FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)

NAME

       firewall-cmd - firewalld command line client


SYNOPSIS

       firewall-cmd [OPTIONS...]


DESCRIPTION

       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configurations.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that a change can be made to the runtime
       configuration, to the permanent configuration, or to both.


OPTIONS

       Sequence options are options that can be specified multiple times. For
       them the exit code is 0 if at least one item succeeded. The
       ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors
       are treated as success. Problems while parsing individual items are
       treated as warnings and do not change the result as long as there is
       one successful item. Without any successful item, the exit code depends
       on the error codes: if there is exactly one distinct error code, that
       code is used; if there is more than one, UNKNOWN_ERROR (254) is used.

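       The exit-code rule above, worked through as an added shell example that
       is not part of the firewall-cmd man page or of firewalld. The function
       reproduces the documented aggregation so a script that has recorded
       per-item outcomes can predict the overall exit code; apart from the
       three codes named above, the per-item codes used in the comments (101,
       102) are constructed values, not real firewalld error codes.

```shell
#!/bin/sh
# Added example: reproduce firewall-cmd's documented exit-code rule for
# sequence options (options given several times in one invocation).
#   - exit 0 if at least one item succeeded;
#   - ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16)
#     count as success;
#   - otherwise, exactly one distinct error code -> that code,
#     more than one distinct error code -> UNKNOWN_ERROR (254).

# Return 0 if a per-item result code counts as success under the rule above.
item_succeeded() {
    case "$1" in
        0|11|12|16) return 0 ;;
        *)          return 1 ;;
    esac
}

# Aggregate the per-item codes given as arguments and print the overall
# exit code. Assumption (not stated on the page): with no items at all we
# print 254, since there is no success and no single error code to report.
sequence_exit_code() {
    distinct=""
    for code in "$@"; do
        if item_succeeded "$code"; then
            echo 0
            return 0
        fi
        # remember each failing code once
        case " $distinct " in
            *" $code "*) ;;
            *) distinct="$distinct $code" ;;
        esac
    done
    # shellcheck disable=SC2086  # splitting into positional params is intended
    set -- $distinct
    if [ "$#" -eq 1 ]; then
        echo "$1"
    else
        echo 254
    fi
}

# Constructed usage (101 and 102 are made-up per-item codes):
# sequence_exit_code 11 101   -> 0    (ALREADY_ENABLED counts as success)
# sequence_exit_code 101 101  -> 101  (one distinct error code)
# sequence_exit_code 101 102  -> 254  (several distinct error codes)
```

       The useful consequence for scripts: a single `--add-service` call with
       several services can exit 0 even though some of the items failed, so
       a script that needs every item applied must query each one afterwards
       (for example with `--query-service`) rather than trust the exit code.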
       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration, i.e.
           all runtime-only changes made before the reload are lost unless they
           were also made in the permanent configuration.

           Note: If FlushAllOnReload=no, runtime changes applied via the
           direct interface are not affected and will therefore stay in place
           until the firewalld daemon is restarted completely. For
           FlushAllOnReload, see firewalld.conf(5).

       --complete-reload
           Reload the firewall completely, including the netfilter kernel
           modules. This will most likely terminate active connections, because
           state information is lost. This option should only be used in case
           of severe firewall problems, for example when state information
           problems prevent any connection from being established even though
           the firewall rules are correct.

           Note: If FlushAllOnReload=no, runtime changes applied via the
           direct interface are not affected and will therefore stay in place
           until the firewalld daemon is restarted completely. For
           FlushAllOnReload, see firewalld.conf(5).

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The intended workflow is that when
           configuring firewalld you make runtime changes only and, once you
           are happy with the configuration and have tested that it works the
           way you want, you save the configuration to disk.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also before the
           final reject and drop rules in zones, for the configured link-layer
           packet type. The possible values are: all, unicast, broadcast,
           multicast and off. The default setting is off, which disables the
           logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Permanent Options
       --permanent
           The --permanent option can be used to set options permanently.
           These changes are not effective immediately, only after a service
           restart/reload or system reboot. Without the --permanent option, a
           change will only be part of the runtime configuration.

           If you want to make a change in both the runtime and the permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can optionally be added to all options
           further down where it is supported.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections and interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones along with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.

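       A parser for the --get-active-zones format shown above, as an added
       shell example that is not part of the man page or of firewalld. It
       flattens the indented output into one binding per line so that output
       captured from a host can be audited offline (for instance, which
       interfaces sit in a permissive zone); the zone, interface and source
       names in SAMPLE_ACTIVE_ZONES are constructed, not taken from a real
       host.

```shell
#!/bin/sh
# Added example: parse `firewall-cmd --get-active-zones` output.
# Per the man page, the format is an unindented zone name followed by
# indented "interfaces:" and/or "sources:" lines; a line is omitted when
# the zone has no members of that kind.

# Constructed sample output (names made up, not captured from a real host).
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0 eth1
  sources: 192.0.2.0/24
trusted
  interfaces: docker0
dmz
  sources: ipset:dmz-hosts'

# Read --get-active-zones output on stdin and print one tab-separated
# "zone<TAB>kind<TAB>member" row per binding; kind is interface or source.
flatten_active_zones() {
    awk '
        /^[^ ]/           { zone = $1; next }   # unindented line: zone name
        /^ +interfaces:/  { for (i = 2; i <= NF; i++) print zone "\tinterface\t" $i; next }
        /^ +sources:/     { for (i = 2; i <= NF; i++) print zone "\tsource\t" $i; next }
    '
}

# Interfaces bound to zone $1, space separated (reads --get-active-zones
# output on stdin). Handy when reviewing what is attached to a zone whose
# target accepts everything, such as trusted.
interfaces_in_zone() {
    flatten_active_zones |
        awk -F'\t' -v z="$1" '
            $1 == z && $2 == "interface" { printf "%s%s", sep, $3; sep = " " }
            END { print "" }'
}

# Zone a single member (interface or source) is bound to, or nothing.
zone_of_member() {
    flatten_active_zones |
        awk -F'\t' -v m="$1" '$3 == m { print $1; exit }'
}

# Total number of bindings (a quick check that every member line was parsed).
count_bindings() {
    flatten_active_zones | wc -l | tr -d ' '
}

# On a live host:  firewall-cmd --get-active-zones | interfaces_in_zone trusted
# With the constructed sample the same call prints: docker0
printf '%s\n' "$SAMPLE_ACTIVE_ZONES" | interfaces_in_zone trusted
```

       For a single interface on a live host, --get-zone-of-interface gives
       the same answer directly; the parser earns its place when the output
       has been collected from many hosts and is compared against an expected
       baseline of bindings.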
       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or no zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or no zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..

       --permanent --new-zone=zone
           Add a new permanent and empty zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

   Policy Options
       [--permanent] --get-policies
           Print predefined policies as a space separated list.

       [--permanent] --info-policy=policy
           Print information about the policy policy.

       [--permanent] --list-all-policies
           List everything added for or enabled in all policies.

       --permanent --new-policy=policy
           Add a new permanent policy.

           Policy names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-policy-from-file=filename [--name=policy]
           Add a new permanent policy from a prepared policy file with an
           optional name override.

       --permanent --path-policy=policy
           Print the path of the policy configuration file.

       --permanent --delete-policy=policy
           Delete an existing permanent policy.

       --permanent --load-policy-defaults=policy
           Load the shipped defaults for a policy. Only applies to policies
           shipped with firewalld. Does not apply to user defined policies.

   Options to Adapt and Query Zones and Policies
       Options in this section affect only one particular zone or policy. If
       used with the --zone=zone or --policy=policy option, they affect the
       specified zone or policy. If both options are omitted, they affect the
       default zone (see --get-default-zone).

       [--permanent] [--zone=zone] [--policy=policy] --list-all
           List everything added or enabled.

       --permanent [--zone=zone] [--policy=policy] --get-target
           Get the target.

       --permanent [--zone=zone] [--policy=policy] --set-target=target
           Set the target.

           For zones the target is one of: default, ACCEPT, DROP, REJECT

           For policies the target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but it implicitly allows ICMP
           packets.

       --permanent [--zone=zone] [--policy=policy]
       --set-description=description
           Set the description.

       --permanent [--zone=zone] [--policy=policy] --get-description
           Print the description.

       --permanent [--zone=zone] [--policy=policy] --set-short=description
           Set the short description.

       --permanent [--zone=zone] [--policy=policy] --get-short
           Print the short description.

       [--permanent] [--zone=zone] [--policy=policy] --list-services
           List added services as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-service=service
       [--timeout=timeval]
           Add a service. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.

           Note: Some services define connection tracking helpers. Helpers
           that may operate in client mode (e.g. tftp) must be added to an
           outbound policy instead of a zone to take effect for clients.
           Otherwise the helper will not be applied to the outbound traffic.
           The related traffic, as defined by the connection tracking helper,
           on the return path (ingress) will be allowed by the stateful
           firewall rules.

           An example of an outbound policy for connection tracking helpers:

               # firewall-cmd --permanent --new-policy clientConntrack
               # firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
               # firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
               # firewall-cmd --permanent --policy clientConntrack --add-service tftp

       [--permanent] [--zone=zone] [--policy=policy] --remove-service=service
           Remove a service. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy] --query-service=service
           Return whether the service has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-ports
           List added ports as a space separated list. A port is of the form
           portid[-portid]/protocol; it is either a port and protocol pair or
           a port range with a protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-port=portid[-portid]/protocol [--timeout=timeval]
           Add the port. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

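       Argument checking for the --add-port form described above, as an added
       shell example that is not part of the man page or of firewalld. It
       validates the portid[-portid]/protocol spec and the timeval syntax the
       page documents and rejects the documented invalid combination of
       --timeout with --permanent before anything reaches firewall-cmd. The
       zone and port values in the comments are constructed, and the port
       bounds 1-65535 are an assumption taken from the TCP/UDP port space,
       not something this page states.

```shell
#!/bin/sh
# Added example: check --add-port arguments against the constraints the man
# page documents before handing them to firewall-cmd.

# Validate "portid[-portid]/protocol": protocol must be tcp, udp, sctp or
# dccp; a range must be low-high. Port bounds 1-65535 are an assumption
# (the man page does not state them). Returns 0 if valid, 1 otherwise.
valid_port_spec() {
    spec=$1
    case "$spec" in
        */*) ;;
        *)   return 1 ;;
    esac
    ports=${spec%/*}
    proto=${spec##*/}
    case "$proto" in
        tcp|udp|sctp|dccp) ;;
        *)                 return 1 ;;
    esac
    case "$ports" in
        *-*) low=${ports%-*}; high=${ports#*-} ;;
        *)   low=$ports;      high=$ports ;;
    esac
    for p in "$low" "$high"; do
        case "$p" in
            ''|*[!0-9]*) return 1 ;;   # empty or not a plain number
        esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$low" -le "$high" ]
}

# Convert a timeval ("20m", "1h", or plain seconds) to seconds.
# Prints the number; returns 1 on a malformed value.
timeval_to_seconds() {
    tv=$1
    num=${tv%[smh]}
    unit=${tv#"$num"}
    case "$num" in
        ''|*[!0-9]*) return 1 ;;
    esac
    num=${num#"${num%%[!0]*}"}   # drop leading zeros so $(( )) does not read octal
    [ -n "$num" ] || num=0
    case "$unit" in
        ''|s) echo "$num" ;;
        m)    echo $((num * 60)) ;;
        h)    echo $((num * 3600)) ;;
        *)    return 1 ;;
    esac
}

# Assemble the argument list for one --add-port call.
#   add_port_args SPEC ZONE [TIMEVAL] [permanent]
# Prints the arguments on one line; returns 1 and explains on stderr when the
# spec, the timeval, or the --timeout/--permanent combination is invalid.
add_port_args() {
    spec=$1; zone=$2; timeout=$3; permanent=$4
    valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    args="--zone=$zone --add-port=$spec"
    if [ -n "$timeout" ]; then
        if [ -n "$permanent" ]; then
            echo "--timeout is not combinable with --permanent" >&2
            return 1
        fi
        timeval_to_seconds "$timeout" >/dev/null || { echo "bad timeval: $timeout" >&2; return 1; }
        args="$args --timeout=$timeout"
    fi
    if [ -n "$permanent" ]; then
        args="--permanent $args"
    fi
    echo "$args"
}

# Constructed usage (zone and port made up). A runtime-only opening that
# removes itself after 20 minutes:
#   firewall-cmd $(add_port_args 8080/tcp public 20m)
# prints: --zone=public --add-port=8080/tcp --timeout=20m
add_port_args 8080/tcp public 20m
```

       The unquoted `$(...)` in the usage comment is deliberate: the
       arguments contain no whitespace, so word splitting yields one argument
       per option. Pairing a runtime change with --timeout is the safe way to
       try a rule: if it turns out wrong, it disappears on its own, and only a
       tested rule needs to be saved with --runtime-to-permanent or repeated
       with --permanent.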
       [--permanent] [--zone=zone] [--policy=policy]
       --remove-port=portid[-portid]/protocol
           Remove the port. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-port=portid[-portid]/protocol
           Return whether the port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-protocols
           List added protocols as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-protocol=protocol
       [--timeout=timeval]
           Add the protocol. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-protocol=protocol
           Remove the protocol. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy] --query-protocol=protocol
           Return whether the protocol has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-source-ports
           List added source ports as a space separated list. A port is of the
           form portid[-portid]/protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-source-port=portid[-portid]/protocol [--timeout=timeval]
           Add the source port. This option can be specified multiple times.
           If a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port. This option can be specified multiple
           times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-icmp-blocks
           List added Internet Control Message Protocol (ICMP) type blocks as
           a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of the supported ICMP types: firewall-cmd --get-icmptypes

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype. This option can be specified
           multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added. Returns 0
           if true, 1 otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-forward-ports
           List added IPv4 forward ports as a space separated list.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can be tcp, udp, sctp or dccp. The
           destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added. Returns 0 if
           true, 1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --add-masquerade
       [--timeout=timeval]
           Enable IPv4 masquerade. If a timeout is supplied, masquerading will
           be active for the specified amount of time. timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--permanent] [--zone=zone] [--policy=policy] --remove-masquerade
           Disable IPv4 masquerade. If masquerading was enabled with a
           timeout, it will be disabled as well.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --query-masquerade
           Return whether IPv4 masquerading has been enabled. Returns 0 if
           true, 1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --list-rich-rules
           List added rich language rules as a newline separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-rich-rule='rule'
       [--timeout=timeval]
           Add the rich language rule 'rule'. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy] --remove-rich-rule='rule'
           Remove the rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] [--policy=policy] --query-rich-rule='rule'
           Return whether the rich language rule 'rule' has been added. Returns
           0 if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the specified zone. If the option
       is omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --add-icmp-block-inversion
           Enable ICMP block inversion.

       [--permanent] [--zone=zone] --remove-icmp-block-inversion
           Disable ICMP block inversion.

       [--permanent] [--zone=zone] --query-icmp-block-inversion
           Return whether ICMP block inversion is enabled. Returns 0 if true,
           1 otherwise.

       [--permanent] [--zone=zone] --add-forward
           Enable intra-zone forwarding.

       [--permanent] [--zone=zone] --remove-forward
           Disable intra-zone forwarding.

       [--permanent] [--zone=zone] --query-forward
           Return whether intra-zone forwarding is enabled. Returns 0 if true,
           1 otherwise.

   Options to Adapt and Query Policies
       Options in this section affect only one particular policy. It is
       required to specify --policy=policy with these options.

       --permanent --policy=policy --get-priority
           Get the priority.

       --permanent --policy=policy --set-priority=priority
           Set the priority. The priority determines the relative ordering of
           policies. This is an integer value between -32768 and 32767 where
           -1 is the default value for new policies and 0 is reserved for
           internal use.

           If the priority is < 0, then the policy's rules will execute before
           all rules in all zones.

           If the priority is > 0, then the policy's rules will execute after
           all rules in all zones.

       [--permanent] --policy=policy --list-ingress-zones
           List added ingress zones as a space separated list.

       [--permanent] --policy=policy --add-ingress-zone=zone
           Add an ingress zone. This option can be specified multiple times.

           The ingress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           HOST is used for traffic originating from the host machine, i.e.
           the host running firewalld.

           ANY is used for traffic originating from any zone. This can be
           thought of as a wild card for zones. However, it does not include
           traffic originating from the host machine; use HOST for that.

       [--permanent] --policy=policy --remove-ingress-zone=zone
           Remove an ingress zone. This option can be specified multiple
           times.

       [--permanent] --policy=policy --query-ingress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

       [--permanent] --policy=policy --list-egress-zones
           List added egress zones as a space separated list.

       [--permanent] --policy=policy --add-egress-zone=zone
           Add an egress zone. This option can be specified multiple times.

           The egress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           For clarification on HOST and ANY see option --add-ingress-zone.

       [--permanent] --policy=policy --remove-egress-zone=zone
           Remove an egress zone. This option can be specified multiple times.

       [--permanent] --policy=policy --query-egress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

630   Options to Handle Bindings of Interfaces
631       Binding an interface to a zone means that this zone settings are used
632       to restrict traffic via the interface.
633
634       Options in this section affect only one particular zone. If used with
635       --zone=zone option, they affect the zone zone. If the option is
636       omitted, they affect default zone (see --get-default-zone).
637
638       For a list of predefined zones use firewall-cmd --get-zones.
639
640       An interface name is a string up to 16 characters long, that may not
641       contain ' ', '/', '!' and '*'.
642
643       [--permanent] [--zone=zone] --list-interfaces
644           List interfaces that are bound to zone zone as a space separated
645           list. If zone is omitted, default zone will be used.
646
647       [--permanent] [--zone=zone] --add-interface=interface
648           Bind interface interface to zone zone. If zone is omitted, default
649           zone will be used.
650
651           If the interface is under control of NetworkManager, it is at first
652           connected to change the zone for the connection that is using the
653           interface. If this fails, the zone binding is created in firewalld
654           and the limitations below apply. For interfaces that are not under
655           control of NetworkManager, firewalld tries to change the ZONE
656           setting in the ifcfg file, if the file exists.
657
658           As a end user you don't need this in most cases, because
659           NetworkManager (or legacy network service) adds interfaces into
660           zones automatically (according to ZONE= option from ifcfg-interface
661           file) if NM_CONTROLLED=no is not set. You should do it only if
662           there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
663           there is such file and you add interface to zone with this
664           --add-interface option, make sure the zone is the same in both
665           cases, otherwise the behaviour would be undefined. Please also have
666           a look at the firewalld(1) man page in the Concepts section. For
667           permanent association of interface with a zone, see also 'How to
668           set or change a zone for a connection?' in firewalld.zones(5).
669
670       [--permanent] [--zone=zone] --change-interface=interface
671           If the interface is under control of NetworkManager, it is at first
672           connected to change the zone for the connection that is using the
673           interface. If this fails, the zone binding is created in firewalld
674           and the limitations below apply. For interfaces that are not under
675           control of NetworkManager, firewalld tries to change the ZONE
676           setting in the ifcfg file, if the file exists.
677
678           Change zone the interface interface is bound to to zone zone. It's
679           basically --remove-interface followed by --add-interface. If the
680           interface has not been bound to a zone before, it behaves like
681           --add-interface. If zone is omitted, default zone will be used.
682
683       [--permanent] [--zone=zone] --query-interface=interface
684           Query whether interface interface is bound to zone zone. Returns 0
685           if true, 1 otherwise.
686
687       [--permanent] --remove-interface=interface
688           If the interface is under control of NetworkManager, it is at first
689           connected to change the zone for the connection that is using the
690           interface. If this fails, the zone binding is created in firewalld
691           and the limitations below apply.
692
           For the addition or change of interfaces that are not under
           control of NetworkManager: firewalld tries to change the ZONE
           setting in the ifcfg file, if an ifcfg file exists that is using
           the interface.

           Only for the removal of interfaces that are not under control of
           NetworkManager: firewalld does not try to change the ZONE setting
           in the ifcfg file. This is needed to make sure that an ifdown of
           the interface will not result in a reset of the zone setting to
           the default zone. Only the zone binding is then removed in
           firewalld.
704
705           Remove binding of interface interface from zone it was previously
706           added to.
707
708   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be
       used to restrict traffic from this source.
711
712       A source address or address range is either an IP address or a network
713       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
714       with the ipset: prefix. For IPv4, the mask can be a network mask or a
715       plain number. For IPv6 the mask is a plain number. The use of host
716       names is not supported.
717
718       Options in this section affect only one particular zone. If used with
719       --zone=zone option, they affect the zone zone. If the option is
720       omitted, they affect default zone (see --get-default-zone).
721
722       For a list of predefined zones use firewall-cmd [--permanent]
723       --get-zones.
724
725       [--permanent] [--zone=zone] --list-sources
726           List sources that are bound to zone zone as a space separated list.
727           If zone is omitted, default zone will be used.
728
729       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
730           Bind the source to zone zone. If zone is omitted, default zone will
731           be used.
732
733       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to, to zone zone. It is
           basically --remove-source followed by --add-source. If the source
           has not been bound to a zone before, it behaves like --add-source.
           If zone is omitted, the default zone will be used.
738
739       [--permanent] [--zone=zone]
740       --query-source=source[/mask]|MAC|ipset:ipset
741           Query whether the source is bound to the zone zone. Returns 0 if
742           true, 1 otherwise.
743
744       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
745           Remove binding of the source from zone it was previously added to.
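       The source grammar above, as an added example that is not part of the
       man page: source_kind() accepts exactly the forms the text allows (an
       IPv4 address with a prefix length or dotted mask, an IPv6 address with
       a prefix length only, a MAC address, or ipset:name; host names are
       rejected), and bind_blocklist() uses it before binding a constructed
       ipset named "blocklist" to the predefined drop zone. The addresses are
       made up; hash:net is one of the types --get-ipset-types reports.

```shell
#!/bin/sh
# Added example, not part of the firewall-cmd man page.

# Classify a --add-source argument. Prints ipv4, ipv6, mac or ipset and
# returns 0; returns 1 for anything the man page does not allow.
source_kind() {
    spec=$1
    octet='(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])'
    ipv4="$octet(\\.$octet){3}"
    case $spec in
        ipset:*)
            # ipset names are alphanumeric plus '_' and '-' (see --new-ipset)
            printf '%s' "${spec#ipset:}" | grep -Eq '^[A-Za-z0-9_-]+$' || return 1
            echo ipset; return 0 ;;
    esac
    # Six colon-separated hex pairs: a MAC address
    if printf '%s' "$spec" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; then
        echo mac; return 0
    fi
    # IPv4 address, optionally with a plain prefix length (0-32) or a
    # dotted network mask
    if printf '%s' "$spec" | grep -Eq "^$ipv4(/([0-9]|[12][0-9]|3[0-2]|$ipv4))?$"; then
        echo ipv4; return 0
    fi
    # IPv6 address with an optional plain prefix length (0-128); a dotted
    # mask is not allowed for IPv6 and at most one '::' may appear.
    addr=${spec%%/*}
    case $spec in */*) mask=${spec#*/} ;; *) mask=0 ;; esac
    rest=${addr#*::}
    case $rest in *::*) return 1 ;; esac
    case $addr in *:::*) return 1 ;; esac
    if printf '%s' "$addr" | grep -Eq '^[0-9A-Fa-f]{0,4}(:[0-9A-Fa-f]{0,4}){1,7}$' \
       && printf '%s' "$mask" | grep -Eq '^([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$'; then
        echo ipv6; return 0
    fi
    return 1
}

# Create an IPv4 (inet) ipset in the permanent configuration, fill it, bind
# it to the drop zone, then --reload so the permanent configuration becomes
# the runtime one (--new-ipset exists only for the permanent configuration).
bind_blocklist() {
    set_name=$1; shift
    for src in "$@"; do
        # the set is family inet, so only IPv4 sources may go in
        [ "$(source_kind "$src")" = ipv4 ] || { echo "rejected source: $src" >&2; return 1; }
    done
    firewall-cmd --permanent --new-ipset="$set_name" --type=hash:net --family=inet
    for src in "$@"; do
        firewall-cmd --permanent --ipset="$set_name" --add-entry="$src"
    done
    firewall-cmd --permanent --zone=drop --add-source="ipset:$set_name"
    firewall-cmd --reload
    # --query-source returns 0 only when the binding is really in place
    firewall-cmd --zone=drop --query-source="ipset:$set_name"
}

# The validation runs anywhere; only call bind_blocklist as root on a host
# that runs firewalld, e.g.:  bind_blocklist blocklist 198.51.100.0/24
for s in 198.51.100.0/24 2001:db8:bad::/48 00:11:22:33:44:55 ipset:blocklist example.com; do
    if kind=$(source_kind "$s"); then echo "$s -> $kind"; else echo "$s -> rejected"; fi
done
```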
746
747   IPSet Options
748       --get-ipset-types
749           Print the supported ipset types.
750
751       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
752       [--option=key[=value]]
           Add a new permanent and empty ipset, specifying the type and
           optionally the family and options like timeout, hashsize and
           maxelem. For more information please have a look at the ipset(8)
           man page.
756
757           ipset names must be alphanumeric and may additionally include
758           characters: '_' and '-'.
759
760       --permanent --new-ipset-from-file=filename [--name=ipset]
761           Add a new permanent ipset from a prepared ipset file with an
762           optional name override.
763
764       --permanent --delete-ipset=ipset
765           Delete an existing permanent ipset.
766
767       --permanent --load-ipset-defaults=ipset
768           Load ipset default settings or report NO_DEFAULTS error.
769
770       [--permanent] --info-ipset=ipset
771           Print information about the ipset ipset. The output format is:
772
773               ipset
774                 type: type
775                 options: option1[=value1] ..
776                 entries: entry1 ..
777
778
779
780       [--permanent] --get-ipsets
781           Print predefined ipsets as a space separated list.
782
       --permanent --ipset=ipset --set-description=description
           Set a new description for the ipset.

       --permanent --ipset=ipset --get-description
           Print the description of the ipset.

       --permanent --ipset=ipset --set-short=description
           Set the short description of the ipset.

       --permanent --ipset=ipset --get-short
           Print the short description of the ipset.
794
795       [--permanent] --ipset=ipset --add-entry=entry
796           Add a new entry to the ipset.
797
798           Adding an entry to an ipset with option timeout is permitted, but
799           these entries are not tracked by firewalld.
800
801       [--permanent] --ipset=ipset --remove-entry=entry
802           Remove an entry from the ipset.
803
804       [--permanent] --ipset=ipset --query-entry=entry
805           Return whether the entry has been added to an ipset. Returns 0 if
806           true, 1 otherwise.
807
808           Querying an ipset with a timeout will yield an error. Entries are
809           not tracked for ipsets with a timeout.
810
811       [--permanent] --ipset=ipset --get-entries
812           List all entries of the ipset.
813
814       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For every entry that
           is listed in the file but already in the ipset, a warning will be
           printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.
821
822       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove entries listed in the file from the ipset. For every entry
           that is listed in the file but not in the ipset, a warning will be
           printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.
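       The entries file format used by --add-entries-from-file and
       --remove-entries-from-file, as an added example that is not part of
       the man page: ipset_entries() drops comment and empty lines (it also
       strips surrounding whitespace, an assumption about how firewalld reads
       the file), and plan_ipset_adds() shows which entries would be added
       and which would only trigger the "already in the ipset" warning. The
       sample file, the current-entries list and the ipset name "blocklist"
       are constructed.

```shell
#!/bin/sh
# Added example, not part of the firewall-cmd man page.

# Print the usable entries of an entries file, one per line. Surrounding
# whitespace is stripped (assumption); a line is ignored when it is empty or
# starts with '#' or ';'.
ipset_entries() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
        | grep -Ev '^($|#|;)' || :
}

# Compare the file against the current entries of the set ($3 holds one
# entry per line, i.e. the shape of --get-entries output). Entries already
# present are reported as warnings on stderr, the rest are printed as the
# firewall-cmd invocation that would add them.
plan_ipset_adds() {
    set_name=$1; file=$2; current=$3
    ipset_entries "$file" | while IFS= read -r entry; do
        if grep -Fxq -e "$entry" "$current"; then
            echo "warning: $entry is already in ipset $set_name" >&2
        else
            echo "firewall-cmd --permanent --ipset=$set_name --add-entry=$entry"
        fi
    done
}

# Constructed sample input: an entries file with both comment styles, a
# blank line and indentation, plus a current-entries list with one overlap.
workdir=$(mktemp -d)
cat >"$workdir/entries.txt" <<'EOF'
# constructed sample entries file
; second comment style
198.51.100.7

203.0.113.0/24
  198.51.100.9
EOF
printf '198.51.100.7\n' >"$workdir/current.txt"

plan_ipset_adds blocklist "$workdir/entries.txt" "$workdir/current.txt"
# On a firewalld host the same file can simply be passed to
#   firewall-cmd --permanent --ipset=blocklist --add-entries-from-file=entries.txt
```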
829
830       --permanent --path-ipset=ipset
831           Print path of the ipset configuration file.
832
833   Service Options
834       Options in this section affect only one particular service.
835
836       [--permanent] --info-service=service
837           Print information about the service service. The output format is:
838
839               service
840                 ports: port1 ..
841                 protocols: protocol1 ..
842                 source-ports: source-port1 ..
843                 helpers: helper1 ..
844                 destination: ipv1:address1 ..
845
846
847
848       The following options are only usable in the permanent configuration.
849
850       --permanent --new-service=service
851           Add a new permanent and empty service.
852
853           Service names must be alphanumeric and may additionally include
854           characters: '_' and '-'.
855
856       --permanent --new-service-from-file=filename [--name=service]
857           Add a new permanent service from a prepared service file with an
858           optional name override.
859
860       --permanent --delete-service=service
861           Delete an existing permanent service.
862
863       --permanent --load-service-defaults=service
864           Load service default settings or report NO_DEFAULTS error.
865
866       --permanent --path-service=service
867           Print path of the service configuration file.
868
       --permanent --service=service --set-description=description
           Set a new description for the service.

       --permanent --service=service --get-description
           Print the description of the service.

       --permanent --service=service --set-short=description
           Set the short description of the service.

       --permanent --service=service --get-short
           Print the short description of the service.
880
881       --permanent --service=service --add-port=portid[-portid]/protocol
882           Add a new port to the permanent service.
883
884       --permanent --service=service --remove-port=portid[-portid]/protocol
885           Remove a port from the permanent service.
886
887       --permanent --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.
889
890       --permanent --service=service --get-ports
891           List ports added to the permanent service.
892
893       --permanent --service=service --add-protocol=protocol
894           Add a new protocol to the permanent service.
895
896       --permanent --service=service --remove-protocol=protocol
897           Remove a protocol from the permanent service.
898
899       --permanent --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent service.
901
902       --permanent --service=service --get-protocols
903           List protocols added to the permanent service.
904
905       --permanent --service=service
906       --add-source-port=portid[-portid]/protocol
907           Add a new source port to the permanent service.
908
909       --permanent --service=service
910       --remove-source-port=portid[-portid]/protocol
911           Remove a source port from the permanent service.
912
913       --permanent --service=service
914       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.
917
918       --permanent --service=service --get-source-ports
919           List source ports added to the permanent service.
920
921       --permanent --service=service --add-helper=helper
922           Add a new helper to the permanent service.
923
924       --permanent --service=service --remove-helper=helper
925           Remove a helper from the permanent service.
926
927       --permanent --service=service --query-helper=helper
           Return whether the helper has been added to the permanent service.
929
930       --permanent --service=service --get-service-helpers
931           List helpers added to the permanent service.
932
933       --permanent --service=service --set-destination=ipv:address[/mask]
934           Set destination for ipv to address[/mask] in the permanent service.
935
936       --permanent --service=service --remove-destination=ipv
937           Remove the destination for ipv from the permanent service.
938
939       --permanent --service=service --query-destination=ipv:address[/mask]
           Return whether the destination ipv to address[/mask] has been set
           in the permanent service.
942
943       --permanent --service=service --get-destinations
944           List destinations added to the permanent service.
945
946       --permanent --service=service --add-include=service
947           Add a new include to the permanent service.
948
949       --permanent --service=service --remove-include=service
           Remove an include from the permanent service.
951
952       --permanent --service=service --query-include=service
           Return whether the include has been added to the permanent service.
954
955       --permanent --service=service --get-includes
956           List includes added to the permanent service.
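       Defining a permanent custom service with the options above, as an added
       example that is not part of the man page: valid_port_spec() checks a
       portid[-portid]/protocol argument before it reaches firewall-cmd, and
       define_service() builds the service idempotently by pairing every
       --add-* with its --query-* so a re-run does not hit ALREADY_ENABLED
       (11) or NAME_CONFLICT (26). The service name "example-api" and its
       ports are constructed; the accepted protocol list (tcp, udp, sctp,
       dccp) is this example's assumption, not something the man page states.

```shell
#!/bin/sh
# Added example, not part of the firewall-cmd man page.

# Accept portid[-portid]/protocol: ports 1-65535, a range must be ascending.
valid_port_spec() {
    spec=$1
    ports=${spec%/*}; proto=${spec#*/}
    [ "$ports" != "$spec" ] || return 1            # no '/' separator at all
    case $proto in tcp|udp|sctp|dccp) ;; *) return 1 ;; esac   # assumption
    lo=${ports%-*}; hi=${ports#*-}
    for p in "$lo" "$hi"; do
        printf '%s' "$p" | grep -Eq '^[0-9]{1,5}$' || return 1
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
    done
    [ "$lo" -le "$hi" ]
}

# Add one item (port, protocol, helper, ...) to the permanent service unless
# the matching --query-* already reports it (exit 0 means present).
ensure_service_item() {
    svc=$1; kind=$2; value=$3
    firewall-cmd --permanent --service="$svc" "--query-$kind=$value" >/dev/null 2>&1 \
        || firewall-cmd --permanent --service="$svc" "--add-$kind=$value"
}

# Create the service if --info-service does not know it yet (non-zero exit),
# set its short description, add the validated ports and reload so the new
# permanent service can be referenced in the runtime configuration.
define_service() {
    svc=$1; short=$2; shift 2
    for spec in "$@"; do
        valid_port_spec "$spec" || { echo "bad port spec: $spec" >&2; return 1; }
    done
    firewall-cmd --permanent --info-service="$svc" >/dev/null 2>&1 \
        || firewall-cmd --permanent --new-service="$svc"
    firewall-cmd --permanent --service="$svc" --set-short="$short"
    for spec in "$@"; do
        ensure_service_item "$svc" port "$spec"
    done
    firewall-cmd --reload
    firewall-cmd --permanent --info-service="$svc"
}

# The validation runs anywhere; run define_service as root on a firewalld
# host, e.g.:  define_service example-api "Example API" 8080/tcp 8443/tcp
for spec in 8080/tcp 8000-8100/udp 8100-8000/tcp 443 70000/tcp 22/icmp; do
    if valid_port_spec "$spec"; then echo "$spec: ok"; else echo "$spec: rejected"; fi
done
```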
957
958   Helper Options
959       Options in this section affect only one particular helper.
960
961       [--permanent] --info-helper=helper
962           Print information about the helper helper. The output format is:
963
964               helper
965                 family: family
966                 module: module
967                 ports: port1 ..
968
969
970
971       The following options are only usable in the permanent configuration.
972
973       --permanent --new-helper=helper --module=nf_conntrack_module
974       [--family=ipv4|ipv6]
975           Add a new permanent helper with module and optionally family
976           defined.
977
978           Helper names must be alphanumeric and may additionally include
979           characters: '-'.
980
981       --permanent --new-helper-from-file=filename [--name=helper]
982           Add a new permanent helper from a prepared helper file with an
983           optional name override.
984
985       --permanent --delete-helper=helper
986           Delete an existing permanent helper.
987
988       --permanent --load-helper-defaults=helper
989           Load helper default settings or report NO_DEFAULTS error.
990
991       --permanent --path-helper=helper
992           Print path of the helper configuration file.
993
994       [--permanent] --get-helpers
995           Print predefined helpers as a space separated list.
996
       --permanent --helper=helper --set-description=description
           Set a new description for the helper.

       --permanent --helper=helper --get-description
           Print the description of the helper.

       --permanent --helper=helper --set-short=description
           Set the short description of the helper.

       --permanent --helper=helper --get-short
           Print the short description of the helper.
1008
1009       --permanent --helper=helper --add-port=portid[-portid]/protocol
1010           Add a new port to the permanent helper.
1011
1012       --permanent --helper=helper --remove-port=portid[-portid]/protocol
1013           Remove a port from the permanent helper.
1014
1015       --permanent --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.
1017
1018       --permanent --helper=helper --get-ports
1019           List ports added to the permanent helper.
1020
       --permanent --helper=helper --set-module=description
           Set the module description for the helper.

       --permanent --helper=helper --get-module
           Print the module description of the helper.

       --permanent --helper=helper --set-family=description
           Set the family description for the helper.

       --permanent --helper=helper --get-family
           Print the family description of the helper.
1032
1033   Internet Control Message Protocol (ICMP) type Options
1034       Options in this section affect only one particular icmptype.
1035
1036       [--permanent] --info-icmptype=icmptype
1037           Print information about the icmptype icmptype. The output format
1038           is:
1039
1040               icmptype
1041                 destination: ipv1 ..
1042
1043
1044
1045       The following options are only usable in the permanent configuration.
1046
1047       --permanent --new-icmptype=icmptype
1048           Add a new permanent and empty icmptype.
1049
1050           ICMP type names must be alphanumeric and may additionally include
1051           characters: '_' and '-'.
1052
1053       --permanent --new-icmptype-from-file=filename [--name=icmptype]
1054           Add a new permanent icmptype from a prepared icmptype file with an
1055           optional name override.
1056
1057       --permanent --delete-icmptype=icmptype
1058           Delete an existing permanent icmptype.
1059
1060       --permanent --load-icmptype-defaults=icmptype
1061           Load icmptype default settings or report NO_DEFAULTS error.
1062
       --permanent --icmptype=icmptype --set-description=description
           Set a new description for the icmptype.

       --permanent --icmptype=icmptype --get-description
           Print the description of the icmptype.

       --permanent --icmptype=icmptype --set-short=description
           Set the short description of the icmptype.

       --permanent --icmptype=icmptype --get-short
           Print the short description of the icmptype.
1074
1075       --permanent --icmptype=icmptype --add-destination=ipv
1076           Enable destination for ipv in permanent icmptype. ipv is one of
1077           ipv4 or ipv6.
1078
1079       --permanent --icmptype=icmptype --remove-destination=ipv
1080           Disable destination for ipv in permanent icmptype. ipv is one of
1081           ipv4 or ipv6.
1082
1083       --permanent --icmptype=icmptype --query-destination=ipv
1084           Return whether destination for ipv is enabled in permanent
1085           icmptype. ipv is one of ipv4 or ipv6.
1086
1087       --permanent --icmptype=icmptype --get-destinations
1088           List destinations in permanent icmptype.
1089
1090       --permanent --path-icmptype=icmptype
1091           Print path of the icmptype configuration file.
1092
1093   Direct Options
1094       DEPRECATED
1095           The direct interface has been deprecated. It will be removed in a
1096           future release. It is superseded by policies, see
1097           firewalld.policies(5).
1098
       The direct options give more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. tables
       (filter/mangle/nat/...), chains (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).
1104
1105       Direct options should be used only as a last resort when it's not
1106       possible to use for example --add-service=service or
1107       --add-rich-rule='rule'.
1108
1109       Warning: Direct rules behavior is different depending on the value of
1110       FirewallBackend. See CAVEATS in firewalld.direct(5).
1111
1112       The first argument of each option has to be ipv4 or ipv6 or eb. With
1113       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1114       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1115
1116       [--permanent] --direct --get-all-chains
1117           Get all chains added to all tables. This option concerns only
1118           chains previously added with --direct --add-chain.
1119
1120       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
1121           Get all chains added to table table as a space separated list. This
1122           option concerns only chains previously added with --direct
1123           --add-chain.
1124
1125       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
1126           Add a new chain with name chain to table table. Make sure there's
1127           no other chain with this name already.
1128
1129           There already exist basic chains to use with direct options, for
1130           example INPUT_direct chain (see iptables-save | grep direct output
1131           for all of them). These chains are jumped into before chains for
1132           zones, i.e. every rule put into INPUT_direct will be checked before
1133           rules in zones.
1134
1135       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1136           Remove chain with name chain from table table. Only chains
1137           previously added with --direct --add-chain can be removed this way.
1138
1139       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
1140           Return whether a chain with name chain exists in table table.
1141           Returns 0 if true, 1 otherwise. This option concerns only chains
1142           previously added with --direct --add-chain.
1143
1144       [--permanent] --direct --get-all-rules
1145           Get all rules added to all chains in all tables as a newline
1146           separated list of the priority and arguments. This option concerns
1147           only rules previously added with --direct --add-rule.
1148
1149       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
1150           Get all rules added to chain chain in table table as a newline
1151           separated list of the priority and arguments. This option concerns
1152           only rules previously added with --direct --add-rule.
1153
1154       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
1155       priority args
1156           Add a rule with the arguments args to chain chain in table table
1157           with priority priority.
1158
           The priority is used to order rules. Priority 0 means the rule is
           added at the top of the chain; with a higher priority the rule is
           added further down. Rules with the same priority are on the same
           level and the order of these rules is not fixed and may change. If
           you want to make sure that a rule will be added after another one,
           use a low priority for the first and a higher one for the
           following.
1165
1166       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1167       priority args
1168           Remove a rule with priority and the arguments args from chain chain
1169           in table table. Only rules previously added with --direct
1170           --add-rule can be removed this way.
1171
1172       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules in the chain with name chain in table table. This
           option concerns only rules previously added with --direct
           --add-rule in this chain.
1176
1177       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1178       priority args
1179           Return whether a rule with priority and the arguments args exists
1180           in chain chain in table table. Returns 0 if true, 1 otherwise. This
1181           option concerns only rules previously added with --direct
1182           --add-rule.
1183
1184       --direct --passthrough { ipv4 | ipv6 | eb } args
           Pass a command through to the firewall. args can be any iptables,
           ip6tables or ebtables command line arguments. This command is
           untracked, which means that firewalld is not able to provide
           information about this command later on, nor a listing of the
           untracked passthroughs.
1190
1191       [--permanent] --direct --get-all-passthroughs
1192           Get all passthrough rules as a newline separated list of the ipv
1193           value and arguments.
1194
1195       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1196           Get all passthrough rules for the ipv value as a newline separated
1197           list of the priority and arguments.
1198
1199       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1200           Add a passthrough rule with the arguments args for the ipv value.
1201
1202       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1203           Remove a passthrough rule with the arguments args for the ipv
1204           value.
1205
1206       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1207           Return whether a passthrough rule with the arguments args exists
1208           for the ipv value. Returns 0 if true, 1 otherwise.
1209
1210   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.
1216
1217       The lockdown access check limits D-Bus methods that are changing
1218       firewall rules. Query, list and get methods are not limited.
1219
1220       The lockdown feature is a very light version of user and application
1221       policies for firewalld and is turned off by default.
1222
1223       --lockdown-on
           Enable lockdown. Be careful: if firewall-cmd is not on the
           lockdown whitelist when you enable lockdown, you won't be able to
           disable it again with firewall-cmd; you would need to edit
           firewalld.conf.
1227
1228           This is a runtime and permanent change.
1229
1230       --lockdown-off
1231           Disable lockdown.
1232
1233           This is a runtime and permanent change.
1234
1235       --query-lockdown
1236           Query whether lockdown is enabled. Returns 0 if lockdown is
1237           enabled, 1 otherwise.
1238
1239   Lockdown Whitelist Options
1240       The lockdown whitelist can contain commands, contexts, users and user
1241       ids.
1242
       If a command entry on the whitelist ends with an asterisk '*', then all
       command lines starting with the command will match. If there is no
       '*', the absolute command including its arguments must match.
1246
       Command paths for users are not always the same and depend on the
       user's PATH. Some distributions symlink /bin to /usr/bin, in which
       case it depends on the order in which they appear in the PATH
       environment variable.
1250
1251       The context is the security (SELinux) context of a running application
1252       or service. To get the context of a running application use ps -e
1253       --context.
1254
1255       Warning: If the context is unconfined, then this will open access for
1256       more than the desired application.
1257
1258       The lockdown whitelist entries are checked in the following order:
1259           1. context
1260           2. uid
1261           3. user
1262           4. command
1263
1264       [--permanent] --list-lockdown-whitelist-commands
1265           List all command lines that are on the whitelist.
1266
1267       [--permanent] --add-lockdown-whitelist-command=command
1268           Add the command to the whitelist.
1269
1270       [--permanent] --remove-lockdown-whitelist-command=command
1271           Remove the command from the whitelist.
1272
1273       [--permanent] --query-lockdown-whitelist-command=command
1274           Query whether the command is on the whitelist. Returns 0 if true, 1
1275           otherwise.
1276
1277       [--permanent] --list-lockdown-whitelist-contexts
1278           List all contexts that are on the whitelist.
1279
1280       [--permanent] --add-lockdown-whitelist-context=context
1281           Add the context context to the whitelist.
1282
1283       [--permanent] --remove-lockdown-whitelist-context=context
1284           Remove the context from the whitelist.
1285
1286       [--permanent] --query-lockdown-whitelist-context=context
1287           Query whether the context is on the whitelist. Returns 0 if true, 1
1288           otherwise.
1289
1290       [--permanent] --list-lockdown-whitelist-uids
1291           List all user ids that are on the whitelist.
1292
1293       [--permanent] --add-lockdown-whitelist-uid=uid
1294           Add the user id uid to the whitelist.
1295
1296       [--permanent] --remove-lockdown-whitelist-uid=uid
1297           Remove the user id uid from the whitelist.
1298
1299       [--permanent] --query-lockdown-whitelist-uid=uid
1300           Query whether the user id uid is on the whitelist. Returns 0 if
1301           true, 1 otherwise.
1302
1303       [--permanent] --list-lockdown-whitelist-users
1304           List all user names that are on the whitelist.
1305
1306       [--permanent] --add-lockdown-whitelist-user=user
1307           Add the user name user to the whitelist.
1308
1309       [--permanent] --remove-lockdown-whitelist-user=user
1310           Remove the user name user from the whitelist.
1311
1312       [--permanent] --query-lockdown-whitelist-user=user
1313           Query whether the user name user is on the whitelist. Returns 0 if
1314           true, 1 otherwise.
1315
1316   Panic Options
1317       --panic-on
           Enable panic mode. All incoming and outgoing packets are dropped
           and active connections will expire. Enable this only if there are
           serious problems with your network environment, for example if
           the machine is being broken into.
1322
1323           This is a runtime only change.
1324
1325       --panic-off
1326           Disable panic mode. After disabling panic mode established
1327           connections might work again, if panic mode was enabled for a short
1328           period of time.
1329
1330           This is a runtime only change.
1331
1332       --query-panic
1333           Returns 0 if panic mode is enabled, 1 otherwise.
1334

EXAMPLES

1336       For more examples see http://fedoraproject.org/wiki/FirewallD
1337
1338   Example 1
       Enable the http service in the default zone. This is a runtime-only
       change, i.e. effective until restart.
1341
1342           firewall-cmd --add-service=http
1343
1344
1345
1346   Example 2
1347       Enable port 443/tcp immediately and permanently in default zone. To
1348       make the change effective immediately and also after restart we need
1349       two commands. The first command makes the change in runtime
1350       configuration, i.e. makes it effective immediately, until restart. The
1351       second command makes the change in permanent configuration, i.e. makes
1352       it effective after restart.
1353
1354           firewall-cmd --add-port=443/tcp
1355           firewall-cmd --permanent --add-port=443/tcp
1356
1357
1358

EXIT CODES

1360       On success 0 is returned. On failure the output is red colored and exit
1361       code is either 2 in case of wrong command-line option usage or one of
1362       the following error codes in other cases:
1363
1364       ┌────────────────────┬──────┐
       │String              │ Code │
1366       ├────────────────────┼──────┤
1367       │ALREADY_ENABLED     │   11 │
1368       ├────────────────────┼──────┤
1369       │NOT_ENABLED         │   12 │
       ├────────────────────┼──────┤
       │COMMAND_FAILED      │   13 │
       ├────────────────────┼──────┤
       │NO_IPV6_NAT         │   14 │
       ├────────────────────┼──────┤
       │PANIC_MODE          │   15 │
       ├────────────────────┼──────┤
       │ZONE_ALREADY_SET    │   16 │
       ├────────────────────┼──────┤
       │UNKNOWN_INTERFACE   │   17 │
       ├────────────────────┼──────┤
       │ZONE_CONFLICT       │   18 │
       ├────────────────────┼──────┤
       │BUILTIN_CHAIN       │   19 │
       ├────────────────────┼──────┤
       │EBTABLES_NO_REJECT  │   20 │
       ├────────────────────┼──────┤
       │NOT_OVERLOADABLE    │   21 │
       ├────────────────────┼──────┤
       │NO_DEFAULTS         │   22 │
       ├────────────────────┼──────┤
       │BUILTIN_ZONE        │   23 │
       ├────────────────────┼──────┤
       │BUILTIN_SERVICE     │   24 │
       ├────────────────────┼──────┤
       │BUILTIN_ICMPTYPE    │   25 │
       ├────────────────────┼──────┤
       │NAME_CONFLICT       │   26 │
       ├────────────────────┼──────┤
       │NAME_MISMATCH       │   27 │
       ├────────────────────┼──────┤
       │PARSE_ERROR         │   28 │
       ├────────────────────┼──────┤
       │ACCESS_DENIED       │   29 │
       ├────────────────────┼──────┤
       │UNKNOWN_SOURCE      │   30 │
       ├────────────────────┼──────┤
       │RT_TO_PERM_FAILED   │   31 │
       ├────────────────────┼──────┤
       │IPSET_WITH_TIMEOUT  │   32 │
       ├────────────────────┼──────┤
       │BUILTIN_IPSET       │   33 │
       ├────────────────────┼──────┤
       │ALREADY_SET         │   34 │
       ├────────────────────┼──────┤
       │MISSING_IMPORT      │   35 │
       ├────────────────────┼──────┤
       │DBUS_ERROR          │   36 │
       ├────────────────────┼──────┤
       │BUILTIN_HELPER      │   37 │
       ├────────────────────┼──────┤
       │NOT_APPLIED         │   38 │
       ├────────────────────┼──────┤
       │INVALID_ACTION      │  100 │
       ├────────────────────┼──────┤
       │INVALID_SERVICE     │  101 │
       ├────────────────────┼──────┤
       │INVALID_PORT        │  102 │
       ├────────────────────┼──────┤
       │INVALID_PROTOCOL    │  103 │
       ├────────────────────┼──────┤
       │INVALID_INTERFACE   │  104 │
       ├────────────────────┼──────┤
       │INVALID_ADDR        │  105 │
       ├────────────────────┼──────┤
       │INVALID_FORWARD     │  106 │
       ├────────────────────┼──────┤
       │INVALID_ICMPTYPE    │  107 │
       ├────────────────────┼──────┤
       │INVALID_TABLE       │  108 │
       ├────────────────────┼──────┤
       │INVALID_CHAIN       │  109 │
       ├────────────────────┼──────┤
       │INVALID_TARGET      │  110 │
       ├────────────────────┼──────┤
       │INVALID_IPV         │  111 │
       ├────────────────────┼──────┤
       │INVALID_ZONE        │  112 │
       ├────────────────────┼──────┤
       │INVALID_PROPERTY    │  113 │
       ├────────────────────┼──────┤
       │INVALID_VALUE       │  114 │
       ├────────────────────┼──────┤
       │INVALID_OBJECT      │  115 │
       ├────────────────────┼──────┤
       │INVALID_NAME        │  116 │
       ├────────────────────┼──────┤
       │INVALID_FILENAME    │  117 │
       ├────────────────────┼──────┤
       │INVALID_DIRECTORY   │  118 │
       ├────────────────────┼──────┤
       │INVALID_TYPE        │  119 │
       ├────────────────────┼──────┤
       │INVALID_SETTING     │  120 │
       ├────────────────────┼──────┤
       │INVALID_DESTINATION │  121 │
       ├────────────────────┼──────┤
       │INVALID_RULE        │  122 │
       ├────────────────────┼──────┤
       │INVALID_LIMIT       │  123 │
       ├────────────────────┼──────┤
       │INVALID_FAMILY      │  124 │
       ├────────────────────┼──────┤
       │INVALID_LOG_LEVEL   │  125 │
       ├────────────────────┼──────┤
       │INVALID_AUDIT_TYPE  │  126 │
       ├────────────────────┼──────┤
       │INVALID_MARK        │  127 │
       ├────────────────────┼──────┤
       │INVALID_CONTEXT     │  128 │
       ├────────────────────┼──────┤
       │INVALID_COMMAND     │  129 │
       ├────────────────────┼──────┤
       │INVALID_USER        │  130 │
       ├────────────────────┼──────┤
       │INVALID_UID         │  131 │
       ├────────────────────┼──────┤
       │INVALID_MODULE      │  132 │
       ├────────────────────┼──────┤
       │INVALID_PASSTHROUGH │  133 │
       ├────────────────────┼──────┤
       │INVALID_MAC         │  134 │
       ├────────────────────┼──────┤
       │INVALID_IPSET       │  135 │
       ├────────────────────┼──────┤
       │INVALID_ENTRY       │  136 │
       ├────────────────────┼──────┤
       │INVALID_OPTION      │  137 │
       ├────────────────────┼──────┤
       │INVALID_HELPER      │  138 │
       ├────────────────────┼──────┤
       │INVALID_PRIORITY    │  139 │
       ├────────────────────┼──────┤
       │INVALID_POLICY      │  140 │
       ├────────────────────┼──────┤
       │MISSING_TABLE       │  200 │
       ├────────────────────┼──────┤
       │MISSING_CHAIN       │  201 │
       ├────────────────────┼──────┤
       │MISSING_PORT        │  202 │
       ├────────────────────┼──────┤
       │MISSING_PROTOCOL    │  203 │
       ├────────────────────┼──────┤
       │MISSING_ADDR        │  204 │
       ├────────────────────┼──────┤
       │MISSING_NAME        │  205 │
       ├────────────────────┼──────┤
       │MISSING_SETTING     │  206 │
       ├────────────────────┼──────┤
       │MISSING_FAMILY      │  207 │
       ├────────────────────┼──────┤
       │RUNNING_BUT_FAILED  │  251 │
       ├────────────────────┼──────┤
       │NOT_RUNNING         │  252 │
       ├────────────────────┼──────┤
       │NOT_AUTHORIZED      │  253 │
       ├────────────────────┼──────┤
       │UNKNOWN_ERROR       │  254 │
       └────────────────────┴──────┘

       Note that the return codes of --query-* options are special:
       successful queries return 0 and unsuccessful ones return 1, unless
       an error occurred, in which case the table above applies.

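Scripts that drive firewall-cmd need to tell a negative --query-* answer (exit 1) apart from a real error, and usually want the "already in that state" codes (ALREADY_ENABLED 11, NOT_ENABLED 12, ZONE_ALREADY_SET 16) treated as success. The wrappers below are an added example, not part of firewalld; they assume only the exit codes documented on this page and take the command to run as their arguments.

```shell
#!/bin/sh
# Added example, not part of firewalld: wrappers that interpret
# firewall-cmd exit codes for scripts. The command to run is passed
# as arguments, so "firewall-cmd --query-service=ssh" is one call.

# Name the codes scripts most often branch on; the list is taken
# from the EXIT CODES table, any other code is reported by number.
fwcmd_error_name() {
    case "$1" in
        11)  echo ALREADY_ENABLED ;;
        12)  echo NOT_ENABLED ;;
        16)  echo ZONE_ALREADY_SET ;;
        29)  echo ACCESS_DENIED ;;
        38)  echo NOT_APPLIED ;;
        112) echo INVALID_ZONE ;;
        251) echo RUNNING_BUT_FAILED ;;
        252) echo NOT_RUNNING ;;
        253) echo NOT_AUTHORIZED ;;
        254) echo UNKNOWN_ERROR ;;
        *)   echo "ERROR_$1" ;;
    esac
}

# --query-* commands: 0 and 1 are both answers ("yes"/"no"), so the
# function returns 0 for either and prints the answer; any other
# code is a real error and is passed through with its name on stderr.
fw_query() {
    if "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case "$rc" in
        0) echo yes; return 0 ;;
        1) echo no; return 0 ;;
        *) echo "error: $(fwcmd_error_name "$rc")" >&2; return "$rc" ;;
    esac
}

# Change commands (--add-*, --remove-*, --change-*): treat the
# "already in that state" codes as success, as firewall-cmd itself
# does for sequence options, so repeated runs are idempotent.
fw_change() {
    if "$@" >/dev/null 2>&1; then rc=0; else rc=$?; fi
    case "$rc" in
        0|11|12|16) return 0 ;;
        *) echo "error: $(fwcmd_error_name "$rc")" >&2; return "$rc" ;;
    esac
}

# Typical use (requires a running firewalld):
#   fw_change firewall-cmd --zone=public --add-service=ssh
#   [ "$(fw_query firewall-cmd --zone=public --query-service=ssh)" = yes ]
```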

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5),
       firewalld.helper(5)


NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD


AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer



firewalld 1.0.1                                                FIREWALL-CMD(1)