1FIREWALL-CMD(1) firewall-cmd FIREWALL-CMD(1)
2
6 firewall-cmd - firewalld command line client
7
9 firewall-cmd [OPTIONS...]
10
12 firewall-cmd is the command line client of the firewalld daemon. It
13 provides interface to manage runtime and permanent configuration.
14 The runtime configuration in firewalld is separated from the permanent
16 configuration. This means that things can get changed in the runtime or
17 permanent configuration.
18
20 For sequence options, this are the options that can be specified
21 multiple times, the exit code is 0 if there is at least one item that
22 succeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and also
23 ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are
24 issues while parsing the items, then these are treated as warnings and
25 will not change the result as long as there is a succeeded one. Without
26 any succeeded item, the exit code will depend on the error codes. If
27 there is exactly one error code, then this is used. If there are more
28 than one then UNKNOWN_ERROR (254) will be used.
29 The following options are supported:
31 General Options
33 -h, --help
34 Prints a short help text and exits.
35 -V, --version
37 Print the version string of firewalld. This option is not
38 combinable with other options.
39 -q, --quiet
41 Do not print status messages.
42 Status Options
44 --state
45 Check whether the firewalld daemon is active (i.e. running).
46 Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if
47 failure occurred on startup, NOT_RUNNING otherwise. See the section
48 called “EXIT CODES”. This will also print the state to STDOUT.
49 --reload
51 Reload firewall rules and keep state information. Current permanent
52 configuration will become new runtime configuration, i.e. all
53 runtime only changes done until reload are lost with reload if they
54 have not been also in permanent configuration.
55 Note: Runtime changes applied via the direct interface are not
57 affected and will therefore stay in place until firewalld daemon is
58 restarted completely.
59 --complete-reload
61 Reload firewall completely, even netfilter kernel modules. This
62 will most likely terminate active connections, because state
63 information is lost. This option should only be used in case of
64 severe firewall problems. For example if there are state
65 information problems that no connection can be established with
66 correct firewall rules.
67 Note: Runtime changes applied via the direct interface are not
69 affected and will therefore stay in place until firewalld daemon is
70 restarted completely.
71 --runtime-to-permanent
73 Save active runtime configuration and overwrite permanent
74 configuration with it. The way this is supposed to work is that
75 when configuring firewalld you do runtime changes only and once
76 you're happy with the configuration and you tested that it works
77 the way you want, you save the configuration to disk.
78 --check-config
80 Run checks on the permanent configuration. This includes XML
81 validity and semantics.
82 Log Denied Options
84 --get-log-denied
85 Print the log denied setting.
86 --set-log-denied=value
88 Add logging rules right before reject and drop rules in the INPUT,
89 FORWARD and OUTPUT chains for the default rules and also final
90 reject and drop rules in zones for the configured link-layer packet
91 type. The possible values are: all, unicast, broadcast, multicast
92 and off. The default setting is off, which disables the logging.
93 This is a runtime and permanent change and will also reload the
95 firewall to be able to add the logging rules.
96 Automatic Helpers Options
98 --get-automatic-helpers
99 Print the automatic helpers setting.
100 --set-automatic-helpers=value
102 For the secure use of iptables and connection tracking helpers it
103 is recommended to turn AutomaticHelpers off. But this might have
104 side effects on other services using the netfilter helpers as the
105 sysctl setting in /proc/sys/net/netfilter/nf_conntrack_helper will
106 be changed. With the system setting, the default value set in the
107 kernel or with sysctl will be used. Possible values are: yes, no
108 and system. The default value is system.
109 This is a runtime and permanent change and will also reload the
111 firewall to be able to make the helpers usable.
112 Permanent Options
114 --permanent
115 The permanent option --permanent can be used to set options
116 permanently. These changes are not effective immediately, only
117 after service restart/reload or system reboot. Without the
118 --permanent option, a change will only be part of the runtime
119 configuration.
120 If you want to make a change in runtime and permanent
122 configuration, use the same call with and without the --permanent
123 option.
124 The --permanent option can be optionally added to all options
126 further down where it is supported.
127 Zone Options
129 --get-default-zone
130 Print default zone for connections and interfaces.
131 --set-default-zone=zone
133 Set default zone for connections and interfaces where no zone has
134 been selected. Setting the default zone changes the zone for the
135 connections or interfaces, that are using the default zone.
136 This is a runtime and permanent change.
138 --get-active-zones
140 Print currently active zones altogether with interfaces and sources
141 used in these zones. Active zones are zones, that have a binding to
142 an interface or source. The output format is:
143 zone1
145 interfaces: interface1 interface2 ..
146 sources: source1 ..
147 zone2
148 interfaces: interface3 ..
149 zone3
150 sources: source2 ..
151 If there are no interfaces or sources bound to the zone, the
154 corresponding line will be omitted.
155 [--permanent] --get-zones
157 Print predefined zones as a space separated list.
158 [--permanent] --get-services
160 Print predefined services as a space separated list.
161 [--permanent] --get-icmptypes
163 Print predefined icmptypes as a space separated list.
164 [--permanent] --get-zone-of-interface=interface
166 Print the name of the zone the interface is bound to or no zone.
167 [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
169 Print the name of the zone the source is bound to or no zone.
170 [--permanent] --info-zone=zone
172 Print information about the zone zone. The output format is:
173 zone
175 interfaces: interface1 ..
176 sources: source1 ..
177 services: service1 ..
178 ports: port1 ..
179 protocols: protocol1 ..
180 forward-ports:
181 forward-port1
182 ..
183 source-ports: source-port1 ..
184 icmp-blocks: icmp-type1 ..
185 rich rules:
186 rich-rule1
187 ..
188 [--permanent] --list-all-zones
192 List everything added for or enabled in all zones. The output
193 format is:
194 zone1
196 interfaces: interface1 ..
197 sources: source1 ..
198 services: service1 ..
199 ports: port1 ..
200 protocols: protocol1 ..
201 forward-ports:
202 forward-port1
203 ..
204 icmp-blocks: icmp-type1 ..
205 rich rules:
206 rich-rule1
207 ..
208 ..
209 --permanent --new-zone=zone
213 Add a new permanent and empty zone.
214 --permanent --new-zone-from-file=filename [--name=zone]
216 Add a new permanent zone from a prepared zone file with an optional
217 name override.
218 --permanent --delete-zone=zone
220 Delete an existing permanent zone.
221 --permanent --load-zone-defaults=zone
223 Load zone default settings or report NO_DEFAULTS error.
224 --permanent --path-zone=zone
226 Print path of the zone configuration file.
227 --permanent --zone=zone --set-description=description
229 Set new description to zone
230 --permanent --zone=zone --get-description
232 Print description for zone
233 --permanent --zone=zone --set-short=description
235 Set short description to zone
236 --permanent --zone=zone --get-short
238 Print short description for zone
239 --permanent [--zone=zone] --get-target
241 Get the target of a permanent zone.
242 --permanent [--zone=zone] --set-target=target
244 Set the target of a permanent zone. target is one of: default,
245 ACCEPT, DROP, REJECT
246 Options to Adapt and Query Zones
248 Options in this section affect only one particular zone. If used with
249 --zone=zone option, they affect the zone zone. If the option is
250 omitted, they affect default zone (see --get-default-zone).
251 [--permanent] [--zone=zone] --list-all
253 List everything added for or enabled in zone. If zone is omitted,
254 default zone will be used.
255 [--permanent] [--zone=zone] --list-services
257 List services added for zone as a space separated list. If zone is
258 omitted, default zone will be used.
259 [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
261 Add a service for zone. If zone is omitted, default zone will be
262 used. This option can be specified multiple times. If a timeout is
263 supplied, the rule will be active for the specified amount of time
264 and will be removed automatically afterwards. timeval is either a
265 number (of seconds) or number followed by one of characters s
266 (seconds), m (minutes), h (hours), for example 20m or 1h.
267 The service is one of the firewalld provided services. To get a
269 list of the supported services, use firewall-cmd --get-services.
270 The --timeout option is not combinable with the --permanent option.
272 [--permanent] [--zone=zone] --remove-service=service
274 Remove a service from zone. This option can be specified multiple
275 times. If zone is omitted, default zone will be used.
276 [--permanent] [--zone=zone] --query-service=service
278 Return whether service has been added for zone. If zone is omitted,
279 default zone will be used. Returns 0 if true, 1 otherwise.
280 [--permanent] [--zone=zone] --list-ports
282 List ports added for zone as a space separated list. A port is of
283 the form portid[-portid]/protocol, it can be either a port and
284 protocol pair or a port range with a protocol. If zone is omitted,
285 default zone will be used.
286 [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
288 [--timeout=timeval]
289 Add the port for zone. If zone is omitted, default zone will be
290 used. This option can be specified multiple times. If a timeout is
291 supplied, the rule will be active for the specified amount of time
292 and will be removed automatically afterwards. timeval is either a
293 number (of seconds) or number followed by one of characters s
294 (seconds), m (minutes), h (hours), for example 20m or 1h.
295 The port can either be a single port number or a port range
297 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
298 The --timeout option is not combinable with the --permanent option.
300 [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
302 Remove the port from zone. If zone is omitted, default zone will be
303 used. This option can be specified multiple times.
304 [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
306 Return whether the port has been added for zone. If zone is
307 omitted, default zone will be used. Returns 0 if true, 1 otherwise.
308 [--permanent] [--zone=zone] --list-protocols
310 List protocols added for zone as a space separated list. If zone is
311 omitted, default zone will be used.
312 [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
314 Add the protocol for zone. If zone is omitted, default zone will be
315 used. This option can be specified multiple times. If a timeout is
316 supplied, the rule will be active for the specified amount of time
317 and will be removed automatically afterwards. timeval is either a
318 number (of seconds) or number followed by one of characters s
319 (seconds), m (minutes), h (hours), for example 20m or 1h.
320 The protocol can be any protocol supported by the system. Please
322 have a look at /etc/protocols for supported protocols.
323 The --timeout option is not combinable with the --permanent option.
325 [--permanent] [--zone=zone] --remove-protocol=protocol
327 Remove the protocol from zone. If zone is omitted, default zone
328 will be used. This option can be specified multiple times.
329 [--permanent] [--zone=zone] --query-protocol=protocol
331 Return whether the protocol has been added for zone. If zone is
332 omitted, default zone will be used. Returns 0 if true, 1 otherwise.
333 [--permanent] [--zone=zone] --list-source-ports
335 List source ports added for zone as a space separated list. A port
336 is of the form portid[-portid]/protocol. If zone is omitted,
337 default zone will be used.
338 [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
340 [--timeout=timeval]
341 Add the source port for zone. If zone is omitted, default zone will
342 be used. This option can be specified multiple times. If a timeout
343 is supplied, the rule will be active for the specified amount of
344 time and will be removed automatically afterwards. timeval is
345 either a number (of seconds) or number followed by one of
346 characters s (seconds), m (minutes), h (hours), for example 20m or
347 1h.
348 The port can either be a single port number or a port range
350 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
351 The --timeout option is not combinable with the --permanent option.
353 [--permanent] [--zone=zone]
355 --remove-source-port=portid[-portid]/protocol
356 Remove the source port from zone. If zone is omitted, default zone
357 will be used. This option can be specified multiple times.
358 [--permanent] [--zone=zone]
360 --query-source-port=portid[-portid]/protocol
361 Return whether the source port has been added for zone. If zone is
362 omitted, default zone will be used. Returns 0 if true, 1 otherwise.
363 [--permanent] [--zone=zone] --list-icmp-blocks
365 List Internet Control Message Protocol (ICMP) type blocks added for
366 zone as a space separated list. If zone is omitted, default zone
367 will be used.
368 [--permanent] [--zone=zone] --add-icmp-block=icmptype
370 [--timeout=timeval]
371 Add an ICMP block for icmptype for zone. If zone is omitted,
372 default zone will be used. This option can be specified multiple
373 times. If a timeout is supplied, the rule will be active for the
374 specified amount of time and will be removed automatically
375 afterwards. timeval is either a number (of seconds) or number
376 followed by one of characters s (seconds), m (minutes), h (hours),
377 for example 20m or 1h.
378 The icmptype is the one of the icmp types firewalld supports. To
380 get a listing of supported icmp types: firewall-cmd --get-icmptypes
381 The --timeout option is not combinable with the --permanent option.
383 [--permanent] [--zone=zone] --remove-icmp-block=icmptype
385 Remove the ICMP block for icmptype from zone. If zone is omitted,
386 default zone will be used. This option can be specified multiple
387 times.
388 [--permanent] [--zone=zone] --query-icmp-block=icmptype
390 Return whether an ICMP block for icmptype has been added for zone.
391 If zone is omitted, default zone will be used. Returns 0 if true, 1
392 otherwise.
393 [--permanent] [--zone=zone] --list-forward-ports
395 List IPv4 forward ports added for zone as a space separated list.
396 If zone is omitted, default zone will be used.
397 For IPv6 forward ports, please use the rich language.
399 [--permanent] [--zone=zone]
401 --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
402 [--timeout=timeval]
403 Add the IPv4 forward port for zone. If zone is omitted, default
404 zone will be used. This option can be specified multiple times. If
405 a timeout is supplied, the rule will be active for the specified
406 amount of time and will be removed automatically afterwards.
407 timeval is either a number (of seconds) or number followed by one
408 of characters s (seconds), m (minutes), h (hours), for example 20m
409 or 1h.
410 The port can either be a single port number portid or a port range
412 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
413 The destination address is a simple IP address.
414 The --timeout option is not combinable with the --permanent option.
416 For IPv6 forward ports, please use the rich language.
418 Note: IP forwarding will be implicitly enabled if toaddr is
420 specified.
421 [--permanent] [--zone=zone]
423 --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
424 Remove the IPv4 forward port from zone. If zone is omitted, default
425 zone will be used. This option can be specified multiple times.
426 For IPv6 forward ports, please use the rich language.
428 [--permanent] [--zone=zone]
430 --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
431 Return whether the IPv4 forward port has been added for zone. If
432 zone is omitted, default zone will be used. Returns 0 if true, 1
433 otherwise.
434 For IPv6 forward ports, please use the rich language.
436 [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
438 Enable IPv4 masquerade for zone. If zone is omitted, default zone
439 will be used. If a timeout is supplied, masquerading will be active
440 for the specified amount of time. timeval is either a number (of
441 seconds) or number followed by one of characters s (seconds), m
442 (minutes), h (hours), for example 20m or 1h. Masquerading is useful
443 if the machine is a router and machines connected over an interface
444 in another zone should be able to use the first connection.
445 The --timeout option is not combinable with the --permanent option.
447 For IPv6 masquerading, please use the rich language.
449 Note: IP forwarding will be implicitly enabled.
451 [--permanent] [--zone=zone] --remove-masquerade
453 Disable IPv4 masquerade for zone. If zone is omitted, default zone
454 will be used. If the masquerading was enabled with a timeout, it
455 will be disabled also.
456 For IPv6 masquerading, please use the rich language.
458 [--permanent] [--zone=zone] --query-masquerade
460 Return whether IPv4 masquerading has been enabled for zone. If zone
461 is omitted, default zone will be used. Returns 0 if true, 1
462 otherwise.
463 For IPv6 masquerading, please use the rich language.
465 [--permanent] [--zone=zone] --list-rich-rules
467 List rich language rules added for zone as a newline separated
468 list. If zone is omitted, default zone will be used.
469 [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
471 Add rich language rule 'rule' for zone. This option can be
472 specified multiple times. If zone is omitted, default zone will be
473 used. If a timeout is supplied, the rule will be active for the
474 specified amount of time and will be removed automatically
475 afterwards. timeval is either a number (of seconds) or number
476 followed by one of characters s (seconds), m (minutes), h (hours),
477 for example 20m or 1h.
478 For the rich language rule syntax, please have a look at
480 firewalld.richlanguage(5).
481 The --timeout option is not combinable with the --permanent option.
483 [--permanent] [--zone=zone] --remove-rich-rule='rule'
485 Remove rich language rule 'rule' from zone. This option can be
486 specified multiple times. If zone is omitted, default zone will be
487 used.
488 For the rich language rule syntax, please have a look at
490 firewalld.richlanguage(5).
491 [--permanent] [--zone=zone] --query-rich-rule='rule'
493 Return whether a rich language rule 'rule' has been added for zone.
494 If zone is omitted, default zone will be used. Returns 0 if true, 1
495 otherwise.
496 For the rich language rule syntax, please have a look at
498 firewalld.richlanguage(5).
499 Options to Handle Bindings of Interfaces
501 Binding an interface to a zone means that this zone settings are used
502 to restrict traffic via the interface.
503 Options in this section affect only one particular zone. If used with
505 --zone=zone option, they affect the zone zone. If the option is
506 omitted, they affect default zone (see --get-default-zone).
507 For a list of predefined zones use firewall-cmd --get-zones.
509 An interface name is a string up to 16 characters long, that may not
511 contain ' ', '/', '!' and '*'.
512 [--permanent] [--zone=zone] --list-interfaces
514 List interfaces that are bound to zone zone as a space separated
515 list. If zone is omitted, default zone will be used.
516 [--permanent] [--zone=zone] --add-interface=interface
518 Bind interface interface to zone zone. If zone is omitted, default
519 zone will be used.
520 If the interface is under control of NetworkManager, it is at first
522 connected to change the zone for the connection that is using the
523 interface. If this fails, the zone binding is created in firewalld
524 and the limitations below apply. For interfaces that are not under
525 control of NetworkManager, firewalld tries to change the ZONE
526 setting in the ifcfg file, if the file exists.
527 As a end user you don't need this in most cases, because
529 NetworkManager (or legacy network service) adds interfaces into
530 zones automatically (according to ZONE= option from ifcfg-interface
531 file) if NM_CONTROLLED=no is not set. You should do it only if
532 there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
533 there is such file and you add interface to zone with this
534 --add-interface option, make sure the zone is the same in both
535 cases, otherwise the behaviour would be undefined. Please also have
536 a look at the firewalld(1) man page in the Concepts section. For
537 permanent association of interface with a zone, see also 'How to
538 set or change a zone for a connection?' in firewalld.zones(5).
539 [--zone=zone] --change-interface=interface
541 If the interface is under control of NetworkManager, it is at first
542 connected to change the zone for the connection that is using the
543 interface. If this fails, the zone binding is created in firewalld
544 and the limitations below apply. For interfaces that are not under
545 control of NetworkManager, firewalld tries to change the ZONE
546 setting in the ifcfg file, if the file exists.
547 Change zone the interface interface is bound to to zone zone. It's
549 basically --remove-interface followed by --add-interface. If the
550 interface has not been bound to a zone before, it behaves like
551 --add-interface. If zone is omitted, default zone will be used.
552 [--permanent] [--zone=zone] --query-interface=interface
554 Query whether interface interface is bound to zone zone. Returns 0
555 if true, 1 otherwise.
556 [--permanent] --remove-interface=interface
558 If the interface is under control of NetworkManager, it is at first
559 connected to change the zone for the connection that is using the
560 interface. If this fails, the zone binding is created in firewalld
561 and the limitations below apply.
562 For the addion or change of interfaces that are not under control
564 of NetworkManager: firewalld tries to change the ZONE setting in
565 the ifcfg file, if an ifcfg file exists that is using the
566 interface.
567 Only for the removal of interfaces that are not under control of
569 NetworkManager: firewalld is not trying to change the ZONE setting
570 in the ifcfg file. This is needed to make sure that an ifdown of
571 the interface will not result in a reset of the zone setting to the
572 default zone. Only the zone binding is then removed in firewalld
573 then.
574 Remove binding of interface interface from zone it was previously
576 added to.
577 Options to Handle Bindings of Sources
579 Binding a source to a zone means that this zone settings will be used
580 to restrict traffic from this source.
581 A source address or address range is either an IP address or a network
583 IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
584 with the ipset: prefix. For IPv4, the mask can be a network mask or a
585 plain number. For IPv6 the mask is a plain number. The use of host
586 names is not supported.
587 Options in this section affect only one particular zone. If used with
589 --zone=zone option, they affect the zone zone. If the option is
590 omitted, they affect default zone (see --get-default-zone).
591 For a list of predefined zones use firewall-cmd [--permanent]
593 --get-zones.
594 [--permanent] [--zone=zone] --list-sources
596 List sources that are bound to zone zone as a space separated list.
597 If zone is omitted, default zone will be used.
598 [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
600 Bind the source to zone zone. If zone is omitted, default zone will
601 be used.
602 [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
604 Change zone the source is bound to to zone zone. It's basically
605 --remove-source followed by --add-source. If the source has not
606 been bound to a zone before, it behaves like --add-source. If zone
607 is omitted, default zone will be used.
608 [--permanent] [--zone=zone]
610 --query-source=source[/mask]|MAC|ipset:ipset
611 Query whether the source is bound to the zone zone. Returns 0 if
612 true, 1 otherwise.
613 [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
615 Remove binding of the source from zone it was previously added to.
616 IPSet Options
618 --get-ipset-types
619 Print the supported ipset types.
620 --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
622 [--option=key[=value]]
623 Add a new permanent and empty ipset with specifying the type and
624 optional the family and options like timeout, hashsize and maxelem.
625 For more information please have a look at ipset(8) man page.
626 --permanent --new-ipset-from-file=filename [--name=ipset]
628 Add a new permanent ipset from a prepared ipset file with an
629 optional name override.
630 --permanent --delete-ipset=ipset
632 Delete an existing permanent ipset.
633 --permanent --load-ipset-defaults=ipset
635 Load ipset default settings or report NO_DEFAULTS error.
636 [--permanent] --info-ipset=ipset
638 Print information about the ipset ipset. The output format is:
639 ipset
641 type: type
642 options: option1[=value1] ..
643 entries: entry1 ..
644 [--permanent] --get-ipsets
648 Print predefined ipsets as a space separated list.
649 --permanent --ipset=ipset --set-description=description
651 Set new description to ipset
652 --permanent --ipset=ipset --get-description
654 Print description for ipset
655 --permanent --ipset=ipset --set-short=description
657 Set short description to ipset
658 --permanent --ipset=ipset --get-short
660 Print short description for ipset
661 [--permanent] --ipset=ipset --add-entry=entry
663 Add a new entry to the ipset.
664 Adding an entry to an ipset with option timeout is permitted, but
666 these entries are not tracked by firewalld.
667 [--permanent] --ipset=ipset --remove-entry=entry
669 Remove an entry from the ipset.
670 [--permanent] --ipset=ipset --query-entry=entry
672 Return whether the entry has been added to an ipset. Returns 0 if
673 true, 1 otherwise.
674 Querying an ipset with a timeout will yield an error. Entries are
676 not tracked for ipsets with a timeout.
677 [--permanent] --ipset=ipset --get-entries
679 List all entries of the ipset.
680 [--permanent] --ipset=ipset --add-entries-from-file=filename
682 Add a new entries to the ipset from the file. For all entries that
683 are listed in the file but already in the ipset, a warning will be
684 printed.
685 The file should contain an entry per line. Lines starting with an
687 hash or semicolon are ignored. Also empty lines.
688 [--permanent] --ipset=ipset --remove-entries-from-file=filename
690 Remove existing entries from the ipset from the file. For all
691 entries that are listed in the file but not in the ipset, a warning
692 will be printed.
693 The file should contain an entry per line. Lines starting with an
695 hash or semicolon are ignored. Also empty lines.
696 --permanent --path-ipset=ipset
698 Print path of the ipset configuration file.
699 Service Options
701 Options in this section affect only one particular service.
702 [--permanent] --info-service=service
704 Print information about the service service. The output format is:
705 service
707 ports: port1 ..
708 protocols: protocol1 ..
709 source-ports: source-port1 ..
710 modules: module1 ..
711 destination: ipv1:address1 ..
712 The following options are only usable in the permanent configuration.
716 --permanent --new-service=service
718 Add a new permanent and empty service.
719 --permanent --new-service-from-file=filename [--name=service]
721 Add a new permanent service from a prepared service file with an
722 optional name override.
723 --permanent --delete-service=service
725 Delete an existing permanent service.
726 --permanent --load-service-defaults=service
728 Load service default settings or report NO_DEFAULTS error.
729 --permanent --path-service=service
731 Print path of the service configuration file.
732 --permanent --service=service --set-description=description
734 Set new description to service
735 --permanent --service=service --get-description
737 Print description for service
738 --permanent --service=service --set-short=description
740 Set short description to service
741 --permanent --service=service --get-short
743 Print short description for service
744 --permanent --service=service --add-port=portid[-portid]/protocol
746 Add a new port to the permanent service.
747 --permanent --service=service --remove-port=portid[-portid]/protocol
749 Remove a port from the permanent service.
750 --permanent --service=service --query-port=portid[-portid]/protocol
752 Return wether the port has been added to the permanent service.
753 --permanent --service=service --get-ports
755 List ports added to the permanent service.
756 --permanent --service=service --add-protocol=protocol
758 Add a new protocol to the permanent service.
759 --permanent --service=service --remove-protocol=protocol
761 Remove a protocol from the permanent service.
762 --permanent --service=service --query-protocol=protocol
764 Return wether the protocol has been added to the permanent service.
765 --permanent --service=service --get-protocols
767 List protocols added to the permanent service.
768 --permanent --service=service
770 --add-source-port=portid[-portid]/protocol
771 Add a new source port to the permanent service.
772 --permanent --service=service
774 --remove-source-port=portid[-portid]/protocol
775 Remove a source port from the permanent service.
776 --permanent --service=service
778 --query-source-port=portid[-portid]/protocol
779 Return wether the source port has been added to the permanent
780 service.
781 --permanent --service=service --get-source-ports
783 List source ports added to the permanent service.
784 --permanent --service=service --add-module=module
786 Add a new module to the permanent service.
787 --permanent --service=service --remove-module=module
789 Remove a module from the permanent service.
790 --permanent --service=service --query-module=module
792 Return wether the module has been added to the permanent service.
793 --permanent --service=service --get-modules
795 List modules added to the permanent service.
796 --permanent --service=service --set-destination=ipv:address[/mask]
798 Set destination for ipv to address[/mask] in the permanent service.
799 --permanent --service=service --remove-destination=ipv
801 Remove the destination for ipv from the permanent service.
802 --permanent --service=service --query-destination=ipv:address[/mask]
804 Return wether the destination ipv to address[/mask] has been set in
805 the permanent service.
806 --permanent --service=service --get-destinations
808 List destinations added to the permanent service.
809 Helper Options
811 Options in this section affect only one particular helper.
812 [--permanent] --info-helper=helper
814 Print information about the helper helper. The output format is:
815 helper
817 family: family
818 module: module
819 ports: port1 ..
820 The following options are only usable in the permanent configuration.
824 --permanent --new-helper=helper --module=nf_conntrack_module
826 [--family=ipv4|ipv6]
827 Add a new permanent helper with module and optionally family
828 defined.
829 --permanent --new-helper-from-file=filename [--name=helper]
831 Add a new permanent helper from a prepared helper file with an
832 optional name override.
833 --permanent --delete-helper=helper
835 Delete an existing permanent helper.
836 --permanent --load-helper-defaults=helper
838 Load helper default settings or report NO_DEFAULTS error.
839 --permanent --path-helper=helper
841 Print path of the helper configuration file.
842 [--permanent] --get-helpers
844 Print predefined helpers as a space separated list.
845 --permanent --helper=helper --set-description=description
847 Set new description to helper
848 --permanent --helper=helper --get-description
850 Print description for helper
851 --permanent --helper=helper --set-short=description
853 Set short description to helper
854 --permanent --helper=helper --get-short
856 Print short description for helper
857 --permanent --helper=helper --add-port=portid[-portid]/protocol
859 Add a new port to the permanent helper.
860 --permanent --helper=helper --remove-port=portid[-portid]/protocol
862 Remove a port from the permanent helper.
863 --permanent --helper=helper --query-port=portid[-portid]/protocol
865 Return wether the port has been added to the permanent helper.
866 --permanent --helper=helper --get-ports
868 List ports added to the permanent helper.
869 --permanent --helper=helper --set-module=description
871 Set module description for helper
872 --permanent --helper=helper --get-module
874 Print module description for helper
875 --permanent --helper=helper --set-family=description
877 Set family description for helper
878 --permanent --helper=helper --get-family
880 Print family description of helper
881 Internet Control Message Protocol (ICMP) type Options
883 Options in this section affect only one particular icmptype.
884 [--permanent] --info-icmptype=icmptype
886 Print information about the icmptype icmptype. The output format
887 is:
888 icmptype
890 destination: ipv1 ..
891 The following options are only usable in the permanent configuration.
895 --permanent --new-icmptype=icmptype
897 Add a new permanent and empty icmptype.
898 --permanent --new-icmptype-from-file=filename [--name=icmptype]
900 Add a new permanent icmptype from a prepared icmptype file with an
901 optional name override.
902 --permanent --delete-icmptype=icmptype
904 Delete an existing permanent icmptype.
905 --permanent --load-icmptype-defaults=icmptype
907 Load icmptype default settings or report NO_DEFAULTS error.
908 --permanent --icmptype=icmptype --set-description=description
910 Set new description to icmptype
911 --permanent --icmptype=icmptype --get-description
913 Print description for icmptype
914 --permanent --icmptype=icmptype --set-short=description
916 Set short description to icmptype
917 --permanent --icmptype=icmptype --get-short
919 Print short description for icmptype
920 --permanent --icmptype=icmptype --add-destination=ipv
922 Enable destination for ipv in permanent icmptype. ipv is one of
923 ipv4 or ipv6.
924 --permanent --icmptype=icmptype --remove-destination=ipv
926 Disable destination for ipv in permanent icmptype. ipv is one of
927 ipv4 or ipv6.
928 --permanent --icmptype=icmptype --query-destination=ipv
930 Return whether destination for ipv is enabled in permanent
931 icmptype. ipv is one of ipv4 or ipv6.
932 --permanent --icmptype=icmptype --get-destinations
934 List destinations in permanent icmptype.
935 --permanent --path-icmptype=icmptype
937 Print path of the icmptype configuration file.
938 Direct Options
940 The direct options give a more direct access to the firewall. These
941 options require user to know basic iptables concepts, i.e. table
942 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
943 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
944 (ACCEPT/DROP/REJECT/...).
945 Direct options should be used only as a last resort when it's not
947 possible to use for example --add-service=service or
948 --add-rich-rule='rule'.
949 The first argument of each option has to be ipv4 or ipv6 or eb. With
951 ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
952 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
953 [--permanent] --direct --get-all-chains
955 Get all chains added to all tables. This option concerns only
956 chains previously added with --direct --add-chain.
957 [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
959 Get all chains added to table table as a space separated list. This
960 option concerns only chains previously added with --direct
961 --add-chain.
962 [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
964 Add a new chain with name chain to table table. Make sure there's
965 no other chain with this name already.
966 There already exist basic chains to use with direct options, for
968 example INPUT_direct chain (see iptables-save | grep direct output
969 for all of them). These chains are jumped into before chains for
970 zones, i.e. every rule put into INPUT_direct will be checked before
971 rules in zones.
972 [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
974 Remove chain with name chain from table table. Only chains
975 previously added with --direct --add-chain can be removed this way.
976 [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
978 Return whether a chain with name chain exists in table table.
979 Returns 0 if true, 1 otherwise. This option concerns only chains
980 previously added with --direct --add-chain.
981 [--permanent] --direct --get-all-rules
983 Get all rules added to all chains in all tables as a newline
984 separated list of the priority and arguments. This option concerns
985 only rules previously added with --direct --add-rule.
986 [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
988 Get all rules added to chain chain in table table as a newline
989 separated list of the priority and arguments. This option concerns
990 only rules previously added with --direct --add-rule.
991 [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
993 priority args
994 Add a rule with the arguments args to chain chain in table table
995 with priority priority.
996 The priority is used to order rules. Priority 0 means add rule on
998 top of the chain, with a higher priority the rule will be added
999 further down. Rules with the same priority are on the same level
1000 and the order of these rules is not fixed and may change. If you
1001 want to make sure that a rule will be added after another one, use
1002 a low priority for the first and a higher for the following.
1003 [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1005 priority args
1006 Remove a rule with priority and the arguments args from chain chain
1007 in table table. Only rules previously added with --direct
1008 --add-rule can be removed this way.
1009 [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1011 Remove all rules in the chain with name chain exists in table
1012 table. This option concerns only rules previously added with
1013 --direct --add-rule in this chain.
1014 [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1016 priority args
1017 Return whether a rule with priority and the arguments args exists
1018 in chain chain in table table. Returns 0 if true, 1 otherwise. This
1019 option concerns only rules previously added with --direct
1020 --add-rule.
1021 --direct --passthrough { ipv4 | ipv6 | eb } args
1023 Pass a command through to the firewall. args can be all iptables,
1024 ip6tables and ebtables command line arguments. This command is
1025 untracked, which means that firewalld is not able to provide
1026 information about this command later on, also not a listing of the
1027 untracked passthoughs.
1028 [--permanent] --direct --get-all-passthroughs
1030 Get all passthrough rules as a newline separated list of the ipv
1031 value and arguments.
1032 [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1034 Get all passthrough rules for the ipv value as a newline separated
1035 list of the priority and arguments.
1036 [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1038 Add a passthrough rule with the arguments args for the ipv value.
1039 [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1041 Remove a passthrough rule with the arguments args for the ipv
1042 value.
1043 [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1045 Return whether a passthrough rule with the arguments args exists
1046 for the ipv value. Returns 0 if true, 1 otherwise.
1047 Lockdown Options
1049 Local applications or services are able to change the firewall
1050 configuration if they are running as root (example: libvirt) or are
1051 authenticated using PolicyKit. With this feature administrators can
1052 lock the firewall configuration so that only applications on lockdown
1053 whitelist are able to request firewall changes.
1054 The lockdown access check limits D-Bus methods that are changing
1056 firewall rules. Query, list and get methods are not limited.
1057 The lockdown feature is a very light version of user and application
1059 policies for firewalld and is turned off by default.
1060 --lockdown-on
1062 Enable lockdown. Be careful - if firewall-cmd is not on lockdown
1063 whitelist when you enable lockdown you won't be able to disable it
1064 again with firewall-cmd, you would need to edit firewalld.conf.
1065 This is a runtime and permanent change.
1067 --lockdown-off
1069 Disable lockdown.
1070 This is a runtime and permanent change.
1072 --query-lockdown
1074 Query whether lockdown is enabled. Returns 0 if lockdown is
1075 enabled, 1 otherwise.
1076 Lockdown Whitelist Options
1078 The lockdown whitelist can contain commands, contexts, users and user
1079 ids.
1080 If a command entry on the whitelist ends with an asterisk '*', then all
1082 command lines starting with the command will match. If the '*' is not
1083 there the absolute command inclusive arguments must match.
1084 Commands for user root and others is not always the same. Example: As
1086 root /bin/firewall-cmd is used, as a normal user /usr/bin/firewall-cmd
1087 is be used on Fedora.
1088 The context is the security (SELinux) context of a running application
1090 or service. To get the context of a running application use ps -e
1091 --context.
1092 Warning: If the context is unconfined, then this will open access for
1094 more than the desired application.
1095 The lockdown whitelist entries are checked in the following order:
1097 1. context
1098 2. uid
1099 3. user
1100 4. command
1101 [--permanent] --list-lockdown-whitelist-commands
1103 List all command lines that are on the whitelist.
1104 [--permanent] --add-lockdown-whitelist-command=command
1106 Add the command to the whitelist.
1107 [--permanent] --remove-lockdown-whitelist-command=command
1109 Remove the command from the whitelist.
1110 [--permanent] --query-lockdown-whitelist-command=command
1112 Query whether the command is on the whitelist. Returns 0 if true, 1
1113 otherwise.
1114 [--permanent] --list-lockdown-whitelist-contexts
1116 List all contexts that are on the whitelist.
1117 [--permanent] --add-lockdown-whitelist-context=context
1119 Add the context context to the whitelist.
1120 [--permanent] --remove-lockdown-whitelist-context=context
1122 Remove the context from the whitelist.
1123 [--permanent] --query-lockdown-whitelist-context=context
1125 Query whether the context is on the whitelist. Returns 0 if true, 1
1126 otherwise.
1127 [--permanent] --list-lockdown-whitelist-uids
1129 List all user ids that are on the whitelist.
1130 [--permanent] --add-lockdown-whitelist-uid=uid
1132 Add the user id uid to the whitelist.
1133 [--permanent] --remove-lockdown-whitelist-uid=uid
1135 Remove the user id uid from the whitelist.
1136 [--permanent] --query-lockdown-whitelist-uid=uid
1138 Query whether the user id uid is on the whitelist. Returns 0 if
1139 true, 1 otherwise.
1140 [--permanent] --list-lockdown-whitelist-users
1142 List all user names that are on the whitelist.
1143 [--permanent] --add-lockdown-whitelist-user=user
1145 Add the user name user to the whitelist.
1146 [--permanent] --remove-lockdown-whitelist-user=user
1148 Remove the user name user from the whitelist.
1149 [--permanent] --query-lockdown-whitelist-user=user
1151 Query whether the user name user is on the whitelist. Returns 0 if
1152 true, 1 otherwise.
1153 Panic Options
1155 --panic-on
1156 Enable panic mode. All incoming and outgoing packets are dropped,
1157 active connections will expire. Enable this only if there are
1158 serious problems with your network environment. For example if the
1159 machine is getting hacked in.
1160 This is a runtime only change.
1162 --panic-off
1164 Disable panic mode. After disabling panic mode established
1165 connections might work again, if panic mode was enabled for a short
1166 period of time.
1167 This is a runtime only change.
1169 --query-panic
1171 Returns 0 if panic mode is enabled, 1 otherwise.
1172
1174 For more examples see http://fedoraproject.org/wiki/FirewallD
1175 Example 1
1177 Enable http service in default zone. This is runtime only change, i.e.
1178 effective until restart.
1179 firewall-cmd --add-service=http
1181 Example 2
1185 Enable port 443/tcp immediately and permanently in default zone. To
1186 make the change effective immediately and also after restart we need
1187 two commands. The first command makes the change in runtime
1188 configuration, i.e. makes it effective immediately, until restart. The
1189 second command makes the change in permanent configuration, i.e. makes
1190 it effective after restart.
1191 firewall-cmd --add-port=443/tcp
1193 firewall-cmd --permanent --add-port=443/tcp
1194
1198 On success 0 is returned. On failure the output is red colored and exit
1199 code is either 2 in case of wrong command-line option usage or one of
1200 the following error codes in other cases:
1201 ┌────────────────────┬──────┐
1203 │String │ Code │
1204 ├────────────────────┼──────┤
1205 │ALREADY_ENABLED │ 11 │
1206 ├────────────────────┼──────┤
1207 │NOT_ENABLED │ 12 │
1208 ├────────────────────┼──────┤
1209 │COMMAND_FAILED │ 13 │
1210 ├────────────────────┼──────┤
1211 │NO_IPV6_NAT │ 14 │
1212 ├────────────────────┼──────┤
1213 │PANIC_MODE │ 15 │
1214 ├────────────────────┼──────┤
1215 │ZONE_ALREADY_SET │ 16 │
1216 ├────────────────────┼──────┤
1217 │UNKNOWN_INTERFACE │ 17 │
1218 ├────────────────────┼──────┤
1219 │ZONE_CONFLICT │ 18 │
1220 ├────────────────────┼──────┤
1221 │BUILTIN_CHAIN │ 19 │
1222 ├────────────────────┼──────┤
1223 │EBTABLES_NO_REJECT │ 20 │
1224 ├────────────────────┼──────┤
1225 │NOT_OVERLOADABLE │ 21 │
1226 ├────────────────────┼──────┤
1227 │NO_DEFAULTS │ 22 │
1228 ├────────────────────┼──────┤
1229 │BUILTIN_ZONE │ 23 │
1230 ├────────────────────┼──────┤
1231 │BUILTIN_SERVICE │ 24 │
1232 ├────────────────────┼──────┤
1233 │BUILTIN_ICMPTYPE │ 25 │
1234 ├────────────────────┼──────┤
1235 │NAME_CONFLICT │ 26 │
1236 ├────────────────────┼──────┤
1237 │NAME_MISMATCH │ 27 │
1238 ├────────────────────┼──────┤
1239 │PARSE_ERROR │ 28 │
1240 ├────────────────────┼──────┤
1241 │ACCESS_DENIED │ 29 │
1242 ├────────────────────┼──────┤
1243 │UNKNOWN_SOURCE │ 30 │
1244 ├────────────────────┼──────┤
1245 │RT_TO_PERM_FAILED │ 31 │
1246 ├────────────────────┼──────┤
1247 │IPSET_WITH_TIMEOUT │ 32 │
1248 ├────────────────────┼──────┤
1249 │BUILTIN_IPSET │ 33 │
1250 ├────────────────────┼──────┤
1251 │ALREADY_SET │ 34 │
1252 ├────────────────────┼──────┤
1253 │MISSING_IMPORT │ 35 │
1254 ├────────────────────┼──────┤
1255 │DBUS_ERROR │ 36 │
1256 ├────────────────────┼──────┤
1257 │BUILTIN_HELPER │ 37 │
1258 ├────────────────────┼──────┤
1259 │NOT_APPLIED │ 38 │
1260 ├────────────────────┼──────┤
1261 │INVALID_ACTION │ 100 │
1262 ├────────────────────┼──────┤
1263 │INVALID_SERVICE │ 101 │
1264 ├────────────────────┼──────┤
1265 │INVALID_PORT │ 102 │
1266 ├────────────────────┼──────┤
1267 │INVALID_PROTOCOL │ 103 │
1268 ├────────────────────┼──────┤
1269 │INVALID_INTERFACE │ 104 │
1270 ├────────────────────┼──────┤
1271 │INVALID_ADDR │ 105 │
1272 ├────────────────────┼──────┤
1273 │INVALID_FORWARD │ 106 │
1274 ├────────────────────┼──────┤
1275 │INVALID_ICMPTYPE │ 107 │
1276 ├────────────────────┼──────┤
1277 │INVALID_TABLE │ 108 │
1278 ├────────────────────┼──────┤
1279 │INVALID_CHAIN │ 109 │
1280 ├────────────────────┼──────┤
1281 │INVALID_TARGET │ 110 │
1282 ├────────────────────┼──────┤
1283 │INVALID_IPV │ 111 │
1284 ├────────────────────┼──────┤
1285 │INVALID_ZONE │ 112 │
1286 ├────────────────────┼──────┤
1287 │INVALID_PROPERTY │ 113 │
1288 ├────────────────────┼──────┤
1289 │INVALID_VALUE │ 114 │
1290 ├────────────────────┼──────┤
1291 │INVALID_OBJECT │ 115 │
1292 ├────────────────────┼──────┤
1293 │INVALID_NAME │ 116 │
1294 ├────────────────────┼──────┤
1295 │INVALID_FILENAME │ 117 │
1296 ├────────────────────┼──────┤
1297 │INVALID_DIRECTORY │ 118 │
1298 ├────────────────────┼──────┤
1299 │INVALID_TYPE │ 119 │
1300 ├────────────────────┼──────┤
1301 │INVALID_SETTING │ 120 │
1302 ├────────────────────┼──────┤
1303 │INVALID_DESTINATION │ 121 │
1304 ├────────────────────┼──────┤
1305 │INVALID_RULE │ 122 │
1306 ├────────────────────┼──────┤
1307 │INVALID_LIMIT │ 123 │
1308 ├────────────────────┼──────┤
1309 │INVALID_FAMILY │ 124 │
1310 ├────────────────────┼──────┤
1311 │INVALID_LOG_LEVEL │ 125 │
1312 ├────────────────────┼──────┤
1313 │INVALID_AUDIT_TYPE │ 126 │
1314 ├────────────────────┼──────┤
1315 │INVALID_MARK │ 127 │
1316 ├────────────────────┼──────┤
1317 │INVALID_CONTEXT │ 128 │
1318 ├────────────────────┼──────┤
1319 │INVALID_COMMAND │ 129 │
1320 ├────────────────────┼──────┤
1321 │INVALID_USER │ 130 │
1322 ├────────────────────┼──────┤
1323 │INVALID_UID │ 131 │
1324 ├────────────────────┼──────┤
1325 │INVALID_MODULE │ 132 │
1326 ├────────────────────┼──────┤
1327 │INVALID_PASSTHROUGH │ 133 │
1328 ├────────────────────┼──────┤
1329 │INVALID_MAC │ 134 │
1330 ├────────────────────┼──────┤
1331 │INVALID_IPSET │ 135 │
1332 ├────────────────────┼──────┤
1333 │INVALID_ENTRY │ 136 │
1334 ├────────────────────┼──────┤
1335 │INVALID_OPTION │ 137 │
1336 ├────────────────────┼──────┤
1337 │INVALID_HELPER │ 138 │
1338 ├────────────────────┼──────┤
1339 │MISSING_TABLE │ 200 │
1340 ├────────────────────┼──────┤
1341 │MISSING_CHAIN │ 201 │
1342 ├────────────────────┼──────┤
1343 │MISSING_PORT │ 202 │
1344 ├────────────────────┼──────┤
1345 │MISSING_PROTOCOL │ 203 │
1346 ├────────────────────┼──────┤
1347 │MISSING_ADDR │ 204 │
1348 ├────────────────────┼──────┤
1349 │MISSING_NAME │ 205 │
1350 ├────────────────────┼──────┤
1351 │MISSING_SETTING │ 206 │
1352 ├────────────────────┼──────┤
1353 │MISSING_FAMILY │ 207 │
1354 ├────────────────────┼──────┤
1355 │RUNNING_BUT_FAILED │ 251 │
1356 ├────────────────────┼──────┤
1357 │NOT_RUNNING │ 252 │
1358 ├────────────────────┼──────┤
1359 │NOT_AUTHORIZED │ 253 │
1360 ├────────────────────┼──────┤
1361 │UNKNOWN_ERROR │ 254 │
1362 └────────────────────┴──────┘
1363 Note that return codes of --query-* options are special: Successful
1365 queries return 0, unsuccessful ones return 1 unless an error occurred
1366 in which case the table above applies.
1367
1369 firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1370 firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1371 firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1372 offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1373 firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1374 firewalld.helper(5)
1375
1377 firewalld home page:
1378 http://firewalld.org
1379 More documentation with examples:
1381 http://fedoraproject.org/wiki/FirewallD
1382
1384 Thomas Woerner <twoerner@redhat.com>
1385 Developer
1386 Jiri Popelka <jpopelka@redhat.com>
1388 Developer
1389firewalld 0.6.4 FIREWALL-CMD(1)