1FIREWALL-CMD(1) firewall-cmd FIREWALL-CMD(1)
2
6 firewall-cmd - firewalld command line client
7
9 firewall-cmd [OPTIONS...]
10
12 firewall-cmd is the command line client of the firewalld daemon. It
13 provides an interface to manage the runtime and permanent
14 configurations.
15 The runtime configuration in firewalld is separated from the permanent
17 configuration. This means that things can get changed in the runtime or
18 permanent configuration.
19
21 Sequence options are the options that can be specified multiple times,
22 the exit code is 0 if there is at least one item that succeeded. The
23 ALREADY_ENABLED (11), NOT_ENABLED (12) and also ZONE_ALREADY_SET (16)
24 errors are treated as succeeded. If there are issues while parsing the
25 items, then these are treated as warnings and will not change the
26 result as long as there is a succeeded one. Without any succeeded item,
27 the exit code will depend on the error codes. If there is exactly one
28 error code, then this is used. If there are more than one then
29 UNKNOWN_ERROR (254) will be used.
30 The following options are supported:
32 General Options
34 -h, --help
35 Prints a short help text and exits.
36 -V, --version
38 Print the version string of firewalld. This option is not
39 combinable with other options.
40 -q, --quiet
42 Do not print status messages.
43 Status Options
45 --state
46 Check whether the firewalld daemon is active (i.e. running).
47 Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if
48 failure occurred on startup, NOT_RUNNING otherwise. See the section
49 called “EXIT CODES”. This will also print the state to STDOUT.
50 --reload
52 Reload firewall rules and keep state information. Current permanent
53 configuration will become new runtime configuration, i.e. all
54 runtime only changes done until reload are lost with reload if they
55 have not been also in permanent configuration.
56 Note: If FlushAllOnReload=no, runtime changes applied via the
58 direct interface are not affected and will therefore stay in place
59 until firewalld daemon is restarted completely. For
60 FlushAllOnReload, see firewalld.conf(5).
61 --complete-reload
63 Reload firewall completely, even netfilter kernel modules. This
64 will most likely terminate active connections, because state
65 information is lost. This option should only be used in case of
66 severe firewall problems. For example if there are state
67 information problems that no connection can be established with
68 correct firewall rules.
69 Note: If FlushAllOnReload=no, runtime changes applied via the
71 direct interface are not affected and will therefore stay in place
72 until firewalld daemon is restarted completely. For
73 FlushAllOnReload, see firewalld.conf(5).
74 --runtime-to-permanent
76 Save active runtime configuration and overwrite permanent
77 configuration with it. The way this is supposed to work is that
78 when configuring firewalld you do runtime changes only and once
79 you're happy with the configuration and you tested that it works
80 the way you want, you save the configuration to disk.
81 --check-config
83 Run checks on the permanent configuration. This includes XML
84 validity and semantics.
85 Log Denied Options
87 --get-log-denied
88 Print the log denied setting.
89 --set-log-denied=value
91 Add logging rules right before reject and drop rules in the INPUT,
92 FORWARD and OUTPUT chains for the default rules and also final
93 reject and drop rules in zones for the configured link-layer packet
94 type. The possible values are: all, unicast, broadcast, multicast
95 and off. The default setting is off, which disables the logging.
96 This is a runtime and permanent change and will also reload the
98 firewall to be able to add the logging rules.
99 Permanent Options
101 --permanent
102 The permanent option --permanent can be used to set options
103 permanently. These changes are not effective immediately, only
104 after service restart/reload or system reboot. Without the
105 --permanent option, a change will only be part of the runtime
106 configuration.
107 If you want to make a change in runtime and permanent
109 configuration, use the same call with and without the --permanent
110 option.
111 The --permanent option can be optionally added to all options
113 further down where it is supported.
114 Zone Options
116 --get-default-zone
117 Print default zone for connections and interfaces.
118 --set-default-zone=zone
120 Set default zone for connections and interfaces where no zone has
121 been selected. Setting the default zone changes the zone for the
122 connections or interfaces, that are using the default zone.
123 This is a runtime and permanent change.
125 --get-active-zones
127 Print currently active zones altogether with interfaces and sources
128 used in these zones. Active zones are zones, that have a binding to
129 an interface or source. The output format is:
130 zone1
132 interfaces: interface1 interface2 ..
133 sources: source1 ..
134 zone2
135 interfaces: interface3 ..
136 zone3
137 sources: source2 ..
138 If there are no interfaces or sources bound to the zone, the
141 corresponding line will be omitted.
142 [--permanent] --get-zones
144 Print predefined zones as a space separated list.
145 [--permanent] --get-services
147 Print predefined services as a space separated list.
148 [--permanent] --get-icmptypes
150 Print predefined icmptypes as a space separated list.
151 [--permanent] --get-zone-of-interface=interface
153 Print the name of the zone the interface is bound to or no zone.
154 [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
156 Print the name of the zone the source is bound to or no zone.
157 [--permanent] --info-zone=zone
159 Print information about the zone zone. The output format is:
160 zone
162 interfaces: interface1 ..
163 sources: source1 ..
164 services: service1 ..
165 ports: port1 ..
166 protocols: protocol1 ..
167 forward-ports:
168 forward-port1
169 ..
170 source-ports: source-port1 ..
171 icmp-blocks: icmp-type1 ..
172 rich rules:
173 rich-rule1
174 ..
175 [--permanent] --list-all-zones
179 List everything added for or enabled in all zones. The output
180 format is:
181 zone1
183 interfaces: interface1 ..
184 sources: source1 ..
185 services: service1 ..
186 ports: port1 ..
187 protocols: protocol1 ..
188 forward-ports:
189 forward-port1
190 ..
191 icmp-blocks: icmp-type1 ..
192 rich rules:
193 rich-rule1
194 ..
195 ..
196 --permanent --new-zone=zone
200 Add a new permanent and empty zone.
201 Zone names must be alphanumeric and may additionally include
203 characters: '_' and '-'.
204 --permanent --new-zone-from-file=filename [--name=zone]
206 Add a new permanent zone from a prepared zone file with an optional
207 name override.
208 --permanent --delete-zone=zone
210 Delete an existing permanent zone.
211 --permanent --load-zone-defaults=zone
213 Load zone default settings or report NO_DEFAULTS error.
214 --permanent --path-zone=zone
216 Print path of the zone configuration file.
217 Policy Options
219 [--permanent] --get-policies
220 Print predefined policies as a space separated list.
221 [--permanent] --info-policy=policy
223 Print information about the policy policy.
224 [--permanent] --list-all-policies
226 List everything added for or enabled in all policies.
227 --permanent --new-policy=policy
229 Add a new permanent policy.
230 Policy names must be alphanumeric and may additionally include
232 characters: '_' and '-'.
233 --permanent --new-policy-from-file=filename [--name=policy]
235 Add a new permanent policy from a prepared policy file with an
236 optional name override.
237 --permanent --path-policy=policy
239 Print path of the policy configuration file.
240 --permanent --delete-policy=policy
242 Delete an existing permanent policy.
243 --permanent --load-policy-defaults=policy
245 Load the shipped defaults for a policy. Only applies to policies
246 shipped with firewalld. Does not apply to user defined policies.
247 Options to Adapt and Query Zones and Policies
249 Options in this section affect only one particular zone or policy. If
250 used with --zone=zone or --policy=policy option, they affect the
251 specified zone or policy. If both options are omitted, they affect the
252 default zone (see --get-default-zone).
253 [--permanent] [--zone=zone] [--policy=policy] --list-all
255 List everything added or enabled.
256 --permanent [--zone=zone] [--policy=policy] --get-target
258 Get the target.
259 --permanent [--zone=zone] [--policy=policy] --set-target=target
261 Set the target.
262 For zones target is one of: default, ACCEPT, DROP, REJECT
264 For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT
266 default is similar to REJECT, but it implicitly allows ICMP
268 packets.
269 --permanent [--zone=zone] [--policy=policy]
271 --set-description=description
272 Set description.
273 --permanent [--zone=zone] [--policy=policy] --get-description
275 Print description.
276 --permanent [--zone=zone] [--policy=policy] --set-short=description
278 Set short description.
279 --permanent [--zone=zone] [--policy=policy] --get-short
281 Print short description.
282 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
284 --list-services
285 List services added as a space separated list.
286 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
288 --add-service=service [--timeout=timeval]
289 Add a service. This option can be specified multiple times. If a
290 timeout is supplied, the rule will be active for the specified
291 amount of time and will be removed automatically afterwards.
292 timeval is either a number (of seconds) or number followed by one
293 of characters s (seconds), m (minutes), h (hours), for example 20m
294 or 1h.
295 The service is one of the firewalld provided services. To get a
297 list of the supported services, use firewall-cmd --get-services.
298 The --timeout option is not combinable with the --permanent option.
300 Note: Some services define connection tracking helpers. Helpers
302 that may operate in client mode (e.g. tftp) must be added to an
303 outbound policy instead of a zone to take effect for clients.
304 Otherwise the helper will not be applied to the outbound traffic.
305 The related traffic, as defined by the connection tracking helper,
306 on the return path (ingress) will be allowed by the stateful
307 firewall rules.
308 An example of an outbound policy for connection tracking helpers:
310 # firewall-cmd --permanent --new-policy clientConntrack
312 # firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
313 # firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
314 # firewall-cmd --permanent --policy clientConntrack --add-service tftp
315 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
319 --remove-service=service
320 Remove a service. This option can be specified multiple times.
321 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
323 --query-service=service
324 Return whether service has been added. Returns 0 if true, 1
325 otherwise.
326 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
328 --list-ports
329 List ports added as a space separated list. A port is of the form
330 portid[-portid]/protocol, it can be either a port and protocol pair
331 or a port range with a protocol.
332 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
334 --add-port=portid[-portid]/protocol [--timeout=timeval]
335 Add the port. This option can be specified multiple times. If a
336 timeout is supplied, the rule will be active for the specified
337 amount of time and will be removed automatically afterwards.
338 timeval is either a number (of seconds) or number followed by one
339 of characters s (seconds), m (minutes), h (hours), for example 20m
340 or 1h.
341 The port can either be a single port number or a port range
343 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
344 The --timeout option is not combinable with the --permanent option.
346 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
348 --remove-port=portid[-portid]/protocol
349 Remove the port. This option can be specified multiple times.
350 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
352 --query-port=portid[-portid]/protocol
353 Return whether the port has been added. Returns 0 if true, 1
354 otherwise.
355 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
357 --list-protocols
358 List protocols added as a space separated list.
359 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
361 --add-protocol=protocol [--timeout=timeval]
362 Add the protocol. This option can be specified multiple times. If a
363 timeout is supplied, the rule will be active for the specified
364 amount of time and will be removed automatically afterwards.
365 timeval is either a number (of seconds) or number followed by one
366 of characters s (seconds), m (minutes), h (hours), for example 20m
367 or 1h.
368 The protocol can be any protocol supported by the system. Please
370 have a look at /etc/protocols for supported protocols.
371 The --timeout option is not combinable with the --permanent option.
373 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
375 --remove-protocol=protocol
376 Remove the protocol. This option can be specified multiple times.
377 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
379 --query-protocol=protocol
380 Return whether the protocol has been added. Returns 0 if true, 1
381 otherwise.
382 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
384 --list-source-ports
385 List source ports added as a space separated list. A port is of the
386 form portid[-portid]/protocol.
387 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
389 --add-source-port=portid[-portid]/protocol [--timeout=timeval]
390 Add the source port. This option can be specified multiple times.
391 If a timeout is supplied, the rule will be active for the specified
392 amount of time and will be removed automatically afterwards.
393 timeval is either a number (of seconds) or number followed by one
394 of characters s (seconds), m (minutes), h (hours), for example 20m
395 or 1h.
396 The port can either be a single port number or a port range
398 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
399 The --timeout option is not combinable with the --permanent option.
401 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
403 --remove-source-port=portid[-portid]/protocol
404 Remove the source port. This option can be specified multiple
405 times.
406 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
408 --query-source-port=portid[-portid]/protocol
409 Return whether the source port has been added. Returns 0 if true, 1
410 otherwise.
411 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
413 --list-icmp-blocks
414 List Internet Control Message Protocol (ICMP) type blocks added as
415 a space separated list.
416 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
418 --add-icmp-block=icmptype [--timeout=timeval]
419 Add an ICMP block for icmptype. This option can be specified
420 multiple times. If a timeout is supplied, the rule will be active
421 for the specified amount of time and will be removed automatically
422 afterwards. timeval is either a number (of seconds) or number
423 followed by one of characters s (seconds), m (minutes), h (hours),
424 for example 20m or 1h.
425 The icmptype is the one of the icmp types firewalld supports. To
427 get a listing of supported icmp types: firewall-cmd --get-icmptypes
428 The --timeout option is not combinable with the --permanent option.
430 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
432 --remove-icmp-block=icmptype
433 Remove the ICMP block for icmptype. This option can be specified
434 multiple times.
435 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
437 --query-icmp-block=icmptype
438 Return whether an ICMP block for icmptype has been added. Returns 0
439 if true, 1 otherwise.
440 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
442 --list-forward-ports
443 List IPv4 forward ports added as a space separated list.
444 For IPv6 forward ports, please use the rich language.
446 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
448 --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
449 [--timeout=timeval]
450 Add the IPv4 forward port. This option can be specified multiple
451 times. If a timeout is supplied, the rule will be active for the
452 specified amount of time and will be removed automatically
453 afterwards. timeval is either a number (of seconds) or number
454 followed by one of characters s (seconds), m (minutes), h (hours),
455 for example 20m or 1h.
456 The port can either be a single port number portid or a port range
458 portid-portid. The protocol can either be tcp, udp, sctp or dccp.
459 The destination address is a simple IP address.
460 The --timeout option is not combinable with the --permanent option.
462 For IPv6 forward ports, please use the rich language.
464 Note: IP forwarding will be implicitly enabled if toaddr is
466 specified.
467 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
469 --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
470 Remove the IPv4 forward port. This option can be specified multiple
471 times.
472 For IPv6 forward ports, please use the rich language.
474 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
476 --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
477 Return whether the IPv4 forward port has been added. Returns 0 if
478 true, 1 otherwise.
479 For IPv6 forward ports, please use the rich language.
481 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
483 --add-masquerade [--timeout=timeval]
484 Enable IPv4 masquerade. If a timeout is supplied, masquerading will
485 be active for the specified amount of time. timeval is either a
486 number (of seconds) or number followed by one of characters s
487 (seconds), m (minutes), h (hours), for example 20m or 1h.
488 Masquerading is useful if the machine is a router and machines
489 connected over an interface in another zone should be able to use
490 the first connection.
491 The --timeout option is not combinable with the --permanent option.
493 For IPv6 masquerading, please use the rich language.
495 Note: IP forwarding will be implicitly enabled.
497 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
499 --remove-masquerade
500 Disable IPv4 masquerade. If the masquerading was enabled with a
501 timeout, it will be disabled also.
502 For IPv6 masquerading, please use the rich language.
504 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
506 --query-masquerade
507 Return whether IPv4 masquerading has been enabled. Returns 0 if
508 true, 1 otherwise.
509 For IPv6 masquerading, please use the rich language.
511 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
513 --list-rich-rules
514 List rich language rules added as a newline separated list.
515 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
517 --add-rich-rule='rule' [--timeout=timeval]
518 Add rich language rule 'rule'. This option can be specified
519 multiple times. If a timeout is supplied, the rule will be active
520 for the specified amount of time and will be removed automatically
521 afterwards. timeval is either a number (of seconds) or number
522 followed by one of characters s (seconds), m (minutes), h (hours),
523 for example 20m or 1h.
524 For the rich language rule syntax, please have a look at
526 firewalld.richlanguage(5).
527 The --timeout option is not combinable with the --permanent option.
529 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
531 --remove-rich-rule='rule'
532 Remove rich language rule 'rule'. This option can be specified
533 multiple times.
534 For the rich language rule syntax, please have a look at
536 firewalld.richlanguage(5).
537 [--permanent] [--zone=zone] [--permanent] [--policy=policy]
539 --query-rich-rule='rule'
540 Return whether a rich language rule 'rule' has been added. Returns
541 0 if true, 1 otherwise.
542 For the rich language rule syntax, please have a look at
544 firewalld.richlanguage(5).
545 Options to Adapt and Query Zones
547 Options in this section affect only one particular zone. If used with
548 --zone=zone option, they affect the specified zone. If the option is
549 omitted, they affect default zone (see --get-default-zone).
550 [--permanent] [--zone=zone] --add-icmp-block-inversion
552 Enable ICMP block inversion.
553 [--permanent] [--zone=zone] --remove-icmp-block-inversion
555 Disable ICMP block inversion.
556 [--permanent] [--zone=zone] --query-icmp-block-inversion
558 Return whether ICMP block inversion is enabled. Returns 0 if true,
559 1 otherwise.
560 [--permanent] [--zone=zone] --add-forward
562 Enable intra zone forwarding.
563 [--permanent] [--zone=zone] --remove-forward
565 Disable intra zone forwarding.
566 [--permanent] [--zone=zone] --query-forward
568 Return whether intra zone forwarding is enabled. Returns 0 if true,
569 1 otherwise.
570 Options to Adapt and Query Policies
572 Options in this section affect only one particular policy. It's
573 required to specify --policy=policy with these options.
574 --permanent --policy=policy --get-priority
576 Get the priority.
577 --permanent --policy=policy --set-priority=priority
579 Set the priority. The priority determines the relative ordering of
580 policies. This is an integer value between -32768 and 32767 where
581 -1 is the default value for new policies and 0 is reserved for
582 internal use.
583 If a priority is < 0, then the policy's rules will execute before
585 all rules in all zones.
586 If a priority is > 0, then the policy's rules will execute after
588 all rules in all zones.
589 [--permanent] --policy=policy --list-ingress-zones
591 List ingress zones added as a space separated list.
592 [--permanent] --policy=policy --add-ingress-zone=zone
594 Add an ingress zone. This option can be specified multiple times.
595 The ingress zone is one of the firewalld provided zones or one of
597 the pseudo-zones: HOST, ANY.
598 HOST is used for traffic originating from the host machine, i.e.
600 the host running firewalld.
601 ANY is used for traffic originating from any zone. This can be
603 thought of as a wild card for zones. However it does not include
604 traffic originating from the host machine - use HOST for that.
605 [--permanent] --policy=policy --remove-ingress-zone=zone
607 Remove an ingress zone. This option can be specified multiple
608 times.
609 [--permanent] --policy=policy --query-ingress-zone=zone
611 Return whether zone has been added. Returns 0 if true, 1 otherwise.
612 [--permanent] --policy=policy --list-egress-zones
614 List egress zones added as a space separated list.
615 [--permanent] --policy=policy --add-egress-zone=zone
617 Add an egress zone. This option can be specified multiple times.
618 The egress zone is one of the firewalld provided zones or one of
620 the pseudo-zones: HOST, ANY.
621 For clarification on HOST and ANY see option --add-ingress-zone.
623 [--permanent] --policy=policy --remove-egress-zone=zone
625 Remove an egress zone. This option can be specified multiple times.
626 [--permanent] --policy=policy --query-egress-zone=zone
628 Return whether zone has been added. Returns 0 if true, 1 otherwise.
629 Options to Handle Bindings of Interfaces
631 Binding an interface to a zone means that this zone settings are used
632 to restrict traffic via the interface.
633 Options in this section affect only one particular zone. If used with
635 --zone=zone option, they affect the zone zone. If the option is
636 omitted, they affect default zone (see --get-default-zone).
637 For a list of predefined zones use firewall-cmd --get-zones.
639 An interface name is a string up to 16 characters long, that may not
641 contain ' ', '/', '!' and '*'.
642 [--permanent] [--zone=zone] --list-interfaces
644 List interfaces that are bound to zone zone as a space separated
645 list. If zone is omitted, default zone will be used.
646 [--permanent] [--zone=zone] --add-interface=interface
648 Bind interface interface to zone zone. If zone is omitted, default
649 zone will be used.
650 If the interface is under control of NetworkManager, it is at first
652 connected to change the zone for the connection that is using the
653 interface. If this fails, the zone binding is created in firewalld
654 and the limitations below apply. For interfaces that are not under
655 control of NetworkManager, firewalld tries to change the ZONE
656 setting in the ifcfg file, if the file exists.
657 As a end user you don't need this in most cases, because
659 NetworkManager (or legacy network service) adds interfaces into
660 zones automatically (according to ZONE= option from ifcfg-interface
661 file) if NM_CONTROLLED=no is not set. You should do it only if
662 there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
663 there is such file and you add interface to zone with this
664 --add-interface option, make sure the zone is the same in both
665 cases, otherwise the behaviour would be undefined. Please also have
666 a look at the firewalld(1) man page in the Concepts section. For
667 permanent association of interface with a zone, see also 'How to
668 set or change a zone for a connection?' in firewalld.zones(5).
669 [--permanent] [--zone=zone] --change-interface=interface
671 If the interface is under control of NetworkManager, it is at first
672 connected to change the zone for the connection that is using the
673 interface. If this fails, the zone binding is created in firewalld
674 and the limitations below apply. For interfaces that are not under
675 control of NetworkManager, firewalld tries to change the ZONE
676 setting in the ifcfg file, if the file exists.
677 Change zone the interface interface is bound to to zone zone. It's
679 basically --remove-interface followed by --add-interface. If the
680 interface has not been bound to a zone before, it behaves like
681 --add-interface. If zone is omitted, default zone will be used.
682 [--permanent] [--zone=zone] --query-interface=interface
684 Query whether interface interface is bound to zone zone. Returns 0
685 if true, 1 otherwise.
686 [--permanent] --remove-interface=interface
688 If the interface is under control of NetworkManager, it is at first
689 connected to change the zone for the connection that is using the
690 interface. If this fails, the zone binding is created in firewalld
691 and the limitations below apply.
692 For the addition or change of interfaces that are not under control
694 of NetworkManager: firewalld tries to change the ZONE setting in
695 the ifcfg file, if an ifcfg file exists that is using the
696 interface.
697 Only for the removal of interfaces that are not under control of
699 NetworkManager: firewalld is not trying to change the ZONE setting
700 in the ifcfg file. This is needed to make sure that an ifdown of
701 the interface will not result in a reset of the zone setting to the
702 default zone. Only the zone binding is then removed in firewalld
703 then.
704 Remove binding of interface interface from zone it was previously
706 added to.
707 Options to Handle Bindings of Sources
709 Binding a source to a zone means that this zone settings will be used
710 to restrict traffic from this source.
711 A source address or address range is either an IP address or a network
713 IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
714 with the ipset: prefix. For IPv4, the mask can be a network mask or a
715 plain number. For IPv6 the mask is a plain number. The use of host
716 names is not supported.
717 Options in this section affect only one particular zone. If used with
719 --zone=zone option, they affect the zone zone. If the option is
720 omitted, they affect default zone (see --get-default-zone).
721 For a list of predefined zones use firewall-cmd [--permanent]
723 --get-zones.
724 [--permanent] [--zone=zone] --list-sources
726 List sources that are bound to zone zone as a space separated list.
727 If zone is omitted, default zone will be used.
728 [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
730 Bind the source to zone zone. If zone is omitted, default zone will
731 be used.
732 [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
734 Change zone the source is bound to to zone zone. It's basically
735 --remove-source followed by --add-source. If the source has not
736 been bound to a zone before, it behaves like --add-source. If zone
737 is omitted, default zone will be used.
738 [--permanent] [--zone=zone]
740 --query-source=source[/mask]|MAC|ipset:ipset
741 Query whether the source is bound to the zone zone. Returns 0 if
742 true, 1 otherwise.
743 [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
745 Remove binding of the source from zone it was previously added to.
746 IPSet Options
748 --get-ipset-types
749 Print the supported ipset types.
750 --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
752 [--option=key[=value]]
753 Add a new permanent and empty ipset with specifying the type and
754 optional the family and options like timeout, hashsize and maxelem.
755 For more information please have a look at ipset(8) man page.
756 ipset names must be alphanumeric and may additionally include
758 characters: '_' and '-'.
759 --permanent --new-ipset-from-file=filename [--name=ipset]
761 Add a new permanent ipset from a prepared ipset file with an
762 optional name override.
763 --permanent --delete-ipset=ipset
765 Delete an existing permanent ipset.
766 --permanent --load-ipset-defaults=ipset
768 Load ipset default settings or report NO_DEFAULTS error.
769 [--permanent] --info-ipset=ipset
771 Print information about the ipset ipset. The output format is:
772 ipset
774 type: type
775 options: option1[=value1] ..
776 entries: entry1 ..
777 [--permanent] --get-ipsets
781 Print predefined ipsets as a space separated list.
782 --permanent --ipset=ipset --set-description=description
784 Set new description to ipset
785 --permanent --ipset=ipset --get-description
787 Print description for ipset
788 --permanent --ipset=ipset --set-short=description
790 Set short description to ipset
791 --permanent --ipset=ipset --get-short
793 Print short description for ipset
794 [--permanent] --ipset=ipset --add-entry=entry
796 Add a new entry to the ipset.
797 Adding an entry to an ipset with option timeout is permitted, but
799 these entries are not tracked by firewalld.
800 [--permanent] --ipset=ipset --remove-entry=entry
802 Remove an entry from the ipset.
803 [--permanent] --ipset=ipset --query-entry=entry
805 Return whether the entry has been added to an ipset. Returns 0 if
806 true, 1 otherwise.
807 Querying an ipset with a timeout will yield an error. Entries are
809 not tracked for ipsets with a timeout.
810 [--permanent] --ipset=ipset --get-entries
812 List all entries of the ipset.
813 [--permanent] --ipset=ipset --add-entries-from-file=filename
815 Add a new entries to the ipset from the file. For all entries that
816 are listed in the file but already in the ipset, a warning will be
817 printed.
818 The file should contain an entry per line. Lines starting with an
820 hash or semicolon are ignored. Also empty lines.
821 [--permanent] --ipset=ipset --remove-entries-from-file=filename
823 Remove existing entries from the ipset from the file. For all
824 entries that are listed in the file but not in the ipset, a warning
825 will be printed.
826 The file should contain an entry per line. Lines starting with an
828 hash or semicolon are ignored. Also empty lines.
829 --permanent --path-ipset=ipset
831 Print path of the ipset configuration file.
832 Service Options
834 Options in this section affect only one particular service.
835 [--permanent] --info-service=service
837 Print information about the service service. The output format is:
838 service
840 ports: port1 ..
841 protocols: protocol1 ..
842 source-ports: source-port1 ..
843 helpers: helper1 ..
844 destination: ipv1:address1 ..
845 The following options are only usable in the permanent configuration.
849 --permanent --new-service=service
851 Add a new permanent and empty service.
852 Service names must be alphanumeric and may additionally include
854 characters: '_' and '-'.
855 --permanent --new-service-from-file=filename [--name=service]
857 Add a new permanent service from a prepared service file with an
858 optional name override.
859 --permanent --delete-service=service
861 Delete an existing permanent service.
862 --permanent --load-service-defaults=service
864 Load service default settings or report NO_DEFAULTS error.
865 --permanent --path-service=service
867 Print path of the service configuration file.
868 --permanent --service=service --set-description=description
870 Set new description to service
871 --permanent --service=service --get-description
873 Print description for service
874 --permanent --service=service --set-short=description
876 Set short description to service
877 --permanent --service=service --get-short
879 Print short description for service
880 --permanent --service=service --add-port=portid[-portid]/protocol
882 Add a new port to the permanent service.
883 --permanent --service=service --remove-port=portid[-portid]/protocol
885 Remove a port from the permanent service.
886 --permanent --service=service --query-port=portid[-portid]/protocol
888 Return whether the port has been added to the permanent service.
889 --permanent --service=service --get-ports
891 List ports added to the permanent service.
892 --permanent --service=service --add-protocol=protocol
894 Add a new protocol to the permanent service.
895 --permanent --service=service --remove-protocol=protocol
897 Remove a protocol from the permanent service.
898 --permanent --service=service --query-protocol=protocol
900 Return whether the protocol has been added to the permanent
901 service.
902 --permanent --service=service --get-protocols
904 List protocols added to the permanent service.
905 --permanent --service=service
907 --add-source-port=portid[-portid]/protocol
908 Add a new source port to the permanent service.
909 --permanent --service=service
911 --remove-source-port=portid[-portid]/protocol
912 Remove a source port from the permanent service.
913 --permanent --service=service
915 --query-source-port=portid[-portid]/protocol
916 Return whether the source port has been added to the permanent
917 service.
918 --permanent --service=service --get-source-ports
920 List source ports added to the permanent service.
921 --permanent --service=service --add-helper=helper
923 Add a new helper to the permanent service.
924 --permanent --service=service --remove-helper=helper
926 Remove a helper from the permanent service.
927 --permanent --service=service --query-helper=helper
929 Return whether the helper has been added to the permanent service.
930 --permanent --service=service --get-service-helpers
932 List helpers added to the permanent service.
933 --permanent --service=service --set-destination=ipv:address[/mask]
935 Set destination for ipv to address[/mask] in the permanent service.
936 --permanent --service=service --remove-destination=ipv
938 Remove the destination for ipv from the permanent service.
939 --permanent --service=service --query-destination=ipv:address[/mask]
941 Return whether the destination ipv to address[/mask] has been set
942 in the permanent service.
943 --permanent --service=service --get-destinations
945 List destinations added to the permanent service.
946 --permanent --service=service --add-include=service
948 Add a new include to the permanent service.
949 --permanent --service=service --remove-include=service
951 Remove a include from the permanent service.
952 --permanent --service=service --query-include=service
954 Return whether the include has been added to the permanent service.
955 --permanent --service=service --get-includes
957 List includes added to the permanent service.
958 Helper Options
960 Options in this section affect only one particular helper.
961 [--permanent] --info-helper=helper
963 Print information about the helper helper. The output format is:
964 helper
966 family: family
967 module: module
968 ports: port1 ..
969 The following options are only usable in the permanent configuration.
973 --permanent --new-helper=helper --module=nf_conntrack_module
975 [--family=ipv4|ipv6]
976 Add a new permanent helper with module and optionally family
977 defined.
978 Helper names must be alphanumeric and may additionally include
980 characters: '-'.
981 --permanent --new-helper-from-file=filename [--name=helper]
983 Add a new permanent helper from a prepared helper file with an
984 optional name override.
985 --permanent --delete-helper=helper
987 Delete an existing permanent helper.
988 --permanent --load-helper-defaults=helper
990 Load helper default settings or report NO_DEFAULTS error.
991 --permanent --path-helper=helper
993 Print path of the helper configuration file.
994 [--permanent] --get-helpers
996 Print predefined helpers as a space separated list.
997 --permanent --helper=helper --set-description=description
999 Set new description to helper
1000 --permanent --helper=helper --get-description
1002 Print description for helper
1003 --permanent --helper=helper --set-short=description
1005 Set short description to helper
1006 --permanent --helper=helper --get-short
1008 Print short description for helper
1009 --permanent --helper=helper --add-port=portid[-portid]/protocol
1011 Add a new port to the permanent helper.
1012 --permanent --helper=helper --remove-port=portid[-portid]/protocol
1014 Remove a port from the permanent helper.
1015 --permanent --helper=helper --query-port=portid[-portid]/protocol
1017 Return whether the port has been added to the permanent helper.
1018 --permanent --helper=helper --get-ports
1020 List ports added to the permanent helper.
1021 --permanent --helper=helper --set-module=description
1023 Set module description for helper
1024 --permanent --helper=helper --get-module
1026 Print module description for helper
1027 --permanent --helper=helper --set-family=description
1029 Set family description for helper
1030 --permanent --helper=helper --get-family
1032 Print family description of helper
1033 Internet Control Message Protocol (ICMP) type Options
1035 Options in this section affect only one particular icmptype.
1036 [--permanent] --info-icmptype=icmptype
1038 Print information about the icmptype icmptype. The output format
1039 is:
1040 icmptype
1042 destination: ipv1 ..
1043 The following options are only usable in the permanent configuration.
1047 --permanent --new-icmptype=icmptype
1049 Add a new permanent and empty icmptype.
1050 ICMP type names must be alphanumeric and may additionally include
1052 characters: '_' and '-'.
1053 --permanent --new-icmptype-from-file=filename [--name=icmptype]
1055 Add a new permanent icmptype from a prepared icmptype file with an
1056 optional name override.
1057 --permanent --delete-icmptype=icmptype
1059 Delete an existing permanent icmptype.
1060 --permanent --load-icmptype-defaults=icmptype
1062 Load icmptype default settings or report NO_DEFAULTS error.
1063 --permanent --icmptype=icmptype --set-description=description
1065 Set new description to icmptype
1066 --permanent --icmptype=icmptype --get-description
1068 Print description for icmptype
1069 --permanent --icmptype=icmptype --set-short=description
1071 Set short description to icmptype
1072 --permanent --icmptype=icmptype --get-short
1074 Print short description for icmptype
1075 --permanent --icmptype=icmptype --add-destination=ipv
1077 Enable destination for ipv in permanent icmptype. ipv is one of
1078 ipv4 or ipv6.
1079 --permanent --icmptype=icmptype --remove-destination=ipv
1081 Disable destination for ipv in permanent icmptype. ipv is one of
1082 ipv4 or ipv6.
1083 --permanent --icmptype=icmptype --query-destination=ipv
1085 Return whether destination for ipv is enabled in permanent
1086 icmptype. ipv is one of ipv4 or ipv6.
1087 --permanent --icmptype=icmptype --get-destinations
1089 List destinations in permanent icmptype.
1090 --permanent --path-icmptype=icmptype
1092 Print path of the icmptype configuration file.
1093 Direct Options
1095 DEPRECATED
1096 The direct interface has been deprecated. It will be removed in a
1097 future release. It is superseded by policies, see
1098 firewalld.policies(5).
1099 The direct options give a more direct access to the firewall. These
1101 options require user to know basic iptables concepts, i.e. table
1102 (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
1103 (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
1104 (ACCEPT/DROP/REJECT/...).
1105 Direct options should be used only as a last resort when it's not
1107 possible to use for example --add-service=service or
1108 --add-rich-rule='rule'.
1109 Warning: Direct rules behavior is different depending on the value of
1111 FirewallBackend. See CAVEATS in firewalld.direct(5).
1112 The first argument of each option has to be ipv4 or ipv6 or eb. With
1114 ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1115 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1116 [--permanent] --direct --get-all-chains
1118 Get all chains added to all tables. This option concerns only
1119 chains previously added with --direct --add-chain.
1120 [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
1122 Get all chains added to table table as a space separated list. This
1123 option concerns only chains previously added with --direct
1124 --add-chain.
1125 [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
1127 Add a new chain with name chain to table table. Make sure there's
1128 no other chain with this name already.
1129 There already exist basic chains to use with direct options, for
1131 example INPUT_direct chain (see iptables-save | grep direct output
1132 for all of them). These chains are jumped into before chains for
1133 zones, i.e. every rule put into INPUT_direct will be checked before
1134 rules in zones.
1135 [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1137 Remove chain with name chain from table table. Only chains
1138 previously added with --direct --add-chain can be removed this way.
1139 [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
1141 Return whether a chain with name chain exists in table table.
1142 Returns 0 if true, 1 otherwise. This option concerns only chains
1143 previously added with --direct --add-chain.
1144 [--permanent] --direct --get-all-rules
1146 Get all rules added to all chains in all tables as a newline
1147 separated list of the priority and arguments. This option concerns
1148 only rules previously added with --direct --add-rule.
1149 [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
1151 Get all rules added to chain chain in table table as a newline
1152 separated list of the priority and arguments. This option concerns
1153 only rules previously added with --direct --add-rule.
1154 [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
1156 priority args
1157 Add a rule with the arguments args to chain chain in table table
1158 with priority priority.
1159 The priority is used to order rules. Priority 0 means add rule on
1161 top of the chain, with a higher priority the rule will be added
1162 further down. Rules with the same priority are on the same level
1163 and the order of these rules is not fixed and may change. If you
1164 want to make sure that a rule will be added after another one, use
1165 a low priority for the first and a higher for the following.
1166 [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1168 priority args
1169 Remove a rule with priority and the arguments args from chain chain
1170 in table table. Only rules previously added with --direct
1171 --add-rule can be removed this way.
1172 [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1174 Remove all rules in the chain with name chain exists in table
1175 table. This option concerns only rules previously added with
1176 --direct --add-rule in this chain.
1177 [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1179 priority args
1180 Return whether a rule with priority and the arguments args exists
1181 in chain chain in table table. Returns 0 if true, 1 otherwise. This
1182 option concerns only rules previously added with --direct
1183 --add-rule.
1184 --direct --passthrough { ipv4 | ipv6 | eb } args
1186 Pass a command through to the firewall. args can be all iptables,
1187 ip6tables and ebtables command line arguments. This command is
1188 untracked, which means that firewalld is not able to provide
1189 information about this command later on, also not a listing of the
1190 untracked passthoughs.
1191 [--permanent] --direct --get-all-passthroughs
1193 Get all passthrough rules as a newline separated list of the ipv
1194 value and arguments.
1195 [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1197 Get all passthrough rules for the ipv value as a newline separated
1198 list of the priority and arguments.
1199 [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1201 Add a passthrough rule with the arguments args for the ipv value.
1202 [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1204 Remove a passthrough rule with the arguments args for the ipv
1205 value.
1206 [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1208 Return whether a passthrough rule with the arguments args exists
1209 for the ipv value. Returns 0 if true, 1 otherwise.
1210 Lockdown Options
1212 Local applications or services are able to change the firewall
1213 configuration if they are running as root (example: libvirt) or are
1214 authenticated using PolicyKit. With this feature administrators can
1215 lock the firewall configuration so that only applications on lockdown
1216 whitelist are able to request firewall changes.
1217 The lockdown access check limits D-Bus methods that are changing
1219 firewall rules. Query, list and get methods are not limited.
1220 The lockdown feature is a very light version of user and application
1222 policies for firewalld and is turned off by default.
1223 --lockdown-on
1225 Enable lockdown. Be careful - if firewall-cmd is not on lockdown
1226 whitelist when you enable lockdown you won't be able to disable it
1227 again with firewall-cmd, you would need to edit firewalld.conf.
1228 This is a runtime and permanent change.
1230 --lockdown-off
1232 Disable lockdown.
1233 This is a runtime and permanent change.
1235 --query-lockdown
1237 Query whether lockdown is enabled. Returns 0 if lockdown is
1238 enabled, 1 otherwise.
1239 Lockdown Whitelist Options
1241 The lockdown whitelist can contain commands, contexts, users and user
1242 ids.
1243 If a command entry on the whitelist ends with an asterisk '*', then all
1245 command lines starting with the command will match. If the '*' is not
1246 there the absolute command inclusive arguments must match.
1247 Command paths for users are not always the same and depends on the
1249 users PATH. Some distributions symlink /bin to /usr/bin in which case
1250 it depends on the order they appear in the PATH environment variable.
1251 The context is the security (SELinux) context of a running application
1253 or service. To get the context of a running application use ps -e
1254 --context.
1255 Warning: If the context is unconfined, then this will open access for
1257 more than the desired application.
1258 The lockdown whitelist entries are checked in the following order:
1260 1. context
1261 2. uid
1262 3. user
1263 4. command
1264 [--permanent] --list-lockdown-whitelist-commands
1266 List all command lines that are on the whitelist.
1267 [--permanent] --add-lockdown-whitelist-command=command
1269 Add the command to the whitelist.
1270 [--permanent] --remove-lockdown-whitelist-command=command
1272 Remove the command from the whitelist.
1273 [--permanent] --query-lockdown-whitelist-command=command
1275 Query whether the command is on the whitelist. Returns 0 if true, 1
1276 otherwise.
1277 [--permanent] --list-lockdown-whitelist-contexts
1279 List all contexts that are on the whitelist.
1280 [--permanent] --add-lockdown-whitelist-context=context
1282 Add the context context to the whitelist.
1283 [--permanent] --remove-lockdown-whitelist-context=context
1285 Remove the context from the whitelist.
1286 [--permanent] --query-lockdown-whitelist-context=context
1288 Query whether the context is on the whitelist. Returns 0 if true, 1
1289 otherwise.
1290 [--permanent] --list-lockdown-whitelist-uids
1292 List all user ids that are on the whitelist.
1293 [--permanent] --add-lockdown-whitelist-uid=uid
1295 Add the user id uid to the whitelist.
1296 [--permanent] --remove-lockdown-whitelist-uid=uid
1298 Remove the user id uid from the whitelist.
1299 [--permanent] --query-lockdown-whitelist-uid=uid
1301 Query whether the user id uid is on the whitelist. Returns 0 if
1302 true, 1 otherwise.
1303 [--permanent] --list-lockdown-whitelist-users
1305 List all user names that are on the whitelist.
1306 [--permanent] --add-lockdown-whitelist-user=user
1308 Add the user name user to the whitelist.
1309 [--permanent] --remove-lockdown-whitelist-user=user
1311 Remove the user name user from the whitelist.
1312 [--permanent] --query-lockdown-whitelist-user=user
1314 Query whether the user name user is on the whitelist. Returns 0 if
1315 true, 1 otherwise.
1316 Panic Options
1318 --panic-on
1319 Enable panic mode. All incoming and outgoing packets are dropped,
1320 active connections will expire. Enable this only if there are
1321 serious problems with your network environment. For example if the
1322 machine is getting hacked in.
1323 This is a runtime only change.
1325 --panic-off
1327 Disable panic mode. After disabling panic mode established
1328 connections might work again, if panic mode was enabled for a short
1329 period of time.
1330 This is a runtime only change.
1332 --query-panic
1334 Returns 0 if panic mode is enabled, 1 otherwise.
1335
1337 For more examples see http://fedoraproject.org/wiki/FirewallD
1338 Example 1
1340 Enable http service in default zone. This is runtime only change, i.e.
1341 effective until restart.
1342 firewall-cmd --add-service=http
1344 Example 2
1348 Enable port 443/tcp immediately and permanently in default zone. To
1349 make the change effective immediately and also after restart we need
1350 two commands. The first command makes the change in runtime
1351 configuration, i.e. makes it effective immediately, until restart. The
1352 second command makes the change in permanent configuration, i.e. makes
1353 it effective after restart.
1354 firewall-cmd --add-port=443/tcp
1356 firewall-cmd --permanent --add-port=443/tcp
1357
1361 On success 0 is returned. On failure the output is red colored and exit
1362 code is either 2 in case of wrong command-line option usage or one of
1363 the following error codes in other cases:
1364 ┌────────────────────┬──────┐
1366 │String │ Code │
1367 ├────────────────────┼──────┤
1368 │ALREADY_ENABLED │ 11 │
1369 ├────────────────────┼──────┤
1370 │NOT_ENABLED │ 12 │
1371 ├────────────────────┼──────┤
1372 │COMMAND_FAILED │ 13 │
1373 ├────────────────────┼──────┤
1374 │NO_IPV6_NAT │ 14 │
1375 ├────────────────────┼──────┤
1376 │PANIC_MODE │ 15 │
1377 ├────────────────────┼──────┤
1378 │ZONE_ALREADY_SET │ 16 │
1379 ├────────────────────┼──────┤
1380 │UNKNOWN_INTERFACE │ 17 │
1381 ├────────────────────┼──────┤
1382 │ZONE_CONFLICT │ 18 │
1383 ├────────────────────┼──────┤
1384 │BUILTIN_CHAIN │ 19 │
1385 ├────────────────────┼──────┤
1386 │EBTABLES_NO_REJECT │ 20 │
1387 ├────────────────────┼──────┤
1388 │NOT_OVERLOADABLE │ 21 │
1389 ├────────────────────┼──────┤
1390 │NO_DEFAULTS │ 22 │
1391 ├────────────────────┼──────┤
1392 │BUILTIN_ZONE │ 23 │
1393 ├────────────────────┼──────┤
1394 │BUILTIN_SERVICE │ 24 │
1395 ├────────────────────┼──────┤
1396 │BUILTIN_ICMPTYPE │ 25 │
1397 ├────────────────────┼──────┤
1398 │NAME_CONFLICT │ 26 │
1399 ├────────────────────┼──────┤
1400 │NAME_MISMATCH │ 27 │
1401 ├────────────────────┼──────┤
1402 │PARSE_ERROR │ 28 │
1403 ├────────────────────┼──────┤
1404 │ACCESS_DENIED │ 29 │
1405 ├────────────────────┼──────┤
1406 │UNKNOWN_SOURCE │ 30 │
1407 ├────────────────────┼──────┤
1408 │RT_TO_PERM_FAILED │ 31 │
1409 ├────────────────────┼──────┤
1410 │IPSET_WITH_TIMEOUT │ 32 │
1411 ├────────────────────┼──────┤
1412 │BUILTIN_IPSET │ 33 │
1413 ├────────────────────┼──────┤
1414 │ALREADY_SET │ 34 │
1415 ├────────────────────┼──────┤
1416 │MISSING_IMPORT │ 35 │
1417 ├────────────────────┼──────┤
1418 │DBUS_ERROR │ 36 │
1419 ├────────────────────┼──────┤
1420 │BUILTIN_HELPER │ 37 │
1421 ├────────────────────┼──────┤
1422 │NOT_APPLIED │ 38 │
1423 ├────────────────────┼──────┤
1424 │INVALID_ACTION │ 100 │
1425 ├────────────────────┼──────┤
1426 │INVALID_SERVICE │ 101 │
1427 ├────────────────────┼──────┤
1428 │INVALID_PORT │ 102 │
1429 ├────────────────────┼──────┤
1430 │INVALID_PROTOCOL │ 103 │
1431 ├────────────────────┼──────┤
1432 │INVALID_INTERFACE │ 104 │
1433 ├────────────────────┼──────┤
1434 │INVALID_ADDR │ 105 │
1435 ├────────────────────┼──────┤
1436 │INVALID_FORWARD │ 106 │
1437 ├────────────────────┼──────┤
1438 │INVALID_ICMPTYPE │ 107 │
1439 ├────────────────────┼──────┤
1440 │INVALID_TABLE │ 108 │
1441 ├────────────────────┼──────┤
1442 │INVALID_CHAIN │ 109 │
1443 ├────────────────────┼──────┤
1444 │INVALID_TARGET │ 110 │
1445 ├────────────────────┼──────┤
1446 │INVALID_IPV │ 111 │
1447 ├────────────────────┼──────┤
1448 │INVALID_ZONE │ 112 │
1449 ├────────────────────┼──────┤
1450 │INVALID_PROPERTY │ 113 │
1451 ├────────────────────┼──────┤
1452 │INVALID_VALUE │ 114 │
1453 ├────────────────────┼──────┤
1454 │INVALID_OBJECT │ 115 │
1455 ├────────────────────┼──────┤
1456 │INVALID_NAME │ 116 │
1457 ├────────────────────┼──────┤
1458 │INVALID_FILENAME │ 117 │
1459 ├────────────────────┼──────┤
1460 │INVALID_DIRECTORY │ 118 │
1461 ├────────────────────┼──────┤
1462 │INVALID_TYPE │ 119 │
1463 ├────────────────────┼──────┤
1464 │INVALID_SETTING │ 120 │
1465 ├────────────────────┼──────┤
1466 │INVALID_DESTINATION │ 121 │
1467 ├────────────────────┼──────┤
1468 │INVALID_RULE │ 122 │
1469 ├────────────────────┼──────┤
1470 │INVALID_LIMIT │ 123 │
1471 ├────────────────────┼──────┤
1472 │INVALID_FAMILY │ 124 │
1473 ├────────────────────┼──────┤
1474 │INVALID_LOG_LEVEL │ 125 │
1475 ├────────────────────┼──────┤
1476 │INVALID_AUDIT_TYPE │ 126 │
1477 ├────────────────────┼──────┤
1478 │INVALID_MARK │ 127 │
1479 ├────────────────────┼──────┤
1480 │INVALID_CONTEXT │ 128 │
1481 ├────────────────────┼──────┤
1482 │INVALID_COMMAND │ 129 │
1483 ├────────────────────┼──────┤
1484 │INVALID_USER │ 130 │
1485 ├────────────────────┼──────┤
1486 │INVALID_UID │ 131 │
1487 ├────────────────────┼──────┤
1488 │INVALID_MODULE │ 132 │
1489 ├────────────────────┼──────┤
1490 │INVALID_PASSTHROUGH │ 133 │
1491 ├────────────────────┼──────┤
1492 │INVALID_MAC │ 134 │
1493 ├────────────────────┼──────┤
1494 │INVALID_IPSET │ 135 │
1495 ├────────────────────┼──────┤
1496 │INVALID_ENTRY │ 136 │
1497 ├────────────────────┼──────┤
1498 │INVALID_OPTION │ 137 │
1499 ├────────────────────┼──────┤
1500 │INVALID_HELPER │ 138 │
1501 ├────────────────────┼──────┤
1502 │INVALID_PRIORITY │ 139 │
1503 ├────────────────────┼──────┤
1504 │INVALID_POLICY │ 140 │
1505 ├────────────────────┼──────┤
1506 │MISSING_TABLE │ 200 │
1507 ├────────────────────┼──────┤
1508 │MISSING_CHAIN │ 201 │
1509 ├────────────────────┼──────┤
1510 │MISSING_PORT │ 202 │
1511 ├────────────────────┼──────┤
1512 │MISSING_PROTOCOL │ 203 │
1513 ├────────────────────┼──────┤
1514 │MISSING_ADDR │ 204 │
1515 ├────────────────────┼──────┤
1516 │MISSING_NAME │ 205 │
1517 ├────────────────────┼──────┤
1518 │MISSING_SETTING │ 206 │
1519 ├────────────────────┼──────┤
1520 │MISSING_FAMILY │ 207 │
1521 ├────────────────────┼──────┤
1522 │RUNNING_BUT_FAILED │ 251 │
1523 ├────────────────────┼──────┤
1524 │NOT_RUNNING │ 252 │
1525 ├────────────────────┼──────┤
1526 │NOT_AUTHORIZED │ 253 │
1527 ├────────────────────┼──────┤
1528 │UNKNOWN_ERROR │ 254 │
1529 └────────────────────┴──────┘
1530 Note that return codes of --query-* options are special: Successful
1532 queries return 0, unsuccessful ones return 1 unless an error occurred
1533 in which case the table above applies.
1534
1536 firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
1537 firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
1538 firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-
1539 offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
1540 firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
1541 firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
1542
1544 firewalld home page:
1545 http://firewalld.org
1546 More documentation with examples:
1548 http://fedoraproject.org/wiki/FirewallD
1549
1551 Thomas Woerner <twoerner@redhat.com>
1552 Developer
1553 Jiri Popelka <jpopelka@redhat.com>
1555 Developer
1556 Eric Garver <eric@garver.life>
1558 Developer
1559firewalld 1.0.5 FIREWALL-CMD(1)