FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)

NAME

       firewall-cmd - firewalld command line client

SYNOPSIS

       firewall-cmd [OPTIONS...]

DESCRIPTION

       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configurations.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that things can get changed in the runtime or
       permanent configuration.

OPTIONS

       Sequence options are options that can be specified multiple times; the
       exit code is 0 if at least one item succeeded. The ALREADY_ENABLED
       (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16) errors are treated
       as succeeded. If there are issues while parsing the items, then these
       are treated as warnings and will not change the result as long as there
       is a succeeded one. Without any succeeded item, the exit code will
       depend on the error codes. If there is exactly one error code, then
       this is used. If there are more than one then UNKNOWN_ERROR (254) will
       be used.

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration, i.e.
           all runtime-only changes made before the reload are lost unless
           they were also made in the permanent configuration.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld daemon
           is restarted completely.

       --complete-reload
           Reload the firewall completely, even netfilter kernel modules. This
           will most likely terminate active connections, because state
           information is lost. This option should only be used in case of
           severe firewall problems, for example if there are state
           information problems such that no connection can be established
           even with correct firewall rules.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld daemon
           is restarted completely.

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The way this is supposed to work is that
           when configuring firewalld you do runtime changes only and once
           you're happy with the configuration and you tested that it works
           the way you want, you save the configuration to disk.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Permanent Options
       --permanent
           The permanent option --permanent can be used to set options
           permanently. These changes are not effective immediately, only
           after service restart/reload or system reboot. Without the
           --permanent option, a change will only be part of the runtime
           configuration.

           If you want to make a change in runtime and permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can be optionally added to all options
           further down where it is supported.

   Zone Options
       --get-default-zone
           Print default zone for connections and interfaces.

       --set-default-zone=zone
           Set default zone for connections and interfaces where no zone has
           been selected. Setting the default zone changes the zone for the
           connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.

       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to or no zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to or no zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..

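           The output format above is easy to parse when auditing a host. As an
           added example (not part of this man page or of firewalld itself), the
           Python below reads --list-all-zones text into a dict, lists what each
           zone exposes, and picks out forward-ports that hand traffic to another
           address, the case in which --add-forward-port implicitly enables IP
           forwarding. SAMPLE_OUTPUT is constructed in the documented layout, not
           captured from a real host, and the function names are my own.

```python
"""Parse `firewall-cmd --list-all-zones` output (layout as documented in the
man page) and audit it. Added example; not firewalld code."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the documented layout; not captured from a real host.
SAMPLE_OUTPUT = """\
public
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 8080/tcp 5000-5010/udp
  protocols:
  forward-ports:
        port=80:proto=tcp:toport=8080
        port=443:proto=tcp:toport=8443:toaddr=192.0.2.10
  source-ports:
  icmp-blocks: echo-request
  rich rules:
        rule family="ipv4" source address="198.51.100.0/24" service name="ssh" accept
trusted
  sources: 203.0.113.0/24
  services:
  ports:
  protocols:
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
"""

# A "key: value" attribute line. Keys contain only letters, spaces and '-', so
# forward-port specs (port=..) and rich rules (rule family="..") never match.
_KEY_LINE = re.compile(r"^([a-z][a-z -]*):\s*(.*)$")
# Keys whose values are printed one per line below the key, not space separated.
_MULTILINE_KEYS = {"forward-ports", "rich rules"}

ZoneTable = Dict[str, Dict[str, List[str]]]


def parse_list_all_zones(text: str) -> ZoneTable:
    """Return {zone: {attribute: [values]}}; attributes the output omits are absent."""
    zones: ZoneTable = {}
    zone = key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue                              # blank separator line
        if not raw[0].isspace():                  # zone name starts at column 0
            zone = raw.split()[0]                 # tolerate a trailing "(active)" marker
            zones[zone] = {}
            key = None
            continue
        if zone is None:
            raise ValueError(f"attribute before any zone header: {raw!r}")
        match = _KEY_LINE.match(raw.strip())
        if match:
            key, value = match.group(1), match.group(2)
            if key in _MULTILINE_KEYS:
                zones[zone][key] = [value] if value else []
            else:
                zones[zone][key] = value.split()
        elif key in _MULTILINE_KEYS:
            zones[zone][key].append(raw.strip())  # continuation of forward-ports/rich rules
        else:
            raise ValueError(f"unexpected continuation line in zone {zone}: {raw!r}")
    return zones


def forward_port_fields(spec: str) -> Dict[str, str]:
    """Split port=..:proto=..[:toport=..][:toaddr=..] into a dict. IPv4 only, like
    the option itself; IPv6 forwards live in rich rules and are not handled here."""
    return dict(field.split("=", 1) for field in spec.split(":"))


def forwards_to_other_hosts(zones: ZoneTable) -> List[Tuple[str, str, str]]:
    """(zone, spec, toaddr) for every forward-port with a toaddr, i.e. every rule
    for which --add-forward-port implicitly enabled IP forwarding on this host."""
    found = []
    for name, attrs in zones.items():
        for spec in attrs.get("forward-ports", []):
            fields = forward_port_fields(spec)
            if "toaddr" in fields:
                found.append((name, spec, fields["toaddr"]))
    return found


def entry_points(zones: ZoneTable) -> Dict[str, List[str]]:
    """Per zone, what is reachable through it: services, ports and forwarded
    front ports. A zone with nothing open maps to an empty list."""
    result = {}
    for name, attrs in zones.items():
        opened = [f"service:{s}" for s in attrs.get("services", [])]
        opened += [f"port:{p}" for p in attrs.get("ports", [])]
        for spec in attrs.get("forward-ports", []):
            fields = forward_port_fields(spec)
            opened.append(f"forward:{fields['port']}/{fields['proto']}")
        result[name] = opened
    return result


if __name__ == "__main__":
    table = parse_list_all_zones(SAMPLE_OUTPUT)
    for zone, opened in entry_points(table).items():
        print(zone, opened or "(nothing open)")
    for zone, spec, addr in forwards_to_other_hosts(table):
        print(f"{zone}: {spec} forwards to {addr}; IP forwarding is implicitly on")
```

           On a real host, feed it the text of firewall-cmd --list-all-zones
           instead of SAMPLE_OUTPUT; extra attribute lines such as target: are
           kept as generic space separated values.
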
       --permanent --new-zone=zone
           Add a new permanent and empty zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print path of the zone configuration file.

       --permanent --zone=zone --set-description=description
           Set a new description for zone.

       --permanent --zone=zone --get-description
           Print the description of zone.

       --permanent --zone=zone --set-short=description
           Set a new short description for zone.

       --permanent --zone=zone --get-short
           Print the short description of zone.

       --permanent [--zone=zone] --get-target
           Get the target of a permanent zone.

       --permanent [--zone=zone] --set-target=target
           Set the target of a permanent zone.  target is one of: default,
           ACCEPT, DROP, REJECT

           default is similar to REJECT, but has special meaning in the
           following scenarios:

            1. ICMP explicitly allowed

               At the end of the zone's ruleset ICMP packets are explicitly
               allowed.

            2. forwarded packets follow the target of the egress zone

               In the case of forwarded packets, if the ingress zone uses
               default then whether or not the packet will be allowed is
               determined by the egress zone.

               For a forwarded packet that ingresses zoneA and egresses zoneB:

               ·   if zoneA's target is ACCEPT, DROP, or REJECT then the
                   packet is accepted, dropped, or rejected respectively.

               ·   if zoneA's target is default, then the packet is accepted,
                   dropped, or rejected based on zoneB's target. If zoneB's
                   target is also default, then the packet will be rejected by
                   firewalld's catchall reject.

            3. Zone drifting from source-based zone to interface-based zone

               This only applies if AllowZoneDrifting is enabled. See
               firewalld.conf(5).

               If a packet ingresses a source-based zone with a target of
               default, it may still enter an interface-based zone (including
               the default zone).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --list-all
           List everything added for or enabled in zone. If zone is omitted,
           default zone will be used.

       [--permanent] [--zone=zone] --list-services
           List services added for zone as a space separated list. If zone is
           omitted, default zone will be used.

       [--permanent] [--zone=zone] --add-service=service [--timeout=timeval]
           Add a service for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards.  timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-service=service
           Remove a service from zone. This option can be specified multiple
           times. If zone is omitted, default zone will be used.

       [--permanent] [--zone=zone] --query-service=service
           Return whether service has been added for zone. If zone is omitted,
           default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-ports
           List ports added for zone as a space separated list. A port is of
           the form portid[-portid]/protocol; it can be either a port and
           protocol pair or a port range with a protocol. If zone is omitted,
           default zone will be used.

       [--permanent] [--zone=zone] --add-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the port for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards.  timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-port=portid[-portid]/protocol
           Remove the port from zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-port=portid[-portid]/protocol
           Return whether the port has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-protocols
           List protocols added for zone as a space separated list. If zone is
           omitted, default zone will be used.

       [--permanent] [--zone=zone] --add-protocol=protocol [--timeout=timeval]
           Add the protocol for zone. If zone is omitted, default zone will be
           used. This option can be specified multiple times. If a timeout is
           supplied, the rule will be active for the specified amount of time
           and will be removed automatically afterwards.  timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-protocol=protocol
           Remove the protocol from zone. If zone is omitted, default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone] --query-protocol=protocol
           Return whether the protocol has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-source-ports
           List source ports added for zone as a space separated list. A port
           is of the form portid[-portid]/protocol. If zone is omitted,
           default zone will be used.

       [--permanent] [--zone=zone] --add-source-port=portid[-portid]/protocol
       [--timeout=timeval]
           Add the source port for zone. If zone is omitted, default zone will
           be used. This option can be specified multiple times. If a timeout
           is supplied, the rule will be active for the specified amount of
           time and will be removed automatically afterwards.  timeval is
           either a number (of seconds) or a number followed by one of the
           characters s (seconds), m (minutes), h (hours), for example 20m or
           1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port from zone. If zone is omitted, default zone
           will be used. This option can be specified multiple times.

       [--permanent] [--zone=zone]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added for zone. If zone is
           omitted, default zone will be used. Returns 0 if true, 1 otherwise.

       [--permanent] [--zone=zone] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added for
           zone as a space separated list. If zone is omitted, default zone
           will be used.

       [--permanent] [--zone=zone] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype for zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards.  timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types, use firewall-cmd --get-icmptypes.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype from zone. If zone is omitted,
           default zone will be used. This option can be specified multiple
           times.

       [--permanent] [--zone=zone] --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added for zone.
           If zone is omitted, default zone will be used. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] --list-forward-ports
           List IPv4 forward ports added for zone as a space separated list.
           If zone is omitted, default zone will be used.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port for zone. If zone is omitted, default
           zone will be used. This option can be specified multiple times. If
           a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

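           The forward-port spec, the portid[-portid]/protocol form and the
           timeval rules for --add-service, --add-port and --add-forward-port
           above are easy to get wrong when firewall-cmd is driven from a
           script. As an added example (not firewalld's own code; the function
           names are mine), the Python below assembles the argument vector for
           these options, validates the spec and the timeval, refuses --timeout
           together with --permanent, and flags the toaddr case that implicitly
           enables IP forwarding, all before anything is executed.

```python
"""Build firewall-cmd argument vectors for the zone options documented above,
enforcing the man page's stated constraints up front. Added example; not
firewalld code. Nothing here executes firewall-cmd."""
import ipaddress
import re
from typing import List, Optional

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")   # the protocols --add-port accepts
_TIMEVAL = re.compile(r"^(\d+)([smh]?)$")    # a number, or a number plus s/m/h
_UNIT_SECONDS = {"": 1, "s": 1, "m": 60, "h": 3600}


def timeval_seconds(timeval: str) -> int:
    """Validate a --timeout value such as 45, 20m or 1h and return it in seconds."""
    match = _TIMEVAL.match(timeval)
    if not match:
        raise ValueError(f"bad timeval {timeval!r}: expected a number or e.g. 20m or 1h")
    return int(match.group(1)) * _UNIT_SECONDS[match.group(2)]


def port_range(ports: str) -> str:
    """Check a portid or portid-portid string (1-65535, low <= high) and return it."""
    low, _, high = ports.partition("-")
    lo = int(low)
    hi = int(high) if high else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port or port range {ports!r}")
    return ports


def port_spec(ports: str, protocol: str) -> str:
    """portid[-portid]/protocol as used by --add-port and --add-source-port."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}, not {protocol!r}")
    return f"{port_range(ports)}/{protocol}"


def forward_port_spec(ports: str, protocol: str, toport: Optional[str] = None,
                      toaddr: Optional[str] = None) -> str:
    """port=..:proto=..[:toport=..][:toaddr=..] for --add-forward-port. IPv4 only,
    as the man page sends IPv6 forwards to the rich language."""
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}, not {protocol!r}")
    spec = f"port={port_range(ports)}:proto={protocol}"
    if toport is not None:
        spec += f":toport={port_range(toport)}"
    if toaddr is not None:
        ipaddress.IPv4Network(toaddr, strict=False)   # address[/mask]; ValueError otherwise
        spec += f":toaddr={toaddr}"
    return spec


def forwarding_implied(spec: str) -> bool:
    """True when the spec carries toaddr: adding it switches on IP forwarding
    implicitly, which is worth knowing before the rule goes in."""
    return ":toaddr=" in spec


def zone_command(action: str, value: str, zone: Optional[str] = None,
                 permanent: bool = False, timeout: Optional[str] = None) -> List[str]:
    """argv for: firewall-cmd [--permanent] [--zone=zone] --<action>=<value> [--timeout=..]
    The man page says --timeout is not combinable with --permanent, so refuse that."""
    if permanent and timeout is not None:
        raise ValueError("--timeout is not combinable with --permanent")
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    if zone:
        argv.append(f"--zone={zone}")
    argv.append(f"--{action}={value}")
    if timeout is not None:
        timeval_seconds(timeout)                      # reject malformed values early
        argv.append(f"--timeout={timeout}")
    return argv


def runtime_and_permanent(action: str, value: str, zone: Optional[str] = None) -> List[List[str]]:
    """The man page's recipe for changing both configurations: the same call
    without and then with --permanent."""
    return [zone_command(action, value, zone),
            zone_command(action, value, zone, permanent=True)]


if __name__ == "__main__":
    spec = forward_port_spec("443", "tcp", toport="8443", toaddr="192.0.2.10")
    print(zone_command("add-forward-port", spec, zone="public", timeout="20m"))
    if forwarding_implied(spec):
        print("note: this rule implicitly enables IP forwarding")
    for argv in runtime_and_permanent("add-service", "ssh", "public"):
        print(argv)
```

           The returned lists are ready for subprocess.run; keeping the
           validation separate from execution means a malformed spec never
           reaches the daemon.
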
444       [--permanent] [--zone=zone]
445       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
446           Remove the IPv4 forward port from zone. If zone is omitted, default
447           zone will be used. This option can be specified multiple times.
448
449           For IPv6 forward ports, please use the rich language.
450
451       [--permanent] [--zone=zone]
452       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
453           Return whether the IPv4 forward port has been added for zone. If
454           zone is omitted, default zone will be used. Returns 0 if true, 1
455           otherwise.
456
457           For IPv6 forward ports, please use the rich language.
458
459       [--permanent] [--zone=zone] --add-masquerade [--timeout=timeval]
460           Enable IPv4 masquerade for zone. If zone is omitted, default zone
461           will be used. If a timeout is supplied, masquerading will be active
462           for the specified amount of time.  timeval is either a number (of
463           seconds) or number followed by one of characters s (seconds), m
464           (minutes), h (hours), for example 20m or 1h. Masquerading is useful
465           if the machine is a router and machines connected over an interface
466           in another zone should be able to use the first connection.
467
468           The --timeout option is not combinable with the --permanent option.
469
470           For IPv6 masquerading, please use the rich language.
471
472           Note: IP forwarding will be implicitly enabled.
473
474       [--permanent] [--zone=zone] --remove-masquerade
475           Disable IPv4 masquerade for zone. If zone is omitted, default zone
476           will be used. If the masquerading was enabled with a timeout, it
477           will be disabled also.
478
479           For IPv6 masquerading, please use the rich language.
480
481       [--permanent] [--zone=zone] --query-masquerade
482           Return whether IPv4 masquerading has been enabled for zone. If zone
483           is omitted, default zone will be used. Returns 0 if true, 1
484           otherwise.
485
486           For IPv6 masquerading, please use the rich language.
487
488       [--permanent] [--zone=zone] --list-rich-rules
489           List rich language rules added for zone as a newline separated
490           list. If zone is omitted, default zone will be used.
491
492       [--permanent] [--zone=zone] --add-rich-rule='rule' [--timeout=timeval]
493           Add rich language rule 'rule' for zone. This option can be
494           specified multiple times. If zone is omitted, default zone will be
495           used. If a timeout is supplied, the rule will be active for the
496           specified amount of time and will be removed automatically
497           afterwards.  timeval is either a number (of seconds) or number
498           followed by one of characters s (seconds), m (minutes), h (hours),
499           for example 20m or 1h.
500
501           For the rich language rule syntax, please have a look at
502           firewalld.richlanguage(5).
503
504           The --timeout option is not combinable with the --permanent option.
505
506       [--permanent] [--zone=zone] --remove-rich-rule='rule'
507           Remove rich language rule 'rule' from zone. This option can be
508           specified multiple times. If zone is omitted, default zone will be
509           used.
510
511           For the rich language rule syntax, please have a look at
512           firewalld.richlanguage(5).
513
514       [--permanent] [--zone=zone] --query-rich-rule='rule'
515           Return whether a rich language rule 'rule' has been added for zone.
516           If zone is omitted, default zone will be used. Returns 0 if true, 1
517           otherwise.
518
519           For the rich language rule syntax, please have a look at
520           firewalld.richlanguage(5).
521
522   Options to Handle Bindings of Interfaces
523       Binding an interface to a zone means that this zone settings are used
524       to restrict traffic via the interface.
525
526       Options in this section affect only one particular zone. If used with
527       --zone=zone option, they affect the zone zone. If the option is
528       omitted, they affect default zone (see --get-default-zone).
529
530       For a list of predefined zones use firewall-cmd --get-zones.
531
532       An interface name is a string up to 16 characters long, that may not
533       contain ' ', '/', '!' and '*'.
534
535       [--permanent] [--zone=zone] --list-interfaces
536           List interfaces that are bound to zone zone as a space separated
537           list. If zone is omitted, default zone will be used.
538
539       [--permanent] [--zone=zone] --add-interface=interface
540           Bind interface interface to zone zone. If zone is omitted, default
541           zone will be used.
542
543           If the interface is under control of NetworkManager, it is at first
544           connected to change the zone for the connection that is using the
545           interface. If this fails, the zone binding is created in firewalld
546           and the limitations below apply. For interfaces that are not under
547           control of NetworkManager, firewalld tries to change the ZONE
548           setting in the ifcfg file, if the file exists.
549
550           As a end user you don't need this in most cases, because
551           NetworkManager (or legacy network service) adds interfaces into
552           zones automatically (according to ZONE= option from ifcfg-interface
553           file) if NM_CONTROLLED=no is not set. You should do it only if
554           there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
555           there is such file and you add interface to zone with this
556           --add-interface option, make sure the zone is the same in both
557           cases, otherwise the behaviour would be undefined. Please also have
558           a look at the firewalld(1) man page in the Concepts section. For
559           permanent association of interface with a zone, see also 'How to
560           set or change a zone for a connection?' in firewalld.zones(5).
561
562       [--permanent] [--zone=zone] --change-interface=interface
563           If the interface is under control of NetworkManager, it is at first
564           connected to change the zone for the connection that is using the
565           interface. If this fails, the zone binding is created in firewalld
566           and the limitations below apply. For interfaces that are not under
567           control of NetworkManager, firewalld tries to change the ZONE
568           setting in the ifcfg file, if the file exists.
569
570           Change zone the interface interface is bound to to zone zone. It's
571           basically --remove-interface followed by --add-interface. If the
572           interface has not been bound to a zone before, it behaves like
573           --add-interface. If zone is omitted, default zone will be used.
574
575       [--permanent] [--zone=zone] --query-interface=interface
576           Query whether interface interface is bound to zone zone. Returns 0
577           if true, 1 otherwise.
578
579       [--permanent] --remove-interface=interface
580           If the interface is under control of NetworkManager, it is at first
581           connected to change the zone for the connection that is using the
582           interface. If this fails, the zone binding is created in firewalld
583           and the limitations below apply.
584
585           For the addion or change of interfaces that are not under control
586           of NetworkManager: firewalld tries to change the ZONE setting in
587           the ifcfg file, if an ifcfg file exists that is using the
588           interface.
589
590           Only for the removal of interfaces that are not under control of
591           NetworkManager: firewalld is not trying to change the ZONE setting
592           in the ifcfg file. This is needed to make sure that an ifdown of
593           the interface will not result in a reset of the zone setting to the
594           default zone. Only the zone binding is then removed in firewalld
595           then.
596
597           Remove binding of interface interface from zone it was previously
598           added to.
599
600   Options to Handle Bindings of Sources
601       Binding a source to a zone means that this zone settings will be used
602       to restrict traffic from this source.
603
604       A source address or address range is either an IP address or a network
605       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
606       with the ipset: prefix. For IPv4, the mask can be a network mask or a
607       plain number. For IPv6 the mask is a plain number. The use of host
608       names is not supported.
609
610       Options in this section affect only one particular zone. If used with
611       --zone=zone option, they affect the zone zone. If the option is
612       omitted, they affect default zone (see --get-default-zone).
613
614       For a list of predefined zones use firewall-cmd [--permanent]
615       --get-zones.
616
617       [--permanent] [--zone=zone] --list-sources
618           List sources that are bound to zone zone as a space separated list.
619           If zone is omitted, default zone will be used.
620
621       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
622           Bind the source to zone zone. If zone is omitted, default zone will
623           be used.
624
625       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
626           Change zone the source is bound to to zone zone. It's basically
627           --remove-source followed by --add-source. If the source has not
628           been bound to a zone before, it behaves like --add-source. If zone
629           is omitted, default zone will be used.
630
631       [--permanent] [--zone=zone]
632       --query-source=source[/mask]|MAC|ipset:ipset
633           Query whether the source is bound to the zone zone. Returns 0 if
634           true, 1 otherwise.
635
636       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
637           Remove binding of the source from zone it was previously added to.
638
639   IPSet Options
640       --get-ipset-types
641           Print the supported ipset types.
642
643       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
644       [--option=key[=value]]
645           Add a new permanent and empty ipset with specifying the type and
646           optional the family and options like timeout, hashsize and maxelem.
647           For more information please have a look at ipset(8) man page.
648
649           ipset names must be alphanumeric and may additionally include
650           characters: '_' and '-'.
651
652       --permanent --new-ipset-from-file=filename [--name=ipset]
653           Add a new permanent ipset from a prepared ipset file with an
654           optional name override.
655
656       --permanent --delete-ipset=ipset
657           Delete an existing permanent ipset.
658
659       --permanent --load-ipset-defaults=ipset
660           Load ipset default settings or report NO_DEFAULTS error.
661
662       [--permanent] --info-ipset=ipset
663           Print information about the ipset ipset. The output format is:
664
665               ipset
666                 type: type
667                 options: option1[=value1] ..
668                 entries: entry1 ..
669
670
671
672       [--permanent] --get-ipsets
673           Print predefined ipsets as a space separated list.
674
675       --permanent --ipset=ipset --set-description=description
676           Set new description to ipset
677
678       --permanent --ipset=ipset --get-description
679           Print description for ipset
680
681       --permanent --ipset=ipset --set-short=description
682           Set short description to ipset
683
684       --permanent --ipset=ipset --get-short
685           Print short description for ipset
686
687       [--permanent] --ipset=ipset --add-entry=entry
688           Add a new entry to the ipset.
689
690           Adding an entry to an ipset with option timeout is permitted, but
691           these entries are not tracked by firewalld.
692
693       [--permanent] --ipset=ipset --remove-entry=entry
694           Remove an entry from the ipset.
695
696       [--permanent] --ipset=ipset --query-entry=entry
697           Return whether the entry has been added to an ipset. Returns 0 if
698           true, 1 otherwise.
699
700           Querying an ipset with a timeout will yield an error. Entries are
701           not tracked for ipsets with a timeout.
702
703       [--permanent] --ipset=ipset --get-entries
704           List all entries of the ipset.
705
706       [--permanent] --ipset=ipset --add-entries-from-file=filename
707           Add new entries to the ipset from the file. For all entries that
708           are listed in the file but are already in the ipset, a warning
709           will be printed.
710
711           The file should contain one entry per line. Lines starting with a
712           hash or semicolon are ignored, as are empty lines.
713
714       [--permanent] --ipset=ipset --remove-entries-from-file=filename
715           Remove the entries listed in the file from the ipset. For all
716           entries that are listed in the file but not in the ipset, a warning
717           will be printed.
718
719           The file should contain one entry per line. Lines starting with a
720           hash or semicolon are ignored, as are empty lines.
721
722       --permanent --path-ipset=ipset
723           Print path of the ipset configuration file.
724
725   Service Options
726       Options in this section affect only one particular service.
727
728       [--permanent] --info-service=service
729           Print information about the service service. The output format is:
730
731               service
732                 ports: port1 ..
733                 protocols: protocol1 ..
734                 source-ports: source-port1 ..
735                 helpers: helper1 ..
736                 destination: ipv1:address1 ..
737
738
739
740       The following options are only usable in the permanent configuration.
741
742       --permanent --new-service=service
743           Add a new permanent and empty service.
744
745           Service names must be alphanumeric and may additionally include
746           characters: '_' and '-'.
747
748       --permanent --new-service-from-file=filename [--name=service]
749           Add a new permanent service from a prepared service file with an
750           optional name override.
751
752       --permanent --delete-service=service
753           Delete an existing permanent service.
754
755       --permanent --load-service-defaults=service
756           Load service default settings or report NO_DEFAULTS error.
757
758       --permanent --path-service=service
759           Print path of the service configuration file.
760
761       --permanent --service=service --set-description=description
762           Set new description to service
763
764       --permanent --service=service --get-description
765           Print description for service
766
767       --permanent --service=service --set-short=description
768           Set short description to service
769
770       --permanent --service=service --get-short
771           Print short description for service
772
773       --permanent --service=service --add-port=portid[-portid]/protocol
774           Add a new port to the permanent service.
775
776       --permanent --service=service --remove-port=portid[-portid]/protocol
777           Remove a port from the permanent service.
778
779       --permanent --service=service --query-port=portid[-portid]/protocol
780           Return whether the port has been added to the permanent service.
781
782       --permanent --service=service --get-ports
783           List ports added to the permanent service.
784
785       --permanent --service=service --add-protocol=protocol
786           Add a new protocol to the permanent service.
787
788       --permanent --service=service --remove-protocol=protocol
789           Remove a protocol from the permanent service.
790
791       --permanent --service=service --query-protocol=protocol
792           Return whether the protocol has been added to the permanent service.
793
794       --permanent --service=service --get-protocols
795           List protocols added to the permanent service.
796
797       --permanent --service=service
798       --add-source-port=portid[-portid]/protocol
799           Add a new source port to the permanent service.
800
801       --permanent --service=service
802       --remove-source-port=portid[-portid]/protocol
803           Remove a source port from the permanent service.
804
805       --permanent --service=service
806       --query-source-port=portid[-portid]/protocol
807           Return whether the source port has been added to the permanent
808           service.
809
810       --permanent --service=service --get-source-ports
811           List source ports added to the permanent service.
812
813       --permanent --service=service --add-helper=helper
814           Add a new helper to the permanent service.
815
816       --permanent --service=service --remove-helper=helper
817           Remove a helper from the permanent service.
818
819       --permanent --service=service --query-helper=helper
820           Return whether the helper has been added to the permanent service.
821
822       --permanent --service=service --get-service-helpers
823           List helpers added to the permanent service.
824
825       --permanent --service=service --set-destination=ipv:address[/mask]
826           Set destination for ipv to address[/mask] in the permanent service.
827
828       --permanent --service=service --remove-destination=ipv
829           Remove the destination for ipv from the permanent service.
830
831       --permanent --service=service --query-destination=ipv:address[/mask]
832           Return whether the destination ipv to address[/mask] has been set
833           in the permanent service.
834
835       --permanent --service=service --get-destinations
836           List destinations added to the permanent service.
837
838       --permanent --service=service --add-include=service
839           Add a new include to the permanent service.
840
841       --permanent --service=service --remove-include=service
842           Remove an include from the permanent service.
843
844       --permanent --service=service --query-include=service
845           Return whether the include has been added to the permanent service.
846
847       --permanent --service=service --get-includes
848           List includes added to the permanent service.
849
850   Helper Options
851       Options in this section affect only one particular helper.
852
853       [--permanent] --info-helper=helper
854           Print information about the helper helper. The output format is:
855
856               helper
857                 family: family
858                 module: module
859                 ports: port1 ..
860
861
862
863       The following options are only usable in the permanent configuration.
864
865       --permanent --new-helper=helper --module=nf_conntrack_module
866       [--family=ipv4|ipv6]
867           Add a new permanent helper with module and optionally family
868           defined.
869
870           Helper names must be alphanumeric and may additionally include
871           characters: '-'.
872
873       --permanent --new-helper-from-file=filename [--name=helper]
874           Add a new permanent helper from a prepared helper file with an
875           optional name override.
876
877       --permanent --delete-helper=helper
878           Delete an existing permanent helper.
879
880       --permanent --load-helper-defaults=helper
881           Load helper default settings or report NO_DEFAULTS error.
882
883       --permanent --path-helper=helper
884           Print path of the helper configuration file.
885
886       [--permanent] --get-helpers
887           Print predefined helpers as a space separated list.
888
889       --permanent --helper=helper --set-description=description
890           Set new description to helper
891
892       --permanent --helper=helper --get-description
893           Print description for helper
894
895       --permanent --helper=helper --set-short=description
896           Set short description to helper
897
898       --permanent --helper=helper --get-short
899           Print short description for helper
900
901       --permanent --helper=helper --add-port=portid[-portid]/protocol
902           Add a new port to the permanent helper.
903
904       --permanent --helper=helper --remove-port=portid[-portid]/protocol
905           Remove a port from the permanent helper.
906
907       --permanent --helper=helper --query-port=portid[-portid]/protocol
908           Return whether the port has been added to the permanent helper.
909
910       --permanent --helper=helper --get-ports
911           List ports added to the permanent helper.
912
913       --permanent --helper=helper --set-module=module
914           Set the nf_conntrack module used by the helper.
915
916       --permanent --helper=helper --get-module
917           Print the module of the helper.
918
919       --permanent --helper=helper --set-family=family
920           Set the family of the helper. family is one of ipv4 or ipv6.
921
922       --permanent --helper=helper --get-family
923           Print the family of the helper.
924
925   Internet Control Message Protocol (ICMP) type Options
926       Options in this section affect only one particular icmptype.
927
928       [--permanent] --info-icmptype=icmptype
929           Print information about the icmptype icmptype. The output format
930           is:
931
932               icmptype
933                 destination: ipv1 ..
934
935
936
937       The following options are only usable in the permanent configuration.
938
939       --permanent --new-icmptype=icmptype
940           Add a new permanent and empty icmptype.
941
942           ICMP type names must be alphanumeric and may additionally include
943           characters: '_' and '-'.
944
945       --permanent --new-icmptype-from-file=filename [--name=icmptype]
946           Add a new permanent icmptype from a prepared icmptype file with an
947           optional name override.
948
949       --permanent --delete-icmptype=icmptype
950           Delete an existing permanent icmptype.
951
952       --permanent --load-icmptype-defaults=icmptype
953           Load icmptype default settings or report NO_DEFAULTS error.
954
955       --permanent --icmptype=icmptype --set-description=description
956           Set new description to icmptype
957
958       --permanent --icmptype=icmptype --get-description
959           Print description for icmptype
960
961       --permanent --icmptype=icmptype --set-short=description
962           Set short description to icmptype
963
964       --permanent --icmptype=icmptype --get-short
965           Print short description for icmptype
966
967       --permanent --icmptype=icmptype --add-destination=ipv
968           Enable destination for ipv in permanent icmptype. ipv is one of
969           ipv4 or ipv6.
970
971       --permanent --icmptype=icmptype --remove-destination=ipv
972           Disable destination for ipv in permanent icmptype. ipv is one of
973           ipv4 or ipv6.
974
975       --permanent --icmptype=icmptype --query-destination=ipv
976           Return whether destination for ipv is enabled in permanent
977           icmptype. ipv is one of ipv4 or ipv6.
978
979       --permanent --icmptype=icmptype --get-destinations
980           List destinations in permanent icmptype.
981
982       --permanent --path-icmptype=icmptype
983           Print path of the icmptype configuration file.
984
985   Direct Options
986       The direct options give more direct access to the firewall. These
987       options require the user to know basic iptables concepts, i.e. table
988       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
989       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
990       (ACCEPT/DROP/REJECT/...).
991
992       Direct options should be used only as a last resort when it's not
993       possible to use for example --add-service=service or
994       --add-rich-rule='rule'.
995
996       Warning: The behavior of direct rules differs depending on the value
997       of FirewallBackend. See CAVEATS in firewalld.direct(5).
998
999       The first argument of each option has to be ipv4 or ipv6 or eb. With
1000       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1001       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1002
1003       [--permanent] --direct --get-all-chains
1004           Get all chains added to all tables. This option concerns only
1005           chains previously added with --direct --add-chain.
1006
1007       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
1008           Get all chains added to table table as a space separated list. This
1009           option concerns only chains previously added with --direct
1010           --add-chain.
1011
1012       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
1013           Add a new chain with name chain to table table. Make sure there's
1014           no other chain with this name already.
1015
1016           There already exist basic chains to use with direct options, for
1017           example INPUT_direct chain (see iptables-save | grep direct output
1018           for all of them). These chains are jumped into before chains for
1019           zones, i.e. every rule put into INPUT_direct will be checked before
1020           rules in zones.
1021
1022       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1023           Remove chain with name chain from table table. Only chains
1024           previously added with --direct --add-chain can be removed this way.
1025
1026       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
1027           Return whether a chain with name chain exists in table table.
1028           Returns 0 if true, 1 otherwise. This option concerns only chains
1029           previously added with --direct --add-chain.
1030
1031       [--permanent] --direct --get-all-rules
1032           Get all rules added to all chains in all tables as a newline
1033           separated list of the priority and arguments. This option concerns
1034           only rules previously added with --direct --add-rule.
1035
1036       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
1037           Get all rules added to chain chain in table table as a newline
1038           separated list of the priority and arguments. This option concerns
1039           only rules previously added with --direct --add-rule.
1040
1041       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
1042       priority args
1043           Add a rule with the arguments args to chain chain in table table
1044           with priority priority.
1045
1046           The priority is used to order rules. Priority 0 means add rule on
1047           top of the chain, with a higher priority the rule will be added
1048           further down. Rules with the same priority are on the same level
1049           and the order of these rules is not fixed and may change. If you
1050           want to make sure that a rule will be added after another one, use
1051           a low priority for the first and a higher for the following.
1052
1053       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1054       priority args
1055           Remove a rule with priority and the arguments args from chain chain
1056           in table table. Only rules previously added with --direct
1057           --add-rule can be removed this way.
1058
1059       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1060           Remove all rules in the chain with name chain in table table. This
1061           option concerns only rules previously added with --direct
1062           --add-rule in this chain.
1063
1064       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1065       priority args
1066           Return whether a rule with priority and the arguments args exists
1067           in chain chain in table table. Returns 0 if true, 1 otherwise. This
1068           option concerns only rules previously added with --direct
1069           --add-rule.
1070
1071       --direct --passthrough { ipv4 | ipv6 | eb } args
1072           Pass a command through to the firewall. args can be all iptables,
1073           ip6tables and ebtables command line arguments. This command is
1074           untracked, which means that firewalld is not able to provide
1075           information about this command later on, nor a listing of the
1076           untracked passthroughs.
1077
1078       [--permanent] --direct --get-all-passthroughs
1079           Get all passthrough rules as a newline separated list of the ipv
1080           value and arguments.
1081
1082       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1083           Get all passthrough rules for the ipv value as a newline separated
1084           list of the priority and arguments.
1085
1086       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1087           Add a passthrough rule with the arguments args for the ipv value.
1088
1089       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1090           Remove a passthrough rule with the arguments args for the ipv
1091           value.
1092
1093       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1094           Return whether a passthrough rule with the arguments args exists
1095           for the ipv value. Returns 0 if true, 1 otherwise.
1096
1097   Lockdown Options
1098       Local applications or services are able to change the firewall
1099       configuration if they are running as root (example: libvirt) or are
1100       authenticated using PolicyKit. With this feature administrators can
1101       lock the firewall configuration so that only applications on the
1102       lockdown whitelist are able to request firewall changes.
1103
1104       The lockdown access check limits D-Bus methods that are changing
1105       firewall rules. Query, list and get methods are not limited.
1106
1107       The lockdown feature is a very light version of user and application
1108       policies for firewalld and is turned off by default.
1109
1110       --lockdown-on
1111           Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
1112           whitelist when you enable lockdown, you won't be able to disable it
1113           again with firewall-cmd; you would need to edit firewalld.conf.
1114
1115           This is a runtime and permanent change.
1116
1117       --lockdown-off
1118           Disable lockdown.
1119
1120           This is a runtime and permanent change.
1121
1122       --query-lockdown
1123           Query whether lockdown is enabled. Returns 0 if lockdown is
1124           enabled, 1 otherwise.
1125
1126   Lockdown Whitelist Options
1127       The lockdown whitelist can contain commands, contexts, users and user
1128       ids.
1129
1130       If a command entry on the whitelist ends with an asterisk '*', then all
1131       command lines starting with the command will match. If there is no
1132       '*', the absolute command including its arguments must match.
1133
1134       Command paths for users are not always the same and depend on the
1135       user's PATH. Some distributions symlink /bin to /usr/bin, in which
1136       case it depends on their order in the PATH environment variable.
1137
1138       The context is the security (SELinux) context of a running application
1139       or service. To get the context of a running application use ps -e
1140       --context.
1141
1142       Warning: If the context is unconfined, then this will open access for
1143       more than the desired application.
1144
1145       The lockdown whitelist entries are checked in the following order:
1146           1. context
1147           2. uid
1148           3. user
1149           4. command
1150
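       The whitelist matching described above (entry kinds checked in the
       order context, uid, user, command; '*' suffix as prefix match; exact
       command line otherwise), with the unconfined-context warning turned
       into a lint, as an added Python model. This is example code, not
       firewalld's implementation; the Caller/LockdownWhitelist names and the
       sample whitelist are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# EXIT CODES table of this man page: the error a refused caller receives
ACCESS_DENIED = 29


@dataclass
class Caller:
    """What is known about a client asking for a firewall change
    (constructed model; attribute names are this example's)."""
    context: str   # SELinux context, as `ps -e --context` shows it
    uid: int
    user: str
    command: str   # absolute command line including arguments


@dataclass
class LockdownWhitelist:
    contexts: set[str] = field(default_factory=set)
    uids: set[int] = field(default_factory=set)
    users: set[str] = field(default_factory=set)
    commands: set[str] = field(default_factory=set)

    def match_command(self, cmdline: str) -> Optional[str]:
        """An entry ending in '*' matches every command line starting with
        the text before the '*'; otherwise the whole command line, arguments
        included, must be identical."""
        for entry in sorted(self.commands):
            if entry.endswith("*"):
                if cmdline.startswith(entry[:-1]):
                    return entry
            elif cmdline == entry:
                return entry
        return None

    def check(self, caller: Caller) -> Optional[str]:
        """Return 'kind:entry' of the first match in the documented order
        context, uid, user, command; None means the request is refused
        (ACCESS_DENIED)."""
        if caller.context in self.contexts:
            return f"context:{caller.context}"
        if caller.uid in self.uids:
            return f"uid:{caller.uid}"
        if caller.user in self.users:
            return f"user:{caller.user}"
        entry = self.match_command(caller.command)
        return f"command:{entry}" if entry is not None else None

    def lint(self) -> list[str]:
        """Flag entries that admit more than one application: an unconfined
        SELinux context (the warning above) and a bare '*' command entry,
        which matches every command line."""
        findings: list[str] = []
        for ctx in sorted(self.contexts):
            if "unconfined" in ctx:
                findings.append(f"context {ctx} is unconfined: opens access "
                                "for more than the desired application")
        for cmd in sorted(self.commands):
            if cmd == "*":
                findings.append("command '*' matches every command line")
        return findings


# Constructed whitelist: libvirt by context, root by uid, one operator
# account by name, and the firewall tools by command line.
SAMPLE_WHITELIST = LockdownWhitelist(
    contexts={"system_u:system_r:virtd_t:s0-s0:c0.c1023"},
    uids={0},
    users={"fwadmin"},
    commands={"/usr/bin/firewall-cmd*",
              "/usr/bin/python3 -s /usr/bin/firewall-config"},
)

if __name__ == "__main__":
    bob = Caller("unconfined_u:unconfined_r:unconfined_t:s0", 1001, "bob",
                 "/usr/bin/firewall-cmd --add-port=443/tcp")
    print(SAMPLE_WHITELIST.check(bob))           # command:/usr/bin/firewall-cmd*
    bob.command = "/bin/firewall-cmd --state"    # /bin vs /usr/bin: no match
    print(SAMPLE_WHITELIST.check(bob), ACCESS_DENIED)
```
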
1151       [--permanent] --list-lockdown-whitelist-commands
1152           List all command lines that are on the whitelist.
1153
1154       [--permanent] --add-lockdown-whitelist-command=command
1155           Add the command to the whitelist.
1156
1157       [--permanent] --remove-lockdown-whitelist-command=command
1158           Remove the command from the whitelist.
1159
1160       [--permanent] --query-lockdown-whitelist-command=command
1161           Query whether the command is on the whitelist. Returns 0 if true, 1
1162           otherwise.
1163
1164       [--permanent] --list-lockdown-whitelist-contexts
1165           List all contexts that are on the whitelist.
1166
1167       [--permanent] --add-lockdown-whitelist-context=context
1168           Add the context context to the whitelist.
1169
1170       [--permanent] --remove-lockdown-whitelist-context=context
1171           Remove the context from the whitelist.
1172
1173       [--permanent] --query-lockdown-whitelist-context=context
1174           Query whether the context is on the whitelist. Returns 0 if true, 1
1175           otherwise.
1176
1177       [--permanent] --list-lockdown-whitelist-uids
1178           List all user ids that are on the whitelist.
1179
1180       [--permanent] --add-lockdown-whitelist-uid=uid
1181           Add the user id uid to the whitelist.
1182
1183       [--permanent] --remove-lockdown-whitelist-uid=uid
1184           Remove the user id uid from the whitelist.
1185
1186       [--permanent] --query-lockdown-whitelist-uid=uid
1187           Query whether the user id uid is on the whitelist. Returns 0 if
1188           true, 1 otherwise.
1189
1190       [--permanent] --list-lockdown-whitelist-users
1191           List all user names that are on the whitelist.
1192
1193       [--permanent] --add-lockdown-whitelist-user=user
1194           Add the user name user to the whitelist.
1195
1196       [--permanent] --remove-lockdown-whitelist-user=user
1197           Remove the user name user from the whitelist.
1198
1199       [--permanent] --query-lockdown-whitelist-user=user
1200           Query whether the user name user is on the whitelist. Returns 0 if
1201           true, 1 otherwise.
1202
1203   Panic Options
1204       --panic-on
1205           Enable panic mode. All incoming and outgoing packets are dropped,
1206           active connections will expire. Enable this only if there are
1207           serious problems with your network environment, for example if
1208           the machine is being broken into.
1209
1210           This is a runtime only change.
1211
1212       --panic-off
1213           Disable panic mode. After disabling panic mode established
1214           connections might work again, if panic mode was enabled for a short
1215           period of time.
1216
1217           This is a runtime only change.
1218
1219       --query-panic
1220           Returns 0 if panic mode is enabled, 1 otherwise.
1221

EXAMPLES

1223       For more examples see http://fedoraproject.org/wiki/FirewallD
1224
1225   Example 1
1226       Enable the http service in the default zone. This is a runtime-only
1227       change, i.e. effective until restart.
1228
1229           firewall-cmd --add-service=http
1230
1231
1232
1233   Example 2
1234       Enable port 443/tcp immediately and permanently in default zone. To
1235       make the change effective immediately and also after restart we need
1236       two commands. The first command makes the change in runtime
1237       configuration, i.e. makes it effective immediately, until restart. The
1238       second command makes the change in permanent configuration, i.e. makes
1239       it effective after restart.
1240
1241           firewall-cmd --add-port=443/tcp
1242           firewall-cmd --permanent --add-port=443/tcp
1243
1244
1245

EXIT CODES

1247       On success 0 is returned. On failure the output is colored red and the
1248       exit code is either 2 in case of wrong command-line option usage or
1249       one of the following error codes in other cases:
1250
1251       ┌────────────────────┬──────┐
1252       │String              │ Code │
1253       ├────────────────────┼──────┤
1254       │ALREADY_ENABLED     │   11 │
1255       ├────────────────────┼──────┤
1256       │NOT_ENABLED         │   12 │
1257       ├────────────────────┼──────┤
1258       │COMMAND_FAILED      │   13 │
1259       ├────────────────────┼──────┤
1260       │NO_IPV6_NAT         │   14 │
1261       ├────────────────────┼──────┤
1262       │PANIC_MODE          │   15 │
1263       ├────────────────────┼──────┤
1264       │ZONE_ALREADY_SET    │   16 │
1265       ├────────────────────┼──────┤
1266       │UNKNOWN_INTERFACE   │   17 │
1267       ├────────────────────┼──────┤
1268       │ZONE_CONFLICT       │   18 │
1269       ├────────────────────┼──────┤
1270       │BUILTIN_CHAIN       │   19 │
1271       ├────────────────────┼──────┤
1272       │EBTABLES_NO_REJECT  │   20 │
1273       ├────────────────────┼──────┤
1274       │NOT_OVERLOADABLE    │   21 │
1275       ├────────────────────┼──────┤
1276       │NO_DEFAULTS         │   22 │
1277       ├────────────────────┼──────┤
1278       │BUILTIN_ZONE        │   23 │
1279       ├────────────────────┼──────┤
1280       │BUILTIN_SERVICE     │   24 │
1281       ├────────────────────┼──────┤
1282       │BUILTIN_ICMPTYPE    │   25 │
1283       ├────────────────────┼──────┤
1284       │NAME_CONFLICT       │   26 │
1285       ├────────────────────┼──────┤
1286       │NAME_MISMATCH       │   27 │
1287       ├────────────────────┼──────┤
1288       │PARSE_ERROR         │   28 │
1289       ├────────────────────┼──────┤
1290       │ACCESS_DENIED       │   29 │
1291       ├────────────────────┼──────┤
1292       │UNKNOWN_SOURCE      │   30 │
1293       ├────────────────────┼──────┤
1294       │RT_TO_PERM_FAILED   │   31 │
1295       ├────────────────────┼──────┤
1296       │IPSET_WITH_TIMEOUT  │   32 │
1297       ├────────────────────┼──────┤
1298       │BUILTIN_IPSET       │   33 │
1299       ├────────────────────┼──────┤
1300       │ALREADY_SET         │   34 │
1301       ├────────────────────┼──────┤
1302       │MISSING_IMPORT      │   35 │
1303       ├────────────────────┼──────┤
1304       │DBUS_ERROR          │   36 │
1305       ├────────────────────┼──────┤
1306       │BUILTIN_HELPER      │   37 │
1307       ├────────────────────┼──────┤
1308       │NOT_APPLIED         │   38 │
1309       ├────────────────────┼──────┤
1310       │INVALID_ACTION      │  100 │
1311       ├────────────────────┼──────┤
1312       │INVALID_SERVICE     │  101 │
1313       ├────────────────────┼──────┤
1314       │INVALID_PORT        │  102 │
1315       ├────────────────────┼──────┤
1316       │INVALID_PROTOCOL    │  103 │
1317       ├────────────────────┼──────┤
1318       │INVALID_INTERFACE   │  104 │
1319       ├────────────────────┼──────┤
1320       │INVALID_ADDR        │  105 │
1321       ├────────────────────┼──────┤
1322       │INVALID_FORWARD     │  106 │
1323       ├────────────────────┼──────┤
1324       │INVALID_ICMPTYPE    │  107 │
1325       ├────────────────────┼──────┤
1326       │INVALID_TABLE       │  108 │
1327       ├────────────────────┼──────┤
1328       │INVALID_CHAIN       │  109 │
1329       ├────────────────────┼──────┤
1330       │INVALID_TARGET      │  110 │
1331       ├────────────────────┼──────┤
1332       │INVALID_IPV         │  111 │
1333       ├────────────────────┼──────┤
1334       │INVALID_ZONE        │  112 │
1335       ├────────────────────┼──────┤
1336       │INVALID_PROPERTY    │  113 │
1337       ├────────────────────┼──────┤
1338       │INVALID_VALUE       │  114 │
1339       ├────────────────────┼──────┤
1340       │INVALID_OBJECT      │  115 │
1341       ├────────────────────┼──────┤
1342       │INVALID_NAME        │  116 │
1343       ├────────────────────┼──────┤
1344       │INVALID_FILENAME    │  117 │
1345       ├────────────────────┼──────┤
1346       │INVALID_DIRECTORY   │  118 │
1347       ├────────────────────┼──────┤
1348       │INVALID_TYPE        │  119 │
1349       ├────────────────────┼──────┤
1350       │INVALID_SETTING     │  120 │
1351       ├────────────────────┼──────┤
1352       │INVALID_DESTINATION │  121 │
1353       ├────────────────────┼──────┤
1354       │INVALID_RULE        │  122 │
1355       ├────────────────────┼──────┤
1356       │INVALID_LIMIT       │  123 │
1357       ├────────────────────┼──────┤
1358       │INVALID_FAMILY      │  124 │
1359       ├────────────────────┼──────┤
1360       │INVALID_LOG_LEVEL   │  125 │
1361       ├────────────────────┼──────┤
1362       │INVALID_AUDIT_TYPE  │  126 │
1363       ├────────────────────┼──────┤
1364       │INVALID_MARK        │  127 │
1365       ├────────────────────┼──────┤
1366       │INVALID_CONTEXT     │  128 │
1367       ├────────────────────┼──────┤
1368       │INVALID_COMMAND     │  129 │
1369       ├────────────────────┼──────┤
1370       │INVALID_USER        │  130 │
1371       ├────────────────────┼──────┤
1372       │INVALID_UID         │  131 │
1373       ├────────────────────┼──────┤
1374       │INVALID_MODULE      │  132 │
1375       ├────────────────────┼──────┤
1376       │INVALID_PASSTHROUGH │  133 │
1377       ├────────────────────┼──────┤
1378       │INVALID_MAC         │  134 │
1379       ├────────────────────┼──────┤
1380       │INVALID_IPSET       │  135 │
1381       ├────────────────────┼──────┤
1382       │INVALID_ENTRY       │  136 │
1383       ├────────────────────┼──────┤
1384       │INVALID_OPTION      │  137 │
1385       ├────────────────────┼──────┤
1386       │INVALID_HELPER      │  138 │
1387       ├────────────────────┼──────┤
1388       │INVALID_PRIORITY    │  139 │
1389       ├────────────────────┼──────┤
1390       │MISSING_TABLE       │  200 │
1391       ├────────────────────┼──────┤
1392       │MISSING_CHAIN       │  201 │
1393       ├────────────────────┼──────┤
1394       │MISSING_PORT        │  202 │
1395       ├────────────────────┼──────┤
1396       │MISSING_PROTOCOL    │  203 │
1397       ├────────────────────┼──────┤
1398       │MISSING_ADDR        │  204 │
1399       ├────────────────────┼──────┤
1400       │MISSING_NAME        │  205 │
1401       ├────────────────────┼──────┤
1402       │MISSING_SETTING     │  206 │
1403       ├────────────────────┼──────┤
1404       │MISSING_FAMILY      │  207 │
1405       ├────────────────────┼──────┤
1406       │RUNNING_BUT_FAILED  │  251 │
1407       ├────────────────────┼──────┤
1408       │NOT_RUNNING         │  252 │
1409       ├────────────────────┼──────┤
1410       │NOT_AUTHORIZED      │  253 │
1411       ├────────────────────┼──────┤
1412       │UNKNOWN_ERROR       │  254 │
1413       └────────────────────┴──────┘
1414
1415       Note that return codes of --query-* options are special: Successful
1416       queries return 0, unsuccessful ones return 1 unless an error occurred
1417       in which case the table above applies.
1418
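       Scripting firewall-cmd against the exit-code semantics above (0
       success, 2 usage error, the named codes otherwise, and the special
       0/1 meaning of --query-* options), applied to the runtime-plus-
       permanent change of Example 2, as an added Python example. This is
       not firewalld's code; the `run` parameter and `fake_runner` exist so
       the logic can be exercised without a running firewalld, and treating
       ALREADY_ENABLED/NOT_ENABLED as tolerable is this example's choice.

```python
from __future__ import annotations

import subprocess
from typing import Callable, Sequence

# Codes from the EXIT CODES table that scripts most often branch on; any
# other non-zero code is reported by number.
EXIT_CODES = {
    11: "ALREADY_ENABLED", 12: "NOT_ENABLED", 13: "COMMAND_FAILED",
    15: "PANIC_MODE", 29: "ACCESS_DENIED", 32: "IPSET_WITH_TIMEOUT",
    101: "INVALID_SERVICE", 102: "INVALID_PORT", 112: "INVALID_ZONE",
    251: "RUNNING_BUT_FAILED", 252: "NOT_RUNNING", 253: "NOT_AUTHORIZED",
    254: "UNKNOWN_ERROR",
}

Runner = Callable[[Sequence[str]], int]


def run_firewall_cmd(argv: Sequence[str]) -> int:
    """Default runner: invoke the real client and return its exit code."""
    return subprocess.run(["firewall-cmd", *argv], check=False).returncode


def describe(code: int) -> str:
    """Name for a firewall-cmd exit code, following the table above."""
    if code == 0:
        return "SUCCESS"
    if code == 2:
        return "USAGE_ERROR"
    return EXIT_CODES.get(code, f"ERROR_{code}")


class FirewallCmdError(RuntimeError):
    def __init__(self, argv: Sequence[str], code: int) -> None:
        self.argv, self.code, self.name = list(argv), code, describe(code)
        super().__init__(f"firewall-cmd {' '.join(argv)}: {self.name} ({code})")


def query(argv: Sequence[str], run: Runner = run_firewall_cmd) -> bool:
    """Run a --query-* option. Per the note above, 0 means true and 1 means
    false; any other code is a real error and is raised."""
    code = run(argv)
    if code in (0, 1):
        return code == 0
    raise FirewallCmdError(argv, code)


def change(argv: Sequence[str], run: Runner = run_firewall_cmd,
           tolerate: Sequence[int] = (11, 12)) -> int:
    """Run a changing option and return its exit code. ALREADY_ENABLED and
    NOT_ENABLED are returned rather than raised (this example's choice, so
    that re-running a provisioning script is harmless); the rest raise."""
    code = run(argv)
    if code == 0 or code in tolerate:
        return code
    raise FirewallCmdError(argv, code)


def add_port_now_and_permanently(port: str,
                                 run: Runner = run_firewall_cmd) -> dict[str, str]:
    """Example 2 above: the runtime change takes effect immediately, the
    permanent one survives a restart; both commands are needed."""
    return {
        "runtime": describe(change([f"--add-port={port}"], run)),
        "permanent": describe(change(["--permanent", f"--add-port={port}"], run)),
    }


def fake_runner(codes: dict[tuple[str, ...], int]) -> Runner:
    """Runner for dry runs and tests: exit code looked up by argument tuple
    (constructed; no firewalld needed)."""
    return lambda argv: codes[tuple(argv)]


if __name__ == "__main__":
    # Constructed responses: the port is already in the permanent
    # configuration but not yet active in runtime.
    fake = fake_runner({
        ("--add-port=443/tcp",): 0,
        ("--permanent", "--add-port=443/tcp"): 11,
        ("--query-port=443/tcp",): 0,
    })
    print(add_port_now_and_permanently("443/tcp", fake))
    print(query(["--query-port=443/tcp"], fake))
```
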

SEE ALSO

1420       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1421       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1422       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1423       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1424       firewalld.zone(5), firewalld.zones(5), firewalld.ipset(5),
1425       firewalld.helper(5)
1426

NOTES

1428       firewalld home page:
1429           http://firewalld.org
1430
1431       More documentation with examples:
1432           http://fedoraproject.org/wiki/FirewallD
1433

AUTHORS

1435       Thomas Woerner <twoerner@redhat.com>
1436           Developer
1437
1438       Jiri Popelka <jpopelka@redhat.com>
1439           Developer
1440
1441       Eric Garver <eric@garver.life>
1442           Developer
1443
1444
1445
1446firewalld 0.8.6                                                FIREWALL-CMD(1)