FIREWALL-CMD(1)                      firewall-cmd                      FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configurations.

       The runtime configuration is what firewalld currently has loaded and
       enforces; the permanent configuration is what is stored on disk and
       loaded at daemon start and on --reload. The two are kept separate: a
       change can be made to either one, and a change to one does not affect
       the other unless it is applied to both (see --permanent and
       --runtime-to-permanent).

OPTIONS
       Sequence options are the options that can be specified multiple times.
       For them the exit code is 0 if at least one item succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors
       are treated as success. Problems while parsing individual items are
       treated as warnings and do not change the result as long as one item
       succeeded. Without any succeeded item the exit code depends on the
       error codes: if there is exactly one error code, it is used; if there
       is more than one, UNKNOWN_ERROR (254) is used.

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the
           section called "EXIT CODES". The state is also printed to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration,
           i.e. all runtime-only changes made before the reload are lost
           unless they were also made in the permanent configuration.

           Note: Runtime changes applied via the direct interface are not
           affected and stay in place until the firewalld daemon is
           restarted completely.

       --complete-reload
           Reload the firewall completely, including the netfilter kernel
           modules. This will most likely terminate active connections,
           because connection state information is lost. This option should
           only be used in case of severe firewall problems, for example when
           connection-tracking state is so broken that no connection can be
           established even though the firewall rules are correct.

           Note: Runtime changes applied via the direct interface are not
           affected and stay in place until the firewalld daemon is
           restarted completely.

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The intended workflow is to make runtime
           changes only while configuring firewalld and, once the
           configuration has been tested and works as intended, save it to
           disk with this option.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before the reject and drop rules in the
           INPUT, FORWARD and OUTPUT chains for the default rules, and also
           before the final reject and drop rules in zones, for the
           configured link-layer packet type. The possible values are: all,
           unicast, broadcast, multicast and off. The default setting is off,
           which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Permanent Options
       --permanent
           The --permanent option can be used to set options permanently.
           These changes are not effective immediately, only after a service
           restart/reload or a system reboot. Without the --permanent option,
           a change will only be part of the runtime configuration.

           If you want to make a change in both the runtime and the permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can be optionally added to all options
           further down where it is supported.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line is omitted.

       [--permanent] --get-zones
           Print the predefined zones as a space separated list.

       [--permanent] --get-services
           Print the predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print the predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or "no zone"
           if it is not bound to any.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or "no zone" if
           it is not bound to any.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                         forward-port1
                         ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                         rich-rule1
                         ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                         forward-port1
                         ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                         rich-rule1
                         ..
               ..

       --permanent --new-zone=zone
           Add a new permanent and empty zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file, with an
           optional name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load the zone's default settings, or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

       --permanent --zone=zone --set-description=description
           Set a new description for zone.

       --permanent --zone=zone --get-description
           Print the description of zone.

       --permanent --zone=zone --set-short=description
           Set the short description of zone.

       --permanent --zone=zone --get-short
           Print the short description of zone.

       --permanent [--zone=zone] --get-target
           Get the target of a permanent zone.

       --permanent [--zone=zone] --set-target=target
           Set the target of a permanent zone. target is one of: default,
           ACCEPT, DROP, REJECT.

           default is similar to REJECT, but has special meaning in the
           following scenarios:

            1. ICMP explicitly allowed

               At the end of the zone's ruleset ICMP packets are explicitly
               allowed.

            2. Forwarded packets follow the target of the egress zone

               In the case of forwarded packets, if the ingress zone uses
               default then whether or not the packet is allowed is
               determined by the egress zone.

               For a forwarded packet that ingresses zoneA and egresses zoneB:

               ·   if zoneA's target is ACCEPT, DROP, or REJECT then the
                   packet is accepted, dropped, or rejected respectively.

               ·   if zoneA's target is default, then the packet is accepted,
                   dropped, or rejected based on zoneB's target. If zoneB's
                   target is also default, then the packet is rejected by
                   firewalld's catch-all reject.

            3. Zone drifting from a source-based zone to an interface-based
               zone

               This only applies if AllowZoneDrifting is enabled. See
               firewalld.conf(5).

               If a packet ingresses a source-based zone with a target of
               default, it may still enter an interface-based zone (including
               the default zone).

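           The forwarded-packet rules above are easy to misread when a host
           routes between several zones. The following script is an added
           example (not code from firewalld): forward_verdict implements the
           decision table exactly as stated for --set-target, and
           set_zone_target shows the permanent-only write, reload and read-back
           cycle. Two caveats drawn from the text: only target default keeps
           the explicit ICMP allow at the end of the zone's ruleset, so moving
           a zone to DROP also drops ICMP not otherwise allowed; and ACCEPT
           makes a zone admit anything it does not explicitly block, so it is
           only for a genuinely trusted interface. The zone "dmz", the fw
           wrapper with its FW_DRY_RUN switch and the helper names are this
           example's own.

```shell
#!/bin/sh
# Zone targets: the forwarded-packet decision table from --set-target as a
# pure function, plus a helper to change a zone's target safely.
# Added example; helper names, FW_DRY_RUN and the zone "dmz" are constructed.

# Run firewall-cmd, or only print the command when FW_DRY_RUN=1 so the plan
# can be reviewed before it touches a production host.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
        return 0
    fi
    firewall-cmd "$@"
}

# forward_verdict INGRESS_TARGET EGRESS_TARGET -> accept | drop | reject
# An ingress target of ACCEPT/DROP/REJECT decides on its own; "default" defers
# to the egress zone, and two defaults end in firewalld's catch-all reject.
forward_verdict() {
    case "$1" in
        ACCEPT)  echo accept ;;
        DROP)    echo drop ;;
        REJECT)  echo reject ;;
        default)
            case "$2" in
                ACCEPT)  echo accept ;;
                DROP)    echo drop ;;
                REJECT)  echo reject ;;
                default) echo reject ;;
                *) echo "unknown egress target: $2" >&2; return 2 ;;
            esac ;;
        *) echo "unknown ingress target: $1" >&2; return 2 ;;
    esac
}

# Print the whole 4x4 table; handy when reviewing a multi-zone router.
forward_table() {
    for in_t in default ACCEPT DROP REJECT; do
        for out_t in default ACCEPT DROP REJECT; do
            printf '%-8s -> %-8s %s\n' "$in_t" "$out_t" \
                "$(forward_verdict "$in_t" "$out_t")"
        done
    done
}

# Targets are a permanent-only setting: write it, reload so it takes effect,
# then read back what is on disk.
set_zone_target() {  # set_zone_target ZONE TARGET
    case "$2" in
        default|ACCEPT|DROP|REJECT) ;;
        *) echo "bad target: $2" >&2; return 2 ;;
    esac
    fw --permanent --zone="$1" --set-target="$2" || return
    fw --reload || return
    fw --permanent --zone="$1" --get-target
}

# Usage: sh zone-targets.sh table        # print the decision table
#        FW_DRY_RUN=1 sh zone-targets.sh harden dmz DROP
case "${1:-}" in
    table)  forward_table ;;
    harden) set_zone_target "$2" "$3" ;;
esac
```

           Running it with FW_DRY_RUN=1 prints the firewall-cmd calls instead
           of executing them, which is the form worth keeping in a change
           ticket.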
   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is omitted,
           the default zone is used.

       [--permanent] [--zone=zone] --list-services
           List the services added for zone as a space separated list. If
           zone is omitted, the default zone is used.

       [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
           Add a service for zone. If zone is omitted, the default zone is
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule is active for the specified amount of time and
           is removed automatically afterwards. timeval is either a number
           (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes) or h (hours), for example 20m or 1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.
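
           The runtime/permanent split described under Permanent Options and
           the --timeout option described here combine into a lockout-safe way
           of changing a firewall over the network: make the change in the
           runtime configuration with a timer first, verify that you are still
           connected, and only then write it to disk. The script below is an
           added example, not code from the firewalld project. It assumes a
           placeholder zone "public", service "ssh" and a 10 minute timer; the
           fw wrapper with its FW_DRY_RUN switch, timeval_to_seconds,
           try_runtime and persist are this example's own names.

```shell
#!/bin/sh
# Lockout-safe firewall change: runtime first with a timer, then permanent.
# Added example; helper names, FW_DRY_RUN and the sample zone/service are this
# example's own, not part of firewall-cmd.

# Run firewall-cmd, or only print the command when FW_DRY_RUN=1 so the plan
# can be reviewed before it touches a production host.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
        return 0
    fi
    firewall-cmd "$@"
}

# Convert a --timeout value to seconds: a plain number, or a number followed
# by s, m or h (the forms firewall-cmd accepts). Returns 1 on anything else.
timeval_to_seconds() {
    case "$1" in
        ''|*[!0-9smh]*) return 1 ;;
    esac
    n=${1%[smh]}                       # strip a single trailing unit, if any
    case "$n" in ''|*[!0-9]*) return 1 ;; esac
    case "$1" in
        *m) echo $((n * 60)) ;;
        *h) echo $((n * 3600)) ;;
        *)  echo "$n" ;;               # "30s" and "30" both mean 30 seconds
    esac
}

# Step 1: runtime-only change with a timer. If the new rule cuts you off,
# firewalld removes it by itself when the timer expires. --timeout cannot be
# combined with --permanent, so nothing is written to disk here.
try_runtime() {  # try_runtime ZONE SERVICE TIMEVAL
    secs=$(timeval_to_seconds "$3") || { echo "bad timeval: $3" >&2; return 2; }
    fw --zone="$1" --add-service="$2" --timeout="$3" || return
    echo "runtime rule active for ${secs}s; verify access now" >&2
}

# Step 2: after verifying, write the rule to the permanent configuration and
# reload. Re-adding it at runtime would not clear the timer (firewalld reports
# ALREADY_ENABLED, which firewall-cmd treats as success), so --reload is used:
# the permanent configuration becomes the runtime configuration, which drops
# the timed rule and installs the untimed one. As documented, --reload also
# drops any other runtime-only changes. --check-config validates the on-disk
# result and the final query confirms the rule is live.
persist() {  # persist ZONE SERVICE
    fw --permanent --zone="$1" --add-service="$2" || return
    fw --reload || return
    fw --check-config || return
    fw --zone="$1" --query-service="$2"
}

# Usage:  FW_DRY_RUN=1 sh lockout-safe.sh apply    # print the plan
#         sh lockout-safe.sh apply                 # run it (needs root)
if [ "${1:-}" = apply ]; then
    try_runtime "${ZONE:-public}" "${SERVICE:-ssh}" "${TIMEVAL:-10m}" || exit
    printf 'Still connected? Press Enter to persist, Ctrl-C to let the timer undo it: '
    read -r _ && persist "${ZONE:-public}" "${SERVICE:-ssh}"
fi
```

           The same pattern applies to --add-port, --add-rich-rule and the
           other options that accept --timeout: the timer is the safety net,
           the permanent write is the deliberate second step.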

       [--permanent] [--zone=zone] --remove-service=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, the default zone is used.

       [--permanent] [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is omitted,
           the default zone is used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-ports
           List the ports added for zone as a space separated list. A port is
           of the form portid[-portid]/protocol: either a port and protocol
           pair or a port range with a protocol. If zone is omitted, the
           default zone is used.

       [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the port for zone. If zone is omitted, the default zone is
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule is active for the specified amount of time and
           is removed automatically afterwards. timeval is either a number
           (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes) or h (hours), for example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, the default zone is
           used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, the default zone is used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-protocols
           List the protocols added for zone as a space separated list. If
           zone is omitted, the default zone is used.

       [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
           Add the protocol for zone. If zone is omitted, the default zone is
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule is active for the specified amount of time and
           is removed automatically afterwards. timeval is either a number
           (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes) or h (hours), for example 20m or 1h.

           The protocol can be any protocol supported by the system. See
           /etc/protocols for the supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, the default zone
           is used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, the default zone is used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-source-ports
           List the source ports added for zone as a space separated list. A
           port is of the form portid[-portid]/protocol. If zone is omitted,
           the default zone is used.

       [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the source port for zone. If zone is omitted, the default zone
           is used. This option can be specified multiple times. If a timeout
           is supplied, the rule is active for the specified amount of time
           and is removed automatically afterwards. timeval is either a
           number (of seconds) or a number followed by one of the characters
           s (seconds), m (minutes) or h (hours), for example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, the default
           zone is used. This option can be specified multiple times.

       [--permanent] [--zone=zone]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone is
           omitted, the default zone is used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-icmp-blocks
           List the Internet Control Message Protocol (ICMP) type blocks added
           for zone as a space separated list. If zone is omitted, the
           default zone is used.

       [--permanent] [--zone=zone] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype for zone. If zone is omitted, the
           default zone is used. This option can be specified multiple times.
           If a timeout is supplied, the rule is active for the specified
           amount of time and is removed automatically afterwards. timeval is
           either a number (of seconds) or a number followed by one of the
           characters s (seconds), m (minutes) or h (hours), for example 20m
           or 1h.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of the supported ICMP types: firewall-cmd --get-icmptypes

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           the default zone is used. This option can be specified multiple
           times.

       [--permanent] [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for zone.
           If zone is omitted, the default zone is used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-forward-ports
           List the IPv4 forward ports added for zone as a space separated
           list. If zone is omitted, the default zone is used.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port for zone. If zone is omitted, the default
           zone is used. This option can be specified multiple times. If a
           timeout is supplied, the rule is active for the specified amount
           of time and is removed automatically afterwards. timeval is either
           a number (of seconds) or a number followed by one of the
           characters s (seconds), m (minutes) or h (hours), for example 20m
           or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can be tcp, udp, sctp or dccp. The
           destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified, so the host starts forwarding between its interfaces
           subject to the zone targets.

       [--permanent] [--zone=zone]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port from zone. If zone is omitted, the
           default zone is used. This option can be specified multiple times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added for zone. If
           zone is omitted, the default zone is used. Returns 0 if true, 1
           otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
           Enable IPv4 masquerading for zone. If zone is omitted, the default
           zone is used. If a timeout is supplied, masquerading is active for
           the specified amount of time. timeval is either a number (of
           seconds) or a number followed by one of the characters s
           (seconds), m (minutes) or h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--permanent] [--zone=zone] --remove-masquerade
           Disable IPv4 masquerading for zone. If zone is omitted, the default
           zone is used. If masquerading was enabled with a timeout, it is
           disabled as well.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --query-masquerade
           Return whether IPv4 masquerading has been enabled for zone. If zone
           is omitted, the default zone is used. Returns 0 if true, 1
           otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] --list-rich-rules
           List the rich language rules added for zone as a newline separated
           list. If zone is omitted, the default zone is used.

       [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
           Add the rich language rule 'rule' for zone. This option can be
           specified multiple times. If zone is omitted, the default zone is
           used. If a timeout is supplied, the rule is active for the
           specified amount of time and is removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes) or h (hours), for
           example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-rich-rule='rule'
           Remove the rich language rule 'rule' from zone. This option can be
           specified multiple times. If zone is omitted, the default zone is
           used.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] --query-rich-rule='rule'
           Return whether the rich language rule 'rule' has been added for
           zone. If zone is omitted, the default zone is used. Returns 0 if
           true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).
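
           The forward-port, masquerade and rich-rule options above are
           normally used together to publish an internal host, and the IPv6
           half has to go through the rich language. The script below is an
           added example, not code from the firewalld project. It builds the
           documented --add-forward-port argument from validated pieces,
           writes the IPv6 equivalent as a rich rule (the forward-port element
           with port, protocol, to-port and to-addr, as defined in
           firewalld.richlanguage(5)) and enables masquerading. The zone
           "external", the addresses 10.10.0.10 and 2001:db8::10, the fw
           wrapper with its FW_DRY_RUN switch and the helper names are this
           example's own. Because both toaddr and masquerading implicitly
           enable IP forwarding, review every zone's target with --get-target
           before running this on a host that was not meant to be a router.

```shell
#!/bin/sh
# Publish an internal backend through this host: IPv4 with --add-forward-port
# and --add-masquerade, IPv6 with the equivalent rich rule.
# Added example; the zone "external", the addresses and the helper names are
# constructed for it.

# Run firewall-cmd, or only print the command when FW_DRY_RUN=1.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
        return 0
    fi
    firewall-cmd "$@"
}

# PORT must be portid or portid-portid, PROTO one of tcp, udp, sctp, dccp.
check_port_proto() {
    case "$1" in
        ''|*[!0-9-]*|-*|*-|*-*-*) echo "bad port: $1" >&2; return 2 ;;
    esac
    case "$2" in
        tcp|udp|sctp|dccp) ;;
        *) echo "bad protocol: $2" >&2; return 2 ;;
    esac
}

# Build the documented --add-forward-port argument:
#   port=PORT:proto=PROTO[:toport=PORT][:toaddr=ADDR]
forward_port_spec() {  # forward_port_spec PORT PROTO [TOPORT] [TOADDR]
    check_port_proto "$1" "$2" || return
    [ -n "$3$4" ] || { echo "need toport and/or toaddr" >&2; return 2; }
    spec="port=$1:proto=$2"
    [ -n "$3" ] && spec="$spec:toport=$3"
    [ -n "$4" ] && spec="$spec:toaddr=$4"
    echo "$spec"
}

# IPv6 has no dedicated option; the man page points to the rich language.
rich_forward_v6() {  # rich_forward_v6 PORT PROTO TOPORT TOADDR
    check_port_proto "$1" "$2" || return
    printf 'rule family="ipv6" forward-port port="%s" protocol="%s" to-port="%s" to-addr="%s"\n' \
        "$1" "$2" "$3" "$4"
}

# Runtime changes only; once verified, repeat each call with --permanent.
# toaddr and masquerade both implicitly enable IP forwarding: the host then
# routes between its interfaces, subject to the zone targets.
publish() {  # publish ZONE
    spec=$(forward_port_spec 443 tcp 8443 10.10.0.10) || return
    fw --zone="$1" --add-forward-port="$spec" || return
    rule=$(rich_forward_v6 443 tcp 8443 2001:db8::10) || return
    fw --zone="$1" --add-rich-rule="$rule" || return
    # SNAT for hosts using this box as their gateway; IPv4 only, like the option.
    fw --zone="$1" --add-masquerade || return
    fw --zone="$1" --query-forward-port="$spec"
}

unpublish() {  # unpublish ZONE
    spec=$(forward_port_spec 443 tcp 8443 10.10.0.10) || return
    fw --zone="$1" --remove-forward-port="$spec" || return
    fw --zone="$1" --remove-rich-rule="$(rich_forward_v6 443 tcp 8443 2001:db8::10)" || return
    fw --zone="$1" --remove-masquerade
}

# Usage: FW_DRY_RUN=1 sh publish.sh publish     (or unpublish)
case "${1:-}" in
    publish|unpublish) "$1" "${ZONE:-external}" ;;
esac
```

           The masquerade call is only needed when hosts behind this machine
           use it as their gateway; a pure port forward to a backend whose
           return path already goes through this host does not require it.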

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are
       used to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--permanent] [--zone=zone] --list-interfaces
           List the interfaces that are bound to zone zone as a space
           separated list. If zone is omitted, the default zone is used.

       [--permanent] [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, the
           default zone is used.

           If the interface is under control of NetworkManager, NetworkManager
           is first asked to change the zone of the connection that is using
           the interface. If this fails, the zone binding is created in
           firewalld and the limitations below apply. For interfaces that are
           not under control of NetworkManager, firewalld tries to change the
           ZONE setting in the ifcfg file, if the file exists.

           As an end user you do not need this in most cases, because
           NetworkManager (or the legacy network service) adds interfaces to
           zones automatically (according to the ZONE= option of the
           ifcfg-interface file) unless NM_CONTROLLED=no is set. You should
           do it only if there is no /etc/sysconfig/network-scripts/ifcfg-
           interface file. If there is such a file and you add the interface
           to a zone with this --add-interface option, make sure the zone is
           the same in both places, otherwise the behaviour is undefined.
           Please also have a look at the firewalld(1) man page in the
           Concepts section. For the permanent association of an interface
           with a zone, see also 'How to set or change a zone for a
           connection?' in firewalld.zones(5).

       [--permanent] [--zone=zone] --change-interface=interface
           Change the zone the interface interface is bound to to zone zone.
           It is basically --remove-interface followed by --add-interface. If
           the interface has not been bound to a zone before, it behaves like
           --add-interface. If zone is omitted, the default zone is used.

           If the interface is under control of NetworkManager, NetworkManager
           is first asked to change the zone of the connection that is using
           the interface. If this fails, the zone binding is created in
           firewalld and the limitations below apply. For interfaces that are
           not under control of NetworkManager, firewalld tries to change the
           ZONE setting in the ifcfg file, if the file exists.

       [--permanent] [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--permanent] --remove-interface=interface
           Remove the binding of interface interface from the zone it was
           previously added to.

           If the interface is under control of NetworkManager, NetworkManager
           is first asked to change the zone of the connection that is using
           the interface. If this fails, the binding is handled in firewalld
           itself and the limitations below apply.

           For the addition or change of interfaces that are not under control
           of NetworkManager, firewalld tries to change the ZONE setting in
           the ifcfg file, if an ifcfg file exists that is using the
           interface.

           Only for the removal of interfaces that are not under control of
           NetworkManager, firewalld does not try to change the ZONE setting
           in the ifcfg file. This is needed to make sure that an ifdown of
           the interface does not reset the zone setting to the default zone.
           Only the zone binding is then removed in firewalld.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings are used to
       restrict traffic from this source.

       A source address or address range is either an IP address or a network
       address with a mask, for IPv4 or IPv6, or a MAC address, or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd [--permanent]
       --get-zones.

       [--permanent] [--zone=zone] --list-sources
           List the sources that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone is used.

       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, the default zone
           is used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to to zone zone. It is
           basically --remove-source followed by --add-source. If the source
           has not been bound to a zone before, it behaves like --add-source.
           If zone is omitted, the default zone is used.

       [--permanent] [--zone=zone]
       --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from the zone it was previously
           added to.

   IPSet Options
       --get-ipset-types
           Print the supported ipset types.

       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
       [--option=key[=value]]
           Add a new permanent and empty ipset, specifying the type and
           optionally the family and options such as timeout, hashsize and
           maxelem. For more information please have a look at the ipset(8)
           man page.

           ipset names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file, with an
           optional name override.

       --permanent --delete-ipset=ipset
           Delete an existing permanent ipset.

       --permanent --load-ipset-defaults=ipset
           Load the ipset's default settings, or report a NO_DEFAULTS error.

       [--permanent] --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       [--permanent] --get-ipsets
           Print the predefined ipsets as a space separated list.

       --permanent --ipset=ipset --set-description=description
           Set a new description for ipset.

       --permanent --ipset=ipset --get-description
           Print the description of ipset.

       --permanent --ipset=ipset --set-short=description
           Set the short description of ipset.

       --permanent --ipset=ipset --get-short
           Print the short description of ipset.

       [--permanent] --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

           Adding an entry to an ipset with the timeout option is permitted,
           but such entries are not tracked by firewalld.

       [--permanent] --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       [--permanent] --ipset=ipset --query-entry=entry
           Return whether the entry has been added to the ipset. Returns 0 if
           true, 1 otherwise.

           Querying an ipset with a timeout yields an error, because entries
           are not tracked for ipsets with a timeout.

       [--permanent] --ipset=ipset --get-entries
           List all entries of the ipset.

       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but already in the ipset, a warning is
           printed.

           The file should contain one entry per line. Empty lines and lines
           starting with a hash or a semicolon are ignored.

       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset, taking them from the file.
           For all entries that are listed in the file but not in the ipset,
           a warning is printed.

           The file should contain one entry per line. Empty lines and lines
           starting with a hash or a semicolon are ignored.

       --permanent --path-ipset=ipset
           Print the path of the ipset configuration file.

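           The source-binding options above and the ipset options here meet in
           the most common use of both: a blocklist kept in an ipset and bound
           as a source of the predefined "drop" zone, so traffic from those
           networks is silently dropped before any zone rule is consulted. The
           script below is an added example, not code from the firewalld
           project. entries_from_file applies the documented file rules (one
           entry per line, empty lines and lines starting with '#' or ';'
           ignored), valid_v4_nets rejects malformed lines so a corrupt feed
           does not abort the load, and setup_blocklist creates the set in the
           permanent configuration, loads it, binds it and reloads. The ipset
           name "blocklist", the maxelem value, the sample feed and the helper
           names (including the fw wrapper with its FW_DRY_RUN switch) are this
           example's own. No timeout option is used on the set, since entries
           of such a set cannot be queried, as noted above.

```shell
#!/bin/sh
# Source-based blocklist: an ipset of IPv4 networks bound as a source of the
# "drop" zone, loaded from an entries file.
# Added example; the ipset name "blocklist", the sample feed and the helper
# names are constructed for it.

# Run firewall-cmd, or only print the command when FW_DRY_RUN=1.
fw() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then
        printf 'firewall-cmd %s\n' "$*"
        return 0
    fi
    firewall-cmd "$@"
}

# Usable lines of an entries file, with the rules --add-entries-from-file
# applies: one entry per line, empty lines and lines starting with '#' or ';'
# ignored. Surrounding whitespace and CR line endings are stripped as well.
# An empty result is not an error (grep's exit status 1 is accepted).
entries_from_file() {
    sed -e 's/\r$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -v -e '^$' -e '^#' -e '^;' || [ $? -eq 1 ]
}

# Keep only syntactically valid IPv4 addresses / CIDR networks (for a
# hash:net set of family inet) and report the rest on stderr.
valid_v4_nets() {
    entries_from_file "$1" | awk '
        function ok(e,    parts, n, a, i, pfx) {
            n = split(e, parts, "/")
            if (n > 2) return 0
            pfx = (n == 2) ? parts[2] : ""
            if (pfx != "" && (pfx !~ /^[0-9]+$/ || pfx + 0 > 32)) return 0
            if (split(parts[1], a, ".") != 4) return 0
            for (i = 1; i <= 4; i++)
                if (a[i] !~ /^[0-9]+$/ || a[i] + 0 > 255) return 0
            return 1
        }
        ok($0) { print; next }
        { print "rejected entry: " $0 > "/dev/stderr" }'
}

# Constructed sample feed (not real threat data) showing the file format.
write_sample_feed() {  # write_sample_feed FILE
    cat > "$1" <<'EOF'
# constructed sample feed, not real threat data
; the other comment style firewall-cmd accepts
198.51.100.7
203.0.113.0/24

  192.0.2.0/25
not-an-address
EOF
}

# Create the set in the permanent configuration (the only place --new-ipset
# works), load the cleaned feed, bind it as a source of the "drop" zone and
# reload so that set and binding exist at runtime. Later additions can go
# straight to the runtime set with --ipset=blocklist --add-entry=... .
setup_blocklist() {  # setup_blocklist FEED_FILE
    clean=$(mktemp) || return
    if valid_v4_nets "$1" > "$clean" \
        && fw --permanent --new-ipset=blocklist --type=hash:net --option=maxelem=65536 \
        && fw --permanent --ipset=blocklist --add-entries-from-file="$clean" \
        && fw --permanent --zone=drop --add-source=ipset:blocklist \
        && fw --reload; then
        rm -f "$clean"
        fw --ipset=blocklist --get-entries
    else
        rm -f "$clean"
        return 1
    fi
}

# Usage: FW_DRY_RUN=1 sh blocklist.sh demo
if [ "${1:-}" = demo ]; then
    feed=$(mktemp) && write_sample_feed "$feed" && setup_blocklist "$feed"
    rm -f "$feed"
fi
```

           Note that the bound ipset is consulted by source address only; a
           host that also arrives through an interface bound to another zone
           is still matched by the source binding first, which is exactly the
           ordering that makes a drop-zone blocklist effective.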
   Service Options
       Options in this section affect only one particular service.

       [--permanent] --info-service=service
           Print information about the service service. The output format is:

               service
                 ports: port1 ..
                 protocols: protocol1 ..
                 source-ports: source-port1 ..
                 helpers: helper1 ..
                 destination: ipv1:address1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-service=service
           Add a new permanent and empty service.

           Service names must be alphanumeric and may additionally include
           the characters '_' and '-'.

       --permanent --new-service-from-file=filename [--name=service]
           Add a new permanent service from a prepared service file, with an
           optional name override.

       --permanent --delete-service=service
           Delete an existing permanent service.

       --permanent --load-service-defaults=service
           Load the service's default settings, or report a NO_DEFAULTS
           error.

       --permanent --path-service=service
           Print the path of the service configuration file.

       --permanent --service=service --set-description=description
           Set a new description for service.

       --permanent --service=service --get-description
           Print the description of service.

       --permanent --service=service --set-short=description
           Set the short description of service.

       --permanent --service=service --get-short
           Print the short description of service.

       --permanent --service=service --add-port=portid[-portid]/protocol
           Add a new port to the permanent service.

       --permanent --service=service --remove-port=portid[-portid]/protocol
           Remove a port from the permanent service.

       --permanent --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.

       --permanent --service=service --get-ports
           List the ports added to the permanent service.

       --permanent --service=service --add-protocol=protocol
           Add a new protocol to the permanent service.

       --permanent --service=service --remove-protocol=protocol
           Remove a protocol from the permanent service.

       --permanent --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent
           service.

       --permanent --service=service --get-protocols
           List the protocols added to the permanent service.

       --permanent --service=service
       --add-source-port=portid[-portid]/protocol
           Add a new source port to the permanent service.

       --permanent --service=service
       --remove-source-port=portid[-portid]/protocol
           Remove a source port from the permanent service.

       --permanent --service=service
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.

       --permanent --service=service --get-source-ports
           List the source ports added to the permanent service.

       --permanent --service=service --add-helper=helper
           Add a new helper to the permanent service.

       --permanent --service=service --remove-helper=helper
           Remove a helper from the permanent service.

       --permanent --service=service --query-helper=helper
           Return whether the helper has been added to the permanent service.

       --permanent --service=service --get-service-helpers
           List the helpers added to the permanent service.

       --permanent --service=service --set-destination=ipv:address[/mask]
           Set the destination for ipv to address[/mask] in the permanent
           service.

       --permanent --service=service --remove-destination=ipv
           Remove the destination for ipv from the permanent service.

       --permanent --service=service --query-destination=ipv:address[/mask]
           Return whether the destination ipv to address[/mask] has been set
           in the permanent service.

       --permanent --service=service --get-destinations
           List the destinations added to the permanent service.

       --permanent --service=service --add-include=service
           Add a new include to the permanent service.

       --permanent --service=service --remove-include=service
           Remove an include from the permanent service.

       --permanent --service=service --query-include=service
           Return whether the include has been added to the permanent
           service.

       --permanent --service=service --get-includes
           List the includes added to the permanent service.

   Helper Options
       Options in this section affect only one particular helper.

       [--permanent] --info-helper=helper
           Print information about the helper helper. The output format is:

               helper
                 family: family
                 module: module
                 ports: port1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-helper=helper --module=nf_conntrack_module
       [--family=ipv4|ipv6]
           Add a new permanent helper with module and optionally family
           defined.

           Helper names must be alphanumeric and may additionally include
           the character '-'.

       --permanent --new-helper-from-file=filename [--name=helper]
           Add a new permanent helper from a prepared helper file with an
           optional name override.

       --permanent --delete-helper=helper
           Delete an existing permanent helper.

       --permanent --load-helper-defaults=helper
           Load helper default settings or report NO_DEFAULTS error.

       --permanent --path-helper=helper
           Print path of the helper configuration file.

       [--permanent] --get-helpers
           Print predefined helpers as a space separated list.

       --permanent --helper=helper --set-description=description
           Set the description of the helper.

       --permanent --helper=helper --get-description
           Print the description of the helper.

       --permanent --helper=helper --set-short=description
           Set the short description of the helper.

       --permanent --helper=helper --get-short
           Print the short description of the helper.

       --permanent --helper=helper --add-port=portid[-portid]/protocol
           Add a new port to the permanent helper.

       --permanent --helper=helper --remove-port=portid[-portid]/protocol
           Remove a port from the permanent helper.

       --permanent --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.

       --permanent --helper=helper --get-ports
           List ports added to the permanent helper.

       --permanent --helper=helper --set-module=description
           Set the module (the nf_conntrack module name) of the helper.

       --permanent --helper=helper --get-module
           Print the module of the helper.

       --permanent --helper=helper --set-family=description
           Set the family (ipv4 or ipv6) of the helper.

       --permanent --helper=helper --get-family
           Print the family of the helper.

   Internet Control Message Protocol (ICMP) type Options
       Options in this section affect only one particular icmptype.

       [--permanent] --info-icmptype=icmptype
           Print information about the icmptype icmptype. The output format
           is:

               icmptype
                 destination: ipv1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-icmptype=icmptype
           Add a new permanent and empty icmptype.

           ICMP type names must be alphanumeric and may additionally include
           the characters '_' and '-'.

       --permanent --new-icmptype-from-file=filename [--name=icmptype]
           Add a new permanent icmptype from a prepared icmptype file with an
           optional name override.

       --permanent --delete-icmptype=icmptype
           Delete an existing permanent icmptype.

       --permanent --load-icmptype-defaults=icmptype
           Load icmptype default settings or report NO_DEFAULTS error.

       --permanent --icmptype=icmptype --set-description=description
           Set the description of the icmptype.

       --permanent --icmptype=icmptype --get-description
           Print the description of the icmptype.

       --permanent --icmptype=icmptype --set-short=description
           Set the short description of the icmptype.

       --permanent --icmptype=icmptype --get-short
           Print the short description of the icmptype.

       --permanent --icmptype=icmptype --add-destination=ipv
           Enable destination for ipv in the permanent icmptype. ipv is one
           of ipv4 or ipv6.

       --permanent --icmptype=icmptype --remove-destination=ipv
           Disable destination for ipv in the permanent icmptype. ipv is one
           of ipv4 or ipv6.

       --permanent --icmptype=icmptype --query-destination=ipv
           Return whether destination for ipv is enabled in the permanent
           icmptype. ipv is one of ipv4 or ipv6.

       --permanent --icmptype=icmptype --get-destinations
           List destinations in the permanent icmptype.

       --permanent --path-icmptype=icmptype
           Print path of the icmptype configuration file.

   Direct Options
       The direct options give more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. table
       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).

       Direct options should be used only as a last resort when it is not
       possible to use, for example, --add-service=service or
       --add-rich-rule='rule'.

       Warning: The behaviour of direct rules differs depending on the value
       of FirewallBackend. See CAVEATS in firewalld.direct(5).

       The first argument of each option has to be ipv4, ipv6 or eb. With
       ipv4 the option applies to IPv4 (iptables(8)), with ipv6 to IPv6
       (ip6tables(8)) and with eb to ethernet bridges (ebtables(8)).

       [--permanent] --direct --get-all-chains
           Get all chains added to all tables. This option concerns only
           chains previously added with --direct --add-chain.

       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
           Get all chains added to table table as a space separated list.
           This option concerns only chains previously added with --direct
           --add-chain.

       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
           Add a new chain with name chain to table table. Make sure there is
           no other chain with this name already.

           Basic chains for use with direct options already exist, for
           example the INPUT_direct chain (see the output of iptables-save |
           grep direct for all of them). These chains are jumped into before
           the chains for zones, i.e. every rule put into INPUT_direct will
           be checked before the rules in zones.

       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
           Remove chain with name chain from table table. Only chains
           previously added with --direct --add-chain can be removed this
           way.

       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
           Return whether a chain with name chain exists in table table.
           Returns 0 if true, 1 otherwise. This option concerns only chains
           previously added with --direct --add-chain.

       [--permanent] --direct --get-all-rules
           Get all rules added to all chains in all tables as a newline
           separated list of the priority and arguments. This option concerns
           only rules previously added with --direct --add-rule.

       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
           Get all rules added to chain chain in table table as a newline
           separated list of the priority and arguments. This option concerns
           only rules previously added with --direct --add-rule.

       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Add a rule with the arguments args to chain chain in table table
           with priority priority.

           The priority is used to order rules. Priority 0 means the rule is
           added at the top of the chain; with a higher priority the rule is
           added further down. Rules with the same priority are on the same
           level, and the order of these rules is not fixed and may change.
           If you want to make sure that a rule will be added after another
           one, use a low priority for the first and a higher one for the
           following.

       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Remove a rule with priority and the arguments args from chain
           chain in table table. Only rules previously added with --direct
           --add-rule can be removed this way.

       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules in the chain with name chain in table table. This
           option concerns only rules previously added with --direct
           --add-rule in this chain.

       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Return whether a rule with priority and the arguments args exists
           in chain chain in table table. Returns 0 if true, 1 otherwise.
           This option concerns only rules previously added with --direct
           --add-rule.

       --direct --passthrough { ipv4 | ipv6 | eb } args
           Pass a command through to the firewall. args can be all iptables,
           ip6tables and ebtables command line arguments. This command is
           untracked, which means that firewalld is not able to provide
           information about this command later on, nor a listing of the
           untracked passthroughs.

       [--permanent] --direct --get-all-passthroughs
           Get all passthrough rules as a newline separated list of the ipv
           value and arguments.

       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
           Get all passthrough rules for the ipv value as a newline separated
           list of the priority and arguments.

       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
           Add a passthrough rule with the arguments args for the ipv value.

       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
           Remove a passthrough rule with the arguments args for the ipv
           value.

       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
           Return whether a passthrough rule with the arguments args exists
           for the ipv value. Returns 0 if true, 1 otherwise.

   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.

       The lockdown access check limits D-Bus methods that change firewall
       rules. Query, list and get methods are not limited.

       The lockdown feature is a very light version of user and application
       policies for firewalld and is turned off by default.

       --lockdown-on
           Enable lockdown. Be careful: if firewall-cmd is not on the
           lockdown whitelist when you enable lockdown, you will not be able
           to disable it again with firewall-cmd; you would need to edit
           firewalld.conf.

           This is a runtime and permanent change.

       --lockdown-off
           Disable lockdown.

           This is a runtime and permanent change.

       --query-lockdown
           Query whether lockdown is enabled. Returns 0 if lockdown is
           enabled, 1 otherwise.

   Lockdown Whitelist Options
       The lockdown whitelist can contain commands, contexts, users and user
       ids.

       If a command entry on the whitelist ends with an asterisk '*', then
       all command lines starting with the command will match. If the '*' is
       not there, the absolute command including its arguments must match.

       Command paths for users are not always the same and depend on the
       user's PATH. Some distributions symlink /bin to /usr/bin, in which
       case the path depends on the order in which they appear in the PATH
       environment variable.

       The context is the security (SELinux) context of a running application
       or service. To get the context of a running application use ps -e
       --context.

       Warning: If the context is unconfined, then this will open access for
       more than the desired application.

       The lockdown whitelist entries are checked in the following order:
         1. context
         2. uid
         3. user
         4. command

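       The matching rules and check order above, as an added example that is
       not firewalld's own code: the whitelist entries and the requests are
       constructed sample data, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not firewalld's own code): a model of the lockdown
# whitelist decision described above.  Entries and requests are constructed
# sample data; firewalld keeps the real list in firewalld.lockdown-whitelist(5).

# Constructed sample whitelist, one entry per line for each kind of entry.
WL_CONTEXTS="system_u:system_r:NetworkManager_t:s0
system_u:system_r:virtd_t:s0"
WL_UIDS="0"
WL_USERS="fwadmin"
WL_COMMANDS="/usr/bin/python3 -Es /usr/bin/firewall-config
/usr/bin/firewall-cmd*"

# Does command line $2 match whitelist entry $1?  A trailing '*' makes the
# entry a prefix match; otherwise the absolute command including all of its
# arguments must be identical.
lockdown_cmd_matches() {
    entry=$1; cmdline=$2
    case "$entry" in
        *\*)
            prefix=${entry%\*}
            case "$cmdline" in
                "$prefix"*) return 0 ;;
                *)          return 1 ;;
            esac ;;
        *)
            [ "$entry" = "$cmdline" ] ;;
    esac
}

# True if $1 occurs as a whole line of the newline-separated list $2.
in_list() {
    printf '%s\n' "$2" | grep -qxF -- "$1"
}

# Evaluate a change request in the documented order: context, uid, user,
# command.  Prints the kind of entry that granted access, or "denied", and
# returns 0 only when access is granted.
lockdown_check() {
    ctx=$1; uid=$2; user=$3; cmdline=$4
    if in_list "$ctx" "$WL_CONTEXTS"; then echo context; return 0; fi
    if in_list "$uid" "$WL_UIDS";     then echo uid;     return 0; fi
    if in_list "$user" "$WL_USERS";   then echo user;    return 0; fi
    hit=$(printf '%s\n' "$WL_COMMANDS" | while IFS= read -r entry; do
        if lockdown_cmd_matches "$entry" "$cmdline"; then
            echo command; break
        fi
    done)
    if [ -n "$hit" ]; then echo command; return 0; fi
    echo denied
    return 1
}

# Defender's check for the warning above: print every whitelisted context in
# the list $1 that is unconfined, since such an entry admits far more than
# one application.
lockdown_broad_contexts() {
    printf '%s\n' "$1" | grep -F unconfined || true
}
```
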
       [--permanent] --list-lockdown-whitelist-commands
           List all command lines that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-command=command
           Add the command to the whitelist.

       [--permanent] --remove-lockdown-whitelist-command=command
           Remove the command from the whitelist.

       [--permanent] --query-lockdown-whitelist-command=command
           Query whether the command is on the whitelist. Returns 0 if true,
           1 otherwise.

       [--permanent] --list-lockdown-whitelist-contexts
           List all contexts that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-context=context
           Add the context context to the whitelist.

       [--permanent] --remove-lockdown-whitelist-context=context
           Remove the context from the whitelist.

       [--permanent] --query-lockdown-whitelist-context=context
           Query whether the context is on the whitelist. Returns 0 if true,
           1 otherwise.

       [--permanent] --list-lockdown-whitelist-uids
           List all user ids that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-uid=uid
           Add the user id uid to the whitelist.

       [--permanent] --remove-lockdown-whitelist-uid=uid
           Remove the user id uid from the whitelist.

       [--permanent] --query-lockdown-whitelist-uid=uid
           Query whether the user id uid is on the whitelist. Returns 0 if
           true, 1 otherwise.

       [--permanent] --list-lockdown-whitelist-users
           List all user names that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-user=user
           Add the user name user to the whitelist.

       [--permanent] --remove-lockdown-whitelist-user=user
           Remove the user name user from the whitelist.

       [--permanent] --query-lockdown-whitelist-user=user
           Query whether the user name user is on the whitelist. Returns 0 if
           true, 1 otherwise.

   Panic Options
       --panic-on
           Enable panic mode. All incoming and outgoing packets are dropped
           and active connections will expire. Enable this only if there are
           serious problems with your network environment, for example if
           the machine is being compromised.

           This is a runtime only change.

       --panic-off
           Disable panic mode. After disabling panic mode, established
           connections might work again if panic mode was enabled only for a
           short period of time.

           This is a runtime only change.

       --query-panic
           Returns 0 if panic mode is enabled, 1 otherwise.

EXAMPLES
       For more examples see http://fedoraproject.org/wiki/FirewallD

   Example 1
       Enable the http service in the default zone. This is a runtime only
       change, i.e. effective until restart.

           firewall-cmd --add-service=http

   Example 2
       Enable port 443/tcp immediately and permanently in the default zone.
       To make the change effective immediately and also after restart we
       need two commands. The first command makes the change in the runtime
       configuration, i.e. makes it effective immediately, until restart.
       The second command makes the change in the permanent configuration,
       i.e. makes it effective after restart.

           firewall-cmd --add-port=443/tcp
           firewall-cmd --permanent --add-port=443/tcp

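       The two-command pattern of Example 2 wrapped in a re-runnable shell
       function, as an added example that is not part of this manual page or
       of firewalld: it treats ALREADY_ENABLED (11) as success, the way the
       sequence-option rules do, and reports other failures by their name
       from the EXIT CODES table. The FIREWALL_CMD variable and the function
       names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not firewalld's own code): apply one change to the runtime
# and then to the permanent configuration, as Example 2 does, in a way that
# is safe to run repeatedly.  FIREWALL_CMD is an assumed hook so the logic
# can be exercised with a stub instead of the real client.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Names for the exit codes this wrapper is most likely to meet (a subset of
# the EXIT CODES table); 2 is wrong command-line usage, which has no table
# name, and anything else is reported as RC_<number>.
fw_rc_name() {
    case "$1" in
        0)   echo SUCCESS ;;
        2)   echo WRONG_USAGE ;;
        11)  echo ALREADY_ENABLED ;;
        12)  echo NOT_ENABLED ;;
        29)  echo ACCESS_DENIED ;;
        102) echo INVALID_PORT ;;
        252) echo NOT_RUNNING ;;
        253) echo NOT_AUTHORIZED ;;
        *)   echo "RC_$1" ;;
    esac
}

# Run one firewall-cmd invocation.  Returns 0 for SUCCESS or ALREADY_ENABLED
# (an idempotent re-run); otherwise prints a diagnostic naming the code and
# propagates the original exit code unchanged.
fw_run() {
    rc=0
    "$FIREWALL_CMD" "$@" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0|11) return 0 ;;
    esac
    echo "firewall-cmd $*: $(fw_rc_name "$rc") ($rc)" >&2
    return "$rc"
}

# Open port $1 (e.g. 443/tcp) in the default zone both now and after a
# restart: the runtime change first, then the same change in the permanent
# configuration, exactly as in Example 2.  Stops after the first failure so
# that a permanent rule is never written for a change the running firewall
# rejected.
fw_add_port_both() {
    fw_run --add-port="$1" && fw_run --permanent --add-port="$1"
}
```
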
EXIT CODES
       On success 0 is returned. On failure the output is coloured red and
       the exit code is either 2 in case of wrong command-line option usage
       or one of the following error codes in other cases:

       ┌────────────────────┬──────┐
       │String              │ Code │
       ├────────────────────┼──────┤
       │ALREADY_ENABLED     │ 11   │
       ├────────────────────┼──────┤
       │NOT_ENABLED         │ 12   │
       ├────────────────────┼──────┤
       │COMMAND_FAILED      │ 13   │
       ├────────────────────┼──────┤
       │NO_IPV6_NAT         │ 14   │
       ├────────────────────┼──────┤
       │PANIC_MODE          │ 15   │
       ├────────────────────┼──────┤
       │ZONE_ALREADY_SET    │ 16   │
       ├────────────────────┼──────┤
       │UNKNOWN_INTERFACE   │ 17   │
       ├────────────────────┼──────┤
       │ZONE_CONFLICT       │ 18   │
       ├────────────────────┼──────┤
       │BUILTIN_CHAIN       │ 19   │
       ├────────────────────┼──────┤
       │EBTABLES_NO_REJECT  │ 20   │
       ├────────────────────┼──────┤
       │NOT_OVERLOADABLE    │ 21   │
       ├────────────────────┼──────┤
       │NO_DEFAULTS         │ 22   │
       ├────────────────────┼──────┤
       │BUILTIN_ZONE        │ 23   │
       ├────────────────────┼──────┤
       │BUILTIN_SERVICE     │ 24   │
       ├────────────────────┼──────┤
       │BUILTIN_ICMPTYPE    │ 25   │
       ├────────────────────┼──────┤
       │NAME_CONFLICT       │ 26   │
       ├────────────────────┼──────┤
       │NAME_MISMATCH       │ 27   │
       ├────────────────────┼──────┤
       │PARSE_ERROR         │ 28   │
       ├────────────────────┼──────┤
       │ACCESS_DENIED       │ 29   │
       ├────────────────────┼──────┤
       │UNKNOWN_SOURCE      │ 30   │
       ├────────────────────┼──────┤
       │RT_TO_PERM_FAILED   │ 31   │
       ├────────────────────┼──────┤
       │IPSET_WITH_TIMEOUT  │ 32   │
       ├────────────────────┼──────┤
       │BUILTIN_IPSET       │ 33   │
       ├────────────────────┼──────┤
       │ALREADY_SET         │ 34   │
       ├────────────────────┼──────┤
       │MISSING_IMPORT      │ 35   │
       ├────────────────────┼──────┤
       │DBUS_ERROR          │ 36   │
       ├────────────────────┼──────┤
       │BUILTIN_HELPER      │ 37   │
       ├────────────────────┼──────┤
       │NOT_APPLIED         │ 38   │
       ├────────────────────┼──────┤
       │INVALID_ACTION      │ 100  │
       ├────────────────────┼──────┤
       │INVALID_SERVICE     │ 101  │
       ├────────────────────┼──────┤
       │INVALID_PORT        │ 102  │
       ├────────────────────┼──────┤
       │INVALID_PROTOCOL    │ 103  │
       ├────────────────────┼──────┤
       │INVALID_INTERFACE   │ 104  │
       ├────────────────────┼──────┤
       │INVALID_ADDR        │ 105  │
       ├────────────────────┼──────┤
       │INVALID_FORWARD     │ 106  │
       ├────────────────────┼──────┤
       │INVALID_ICMPTYPE    │ 107  │
       ├────────────────────┼──────┤
       │INVALID_TABLE       │ 108  │
       ├────────────────────┼──────┤
       │INVALID_CHAIN       │ 109  │
       ├────────────────────┼──────┤
       │INVALID_TARGET      │ 110  │
       ├────────────────────┼──────┤
       │INVALID_IPV         │ 111  │
       ├────────────────────┼──────┤
       │INVALID_ZONE        │ 112  │
       ├────────────────────┼──────┤
       │INVALID_PROPERTY    │ 113  │
       ├────────────────────┼──────┤
       │INVALID_VALUE       │ 114  │
       ├────────────────────┼──────┤
       │INVALID_OBJECT      │ 115  │
       ├────────────────────┼──────┤
       │INVALID_NAME        │ 116  │
       ├────────────────────┼──────┤
       │INVALID_FILENAME    │ 117  │
       ├────────────────────┼──────┤
       │INVALID_DIRECTORY   │ 118  │
       ├────────────────────┼──────┤
       │INVALID_TYPE        │ 119  │
       ├────────────────────┼──────┤
       │INVALID_SETTING     │ 120  │
       ├────────────────────┼──────┤
       │INVALID_DESTINATION │ 121  │
       ├────────────────────┼──────┤
       │INVALID_RULE        │ 122  │
       ├────────────────────┼──────┤
       │INVALID_LIMIT       │ 123  │
       ├────────────────────┼──────┤
       │INVALID_FAMILY      │ 124  │
       ├────────────────────┼──────┤
       │INVALID_LOG_LEVEL   │ 125  │
       ├────────────────────┼──────┤
       │INVALID_AUDIT_TYPE  │ 126  │
       ├────────────────────┼──────┤
       │INVALID_MARK        │ 127  │
       ├────────────────────┼──────┤
       │INVALID_CONTEXT     │ 128  │
       ├────────────────────┼──────┤
       │INVALID_COMMAND     │ 129  │
       ├────────────────────┼──────┤
       │INVALID_USER        │ 130  │
       ├────────────────────┼──────┤
       │INVALID_UID         │ 131  │
       ├────────────────────┼──────┤
       │INVALID_MODULE      │ 132  │
       ├────────────────────┼──────┤
       │INVALID_PASSTHROUGH │ 133  │
       ├────────────────────┼──────┤
       │INVALID_MAC         │ 134  │
       ├────────────────────┼──────┤
       │INVALID_IPSET       │ 135  │
       ├────────────────────┼──────┤
       │INVALID_ENTRY       │ 136  │
       ├────────────────────┼──────┤
       │INVALID_OPTION      │ 137  │
       ├────────────────────┼──────┤
       │INVALID_HELPER      │ 138  │
       ├────────────────────┼──────┤
       │INVALID_PRIORITY    │ 139  │
       ├────────────────────┼──────┤
       │MISSING_TABLE       │ 200  │
       ├────────────────────┼──────┤
       │MISSING_CHAIN       │ 201  │
       ├────────────────────┼──────┤
       │MISSING_PORT        │ 202  │
       ├────────────────────┼──────┤
       │MISSING_PROTOCOL    │ 203  │
       ├────────────────────┼──────┤
       │MISSING_ADDR        │ 204  │
       ├────────────────────┼──────┤
       │MISSING_NAME        │ 205  │
       ├────────────────────┼──────┤
       │MISSING_SETTING     │ 206  │
       ├────────────────────┼──────┤
       │MISSING_FAMILY      │ 207  │
       ├────────────────────┼──────┤
       │RUNNING_BUT_FAILED  │ 251  │
       ├────────────────────┼──────┤
       │NOT_RUNNING         │ 252  │
       ├────────────────────┼──────┤
       │NOT_AUTHORIZED      │ 253  │
       ├────────────────────┼──────┤
       │UNKNOWN_ERROR       │ 254  │
       └────────────────────┴──────┘

       Note that the return codes of --query-* options are special:
       successful queries return 0, unsuccessful ones return 1, unless an
       error occurred, in which case the table above applies.

SEE ALSO
       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.ipset(5), firewalld.helper(5)

NOTES
       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS
       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 0.8.6                                              FIREWALL-CMD(1)