent zone.

   --permanent --load-zone-defaults=zone
       Load zone default settings or report a NO_DEFAULTS error.

   --permanent --path-zone=zone
       Print the path of the zone configuration file.

   --permanent --zone=zone --set-description=description
       Set a new description for zone.

   --permanent --zone=zone --get-description
       Print the description for zone.

   --permanent --zone=zone --set-short=description
       Set the short description for zone.

   --permanent --zone=zone --get-short
       Print the short description for zone.

   --permanent [--zone=zone] --get-target
       Get the target of a permanent zone.

   --permanent [--zone=zone] --set-target=target
       Set the target of a permanent zone. target is one of: default,
       ACCEPT, DROP, REJECT.

Options to Adapt and Query Zones
   Options in this section affect only one particular zone. If used with
   the --zone=zone option, they affect the zone zone. If the option is
   omitted, they affect the default zone (see --get-default-zone).

   [--permanent] [--zone=zone] --list-all
       List everything added for or enabled in zone. If zone is omitted,
       the default zone will be used.

   [--permanent] [--zone=zone] --list-services
       List services added for zone as a space separated list. If zone is
       omitted, the default zone will be used.

   [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
       Add a service for zone. If zone is omitted, the default zone will be
       used. This option can be specified multiple times. If a timeout is
       supplied, the rule will be active for the specified amount of time
       and will be removed automatically afterwards. timeval is either a
       number (of seconds) or a number followed by one of the characters s
       (seconds), m (minutes), h (hours), for example 20m or 1h.

       The service is one of the firewalld provided services. To get a
       list of the supported services, use firewall-cmd --get-services.

       The --timeout option is not combinable with the --permanent option.

   [--permanent] [--zone=zone] --remove-service=service
       Remove a service from zone. This option can be specified multiple
       times. If zone is omitted, the default zone will be used.

   [--permanent] [--zone=zone] --query-service=service
       Return whether service has been added for zone. If zone is omitted,
       the default zone will be used. Returns 0 if true, 1 otherwise.

   [--permanent] [--zone=zone] --list-ports
       List ports added for zone as a space separated list. A port is of
       the form portid[-portid]/protocol; it can be either a port and
       protocol pair or a port range with a protocol. If zone is omitted,
       the default zone will be used.

   [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
   [--timeout=timeval]
       Add the port for zone. If zone is omitted, the default zone will be
       used. This option can be specified multiple times. If a timeout is
       supplied, the rule will be active for the specified amount of time
       and will be removed automatically afterwards. timeval is either a
       number (of seconds) or a number followed by one of the characters s
       (seconds), m (minutes), h (hours), for example 20m or 1h.

       The port can either be a single port number or a port range
       portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       The --timeout option is not combinable with the --permanent option.

   [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
       Remove the port from zone. If zone is omitted, the default zone will
       be used. This option can be specified multiple times.

   [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
       Return whether the port has been added for zone. If zone is
       omitted, the default zone will be used. Returns 0 if true, 1
       otherwise.

   [--permanent] [--zone=zone] --list-protocols
       List protocols added for zone as a space separated list. If zone is
       omitted, the default zone will be used.

   [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
       Add the protocol for zone. If zone is omitted, the default zone will
       be used. This option can be specified multiple times. If a timeout
       is supplied, the rule will be active for the specified amount of
       time and will be removed automatically afterwards. timeval is either
       a number (of seconds) or a number followed by one of the characters
       s (seconds), m (minutes), h (hours), for example 20m or 1h.

       The protocol can be any protocol supported by the system. Please
       have a look at /etc/protocols for supported protocols.

       The --timeout option is not combinable with the --permanent option.

   [--permanent] [--zone=zone] --remove-protocol=protocol
       Remove the protocol from zone. If zone is omitted, the default zone
       will be used. This option can be specified multiple times.

   [--permanent] [--zone=zone] --query-protocol=protocol
       Return whether the protocol has been added for zone. If zone is
       omitted, the default zone will be used. Returns 0 if true, 1
       otherwise.

   [--permanent] [--zone=zone] --list-source-ports
       List source ports added for zone as a space separated list. A port
       is of the form portid[-portid]/protocol. If zone is omitted, the
       default zone will be used.

   [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
   [--timeout=timeval]
       Add the source port for zone. If zone is omitted, the default zone
       will be used. This option can be specified multiple times. If a
       timeout is supplied, the rule will be active for the specified
       amount of time and will be removed automatically afterwards. timeval
       is either a number (of seconds) or a number followed by one of the
       characters s (seconds), m (minutes), h (hours), for example 20m or
       1h.

       The port can either be a single port number or a port range
       portid-portid. The protocol can either be tcp, udp, sctp or dccp.

       The --timeout option is not combinable with the --permanent option.

   [--permanent] [--zone=zone]
   --remove-source-port=portid[-portid]/protocol
       Remove the source port from zone. If zone is omitted, the default
       zone will be used. This option can be specified multiple times.

   [--permanent] [--zone=zone]
   --query-source-port=portid[-portid]/protocol
       Return whether the source port has been added for zone. If zone is
       omitted, the default zone will be used. Returns 0 if true, 1
       otherwise.

   [--permanent] [--zone=zone] --list-icmp-blocks
       List Internet Control Message Protocol (ICMP) type blocks added for
       zone as a space separated list. If zone is omitted, the default zone
       will be used.

   [--permanent] [--zone=zone] --add-icmp-block=icmptype
   [--timeout=timeval]
       Add an ICMP block for icmptype for zone. If zone is omitted, the
       default zone will be used. This option can be specified multiple
       times. If a timeout is supplied, the rule will be active for the
       specified amount of time and will be removed automatically
       afterwards. timeval is either a number (of seconds) or a number
       followed by one of the characters s (seconds), m (minutes), h
       (hours), for example 20m or 1h.

       The icmptype is one of the ICMP types firewalld supports. To get a
       listing of the supported ICMP types, use firewall-cmd --get-icmptypes.

       The --timeout option is not combinable with the --permanent option.

   [--permanent] [--zone=zone] --remove-icmp-block=icmptype
       Remove the ICMP block for icmptype from zone. If zone is omitted,
       the default zone will be used. This option can be specified multiple
       times.

   [--permanent] [--zone=zone] --query-icmp-block=icmptype
       Return whether an ICMP block for icmptype has been added for zone.
       If zone is omitted, the default zone will be used. Returns 0 if
       true, 1 otherwise.

   [--permanent] [--zone=zone] --list-forward-ports
       List IPv4 forward ports added for zone as a space separated list.
       If zone is omitted, the default zone will be used.

       For IPv6 forward ports, please use the rich language.

   [--permanent] [--zone=zone]
   --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
   [--timeout=timeval]
       Add the IPv4 forward port for zone. If zone is omitted, the default
       zone will be used. This option can be specified multiple times. If
       a timeout is supplied, the rule will be active for the specified
       amount of time and will be removed automatically afterwards.
       timeval is either a number (of seconds) or a number followed by one
       of the characters s (seconds), m (minutes), h (hours), for example
       20m or 1h.

       The port can either be a single port number portid or a port range
       portid-portid. The protocol can either be tcp, udp, sctp or dccp.
       The destination address is a simple IP address.

       The --timeout option is not combinable with the --permanent option.

       For IPv6 forward ports, please use the rich language.

       Note: IP forwarding will be implicitly enabled if toaddr is
       specified.

   [--permanent] [--zone=zone]
   --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       Remove the IPv4 forward port from zone. If zone is omitted, the
       default zone will be used. This option can be specified multiple
       times.

       For IPv6 forward ports, please use the rich language.

   [--permanent] [--zone=zone]
   --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       Return whether the IPv4 forward port has been added for zone. If
       zone is omitted, the default zone will be used. Returns 0 if true,
       1 otherwise.

       For IPv6 forward ports, please use the rich language.

   [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
       Enable IPv4 masquerade for zone. If zone is omitted, the default
       zone will be used. If a timeout is supplied, masquerading will be
       active for the specified amount of time. timeval is either a number
       (of seconds) or a number followed by one of the characters s
       (seconds), m (minutes), h (hours), for example 20m or 1h.
       Masquerading is useful if the machine is a router and machines
       connected over an interface in another zone should be able to use
       the first connection.

       The --timeout option is not combinable with the --permanent option.

       For IPv6 masquerading, please use the rich language.

       Note: IP forwarding will be implicitly enabled.

   [--permanent] [--zone=zone] --remove-masquerade
       Disable IPv4 masquerade for zone. If zone is omitted, the default
       zone will be used. If masquerading was enabled with a timeout, it
       will be disabled as well.

       For IPv6 masquerading, please use the rich language.

   [--permanent] [--zone=zone] --query-masquerade
       Return whether IPv4 masquerading has been enabled for zone. If zone
       is omitted, the default zone will be used. Returns 0 if true, 1
       otherwise.

       For IPv6 masquerading, please use the rich language.

   [--permanent] [--zone=zone] --list-rich-rules
       List rich language rules added for zone as a newline separated
       list. If zone is omitted, the default zone will be used.

   [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
       Add the rich language rule 'rule' for zone. This option can be
       specified multiple times. If zone is omitted, the default zone will
       be used. If a timeout is supplied, the rule will be active for the
       specified amount of time and will be removed automatically
       afterwards. timeval is either a number (of seconds) or a number
       followed by one of the characters s (seconds), m (minutes), h
       (hours), for example 20m or 1h.

       For the rich language rule syntax, please have a look at
       firewalld.richlanguage(5).

       The --timeout option is not combinable with the --permanent option.

   [--permanent] [--zone=zone] --remove-rich-rule='rule'
       Remove the rich language rule 'rule' from zone. This option can be
       specified multiple times. If zone is omitted, the default zone will
       be used.

       For the rich language rule syntax, please have a look at
       firewalld.richlanguage(5).

   [--permanent] [--zone=zone] --query-rich-rule='rule'
       Return whether the rich language rule 'rule' has been added for
       zone. If zone is omitted, the default zone will be used. Returns 0
       if true, 1 otherwise.

       For the rich language rule syntax, please have a look at
       firewalld.richlanguage(5).

Options to Handle Bindings of Interfaces
   Binding an interface to a zone means that this zone's settings are used
   to restrict traffic via the interface.

   Options in this section affect only one particular zone. If used with
   the --zone=zone option, they affect the zone zone. If the option is
   omitted, they affect the default zone (see --get-default-zone).

   For a list of predefined zones use firewall-cmd --get-zones.

   An interface name is a string up to 16 characters long that may not
   contain ' ', '/', '!' or '*'.

   [--permanent] [--zone=zone] --list-interfaces
       List interfaces that are bound to zone zone as a space separated
       list. If zone is omitted, the default zone will be used.

   [--permanent] [--zone=zone] --add-interface=interface
       Bind interface interface to zone zone. If zone is omitted, the
       default zone will be used.

       If the interface is under control of NetworkManager, NetworkManager
       is contacted first to change the zone for the connection that is
       using the interface. If this fails, the zone binding is created in
       firewalld and the limitations below apply. For interfaces that are
       not under control of NetworkManager, firewalld tries to change the
       ZONE setting in the ifcfg file, if the file exists.

       As an end user you don't need this in most cases, because
       NetworkManager (or the legacy network service) adds interfaces into
       zones automatically (according to the ZONE= option from the
       ifcfg-interface file) if NM_CONTROLLED=no is not set. You should do
       it only if there's no /etc/sysconfig/network-scripts/ifcfg-interface
       file. If there is such a file and you add the interface to a zone
       with this --add-interface option, make sure the zone is the same in
       both cases, otherwise the behaviour would be undefined. Please also
       have a look at the firewalld(1) man page in the Concepts section.
       For permanent association of an interface with a zone, see also
       'How to set or change a zone for a connection?' in
       firewalld.zones(5).

   [--zone=zone] --change-interface=interface
       If the interface is under control of NetworkManager, NetworkManager
       is contacted first to change the zone for the connection that is
       using the interface. If this fails, the zone binding is created in
       firewalld and the limitations below apply. For interfaces that are
       not under control of NetworkManager, firewalld tries to change the
       ZONE setting in the ifcfg file, if the file exists.

       Change the zone the interface interface is bound to, to zone zone.
       It's basically --remove-interface followed by --add-interface. If
       the interface has not been bound to a zone before, it behaves like
       --add-interface. If zone is omitted, the default zone will be used.

   [--permanent] [--zone=zone] --query-interface=interface
       Query whether interface interface is bound to zone zone. Returns 0
       if true, 1 otherwise.

   [--permanent] --remove-interface=interface
       If the interface is under control of NetworkManager, NetworkManager
       is contacted first to change the zone for the connection that is
       using the interface. If this fails, the zone binding is created in
       firewalld and the limitations below apply.

       For the addition or change of interfaces that are not under control
       of NetworkManager: firewalld tries to change the ZONE setting in
       the ifcfg file, if an ifcfg file exists that is using the
       interface.

       Only for the removal of interfaces that are not under control of
       NetworkManager: firewalld does not try to change the ZONE setting
       in the ifcfg file. This is needed to make sure that an ifdown of
       the interface will not result in a reset of the zone setting to the
       default zone. Only the zone binding is then removed in firewalld.

       Remove the binding of interface interface from the zone it was
       previously added to.

Options to Handle Bindings of Sources
   Binding a source to a zone means that this zone's settings will be used
   to restrict traffic from this source.

   A source address or address range is either an IP address, a network IP
   address with a mask for IPv4 or IPv6, a MAC address, or an ipset with
   the ipset: prefix. For IPv4, the mask can be a network mask or a plain
   number. For IPv6 the mask is a plain number. The use of host names is
   not supported.
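   As an added example (not code from the man page or from firewalld), the
   Python below validates the argument formats the page defines before they
   are handed to firewall-cmd: port specs (portid[-portid]/protocol),
   --add-forward-port specs, the source forms just described, and the
   interface name rule from the previous section. It does not enforce the
   field order of a forward-port spec (an assumption), and every sample
   value in it is constructed.

```python
# Added example (not code from the firewall-cmd man page or from firewalld):
# parsers for the argument formats the man page defines, so that automation
# can validate a value before passing it to firewall-cmd. They cover
#   portid[-portid]/protocol                         (--add-port and friends)
#   port=..:proto=..[:toport=..][:toaddr=..]        (--add-forward-port)
#   source[/mask] | MAC | ipset:name                 (--add-source and friends)
#   interface names                                  (--add-interface and friends)
# Field order in a forward-port spec is not enforced here (assumption).
# All sample values used in the tests are constructed.
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "sctp", "dccp"}          # the four the man page allows
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
INTERFACE_FORBIDDEN = set(" /!*")                    # per the man page
FORWARD_FIELDS = ("port", "proto", "toport", "toaddr")


def parse_port(spec):
    """'80/tcp' -> (80, 80, 'tcp'); '6000-6010/udp' -> (6000, 6010, 'udp')."""
    ports, sep, proto = spec.partition("/")
    if not sep or proto not in PROTOCOLS:
        raise ValueError("protocol must be one of tcp, udp, sctp, dccp: %r" % spec)
    lo, _, hi = ports.partition("-")
    try:
        lo = int(lo)
        hi = int(hi) if hi else lo
    except ValueError:
        raise ValueError("ports must be numeric: %r" % spec) from None
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port or range: %r" % spec)
    return lo, hi, proto


def parse_forward_port(spec):
    """Parse a --add-forward-port value into a dict.

    Also reports whether the rule implies IP forwarding: the man page says
    forwarding is enabled implicitly when toaddr is given.
    """
    fields = {}
    for item in spec.split(":"):
        key, sep, value = item.partition("=")
        if not sep or key not in FORWARD_FIELDS or key in fields:
            raise ValueError("bad forward-port field: %r" % item)
        fields[key] = value
    if "port" not in fields or "proto" not in fields:
        raise ValueError("port= and proto= are required: %r" % spec)
    lo, hi, proto = parse_port(fields["port"] + "/" + fields["proto"])
    result = {"port": (lo, hi), "proto": proto}
    if "toport" in fields:
        tlo, thi, _ = parse_port(fields["toport"] + "/" + proto)
        result["toport"] = (tlo, thi)
    if "toaddr" in fields:
        # The syntax allows address[/mask]; ip_interface validates both forms.
        ipaddress.ip_interface(fields["toaddr"])
        result["toaddr"] = fields["toaddr"]
    result["needs_ip_forwarding"] = "toaddr" in fields
    return result


def parse_source(spec):
    """Classify a source: ('ipset', name), ('mac', address) or ('net', network)."""
    if spec.startswith("ipset:"):
        name = spec[len("ipset:"):]
        if not name:
            raise ValueError("empty ipset name in %r" % spec)
        return "ipset", name
    if MAC_RE.match(spec):
        return "mac", spec.lower()
    addr, sep, mask = spec.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # Host names are not supported: the value must be an address.
        raise ValueError("not an IP address, MAC or ipset: %r" % spec) from None
    if sep and ip.version == 6 and not mask.isdigit():
        raise ValueError("IPv6 masks must be a plain number: %r" % spec)
    # IPv4 accepts a dotted network mask or a plain number; a bare address
    # becomes a single-host network.
    return "net", str(ipaddress.ip_network(spec, strict=False))


def check_interface(name):
    """Interface names: up to 16 characters, none of ' ', '/', '!' or '*'."""
    if not name or len(name) > 16:
        raise ValueError("interface name must be 1 to 16 characters: %r" % name)
    bad = INTERFACE_FORBIDDEN.intersection(name)
    if bad:
        raise ValueError("forbidden characters %s in %r" % (sorted(bad), name))
    return name


def accepts(parser, value):
    """True if parser accepts value; a pre-flight check for scripts."""
    try:
        parser(value)
    except ValueError:
        return False
    return True
```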
587
588 Options in this section affect only one particular zone. If used with
589 --zone=zone option, they affect the zone zone. If the option is
590 omitted, they affect default zone (see --get-default-zone).
591
592 For a list of predefined zones use firewall-cmd [--permanent]
593 --get-zones.
594
595 [--permanent] [--zone=zone] --list-sources
596 List sources that are bound to zone zone as a space separated list.
597 If zone is omitted, default zone will be used.
598
599 [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
600 Bind the source to zone zone. If zone is omitted, default zone will
601 be used.
602
603 [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
604 Change zone the source is bound to to zone zone. It's basically
605 --remove-source followed by --add-source. If the source has not
606 been bound to a zone before, it behaves like --add-source. If zone
607 is omitted, default zone will be used.
608
609 [--permanent] [--zone=zone]
610 --query-source=source[/mask]|MAC|ipset:ipset
611 Query whether the source is bound to the zone zone. Returns 0 if
612 true, 1 otherwise.
613
614 [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
615 Remove binding of the source from zone it was previously added to.
616
617 IPSet Options
618 --get-ipset-types
619 Print the supported ipset types.
620
621 --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
622 [--option=key[=value]]
623 Add a new permanent and empty ipset with specifying the type and
624 optional the family and options like timeout, hashsize and maxelem.
625 For more information please have a look at ipset(8) man page.
626
627 --permanent --new-ipset-from-file=filename [--name=ipset]
628 Add a new permanent ipset from a prepared ipset file with an
629 optional name override.
630
631 --permanent --delete-ipset=ipset
632 Delete an existing permanent ipset.
633
634 --permanent --load-ipset-defaults=ipset
635 Load ipset default settings or report NO_DEFAULTS error.
636
637 [--permanent] --info-ipset=ipset
638 Print information about the ipset ipset. The output format is:
639
640 ipset
641 type: type
642 options: option1[=value1] ..
643 entries: entry1 ..
644
645
646
647 [--permanent] --get-ipsets
648 Print predefined ipsets as a space separated list.
649
650 --permanent --ipset=ipset --set-description=description
651 Set new description to ipset
652
653 --permanent --ipset=ipset --get-description
654 Print description for ipset
655
656 --permanent --ipset=ipset --set-short=description
657 Set short description to ipset
658
659 --permanent --ipset=ipset --get-short
660 Print short description for ipset
661
662 [--permanent] --ipset=ipset --add-entry=entry
663 Add a new entry to the ipset.
664
665 Adding an entry to an ipset with option timeout is permitted, but
666 these entries are not tracked by firewalld.
667
668 [--permanent] --ipset=ipset --remove-entry=entry
669 Remove an entry from the ipset.
670
671 [--permanent] --ipset=ipset --query-entry=entry
672 Return whether the entry has been added to an ipset. Returns 0 if
673 true, 1 otherwise.
674
675 Querying an ipset with a timeout will yield an error. Entries are
676 not tracked for ipsets with a timeout.
677
678 [--permanent] --ipset=ipset --get-entries
679 List all entries of the ipset.
680
681 [--permanent] --ipset=ipset --add-entries-from-file=filename
682 Add a new entries to the ipset from the file. For all entries that
683 are listed in the file but already in the ipset, a warning will be
684 printed.
685
686 The file should contain an entry per line. Lines starting with an
687 hash or semicolon are ignored. Also empty lines.
688
689 [--permanent] --ipset=ipset --remove-entries-from-file=filename
690 Remove existing entries from the ipset from the file. For all
691 entries that are listed in the file but not in the ipset, a warning
692 will be printed.
693
694 The file should contain an entry per line. Lines starting with an
695 hash or semicolon are ignored. Also empty lines.
696
697 --permanent --path-ipset=ipset
698 Print path of the ipset configuration file.
699
700 Service Options
701 Options in this section affect only one particular service.
702
703 [--permanent] --info-service=service
704 Print information about the service service. The output format is:
705
706 service
707 ports: port1 ..
708 protocols: protocol1 ..
709 source-ports: source-port1 ..
710 modules: module1 ..
711 destination: ipv1:address1 ..
712
713
714
715 The following options are only usable in the permanent configuration.
716
717 --permanent --new-service=service
718 Add a new permanent and empty service.
719
720 --permanent --new-service-from-file=filename [--name=service]
721 Add a new permanent service from a prepared service file with an
722 optional name override.
723
724 --permanent --delete-service=service
725 Delete an existing permanent service.
726
727 --permanent --load-service-defaults=service
728 Load service default settings or report NO_DEFAULTS error.
729
730 --permanent --path-service=service
731 Print path of the service configuration file.
732
733 --permanent --service=service --set-description=description
734 Set new description to service
735
736 --permanent --service=service --get-description
737 Print description for service
738
739 --permanent --service=service --set-short=description
740 Set short description to service
741
742 --permanent --service=service --get-short
743 Print short description for service
744
       --permanent --service=service --add-port=portid[-portid]/protocol
           Add a new port to the permanent service.

       --permanent --service=service --remove-port=portid[-portid]/protocol
           Remove a port from the permanent service.

       --permanent --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.

       --permanent --service=service --get-ports
           List ports added to the permanent service.

       --permanent --service=service --add-protocol=protocol
           Add a new protocol to the permanent service.

       --permanent --service=service --remove-protocol=protocol
           Remove a protocol from the permanent service.

       --permanent --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent
           service.

       --permanent --service=service --get-protocols
           List protocols added to the permanent service.

       --permanent --service=service
       --add-source-port=portid[-portid]/protocol
           Add a new source port to the permanent service.

       --permanent --service=service
       --remove-source-port=portid[-portid]/protocol
           Remove a source port from the permanent service.

       --permanent --service=service
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.

       --permanent --service=service --get-source-ports
           List source ports added to the permanent service.

       --permanent --service=service --add-module=module
           Add a new module to the permanent service.

       --permanent --service=service --remove-module=module
           Remove a module from the permanent service.

       --permanent --service=service --query-module=module
           Return whether the module has been added to the permanent service.

       --permanent --service=service --get-modules
           List modules added to the permanent service.

       --permanent --service=service --set-destination=ipv:address[/mask]
           Set destination for ipv to address[/mask] in the permanent service.

       --permanent --service=service --remove-destination=ipv
           Remove the destination for ipv from the permanent service.

       --permanent --service=service --query-destination=ipv:address[/mask]
           Return whether the destination ipv to address[/mask] has been set
           in the permanent service.

       --permanent --service=service --get-destinations
           List destinations added to the permanent service.

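       As an added example (not part of this manual page or of the firewalld
       project), the POSIX shell functions below check a port argument
       against the portid[-portid]/protocol syntax the service options above
       accept before it reaches firewall-cmd, and then define a permanent
       service from such specs. The --new-service option and the protocol
       names tcp, udp, sctp and dccp come from the wider firewall-cmd manual
       and are assumed here; the service name and ports in the usage comment
       are constructed. The apply step needs a running firewalld and
       sufficient privileges, and is skipped when firewall-cmd is not
       installed so the script stays runnable anywhere.

```shell
#!/bin/sh
# Added example, not firewalld project code.  Validate port specs of the
# form portid[-portid]/protocol locally, then build a permanent service.

# port_spec_valid SPEC
# Returns 0 if SPEC is portid[-portid]/protocol with each port in
# 1..65535, a non-descending range and a protocol firewalld accepts for
# ports (tcp, udp, sctp, dccp; assumed from the wider manual).
port_spec_valid() {
    spec=$1
    case $spec in
        */*) ;;
        *)   return 1 ;;          # the protocol part is mandatory
    esac
    ports=${spec%/*}
    proto=${spec##*/}
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) return 1 ;;
    esac
    case $ports in
        *-*) lo=${ports%-*}; hi=${ports#*-} ;;
        *)   lo=$ports;      hi=$ports ;;
    esac
    for p in "$lo" "$hi"; do
        case $p in
            ''|*[!0-9]*) return 1 ;;   # empty or non-numeric port
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# define_service NAME SPEC...
# Creates permanent service NAME (--new-service is from the wider manual),
# adds each SPEC with the --add-port option documented above, then reloads
# so the permanent definition becomes runtime configuration.  Exit code 2
# signals a bad spec caught before firewall-cmd was invoked.  The step is
# skipped when firewall-cmd is not installed so the script stays runnable.
define_service() {
    name=$1; shift
    for spec in "$@"; do
        port_spec_valid "$spec" || { echo "bad port spec: $spec" >&2; return 2; }
    done
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not installed; nothing applied" >&2
        return 0
    fi
    firewall-cmd --permanent --new-service="$name" || return $?
    for spec in "$@"; do
        firewall-cmd --permanent --service="$name" --add-port="$spec" || return $?
    done
    firewall-cmd --permanent --service="$name" --get-ports   # show the result
    firewall-cmd --reload
}

# Constructed usage: a service "app-api" on 8443/tcp plus a udp range.
# define_service app-api 8443/tcp 9000-9010/udp
```

       Validating locally first means a typo such as a reversed range is
       reported before anything is written to the permanent configuration,
       instead of surfacing as an INVALID_PORT exit code halfway through the
       sequence of commands.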
   Helper Options
       Options in this section affect only one particular helper.

       [--permanent] --info-helper=helper
           Print information about the helper helper. The output format is:

               helper
                 family: family
                 module: module
                 ports: port1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-helper=helper --module=nf_conntrack_module
       [--family=ipv4|ipv6]
           Add a new permanent helper with module and optionally family
           defined.

       --permanent --new-helper-from-file=filename [--name=helper]
           Add a new permanent helper from a prepared helper file with an
           optional name override.

       --permanent --delete-helper=helper
           Delete an existing permanent helper.

       --permanent --load-helper-defaults=helper
           Load helper default settings or report NO_DEFAULTS error.

       --permanent --path-helper=helper
           Print path of the helper configuration file.

       [--permanent] --get-helpers
           Print predefined helpers as a space separated list.

       --permanent --helper=helper --set-description=description
           Set new description to helper

       --permanent --helper=helper --get-description
           Print description for helper

       --permanent --helper=helper --set-short=description
           Set short description to helper

       --permanent --helper=helper --get-short
           Print short description for helper

       --permanent --helper=helper --add-port=portid[-portid]/protocol
           Add a new port to the permanent helper.

       --permanent --helper=helper --remove-port=portid[-portid]/protocol
           Remove a port from the permanent helper.

       --permanent --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.

       --permanent --helper=helper --get-ports
           List ports added to the permanent helper.

       --permanent --helper=helper --set-module=nf_conntrack_module
           Set the module of helper to nf_conntrack_module

       --permanent --helper=helper --get-module
           Print the module of helper

       --permanent --helper=helper --set-family=ipv4|ipv6
           Set the family of helper

       --permanent --helper=helper --get-family
           Print the family of helper

   Internet Control Message Protocol (ICMP) type Options
       Options in this section affect only one particular icmptype.

       [--permanent] --info-icmptype=icmptype
           Print information about the icmptype icmptype. The output format
           is:

               icmptype
                 destination: ipv1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-icmptype=icmptype
           Add a new permanent and empty icmptype.

       --permanent --new-icmptype-from-file=filename [--name=icmptype]
           Add a new permanent icmptype from a prepared icmptype file with an
           optional name override.

       --permanent --delete-icmptype=icmptype
           Delete an existing permanent icmptype.

       --permanent --load-icmptype-defaults=icmptype
           Load icmptype default settings or report NO_DEFAULTS error.

       --permanent --icmptype=icmptype --set-description=description
           Set new description to icmptype

       --permanent --icmptype=icmptype --get-description
           Print description for icmptype

       --permanent --icmptype=icmptype --set-short=description
           Set short description to icmptype

       --permanent --icmptype=icmptype --get-short
           Print short description for icmptype

       --permanent --icmptype=icmptype --add-destination=ipv
           Enable destination for ipv in permanent icmptype. ipv is one of
           ipv4 or ipv6.

       --permanent --icmptype=icmptype --remove-destination=ipv
           Disable destination for ipv in permanent icmptype. ipv is one of
           ipv4 or ipv6.

       --permanent --icmptype=icmptype --query-destination=ipv
           Return whether destination for ipv is enabled in permanent
           icmptype. ipv is one of ipv4 or ipv6.

       --permanent --icmptype=icmptype --get-destinations
           List destinations in permanent icmptype.

       --permanent --path-icmptype=icmptype
           Print path of the icmptype configuration file.

   Direct Options
       The direct options give a more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. table
       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).

       Direct options should be used only as a last resort when it's not
       possible to use for example --add-service=service or
       --add-rich-rule='rule'.

       The first argument of each option has to be ipv4 or ipv6 or eb. With
       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).

       [--permanent] --direct --get-all-chains
           Get all chains added to all tables. This option concerns only
           chains previously added with --direct --add-chain.

       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
           Get all chains added to table table as a space separated list.
           This option concerns only chains previously added with --direct
           --add-chain.

       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
           Add a new chain with name chain to table table. Make sure there's
           no other chain with this name already.

           There already exist basic chains to use with direct options, for
           example the INPUT_direct chain (see iptables-save | grep direct
           output for all of them). These chains are jumped into before the
           chains for zones, i.e. every rule put into INPUT_direct will be
           checked before rules in zones.

       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
           Remove chain with name chain from table table. Only chains
           previously added with --direct --add-chain can be removed this
           way.

       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
           Return whether a chain with name chain exists in table table.
           Returns 0 if true, 1 otherwise. This option concerns only chains
           previously added with --direct --add-chain.

       [--permanent] --direct --get-all-rules
           Get all rules added to all chains in all tables as a newline
           separated list of the priority and arguments. This option concerns
           only rules previously added with --direct --add-rule.

       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
           Get all rules added to chain chain in table table as a newline
           separated list of the priority and arguments. This option concerns
           only rules previously added with --direct --add-rule.

       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Add a rule with the arguments args to chain chain in table table
           with priority priority.

           The priority is used to order rules. Priority 0 means add the rule
           on top of the chain; with a higher priority the rule will be added
           further down. Rules with the same priority are on the same level
           and the order of these rules is not fixed and may change. If you
           want to make sure that a rule will be added after another one, use
           a low priority for the first and a higher one for the following.

       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Remove a rule with priority and the arguments args from chain
           chain in table table. Only rules previously added with --direct
           --add-rule can be removed this way.

       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules from the chain with name chain in table table.
           This option concerns only rules previously added with --direct
           --add-rule in this chain.

       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Return whether a rule with priority and the arguments args exists
           in chain chain in table table. Returns 0 if true, 1 otherwise.
           This option concerns only rules previously added with --direct
           --add-rule.

       --direct --passthrough { ipv4 | ipv6 | eb } args
           Pass a command through to the firewall. args can be all iptables,
           ip6tables and ebtables command line arguments. This command is
           untracked, which means that firewalld is not able to provide
           information about this command later on, nor a listing of the
           untracked passthroughs; a rule inserted this way will therefore
           not show up in any firewall-cmd --get-* output.

       [--permanent] --direct --get-all-passthroughs
           Get all passthrough rules as a newline separated list of the ipv
           value and arguments.

       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
           Get all passthrough rules for the ipv value as a newline separated
           list of the priority and arguments.

       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
           Add a passthrough rule with the arguments args for the ipv value.

       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
           Remove a passthrough rule with the arguments args for the ipv
           value.

       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
           Return whether a passthrough rule with the arguments args exists
           for the ipv value. Returns 0 if true, 1 otherwise.

   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.

       The lockdown access check limits D-Bus methods that are changing
       firewall rules. Query, list and get methods are not limited.

       The lockdown feature is a very light version of user and application
       policies for firewalld and is turned off by default.

       --lockdown-on
           Enable lockdown. Be careful - if firewall-cmd is not on the
           lockdown whitelist when you enable lockdown, you won't be able to
           disable it again with firewall-cmd; you would need to edit
           firewalld.conf.

           This is a runtime and permanent change.

       --lockdown-off
           Disable lockdown.

           This is a runtime and permanent change.

       --query-lockdown
           Query whether lockdown is enabled. Returns 0 if lockdown is
           enabled, 1 otherwise.

   Lockdown Whitelist Options
       The lockdown whitelist can contain commands, contexts, users and user
       ids.

       If a command entry on the whitelist ends with an asterisk '*', then
       all command lines starting with the command will match. If the '*' is
       not there, the absolute command line including its arguments must
       match.

       Commands for user root and for other users are not always the same.
       Example: as root /bin/firewall-cmd is used, as a normal user
       /usr/bin/firewall-cmd is used on Fedora.

       The context is the security (SELinux) context of a running application
       or service. To get the context of a running application use ps -e
       --context.

       Warning: If the context is unconfined, then this will open access for
       more than the desired application.

       The lockdown whitelist entries are checked in the following order:
       1. context
       2. uid
       3. user
       4. command

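       An added example (not part of this manual page or of the firewalld
       project) that models the matching rules just described: a command
       entry with a trailing '*' matches by prefix, any other entry must
       equal the full command line, and the four classes are tried in the
       order context, uid, user, command. The WL_* lists, the SELinux
       context in them and the callers at the end are constructed sample
       data; firewalld performs the real check in the daemon, and this model
       only helps an administrator predict which entry will admit a given
       caller before turning lockdown on.

```shell
#!/bin/sh
# Added example, not firewalld project code: a model of the lockdown
# whitelist check for predicting which entry admits a caller.  The daemon
# does the real enforcement; the WL_* lists below are constructed samples.

# lockdown_command_matches ENTRY CMDLINE
# An entry ending in '*' matches every command line that starts with the
# text before the '*'; any other entry must equal the full command line,
# arguments included.
lockdown_command_matches() {
    entry=$1; cmdline=$2
    case $entry in
        *\*)
            prefix=${entry%\*}
            case $cmdline in
                "$prefix"*) return 0 ;;
                *)          return 1 ;;
            esac ;;
        *)
            [ "$entry" = "$cmdline" ] ;;
    esac
}

# Constructed sample whitelist.  Contexts, uids and users are space
# separated; command entries are '|' separated because they contain spaces.
# The context is a confined daemon context, not an unconfined one (an
# unconfined context would admit far more than the intended program).
WL_CONTEXTS="system_u:system_r:virtd_t:s0"
WL_UIDS="0"
WL_USERS="fwadmin"
WL_COMMANDS="/usr/bin/firewall-cmd --query-*|/usr/bin/firewall-config"

# lockdown_allows CONTEXT UID USER CMDLINE
# Checks the classes in the daemon's order (context, uid, user, command),
# prints the class that matched and returns 0, or returns 1 if none did.
lockdown_allows() {
    ctx=$1; uid=$2; user=$3; cmdline=$4
    for c in $WL_CONTEXTS; do
        [ "$c" = "$ctx" ] && { echo context; return 0; }
    done
    for u in $WL_UIDS; do
        [ "$u" = "$uid" ] && { echo uid; return 0; }
    done
    for n in $WL_USERS; do
        [ "$n" = "$user" ] && { echo user; return 0; }
    done
    # split the command list on '|' without pathname expansion of the '*'
    old_ifs=$IFS
    IFS='|'; set -f; set -- $WL_COMMANDS; set +f; IFS=$old_ifs
    for e in "$@"; do
        lockdown_command_matches "$e" "$cmdline" && { echo command; return 0; }
    done
    return 1
}

# Constructed callers: a confined daemon, root, and an unprivileged user
# running a read-only query versus a change.
lockdown_allows system_u:system_r:virtd_t:s0 0 root /usr/sbin/libvirtd
lockdown_allows unconfined_u:unconfined_r:unconfined_t:s0 0 root /usr/bin/firewall-cmd
lockdown_allows unconfined_u:unconfined_r:unconfined_t:s0 1000 alice \
    "/usr/bin/firewall-cmd --query-panic"
lockdown_allows unconfined_u:unconfined_r:unconfined_t:s0 1000 alice \
    "/usr/bin/firewall-cmd --add-service=http" || echo "denied: $cmdline"
```

       The last two calls show why the '*' form deserves care: an entry
       ending in --query-* admits only read-only queries, whereas an entry
       such as /usr/bin/firewall-cmd * would admit every change that binary
       can make, for any caller that can execute it.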
       [--permanent] --list-lockdown-whitelist-commands
           List all command lines that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-command=command
           Add the command to the whitelist.

       [--permanent] --remove-lockdown-whitelist-command=command
           Remove the command from the whitelist.

       [--permanent] --query-lockdown-whitelist-command=command
           Query whether the command is on the whitelist. Returns 0 if true,
           1 otherwise.

       [--permanent] --list-lockdown-whitelist-contexts
           List all contexts that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-context=context
           Add the context context to the whitelist.

       [--permanent] --remove-lockdown-whitelist-context=context
           Remove the context from the whitelist.

       [--permanent] --query-lockdown-whitelist-context=context
           Query whether the context is on the whitelist. Returns 0 if true,
           1 otherwise.

       [--permanent] --list-lockdown-whitelist-uids
           List all user ids that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-uid=uid
           Add the user id uid to the whitelist.

       [--permanent] --remove-lockdown-whitelist-uid=uid
           Remove the user id uid from the whitelist.

       [--permanent] --query-lockdown-whitelist-uid=uid
           Query whether the user id uid is on the whitelist. Returns 0 if
           true, 1 otherwise.

       [--permanent] --list-lockdown-whitelist-users
           List all user names that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-user=user
           Add the user name user to the whitelist.

       [--permanent] --remove-lockdown-whitelist-user=user
           Remove the user name user from the whitelist.

       [--permanent] --query-lockdown-whitelist-user=user
           Query whether the user name user is on the whitelist. Returns 0 if
           true, 1 otherwise.

   Panic Options
       --panic-on
           Enable panic mode. All incoming and outgoing packets are dropped
           and active connections will expire. Enable this only if there are
           serious problems with your network environment, for example if
           the machine is being broken into.

           This is a runtime only change.

       --panic-off
           Disable panic mode. After disabling panic mode, established
           connections might work again if panic mode was enabled only for a
           short period of time.

           This is a runtime only change.

       --query-panic
           Returns 0 if panic mode is enabled, 1 otherwise.

EXAMPLES
       For more examples see http://fedoraproject.org/wiki/FirewallD

   Example 1
       Enable the http service in the default zone. This is a runtime only
       change, i.e. effective until restart.

           firewall-cmd --add-service=http

   Example 2
       Enable port 443/tcp immediately and permanently in the default zone.
       To make the change effective immediately and also after restart we
       need two commands. The first command makes the change in the runtime
       configuration, i.e. makes it effective immediately, until restart.
       The second command makes the change in the permanent configuration,
       i.e. makes it effective after restart.

           firewall-cmd --add-port=443/tcp
           firewall-cmd --permanent --add-port=443/tcp

EXIT CODES
       On success 0 is returned. On failure the output is colored red and the
       exit code is either 2 in case of wrong command-line option usage or
       one of the following error codes in other cases:

       ┌────────────────────┬──────┐
       │String              │ Code │
       ├────────────────────┼──────┤
       │ALREADY_ENABLED     │ 11   │
       ├────────────────────┼──────┤
       │NOT_ENABLED         │ 12   │
       ├────────────────────┼──────┤
       │COMMAND_FAILED      │ 13   │
       ├────────────────────┼──────┤
       │NO_IPV6_NAT         │ 14   │
       ├────────────────────┼──────┤
       │PANIC_MODE          │ 15   │
       ├────────────────────┼──────┤
       │ZONE_ALREADY_SET    │ 16   │
       ├────────────────────┼──────┤
       │UNKNOWN_INTERFACE   │ 17   │
       ├────────────────────┼──────┤
       │ZONE_CONFLICT       │ 18   │
       ├────────────────────┼──────┤
       │BUILTIN_CHAIN       │ 19   │
       ├────────────────────┼──────┤
       │EBTABLES_NO_REJECT  │ 20   │
       ├────────────────────┼──────┤
       │NOT_OVERLOADABLE    │ 21   │
       ├────────────────────┼──────┤
       │NO_DEFAULTS         │ 22   │
       ├────────────────────┼──────┤
       │BUILTIN_ZONE        │ 23   │
       ├────────────────────┼──────┤
       │BUILTIN_SERVICE     │ 24   │
       ├────────────────────┼──────┤
       │BUILTIN_ICMPTYPE    │ 25   │
       ├────────────────────┼──────┤
       │NAME_CONFLICT       │ 26   │
       ├────────────────────┼──────┤
       │NAME_MISMATCH       │ 27   │
       ├────────────────────┼──────┤
       │PARSE_ERROR         │ 28   │
       ├────────────────────┼──────┤
       │ACCESS_DENIED       │ 29   │
       ├────────────────────┼──────┤
       │UNKNOWN_SOURCE      │ 30   │
       ├────────────────────┼──────┤
       │RT_TO_PERM_FAILED   │ 31   │
       ├────────────────────┼──────┤
       │IPSET_WITH_TIMEOUT  │ 32   │
       ├────────────────────┼──────┤
       │BUILTIN_IPSET       │ 33   │
       ├────────────────────┼──────┤
       │ALREADY_SET         │ 34   │
       ├────────────────────┼──────┤
       │MISSING_IMPORT      │ 35   │
       ├────────────────────┼──────┤
       │DBUS_ERROR          │ 36   │
       ├────────────────────┼──────┤
       │BUILTIN_HELPER      │ 37   │
       ├────────────────────┼──────┤
       │NOT_APPLIED         │ 38   │
       ├────────────────────┼──────┤
       │INVALID_ACTION      │ 100  │
       ├────────────────────┼──────┤
       │INVALID_SERVICE     │ 101  │
       ├────────────────────┼──────┤
       │INVALID_PORT        │ 102  │
       ├────────────────────┼──────┤
       │INVALID_PROTOCOL    │ 103  │
       ├────────────────────┼──────┤
       │INVALID_INTERFACE   │ 104  │
       ├────────────────────┼──────┤
       │INVALID_ADDR        │ 105  │
       ├────────────────────┼──────┤
       │INVALID_FORWARD     │ 106  │
       ├────────────────────┼──────┤
       │INVALID_ICMPTYPE    │ 107  │
       ├────────────────────┼──────┤
       │INVALID_TABLE       │ 108  │
       ├────────────────────┼──────┤
       │INVALID_CHAIN       │ 109  │
       ├────────────────────┼──────┤
       │INVALID_TARGET      │ 110  │
       ├────────────────────┼──────┤
       │INVALID_IPV         │ 111  │
       ├────────────────────┼──────┤
       │INVALID_ZONE        │ 112  │
       ├────────────────────┼──────┤
       │INVALID_PROPERTY    │ 113  │
       ├────────────────────┼──────┤
       │INVALID_VALUE       │ 114  │
       ├────────────────────┼──────┤
       │INVALID_OBJECT      │ 115  │
       ├────────────────────┼──────┤
       │INVALID_NAME        │ 116  │
       ├────────────────────┼──────┤
       │INVALID_FILENAME    │ 117  │
       ├────────────────────┼──────┤
       │INVALID_DIRECTORY   │ 118  │
       ├────────────────────┼──────┤
       │INVALID_TYPE        │ 119  │
       ├────────────────────┼──────┤
       │INVALID_SETTING     │ 120  │
       ├────────────────────┼──────┤
       │INVALID_DESTINATION │ 121  │
       ├────────────────────┼──────┤
       │INVALID_RULE        │ 122  │
       ├────────────────────┼──────┤
       │INVALID_LIMIT       │ 123  │
       ├────────────────────┼──────┤
       │INVALID_FAMILY      │ 124  │
       ├────────────────────┼──────┤
       │INVALID_LOG_LEVEL   │ 125  │
       ├────────────────────┼──────┤
       │INVALID_AUDIT_TYPE  │ 126  │
       ├────────────────────┼──────┤
       │INVALID_MARK        │ 127  │
       ├────────────────────┼──────┤
       │INVALID_CONTEXT     │ 128  │
       ├────────────────────┼──────┤
       │INVALID_COMMAND     │ 129  │
       ├────────────────────┼──────┤
       │INVALID_USER        │ 130  │
       ├────────────────────┼──────┤
       │INVALID_UID         │ 131  │
       ├────────────────────┼──────┤
       │INVALID_MODULE      │ 132  │
       ├────────────────────┼──────┤
       │INVALID_PASSTHROUGH │ 133  │
       ├────────────────────┼──────┤
       │INVALID_MAC         │ 134  │
       ├────────────────────┼──────┤
       │INVALID_IPSET       │ 135  │
       ├────────────────────┼──────┤
       │INVALID_ENTRY       │ 136  │
       ├────────────────────┼──────┤
       │INVALID_OPTION      │ 137  │
       ├────────────────────┼──────┤
       │INVALID_HELPER      │ 138  │
       ├────────────────────┼──────┤
       │MISSING_TABLE       │ 200  │
       ├────────────────────┼──────┤
       │MISSING_CHAIN       │ 201  │
       ├────────────────────┼──────┤
       │MISSING_PORT        │ 202  │
       ├────────────────────┼──────┤
       │MISSING_PROTOCOL    │ 203  │
       ├────────────────────┼──────┤
       │MISSING_ADDR        │ 204  │
       ├────────────────────┼──────┤
       │MISSING_NAME        │ 205  │
       ├────────────────────┼──────┤
       │MISSING_SETTING     │ 206  │
       ├────────────────────┼──────┤
       │MISSING_FAMILY      │ 207  │
       ├────────────────────┼──────┤
       │RUNNING_BUT_FAILED  │ 251  │
       ├────────────────────┼──────┤
       │NOT_RUNNING         │ 252  │
       ├────────────────────┼──────┤
       │NOT_AUTHORIZED      │ 253  │
       ├────────────────────┼──────┤
       │UNKNOWN_ERROR       │ 254  │
       └────────────────────┴──────┘

       Note that return codes of --query-* options are special: successful
       queries return 0, unsuccessful ones return 1, unless an error occurred,
       in which case the table above applies.
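
       An added example (not part of this manual page or of the firewalld
       project) of how a script should consume these exit codes: an
       idempotent runtime-plus-permanent apply in the style of Example 2 that
       counts the "already in that state" codes firewall-cmd itself treats as
       success for sequence options (ALREADY_ENABLED, NOT_ENABLED,
       ZONE_ALREADY_SET) as done, and a query wrapper that separates the 0/1
       answer of a --query-* option from a real error. The function names
       are mine, the code-to-name mapping covers only the codes a script
       usually branches on, and the usage line is constructed.

```shell
#!/bin/sh
# Added example, not firewalld project code: exit-code handling for scripts
# that drive firewall-cmd (configuration management, deploy hooks).

# fwc_code_name CODE -> symbolic name for the codes a script usually
# branches on; OTHER for the rest of the table.
fwc_code_name() {
    case $1 in
        0)   echo OK ;;
        1)   echo QUERY_FALSE ;;      # only for --query-* options
        2)   echo USAGE_ERROR ;;      # wrong command-line option usage
        11)  echo ALREADY_ENABLED ;;
        12)  echo NOT_ENABLED ;;
        13)  echo COMMAND_FAILED ;;
        16)  echo ZONE_ALREADY_SET ;;
        29)  echo ACCESS_DENIED ;;
        34)  echo ALREADY_SET ;;
        251) echo RUNNING_BUT_FAILED ;;
        252) echo NOT_RUNNING ;;
        253) echo NOT_AUTHORIZED ;;
        254) echo UNKNOWN_ERROR ;;
        *)   echo OTHER ;;
    esac
}

# fwc_change_ok CODE -> 0 when a change should count as done for an
# idempotent script: success, or the "already in that state" codes that
# firewall-cmd itself treats as success for sequence options.
fwc_change_ok() {
    case $1 in
        0|11|12|16) return 0 ;;
        *)          return 1 ;;
    esac
}

# fwc_run ARGS... -> runs firewall-cmd and stores its status in rc, in a
# form that does not abort a script running under set -e.
fwc_run() {
    if firewall-cmd "$@"; then rc=0; else rc=$?; fi
}

# fwc_apply ARGS... : the two-command pattern of Example 2, runtime first,
# then permanent, stopping at the first real failure and returning its code.
# Skipped when firewall-cmd is not installed so the script stays runnable.
fwc_apply() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not installed; nothing applied" >&2
        return 0
    fi
    fwc_run "$@"
    fwc_change_ok "$rc" || { echo "runtime change failed: $(fwc_code_name "$rc") ($rc)" >&2; return "$rc"; }
    fwc_run --permanent "$@"
    fwc_change_ok "$rc" || { echo "permanent change failed: $(fwc_code_name "$rc") ($rc)" >&2; return "$rc"; }
}

# fwc_query ARGS... : for --query-* options, prints yes/no for 0/1 and
# returns the error code unchanged when the query itself failed.
fwc_query() {
    fwc_run "$@"
    case $rc in
        0) echo yes ;;
        1) echo no ;;
        *) echo "query failed: $(fwc_code_name "$rc") ($rc)" >&2; return "$rc" ;;
    esac
}

# Constructed usage (effective only where firewall-cmd and the daemon run):
# fwc_apply --add-port=443/tcp && fwc_query --query-port=443/tcp
```

       Treating ALREADY_ENABLED as a failure is the most common mistake in
       such scripts: a re-run then aborts after the runtime command and never
       reaches the permanent one, leaving the two configurations out of step.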

SEE ALSO
       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.ipset(5), firewalld.helper(5)

NOTES
       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS
       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

firewalld 0.6.4                                              FIREWALL-CMD(1)