FIREWALL-CMD(1)                   firewall-cmd                  FIREWALL-CMD(1)

NAME
       firewall-cmd - firewalld command line client

SYNOPSIS
       firewall-cmd [OPTIONS...]

DESCRIPTION
       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configurations.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that things can get changed in the runtime or
       permanent configuration.

OPTIONS
       Sequence options are options that can be specified multiple times; the
       exit code is 0 if at least one item succeeded. The ALREADY_ENABLED (11),
       NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors are treated as
       succeeded. If there are issues while parsing the items, these are
       treated as warnings and do not change the result as long as at least
       one item succeeded. Without any succeeded item, the exit code depends on
       the error codes: if there is exactly one error code, it is used; if
       there is more than one, UNKNOWN_ERROR (254) is used.

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration, i.e.
           all runtime-only changes done until the reload are lost with the
           reload if they have not also been made in the permanent
           configuration.

           Note: If FlushAllOnReload=no, runtime changes applied via the
           direct interface are not affected and will therefore stay in place
           until the firewalld daemon is restarted completely. For
           FlushAllOnReload, see firewalld.conf(5).

       --complete-reload
           Reload the firewall completely, even netfilter kernel modules. This
           will most likely terminate active connections, because state
           information is lost. This option should only be used in case of
           severe firewall problems, for example if there are state
           information problems such that no connection can be established
           even with correct firewall rules.

           Note: If FlushAllOnReload=no, runtime changes applied via the
           direct interface are not affected and will therefore stay in place
           until the firewalld daemon is restarted completely. For
           FlushAllOnReload, see firewalld.conf(5).

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The intended workflow is that when
           configuring firewalld you make runtime changes only and, once you
           are happy with the configuration and have tested that it works the
           way you want, you save the configuration to disk.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also the final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Permanent Options
       --permanent
           The permanent option --permanent can be used to set options
           permanently. These changes are not effective immediately, only
           after a service restart/reload or system reboot. Without the
           --permanent option, a change will only be part of the runtime
           configuration.

           If you want to make a change in the runtime and permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can be optionally added to all options
           further down where it is supported.
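
       The workflow described under --runtime-to-permanent and --permanent,
       as an added shell example that is not part of this man page: changes
       are applied to the runtime configuration, each one is verified with
       the matching --query-* option, a failure is undone with --reload
       (which discards runtime-only changes), and only then is the
       configuration saved with --runtime-to-permanent and validated with
       --check-config. The exit codes 11, 12 and 16 are the ones listed
       above as treated as success. The FIREWALL_CMD variable is an assumed
       hook for substituting the client (so the functions can be exercised
       against a stub), and the fw_* function names are this example's own.

```sh
#!/bin/sh
# Added example, not part of the firewall-cmd man page: apply changes at
# runtime, verify them, persist with --runtime-to-permanent, then validate
# with --check-config. FIREWALL_CMD is an assumed hook (defaults to the real
# client) so the functions can be driven by a stub.
FIREWALL_CMD=${FIREWALL_CMD:-firewall-cmd}

# Exit codes named in the man page: 0 success; 11 ALREADY_ENABLED,
# 12 NOT_ENABLED and 16 ZONE_ALREADY_SET mean "already in the requested
# state" and count as success for sequence options.
fw_idempotent_ok() {
    case $1 in 0|11|12|16) return 0 ;; *) return 1 ;; esac
}

# Zone names: alphanumeric plus '_' and '-' (man page rule for --new-zone).
fw_zone_name_ok() {
    case $1 in ''|*[!A-Za-z0-9_-]*) return 1 ;; *) return 0 ;; esac
}

# fw_apply_and_persist ZONE KIND=VALUE...   e.g. service=ssh port=8443/tcp
# Returns the exit code of the first failing step, 0 on success.
fw_apply_and_persist() {
    zone=$1; shift
    fw_zone_name_ok "$zone" || { echo "invalid zone name '$zone'" >&2; return 2; }
    for spec in "$@"; do
        case $spec in
            service=*|port=*|protocol=*|source-port=*) ;;
            *) echo "unsupported change '$spec'" >&2; return 2 ;;
        esac
        kind=${spec%%=*}; value=${spec#*=}
        # Runtime change only (no --permanent); safe under set -e.
        "$FIREWALL_CMD" --zone="$zone" "--add-$kind=$value" && rc=0 || rc=$?
        if ! fw_idempotent_ok "$rc"; then
            echo "add of $spec failed with exit code $rc, discarding runtime changes" >&2
            "$FIREWALL_CMD" --reload
            return "$rc"
        fi
        # --query-* returns 0 if present, 1 otherwise.
        if ! "$FIREWALL_CMD" --zone="$zone" "--query-$kind=$value"; then
            echo "$spec not active after add, discarding runtime changes" >&2
            "$FIREWALL_CMD" --reload
            return 1
        fi
    done
    # Everything verified at runtime: write it to disk and check the result.
    "$FIREWALL_CMD" --runtime-to-permanent && rc=0 || rc=$?
    [ "$rc" -eq 0 ] || return "$rc"
    "$FIREWALL_CMD" --check-config
}

# Live use (needs root and a running firewalld):
#   fw_apply_and_persist public service=ssh port=8443/tcp
```

       Because the add step is a runtime change, a verification failure
       leaves nothing behind after --reload except what the permanent
       configuration already contained.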

   Zone Options
       --get-default-zone
           Print default zone for connections and interfaces.

       --set-default-zone=zone
           Set default zone for connections and interfaces where no zone has
           been selected. Setting the default zone changes the zone for the
           connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print currently active zones altogether with interfaces and sources
           used in these zones. Active zones are zones that have a binding to
           an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.
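
       A parser for the --get-active-zones output format shown above, as an
       added example that is not part of this man page, together with a
       drift check that compares the interface bindings with the zones an
       administrator expects, so that an interface that ended up in a
       different zone than intended is reported instead of silently
       accepted. The fw_* names are this example's own; the sample output
       used to exercise it is constructed.

```sh
#!/bin/sh
# Added example, not from the firewall-cmd man page.

# fw_bindings: stdin is --get-active-zones output; stdout is one
# "zone interface|source name" row per binding. A line whose first field is
# "interfaces:" or "sources:" lists bindings; any other non-empty line names
# the zone the following bindings belong to (indentation is not relied on).
fw_bindings() {
    awk '
        $1 == "interfaces:" || $1 == "sources:" {
            kind = ($1 == "interfaces:") ? "interface" : "source"
            for (i = 2; i <= NF; i++) print zone, kind, $i
            next
        }
        NF >= 1 { zone = $1 }
    '
}

# fw_interface_zone_drift EXPECTED   (stdin: --get-active-zones output)
# EXPECTED holds "interface zone" lines (the administrator's intended
# layout). Prints one line per interface that is unbound or bound to a
# zone other than the expected one; prints nothing when everything matches.
fw_interface_zone_drift() {
    fw_bindings | awk -v expected="$1" '
        BEGIN {
            n = split(expected, rows, "\n")
            for (i = 1; i <= n; i++)
                if (split(rows[i], f, " ") == 2) want[f[1]] = f[2]
        }
        $2 == "interface" { have[$3] = $1 }
        END {
            for (ifc in want) {
                if (!(ifc in have))
                    print ifc " expected in " want[ifc] " but not bound to any zone"
                else if (have[ifc] != want[ifc])
                    print ifc " expected in " want[ifc] " but bound to " have[ifc]
            }
        }
    ' | sort
}

# Live use:
#   firewall-cmd --get-active-zones | fw_interface_zone_drift "$(cat expected-zones.txt)"
```

       The expected list is the administrator's own record; the check is
       only as good as that record, so keep it under the same change control
       as the firewall configuration.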

       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to or no zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to or no zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                   forward-port1
                   ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                   rich-rule1
                   ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                   forward-port1
                   ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                   rich-rule1
                   ..
               ..

       --permanent --new-zone=zone
           Add a new permanent and empty zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

   Policy Options
       [--permanent] --get-policies
           Print predefined policies as a space separated list.

       [--permanent] --info-policy=policy
           Print information about the policy policy.

       [--permanent] --list-all-policies
           List everything added for or enabled in all policies.

       --permanent --new-policy=policy
           Add a new permanent policy.

           Policy names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-policy-from-file=filename [--name=policy]
           Add a new permanent policy from a prepared policy file with an
           optional name override.

       --permanent --path-policy=policy
           Print the path of the policy configuration file.

       --permanent --delete-policy=policy
           Delete an existing permanent policy.

       --permanent --load-policy-defaults=policy
           Load the shipped defaults for a policy. Only applies to policies
           shipped with firewalld. Does not apply to user defined policies.

   Options to Adapt and Query Zones and Policies
       Options in this section affect only one particular zone or policy. If
       used with the --zone=zone or --policy=policy option, they affect the
       specified zone or policy. If both options are omitted, they affect the
       default zone (see --get-default-zone).

       [--permanent] [--zone=zone] [--policy=policy] --list-all
           List everything added or enabled.

       --permanent [--zone=zone] [--policy=policy] --get-target
           Get the target.

       --permanent [--zone=zone] [--policy=policy] --set-target=target
           Set the target.

           For zones target is one of: default, ACCEPT, DROP, REJECT

           For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but it implicitly allows ICMP
           packets.

       --permanent [--zone=zone] [--policy=policy]
       --set-description=description
           Set description.

       --permanent [--zone=zone] [--policy=policy] --get-description
           Print description.

       --permanent [--zone=zone] [--policy=policy] --set-short=description
           Set short description.

       --permanent [--zone=zone] [--policy=policy] --get-short
           Print short description.

       [--permanent] [--zone=zone] [--policy=policy] --list-services
           List services added as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-service=service
       [--timeout=timeval]
           Add a service. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.

           Note: Some services define connection tracking helpers. Helpers
           that may operate in client mode (e.g. tftp) must be added to an
           outbound policy instead of a zone to take effect for clients.
           Otherwise the helper will not be applied to the outbound traffic.
           The related traffic, as defined by the connection tracking helper,
           on the return path (ingress) will be allowed by the stateful
           firewall rules.

           An example of an outbound policy for connection tracking helpers:

               # firewall-cmd --permanent --new-policy clientConntrack
               # firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
               # firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
               # firewall-cmd --permanent --policy clientConntrack --add-service tftp

       [--permanent] [--zone=zone] [--policy=policy] --remove-service=service
           Remove a service. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy] --query-service=service
           Return whether service has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-ports
           List ports added as a space separated list. A port is of the form
           portid[-portid]/protocol; it can be either a port and protocol pair
           or a port range with a protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-port=portid[-portid]/protocol [--timeout=timeval]
           Add the port. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-port=portid[-portid]/protocol
           Remove the port. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-port=portid[-portid]/protocol
           Return whether the port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-protocols
           List protocols added as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-protocol=protocol
       [--timeout=timeval]
           Add the protocol. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-protocol=protocol
           Remove the protocol. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy] --query-protocol=protocol
           Return whether the protocol has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-source-ports
           List source ports added as a space separated list. A port is of the
           form portid[-portid]/protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-source-port=portid[-portid]/protocol [--timeout=timeval]
           Add the source port. This option can be specified multiple times.
           If a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port. This option can be specified multiple
           times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added as
           a space separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-icmp-block=icmptype
       [--timeout=timeval]
           Add an ICMP block for icmptype. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types: firewall-cmd --get-icmptypes

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype. This option can be specified
           multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added. Returns 0
           if true, 1 otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-forward-ports
           List IPv4 forward ports added as a space separated list.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.
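
       A syntax check for the --add-forward-port argument, as an added
       example that is not taken from this man page: it validates the
       port=portid[-portid]:proto=protocol[:toport=...][:toaddr=...] form
       described above (port ranges within 1-65535, protocol tcp, udp, sctp
       or dccp, toaddr an IPv4 address) before the rule is applied, and
       reminds the operator that toaddr implicitly enables IP forwarding.
       The fw_* function names are this example's own; the requirement that
       at least one of toport or toaddr be present is an assumption of the
       example, not a rule stated on this page.

```sh
#!/bin/sh
# Added example, not from the firewall-cmd man page. Checks the syntax of
# one --add-forward-port argument before it is applied. fw_* names are this
# example's own.

# Port or port range "N" or "N-M" with 1 <= N <= M <= 65535.
fw_port_range_ok() {
    case $1 in ''|*[!0-9-]*|-*|*-|*-*-*) return 1 ;; esac
    lo=${1%%-*}; hi=${1##*-}
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ]
}

# fw_check_forward_port 'port=portid[-portid]:proto=protocol[:toport=...][:toaddr=...]'
# Returns 0 if well-formed, 1 otherwise; the reason goes to stderr.
fw_check_forward_port() {
    spec=$1
    port= proto= toport= toaddr=
    old_ifs=$IFS; IFS=:; set -f
    set -- $spec        # IPv4 only (per the man page), so ':' only separates fields
    set +f; IFS=$old_ifs
    for kv in "$@"; do
        case $kv in
            port=*)   port=${kv#port=} ;;
            proto=*)  proto=${kv#proto=} ;;
            toport=*) toport=${kv#toport=} ;;
            toaddr=*) toaddr=${kv#toaddr=} ;;
            *) echo "forward-port: unexpected field '$kv' in '$spec'" >&2; return 1 ;;
        esac
    done
    fw_port_range_ok "$port" || { echo "forward-port: bad port '$port'" >&2; return 1; }
    case $proto in
        tcp|udp|sctp|dccp) ;;
        *) echo "forward-port: protocol must be tcp, udp, sctp or dccp, not '$proto'" >&2; return 1 ;;
    esac
    if [ -n "$toport" ] && ! fw_port_range_ok "$toport"; then
        echo "forward-port: bad toport '$toport'" >&2; return 1
    fi
    if [ -n "$toaddr" ]; then
        # Shape check only: a dotted quad, with an optional /mask suffix.
        addr=${toaddr%%/*}
        case $addr in
            *[!0-9.]*|*.*.*.*.*) echo "forward-port: toaddr must be an IPv4 address" >&2; return 1 ;;
            [0-9]*.[0-9]*.[0-9]*.[0-9]*) ;;
            *) echo "forward-port: toaddr must be an IPv4 address" >&2; return 1 ;;
        esac
        # Man page note: firewalld enables IP forwarding implicitly for toaddr.
        echo "note: toaddr given, IP forwarding will be enabled implicitly" >&2
    fi
    # Assumption of this example (not a rule stated on the page): a forward
    # with neither toport nor toaddr has no destination, so reject it.
    if [ -z "$toport" ] && [ -z "$toaddr" ]; then
        echo "forward-port: need toport and/or toaddr" >&2; return 1
    fi
    return 0
}

# Usage before applying, e.g.:
#   spec='port=80:proto=tcp:toport=8080'
#   fw_check_forward_port "$spec" && firewall-cmd --zone=public --add-forward-port="$spec"
```

       Splitting on ':' is only valid because this option is IPv4-only; an
       IPv6 destination would need the rich language, as the text above
       says.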

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added. Returns 0 if
           true, 1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --add-masquerade
       [--timeout=timeval]
           Enable IPv4 masquerade. If a timeout is supplied, masquerading will
           be active for the specified amount of time. timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--permanent] [--zone=zone] [--policy=policy] --remove-masquerade
           Disable IPv4 masquerade. If the masquerading was enabled with a
           timeout, it will be disabled also.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --query-masquerade
           Return whether IPv4 masquerading has been enabled. Returns 0 if
           true, 1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --list-rich-rules
           List rich language rules added as a newline separated list.

       [--permanent] [--zone=zone] [--policy=policy] --add-rich-rule='rule'
       [--timeout=timeval]
           Add rich language rule 'rule'. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy] --remove-rich-rule='rule'
           Remove rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] [--policy=policy] --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added. Returns
           0 if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the specified zone. If the option
       is omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --add-icmp-block-inversion
           Enable ICMP block inversion.

       [--permanent] [--zone=zone] --remove-icmp-block-inversion
           Disable ICMP block inversion.

       [--permanent] [--zone=zone] --query-icmp-block-inversion
           Return whether ICMP block inversion is enabled. Returns 0 if true,
           1 otherwise.

       [--permanent] [--zone=zone] --add-forward
           Enable intra zone forwarding.

       [--permanent] [--zone=zone] --remove-forward
           Disable intra zone forwarding.

       [--permanent] [--zone=zone] --query-forward
           Return whether intra zone forwarding is enabled. Returns 0 if true,
           1 otherwise.

   Options to Adapt and Query Policies
       Options in this section affect only one particular policy. It's
       required to specify --policy=policy with these options.

       --permanent --policy=policy --get-priority
           Get the priority.

       --permanent --policy=policy --set-priority=priority
           Set the priority. The priority determines the relative ordering of
           policies. This is an integer value between -32768 and 32767 where
           -1 is the default value for new policies and 0 is reserved for
           internal use.

           If a priority is < 0, then the policy's rules will execute before
           all rules in all zones.

           If a priority is > 0, then the policy's rules will execute after
           all rules in all zones.

       [--permanent] --policy=policy --list-ingress-zones
           List ingress zones added as a space separated list.

       [--permanent] --policy=policy --add-ingress-zone=zone
           Add an ingress zone. This option can be specified multiple times.

           The ingress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           HOST is used for traffic originating from the host machine, i.e.
           the host running firewalld.

           ANY is used for traffic originating from any zone. This can be
           thought of as a wild card for zones. However it does not include
           traffic originating from the host machine - use HOST for that.

       [--permanent] --policy=policy --remove-ingress-zone=zone
           Remove an ingress zone. This option can be specified multiple
           times.

       [--permanent] --policy=policy --query-ingress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

       [--permanent] --policy=policy --list-egress-zones
           List egress zones added as a space separated list.

       [--permanent] --policy=policy --add-egress-zone=zone
           Add an egress zone. This option can be specified multiple times.

           The egress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           For clarification on HOST and ANY see option --add-ingress-zone.

       [--permanent] --policy=policy --remove-egress-zone=zone
           Remove an egress zone. This option can be specified multiple times.

       [--permanent] --policy=policy --query-egress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

   Options to Handle Bindings of Interfaces
       Binding an interface to a zone means that this zone's settings are used
       to restrict traffic via the interface.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd --get-zones.

       An interface name is a string up to 16 characters long that may not
       contain ' ', '/', '!' and '*'.

       [--permanent] [--zone=zone] --list-interfaces
           List interfaces that are bound to zone zone as a space separated
           list. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-interface=interface
           Bind interface interface to zone zone. If zone is omitted, the
           default zone will be used.

           If the interface is under control of NetworkManager, it is at first
           connected to change the zone for the connection that is using the
           interface. If this fails, the zone binding is created in firewalld
           and the limitations below apply. For interfaces that are not under
           control of NetworkManager, firewalld tries to change the ZONE
           setting in the ifcfg file, if the file exists.

           As an end user you don't need this in most cases, because
           NetworkManager (or the legacy network service) adds interfaces into
           zones automatically (according to the ZONE= option from the
           ifcfg-interface file) if NM_CONTROLLED=no is not set. You should do
           it only if there's no /etc/sysconfig/network-scripts/ifcfg-interface
           file. If there is such a file and you add the interface to a zone
           with this --add-interface option, make sure the zone is the same in
           both cases, otherwise the behaviour would be undefined. Please also
           have a look at the firewalld(1) man page in the Concepts section.
           For permanent association of an interface with a zone, see also
           'How to set or change a zone for a connection?' in
           firewalld.zones(5).

       [--permanent] [--zone=zone] --change-interface=interface
           If the interface is under control of NetworkManager, it is at first
           connected to change the zone for the connection that is using the
           interface. If this fails, the zone binding is created in firewalld
           and the limitations below apply. For interfaces that are not under
           control of NetworkManager, firewalld tries to change the ZONE
           setting in the ifcfg file, if the file exists.

           Change the zone the interface interface is bound to, to zone zone.
           It's basically --remove-interface followed by --add-interface. If
           the interface has not been bound to a zone before, it behaves like
           --add-interface. If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --query-interface=interface
           Query whether interface interface is bound to zone zone. Returns 0
           if true, 1 otherwise.

       [--permanent] --remove-interface=interface
           If the interface is under control of NetworkManager, it is at first
           connected to change the zone for the connection that is using the
           interface. If this fails, the zone binding is created in firewalld
           and the limitations below apply.

           For the addition or change of interfaces that are not under control
           of NetworkManager: firewalld tries to change the ZONE setting in
           the ifcfg file, if an ifcfg file exists that is using the
           interface.

           Only for the removal of interfaces that are not under control of
           NetworkManager: firewalld does not try to change the ZONE setting
           in the ifcfg file. This is needed to make sure that an ifdown of
           the interface will not result in a reset of the zone setting to the
           default zone. Only the zone binding is then removed in firewalld.

           Remove the binding of interface interface from the zone it was
           previously added to.

   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be used
       to restrict traffic from this source.

       A source address or address range is either an IP address or a network
       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
       with the ipset: prefix. For IPv4, the mask can be a network mask or a
       plain number. For IPv6 the mask is a plain number. The use of host
       names is not supported.

       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the zone zone. If the option is
       omitted, they affect the default zone (see --get-default-zone).

       For a list of predefined zones use firewall-cmd [--permanent]
       --get-zones.

       [--permanent] [--zone=zone] --list-sources
           List sources that are bound to zone zone as a space separated list.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
           Bind the source to zone zone. If zone is omitted, the default zone
           will be used.

       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone the source is bound to, to zone zone. It's
           basically --remove-source followed by --add-source. If the source
           has not been bound to a zone before, it behaves like --add-source.
           If zone is omitted, the default zone will be used.

       [--permanent] [--zone=zone]
       --query-source=source[/mask]|MAC|ipset:ipset
           Query whether the source is bound to the zone zone. Returns 0 if
           true, 1 otherwise.

       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
           Remove the binding of the source from the zone it was previously
           added to.

   IPSet Options
       --get-ipset-types
           Print the supported ipset types.

       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
       [--option=key[=value]]
           Add a new permanent and empty ipset, specifying the type and
           optionally the family and options like timeout, hashsize and
           maxelem. For more information please have a look at the ipset(8)
           man page.

           ipset names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-ipset-from-file=filename [--name=ipset]
           Add a new permanent ipset from a prepared ipset file with an
           optional name override.

       --permanent --delete-ipset=ipset
           Delete an existing permanent ipset.

       --permanent --load-ipset-defaults=ipset
           Load ipset default settings or report a NO_DEFAULTS error.

       [--permanent] --info-ipset=ipset
           Print information about the ipset ipset. The output format is:

               ipset
                 type: type
                 options: option1[=value1] ..
                 entries: entry1 ..

       [--permanent] --get-ipsets
           Print predefined ipsets as a space separated list.

       --permanent --ipset=ipset --set-description=description
           Set a new description for ipset.

       --permanent --ipset=ipset --get-description
           Print the description of ipset.

       --permanent --ipset=ipset --set-short=description
           Set the short description of ipset.

       --permanent --ipset=ipset --get-short
           Print the short description of ipset.

       [--permanent] --ipset=ipset --add-entry=entry
           Add a new entry to the ipset.

           Adding an entry to an ipset with option timeout is permitted, but
           these entries are not tracked by firewalld.

       [--permanent] --ipset=ipset --remove-entry=entry
           Remove an entry from the ipset.

       [--permanent] --ipset=ipset --query-entry=entry
           Return whether the entry has been added to an ipset. Returns 0 if
           true, 1 otherwise.

           Querying an ipset with a timeout will yield an error. Entries are
           not tracked for ipsets with a timeout.

       [--permanent] --ipset=ipset --get-entries
           List all entries of the ipset.

       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but already in the ipset, a warning will be
           printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.

       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset from the file. For all
           entries that are listed in the file but not in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.
829
830 --permanent --path-ipset=ipset
831 Print path of the ipset configuration file.
832
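       The entries-file format described above (one entry per line, lines
       starting with '#' or ';' and empty lines ignored) is easy to get
       subtly wrong, and a type mismatch only surfaces when the file is
       loaded. The shell functions below are an added example, not code
       from this man page or from the firewalld project: they count and
       validate the entries a file will contribute, load the file into a
       new hash:net ipset with the options documented above, and compare
       the runtime entries with the file afterwards. The FIREWALL_CMD
       variable, the ipset name and the file contents are constructed for
       the example.

```shell
#!/bin/sh
# Added example, not part of the firewall-cmd man page. It prepares an entries
# file for --add-entries-from-file and checks the result of the load against
# --get-entries. FIREWALL_CMD, the ipset name and the sample file contents are
# constructed for this example.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print only the lines firewall-cmd treats as entries: skip empty lines and
# lines starting with '#' or ';', the file format described in the man page.
ipset_file_entries() {
    grep -v -E '^($|#|;)' "$1" || true
}

# Number of entries the file will contribute.
ipset_file_entry_count() {
    ipset_file_entries "$1" | wc -l | tr -d ' '
}

# Return 0 if every entry is an IPv4 address or CIDR block (what a hash:net
# ipset with --family=inet expects), 1 if any entry would be rejected.
ipset_file_check_ipv4() {
    if ipset_file_entries "$1" |
        grep -v -E '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' | grep -q .; then
        return 1
    fi
    return 0
}

# Load the file into a new permanent hash:net ipset and activate it with
# --reload. The three invocations are the ones documented in the man page.
ipset_load_file() {
    name="$1"; file="$2"
    ipset_file_check_ipv4 "$file" || { echo "refusing to load $file" >&2; return 1; }
    "$FIREWALL_CMD" --permanent --new-ipset="$name" --type=hash:net --family=inet
    "$FIREWALL_CMD" --permanent --ipset="$name" --add-entries-from-file="$file"
    "$FIREWALL_CMD" --reload
}

# Compare the runtime entries of an ipset with the file: return 0 if they are
# identical (ignoring order), 1 with a message on stderr otherwise.
ipset_verify_loaded() {
    name="$1"; file="$2"
    want=$(ipset_file_entries "$file" | sort)
    have=$("$FIREWALL_CMD" --ipset="$name" --get-entries | sort)
    [ "$want" = "$have" ] && return 0
    printf 'ipset %s differs from %s\n' "$name" "$file" >&2
    return 1
}
```

       Typical use is ipset_load_file blocklist /etc/blocklist.txt followed
       by ipset_verify_loaded blocklist /etc/blocklist.txt; the verification
       step catches entries that were silently skipped as duplicates or
       rejected.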
   Service Options
       Options in this section affect only one particular service.

       [--permanent] --info-service=service
           Print information about the service service. The output format
           is:

               service
                 ports: port1 ..
                 protocols: protocol1 ..
                 source-ports: source-port1 ..
                 helpers: helper1 ..
                 destination: ipv1:address1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-service=service
           Add a new, empty permanent service.

           Service names must be alphanumeric and may additionally include
           the characters '_' and '-'.

       --permanent --new-service-from-file=filename [--name=service]
           Add a new permanent service from a prepared service file with an
           optional name override.

       --permanent --delete-service=service
           Delete an existing permanent service.

       --permanent --load-service-defaults=service
           Load the service default settings or report a NO_DEFAULTS error.

       --permanent --path-service=service
           Print the path of the service configuration file.

       --permanent --service=service --set-description=description
           Set a new description for the service.

       --permanent --service=service --get-description
           Print the description of the service.

       --permanent --service=service --set-short=description
           Set a short description for the service.

       --permanent --service=service --get-short
           Print the short description of the service.

       --permanent --service=service --add-port=portid[-portid]/protocol
           Add a new port to the permanent service.

       --permanent --service=service --remove-port=portid[-portid]/protocol
           Remove a port from the permanent service.

       --permanent --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.

       --permanent --service=service --get-ports
           List the ports added to the permanent service.

       --permanent --service=service --add-protocol=protocol
           Add a new protocol to the permanent service.

       --permanent --service=service --remove-protocol=protocol
           Remove a protocol from the permanent service.

       --permanent --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent
           service.

       --permanent --service=service --get-protocols
           List the protocols added to the permanent service.

       --permanent --service=service
       --add-source-port=portid[-portid]/protocol
           Add a new source port to the permanent service.

       --permanent --service=service
       --remove-source-port=portid[-portid]/protocol
           Remove a source port from the permanent service.

       --permanent --service=service
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.

       --permanent --service=service --get-source-ports
           List the source ports added to the permanent service.

       --permanent --service=service --add-helper=helper
           Add a new helper to the permanent service.

       --permanent --service=service --remove-helper=helper
           Remove a helper from the permanent service.

       --permanent --service=service --query-helper=helper
           Return whether the helper has been added to the permanent service.

       --permanent --service=service --get-service-helpers
           List the helpers added to the permanent service.

       --permanent --service=service --set-destination=ipv:address[/mask]
           Set the destination for ipv to address[/mask] in the permanent
           service.

       --permanent --service=service --remove-destination=ipv
           Remove the destination for ipv from the permanent service.

       --permanent --service=service --query-destination=ipv:address[/mask]
           Return whether the destination for ipv has been set to
           address[/mask] in the permanent service.

       --permanent --service=service --get-destinations
           List the destinations added to the permanent service.

       --permanent --service=service --add-include=service
           Add a new include to the permanent service.

       --permanent --service=service --remove-include=service
           Remove an include from the permanent service.

       --permanent --service=service --query-include=service
           Return whether the include has been added to the permanent
           service.

       --permanent --service=service --get-includes
           List the includes added to the permanent service.

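       A service definition is only as safe as the ports, helpers and
       destinations it carries, and --info-service is the documented way to
       see them. The following shell functions are an added example, not
       code from this man page or from firewalld: they parse the
       --info-service output format shown above and check that a service
       opens nothing outside an allow list before it is bound to a zone. The
       FIREWALL_CMD variable, the service name "webapp" and the sample
       output used in the test are constructed.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page: parse the --info-service
# output format and audit what a service definition opens before it is bound
# to a zone. FIREWALL_CMD, the service name "webapp" and the sample output in
# the test are constructed.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print the values of one field of --info-service output read from stdin:
# ports, protocols, source-ports, helpers or destination.
service_field() {
    awk -v key="$1:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }'
}

# Ports of a service as port/protocol words, one per line (empty if none).
service_ports() {
    "$FIREWALL_CMD" --permanent --info-service="$1" |
        service_field ports | tr ' ' '\n' | grep . || true
}

# Helpers (conntrack modules) the service pulls in, one per line.
service_helpers() {
    "$FIREWALL_CMD" --permanent --info-service="$1" |
        service_field helpers | tr ' ' '\n' | grep . || true
}

# Return 0 if every port the service opens is in the allow list (a
# space-separated string of port/protocol words), 1 otherwise with the
# offending ports reported on stderr.
service_ports_allowed() {
    svc="$1"; allow=" $2 "; bad=""
    for p in $(service_ports "$svc"); do
        case "$allow" in
            *" $p "*) ;;
            *) bad="$bad $p" ;;
        esac
    done
    [ -z "$bad" ] && return 0
    printf 'service %s opens ports outside the allow list:%s\n' "$svc" "$bad" >&2
    return 1
}
```

       service_field works on the permanent configuration here because that
       is what survives a --reload; drop --permanent inside the functions to
       audit the runtime definition instead.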
   Helper Options
       Options in this section affect only one particular helper.

       [--permanent] --info-helper=helper
           Print information about the helper helper. The output format is:

               helper
                 family: family
                 module: module
                 ports: port1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-helper=helper --module=nf_conntrack_module
       [--family=ipv4|ipv6]
           Add a new permanent helper with the module and optionally the
           family defined.

           Helper names must be alphanumeric and may additionally include
           the character '-'.

       --permanent --new-helper-from-file=filename [--name=helper]
           Add a new permanent helper from a prepared helper file with an
           optional name override.

       --permanent --delete-helper=helper
           Delete an existing permanent helper.

       --permanent --load-helper-defaults=helper
           Load the helper default settings or report a NO_DEFAULTS error.

       --permanent --path-helper=helper
           Print the path of the helper configuration file.

       [--permanent] --get-helpers
           Print the predefined helpers as a space separated list.

       --permanent --helper=helper --set-description=description
           Set a new description for the helper.

       --permanent --helper=helper --get-description
           Print the description of the helper.

       --permanent --helper=helper --set-short=description
           Set a short description for the helper.

       --permanent --helper=helper --get-short
           Print the short description of the helper.

       --permanent --helper=helper --add-port=portid[-portid]/protocol
           Add a new port to the permanent helper.

       --permanent --helper=helper --remove-port=portid[-portid]/protocol
           Remove a port from the permanent helper.

       --permanent --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.

       --permanent --helper=helper --get-ports
           List the ports added to the permanent helper.

       --permanent --helper=helper --set-module=nf_conntrack_module
           Set the conntrack module of the permanent helper.

       --permanent --helper=helper --get-module
           Print the conntrack module of the helper.

       --permanent --helper=helper --set-family=ipv4|ipv6
           Set the family of the permanent helper.

       --permanent --helper=helper --get-family
           Print the family of the helper.

   Internet Control Message Protocol (ICMP) type Options
       Options in this section affect only one particular icmptype.

       [--permanent] --info-icmptype=icmptype
           Print information about the icmptype icmptype. The output format
           is:

               icmptype
                 destination: ipv1 ..

       The following options are only usable in the permanent configuration.

       --permanent --new-icmptype=icmptype
           Add a new, empty permanent icmptype.

           ICMP type names must be alphanumeric and may additionally include
           the characters '_' and '-'.

       --permanent --new-icmptype-from-file=filename [--name=icmptype]
           Add a new permanent icmptype from a prepared icmptype file with
           an optional name override.

       --permanent --delete-icmptype=icmptype
           Delete an existing permanent icmptype.

       --permanent --load-icmptype-defaults=icmptype
           Load the icmptype default settings or report a NO_DEFAULTS error.

       --permanent --icmptype=icmptype --set-description=description
           Set a new description for the icmptype.

       --permanent --icmptype=icmptype --get-description
           Print the description of the icmptype.

       --permanent --icmptype=icmptype --set-short=description
           Set a short description for the icmptype.

       --permanent --icmptype=icmptype --get-short
           Print the short description of the icmptype.

       --permanent --icmptype=icmptype --add-destination=ipv
           Enable the destination ipv in the permanent icmptype. ipv is one
           of ipv4 or ipv6.

       --permanent --icmptype=icmptype --remove-destination=ipv
           Disable the destination ipv in the permanent icmptype. ipv is one
           of ipv4 or ipv6.

       --permanent --icmptype=icmptype --query-destination=ipv
           Return whether the destination ipv is enabled in the permanent
           icmptype. ipv is one of ipv4 or ipv6.

       --permanent --icmptype=icmptype --get-destinations
           List the destinations in the permanent icmptype.

       --permanent --path-icmptype=icmptype
           Print the path of the icmptype configuration file.

   Direct Options
       DEPRECATED
           The direct interface has been deprecated. It will be removed in a
           future release. It is superseded by policies, see
           firewalld.policies(5).

       The direct options give more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. tables
       (filter/mangle/nat/...), chains (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).

       Direct options should be used only as a last resort, when it is not
       possible to use, for example, --add-service=service or
       --add-rich-rule='rule'.

       Warning: The behavior of direct rules differs depending on the value
       of FirewallBackend. See CAVEATS in firewalld.direct(5).

       The first argument of each option has to be ipv4, ipv6 or eb. With
       ipv4 it applies to IPv4 (iptables(8)), with ipv6 to IPv6
       (ip6tables(8)) and with eb to ethernet bridges (ebtables(8)).

       [--permanent] --direct --get-all-chains
           Get all chains added to all tables. This option concerns only
           chains previously added with --direct --add-chain.

       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
           Get all chains added to table table as a space separated list.
           This option concerns only chains previously added with --direct
           --add-chain.

       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
           Add a new chain with name chain to table table. Make sure there
           is no other chain with this name already.

           There already exist basic chains to use with direct options, for
           example the INPUT_direct chain (see the output of iptables-save |
           grep direct for all of them). These chains are jumped into before
           the chains for zones, i.e. every rule put into INPUT_direct will
           be checked before the rules in zones.

       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
           Remove the chain with name chain from table table. Only chains
           previously added with --direct --add-chain can be removed this
           way.

       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
           Return whether a chain with name chain exists in table table.
           Returns 0 if true, 1 otherwise. This option concerns only chains
           previously added with --direct --add-chain.

       [--permanent] --direct --get-all-rules
           Get all rules added to all chains in all tables as a newline
           separated list of the priority and arguments. This option
           concerns only rules previously added with --direct --add-rule.

       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
           Get all rules added to chain chain in table table as a newline
           separated list of the priority and arguments. This option
           concerns only rules previously added with --direct --add-rule.

       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Add a rule with the arguments args to chain chain in table table
           with priority priority.

           The priority is used to order rules. Priority 0 means add the rule
           at the top of the chain; with a higher priority the rule will be
           added further down. Rules with the same priority are on the same
           level and the order of these rules is not fixed and may change.
           If you want to make sure that a rule will be added after another
           one, use a low priority for the first and a higher one for the
           following.

       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Remove a rule with priority priority and the arguments args from
           chain chain in table table. Only rules previously added with
           --direct --add-rule can be removed this way.

       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules from the chain chain in table table. This option
           concerns only rules previously added with --direct --add-rule in
           this chain.

       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
       priority args
           Return whether a rule with priority priority and the arguments
           args exists in chain chain in table table. Returns 0 if true, 1
           otherwise. This option concerns only rules previously added with
           --direct --add-rule.

       --direct --passthrough { ipv4 | ipv6 | eb } args
           Pass a command through to the firewall. args can be any iptables,
           ip6tables or ebtables command line arguments. This command is
           untracked, which means that firewalld cannot provide information
           about it later on, not even a listing of the untracked
           passthroughs.

       [--permanent] --direct --get-all-passthroughs
           Get all passthrough rules as a newline separated list of the ipv
           value and arguments.

       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
           Get all passthrough rules for the ipv value as a newline
           separated list of the priority and arguments.

       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
           Add a passthrough rule with the arguments args for the ipv value.

       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
           Remove a passthrough rule with the arguments args for the ipv
           value.

       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
           Return whether a passthrough rule with the arguments args exists
           for the ipv value. Returns 0 if true, 1 otherwise.

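       Because direct rules are evaluated before the zone chains and the
       interface is deprecated, an administrator migrating to policies needs
       an inventory of what is still there. The shell functions below are an
       added example, not code from this man page or from firewalld: they
       read the output of --direct --get-all-rules, --get-rules and
       --get-all-passthroughs and report the rules that jump to a given
       target. The FIREWALL_CMD variable and the sample output in the test
       are constructed, and the field order "ipv table chain priority args"
       for each --get-all-rules line is an assumption of the example.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page: inventory the direct rules
# and passthroughs that sit ahead of the zone and policy chains, so that
# leftovers of the deprecated interface can be reviewed before migrating to
# policies. FIREWALL_CMD and the sample output in the test are constructed;
# the field order "ipv table chain priority args" for --get-all-rules output
# is assumed here.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Print "ipv table chain priority" for every permanent direct rule whose
# arguments jump to the given target, e.g. ACCEPT for rules that admit traffic
# before any zone rule is consulted.
direct_rules_with_target() {
    "$FIREWALL_CMD" --permanent --direct --get-all-rules |
        awk -v tgt="$1" '
            {
                for (i = 5; i < NF; i++)
                    if ($i == "-j" && $(i + 1) == tgt) {
                        print $1, $2, $3, $4
                        break
                    }
            }'
}

# Number of permanent direct rules in one chain; a non-zero count means the
# chain is still in use. Usage: direct_rule_count ipv4 filter INPUT
direct_rule_count() {
    "$FIREWALL_CMD" --permanent --direct --get-rules "$1" "$2" "$3" | grep -c . || true
}

# Number of passthrough rules added with --add-passthrough; rules sent with
# --direct --passthrough are untracked and will not appear here at all.
direct_passthrough_count() {
    "$FIREWALL_CMD" --permanent --direct --get-all-passthroughs | grep -c . || true
}

# Return 0 if no direct rule accepts traffic, 1 (listing them on stderr)
# otherwise; a convenient gate for a migration check.
direct_no_accepts() {
    found=$(direct_rules_with_target ACCEPT)
    [ -z "$found" ] && return 0
    printf 'direct rules with -j ACCEPT still present:\n%s\n' "$found" >&2
    return 1
}
```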
   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.

       The lockdown access check limits the D-Bus methods that change
       firewall rules. Query, list and get methods are not limited.

       The lockdown feature is a very light version of user and application
       policies for firewalld and is turned off by default.

       --lockdown-on
           Enable lockdown. Be careful: if firewall-cmd is not on the
           lockdown whitelist when you enable lockdown, you won't be able to
           disable it again with firewall-cmd; you would need to edit
           firewalld.conf.

           This is a runtime and permanent change.

       --lockdown-off
           Disable lockdown.

           This is a runtime and permanent change.

       --query-lockdown
           Query whether lockdown is enabled. Returns 0 if lockdown is
           enabled, 1 otherwise.

   Lockdown Whitelist Options
       The lockdown whitelist can contain commands, contexts, users and user
       ids.

       If a command entry on the whitelist ends with an asterisk '*', then
       all command lines starting with the command will match. If the '*' is
       not there, the absolute command including its arguments must match.

       Command paths for users are not always the same and depend on the
       user's PATH. Some distributions symlink /bin to /usr/bin, in which
       case it depends on the order they appear in the PATH environment
       variable.

       The context is the security (SELinux) context of a running
       application or service. To get the context of a running application
       use ps -e --context.

       Warning: If the context is unconfined, then this will open access for
       more than the desired application.

       The lockdown whitelist entries are checked in the following order:
           1. context
           2. uid
           3. user
           4. command

       [--permanent] --list-lockdown-whitelist-commands
           List all command lines that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-command=command
           Add the command to the whitelist.

       [--permanent] --remove-lockdown-whitelist-command=command
           Remove the command from the whitelist.

       [--permanent] --query-lockdown-whitelist-command=command
           Query whether the command is on the whitelist. Returns 0 if true,
           1 otherwise.

       [--permanent] --list-lockdown-whitelist-contexts
           List all contexts that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-context=context
           Add the context context to the whitelist.

       [--permanent] --remove-lockdown-whitelist-context=context
           Remove the context from the whitelist.

       [--permanent] --query-lockdown-whitelist-context=context
           Query whether the context is on the whitelist. Returns 0 if true,
           1 otherwise.

       [--permanent] --list-lockdown-whitelist-uids
           List all user ids that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-uid=uid
           Add the user id uid to the whitelist.

       [--permanent] --remove-lockdown-whitelist-uid=uid
           Remove the user id uid from the whitelist.

       [--permanent] --query-lockdown-whitelist-uid=uid
           Query whether the user id uid is on the whitelist. Returns 0 if
           true, 1 otherwise.

       [--permanent] --list-lockdown-whitelist-users
           List all user names that are on the whitelist.

       [--permanent] --add-lockdown-whitelist-user=user
           Add the user name user to the whitelist.

       [--permanent] --remove-lockdown-whitelist-user=user
           Remove the user name user from the whitelist.

       [--permanent] --query-lockdown-whitelist-user=user
           Query whether the user name user is on the whitelist. Returns 0
           if true, 1 otherwise.

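       The --lockdown-on warning above describes a real lock-out: once
       lockdown is on, firewall-cmd itself is subject to the whitelist, and
       the command entry has to match the path the binary is actually
       invoked by. The shell functions below are an added example, not code
       from this man page or from firewalld: they resolve that path, check
       it against the permanent whitelist using the exact-match and
       '*'-prefix forms described above, and only then enable lockdown. The
       FIREWALL_CMD variable and the fake client in the test are
       constructed.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page: turn lockdown on only
# after confirming that the firewall-cmd binary which will later have to turn
# it off is on the whitelist, the situation the man page warns about.
# FIREWALL_CMD and the fake client in the test are constructed.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Absolute path of the client as resolved through PATH; whitelist command
# entries are matched against this path, so it must be the same one.
fwcmd_path() {
    command -v "${1:-firewall-cmd}"
}

# Return 0 if the command is on the permanent lockdown whitelist, either as an
# exact entry or as a prefix entry ending in '*', 1 otherwise.
lockdown_whitelisted() {
    cmd="$1"
    "$FIREWALL_CMD" --permanent --query-lockdown-whitelist-command="$cmd" >/dev/null 2>&1 && return 0
    "$FIREWALL_CMD" --permanent --query-lockdown-whitelist-command="$cmd*" >/dev/null 2>&1 && return 0
    return 1
}

# Enable lockdown only if firewall-cmd at the given (or resolved) path can
# still administer it afterwards; refuse otherwise.
lockdown_enable_safely() {
    path="${1:-$(fwcmd_path)}"
    if ! lockdown_whitelisted "$path"; then
        printf 'refusing --lockdown-on: %s is not on the lockdown whitelist\n' "$path" >&2
        return 1
    fi
    "$FIREWALL_CMD" --lockdown-on
}
```

       Note that a prefix entry such as /usr/bin/firewall-cmd* whitelists
       every command line starting with that path, which is exactly what
       makes --lockdown-off possible later; an exact entry without
       arguments would not match the --lockdown-off invocation.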
   Panic Options
       --panic-on
           Enable panic mode. All incoming and outgoing packets are dropped
           and active connections will expire. Enable this only if there are
           serious problems with your network environment, for example if
           the machine is being broken into.

           This is a runtime-only change.

       --panic-off
           Disable panic mode. After disabling panic mode, established
           connections might work again if panic mode was enabled for only a
           short period of time.

           This is a runtime-only change.

       --query-panic
           Returns 0 if panic mode is enabled, 1 otherwise.

EXAMPLES
       For more examples see http://fedoraproject.org/wiki/FirewallD

   Example 1
       Enable the http service in the default zone. This is a runtime-only
       change, i.e. effective until restart.

           firewall-cmd --add-service=http

   Example 2
       Enable port 443/tcp immediately and permanently in the default zone.
       To make the change effective immediately and also after a restart we
       need two commands. The first command makes the change in the runtime
       configuration, i.e. makes it effective immediately, until restart.
       The second command makes the change in the permanent configuration,
       i.e. makes it effective after restart.

           firewall-cmd --add-port=443/tcp
           firewall-cmd --permanent --add-port=443/tcp

EXIT CODES
       On success 0 is returned. On failure the output is colored red and
       the exit code is either 2 in case of wrong command-line option usage
       or one of the following error codes in other cases:

           ┌────────────────────┬──────┐
           │String              │ Code │
           ├────────────────────┼──────┤
           │ALREADY_ENABLED     │  11  │
           │NOT_ENABLED         │  12  │
           │COMMAND_FAILED      │  13  │
           │NO_IPV6_NAT         │  14  │
           │PANIC_MODE          │  15  │
           │ZONE_ALREADY_SET    │  16  │
           │UNKNOWN_INTERFACE   │  17  │
           │ZONE_CONFLICT       │  18  │
           │BUILTIN_CHAIN       │  19  │
           │EBTABLES_NO_REJECT  │  20  │
           │NOT_OVERLOADABLE    │  21  │
           │NO_DEFAULTS         │  22  │
           │BUILTIN_ZONE        │  23  │
           │BUILTIN_SERVICE     │  24  │
           │BUILTIN_ICMPTYPE    │  25  │
           │NAME_CONFLICT       │  26  │
           │NAME_MISMATCH       │  27  │
           │PARSE_ERROR         │  28  │
           │ACCESS_DENIED       │  29  │
           │UNKNOWN_SOURCE      │  30  │
           │RT_TO_PERM_FAILED   │  31  │
           │IPSET_WITH_TIMEOUT  │  32  │
           │BUILTIN_IPSET       │  33  │
           │ALREADY_SET         │  34  │
           │MISSING_IMPORT      │  35  │
           │DBUS_ERROR          │  36  │
           │BUILTIN_HELPER      │  37  │
           │NOT_APPLIED         │  38  │
           │INVALID_ACTION      │ 100  │
           │INVALID_SERVICE     │ 101  │
           │INVALID_PORT        │ 102  │
           │INVALID_PROTOCOL    │ 103  │
           │INVALID_INTERFACE   │ 104  │
           │INVALID_ADDR        │ 105  │
           │INVALID_FORWARD     │ 106  │
           │INVALID_ICMPTYPE    │ 107  │
           │INVALID_TABLE       │ 108  │
           │INVALID_CHAIN       │ 109  │
           │INVALID_TARGET      │ 110  │
           │INVALID_IPV         │ 111  │
           │INVALID_ZONE        │ 112  │
           │INVALID_PROPERTY    │ 113  │
           │INVALID_VALUE       │ 114  │
           │INVALID_OBJECT      │ 115  │
           │INVALID_NAME        │ 116  │
           │INVALID_FILENAME    │ 117  │
           │INVALID_DIRECTORY   │ 118  │
           │INVALID_TYPE        │ 119  │
           │INVALID_SETTING     │ 120  │
           │INVALID_DESTINATION │ 121  │
           │INVALID_RULE        │ 122  │
           │INVALID_LIMIT       │ 123  │
           │INVALID_FAMILY      │ 124  │
           │INVALID_LOG_LEVEL   │ 125  │
           │INVALID_AUDIT_TYPE  │ 126  │
           │INVALID_MARK        │ 127  │
           │INVALID_CONTEXT     │ 128  │
           │INVALID_COMMAND     │ 129  │
           │INVALID_USER        │ 130  │
           │INVALID_UID         │ 131  │
           │INVALID_MODULE      │ 132  │
           │INVALID_PASSTHROUGH │ 133  │
           │INVALID_MAC         │ 134  │
           │INVALID_IPSET       │ 135  │
           │INVALID_ENTRY       │ 136  │
           │INVALID_OPTION      │ 137  │
           │INVALID_HELPER      │ 138  │
           │INVALID_PRIORITY    │ 139  │
           │INVALID_POLICY      │ 140  │
           │MISSING_TABLE       │ 200  │
           │MISSING_CHAIN       │ 201  │
           │MISSING_PORT        │ 202  │
           │MISSING_PROTOCOL    │ 203  │
           │MISSING_ADDR        │ 204  │
           │MISSING_NAME        │ 205  │
           │MISSING_SETTING     │ 206  │
           │MISSING_FAMILY      │ 207  │
           │RUNNING_BUT_FAILED  │ 251  │
           │NOT_RUNNING         │ 252  │
           │NOT_AUTHORIZED      │ 253  │
           │UNKNOWN_ERROR       │ 254  │
           └────────────────────┴──────┘

       Note that the return codes of --query-* options are special:
       successful queries return 0, unsuccessful ones return 1, unless an
       error occurred, in which case the table above applies.
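
       Scripts that drive firewall-cmd have to apply these rules themselves:
       a change option can legitimately return ALREADY_ENABLED, NOT_ENABLED
       or ZONE_ALREADY_SET when the firewall is already in the requested
       state, while for a --query-* option only 0 and 1 are answers and any
       other code is an error, not "no". The shell wrapper below is an added
       example, not code from this man page or from firewalld: it maps the
       numeric codes of the table to their strings and applies both rules.
       The FIREWALL_CMD variable and the fake client in the test are
       constructed; the name USAGE_ERROR for code 2 is chosen for the
       example and does not appear in the table.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page: apply the exit-code rules
# documented in EXIT CODES from a script. FIREWALL_CMD and the fake client used
# in the test are constructed; the numeric codes are the ones in the table.

FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Map an exit code to its error string from the table (the codes a script that
# applies changes usually needs to tell apart; others come back as ERROR_<n>).
fwcmd_error_name() {
    case "$1" in
        0)   echo OK ;;
        2)   echo USAGE_ERROR ;;   # not in the table: wrong option usage
        11)  echo ALREADY_ENABLED ;;
        12)  echo NOT_ENABLED ;;
        13)  echo COMMAND_FAILED ;;
        16)  echo ZONE_ALREADY_SET ;;
        29)  echo ACCESS_DENIED ;;
        36)  echo DBUS_ERROR ;;
        251) echo RUNNING_BUT_FAILED ;;
        252) echo NOT_RUNNING ;;
        253) echo NOT_AUTHORIZED ;;
        254) echo UNKNOWN_ERROR ;;
        *)   echo "ERROR_$1" ;;
    esac
}

# A change that reports ALREADY_ENABLED, NOT_ENABLED or ZONE_ALREADY_SET has
# left the firewall in the requested state; treat those like 0, as the man
# page does for sequence options.
fwcmd_idempotent_ok() {
    case "$1" in
        0|11|12|16) return 0 ;;
        *) return 1 ;;
    esac
}

# Run a change option, e.g. fw_apply --permanent --add-port=443/tcp, and
# return 0 when the requested state is in place; otherwise report the error
# string on stderr and propagate the exit code.
fw_apply() {
    rc=0
    "$FIREWALL_CMD" "$@" || rc=$?
    if fwcmd_idempotent_ok "$rc"; then
        return 0
    fi
    printf 'firewall-cmd %s: %s (%s)\n' "$*" "$(fwcmd_error_name "$rc")" "$rc" >&2
    return "$rc"
}

# Run a --query-* option, e.g. fw_query --query-port=443/tcp: prints yes or no
# and returns 0 for a definite answer; any other code is an error, not "no".
fw_query() {
    rc=0
    "$FIREWALL_CMD" "$@" >/dev/null || rc=$?
    case "$rc" in
        0) echo yes; return 0 ;;
        1) echo no; return 0 ;;
        *) fwcmd_error_name "$rc" >&2; return "$rc" ;;
    esac
}
```

       The distinction in fw_query matters for NOT_RUNNING (252): a naive
       "non-zero means no" check would conclude that a port is closed when
       the daemon is simply not there to answer.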

SEE ALSO
       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5),
       firewalld.service(5), firewalld.zone(5), firewalld.zones(5),
       firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5),
       firewalld.helper(5)

NOTES
       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD

AUTHORS
       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer

firewalld 1.0.5                                                FIREWALL-CMD(1)