FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)

NAME

       firewall-cmd - firewalld command line client


SYNOPSIS

       firewall-cmd [OPTIONS...]


DESCRIPTION

       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configuration.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that a change can be made to the runtime
       configuration or to the permanent configuration.


OPTIONS

       Sequence options are the options that can be specified multiple times;
       the exit code is 0 if there is at least one item that succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
       errors are treated as succeeded. If there are issues while parsing the
       items, then these are treated as warnings and will not change the
       result as long as there is a succeeded one. Without any succeeded item,
       the exit code will depend on the error codes. If there is exactly one
       error code, then this is used. If there is more than one, then
       UNKNOWN_ERROR (254) will be used.

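       The exit-code rule for sequence options, as an added worked model (not
       code from this man page or from the firewalld project); the exit codes
       are the ones named above, while the item names and the error code 100
       used in the sample run are constructed:

```python
# Added example, not code from the firewall-cmd man page or the firewalld
# project: a model of the exit-code rule for sequence options. Exit codes
# are the ones named in the text; items and codes are constructed input.

ALREADY_ENABLED = 11
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254

# A real success plus the three errors the text says are treated as success.
TREATED_AS_SUCCEEDED = {0, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET}


def sequence_exit_code(results):
    """Compute (exit_code, warnings) for one invocation of a sequence option.

    results: list of (item, code) pairs, one per item given on the command
    line; code 0 means the item was applied, any other value is the error
    code that item produced (a parse problem is passed in as an error code
    too, so that it can be downgraded to a warning when another item
    succeeded).
    """
    succeeded = [item for item, code in results if code in TREATED_AS_SUCCEEDED]
    failed = [(item, code) for item, code in results if code not in TREATED_AS_SUCCEEDED]

    if succeeded:
        # At least one item succeeded: exit 0, and every failure is reported
        # only as a warning without changing the result.
        return 0, [f"{item}: error {code} (warning)" for item, code in failed]

    if not failed:
        # Assumption: the page does not say what happens with no items at
        # all, so this model treats it as a caller error.
        raise ValueError("no items given")

    distinct_codes = {code for _, code in failed}
    if len(distinct_codes) == 1:
        # Exactly one error code among the failures: that code is the result.
        return distinct_codes.pop(), []
    # More than one distinct error code and nothing succeeded.
    return UNKNOWN_ERROR, []


if __name__ == "__main__":
    # Constructed run: two services succeed, one item produced error 100
    # (a constructed code, not a firewalld one), so the call still exits 0.
    print(sequence_exit_code([("http", 0), ("ssh", ALREADY_ENABLED), ("bogus", 100)]))
```
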
       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration will become the new runtime configuration,
           i.e. all runtime-only changes done until the reload are lost with
           the reload if they have not also been made in the permanent
           configuration.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --complete-reload
           Reload the firewall completely, even netfilter kernel modules. This
           will most likely terminate active connections, because state
           information is lost. This option should only be used in case of
           severe firewall problems, for example if state information
           problems prevent any connection from being established even though
           the firewall rules are correct.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The way this is supposed to work is that
           when configuring firewalld you make runtime changes only and, once
           you're happy with the configuration and have tested that it works
           the way you want, you save the configuration to disk.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also the final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Permanent Options
       --permanent
           The permanent option --permanent can be used to set options
           permanently. These changes are not effective immediately, only
           after a service restart/reload or system reboot. Without the
           --permanent option, a change will only be part of the runtime
           configuration.

           If you want to make a change in the runtime and permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can be optionally added to all options
           further down where it is supported.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..


           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.

       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to or no zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to or no zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..



       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..
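
       A parser for the output layouts shown above for --get-active-zones,
       --info-zone and --list-all-zones, with a lookup that mirrors
       --get-zone-of-interface and --get-zone-of-source, as an added example
       (not code from this man page or from firewalld). The sample listing is
       constructed; it assumes the zone header sits at column 0, fields are
       indented two spaces and the items of multi-line fields are indented
       further, as in the layouts printed above.

```python
# Added example, not code from the man page or firewalld: a parser for the
# --get-active-zones / --info-zone / --list-all-zones layout. Assumption: a
# zone header sits at column 0, fields are indented two spaces and the items
# of a multi-line field (forward-ports, rich rules) are indented further.


def parse_zone_listing(text):
    """Return {zone: {field: list}}.

    A single-line field ("services: ssh https") maps to its space separated
    tokens; a multi-line field ("rich rules:" followed by indented lines)
    maps to its item lines; an empty field ("protocols:") maps to [].
    """
    zones = {}
    current = None        # dict of the zone being filled
    open_field = None     # name of the multi-line field being collected
    field_indent = None   # indentation of that field's header line
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0:
            # Zone header. Anything after the name, such as "(active)" in
            # some releases (assumption), is kept as flags.
            name, _, rest = line.partition(" ")
            current = zones.setdefault(name, {})
            if rest:
                current["flags"] = rest.strip("()").split()
            open_field = None
            continue
        if current is None:
            raise ValueError(f"field line before any zone header: {raw!r}")
        if open_field is not None and indent > field_indent:
            # Item belonging to the open multi-line field (kept verbatim,
            # since rich rules contain ':' themselves).
            current[open_field].append(line)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a 'field: value' line: {raw!r}")
        current[key.strip()] = value.split()
        # An empty value opens a multi-line field; more indented lines that
        # follow are its items. If none follow, the field stays [].
        open_field, field_indent = (key.strip(), indent) if not value.strip() else (None, None)
    return zones


def zone_of(zones, binding):
    """Name of the zone whose 'interfaces' or 'sources' list contains
    binding (an interface name, address, MAC or ipset:name), else None."""
    for name, fields in zones.items():
        if binding in fields.get("interfaces", []) or binding in fields.get("sources", []):
            return name
    return None


# Constructed sample in the --list-all-zones layout shown above.
SAMPLE_LISTING = """\
public
  interfaces: eth0 eth1
  services: ssh dhcpv6-client
  ports: 8080/tcp
  protocols:
  forward-ports:
        port=80:proto=tcp:toport=8080
        port=443:proto=tcp:toport=8443:toaddr=192.0.2.10
  icmp-blocks: echo-request
  rich rules:
        rule family="ipv4" source address="198.51.100.7" reject
dmz
  sources: 192.0.2.0/24 ipset:blocklist
  services: https
"""

if __name__ == "__main__":
    parsed = parse_zone_listing(SAMPLE_LISTING)
    print(parsed["public"]["forward-ports"])
    print(zone_of(parsed, "eth1"), zone_of(parsed, "ipset:blocklist"))
```
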


       --permanent --new-zone=zone
           Add a new permanent and empty zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

       --permanent --zone=zone --set-description=description
           Set a new description for zone.

       --permanent --zone=zone --get-description
           Print the description for zone.

       --permanent --zone=zone --set-short=description
           Set the short description for zone.

       --permanent --zone=zone --get-short
           Print the short description for zone.

       --permanent [--zone=zone] --get-target
           Get the target of a permanent zone.

       --permanent [--zone=zone] --set-target=target
           Set the target of a permanent zone.  target is one of: default,
           ACCEPT, DROP, REJECT

           default is similar to REJECT, but has special meaning in the
           following scenarios:

            1. ICMP explicitly allowed

               At the end of the zone's ruleset ICMP packets are explicitly
               allowed.

            2. forwarded packets follow the target of the egress zone

               In the case of forwarded packets, if the ingress zone uses
               default then whether or not the packet will be allowed is
               determined by the egress zone.

               For a forwarded packet that ingresses zoneA and egresses zoneB:

               ·   if zoneA's target is ACCEPT, DROP, or REJECT then the
                   packet is accepted, dropped, or rejected respectively.

               ·   if zoneA's target is default, then the packet is accepted,
                   dropped, or rejected based on zoneB's target. If zoneB's
                   target is also default, then the packet will be rejected by
                   firewalld's catchall reject.

            3. Zone drifting from source-based zone to interface-based zone

               This only applies if AllowZoneDrifting is enabled. See
               firewalld.conf(5).

               If a packet ingresses a source-based zone with a target of
               default, it may still enter an interface-based zone (including
               the default zone).

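       The verdict rule of scenario 2 for forwarded packets, as an added
       worked model (not code from this man page or from firewalld); the zone
       names and the zone table at the bottom are constructed, and the audit
       helper goes one step beyond the text by listing the paths that are
       allowed only because the egress zone's target is ACCEPT.

```python
# Added example, not code from the man page or firewalld: the verdict rule
# for forwarded packets under --set-target (scenario 2 above). Zone names
# and the zone table below are constructed.

EXPLICIT_TARGETS = ("ACCEPT", "DROP", "REJECT")
VALID_TARGETS = ("default",) + EXPLICIT_TARGETS


def forwarded_verdict(ingress_target, egress_target):
    """Return (verdict, reason) for a packet that ingresses a zone whose
    target is ingress_target and egresses a zone whose target is
    egress_target. Targets are case sensitive, as listed on the page."""
    for role, target in (("ingress", ingress_target), ("egress", egress_target)):
        if target not in VALID_TARGETS:
            raise ValueError(f"{role} target {target!r} is not one of {VALID_TARGETS}")
    if ingress_target in EXPLICIT_TARGETS:
        # zoneA's explicit target decides on its own.
        return ingress_target, "ingress zone target applies"
    if egress_target in EXPLICIT_TARGETS:
        # zoneA is default: the decision follows zoneB's target.
        return egress_target, "ingress is default, egress zone target applies"
    # Both default: nothing accepted the packet, the catchall reject applies.
    return "REJECT", "both targets are default, firewalld catchall reject"


def audit_forwarding(zone_targets, paths):
    """Map each (ingress_zone, egress_zone) path to its verdict.

    zone_targets: {zone: target}; paths: iterable of (ingress, egress)."""
    return {path: forwarded_verdict(zone_targets[path[0]], zone_targets[path[1]])[0]
            for path in paths}


def accepted_via_egress(zone_targets, paths):
    """Paths accepted solely because the egress zone's target is ACCEPT while
    the ingress zone is still at default; worth reviewing when a trusted-style
    zone sits behind a router."""
    return [path for path in paths
            if zone_targets[path[0]] == "default" and zone_targets[path[1]] == "ACCEPT"]


# Constructed zone table: 'trusted' uses ACCEPT, 'block' uses DROP, the rest
# use default.
SAMPLE_ZONES = {"public": "default", "internal": "default",
                "trusted": "ACCEPT", "block": "DROP"}
SAMPLE_PATHS = [("public", "internal"), ("public", "trusted"),
                ("block", "trusted"), ("trusted", "public")]

if __name__ == "__main__":
    for path, verdict in audit_forwarding(SAMPLE_ZONES, SAMPLE_PATHS).items():
        print(f"{path[0]} -> {path[1]}: {verdict}")
    print("accepted only via egress ACCEPT:", accepted_via_egress(SAMPLE_ZONES, SAMPLE_PATHS))
```
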
   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is omitted,
           the default zone will be used.

       [--permanent] [--zone=zone] --list-services
           List services added for zone as a space separated list. If zone is
           omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
           Add a service for zone. If zone is omitted, the default zone will
           be used. This option can be specified multiple times. If a timeout
           is supplied, the rule will be active for the specified amount of
           time and will be removed automatically afterwards.  timeval is
           either a number (of seconds) or a number followed by one of the
           characters s (seconds), m (minutes), h (hours), for example 20m or
           1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-service=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is omitted,
           the default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-ports
           List ports added for zone as a space separated list. A port is of
           the form portid[-portid]/protocol; it can be either a port and
           protocol pair or a port range with a protocol. If zone is omitted,
           the default zone will be used.

       [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the port for zone. If zone is omitted, the default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards.  timeval is either a
           number (of seconds) or a number followed by one of the characters
           s (seconds), m (minutes), h (hours), for example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-protocols
           List protocols added for zone as a space separated list. If zone is
           omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
           Add the protocol for zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-source-ports
           List source ports added for zone as a space separated list. A port
           is of the form portid[-portid]/protocol. If zone is omitted, the
           default zone will be used.

       [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the source port for zone. If zone is omitted, the default zone
           will be used. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone is
           omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added for
           zone as a space separated list. If zone is omitted, the default
           zone will be used.

       [--permanent] [--zone=zone] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype for zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards.  timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the icmp types firewalld supports. To get a
           listing of supported icmp types, use firewall-cmd --get-icmptypes.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           the default zone will be used. This option can be specified
           multiple times.

       [--permanent] [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for zone.
           If zone is omitted, the default zone will be used. Returns 0 if
           true, 1 otherwise.

       [--permanent] [--zone=zone] --list-forward-ports
           List IPv4 forward ports added for zone as a space separated list.
           If zone is omitted, the default zone will be used.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port for zone. If zone is omitted, the default
           zone will be used. This option can be specified multiple times. If
           a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

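       Validators for the argument forms taken by --add-port,
       --add-source-port, --add-forward-port and --timeout, written from the
       syntax given above, as an added example (not code from this man page
       or from firewalld). The toaddr part follows the option synopsis
       (address[/mask]) and is checked with Python's standard ipaddress
       module; all other values are constructed test input.

```python
# Added example, not code from the man page or firewalld: validators for
# the port, source-port, forward-port and --timeout argument forms above.
# Assumption: toaddr is validated as address[/mask] per the option synopsis,
# using the standard ipaddress module.
import ipaddress
import re

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")
_TIMEVAL_RE = re.compile(r"^(\d+)([smh]?)$")
_PORT_RANGE_RE = re.compile(r"^(\d+)(?:-(\d+))?$")
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}


def parse_timeval(text):
    """'20m' -> 1200, '1h' -> 3600, '45' -> 45 (a bare number is seconds)."""
    m = _TIMEVAL_RE.match(text)
    if not m:
        raise ValueError(f"bad timeval {text!r}: number optionally followed by s, m or h")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2)]


def parse_port_range(text):
    """'22' -> (22, 22); '1024-2048' -> (1024, 2048)."""
    m = _PORT_RANGE_RE.match(text)
    if not m:
        raise ValueError(f"bad port {text!r}: expected portid or portid-portid")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"port range {text!r} is reversed or outside 1-65535")
    return lo, hi


def parse_port_spec(text):
    """'portid[-portid]/protocol' -> ((lo, hi), protocol), as used by
    --add-port, --add-source-port and their remove/query variants."""
    port, sep, proto = text.partition("/")
    if not sep or proto not in PROTOCOLS:
        raise ValueError(f"bad port spec {text!r}: protocol must be one of {PROTOCOLS}")
    return parse_port_range(port), proto


def parse_forward_port(text):
    """Parse 'port=..:proto=..[:toport=..][:toaddr=..]' for --add-forward-port.

    Returns a dict with the parsed parts and 'enables_ip_forwarding', which
    mirrors the note that IP forwarding is implicitly enabled when toaddr
    is given."""
    parts = {}
    for field in text.split(":"):
        key, sep, value = field.partition("=")
        if not sep or key in parts:
            raise ValueError(f"bad or repeated field {field!r} in {text!r}")
        parts[key] = value
    unknown = set(parts) - {"port", "proto", "toport", "toaddr"}
    if unknown or "port" not in parts or "proto" not in parts:
        raise ValueError(f"forward port {text!r}: needs port= and proto=, got {sorted(parts)}")
    if parts["proto"] not in PROTOCOLS:
        raise ValueError(f"protocol {parts['proto']!r} must be one of {PROTOCOLS}")
    result = {"port": parse_port_range(parts["port"]), "proto": parts["proto"]}
    if "toport" in parts:
        result["toport"] = parse_port_range(parts["toport"])
    if "toaddr" in parts:
        addr, _, mask = parts["toaddr"].partition("/")
        ip = ipaddress.ip_address(addr)          # raises ValueError if malformed
        if ip.version != 4:
            raise ValueError("this option handles IPv4 only; use the rich language for IPv6")
        if mask:
            ipaddress.ip_network(f"{ip}/{mask}", strict=False)  # validates the mask
        result["toaddr"] = parts["toaddr"]
    result["enables_ip_forwarding"] = "toaddr" in parts
    return result


if __name__ == "__main__":
    print(parse_port_spec("1024-2048/tcp"), parse_timeval("20m"))
    print(parse_forward_port("port=80:proto=tcp:toport=8080:toaddr=192.0.2.10"))
```
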
       [--permanent] [--zone=zone]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port from zone. If zone is omitted, the
           default zone will be used. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added for zone. If
           zone is omitted, the default zone will be used. Returns 0 if true,
           1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
           Enable IPv4 masquerade for zone. If zone is omitted, the default
           zone will be used. If a timeout is supplied, masquerading will be
           active for the specified amount of time.  timeval is either a
           number (of seconds) or a number followed by one of the characters
           s (seconds), m (minutes), h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--permanent] [--zone=zone] --remove-masquerade
           Disable IPv4 masquerade for zone. If zone is omitted, the default
           zone will be used. If the masquerading was enabled with a timeout,
           it will be disabled as well.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --query-masquerade
           Return whether IPv4 masquerading has been enabled for zone. If zone
           is omitted, the default zone will be used. Returns 0 if true, 1
           otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --list-rich-rules
           List rich language rules added for zone as a newline separated
           list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
           Add rich language rule 'rule' for zone. This option can be
           specified multiple times. If zone is omitted, the default zone will
           be used. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards.  timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-rich-rule='rule'
           Remove rich language rule 'rule' from zone. This option can be
           specified multiple times. If zone is omitted, the default zone will
           be used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added for zone.
           If zone is omitted, the default zone will be used. Returns 0 if
           true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are used
       to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--permanent] [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, the
           default zone will be used.

           If the interface is under control of NetworkManager, it is at first
           connected to change the zone for the connection that is using the
           interface. If this fails, the zone binding is created in firewalld
           and the limitations below apply. For interfaces that are not under
           control of NetworkManager, firewalld tries to change the ZONE
           setting in the ifcfg file, if the file exists.

           As an end user you don't need this in most cases, because
           NetworkManager (or the legacy network service) adds interfaces into
           zones automatically (according to the ZONE= option from the
           ifcfg-interface file) if NM_CONTROLLED=no is not set. You should do
           it only if there's no /etc/sysconfig/network-scripts/ifcfg-interface
           file. If there is such a file and you add the interface to a zone
           with this --add-interface option, make sure the zone is the same in
           both cases, otherwise the behaviour would be undefined. Please also
           have a look at the firewalld(1) man page in the Concepts section.
           For permanent association of an interface with a zone, see also
           'How to set or change a zone for a connection?' in
           firewalld.zones(5).

       [--permanent] [--zone=zone] --change-interface=interface
           If the interface is under control of NetworkManager, it is at first
           connected to change the zone for the connection that is using the
           interface. If this fails, the zone binding is created in firewalld
           and the limitations below apply. For interfaces that are not under
           control of NetworkManager, firewalld tries to change the ZONE
           setting in the ifcfg file, if the file exists.

           Change the zone that interface interface is bound to, to zone zone.
           It's basically --remove-interface followed by --add-interface. If
           the interface has not been bound to a zone before, it behaves like
           --add-interface. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--permanent] --remove-interface=interface
           If the interface is under control of NetworkManager, it is at first
           connected to change the zone for the connection that is using the
           interface. If this fails, the zone binding is created in firewalld
           and the limitations below apply.

           For the addition or change of interfaces that are not under control
           of NetworkManager: firewalld tries to change the ZONE setting in
           the ifcfg file, if an ifcfg file exists that is using the
           interface.

           Only for the removal of interfaces that are not under control of
           NetworkManager: firewalld does not try to change the ZONE setting
           in the ifcfg file. This is needed to make sure that an ifdown of
           the interface will not result in a reset of the zone setting to the
           default zone. Only the zone binding is then removed in firewalld.

           Remove the binding of interface interface from the zone it was
           previously added to.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be used
       to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6, a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd [--permanent]
       --get-zones.

       [--permanent] [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated list.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, the default zone
           will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone that the source is bound to, to zone zone. It's
           basically --remove-source followed by --add-source. If the source
           has not been bound to a zone before, it behaves like --add-source.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone]
       --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from the zone it was previously
           added to.

638   IPSet Options
639       --get-ipset-types
640           Print the supported ipset types.
641
642       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
643       [--option=key[=value]]
644           Add a new permanent and empty ipset with specifying the type and
645           optional the family and options like timeout, hashsize and maxelem.
646           For more information please have a look at ipset(8) man page.
647
648           ipset names must be alphanumeric and may additionally include
649           characters: '_' and '-'.
650
651       --permanent --new-ipset-from-file=filename [--name=ipset]
652           Add a new permanent ipset from a prepared ipset file with an
653           optional name override.
654
655       --permanent --delete-ipset=ipset
656           Delete an existing permanent ipset.
657
658       --permanent --load-ipset-defaults=ipset
659           Load ipset default settings or report NO_DEFAULTS error.
660
661       [--permanent] --info-ipset=ipset
662           Print information about the ipset ipset. The output format is:
663
664               ipset
665                 type: type
666                 options: option1[=value1] ..
667                 entries: entry1 ..
668
669
670
671       [--permanent] --get-ipsets
672           Print predefined ipsets as a space separated list.
673
674       --permanent --ipset=ipset --set-description=description
675           Set new description to ipset
676
677       --permanent --ipset=ipset --get-description
678           Print description for ipset
679
680       --permanent --ipset=ipset --set-short=description
681           Set short description to ipset
682
683       --permanent --ipset=ipset --get-short
684           Print short description for ipset
685
686       [--permanent] --ipset=ipset --add-entry=entry
687           Add a new entry to the ipset.
688
689           Adding an entry to an ipset with option timeout is permitted, but
690           these entries are not tracked by firewalld.
691
692       [--permanent] --ipset=ipset --remove-entry=entry
693           Remove an entry from the ipset.
694
695       [--permanent] --ipset=ipset --query-entry=entry
696           Return whether the entry has been added to an ipset. Returns 0 if
697           true, 1 otherwise.
698
699           Querying an ipset with a timeout will yield an error. Entries are
700           not tracked for ipsets with a timeout.
701
702       [--permanent] --ipset=ipset --get-entries
703           List all entries of the ipset.
704
705       [--permanent] --ipset=ipset --add-entries-from-file=filename
706           Add new entries to the ipset from the file. For all entries that
707           are listed in the file but already in the ipset, a warning will be
708           printed.
709
710           The file should contain one entry per line. Lines starting with a
711           hash or semicolon are ignored, as are empty lines.
712
713       [--permanent] --ipset=ipset --remove-entries-from-file=filename
714           Remove existing entries from the ipset from the file. For all
715           entries that are listed in the file but not in the ipset, a warning
716           will be printed.
717
718           The file should contain one entry per line. Lines starting with a
719           hash or semicolon are ignored, as are empty lines.
720
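       The two file-based options above share one input format. The following
       is an added example, not code from firewalld or from this man page: a
       pre-flight check that applies the documented skip rules (one entry per
       line, '#' or ';' comment lines and empty lines ignored) and, beyond
       what the page states, validates every entry as an address or network
       of the ipset's --family (inet or inet6) and reports duplicates before
       the file is handed to --add-entries-from-file. The ipset name
       'bad-hosts', the file name and the file contents are constructed.

```python
"""Pre-flight check for an ipset entries file used with
firewall-cmd --ipset=NAME --add-entries-from-file=FILE.

Added example, not part of firewalld. Applies the documented file rules and
additionally validates entries against the ipset family and flags duplicates.
"""
import ipaddress
import shlex
from typing import List, Tuple


def parse_entries_file(text: str) -> List[str]:
    """Return the entries of an ipset file, applying the documented skip rules:
    lines starting with '#' or ';' and empty lines are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        entries.append(line)
    return entries


def validate_entries(entries: List[str], family: str = "inet"
                     ) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split entries into (valid, [(entry, reason), ...]).

    family is the firewalld --family value: 'inet' (IPv4) or 'inet6' (IPv6).
    Entries are accepted as a plain address or as address/prefix (CIDR);
    a second occurrence of the same network is reported as a duplicate.
    """
    if family not in ("inet", "inet6"):
        raise ValueError(f"unknown ipset family {family!r}")
    want_version = 4 if family == "inet" else 6
    valid: List[str] = []
    rejected: List[Tuple[str, str]] = []
    seen = set()
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError as exc:
            rejected.append((entry, f"not an address or network: {exc}"))
            continue
        if net.version != want_version:
            rejected.append((entry, f"IPv{net.version} entry in an {family} set"))
            continue
        key = str(net)
        if key in seen:
            rejected.append((entry, "duplicate of an earlier line"))
            continue
        seen.add(key)
        valid.append(entry)
    return valid, rejected


def build_command(ipset: str, filename: str, permanent: bool = True) -> str:
    """Render the firewall-cmd invocation documented above as a shell string."""
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    argv += [f"--ipset={ipset}", f"--add-entries-from-file={filename}"]
    return shlex.join(argv)


# Constructed sample file contents (not taken from any real system).
SAMPLE_FILE = """\
# blocklist for the ipset 'bad-hosts' (constructed example)
; both comment styles are ignored, as are blank lines

192.0.2.10
198.51.100.0/24
2001:db8::1
192.0.2.10
not-an-address
"""

if __name__ == "__main__":
    entries = parse_entries_file(SAMPLE_FILE)
    good, bad = validate_entries(entries, family="inet")
    for entry, reason in bad:
        print(f"skip {entry!r}: {reason}")
    print(f"{len(good)} entries ready:", build_command("bad-hosts", "bad-hosts.txt"))
```

       Only the validated entries should be written back to the file that is
       passed to firewall-cmd; the duplicate check matters because the man
       page notes that firewall-cmd merely warns about entries already in the
       set, and a rejected IPv6 entry in an inet set would otherwise fail the
       whole load.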
721       --permanent --path-ipset=ipset
722           Print path of the ipset configuration file.
723
724   Service Options
725       Options in this section affect only one particular service.
726
727       [--permanent] --info-service=service
728           Print information about the service service. The output format is:
729
730               service
731                 ports: port1 ..
732                 protocols: protocol1 ..
733                 source-ports: source-port1 ..
734                 helpers: helper1 ..
735                 destination: ipv1:address1 ..
736
737
738
739       The following options are only usable in the permanent configuration.
740
741       --permanent --new-service=service
742           Add a new permanent and empty service.
743
744           Service names must be alphanumeric and may additionally include
745           characters: '_' and '-'.
746
747       --permanent --new-service-from-file=filename [--name=service]
748           Add a new permanent service from a prepared service file with an
749           optional name override.
750
751       --permanent --delete-service=service
752           Delete an existing permanent service.
753
754       --permanent --load-service-defaults=service
755           Load service default settings or report NO_DEFAULTS error.
756
757       --permanent --path-service=service
758           Print path of the service configuration file.
759
760       --permanent --service=service --set-description=description
761           Set new description to service
762
763       --permanent --service=service --get-description
764           Print description for service
765
766       --permanent --service=service --set-short=description
767           Set short description to service
768
769       --permanent --service=service --get-short
770           Print short description for service
771
772       --permanent --service=service --add-port=portid[-portid]/protocol
773           Add a new port to the permanent service.
774
775       --permanent --service=service --remove-port=portid[-portid]/protocol
776           Remove a port from the permanent service.
777
778       --permanent --service=service --query-port=portid[-portid]/protocol
779           Return whether the port has been added to the permanent service.
780
781       --permanent --service=service --get-ports
782           List ports added to the permanent service.
783
784       --permanent --service=service --add-protocol=protocol
785           Add a new protocol to the permanent service.
786
787       --permanent --service=service --remove-protocol=protocol
788           Remove a protocol from the permanent service.
789
790       --permanent --service=service --query-protocol=protocol
791           Return whether the protocol has been added to the permanent service.
792
793       --permanent --service=service --get-protocols
794           List protocols added to the permanent service.
795
796       --permanent --service=service
797       --add-source-port=portid[-portid]/protocol
798           Add a new source port to the permanent service.
799
800       --permanent --service=service
801       --remove-source-port=portid[-portid]/protocol
802           Remove a source port from the permanent service.
803
804       --permanent --service=service
805       --query-source-port=portid[-portid]/protocol
806           Return whether the source port has been added to the permanent
807           service.
808
809       --permanent --service=service --get-source-ports
810           List source ports added to the permanent service.
811
812       --permanent --service=service --add-helper=helper
813           Add a new helper to the permanent service.
814
815       --permanent --service=service --remove-helper=helper
816           Remove a helper from the permanent service.
817
818       --permanent --service=service --query-helper=helper
819           Return whether the helper has been added to the permanent service.
820
821       --permanent --service=service --get-service-helpers
822           List helpers added to the permanent service.
823
824       --permanent --service=service --set-destination=ipv:address[/mask]
825           Set destination for ipv to address[/mask] in the permanent service.
826
827       --permanent --service=service --remove-destination=ipv
828           Remove the destination for ipv from the permanent service.
829
830       --permanent --service=service --query-destination=ipv:address[/mask]
831           Return whether the destination ipv to address[/mask] has been set in
832           the permanent service.
833
834       --permanent --service=service --get-destinations
835           List destinations added to the permanent service.
836
837       --permanent --service=service --add-include=service
838           Add a new include to the permanent service.
839
840       --permanent --service=service --remove-include=service
841           Remove an include from the permanent service.
842
843       --permanent --service=service --query-include=service
844           Return whether the include has been added to the permanent service.
845
846       --permanent --service=service --get-includes
847           List includes added to the permanent service.
848
849   Helper Options
850       Options in this section affect only one particular helper.
851
852       [--permanent] --info-helper=helper
853           Print information about the helper helper. The output format is:
854
855               helper
856                 family: family
857                 module: module
858                 ports: port1 ..
859
860
861
862       The following options are only usable in the permanent configuration.
863
864       --permanent --new-helper=helper --module=nf_conntrack_module
865       [--family=ipv4|ipv6]
866           Add a new permanent helper with module and optionally family
867           defined.
868
869           Helper names must be alphanumeric and may additionally include
870           characters: '-'.
871
872       --permanent --new-helper-from-file=filename [--name=helper]
873           Add a new permanent helper from a prepared helper file with an
874           optional name override.
875
876       --permanent --delete-helper=helper
877           Delete an existing permanent helper.
878
879       --permanent --load-helper-defaults=helper
880           Load helper default settings or report NO_DEFAULTS error.
881
882       --permanent --path-helper=helper
883           Print path of the helper configuration file.
884
885       [--permanent] --get-helpers
886           Print predefined helpers as a space separated list.
887
888       --permanent --helper=helper --set-description=description
889           Set new description to helper
890
891       --permanent --helper=helper --get-description
892           Print description for helper
893
894       --permanent --helper=helper --set-short=description
895           Set short description to helper
896
897       --permanent --helper=helper --get-short
898           Print short description for helper
899
900       --permanent --helper=helper --add-port=portid[-portid]/protocol
901           Add a new port to the permanent helper.
902
903       --permanent --helper=helper --remove-port=portid[-portid]/protocol
904           Remove a port from the permanent helper.
905
906       --permanent --helper=helper --query-port=portid[-portid]/protocol
907           Return whether the port has been added to the permanent helper.
908
909       --permanent --helper=helper --get-ports
910           List ports added to the permanent helper.
911
912       --permanent --helper=helper --set-module=module
913           Set the nf_conntrack module of the permanent helper.
914
915       --permanent --helper=helper --get-module
916           Print the module of the permanent helper.
917
918       --permanent --helper=helper --set-family=family
919           Set the family (ipv4 or ipv6) of the permanent helper.
920
921       --permanent --helper=helper --get-family
922           Print the family of the permanent helper.
923
924   Internet Control Message Protocol (ICMP) type Options
925       Options in this section affect only one particular icmptype.
926
927       [--permanent] --info-icmptype=icmptype
928           Print information about the icmptype icmptype. The output format
929           is:
930
931               icmptype
932                 destination: ipv1 ..
933
934
935
936       The following options are only usable in the permanent configuration.
937
938       --permanent --new-icmptype=icmptype
939           Add a new permanent and empty icmptype.
940
941           ICMP type names must be alphanumeric and may additionally include
942           characters: '_' and '-'.
943
944       --permanent --new-icmptype-from-file=filename [--name=icmptype]
945           Add a new permanent icmptype from a prepared icmptype file with an
946           optional name override.
947
948       --permanent --delete-icmptype=icmptype
949           Delete an existing permanent icmptype.
950
951       --permanent --load-icmptype-defaults=icmptype
952           Load icmptype default settings or report NO_DEFAULTS error.
953
954       --permanent --icmptype=icmptype --set-description=description
955           Set new description to icmptype
956
957       --permanent --icmptype=icmptype --get-description
958           Print description for icmptype
959
960       --permanent --icmptype=icmptype --set-short=description
961           Set short description to icmptype
962
963       --permanent --icmptype=icmptype --get-short
964           Print short description for icmptype
965
966       --permanent --icmptype=icmptype --add-destination=ipv
967           Enable destination for ipv in permanent icmptype. ipv is one of
968           ipv4 or ipv6.
969
970       --permanent --icmptype=icmptype --remove-destination=ipv
971           Disable destination for ipv in permanent icmptype. ipv is one of
972           ipv4 or ipv6.
973
974       --permanent --icmptype=icmptype --query-destination=ipv
975           Return whether destination for ipv is enabled in permanent
976           icmptype. ipv is one of ipv4 or ipv6.
977
978       --permanent --icmptype=icmptype --get-destinations
979           List destinations in permanent icmptype.
980
981       --permanent --path-icmptype=icmptype
982           Print path of the icmptype configuration file.
983
984   Direct Options
985       The direct options give a more direct access to the firewall. These
986       options require user to know basic iptables concepts, i.e.  table
987       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
988       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
989       (ACCEPT/DROP/REJECT/...).
990
991       Direct options should be used only as a last resort when it's not
992       possible to use for example --add-service=service or
993       --add-rich-rule='rule'.
994
995       Warning: Direct rules behavior is different depending on the value of
996       FirewallBackend. See CAVEATS in firewalld.direct(5).
997
998       The first argument of each option has to be ipv4 or ipv6 or eb. With
999       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1000       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1001
1002       [--permanent] --direct --get-all-chains
1003           Get all chains added to all tables. This option concerns only
1004           chains previously added with --direct --add-chain.
1005
1006       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
1007           Get all chains added to table table as a space separated list. This
1008           option concerns only chains previously added with --direct
1009           --add-chain.
1010
1011       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
1012           Add a new chain with name chain to table table. Make sure there's
1013           no other chain with this name already.
1014
1015           There already exist basic chains to use with direct options, for
1016           example INPUT_direct chain (see iptables-save | grep direct output
1017           for all of them). These chains are jumped into before chains for
1018           zones, i.e. every rule put into INPUT_direct will be checked before
1019           rules in zones.
1020
1021       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1022           Remove chain with name chain from table table. Only chains
1023           previously added with --direct --add-chain can be removed this way.
1024
1025       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
1026           Return whether a chain with name chain exists in table table.
1027           Returns 0 if true, 1 otherwise. This option concerns only chains
1028           previously added with --direct --add-chain.
1029
1030       [--permanent] --direct --get-all-rules
1031           Get all rules added to all chains in all tables as a newline
1032           separated list of the priority and arguments. This option concerns
1033           only rules previously added with --direct --add-rule.
1034
1035       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
1036           Get all rules added to chain chain in table table as a newline
1037           separated list of the priority and arguments. This option concerns
1038           only rules previously added with --direct --add-rule.
1039
1040       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
1041       priority args
1042           Add a rule with the arguments args to chain chain in table table
1043           with priority priority.
1044
1045           The priority is used to order rules. Priority 0 means add rule on
1046           top of the chain, with a higher priority the rule will be added
1047           further down. Rules with the same priority are on the same level
1048           and the order of these rules is not fixed and may change. If you
1049           want to make sure that a rule will be added after another one, use
1050           a low priority for the first and a higher for the following.
1051
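       The priority rules above have a practical consequence: two rules that
       share a priority have no guaranteed relative order, so a LOG rule and a
       DROP rule at the same priority may silently stop logging after a
       reload. The following is an added example, not code from firewalld or
       from this man page. It parses the "priority args" listing that
       --direct --get-rules is documented to produce, reproduces the order
       the page guarantees (ascending priority only) and flags priorities
       shared by rules with different targets where one target is terminal.
       The rule listing is constructed sample output for the INPUT_direct
       chain mentioned above, not taken from a real system.

```python
"""Ordering lint for firewall-cmd direct rules.

Added example, not firewalld code. Input is the newline-separated
'priority args' format documented for --direct --get-rules.
"""
import shlex
from collections import defaultdict
from typing import Dict, List, Tuple

TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT"}

Rule = Tuple[int, List[str]]   # (priority, iptables arguments)


def parse_direct_rules(output: str) -> List[Rule]:
    """Parse the 'priority args' lines documented for --direct --get-rules."""
    rules: List[Rule] = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        prio, _, args = line.partition(" ")
        rules.append((int(prio), shlex.split(args)))
    return rules


def guaranteed_order(rules: List[Rule]) -> List[Rule]:
    """Order rules as the chain will see them: by ascending priority.

    The sort is stable, but within one priority the returned order is only
    one of the orders firewalld may actually install.
    """
    return sorted(rules, key=lambda r: r[0])


def target_of(args: List[str]) -> str:
    """Return the -j/--jump target of an iptables argument list, or ''."""
    for flag in ("-j", "--jump"):
        if flag in args:
            i = args.index(flag)
            if i + 1 < len(args):
                return args[i + 1]
    return ""


def ambiguous_priorities(rules: List[Rule]) -> Dict[int, List[str]]:
    """Priorities shared by several rules whose targets differ and include a
    terminal target: the cases where 'the order may change' affects the
    outcome (e.g. LOG before or after DROP)."""
    by_prio: Dict[int, List[str]] = defaultdict(list)
    for prio, args in rules:
        by_prio[prio].append(target_of(args))
    return {
        p: targets for p, targets in by_prio.items()
        if len(targets) > 1 and len(set(targets)) > 1
        and any(t in TERMINAL_TARGETS for t in targets)
    }


# Constructed sample of --direct --get-rules output (priority, then arguments).
SAMPLE_LISTING = """\
0 -s 192.0.2.0/24 -p tcp --dport 22 -j ACCEPT
1 -p tcp --dport 22 -j DROP
1 -p tcp --dport 22 -m limit --limit 5/min -j LOG --log-prefix ssh-drop:
5 -p icmp -j ACCEPT
"""

if __name__ == "__main__":
    rules = parse_direct_rules(SAMPLE_LISTING)
    for prio, args in guaranteed_order(rules):
        print(prio, " ".join(args))
    # Priority 1 mixes DROP and LOG: the LOG rule may never be reached.
    print(ambiguous_priorities(rules))
```

       The fix the page itself suggests is to give the LOG rule a lower
       priority number than the DROP rule so that the order is explicit.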
1052       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1053       priority args
1054           Remove a rule with priority and the arguments args from chain chain
1055           in table table. Only rules previously added with --direct
1056           --add-rule can be removed this way.
1057
1058       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1059           Remove all rules from the chain with name chain in table table. This
1060           option concerns only rules previously added with --direct --add-rule
1061           in this chain.
1062
1063       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1064       priority args
1065           Return whether a rule with priority and the arguments args exists
1066           in chain chain in table table. Returns 0 if true, 1 otherwise. This
1067           option concerns only rules previously added with --direct
1068           --add-rule.
1069
1070       --direct --passthrough { ipv4 | ipv6 | eb } args
1071           Pass a command through to the firewall.  args can be all iptables,
1072           ip6tables and ebtables command line arguments. This command is
1073           untracked, which means that firewalld is not able to provide
1074           information about this command later on, nor a listing of the
1075           untracked passthroughs.
1076
1077       [--permanent] --direct --get-all-passthroughs
1078           Get all passthrough rules as a newline separated list of the ipv
1079           value and arguments.
1080
1081       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1082           Get all passthrough rules for the ipv value as a newline separated
1083           list of the priority and arguments.
1084
1085       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1086           Add a passthrough rule with the arguments args for the ipv value.
1087
1088       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1089           Remove a passthrough rule with the arguments args for the ipv
1090           value.
1091
1092       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1093           Return whether a passthrough rule with the arguments args exists
1094           for the ipv value. Returns 0 if true, 1 otherwise.
1095
1096   Lockdown Options
1097       Local applications or services are able to change the firewall
1098       configuration if they are running as root (example: libvirt) or are
1099       authenticated using PolicyKit. With this feature administrators can
1100       lock the firewall configuration so that only applications on the
1101       lockdown whitelist are able to request firewall changes.
1102
1103       The lockdown access check limits D-Bus methods that are changing
1104       firewall rules. Query, list and get methods are not limited.
1105
1106       The lockdown feature is a very light version of user and application
1107       policies for firewalld and is turned off by default.
1108
1109       --lockdown-on
1110           Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
1111           whitelist when you enable lockdown, you won't be able to disable it
1112           again with firewall-cmd; you would need to edit firewalld.conf.
1113
1114           This is a runtime and permanent change.
1115
1116       --lockdown-off
1117           Disable lockdown.
1118
1119           This is a runtime and permanent change.
1120
1121       --query-lockdown
1122           Query whether lockdown is enabled. Returns 0 if lockdown is
1123           enabled, 1 otherwise.
1124
1125   Lockdown Whitelist Options
1126       The lockdown whitelist can contain commands, contexts, users and user
1127       ids.
1128
1129       If a command entry on the whitelist ends with an asterisk '*', then all
1130       command lines starting with the command will match. Without the '*',
1131       the absolute command including its arguments must match exactly.
1132
1133       The command path for root and for other users is not always the same.
1134       Example: as root /bin/firewall-cmd is used, as a normal user
1135       /usr/bin/firewall-cmd is used on Fedora.
1136
1137       The context is the security (SELinux) context of a running application
1138       or service. To get the context of a running application use ps -e
1139       --context.
1140
1141       Warning: If the context is unconfined, then this will open access for
1142       more than the desired application.
1143
1144       The lockdown whitelist entries are checked in the following order:
1145           1. context
1146           2. uid
1147           3. user
1148           4. command
1149
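       The matching rules above are easy to get wrong when writing a
       whitelist by hand. The following is an added example, not code from
       firewalld or from this man page: it models the documented decision
       (context, then uid, then user, then command; a command entry ending
       in '*' matches every command line that starts with it, any other
       entry must equal the absolute command including arguments) so that a
       candidate whitelist can be checked offline, and it lists context
       entries that are unconfined, the case the Warning above describes.
       The whitelist entries, SELinux contexts and requesting processes
       below are constructed.

```python
"""Offline model of the firewalld lockdown whitelist check.

Added example, not firewalld code. Reproduces the matching order and the
'*' rule documented in firewall-cmd(1); all sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Whitelist:
    contexts: List[str] = field(default_factory=list)
    uids: List[int] = field(default_factory=list)
    users: List[str] = field(default_factory=list)
    commands: List[str] = field(default_factory=list)


@dataclass
class Requester:
    """What firewalld learns about a D-Bus caller asking to change rules."""
    context: str   # SELinux context, as shown by `ps -e --context`
    uid: int
    user: str
    cmdline: str   # absolute command including its arguments


def command_matches(entry: str, cmdline: str) -> bool:
    """Trailing '*' => prefix match on the command line, else exact match."""
    if entry.endswith("*"):
        return cmdline.startswith(entry[:-1])
    return cmdline == entry


def lockdown_allows(wl: Whitelist, req: Requester) -> Optional[str]:
    """Return which check admitted the caller ('context', 'uid', 'user' or
    'command') in the documented order, or None if the change is refused."""
    if req.context in wl.contexts:
        return "context"
    if req.uid in wl.uids:
        return "uid"
    if req.user in wl.users:
        return "user"
    if any(command_matches(c, req.cmdline) for c in wl.commands):
        return "command"
    return None


def unconfined_entries(wl: Whitelist) -> List[str]:
    """Context entries that admit far more than one application."""
    return [c for c in wl.contexts if "unconfined" in c]


# Constructed whitelist: a confined service context, root, firewall-cmd with
# any arguments, and one exact command line (paths are examples only).
WL = Whitelist(
    contexts=["system_u:system_r:NetworkManager_t:s0"],
    uids=[0],
    commands=["/usr/bin/firewall-cmd*",
              "/usr/bin/python3 -Es /usr/bin/firewall-config"],
)

if __name__ == "__main__":
    ctx = "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"
    allowed = Requester(ctx, 1000, "alice", "/usr/bin/firewall-cmd --add-service=http")
    print(lockdown_allows(WL, allowed))   # command (prefix match via '*')
    refused = Requester(ctx, 1000, "alice", "/usr/bin/firewall-config")
    print(lockdown_allows(WL, refused))   # None: the exact entry differs
    print(unconfined_entries(WL))         # []
```

       Two caveats fall out of the model: a trailing '*' is a plain string
       prefix, so "/usr/bin/firewall-cmd*" also admits any other executable
       whose path begins with that string, and the context check runs first,
       so an unconfined context entry admits a caller before uid, user or
       command are ever consulted.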
1150       [--permanent] --list-lockdown-whitelist-commands
1151           List all command lines that are on the whitelist.
1152
1153       [--permanent] --add-lockdown-whitelist-command=command
1154           Add the command to the whitelist.
1155
1156       [--permanent] --remove-lockdown-whitelist-command=command
1157           Remove the command from the whitelist.
1158
1159       [--permanent] --query-lockdown-whitelist-command=command
1160           Query whether the command is on the whitelist. Returns 0 if true, 1
1161           otherwise.
1162
1163       [--permanent] --list-lockdown-whitelist-contexts
1164           List all contexts that are on the whitelist.
1165
1166       [--permanent] --add-lockdown-whitelist-context=context
1167           Add the context context to the whitelist.
1168
1169       [--permanent] --remove-lockdown-whitelist-context=context
1170           Remove the context from the whitelist.
1171
1172       [--permanent] --query-lockdown-whitelist-context=context
1173           Query whether the context is on the whitelist. Returns 0 if true, 1
1174           otherwise.
1175
1176       [--permanent] --list-lockdown-whitelist-uids
1177           List all user ids that are on the whitelist.
1178
1179       [--permanent] --add-lockdown-whitelist-uid=uid
1180           Add the user id uid to the whitelist.
1181
1182       [--permanent] --remove-lockdown-whitelist-uid=uid
1183           Remove the user id uid from the whitelist.
1184
1185       [--permanent] --query-lockdown-whitelist-uid=uid
1186           Query whether the user id uid is on the whitelist. Returns 0 if
1187           true, 1 otherwise.
1188
1189       [--permanent] --list-lockdown-whitelist-users
1190           List all user names that are on the whitelist.
1191
1192       [--permanent] --add-lockdown-whitelist-user=user
1193           Add the user name user to the whitelist.
1194
1195       [--permanent] --remove-lockdown-whitelist-user=user
1196           Remove the user name user from the whitelist.
1197
1198       [--permanent] --query-lockdown-whitelist-user=user
1199           Query whether the user name user is on the whitelist. Returns 0 if
1200           true, 1 otherwise.
1201
1202   Panic Options
1203       --panic-on
1204           Enable panic mode. All incoming and outgoing packets are dropped,
1205           active connections will expire. Enable this only if there are
1206           serious problems with your network environment, for example if the
1207           machine is being broken into.
1208
1209           This is a runtime only change.
1210
1211       --panic-off
1212           Disable panic mode. After disabling panic mode established
1213           connections might work again, if panic mode was enabled for a short
1214           period of time.
1215
1216           This is a runtime only change.
1217
1218       --query-panic
1219           Returns 0 if panic mode is enabled, 1 otherwise.
1220

EXAMPLES

1222       For more examples see http://fedoraproject.org/wiki/FirewallD
1223
1224   Example 1
1225       Enable http service in default zone. This is runtime only change, i.e.
1226       effective until restart.
1227
1228           firewall-cmd --add-service=http
1229
1230
1231
1232   Example 2
1233       Enable port 443/tcp immediately and permanently in default zone. To
1234       make the change effective immediately and also after restart we need
1235       two commands. The first command makes the change in runtime
1236       configuration, i.e. makes it effective immediately, until restart. The
1237       second command makes the change in permanent configuration, i.e. makes
1238       it effective after restart.
1239
1240           firewall-cmd --add-port=443/tcp
1241           firewall-cmd --permanent --add-port=443/tcp
1242
1243
1244

EXIT CODES

1246       On success 0 is returned. On failure the output is colored red and the
1247       exit code is either 2 in case of wrong command-line option usage or one
1248       of the following error codes in other cases:
1249
1250       ┌────────────────────┬──────┐
1252       │String              │ Code │
1252       ├────────────────────┼──────┤
1253       │ALREADY_ENABLED     │   11 │
1254       ├────────────────────┼──────┤
1255       │NOT_ENABLED         │   12 │
1256       ├────────────────────┼──────┤
1257       │COMMAND_FAILED      │   13 │
1258       ├────────────────────┼──────┤
1259       │NO_IPV6_NAT         │   14 │
1260       ├────────────────────┼──────┤
1261       │PANIC_MODE          │   15 │
1262       ├────────────────────┼──────┤
1263       │ZONE_ALREADY_SET    │   16 │
1264       ├────────────────────┼──────┤
1265       │UNKNOWN_INTERFACE   │   17 │
1266       ├────────────────────┼──────┤
1267       │ZONE_CONFLICT       │   18 │
1268       ├────────────────────┼──────┤
1269       │BUILTIN_CHAIN       │   19 │
1270       ├────────────────────┼──────┤
1271       │EBTABLES_NO_REJECT  │   20 │
1272       ├────────────────────┼──────┤
1273       │NOT_OVERLOADABLE    │   21 │
1274       ├────────────────────┼──────┤
1275       │NO_DEFAULTS         │   22 │
1276       ├────────────────────┼──────┤
1277       │BUILTIN_ZONE        │   23 │
1278       ├────────────────────┼──────┤
1279       │BUILTIN_SERVICE     │   24 │
1280       ├────────────────────┼──────┤
1281       │BUILTIN_ICMPTYPE    │   25 │
1282       ├────────────────────┼──────┤
1283       │NAME_CONFLICT       │   26 │
1284       ├────────────────────┼──────┤
1285       │NAME_MISMATCH       │   27 │
1286       ├────────────────────┼──────┤
1287       │PARSE_ERROR         │   28 │
1288       ├────────────────────┼──────┤
1289       │ACCESS_DENIED       │   29 │
1290       ├────────────────────┼──────┤
1291       │UNKNOWN_SOURCE      │   30 │
1292       ├────────────────────┼──────┤
1293       │RT_TO_PERM_FAILED   │   31 │
1294       ├────────────────────┼──────┤
1295       │IPSET_WITH_TIMEOUT  │   32 │
1296       ├────────────────────┼──────┤
1297       │BUILTIN_IPSET       │   33 │
1298       ├────────────────────┼──────┤
1299       │ALREADY_SET         │   34 │
1300       ├────────────────────┼──────┤
1301       │MISSING_IMPORT      │   35 │
1302       ├────────────────────┼──────┤
1303       │DBUS_ERROR          │   36 │
1304       ├────────────────────┼──────┤
1305       │BUILTIN_HELPER      │   37 │
1306       ├────────────────────┼──────┤
1307       │NOT_APPLIED         │   38 │
1308       ├────────────────────┼──────┤
1309       │INVALID_ACTION      │  100 │
1310       ├────────────────────┼──────┤
1311       │INVALID_SERVICE     │  101 │
1312       ├────────────────────┼──────┤
1313       │INVALID_PORT        │  102 │
1314       ├────────────────────┼──────┤
1315       │INVALID_PROTOCOL    │  103 │
1316       ├────────────────────┼──────┤
1317       │INVALID_INTERFACE   │  104 │
1318       ├────────────────────┼──────┤
1319       │INVALID_ADDR        │  105 │
1320       ├────────────────────┼──────┤
1321       │INVALID_FORWARD     │  106 │
1322       ├────────────────────┼──────┤
1323       │INVALID_ICMPTYPE    │  107 │
1324       ├────────────────────┼──────┤
1325       │INVALID_TABLE       │  108 │
1326       ├────────────────────┼──────┤
1327       │INVALID_CHAIN       │  109 │
1328       ├────────────────────┼──────┤
1329       │INVALID_TARGET      │  110 │
1330       ├────────────────────┼──────┤
1331       │INVALID_IPV         │  111 │
1332       ├────────────────────┼──────┤
1333       │INVALID_ZONE        │  112 │
1334       ├────────────────────┼──────┤
1335       │INVALID_PROPERTY    │  113 │
1336       ├────────────────────┼──────┤
1337       │INVALID_VALUE       │  114 │
1338       ├────────────────────┼──────┤
1339       │INVALID_OBJECT      │  115 │
1340       ├────────────────────┼──────┤
1341       │INVALID_NAME        │  116 │
1342       ├────────────────────┼──────┤
1343       │INVALID_FILENAME    │  117 │
1344       ├────────────────────┼──────┤
1345       │INVALID_DIRECTORY   │  118 │
1346       ├────────────────────┼──────┤
1347       │INVALID_TYPE        │  119 │
1348       ├────────────────────┼──────┤
1349       │INVALID_SETTING     │  120 │
1350       ├────────────────────┼──────┤
1351       │INVALID_DESTINATION │  121 │
1352       ├────────────────────┼──────┤
1353       │INVALID_RULE        │  122 │
1354       ├────────────────────┼──────┤
1355       │INVALID_LIMIT       │  123 │
1356       ├────────────────────┼──────┤
1357       │INVALID_FAMILY      │  124 │
1358       ├────────────────────┼──────┤
1359       │INVALID_LOG_LEVEL   │  125 │
1360       ├────────────────────┼──────┤
1361       │INVALID_AUDIT_TYPE  │  126 │
1362       ├────────────────────┼──────┤
1363       │INVALID_MARK        │  127 │
1364       ├────────────────────┼──────┤
1365       │INVALID_CONTEXT     │  128 │
1366       ├────────────────────┼──────┤
1367       │INVALID_COMMAND     │  129 │
1368       ├────────────────────┼──────┤
1369       │INVALID_USER        │  130 │
1370       ├────────────────────┼──────┤
1371       │INVALID_UID         │  131 │
1372       ├────────────────────┼──────┤
1373       │INVALID_MODULE      │  132 │
1374       ├────────────────────┼──────┤
1375       │INVALID_PASSTHROUGH │  133 │
1376       ├────────────────────┼──────┤
1377       │INVALID_MAC         │  134 │
1378       ├────────────────────┼──────┤
1379       │INVALID_IPSET       │  135 │
1380       ├────────────────────┼──────┤
1381       │INVALID_ENTRY       │  136 │
1382       ├────────────────────┼──────┤
1383       │INVALID_OPTION      │  137 │
1384       ├────────────────────┼──────┤
1385       │INVALID_HELPER      │  138 │
1386       ├────────────────────┼──────┤
1387       │INVALID_PRIORITY    │  139 │
1388       ├────────────────────┼──────┤
1389       │MISSING_TABLE       │  200 │
1390       ├────────────────────┼──────┤
1391       │MISSING_CHAIN       │  201 │
1392       ├────────────────────┼──────┤
1393       │MISSING_PORT        │  202 │
1394       ├────────────────────┼──────┤
1395       │MISSING_PROTOCOL    │  203 │
1396       ├────────────────────┼──────┤
1397       │MISSING_ADDR        │  204 │
1398       ├────────────────────┼──────┤
1399       │MISSING_NAME        │  205 │
1400       ├────────────────────┼──────┤
1401       │MISSING_SETTING     │  206 │
1402       ├────────────────────┼──────┤
1403       │MISSING_FAMILY      │  207 │
1404       ├────────────────────┼──────┤
1405       │RUNNING_BUT_FAILED  │  251 │
1406       ├────────────────────┼──────┤
1407       │NOT_RUNNING         │  252 │
1408       ├────────────────────┼──────┤
1409       │NOT_AUTHORIZED      │  253 │
1410       ├────────────────────┼──────┤
1411       │UNKNOWN_ERROR       │  254 │
1412       └────────────────────┴──────┘
1413
1414       Note that return codes of --query-* options are special: Successful
1415       queries return 0, unsuccessful ones return 1 unless an error occurred
1416       in which case the table above applies.
1417
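       Automation that wraps firewall-cmd must read these codes the way the
       note above describes: for --query-* options 1 is an answer ("no"), not
       a failure, 2 is a usage error, and everything else is one of the named
       codes. The following is an added example, not code from firewalld or
       from this man page; the code subset is copied from the table above and
       the (argv, exit code) pairs in the demonstration are constructed, so
       nothing here needs a running firewalld. Codes ALREADY_ENABLED,
       NOT_ENABLED and ZONE_ALREADY_SET are classified separately because they
       mean the requested state already holds, which idempotent scripts
       usually accept.

```python
"""Interpret firewall-cmd exit codes per the EXIT CODES section.

Added example, not firewalld code. The EXIT_CODES subset is taken from the
man page table; the sample invocations at the bottom are constructed.
"""
import subprocess
from typing import List, Optional, Tuple

# Subset of the EXIT CODES table (string -> code).
EXIT_CODES = {
    "ALREADY_ENABLED": 11, "NOT_ENABLED": 12, "COMMAND_FAILED": 13,
    "ZONE_ALREADY_SET": 16, "NO_DEFAULTS": 22, "ACCESS_DENIED": 29,
    "IPSET_WITH_TIMEOUT": 32, "INVALID_SERVICE": 101, "INVALID_PORT": 102,
    "INVALID_ZONE": 112, "INVALID_IPSET": 135, "RUNNING_BUT_FAILED": 251,
    "NOT_RUNNING": 252, "NOT_AUTHORIZED": 253, "UNKNOWN_ERROR": 254,
}
CODE_NAMES = {code: name for name, code in EXIT_CODES.items()}
USAGE_ERROR = 2
# The requested state already holds (or did not hold): not a failure for
# idempotent automation, and treated as success by sequence options.
STATE_ALREADY_HELD = {EXIT_CODES["ALREADY_ENABLED"], EXIT_CODES["NOT_ENABLED"],
                      EXIT_CODES["ZONE_ALREADY_SET"]}


def is_query(argv: List[str]) -> bool:
    """True if the invocation uses a --query-* option (0 = yes, 1 = no)."""
    return any(a.startswith("--query-") for a in argv)


def interpret(argv: List[str], code: int) -> Tuple[str, Optional[str]]:
    """Classify an exit code as one of
    'yes' | 'no' | 'ok' | 'noop' | 'usage' | 'error', with a detail string.

    For --query-* invocations 0 and 1 are answers, not outcomes; for other
    options 0 is success, 2 a command-line usage error, and anything else
    one of the named error codes (UNKNOWN(n) if the table has no entry).
    """
    if is_query(argv):
        if code == 0:
            return "yes", None
        if code == 1:
            return "no", None
    if code == 0:
        return "ok", None
    if code == USAGE_ERROR:
        return "usage", "wrong command-line option usage"
    name = CODE_NAMES.get(code, f"UNKNOWN({code})")
    if code in STATE_ALREADY_HELD:
        return "noop", name
    return "error", name


def run_firewall_cmd(args: List[str]) -> Tuple[str, Optional[str]]:
    """Run firewall-cmd and interpret its exit status (needs firewalld)."""
    argv = ["firewall-cmd"] + args
    proc = subprocess.run(argv, capture_output=True, text=True)
    return interpret(argv, proc.returncode)


if __name__ == "__main__":
    # Constructed (argv, exit code) pairs standing in for real runs.
    for argv, code in [
        (["firewall-cmd", "--query-service=http"], 1),
        (["firewall-cmd", "--add-service=http"], 11),
        (["firewall-cmd", "--add-service=nosuch"], 101),
        (["firewall-cmd", "--state"], 252),
    ]:
        print(" ".join(argv), "->", interpret(argv, code))
```

       A query that hits a real error (for example INVALID_ZONE, 112) is
       therefore reported as an error rather than as "no", which is the
       distinction a script that gates further changes on the answer must
       make.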

SEE ALSO

1419       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1420       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1421       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1422       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1423       firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1424       firewalld.helper(5)
1425

NOTES

1427       firewalld home page:
1428           http://firewalld.org
1429
1430       More documentation with examples:
1431           http://fedoraproject.org/wiki/FirewallD
1432

AUTHORS

1434       Thomas Woerner <twoerner@redhat.com>
1435           Developer
1436
1437       Jiri Popelka <jpopelka@redhat.com>
1438           Developer
1439
1440       Eric Garver <eric@garver.life>
1441           Developer
1442
1443
1444
1445firewalld 0.8.2                                                FIREWALL-CMD(1)