1FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)
2
3
4

NAME

6       firewall-cmd - firewalld command line client
7

SYNOPSIS

9       firewall-cmd [OPTIONS...]
10

DESCRIPTION

12       firewall-cmd is the command line client of the firewalld daemon. It
13       provides an interface to manage the runtime and permanent
14       configurations.
15
16       The runtime configuration in firewalld is separated from the permanent
17       configuration. This means that things can get changed in the runtime or
18       permanent configuration.
19

OPTIONS

21       Sequence options are the options that can be specified multiple times,
22       the exit code is 0 if there is at least one item that succeeded. The
23       ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
24       errors are treated as succeeded. If there are issues while parsing the
25       items, then these are treated as warnings and will not change the
26       result as long as there is a succeeded one. Without any succeeded item,
27       the exit code will depend on the error codes. If there is exactly one
28       error code, then this is used. If there are more than one then
29       UNKNOWN_ERROR (254) will be used.
30
31       The following options are supported:
32
33   General Options
34       -h, --help
35           Prints a short help text and exits.
36
37       -V, --version
38           Print the version string of firewalld. This option is not
39           combinable with other options.
40
41       -q, --quiet
42           Do not print status messages.
43
44   Status Options
45       --state
46           Check whether the firewalld daemon is active (i.e. running).
47           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if
48           failure occurred on startup, NOT_RUNNING otherwise. See the section
49           called “EXIT CODES”. This will also print the state to STDOUT.
50
51       --reload
52           Reload firewall rules and keep state information. Current permanent
53           configuration will become new runtime configuration, i.e. all
54           runtime only changes done until reload are lost with reload if they
55           have not been also in permanent configuration.
56
57           Note: If FlushAllOnReload=no, runtime changes applied via the
58           direct interface are not affected and will therefore stay in place
59           until firewalld daemon is restarted completely. For
60           FlushAllOnReload, see firewalld.conf(5).
61
62       --complete-reload
63           Reload firewall completely, even netfilter kernel modules. This
64           will most likely terminate active connections, because state
65           information is lost. This option should only be used in case of
66           severe firewall problems. For example if there are state
67           information problems that no connection can be established with
68           correct firewall rules.
69
70           Note: If FlushAllOnReload=no, runtime changes applied via the
71           direct interface are not affected and will therefore stay in place
72           until firewalld daemon is restarted completely. For
73           FlushAllOnReload, see firewalld.conf(5).
74
75       --runtime-to-permanent
76           Save active runtime configuration and overwrite permanent
77           configuration with it. The way this is supposed to work is that
78           when configuring firewalld you do runtime changes only and once
79           you're happy with the configuration and you tested that it works
80           the way you want, you save the configuration to disk.
81
82       --check-config
83           Run checks on the permanent configuration. This includes XML
84           validity and semantics.
85
86   Log Denied Options
87       --get-log-denied
88           Print the log denied setting.
89
90       --set-log-denied=value
91           Add logging rules right before reject and drop rules in the INPUT,
92           FORWARD and OUTPUT chains for the default rules and also final
93           reject and drop rules in zones for the configured link-layer packet
94           type. The possible values are: all, unicast, broadcast, multicast
95           and off. The default setting is off, which disables the logging.
96
97           This is a runtime and permanent change and will also reload the
98           firewall to be able to add the logging rules.
99
100   Permanent Options
101       --permanent
102           The permanent option --permanent can be used to set options
103           permanently. These changes are not effective immediately, only
104           after service restart/reload or system reboot. Without the
105           --permanent option, a change will only be part of the runtime
106           configuration.
107
108           If you want to make a change in runtime and permanent
109           configuration, use the same call with and without the --permanent
110           option.
111
112           The --permanent option can be optionally added to all options
113           further down where it is supported.
114
115   Zone Options
116       --get-default-zone
117           Print default zone for connections and interfaces.
118
119       --set-default-zone=zone
120           Set default zone for connections and interfaces where no zone has
121           been selected. Setting the default zone changes the zone for the
122           connections or interfaces, that are using the default zone.
123
124           This is a runtime and permanent change.
125
126       --get-active-zones
127           Print currently active zones altogether with interfaces and sources
128           used in these zones. Active zones are zones, that have a binding to
129           an interface or source. The output format is:
130
131               zone1
132                 interfaces: interface1 interface2 ..
133                 sources: source1 ..
134               zone2
135                 interfaces: interface3 ..
136               zone3
137                 sources: source2 ..
138
139
140           If there are no interfaces or sources bound to the zone, the
141           corresponding line will be omitted.
142
143       [--permanent] --get-zones
144           Print predefined zones as a space separated list.
145
146       [--permanent] --get-services
147           Print predefined services as a space separated list.
148
149       [--permanent] --get-icmptypes
150           Print predefined icmptypes as a space separated list.
151
152       [--permanent] --get-zone-of-interface=interface
153           Print the name of the zone the interface is bound to or no zone.
154
155       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
156           Print the name of the zone the source is bound to or no zone.
157
158       [--permanent] --info-zone=zone
159           Print information about the zone zone. The output format is:
160
161               zone
162                 interfaces: interface1 ..
163                 sources: source1 ..
164                 services: service1 ..
165                 ports: port1 ..
166                 protocols: protocol1 ..
167                 forward-ports:
168                       forward-port1
169                       ..
170                 source-ports: source-port1 ..
171                 icmp-blocks: icmp-type1 ..
172                 rich rules:
173                       rich-rule1
174                       ..
175
176
177
178       [--permanent] --list-all-zones
179           List everything added for or enabled in all zones. The output
180           format is:
181
182               zone1
183                 interfaces: interface1 ..
184                 sources: source1 ..
185                 services: service1 ..
186                 ports: port1 ..
187                 protocols: protocol1 ..
188                 forward-ports:
189                       forward-port1
190                       ..
191                 icmp-blocks: icmp-type1 ..
192                 rich rules:
193                       rich-rule1
194                       ..
195               ..
196
197
198
199       --permanent --new-zone=zone
200           Add a new permanent and empty zone.
201
202           Zone names must be alphanumeric and may additionally include
203           characters: '_' and '-'.
204
205       --permanent --new-zone-from-file=filename [--name=zone]
206           Add a new permanent zone from a prepared zone file with an optional
207           name override.
208
209       --permanent --delete-zone=zone
210           Delete an existing permanent zone.
211
212       --permanent --load-zone-defaults=zone
213           Load zone default settings or report NO_DEFAULTS error.
214
215       --permanent --path-zone=zone
216           Print path of the zone configuration file.
217
218   Policy Options
219       [--permanent] --get-policies
220           Print predefined policies as a space separated list.
221
222       [--permanent] --info-policy=policy
223           Print information about the policy policy.
224
225       [--permanent] --list-all-policies
226           List everything added for or enabled in all policies.
227
228       --permanent --new-policy=policy
229           Add a new permanent policy.
230
231           Policy names must be alphanumeric and may additionally include
232           characters: '_' and '-'.
233
234       --permanent --new-policy-from-file=filename [--name=policy]
235           Add a new permanent policy from a prepared policy file with an
236           optional name override.
237
238       --permanent --path-policy=policy
239           Print path of the policy configuration file.
240
241       --permanent --delete-policy=policy
242           Delete an existing permanent policy.
243
244       --permanent --load-policy-defaults=policy
245           Load the shipped defaults for a policy. Only applies to policies
246           shipped with firewalld. Does not apply to user defined policies.
247
248   Options to Adapt and Query Zones and Policies
249       Options in this section affect only one particular zone or policy. If
250       used with --zone=zone or --policy=policy option, they affect the
251       specified zone or policy. If both options are omitted, they affect the
252       default zone (see --get-default-zone).
253
254       [--permanent] [--zone=zone] [--policy=policy] --list-all
255           List everything added or enabled.
256
257       --permanent [--zone=zone] [--policy=policy] --get-target
258           Get the target.
259
260       --permanent [--zone=zone] [--policy=policy] --set-target=target
261           Set the target.
262
263           For zones target is one of: default, ACCEPT, DROP, REJECT
264
265           For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT
266
267           default is similar to REJECT, but it implicitly allows ICMP
268           packets.
269
270       --permanent [--zone=zone] [--policy=policy]
271       --set-description=description
272           Set description.
273
274       --permanent [--zone=zone] [--policy=policy] --get-description
275           Print description.
276
277       --permanent [--zone=zone] [--policy=policy] --set-short=description
278           Set short description.
279
280       --permanent [--zone=zone] [--policy=policy] --get-short
281           Print short description.
282
283       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
284       --list-services
285           List services added as a space separated list.
286
287       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
288       --add-service=service [--timeout=timeval]
289           Add a service. This option can be specified multiple times. If a
290           timeout is supplied, the rule will be active for the specified
291           amount of time and will be removed automatically afterwards.
292           timeval is either a number (of seconds) or number followed by one
293           of characters s (seconds), m (minutes), h (hours), for example 20m
294           or 1h.
295
296           The service is one of the firewalld provided services. To get a
297           list of the supported services, use firewall-cmd --get-services.
298
299           The --timeout option is not combinable with the --permanent option.
300
301           Note: Some services define connection tracking helpers. Helpers
302           that may operate in client mode (e.g. tftp) must be added to an
303           outbound policy instead of a zone to take effect for clients.
304           Otherwise the helper will not be applied to the outbound traffic.
305           The related traffic, as defined by the connection tracking helper,
306           on the return path (ingress) will be allowed by the stateful
307           firewall rules.
308
309           An example of an outbound policy for connection tracking helpers:
310
311               # firewall-cmd --permanent --new-policy clientConntrack
312               # firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
313               # firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
314               # firewall-cmd --permanent --policy clientConntrack --add-service tftp
315
316
317
318       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
319       --remove-service=service
320           Remove a service. This option can be specified multiple times.
321
322       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
323       --query-service=service
324           Return whether service has been added. Returns 0 if true, 1
325           otherwise.
326
327       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
328       --list-ports
329           List ports added as a space separated list. A port is of the form
330           portid[-portid]/protocol, it can be either a port and protocol pair
331           or a port range with a protocol.
332
333       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
334       --add-port=portid[-portid]/protocol [--timeout=timeval]
335           Add the port. This option can be specified multiple times. If a
336           timeout is supplied, the rule will be active for the specified
337           amount of time and will be removed automatically afterwards.
338           timeval is either a number (of seconds) or number followed by one
339           of characters s (seconds), m (minutes), h (hours), for example 20m
340           or 1h.
341
342           The port can either be a single port number or a port range
343           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
344
345           The --timeout option is not combinable with the --permanent option.
346
347       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
348       --remove-port=portid[-portid]/protocol
349           Remove the port. This option can be specified multiple times.
350
351       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
352       --query-port=portid[-portid]/protocol
353           Return whether the port has been added. Returns 0 if true, 1
354           otherwise.
355
356       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
357       --list-protocols
358           List protocols added as a space separated list.
359
360       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
361       --add-protocol=protocol [--timeout=timeval]
362           Add the protocol. This option can be specified multiple times. If a
363           timeout is supplied, the rule will be active for the specified
364           amount of time and will be removed automatically afterwards.
365           timeval is either a number (of seconds) or number followed by one
366           of characters s (seconds), m (minutes), h (hours), for example 20m
367           or 1h.
368
369           The protocol can be any protocol supported by the system. Please
370           have a look at /etc/protocols for supported protocols.
371
372           The --timeout option is not combinable with the --permanent option.
373
374       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
375       --remove-protocol=protocol
376           Remove the protocol. This option can be specified multiple times.
377
378       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
379       --query-protocol=protocol
380           Return whether the protocol has been added. Returns 0 if true, 1
381           otherwise.
382
383       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
384       --list-source-ports
385           List source ports added as a space separated list. A port is of the
386           form portid[-portid]/protocol.
387
388       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
389       --add-source-port=portid[-portid]/protocol [--timeout=timeval]
390           Add the source port. This option can be specified multiple times.
391           If a timeout is supplied, the rule will be active for the specified
392           amount of time and will be removed automatically afterwards.
393           timeval is either a number (of seconds) or number followed by one
394           of characters s (seconds), m (minutes), h (hours), for example 20m
395           or 1h.
396
397           The port can either be a single port number or a port range
398           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
399
400           The --timeout option is not combinable with the --permanent option.
401
402       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
403       --remove-source-port=portid[-portid]/protocol
404           Remove the source port. This option can be specified multiple
405           times.
406
407       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
408       --query-source-port=portid[-portid]/protocol
409           Return whether the source port has been added. Returns 0 if true, 1
410           otherwise.
411
412       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
413       --list-icmp-blocks
414           List Internet Control Message Protocol (ICMP) type blocks added as
415           a space separated list.
416
417       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
418       --add-icmp-block=icmptype [--timeout=timeval]
419           Add an ICMP block for icmptype. This option can be specified
420           multiple times. If a timeout is supplied, the rule will be active
421           for the specified amount of time and will be removed automatically
422           afterwards.  timeval is either a number (of seconds) or number
423           followed by one of characters s (seconds), m (minutes), h (hours),
424           for example 20m or 1h.
425
426           The icmptype is the one of the icmp types firewalld supports. To
427           get a listing of supported icmp types: firewall-cmd --get-icmptypes
428
429           The --timeout option is not combinable with the --permanent option.
430
431       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
432       --remove-icmp-block=icmptype
433           Remove the ICMP block for icmptype. This option can be specified
434           multiple times.
435
436       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
437       --query-icmp-block=icmptype
438           Return whether an ICMP block for icmptype has been added. Returns 0
439           if true, 1 otherwise.
440
441       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
442       --list-forward-ports
443           List IPv4 forward ports added as a space separated list.
444
445           For IPv6 forward ports, please use the rich language.
446
447       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
448       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
449       [--timeout=timeval]
450           Add the IPv4 forward port. This option can be specified multiple
451           times. If a timeout is supplied, the rule will be active for the
452           specified amount of time and will be removed automatically
453           afterwards.  timeval is either a number (of seconds) or number
454           followed by one of characters s (seconds), m (minutes), h (hours),
455           for example 20m or 1h.
456
457           The port can either be a single port number portid or a port range
458           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
459           The destination address is a simple IP address.
460
461           The --timeout option is not combinable with the --permanent option.
462
463           For IPv6 forward ports, please use the rich language.
464
465           Note: IP forwarding will be implicitly enabled if toaddr is
466           specified.
467
468       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
469       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
470           Remove the IPv4 forward port. This option can be specified multiple
471           times.
472
473           For IPv6 forward ports, please use the rich language.
474
475       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
476       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
477           Return whether the IPv4 forward port has been added. Returns 0 if
478           true, 1 otherwise.
479
480           For IPv6 forward ports, please use the rich language.
481
482       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
483       --add-masquerade [--timeout=timeval]
484           Enable IPv4 masquerade. If a timeout is supplied, masquerading will
485           be active for the specified amount of time.  timeval is either a
486           number (of seconds) or number followed by one of characters s
487           (seconds), m (minutes), h (hours), for example 20m or 1h.
488           Masquerading is useful if the machine is a router and machines
489           connected over an interface in another zone should be able to use
490           the first connection.
491
492           The --timeout option is not combinable with the --permanent option.
493
494           For IPv6 masquerading, please use the rich language.
495
496           Note: IP forwarding will be implicitly enabled.
497
498       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
499       --remove-masquerade
500           Disable IPv4 masquerade. If the masquerading was enabled with a
501           timeout, it will be disabled also.
502
503           For IPv6 masquerading, please use the rich language.
504
505       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
506       --query-masquerade
507           Return whether IPv4 masquerading has been enabled. Returns 0 if
508           true, 1 otherwise.
509
510           For IPv6 masquerading, please use the rich language.
511
512       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
513       --list-rich-rules
514           List rich language rules added as a newline separated list.
515
516       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
517       --add-rich-rule='rule' [--timeout=timeval]
518           Add rich language rule 'rule'. This option can be specified
519           multiple times. If a timeout is supplied, the rule will be active
520           for the specified amount of time and will be removed automatically
521           afterwards.  timeval is either a number (of seconds) or number
522           followed by one of characters s (seconds), m (minutes), h (hours),
523           for example 20m or 1h.
524
525           For the rich language rule syntax, please have a look at
526           firewalld.richlanguage(5).
527
528           The --timeout option is not combinable with the --permanent option.
529
530       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
531       --remove-rich-rule='rule'
532           Remove rich language rule 'rule'. This option can be specified
533           multiple times.
534
535           For the rich language rule syntax, please have a look at
536           firewalld.richlanguage(5).
537
538       [--permanent] [--zone=zone] [--permanent] [--policy=policy]
539       --query-rich-rule='rule'
540           Return whether a rich language rule 'rule' has been added. Returns
541           0 if true, 1 otherwise.
542
543           For the rich language rule syntax, please have a look at
544           firewalld.richlanguage(5).
545
546   Options to Adapt and Query Zones
547       Options in this section affect only one particular zone. If used with
548       --zone=zone option, they affect the specified zone. If the option is
549       omitted, they affect default zone (see --get-default-zone).
550
551       [--permanent] [--zone=zone] --add-icmp-block-inversion
552           Enable ICMP block inversion.
553
554       [--permanent] [--zone=zone] --remove-icmp-block-inversion
555           Disable ICMP block inversion.
556
557       [--permanent] [--zone=zone] --query-icmp-block-inversion
558           Return whether ICMP block inversion is enabled. Returns 0 if true,
559           1 otherwise.
560
561       [--permanent] [--zone=zone] --add-forward
562           Enable intra zone forwarding.
563
564       [--permanent] [--zone=zone] --remove-forward
565           Disable intra zone forwarding.
566
567       [--permanent] [--zone=zone] --query-forward
568           Return whether intra zone forwarding is enabled. Returns 0 if true,
569           1 otherwise.
570
571   Options to Adapt and Query Policies
572       Options in this section affect only one particular policy. It's
573       required to specify --policy=policy with these options.
574
575       --permanent --policy=policy --get-priority
576           Get the priority.
577
578       --permanent --policy=policy --set-priority=priority
579           Set the priority. The priority determines the relative ordering of
580           policies. This is an integer value between -32768 and 32767 where
581           -1 is the default value for new policies and 0 is reserved for
582           internal use.
583
584           If a priority is < 0, then the policy's rules will execute before
585           all rules in all zones.
586
587           If a priority is > 0, then the policy's rules will execute after
588           all rules in all zones.
589
590       [--permanent] --policy=policy --list-ingress-zones
591           List ingress zones added as a space separated list.
592
593       [--permanent] --policy=policy --add-ingress-zone=zone
594           Add an ingress zone. This option can be specified multiple times.
595
596           The ingress zone is one of the firewalld provided zones or one of
597           the pseudo-zones: HOST, ANY.
598
599           HOST is used for traffic originating from the host machine, i.e.
600           the host running firewalld.
601
602           ANY is used for traffic originating from any zone. This can be
603           thought of as a wild card for zones. However it does not include
604           traffic originating from the host machine - use HOST for that.
605
606       [--permanent] --policy=policy --remove-ingress-zone=zone
607           Remove an ingress zone. This option can be specified multiple
608           times.
609
610       [--permanent] --policy=policy --query-ingress-zone=zone
611           Return whether zone has been added. Returns 0 if true, 1 otherwise.
612
613       [--permanent] --policy=policy --list-egress-zones
614           List egress zones added as a space separated list.
615
616       [--permanent] --policy=policy --add-egress-zone=zone
617           Add an egress zone. This option can be specified multiple times.
618
619           The egress zone is one of the firewalld provided zones or one of
620           the pseudo-zones: HOST, ANY.
621
622           For clarification on HOST and ANY see option --add-ingress-zone.
623
624       [--permanent] --policy=policy --remove-egress-zone=zone
625           Remove an egress zone. This option can be specified multiple times.
626
627       [--permanent] --policy=policy --query-egress-zone=zone
628           Return whether zone has been added. Returns 0 if true, 1 otherwise.
629
630   Options to Handle Bindings of Interfaces
631       Binding an interface to a zone means that this zone settings are used
632       to restrict traffic via the interface.
633
634       Options in this section affect only one particular zone. If used with
635       --zone=zone option, they affect the zone zone. If the option is
636       omitted, they affect default zone (see --get-default-zone).
637
638       For a list of predefined zones use firewall-cmd --get-zones.
639
640       An interface name is a string up to 16 characters long, that may not
641       contain ' ', '/', '!' and '*'.
642
643       [--permanent] [--zone=zone] --list-interfaces
644           List interfaces that are bound to zone zone as a space separated
645           list. If zone is omitted, default zone will be used.
646
647       [--permanent] [--zone=zone] --add-interface=interface
648           Bind interface interface to zone zone. If zone is omitted, default
649           zone will be used.
650
651           If the interface is under control of NetworkManager, it is at first
652           connected to change the zone for the connection that is using the
653           interface. If this fails, the zone binding is created in firewalld
654           and the limitations below apply. For interfaces that are not under
655           control of NetworkManager, firewalld tries to change the ZONE
656           setting in the ifcfg file, if the file exists.
657
658           As a end user you don't need this in most cases, because
659           NetworkManager (or legacy network service) adds interfaces into
660           zones automatically (according to ZONE= option from ifcfg-interface
661           file) if NM_CONTROLLED=no is not set. You should do it only if
662           there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
663           there is such file and you add interface to zone with this
664           --add-interface option, make sure the zone is the same in both
665           cases, otherwise the behaviour would be undefined. Please also have
666           a look at the firewalld(1) man page in the Concepts section. For
667           permanent association of interface with a zone, see also 'How to
668           set or change a zone for a connection?' in firewalld.zones(5).
669
670       [--permanent] [--zone=zone] --change-interface=interface
671           If the interface is under control of NetworkManager, it is at first
672           connected to change the zone for the connection that is using the
673           interface. If this fails, the zone binding is created in firewalld
674           and the limitations below apply. For interfaces that are not under
675           control of NetworkManager, firewalld tries to change the ZONE
676           setting in the ifcfg file, if the file exists.
677
678           Change zone the interface interface is bound to to zone zone. It's
679           basically --remove-interface followed by --add-interface. If the
680           interface has not been bound to a zone before, it behaves like
681           --add-interface. If zone is omitted, default zone will be used.
682
683       [--permanent] [--zone=zone] --query-interface=interface
684           Query whether interface interface is bound to zone zone. Returns 0
685           if true, 1 otherwise.
686
687       [--permanent] --remove-interface=interface
688           If the interface is under control of NetworkManager, it is at first
689           connected to change the zone for the connection that is using the
690           interface. If this fails, the zone binding is created in firewalld
691           and the limitations below apply.
692
693           For the addition or change of interfaces that are not under control
694           of NetworkManager: firewalld tries to change the ZONE setting in
695           the ifcfg file, if an ifcfg file exists that is using the
696           interface.
697
698           Only for the removal of interfaces that are not under control of
699           NetworkManager: firewalld is not trying to change the ZONE setting
700           in the ifcfg file. This is needed to make sure that an ifdown of
701           the interface will not result in a reset of the zone setting to the
702           default zone. Only the zone binding is then removed in firewalld
703           then.
704
705           Remove binding of interface interface from zone it was previously
706           added to.
707
708   Options to Handle Bindings of Sources
709       Binding a source to a zone means that this zone settings will be used
710       to restrict traffic from this source.
711
712       A source address or address range is either an IP address or a network
713       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
714       with the ipset: prefix. For IPv4, the mask can be a network mask or a
715       plain number. For IPv6 the mask is a plain number. The use of host
716       names is not supported.
717
718       Options in this section affect only one particular zone. If used with
719       --zone=zone option, they affect the zone zone. If the option is
720       omitted, they affect default zone (see --get-default-zone).
721
722       For a list of predefined zones use firewall-cmd [--permanent]
723       --get-zones.
724
725       [--permanent] [--zone=zone] --list-sources
726           List sources that are bound to zone zone as a space separated list.
727           If zone is omitted, default zone will be used.
728
729       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
730           Bind the source to zone zone. If zone is omitted, default zone will
731           be used.
732
733       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
734           Change zone the source is bound to to zone zone. It's basically
735           --remove-source followed by --add-source. If the source has not
736           been bound to a zone before, it behaves like --add-source. If zone
737           is omitted, default zone will be used.
738
739       [--permanent] [--zone=zone]
740       --query-source=source[/mask]|MAC|ipset:ipset
741           Query whether the source is bound to the zone zone. Returns 0 if
742           true, 1 otherwise.
743
744       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
745           Remove binding of the source from zone it was previously added to.
746
747   IPSet Options
748       --get-ipset-types
749           Print the supported ipset types.
750
751       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
752       [--option=key[=value]]
753           Add a new permanent and empty ipset with specifying the type and
754           optional the family and options like timeout, hashsize and maxelem.
755           For more information please have a look at ipset(8) man page.
756
757           ipset names must be alphanumeric and may additionally include
758           characters: '_' and '-'.
759
760       --permanent --new-ipset-from-file=filename [--name=ipset]
761           Add a new permanent ipset from a prepared ipset file with an
762           optional name override.
763
764       --permanent --delete-ipset=ipset
765           Delete an existing permanent ipset.
766
767       --permanent --load-ipset-defaults=ipset
768           Load ipset default settings or report NO_DEFAULTS error.
769
770       [--permanent] --info-ipset=ipset
771           Print information about the ipset ipset. The output format is:
772
773               ipset
774                 type: type
775                 options: option1[=value1] ..
776                 entries: entry1 ..
777
778
779
780       [--permanent] --get-ipsets
781           Print predefined ipsets as a space separated list.
782
783       --permanent --ipset=ipset --set-description=description
784           Set new description to ipset
785
786       --permanent --ipset=ipset --get-description
787           Print description for ipset
788
789       --permanent --ipset=ipset --set-short=description
790           Set short description to ipset
791
792       --permanent --ipset=ipset --get-short
793           Print short description for ipset
794
795       [--permanent] --ipset=ipset --add-entry=entry
796           Add a new entry to the ipset.
797
798           Adding an entry to an ipset with option timeout is permitted, but
799           these entries are not tracked by firewalld.
800
801       [--permanent] --ipset=ipset --remove-entry=entry
802           Remove an entry from the ipset.
803
804       [--permanent] --ipset=ipset --query-entry=entry
805           Return whether the entry has been added to an ipset. Returns 0 if
806           true, 1 otherwise.
807
808           Querying an ipset with a timeout will yield an error. Entries are
809           not tracked for ipsets with a timeout.
810
811       [--permanent] --ipset=ipset --get-entries
812           List all entries of the ipset.
813
814       [--permanent] --ipset=ipset --add-entries-from-file=filename
815           Add a new entries to the ipset from the file. For all entries that
816           are listed in the file but already in the ipset, a warning will be
817           printed.
818
819           The file should contain an entry per line. Lines starting with an
820           hash or semicolon are ignored. Also empty lines.
821
822       [--permanent] --ipset=ipset --remove-entries-from-file=filename
823           Remove existing entries from the ipset from the file. For all
824           entries that are listed in the file but not in the ipset, a warning
825           will be printed.
826
827           The file should contain an entry per line. Lines starting with an
828           hash or semicolon are ignored. Also empty lines.
829
830       --permanent --path-ipset=ipset
831           Print path of the ipset configuration file.
832
833   Service Options
834       Options in this section affect only one particular service.
835
836       [--permanent] --info-service=service
837           Print information about the service service. The output format is:
838
839               service
840                 ports: port1 ..
841                 protocols: protocol1 ..
842                 source-ports: source-port1 ..
843                 helpers: helper1 ..
844                 destination: ipv1:address1 ..
845
846
847
848       The following options are only usable in the permanent configuration.
849
850       --permanent --new-service=service
851           Add a new permanent and empty service.
852
853           Service names must be alphanumeric and may additionally include
854           characters: '_' and '-'.
855
856       --permanent --new-service-from-file=filename [--name=service]
857           Add a new permanent service from a prepared service file with an
858           optional name override.
859
860       --permanent --delete-service=service
861           Delete an existing permanent service.
862
863       --permanent --load-service-defaults=service
864           Load service default settings or report NO_DEFAULTS error.
865
866       --permanent --path-service=service
867           Print path of the service configuration file.
868
869       --permanent --service=service --set-description=description
870           Set new description to service
871
872       --permanent --service=service --get-description
873           Print description for service
874
875       --permanent --service=service --set-short=description
876           Set short description to service
877
878       --permanent --service=service --get-short
879           Print short description for service
880
881       --permanent --service=service --add-port=portid[-portid]/protocol
882           Add a new port to the permanent service.
883
884       --permanent --service=service --remove-port=portid[-portid]/protocol
885           Remove a port from the permanent service.
886
887       --permanent --service=service --query-port=portid[-portid]/protocol
888           Return whether the port has been added to the permanent service.
889
890       --permanent --service=service --get-ports
891           List ports added to the permanent service.
892
893       --permanent --service=service --add-protocol=protocol
894           Add a new protocol to the permanent service.
895
896       --permanent --service=service --remove-protocol=protocol
897           Remove a protocol from the permanent service.
898
899       --permanent --service=service --query-protocol=protocol
900           Return whether the protocol has been added to the permanent
901           service.
902
903       --permanent --service=service --get-protocols
904           List protocols added to the permanent service.
905
906       --permanent --service=service
907       --add-source-port=portid[-portid]/protocol
908           Add a new source port to the permanent service.
909
910       --permanent --service=service
911       --remove-source-port=portid[-portid]/protocol
912           Remove a source port from the permanent service.
913
914       --permanent --service=service
915       --query-source-port=portid[-portid]/protocol
916           Return whether the source port has been added to the permanent
917           service.
918
919       --permanent --service=service --get-source-ports
920           List source ports added to the permanent service.
921
922       --permanent --service=service --add-helper=helper
923           Add a new helper to the permanent service.
924
925       --permanent --service=service --remove-helper=helper
926           Remove a helper from the permanent service.
927
928       --permanent --service=service --query-helper=helper
929           Return whether the helper has been added to the permanent service.
930
931       --permanent --service=service --get-service-helpers
932           List helpers added to the permanent service.
933
934       --permanent --service=service --set-destination=ipv:address[/mask]
935           Set destination for ipv to address[/mask] in the permanent service.
936
937       --permanent --service=service --remove-destination=ipv
938           Remove the destination for ipv from the permanent service.
939
940       --permanent --service=service --query-destination=ipv:address[/mask]
941           Return whether the destination ipv to address[/mask] has been set
942           in the permanent service.
943
944       --permanent --service=service --get-destinations
945           List destinations added to the permanent service.
946
947       --permanent --service=service --add-include=service
948           Add a new include to the permanent service.
949
950       --permanent --service=service --remove-include=service
951           Remove a include from the permanent service.
952
953       --permanent --service=service --query-include=service
954           Return whether the include has been added to the permanent service.
955
956       --permanent --service=service --get-includes
957           List includes added to the permanent service.
958
959   Helper Options
960       Options in this section affect only one particular helper.
961
962       [--permanent] --info-helper=helper
963           Print information about the helper helper. The output format is:
964
965               helper
966                 family: family
967                 module: module
968                 ports: port1 ..
969
970
971
972       The following options are only usable in the permanent configuration.
973
974       --permanent --new-helper=helper --module=nf_conntrack_module
975       [--family=ipv4|ipv6]
976           Add a new permanent helper with module and optionally family
977           defined.
978
979           Helper names must be alphanumeric and may additionally include
980           characters: '-'.
981
982       --permanent --new-helper-from-file=filename [--name=helper]
983           Add a new permanent helper from a prepared helper file with an
984           optional name override.
985
986       --permanent --delete-helper=helper
987           Delete an existing permanent helper.
988
989       --permanent --load-helper-defaults=helper
990           Load helper default settings or report NO_DEFAULTS error.
991
992       --permanent --path-helper=helper
993           Print path of the helper configuration file.
994
995       [--permanent] --get-helpers
996           Print predefined helpers as a space separated list.
997
998       --permanent --helper=helper --set-description=description
999           Set new description to helper
1000
1001       --permanent --helper=helper --get-description
1002           Print description for helper
1003
1004       --permanent --helper=helper --set-short=description
1005           Set short description to helper
1006
1007       --permanent --helper=helper --get-short
1008           Print short description for helper
1009
1010       --permanent --helper=helper --add-port=portid[-portid]/protocol
1011           Add a new port to the permanent helper.
1012
1013       --permanent --helper=helper --remove-port=portid[-portid]/protocol
1014           Remove a port from the permanent helper.
1015
1016       --permanent --helper=helper --query-port=portid[-portid]/protocol
1017           Return whether the port has been added to the permanent helper.
1018
1019       --permanent --helper=helper --get-ports
1020           List ports added to the permanent helper.
1021
1022       --permanent --helper=helper --set-module=description
1023           Set module description for helper
1024
1025       --permanent --helper=helper --get-module
1026           Print module description for helper
1027
1028       --permanent --helper=helper --set-family=description
1029           Set family description for helper
1030
1031       --permanent --helper=helper --get-family
1032           Print family description of helper
1033
1034   Internet Control Message Protocol (ICMP) type Options
1035       Options in this section affect only one particular icmptype.
1036
1037       [--permanent] --info-icmptype=icmptype
1038           Print information about the icmptype icmptype. The output format
1039           is:
1040
1041               icmptype
1042                 destination: ipv1 ..
1043
1044
1045
1046       The following options are only usable in the permanent configuration.
1047
1048       --permanent --new-icmptype=icmptype
1049           Add a new permanent and empty icmptype.
1050
1051           ICMP type names must be alphanumeric and may additionally include
1052           characters: '_' and '-'.
1053
1054       --permanent --new-icmptype-from-file=filename [--name=icmptype]
1055           Add a new permanent icmptype from a prepared icmptype file with an
1056           optional name override.
1057
1058       --permanent --delete-icmptype=icmptype
1059           Delete an existing permanent icmptype.
1060
1061       --permanent --load-icmptype-defaults=icmptype
1062           Load icmptype default settings or report NO_DEFAULTS error.
1063
1064       --permanent --icmptype=icmptype --set-description=description
1065           Set new description to icmptype
1066
1067       --permanent --icmptype=icmptype --get-description
1068           Print description for icmptype
1069
1070       --permanent --icmptype=icmptype --set-short=description
1071           Set short description to icmptype
1072
1073       --permanent --icmptype=icmptype --get-short
1074           Print short description for icmptype
1075
1076       --permanent --icmptype=icmptype --add-destination=ipv
1077           Enable destination for ipv in permanent icmptype. ipv is one of
1078           ipv4 or ipv6.
1079
1080       --permanent --icmptype=icmptype --remove-destination=ipv
1081           Disable destination for ipv in permanent icmptype. ipv is one of
1082           ipv4 or ipv6.
1083
1084       --permanent --icmptype=icmptype --query-destination=ipv
1085           Return whether destination for ipv is enabled in permanent
1086           icmptype. ipv is one of ipv4 or ipv6.
1087
1088       --permanent --icmptype=icmptype --get-destinations
1089           List destinations in permanent icmptype.
1090
1091       --permanent --path-icmptype=icmptype
1092           Print path of the icmptype configuration file.
1093
1094   Direct Options
1095       DEPRECATED
1096           The direct interface has been deprecated. It will be removed in a
1097           future release. It is superseded by policies, see
1098           firewalld.policies(5).
1099
1100       The direct options give a more direct access to the firewall. These
1101       options require user to know basic iptables concepts, i.e.  table
1102       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
1103       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
1104       (ACCEPT/DROP/REJECT/...).
1105
1106       Direct options should be used only as a last resort when it's not
1107       possible to use for example --add-service=service or
1108       --add-rich-rule='rule'.
1109
1110       Warning: Direct rules behavior is different depending on the value of
1111       FirewallBackend. See CAVEATS in firewalld.direct(5).
1112
1113       The first argument of each option has to be ipv4 or ipv6 or eb. With
1114       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1115       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1116
1117       [--permanent] --direct --get-all-chains
1118           Get all chains added to all tables. This option concerns only
1119           chains previously added with --direct --add-chain.
1120
1121       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
1122           Get all chains added to table table as a space separated list. This
1123           option concerns only chains previously added with --direct
1124           --add-chain.
1125
1126       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
1127           Add a new chain with name chain to table table. Make sure there's
1128           no other chain with this name already.
1129
1130           There already exist basic chains to use with direct options, for
1131           example INPUT_direct chain (see iptables-save | grep direct output
1132           for all of them). These chains are jumped into before chains for
1133           zones, i.e. every rule put into INPUT_direct will be checked before
1134           rules in zones.
1135
1136       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1137           Remove chain with name chain from table table. Only chains
1138           previously added with --direct --add-chain can be removed this way.
1139
1140       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
1141           Return whether a chain with name chain exists in table table.
1142           Returns 0 if true, 1 otherwise. This option concerns only chains
1143           previously added with --direct --add-chain.
1144
1145       [--permanent] --direct --get-all-rules
1146           Get all rules added to all chains in all tables as a newline
1147           separated list of the priority and arguments. This option concerns
1148           only rules previously added with --direct --add-rule.
1149
1150       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
1151           Get all rules added to chain chain in table table as a newline
1152           separated list of the priority and arguments. This option concerns
1153           only rules previously added with --direct --add-rule.
1154
1155       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
1156       priority args
1157           Add a rule with the arguments args to chain chain in table table
1158           with priority priority.
1159
1160           The priority is used to order rules. Priority 0 means add rule on
1161           top of the chain, with a higher priority the rule will be added
1162           further down. Rules with the same priority are on the same level
1163           and the order of these rules is not fixed and may change. If you
1164           want to make sure that a rule will be added after another one, use
1165           a low priority for the first and a higher for the following.
1166
1167       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1168       priority args
1169           Remove a rule with priority and the arguments args from chain chain
1170           in table table. Only rules previously added with --direct
1171           --add-rule can be removed this way.
1172
1173       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1174           Remove all rules in the chain with name chain exists in table
1175           table. This option concerns only rules previously added with
1176           --direct --add-rule in this chain.
1177
1178       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1179       priority args
1180           Return whether a rule with priority and the arguments args exists
1181           in chain chain in table table. Returns 0 if true, 1 otherwise. This
1182           option concerns only rules previously added with --direct
1183           --add-rule.
1184
1185       --direct --passthrough { ipv4 | ipv6 | eb } args
1186           Pass a command through to the firewall.  args can be all iptables,
1187           ip6tables and ebtables command line arguments. This command is
1188           untracked, which means that firewalld is not able to provide
1189           information about this command later on, also not a listing of the
1190           untracked passthoughs.
1191
1192       [--permanent] --direct --get-all-passthroughs
1193           Get all passthrough rules as a newline separated list of the ipv
1194           value and arguments.
1195
1196       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1197           Get all passthrough rules for the ipv value as a newline separated
1198           list of the priority and arguments.
1199
1200       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1201           Add a passthrough rule with the arguments args for the ipv value.
1202
1203       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1204           Remove a passthrough rule with the arguments args for the ipv
1205           value.
1206
1207       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1208           Return whether a passthrough rule with the arguments args exists
1209           for the ipv value. Returns 0 if true, 1 otherwise.
1210
1211   Lockdown Options
1212       Local applications or services are able to change the firewall
1213       configuration if they are running as root (example: libvirt) or are
1214       authenticated using PolicyKit. With this feature administrators can
1215       lock the firewall configuration so that only applications on lockdown
1216       whitelist are able to request firewall changes.
1217
1218       The lockdown access check limits D-Bus methods that are changing
1219       firewall rules. Query, list and get methods are not limited.
1220
1221       The lockdown feature is a very light version of user and application
1222       policies for firewalld and is turned off by default.
1223
1224       --lockdown-on
1225           Enable lockdown. Be careful - if firewall-cmd is not on lockdown
1226           whitelist when you enable lockdown you won't be able to disable it
1227           again with firewall-cmd, you would need to edit firewalld.conf.
1228
1229           This is a runtime and permanent change.
1230
1231       --lockdown-off
1232           Disable lockdown.
1233
1234           This is a runtime and permanent change.
1235
1236       --query-lockdown
1237           Query whether lockdown is enabled. Returns 0 if lockdown is
1238           enabled, 1 otherwise.
1239
1240   Lockdown Whitelist Options
1241       The lockdown whitelist can contain commands, contexts, users and user
1242       ids.
1243
1244       If a command entry on the whitelist ends with an asterisk '*', then all
1245       command lines starting with the command will match. If the '*' is not
1246       there the absolute command inclusive arguments must match.
1247
1248       Command paths for users are not always the same and depends on the
1249       users PATH. Some distributions symlink /bin to /usr/bin in which case
1250       it depends on the order they appear in the PATH environment variable.
1251
1252       The context is the security (SELinux) context of a running application
1253       or service. To get the context of a running application use ps -e
1254       --context.
1255
1256       Warning: If the context is unconfined, then this will open access for
1257       more than the desired application.
1258
1259       The lockdown whitelist entries are checked in the following order:
1260           1. context
1261           2. uid
1262           3. user
1263           4. command
1264
1265       [--permanent] --list-lockdown-whitelist-commands
1266           List all command lines that are on the whitelist.
1267
1268       [--permanent] --add-lockdown-whitelist-command=command
1269           Add the command to the whitelist.
1270
1271       [--permanent] --remove-lockdown-whitelist-command=command
1272           Remove the command from the whitelist.
1273
1274       [--permanent] --query-lockdown-whitelist-command=command
1275           Query whether the command is on the whitelist. Returns 0 if true, 1
1276           otherwise.
1277
1278       [--permanent] --list-lockdown-whitelist-contexts
1279           List all contexts that are on the whitelist.
1280
1281       [--permanent] --add-lockdown-whitelist-context=context
1282           Add the context context to the whitelist.
1283
1284       [--permanent] --remove-lockdown-whitelist-context=context
1285           Remove the context from the whitelist.
1286
1287       [--permanent] --query-lockdown-whitelist-context=context
1288           Query whether the context is on the whitelist. Returns 0 if true, 1
1289           otherwise.
1290
1291       [--permanent] --list-lockdown-whitelist-uids
1292           List all user ids that are on the whitelist.
1293
1294       [--permanent] --add-lockdown-whitelist-uid=uid
1295           Add the user id uid to the whitelist.
1296
1297       [--permanent] --remove-lockdown-whitelist-uid=uid
1298           Remove the user id uid from the whitelist.
1299
1300       [--permanent] --query-lockdown-whitelist-uid=uid
1301           Query whether the user id uid is on the whitelist. Returns 0 if
1302           true, 1 otherwise.
1303
1304       [--permanent] --list-lockdown-whitelist-users
1305           List all user names that are on the whitelist.
1306
1307       [--permanent] --add-lockdown-whitelist-user=user
1308           Add the user name user to the whitelist.
1309
1310       [--permanent] --remove-lockdown-whitelist-user=user
1311           Remove the user name user from the whitelist.
1312
1313       [--permanent] --query-lockdown-whitelist-user=user
1314           Query whether the user name user is on the whitelist. Returns 0 if
1315           true, 1 otherwise.
1316
1317   Panic Options
1318       --panic-on
1319           Enable panic mode. All incoming and outgoing packets are dropped,
1320           active connections will expire. Enable this only if there are
1321           serious problems with your network environment. For example if the
1322           machine is getting hacked in.
1323
1324           This is a runtime only change.
1325
1326       --panic-off
1327           Disable panic mode. After disabling panic mode established
1328           connections might work again, if panic mode was enabled for a short
1329           period of time.
1330
1331           This is a runtime only change.
1332
1333       --query-panic
1334           Returns 0 if panic mode is enabled, 1 otherwise.
1335

EXAMPLES

1337       For more examples see http://fedoraproject.org/wiki/FirewallD
1338
1339   Example 1
1340       Enable http service in default zone. This is runtime only change, i.e.
1341       effective until restart.
1342
1343           firewall-cmd --add-service=http
1344
1345
1346
1347   Example 2
1348       Enable port 443/tcp immediately and permanently in default zone. To
1349       make the change effective immediately and also after restart we need
1350       two commands. The first command makes the change in runtime
1351       configuration, i.e. makes it effective immediately, until restart. The
1352       second command makes the change in permanent configuration, i.e. makes
1353       it effective after restart.
1354
1355           firewall-cmd --add-port=443/tcp
1356           firewall-cmd --permanent --add-port=443/tcp
1357
1358
1359

EXIT CODES

1361       On success 0 is returned. On failure the output is red colored and exit
1362       code is either 2 in case of wrong command-line option usage or one of
1363       the following error codes in other cases:
1364
1365       ┌────────────────────┬──────┐
1366String              Code 
1367       ├────────────────────┼──────┤
1368       │ALREADY_ENABLED     │   11 │
1369       ├────────────────────┼──────┤
1370       │NOT_ENABLED         │   12 │
1371       ├────────────────────┼──────┤
1372       │COMMAND_FAILED      │   13 │
1373       ├────────────────────┼──────┤
1374       │NO_IPV6_NAT         │   14 │
1375       ├────────────────────┼──────┤
1376       │PANIC_MODE          │   15 │
1377       ├────────────────────┼──────┤
1378       │ZONE_ALREADY_SET    │   16 │
1379       ├────────────────────┼──────┤
1380       │UNKNOWN_INTERFACE   │   17 │
1381       ├────────────────────┼──────┤
1382       │ZONE_CONFLICT       │   18 │
1383       ├────────────────────┼──────┤
1384       │BUILTIN_CHAIN       │   19 │
1385       ├────────────────────┼──────┤
1386       │EBTABLES_NO_REJECT  │   20 │
1387       ├────────────────────┼──────┤
1388       │NOT_OVERLOADABLE    │   21 │
1389       ├────────────────────┼──────┤
1390       │NO_DEFAULTS         │   22 │
1391       ├────────────────────┼──────┤
1392       │BUILTIN_ZONE        │   23 │
1393       ├────────────────────┼──────┤
1394       │BUILTIN_SERVICE     │   24 │
1395       ├────────────────────┼──────┤
1396       │BUILTIN_ICMPTYPE    │   25 │
1397       ├────────────────────┼──────┤
1398       │NAME_CONFLICT       │   26 │
1399       ├────────────────────┼──────┤
1400       │NAME_MISMATCH       │   27 │
1401       ├────────────────────┼──────┤
1402       │PARSE_ERROR         │   28 │
1403       ├────────────────────┼──────┤
1404       │ACCESS_DENIED       │   29 │
1405       ├────────────────────┼──────┤
1406       │UNKNOWN_SOURCE      │   30 │
1407       ├────────────────────┼──────┤
1408       │RT_TO_PERM_FAILED   │   31 │
1409       ├────────────────────┼──────┤
1410       │IPSET_WITH_TIMEOUT  │   32 │
1411       ├────────────────────┼──────┤
1412       │BUILTIN_IPSET       │   33 │
1413       ├────────────────────┼──────┤
1414       │ALREADY_SET         │   34 │
1415       ├────────────────────┼──────┤
1416       │MISSING_IMPORT      │   35 │
1417       ├────────────────────┼──────┤
1418       │DBUS_ERROR          │   36 │
1419       ├────────────────────┼──────┤
1420       │BUILTIN_HELPER      │   37 │
1421       ├────────────────────┼──────┤
1422       │NOT_APPLIED         │   38 │
1423       ├────────────────────┼──────┤
1424       │INVALID_ACTION      │  100 │
1425       ├────────────────────┼──────┤
1426       │INVALID_SERVICE     │  101 │
1427       ├────────────────────┼──────┤
1428       │INVALID_PORT        │  102 │
1429       ├────────────────────┼──────┤
1430       │INVALID_PROTOCOL    │  103 │
1431       ├────────────────────┼──────┤
1432       │INVALID_INTERFACE   │  104 │
1433       ├────────────────────┼──────┤
1434       │INVALID_ADDR        │  105 │
1435       ├────────────────────┼──────┤
1436       │INVALID_FORWARD     │  106 │
1437       ├────────────────────┼──────┤
1438       │INVALID_ICMPTYPE    │  107 │
1439       ├────────────────────┼──────┤
1440       │INVALID_TABLE       │  108 │
1441       ├────────────────────┼──────┤
1442       │INVALID_CHAIN       │  109 │
1443       ├────────────────────┼──────┤
1444       │INVALID_TARGET      │  110 │
1445       ├────────────────────┼──────┤
1446       │INVALID_IPV         │  111 │
1447       ├────────────────────┼──────┤
1448       │INVALID_ZONE        │  112 │
1449       ├────────────────────┼──────┤
1450       │INVALID_PROPERTY    │  113 │
1451       ├────────────────────┼──────┤
1452       │INVALID_VALUE       │  114 │
1453       ├────────────────────┼──────┤
1454       │INVALID_OBJECT      │  115 │
1455       ├────────────────────┼──────┤
1456       │INVALID_NAME        │  116 │
1457       ├────────────────────┼──────┤
1458       │INVALID_FILENAME    │  117 │
1459       ├────────────────────┼──────┤
1460       │INVALID_DIRECTORY   │  118 │
1461       ├────────────────────┼──────┤
1462       │INVALID_TYPE        │  119 │
1463       ├────────────────────┼──────┤
1464       │INVALID_SETTING     │  120 │
1465       ├────────────────────┼──────┤
1466       │INVALID_DESTINATION │  121 │
1467       ├────────────────────┼──────┤
1468       │INVALID_RULE        │  122 │
1469       ├────────────────────┼──────┤
1470       │INVALID_LIMIT       │  123 │
1471       ├────────────────────┼──────┤
1472       │INVALID_FAMILY      │  124 │
1473       ├────────────────────┼──────┤
1474       │INVALID_LOG_LEVEL   │  125 │
1475       ├────────────────────┼──────┤
1476       │INVALID_AUDIT_TYPE  │  126 │
1477       ├────────────────────┼──────┤
1478       │INVALID_MARK        │  127 │
1479       ├────────────────────┼──────┤
1480       │INVALID_CONTEXT     │  128 │
1481       ├────────────────────┼──────┤
1482       │INVALID_COMMAND     │  129 │
1483       ├────────────────────┼──────┤
1484       │INVALID_USER        │  130 │
1485       ├────────────────────┼──────┤
1486       │INVALID_UID         │  131 │
1487       ├────────────────────┼──────┤
1488       │INVALID_MODULE      │  132 │
1489       ├────────────────────┼──────┤
1490       │INVALID_PASSTHROUGH │  133 │
1491       ├────────────────────┼──────┤
1492       │INVALID_MAC         │  134 │
1493       ├────────────────────┼──────┤
1494       │INVALID_IPSET       │  135 │
1495       ├────────────────────┼──────┤
1496       │INVALID_ENTRY       │  136 │
1497       ├────────────────────┼──────┤
1498       │INVALID_OPTION      │  137 │
1499       ├────────────────────┼──────┤
1500       │INVALID_HELPER      │  138 │
1501       ├────────────────────┼──────┤
1502       │INVALID_PRIORITY    │  139 │
1503       ├────────────────────┼──────┤
1504       │INVALID_POLICY      │  140 │
1505       ├────────────────────┼──────┤
1506       │MISSING_TABLE       │  200 │
1507       ├────────────────────┼──────┤
1508       │MISSING_CHAIN       │  201 │
1509       ├────────────────────┼──────┤
1510       │MISSING_PORT        │  202 │
1511       ├────────────────────┼──────┤
1512       │MISSING_PROTOCOL    │  203 │
1513       ├────────────────────┼──────┤
1514       │MISSING_ADDR        │  204 │
1515       ├────────────────────┼──────┤
1516       │MISSING_NAME        │  205 │
1517       ├────────────────────┼──────┤
1518       │MISSING_SETTING     │  206 │
1519       ├────────────────────┼──────┤
1520       │MISSING_FAMILY      │  207 │
1521       ├────────────────────┼──────┤
1522       │RUNNING_BUT_FAILED  │  251 │
1523       ├────────────────────┼──────┤
1524       │NOT_RUNNING         │  252 │
1525       ├────────────────────┼──────┤
1526       │NOT_AUTHORIZED      │  253 │
1527       ├────────────────────┼──────┤
1528       │UNKNOWN_ERROR       │  254 │
1529       └────────────────────┴──────┘
1530
1531       Note that return codes of --query-* options are special: Successful
1532       queries return 0, unsuccessful ones return 1 unless an error occurred
1533       in which case the table above applies.
1534

SEE ALSO

1536       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1537       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1538       firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1539       offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1540       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
1541       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
1542

NOTES

1544       firewalld home page:
1545           http://firewalld.org
1546
1547       More documentation with examples:
1548           http://fedoraproject.org/wiki/FirewallD
1549

AUTHORS

1551       Thomas Woerner <twoerner@redhat.com>
1552           Developer
1553
1554       Jiri Popelka <jpopelka@redhat.com>
1555           Developer
1556
1557       Eric Garver <eric@garver.life>
1558           Developer
1559
1560
1561
1562firewalld 1.0.5                                                FIREWALL-CMD(1)
Impressum