FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)

NAME

       firewall-cmd - firewalld command line client

SYNOPSIS

       firewall-cmd [OPTIONS...]

DESCRIPTION

       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configurations.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that a change can be made to the runtime
       configuration, to the permanent configuration, or to both.

OPTIONS

       Sequence options are options that can be specified multiple times. The
       exit code is 0 if at least one item succeeded. The ALREADY_ENABLED
       (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors are treated as
       succeeded. If there are issues while parsing the items, these are
       treated as warnings and do not change the result as long as there is
       a succeeded one. Without any succeeded item, the exit code depends on
       the error codes: if there is exactly one error code, that code is
       used; if there are more than one, UNKNOWN_ERROR (254) is used.
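
       The exit-code rules above, modelled in Python as an added example (not
       firewalld's own code): per-item outcomes of a simulated multi-item
       --add-service run are collapsed to the process exit code. The known
       service set and zone state are constructed; INVALID_SERVICE (101) and
       COMMAND_FAILED (13) are firewalld error codes not quoted on this page.

```python
"""Exit-code model for firewall-cmd(1) sequence options such as --add-service.

Added example, not firewalld's own code. The per-item outcomes are simulated
against a constructed zone state; the exit-code rules are the ones stated in
the OPTIONS section of the man page.
"""

# Codes quoted on the page.
ALREADY_ENABLED = 11
NOT_ENABLED = 12
ZONE_ALREADY_SET = 16
UNKNOWN_ERROR = 254

# Item-level errors used by the simulation. Values as in firewalld's errors
# module; they are not quoted on this page.
COMMAND_FAILED = 13
INVALID_SERVICE = 101

# Outcomes the sequence logic counts as "succeeded" for one item.
TREATED_AS_SUCCESS = {0, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET}

# Constructed: the services firewalld is assumed to know about.
KNOWN_SERVICES = {"ssh", "http", "https", "tftp"}


def add_service_outcome(zone_services, service):
    """Outcome code of a single --add-service item.

    zone_services is the set of services already added to the zone; it is
    updated in place when the item succeeds.
    """
    if service not in KNOWN_SERVICES:
        return INVALID_SERVICE          # parse/lookup problem: a warning
    if service in zone_services:
        return ALREADY_ENABLED          # treated as success by the sequence rule
    zone_services.add(service)
    return 0


def sequence_exit_code(codes):
    """Collapse per-item codes to the process exit code.

    * 0 if any item succeeded (0, ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET);
    * otherwise the single distinct error code, if there is exactly one;
    * otherwise UNKNOWN_ERROR (this also covers an empty item list).
    """
    if any(code in TREATED_AS_SUCCESS for code in codes):
        return 0
    distinct = set(codes)
    if len(distinct) == 1:
        return distinct.pop()
    return UNKNOWN_ERROR


def run_add_services(zone_services, services):
    """Simulate `firewall-cmd --add-service=a --add-service=b ...`.

    Returns (exit_code, per_item_codes) so callers can see both the overall
    result and which items only produced warnings.
    """
    codes = [add_service_outcome(zone_services, s) for s in services]
    return sequence_exit_code(codes), codes
```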

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration,
           i.e. all runtime-only changes made before the reload are lost on
           reload unless they were also made in the permanent configuration.

           Note: If FlushAllOnReload=no, runtime changes applied via the
           direct interface are not affected and will therefore stay in place
           until the firewalld daemon is restarted completely. For
           FlushAllOnReload, see firewalld.conf(5).

       --complete-reload
           Reload the firewall completely, even netfilter kernel modules. This
           will most likely terminate active connections, because state
           information is lost. This option should only be used in case of
           severe firewall problems, for example if connection state
           information is so broken that no connection can be established
           even though the firewall rules are correct.

           Note: If FlushAllOnReload=no, runtime changes applied via the
           direct interface are not affected and will therefore stay in place
           until the firewalld daemon is restarted completely. For
           FlushAllOnReload, see firewalld.conf(5).

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The intended workflow is that when
           configuring firewalld you make runtime changes only, and once you
           are happy with the configuration and have tested that it works the
           way you want, you save it to disk.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.

       --reset-to-defaults
           Reset configuration to firewalld's default configuration.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also before the
           final reject and drop rules in zones, for the configured link-layer
           packet type. The possible values are: all, unicast, broadcast,
           multicast and off. The default setting is off, which disables the
           logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Permanent Options
       --permanent
           The --permanent option can be used to set options permanently.
           These changes are not effective immediately, only after a service
           restart/reload or system reboot. Without the --permanent option, a
           change will only be part of the runtime configuration.

           If you want to make a change in both the runtime and the permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can be optionally added to all options
           further down where it is supported.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.

       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or no zone.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or no zone.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..
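
           A parser for the zone listing format shown above for
           --get-active-zones, --info-zone and --list-all-zones, added here as
           an example (not firewalld's own code). The sample listing, interface
           names and addresses are constructed to follow the page's format;
           active_zones and zone_of_interface rebuild the --get-active-zones
           and --get-zone-of-interface views from the parsed text.

```python
"""Parser for the zone listing format printed by firewall-cmd
--get-active-zones, --info-zone and --list-all-zones.

Added example, not firewalld's own code. The sample output below is
constructed to follow the format shown in firewall-cmd(1): zone name at
column 0, attributes indented under it, multi-line attributes (forward-ports,
rich rules) with one value per deeper-indented line.
"""
import textwrap

SAMPLE_LISTING = textwrap.dedent("""\
    public
      interfaces: eth0 eth1
      services: ssh dhcpv6-client
      ports: 8080/tcp
      forward-ports:
            port=80:proto=tcp:toport=8080
      rich rules:
            rule family="ipv4" source address="192.0.2.0/24" service name="ssh" accept
    dmz
      sources: 203.0.113.0/24
      services: http
    trusted
      services: ssh
    """)


def parse_zone_listing(text):
    """Return {zone: {attribute: [values]}}.

    A line at column 0 names a zone. The first indented line under a zone
    fixes the attribute indentation; any line indented deeper than that is
    one value of the current multi-line attribute. Lines consisting only of
    ".." (the page's placeholder for "more of the same") are skipped.
    """
    zones = {}
    current = key = key_indent = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "..":
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0:
            current = zones.setdefault(stripped, {})
            key = key_indent = None
            continue
        if current is None:
            raise ValueError(f"attribute line before any zone name: {raw!r}")
        if key_indent is None:
            key_indent = indent
        if indent <= key_indent:
            key, _, rest = stripped.partition(":")
            key = key.strip()
            current[key] = rest.split()            # inline, space separated values
        elif key is None:
            raise ValueError(f"value line without an attribute: {raw!r}")
        else:
            current[key].append(stripped)          # one multi-line value per line
    return zones


def active_zones(zones):
    """Zones that have a binding, i.e. at least one interface or source."""
    return [z for z, attrs in zones.items()
            if attrs.get("interfaces") or attrs.get("sources")]


def zone_of_interface(zones, interface):
    """Zone the interface is bound to, or None (cf. --get-zone-of-interface)."""
    for zone, attrs in zones.items():
        if interface in attrs.get("interfaces", []):
            return zone
    return None
```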

       --permanent --new-zone=zone
           Add a new permanent and empty zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

   Policy Options
       [--permanent] --get-policies
           Print predefined policies as a space separated list.

       [--permanent] --info-policy=policy
           Print information about the policy policy.

       [--permanent] --list-all-policies
           List everything added for or enabled in all policies.

       --permanent --new-policy=policy
           Add a new permanent policy.

           Policy names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-policy-from-file=filename [--name=policy]
           Add a new permanent policy from a prepared policy file with an
           optional name override.

       --permanent --path-policy=policy
           Print the path of the policy configuration file.

       --permanent --delete-policy=policy
           Delete an existing permanent policy.

       --permanent --load-policy-defaults=policy
           Load the shipped defaults for a policy. Only applies to policies
           shipped with firewalld. Does not apply to user defined policies.

   Options to Adapt and Query Zones and Policies
       Options in this section affect only one particular zone or policy. If
       used with the --zone=zone or --policy=policy option, they affect the
       specified zone or policy. If both options are omitted, they affect the
       default zone (see --get-default-zone).

       [--permanent] [--zone=zone] [--policy=policy] --list-all
           List everything added or enabled.

       --permanent [--zone=zone] [--policy=policy] --get-target
           Get the target.

       --permanent [--zone=zone] [--policy=policy] --set-target=target
           Set the target.

           For zones target is one of: default, ACCEPT, DROP, REJECT

           For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but it implicitly allows ICMP
           packets.

       --permanent [--zone=zone] [--policy=policy]
       --set-description=description
           Set the description.

       --permanent [--zone=zone] [--policy=policy] --get-description
           Print the description.

       --permanent [--zone=zone] [--policy=policy] --set-short=description
           Set the short description.

       --permanent [--zone=zone] [--policy=policy] --get-short
           Print the short description.

       [--permanent] [--zone=zone] [--policy=policy] --list-services
           List added services as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-service=service [--timeout=timeval]
           Add a service. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.

           Note: Some services define connection tracking helpers. Helpers
           that may operate in client mode (e.g. tftp) must be added to an
           outbound policy instead of a zone to take effect for clients.
           Otherwise the helper will not be applied to the outbound traffic.
           The related traffic, as defined by the connection tracking helper,
           on the return path (ingress) will be allowed by the stateful
           firewall rules.

           An example of an outbound policy for connection tracking helpers:

               # firewall-cmd --permanent --new-policy clientConntrack
               # firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
               # firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
               # firewall-cmd --permanent --policy clientConntrack --add-service tftp

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-service=service
           Remove a service. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-service=service
           Return whether the service has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-ports
           List added ports as a space separated list. A port is of the form
           portid[-portid]/protocol; it can be either a port and protocol pair
           or a port range with a protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-port=portid[-portid]/protocol [--timeout=timeval]
           Add the port. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-port=portid[-portid]/protocol
           Remove the port. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-port=portid[-portid]/protocol
           Return whether the port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-protocols
           List added protocols as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-protocol=protocol [--timeout=timeval]
           Add the protocol. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-protocol=protocol
           Remove the protocol. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-protocol=protocol
           Return whether the protocol has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-source-ports
           List added source ports as a space separated list. A port is of
           the form portid[-portid]/protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-source-port=portid[-portid]/protocol [--timeout=timeval]
           Add the source port. This option can be specified multiple times.
           If a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by
           one of the characters s (seconds), m (minutes), h (hours), for
           example 20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port. This option can be specified multiple
           times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-icmp-blocks
           List added Internet Control Message Protocol (ICMP) type blocks as
           a space separated list.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-icmp-block=icmptype [--timeout=timeval]
           Add an ICMP block for icmptype. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           icmptype is one of the ICMP types firewalld supports. To get a
           listing of supported ICMP types, use firewall-cmd --get-icmptypes.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype. This option can be specified
           multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added. Returns 0
           if true, 1 otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-forward-ports
           List added IPv4 forward ports as a space separated list.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.
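
           The forward-port argument syntax above, checked by an added Python
           validator (not firewalld's own parser): each field is validated as
           described (port or range 1-65535, protocol tcp/udp/sctp/dccp, IPv4
           destination with an optional mask) and the result records whether
           the rule implicitly enables IP forwarding. The sample specs in the
           comments are constructed.

```python
"""Validator for the --add-forward-port argument of firewall-cmd(1):

    port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]

Added example, not firewalld's own parser. Example specs such as
"port=80:proto=tcp:toport=8080" are constructed.
"""
import ipaddress

PROTOCOLS = ("tcp", "udp", "sctp", "dccp")
FIELDS = ("port", "proto", "toport", "toaddr")


def parse_port_range(text):
    """'80' -> (80, 80); '2000-2010' -> (2000, 2010).

    Rejects non-numeric, out-of-range (1..65535) and inverted ranges.
    """
    low, sep, high = text.partition("-")
    lo = int(low)
    hi = int(high) if sep else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port or port range {text!r}")
    return lo, hi


def parse_toaddr(text):
    """Destination address: plain IPv4 (the page sends IPv6 to the rich
    language), optionally followed by /mask in the 0..32 range."""
    addr, sep, mask = text.partition("/")
    ip = ipaddress.IPv4Address(addr)          # AddressValueError is a ValueError
    if not sep:
        return str(ip)
    if not 0 <= int(mask) <= 32:
        raise ValueError(f"bad mask in {text!r}")
    return f"{ip}/{int(mask)}"


def parse_forward_port(spec):
    """Split the colon-separated key=value fields and validate each one.

    Returns a dict with 'port', 'proto', 'toport', 'toaddr' and
    'enables_ip_forwarding' (True when toaddr is given, as the Note above
    states). Splitting on ':' is only safe because the destination is IPv4.
    """
    fields = {}
    for part in spec.split(":"):
        key, sep, value = part.partition("=")
        if not sep or key not in FIELDS or key in fields or not value:
            raise ValueError(f"bad or repeated field {part!r} in {spec!r}")
        fields[key] = value
    if "port" not in fields or "proto" not in fields:
        raise ValueError(f"port= and proto= are required: {spec!r}")
    if fields["proto"] not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}: {fields['proto']!r}")
    result = {
        "port": parse_port_range(fields["port"]),
        "proto": fields["proto"],
        "toport": parse_port_range(fields["toport"]) if "toport" in fields else None,
        "toaddr": parse_toaddr(fields["toaddr"]) if "toaddr" in fields else None,
    }
    result["enables_ip_forwarding"] = result["toaddr"] is not None
    return result


def is_valid_forward_port(spec):
    """Boolean wrapper for checking a batch of specs before applying them."""
    try:
        parse_forward_port(spec)
        return True
    except ValueError:
        return False
```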

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added. Returns 0 if
           true, 1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-masquerade [--timeout=timeval]
           Enable IPv4 masquerade. If a timeout is supplied, masquerading will
           be active for the specified amount of time. timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

           Note (Linux < 5.5): For the iptables backend, a policy may not
           enable masquerade if an ingress zone has assigned interfaces. This
           restriction does not exist for the nftables backend, but does
           require Linux v5.5+ to function properly; otherwise it will
           silently fail.

       [--permanent] [--zone=zone] [--policy=policy] --remove-masquerade
           Disable IPv4 masquerade. If masquerading was enabled with a
           timeout, it will be disabled as well.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --query-masquerade
           Return whether IPv4 masquerading has been enabled. Returns 0 if
           true, 1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --list-rich-rules
           List added rich language rules as a newline separated list.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-rich-rule='rule' [--timeout=timeval]
           Add rich language rule 'rule'. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards. timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-rich-rule='rule'
           Remove rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] [--policy=policy]
       --query-rich-rule='rule'
           Return whether a rich language rule 'rule' has been added. Returns
           0 if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the specified zone. If the option
       is omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --add-icmp-block-inversion
           Enable ICMP block inversion.

       [--permanent] [--zone=zone] --remove-icmp-block-inversion
           Disable ICMP block inversion.

       [--permanent] [--zone=zone] --query-icmp-block-inversion
           Return whether ICMP block inversion is enabled. Returns 0 if true,
           1 otherwise.

       [--permanent] [--zone=zone] --add-forward
           Enable intra zone forwarding.

       [--permanent] [--zone=zone] --remove-forward
           Disable intra zone forwarding.

       [--permanent] [--zone=zone] --query-forward
           Return whether intra zone forwarding is enabled. Returns 0 if true,
           1 otherwise.

       --permanent [--zone=zone] --get-priority
           Get the priority of the zone.

       --permanent [--zone=zone] --set-priority
           Set the zone's priority for packet classification. This will set
           both the ingress and egress priority.

       --permanent [--zone=zone] --get-ingress-priority
           Get the ingress priority of the zone.

       --permanent [--zone=zone] --set-ingress-priority
           Set the zone's ingress priority for packet classification.

       --permanent [--zone=zone] --get-egress-priority
           Get the egress priority of the zone.

       --permanent [--zone=zone] --set-egress-priority
           Set the zone's egress priority for packet classification.

   Options to Adapt and Query Policies
       Options in this section affect only one particular policy. It is
       required to specify --policy=policy with these options.

       --permanent --policy=policy --get-priority
           Get the priority.

       --permanent --policy=policy --set-priority=priority
           Set the priority. The priority determines the relative ordering of
           policies. This is an integer value between -32768 and 32767, where
           -1 is the default value for new policies and 0 is reserved for
           internal use.

           If a priority is < 0, then the policy's rules will execute before
           all rules in all zones.

           If a priority is > 0, then the policy's rules will execute after
           all rules in all zones.
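
           The priority rules above as an added Python example (not firewalld's
           own code): validation of the -32768..32767 range with 0 reserved,
           and the order in which policies and zones are consulted. Ordering
           within each group by ascending numeric priority is this example's
           assumption, not something the page states; zone and policy names
           are constructed.

```python
"""Policy priority rules from the --set-priority entry of firewall-cmd(1).

Added example, not firewalld's own code. The page only states that
negative-priority policies run before all zones and positive-priority
policies after them; sorting within each group by ascending priority is an
assumption of this example. Zone and policy names are constructed.
"""

PRIORITY_MIN, PRIORITY_MAX = -32768, 32767
PRIORITY_DEFAULT = -1        # assigned to new policies
PRIORITY_RESERVED = 0        # reserved for firewalld's internal use


def validate_policy_priority(priority):
    """Return priority if --set-priority would accept it, else raise ValueError."""
    if not isinstance(priority, int) or isinstance(priority, bool):
        raise ValueError(f"priority must be an integer, got {priority!r}")
    if not PRIORITY_MIN <= priority <= PRIORITY_MAX:
        raise ValueError(f"priority {priority} outside {PRIORITY_MIN}..{PRIORITY_MAX}")
    if priority == PRIORITY_RESERVED:
        raise ValueError("priority 0 is reserved for internal use")
    return priority


def evaluation_order(zones, policies):
    """Names in the order their rules are consulted.

    zones: iterable of zone names (kept in the given order).
    policies: {policy_name: priority}; every priority is validated first.
    Negative-priority policies come before all zones, positive ones after.
    """
    for priority in policies.values():
        validate_policy_priority(priority)
    before = sorted((p, name) for name, p in policies.items() if p < 0)
    after = sorted((p, name) for name, p in policies.items() if p > 0)
    return [name for _, name in before] + list(zones) + [name for _, name in after]
```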
617
618       [--permanent] --policy=policy --list-ingress-zones
619           List ingress zones added as a space separated list.
620
621       [--permanent] --policy=policy --add-ingress-zone=zone
622           Add an ingress zone. This option can be specified multiple times.
623
624           The ingress zone is one of the firewalld provided zones or one of
625           the pseudo-zones: HOST, ANY.
626
627           HOST is used for traffic originating from the host machine, i.e.
628           the host running firewalld.
629
630           ANY is used for traffic originating from any zone. This can be
631           thought of as a wild card for zones. However it does not include
632           traffic originating from the host machine - use HOST for that.
633
634       [--permanent] --policy=policy --remove-ingress-zone=zone
635           Remove an ingress zone. This option can be specified multiple
636           times.
637
638       [--permanent] --policy=policy --query-ingress-zone=zone
639           Return whether zone has been added. Returns 0 if true, 1 otherwise.
640
641       [--permanent] --policy=policy --list-egress-zones
642           List egress zones added as a space separated list.
643
644       [--permanent] --policy=policy --add-egress-zone=zone
645           Add an egress zone. This option can be specified multiple times.
646
647           The egress zone is one of the firewalld provided zones or one of
648           the pseudo-zones: HOST, ANY.
649
650           For clarification on HOST and ANY see option --add-ingress-zone.
651
652       [--permanent] --policy=policy --remove-egress-zone=zone
653           Remove an egress zone. This option can be specified multiple times.
654
655       [--permanent] --policy=policy --query-egress-zone=zone
656           Return whether zone has been added. Returns 0 if true, 1 otherwise.
657
658   Options to Handle Bindings of Interfaces
659       Binding an interface to a zone means that this zone settings are used
660       to restrict traffic via the interface.
661
662       Options in this section affect only one particular zone. If used with
663       --zone=zone option, they affect the zone zone. If the option is
664       omitted, they affect default zone (see --get-default-zone).
665
666       For a list of predefined zones use firewall-cmd --get-zones.
667
668       An interface name is a string up to 16 characters long, that may not
669       contain ' ', '/', '!' and '*'.
670
671       [--permanent] [--zone=zone] --list-interfaces
672           List interfaces that are bound to zone zone as a space separated
673           list. If zone is omitted, default zone will be used.
674
675       [--permanent] [--zone=zone] --add-interface=interface
676           Bind interface interface to zone zone. If zone is omitted, default
677           zone will be used.
678
679           If the interface is under control of NetworkManager, it is at first
680           connected to change the zone for the connection that is using the
681           interface. If this fails, the zone binding is created in firewalld
682           and the limitations below apply. For interfaces that are not under
683           control of NetworkManager, firewalld tries to change the ZONE
684           setting in the ifcfg file, if the file exists.
685
686           As an end user you don't need this in most cases, because
687           NetworkManager (or the legacy network service) adds interfaces to
688           zones automatically (according to the ZONE= option in the
689           ifcfg-interface file) unless NM_CONTROLLED=no is set. Do it only
690           if there is no /etc/sysconfig/network-scripts/ifcfg-interface
691           file. If there is such a file and you add the interface to a zone
692           with this --add-interface option, make sure the zone is the same
693           in both places, otherwise the behaviour is undefined. See also
694           the Concepts section of the firewalld(1) man page. For permanent
695           association of an interface with a zone, see 'How to set or
696           change a zone for a connection?' in firewalld.zones(5).
697
698       [--permanent] [--zone=zone] --change-interface=interface
699           If the interface is under control of NetworkManager, it is at first
700           connected to change the zone for the connection that is using the
701           interface. If this fails, the zone binding is created in firewalld
702           and the limitations below apply. For interfaces that are not under
703           control of NetworkManager, firewalld tries to change the ZONE
704           setting in the ifcfg file, if the file exists.
705
706           Change the zone that interface interface is bound to, to zone zone.
707           It's basically --remove-interface followed by --add-interface. If
708           the interface has not been bound to a zone before, it behaves like
709           --add-interface. If zone is omitted, the default zone will be used.
710
711       [--permanent] [--zone=zone] --query-interface=interface
712           Query whether interface interface is bound to zone zone. Returns 0
713           if true, 1 otherwise.
714
715       [--permanent] --remove-interface=interface
716           Remove the binding of interface interface from the zone it was
717           previously added to.
718
719           If the interface is under control of NetworkManager, it is at first
720           connected to change the zone for the connection that is using the
721           interface. If this fails, the zone binding is created in firewalld
722           and the limitations below apply.
723
724           For the addition or change of interfaces that are not under control
725           of NetworkManager: firewalld tries to change the ZONE setting in
726           the ifcfg file, if an ifcfg file exists that is using the
727           interface.
728
729           Only for the removal of interfaces that are not under control of
730           NetworkManager: firewalld does not try to change the ZONE setting
731           in the ifcfg file. This is needed to make sure that an ifdown of
732           the interface will not reset the zone setting to the default zone.
733           Only the zone binding is then removed in firewalld.
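The interface options above all take the same interface name and zone arguments, and --query-interface reports its answer only through the exit status. The following Python is an added example (this editor's code, not part of firewalld): it enforces the interface-name rule stated in this section before building the firewall-cmd argument vector for --add-interface, --change-interface, --remove-interface and --query-interface, and it turns the 0/1 exit status of --query-interface into a boolean while refusing to treat any other exit code as "not bound". The `run` parameter is an injection point assumed here for testing; by default it executes firewall-cmd through subprocess. Interface and zone names in the demo are made up.

```python
from __future__ import annotations

import subprocess

# Interface-name rule from the man page: up to 16 characters, and none of
# ' ', '/', '!' or '*'.
FORBIDDEN_CHARS = frozenset(" /!*")
MAX_LEN = 16

ACTIONS = ("add", "change", "remove", "query")


def is_valid_interface_name(name: str) -> bool:
    """True if name satisfies the man page's interface-name rule."""
    return 0 < len(name) <= MAX_LEN and not (FORBIDDEN_CHARS & set(name))


def interface_argv(action: str, iface: str, zone: str | None = None,
                   permanent: bool = False) -> list[str]:
    """Build the firewall-cmd argument vector for one interface-binding operation.

    zone=None means "omit --zone", i.e. the default zone.  --remove-interface
    takes no --zone in its synopsis, so a zone is rejected for that action.
    """
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
    if not is_valid_interface_name(iface):
        raise ValueError(f"invalid interface name {iface!r}")
    if action == "remove" and zone is not None:
        raise ValueError("--remove-interface does not take --zone")
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    if zone is not None:
        argv.append(f"--zone={zone}")
    argv.append(f"--{action}-interface={iface}")
    return argv


def _run_returncode(argv: list[str]) -> int:
    """Default runner: execute argv and return its exit status."""
    return subprocess.run(argv, check=False).returncode


def interface_is_bound(iface: str, zone: str | None = None,
                       permanent: bool = False, run=_run_returncode) -> bool:
    """--query-interface exits 0 when bound and 1 when not.  Any other code is
    an error from the EXIT CODES table and is raised, not read as 'not bound'."""
    rc = run(interface_argv("query", iface, zone, permanent))
    if rc == 0:
        return True
    if rc == 1:
        return False
    raise RuntimeError(f"firewall-cmd failed with exit code {rc}")


if __name__ == "__main__":
    # Dry run: print the commands that would bind the (made-up) interface eth0
    # to the 'internal' zone in both the runtime and permanent configuration.
    for perm in (False, True):
        print(" ".join(interface_argv("add", "eth0", "internal", permanent=perm)))
```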
735
736   Options to Handle Bindings of Sources
737       Binding a source to a zone means that this zone's settings will be
738       used to restrict traffic from this source.
739
740       A source address or address range is an IP address, an IP network
741       address with a mask for IPv4 or IPv6, a MAC address, or an ipset name
742       with the ipset: prefix. For IPv4, the mask can be a network mask or a
743       plain number (prefix length). For IPv6 the mask is a plain number.
744       Host names are not supported.
745
746       Options in this section affect only one particular zone. If used with
747       --zone=zone option, they affect the zone zone. If the option is
748       omitted, they affect default zone (see --get-default-zone).
749
750       For a list of predefined zones use firewall-cmd [--permanent]
751       --get-zones.
752
753       [--permanent] [--zone=zone] --list-sources
754           List sources that are bound to zone zone as a space separated list.
755           If zone is omitted, default zone will be used.
756
757       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
758           Bind the source to zone zone. If zone is omitted, default zone will
759           be used.
760
761       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
762           Change the zone that the source is bound to, to zone zone. It's
763           basically --remove-source followed by --add-source. If the source
764           has not been bound to a zone before, it behaves like --add-source.
765           If zone is omitted, the default zone will be used.
766
767       [--permanent] [--zone=zone]
768       --query-source=source[/mask]|MAC|ipset:ipset
769           Query whether the source is bound to the zone zone. Returns 0 if
770           true, 1 otherwise.
771
772       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
773           Remove binding of the source from zone it was previously added to.
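The source forms this section accepts (IPv4 with a netmask or prefix length, IPv6 with a prefix length only, a MAC address, or an ipset: reference, never a host name) are easy to get wrong in provisioning scripts. As an added example (not firewalld's own validation code), the following Python classifies and normalizes a source before it is handed to --add-source, --change-source, --remove-source or --query-source, and encodes the two synopsis restrictions above: --change-source has no --permanent form and --remove-source takes no --zone. Normalizing networks to CIDR form and lower-casing MAC addresses are this example's choices; the ipset name rule is the one from the IPSet Options section.

```python
from __future__ import annotations

import ipaddress
import re

# Six colon-separated hex pairs.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
# ipset names: alphanumeric plus '_' and '-' (IPSet Options section).
IPSET_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")

ACTIONS = ("add", "change", "remove", "query")


def parse_source(spec: str) -> tuple[str, str]:
    """Classify one source specification and return (kind, normalized value).

    kind is 'ipv4', 'ipv6', 'mac' or 'ipset'.  IPv4 masks may be dotted
    netmasks or prefix lengths; IPv6 masks must be prefix lengths (ipaddress
    enforces exactly that); host names raise ValueError because the man page
    says they are not supported.
    """
    if spec.startswith("ipset:"):
        name = spec[len("ipset:"):]
        if not IPSET_NAME_RE.match(name):
            raise ValueError(f"invalid ipset name {name!r}")
        return "ipset", name
    if MAC_RE.match(spec):
        return "mac", spec.lower()
    try:
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        raise ValueError(f"{spec!r} is not an IP address/network, MAC address or "
                         "ipset: reference (host names are not supported)") from None
    kind = "ipv4" if net.version == 4 else "ipv6"
    if net.prefixlen == net.max_prefixlen:
        return kind, str(net.network_address)      # single host: no mask
    return kind, str(net)                          # e.g. 10.0.0.0/16


def is_valid_source(spec: str) -> bool:
    try:
        parse_source(spec)
        return True
    except ValueError:
        return False


def source_argv(action: str, spec: str, zone: str | None = None,
                permanent: bool = False) -> list[str]:
    """firewall-cmd argument vector for --add/--change/--remove/--query-source."""
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {ACTIONS}, got {action!r}")
    kind, value = parse_source(spec)
    if action == "change" and permanent:
        raise ValueError("--change-source has no --permanent form")
    if action == "remove" and zone is not None:
        raise ValueError("--remove-source does not take --zone")
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    if zone is not None:
        argv.append(f"--zone={zone}")
    arg = f"ipset:{value}" if kind == "ipset" else value
    argv.append(f"--{action}-source={arg}")
    return argv


if __name__ == "__main__":
    # Constructed inputs: a dotted-netmask range bound to the drop zone and an
    # ipset reference queried in the default zone.
    print(" ".join(source_argv("add", "10.0.0.0/255.255.0.0", "drop", permanent=True)))
    print(" ".join(source_argv("query", "ipset:block-list")))
```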
774
775   IPSet Options
776       --get-ipset-types
777           Print the supported ipset types.
778
779       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
780       [--option=key[=value]]
781           Add a new permanent and empty ipset, specifying the type and
782           optionally the family and options such as timeout, hashsize and
783           maxelem. For more information see the ipset(8) man page.
784
785           ipset names must be alphanumeric and may additionally include
786           characters: '_' and '-'.
787
788       --permanent --new-ipset-from-file=filename [--name=ipset]
789           Add a new permanent ipset from a prepared ipset file with an
790           optional name override.
791
792       --permanent --delete-ipset=ipset
793           Delete an existing permanent ipset.
794
795       --permanent --load-ipset-defaults=ipset
796           Load ipset default settings or report NO_DEFAULTS error.
797
798       [--permanent] --info-ipset=ipset
799           Print information about the ipset ipset. The output format is:
800
801               ipset
802                 type: type
803                 options: option1[=value1] ..
804                 entries: entry1 ..
805
806
807
808       [--permanent] --get-ipsets
809           Print predefined ipsets as a space separated list.
810
811       --permanent --ipset=ipset --set-description=description
812           Set new description to ipset
813
814       --permanent --ipset=ipset --get-description
815           Print description for ipset
816
817       --permanent --ipset=ipset --set-short=description
818           Set short description to ipset
819
820       --permanent --ipset=ipset --get-short
821           Print short description for ipset
822
823       [--permanent] --ipset=ipset --add-entry=entry
824           Add a new entry to the ipset.
825
826           Adding an entry to an ipset with option timeout is permitted, but
827           these entries are not tracked by firewalld.
828
829       [--permanent] --ipset=ipset --remove-entry=entry
830           Remove an entry from the ipset.
831
832       [--permanent] --ipset=ipset --query-entry=entry
833           Return whether the entry has been added to an ipset. Returns 0 if
834           true, 1 otherwise.
835
836           Querying an ipset with a timeout will yield an error. Entries are
837           not tracked for ipsets with a timeout.
838
839       [--permanent] --ipset=ipset --get-entries
840           List all entries of the ipset.
841
842       [--permanent] --ipset=ipset --add-entries-from-file=filename
843           Add new entries to the ipset from the file. For all entries that
844           are listed in the file but are already in the ipset, a warning will
845           be printed.
846
847           The file should contain one entry per line. Lines starting with a
848           hash or semicolon, and empty lines, are ignored.
849
850       [--permanent] --ipset=ipset --remove-entries-from-file=filename
851           Remove the entries listed in the file from the ipset. For all
852           entries that are listed in the file but not in the ipset, a warning
853           will be printed.
854
855           The file should contain one entry per line. Lines starting with a
856           hash or semicolon, and empty lines, are ignored.
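An added example (not firewalld's code) of the file handling the two options above describe: it reads an entries file with the comment and blank-line rules just stated, works out which entries are new and which are already present (the ones that produce a warning), and does the same for removal. It also models the timeout caveat from --add-entry and --query-entry; that the query error is the IPSET_WITH_TIMEOUT code (32 in the EXIT CODES table) is this example's assumption. The entries file and ipset contents are constructed here.

```python
from __future__ import annotations

# Exit code from the EXIT CODES table; assumed here to be what --query-entry
# reports for an ipset created with the timeout option.
IPSET_WITH_TIMEOUT = 32

# Constructed sample entries file: one entry per line; '#' and ';' comment
# lines and blank lines are ignored, as --add-entries-from-file describes.
SAMPLE_ENTRIES_FILE = """\
# scanners seen last week
198.51.100.7
; a whole range
203.0.113.0/24

198.51.100.7
"""


def read_entries(text: str) -> list[str]:
    """Return the entries in file order, dropping comment and blank lines.
    Surrounding whitespace is stripped (this example's choice)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        entries.append(line)
    return entries


def plan_add(existing: set[str], entries: list[str]) -> tuple[list[str], list[str]]:
    """Split file entries into those to add and warnings for ones already
    present (a duplicate within the file itself is reported the same way)."""
    to_add, warnings = [], []
    seen = set(existing)
    for entry in entries:
        if entry in seen:
            warnings.append(f"{entry} is already in the ipset")
        else:
            to_add.append(entry)
            seen.add(entry)
    return to_add, warnings


def plan_remove(existing: set[str], entries: list[str]) -> tuple[list[str], list[str]]:
    """Split file entries into those to remove and warnings for ones not present."""
    to_remove, warnings = [], []
    remaining = set(existing)
    for entry in entries:
        if entry in remaining:
            to_remove.append(entry)
            remaining.discard(entry)
        else:
            warnings.append(f"{entry} is not in the ipset")
    return to_remove, warnings


def query_entry(ipset_options: dict[str, str], entries: set[str], entry: str) -> int:
    """Exit code --query-entry would give: 0 present, 1 absent, or
    IPSET_WITH_TIMEOUT when the ipset has the timeout option, since firewalld
    does not track entries of such ipsets."""
    if "timeout" in ipset_options:
        return IPSET_WITH_TIMEOUT
    return 0 if entry in entries else 1


def entries_argv(ipset: str, action: str, filename: str, permanent: bool = False) -> list[str]:
    """firewall-cmd invocation for --add-entries-from-file / --remove-entries-from-file."""
    if action not in ("add", "remove"):
        raise ValueError(f"action must be add or remove, got {action!r}")
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    argv += [f"--ipset={ipset}", f"--{action}-entries-from-file={filename}"]
    return argv


if __name__ == "__main__":
    current = {"203.0.113.0/24"}           # constructed current ipset contents
    to_add, warnings = plan_add(current, read_entries(SAMPLE_ENTRIES_FILE))
    print("would add:", to_add)
    for w in warnings:
        print("Warning:", w)
```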
857
858       --permanent --path-ipset=ipset
859           Print path of the ipset configuration file.
860
861   Service Options
862       Options in this section affect only one particular service.
863
864       [--permanent] --info-service=service
865           Print information about the service service. The output format is:
866
867               service
868                 ports: port1 ..
869                 protocols: protocol1 ..
870                 source-ports: source-port1 ..
871                 helpers: helper1 ..
872                 destination: ipv1:address1 ..
873
874
875
876       The following options are only usable in the permanent configuration.
877
878       --permanent --new-service=service
879           Add a new permanent and empty service.
880
881           Service names must be alphanumeric and may additionally include
882           characters: '_' and '-'.
883
884       --permanent --new-service-from-file=filename [--name=service]
885           Add a new permanent service from a prepared service file with an
886           optional name override.
887
888       --permanent --delete-service=service
889           Delete an existing permanent service.
890
891       --permanent --load-service-defaults=service
892           Load service default settings or report NO_DEFAULTS error.
893
894       --permanent --path-service=service
895           Print path of the service configuration file.
896
897       --permanent --service=service --set-description=description
898           Set new description to service
899
900       --permanent --service=service --get-description
901           Print description for service
902
903       --permanent --service=service --set-short=description
904           Set short description to service
905
906       --permanent --service=service --get-short
907           Print short description for service
908
909       --permanent --service=service --add-port=portid[-portid]/protocol
910           Add a new port to the permanent service.
911
912       --permanent --service=service --remove-port=portid[-portid]/protocol
913           Remove a port from the permanent service.
914
915       --permanent --service=service --query-port=portid[-portid]/protocol
916           Return whether the port has been added to the permanent service.
917
918       --permanent --service=service --get-ports
919           List ports added to the permanent service.
920
921       --permanent --service=service --add-protocol=protocol
922           Add a new protocol to the permanent service.
923
924       --permanent --service=service --remove-protocol=protocol
925           Remove a protocol from the permanent service.
926
927       --permanent --service=service --query-protocol=protocol
928           Return whether the protocol has been added to the permanent
929           service.
930
931       --permanent --service=service --get-protocols
932           List protocols added to the permanent service.
933
934       --permanent --service=service
935       --add-source-port=portid[-portid]/protocol
936           Add a new source port to the permanent service.
937
938       --permanent --service=service
939       --remove-source-port=portid[-portid]/protocol
940           Remove a source port from the permanent service.
941
942       --permanent --service=service
943       --query-source-port=portid[-portid]/protocol
944           Return whether the source port has been added to the permanent
945           service.
946
947       --permanent --service=service --get-source-ports
948           List source ports added to the permanent service.
949
950       --permanent --service=service --add-helper=helper
951           Add a new helper to the permanent service.
952
953       --permanent --service=service --remove-helper=helper
954           Remove a helper from the permanent service.
955
956       --permanent --service=service --query-helper=helper
957           Return whether the helper has been added to the permanent service.
958
959       --permanent --service=service --get-service-helpers
960           List helpers added to the permanent service.
961
962       --permanent --service=service --set-destination=ipv:address[/mask]
963           Set destination for ipv to address[/mask] in the permanent service.
964
965       --permanent --service=service --remove-destination=ipv
966           Remove the destination for ipv from the permanent service.
967
968       --permanent --service=service --query-destination=ipv:address[/mask]
969           Return whether the destination ipv to address[/mask] has been set
970           in the permanent service.
971
972       --permanent --service=service --get-destinations
973           List destinations added to the permanent service.
974
975       --permanent --service=service --add-include=service
976           Add a new include to the permanent service.
977
978       --permanent --service=service --remove-include=service
979           Remove an include from the permanent service.
980
981       --permanent --service=service --query-include=service
982           Return whether the include has been added to the permanent service.
983
984       --permanent --service=service --get-includes
985           List includes added to the permanent service.
986
987   Helper Options
988       Options in this section affect only one particular helper.
989
990       [--permanent] --info-helper=helper
991           Print information about the helper helper. The output format is:
992
993               helper
994                 family: family
995                 module: module
996                 ports: port1 ..
997
998
999
1000       The following options are only usable in the permanent configuration.
1001
1002       --permanent --new-helper=helper --module=nf_conntrack_module
1003       [--family=ipv4|ipv6]
1004           Add a new permanent helper with module and optionally family
1005           defined.
1006
1007           Helper names must be alphanumeric and may additionally include
1008           characters: '-'.
1009
1010       --permanent --new-helper-from-file=filename [--name=helper]
1011           Add a new permanent helper from a prepared helper file with an
1012           optional name override.
1013
1014       --permanent --delete-helper=helper
1015           Delete an existing permanent helper.
1016
1017       --permanent --load-helper-defaults=helper
1018           Load helper default settings or report NO_DEFAULTS error.
1019
1020       --permanent --path-helper=helper
1021           Print path of the helper configuration file.
1022
1023       [--permanent] --get-helpers
1024           Print predefined helpers as a space separated list.
1025
1026       --permanent --helper=helper --set-description=description
1027           Set new description to helper
1028
1029       --permanent --helper=helper --get-description
1030           Print description for helper
1031
1032       --permanent --helper=helper --set-short=description
1033           Set short description to helper
1034
1035       --permanent --helper=helper --get-short
1036           Print short description for helper
1037
1038       --permanent --helper=helper --add-port=portid[-portid]/protocol
1039           Add a new port to the permanent helper.
1040
1041       --permanent --helper=helper --remove-port=portid[-portid]/protocol
1042           Remove a port from the permanent helper.
1043
1044       --permanent --helper=helper --query-port=portid[-portid]/protocol
1045           Return whether the port has been added to the permanent helper.
1046
1047       --permanent --helper=helper --get-ports
1048           List ports added to the permanent helper.
1049
1050       --permanent --helper=helper --set-module=description
1051           Set module description for helper
1052
1053       --permanent --helper=helper --get-module
1054           Print module description for helper
1055
1056       --permanent --helper=helper --set-family=description
1057           Set family description for helper
1058
1059       --permanent --helper=helper --get-family
1060           Print family description of helper
1061
1062   Internet Control Message Protocol (ICMP) type Options
1063       Options in this section affect only one particular icmptype.
1064
1065       [--permanent] --info-icmptype=icmptype
1066           Print information about the icmptype icmptype. The output format
1067           is:
1068
1069               icmptype
1070                 destination: ipv1 ..
1071
1072
1073
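The --info-ipset, --info-service, --info-helper and --info-icmptype layouts shown in this and the three preceding sections share one shape: the object's name on the first line, then indented key: value lines whose values are space separated. The following Python is an added example (not part of firewalld) that parses that shape into a dictionary, so a script can check, for instance, whether an ipset carries the timeout option before relying on --query-entry. The two sample outputs are constructed here in the documented layout, not captured from a real system.

```python
from __future__ import annotations

# Constructed sample outputs in the layouts the man page documents for
# --info-ipset and --info-service (names and values are made up).
SAMPLE_INFO_IPSET = """\
blocklist
  type: hash:net
  options: family=inet timeout=600 maxelem=65536
  entries: 198.51.100.7 203.0.113.0/24
"""

SAMPLE_INFO_SERVICE = """\
webapp
  ports: 8080/tcp 8443/tcp
  protocols:
  source-ports:
  helpers:
  destination: ipv4:192.0.2.10 ipv6:2001:db8::10
"""


def parse_info(text: str) -> dict[str, object]:
    """Parse "name / indented key: v1 v2 ..." output into
    {'name': str, key: [values]}.  A key with no values maps to []."""
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines or lines[0][0].isspace():
        raise ValueError("expected the object name on the first line")
    info: dict[str, object] = {"name": lines[0].strip()}
    for line in lines[1:]:
        if not line[0].isspace():
            raise ValueError(f"unexpected unindented line {line!r}")
        # Split on the first ':' only, so values such as ipv4:addr keep theirs.
        key, sep, rest = line.strip().partition(":")
        if not sep:
            raise ValueError(f"missing ':' in {line!r}")
        info[key] = rest.split()
    return info


def options_dict(values: list[str]) -> dict[str, str | None]:
    """Turn ['family=inet', 'timeout=600'] into {'family': 'inet', 'timeout': '600'};
    an option given without '=value' maps to None."""
    out: dict[str, str | None] = {}
    for item in values:
        key, sep, value = item.partition("=")
        out[key] = value if sep else None
    return out


def destinations(values: list[str]) -> dict[str, str]:
    """Split 'ipv4:192.0.2.10' style destination entries into {ipv: address}."""
    return dict(item.split(":", 1) for item in values)


def ipset_has_timeout(text: str) -> bool:
    """True when --info-ipset output lists a timeout option, i.e. firewalld
    does not track this ipset's entries and --query-entry will not work."""
    info = parse_info(text)
    return "timeout" in options_dict(info.get("options", []))


if __name__ == "__main__":
    print(parse_info(SAMPLE_INFO_IPSET))
    print("timeout ipset:", ipset_has_timeout(SAMPLE_INFO_IPSET))
    print(destinations(parse_info(SAMPLE_INFO_SERVICE)["destination"]))
```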
1074       The following options are only usable in the permanent configuration.
1075
1076       --permanent --new-icmptype=icmptype
1077           Add a new permanent and empty icmptype.
1078
1079           ICMP type names must be alphanumeric and may additionally include
1080           characters: '_' and '-'.
1081
1082       --permanent --new-icmptype-from-file=filename [--name=icmptype]
1083           Add a new permanent icmptype from a prepared icmptype file with an
1084           optional name override.
1085
1086       --permanent --delete-icmptype=icmptype
1087           Delete an existing permanent icmptype.
1088
1089       --permanent --load-icmptype-defaults=icmptype
1090           Load icmptype default settings or report NO_DEFAULTS error.
1091
1092       --permanent --icmptype=icmptype --set-description=description
1093           Set new description to icmptype
1094
1095       --permanent --icmptype=icmptype --get-description
1096           Print description for icmptype
1097
1098       --permanent --icmptype=icmptype --set-short=description
1099           Set short description to icmptype
1100
1101       --permanent --icmptype=icmptype --get-short
1102           Print short description for icmptype
1103
1104       --permanent --icmptype=icmptype --add-destination=ipv
1105           Enable destination for ipv in permanent icmptype. ipv is one of
1106           ipv4 or ipv6.
1107
1108       --permanent --icmptype=icmptype --remove-destination=ipv
1109           Disable destination for ipv in permanent icmptype. ipv is one of
1110           ipv4 or ipv6.
1111
1112       --permanent --icmptype=icmptype --query-destination=ipv
1113           Return whether destination for ipv is enabled in permanent
1114           icmptype. ipv is one of ipv4 or ipv6.
1115
1116       --permanent --icmptype=icmptype --get-destinations
1117           List destinations in permanent icmptype.
1118
1119       --permanent --path-icmptype=icmptype
1120           Print path of the icmptype configuration file.
1121
1122   Direct Options
1123       DEPRECATED
1124           The direct interface has been deprecated. It will be removed in a
1125           future release. It is superseded by policies, see
1126           firewalld.policies(5).
1127
1128       The direct options give more direct access to the firewall. These
1129       options require the user to know basic iptables concepts, i.e. table
1130       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
1131       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
1132       (ACCEPT/DROP/REJECT/...).
1133
1134       Direct options should be used only as a last resort when it's not
1135       possible to use for example --add-service=service or
1136       --add-rich-rule='rule'.
1137
1138       Warning: Direct rules behavior is different depending on the value of
1139       FirewallBackend. See CAVEATS in firewalld.direct(5).
1140
1141       The first argument of each option has to be ipv4 or ipv6 or eb. With
1142       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1143       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1144
1145       [--permanent] --direct --get-all-chains
1146           Get all chains added to all tables. This option concerns only
1147           chains previously added with --direct --add-chain.
1148
1149       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
1150           Get all chains added to table table as a space separated list. This
1151           option concerns only chains previously added with --direct
1152           --add-chain.
1153
1154       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
1155           Add a new chain with name chain to table table. Make sure there's
1156           no other chain with this name already.
1157
1158           There already exist basic chains to use with direct options, for
1159           example INPUT_direct chain (see iptables-save | grep direct output
1160           for all of them). These chains are jumped into before chains for
1161           zones, i.e. every rule put into INPUT_direct will be checked before
1162           rules in zones.
1163
1164       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1165           Remove chain with name chain from table table. Only chains
1166           previously added with --direct --add-chain can be removed this way.
1167
1168       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
1169           Return whether a chain with name chain exists in table table.
1170           Returns 0 if true, 1 otherwise. This option concerns only chains
1171           previously added with --direct --add-chain.
1172
1173       [--permanent] --direct --get-all-rules
1174           Get all rules added to all chains in all tables as a newline
1175           separated list of the priority and arguments. This option concerns
1176           only rules previously added with --direct --add-rule.
1177
1178       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
1179           Get all rules added to chain chain in table table as a newline
1180           separated list of the priority and arguments. This option concerns
1181           only rules previously added with --direct --add-rule.
1182
1183       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
1184       priority args
1185           Add a rule with the arguments args to chain chain in table table
1186           with priority priority.
1187
1188           The priority is used to order rules. Priority 0 means add rule on
1189           top of the chain, with a higher priority the rule will be added
1190           further down. Rules with the same priority are on the same level
1191           and the order of these rules is not fixed and may change. If you
1192           want to make sure that a rule will be added after another one, use
1193           a low priority for the first and a higher for the following.
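Because the chains direct rules go into (INPUT_direct and friends) are evaluated before the zone chains, the priority of a direct rule decides, for example, whether a DROP for a blocked range is checked before a broader ACCEPT in the same chain. The following Python is an added example (this editor's model, not firewalld's implementation) of the ordering rule above: a new rule lands below every rule of lower or equal priority, and the man page leaves the relative order of equal priorities undefined, so the model simply appends after existing rules of the same priority. The iptables -I position returned by add_rule illustrates where the rule ends up; it is not a claim about the backend call firewalld makes.

```python
from __future__ import annotations

from dataclasses import dataclass, field

# First argument of every direct option, and the tool it corresponds to.
TOOL_FOR_IPV = {"ipv4": "iptables", "ipv6": "ip6tables", "eb": "ebtables"}


@dataclass(frozen=True)
class DirectRule:
    priority: int
    args: tuple[str, ...]


@dataclass
class DirectChain:
    """Ordered model of the direct rules for one (ipv, table, chain)."""
    ipv: str
    table: str
    chain: str
    rules: list[DirectRule] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.ipv not in TOOL_FOR_IPV:
            raise ValueError("first argument must be ipv4, ipv6 or eb")

    def insert_position(self, priority: int) -> int:
        """1-based position for a new rule: below every rule whose priority is
        lower or equal.  Equal-priority order is undefined in the man page;
        this model appends after existing rules of equal priority."""
        return sum(1 for r in self.rules if r.priority <= priority) + 1

    def add_rule(self, priority: int, args: list[str]) -> list[str]:
        """Record the rule and return the iptables-style insert it corresponds to."""
        if priority < 0:
            raise ValueError("priority must be >= 0")
        pos = self.insert_position(priority)
        self.rules.insert(pos - 1, DirectRule(priority, tuple(args)))
        return [TOOL_FOR_IPV[self.ipv], "-t", self.table, "-I", self.chain, str(pos), *args]

    def firewall_cmd_argv(self, priority: int, args: list[str],
                          permanent: bool = False) -> list[str]:
        """The firewall-cmd --direct --add-rule invocation for this rule."""
        argv = ["firewall-cmd"]
        if permanent:
            argv.append("--permanent")
        return argv + ["--direct", "--add-rule", self.ipv, self.table,
                       self.chain, str(priority), *args]

    def priorities(self) -> list[int]:
        return [r.priority for r in self.rules]

    def get_rules(self) -> list[str]:
        """Same shape as --direct --get-rules: 'priority args...' per line."""
        return [" ".join([str(r.priority), *r.args]) for r in self.rules]


def order_after_adding(priorities: list[int]) -> list[int]:
    """Add rules with the given priorities, in that order, to a fresh chain
    and return the resulting order (rule arguments are constructed)."""
    chain = DirectChain("ipv4", "filter", "INPUT_direct")
    for n, p in enumerate(priorities):
        chain.add_rule(p, ["-m", "comment", "--comment", f"rule{n}"])
    return chain.priorities()


if __name__ == "__main__":
    chain = DirectChain("ipv4", "filter", "INPUT_direct")
    # Constructed rules: the ACCEPT is added first, but the DROP for a
    # blocked range uses priority 0 and therefore ends up above it.
    chain.add_rule(10, ["-p", "tcp", "--dport", "8080", "-j", "ACCEPT"])
    print(chain.add_rule(0, ["-s", "203.0.113.0/24", "-j", "DROP"]))
    print("\n".join(chain.get_rules()))
```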
1194
1195       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1196       priority args
1197           Remove a rule with priority and the arguments args from chain chain
1198           in table table. Only rules previously added with --direct
1199           --add-rule can be removed this way.
1200
1201       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
1202           Remove all rules from the chain with name chain in table table.
1203           This option concerns only rules previously added with --direct
1204           --add-rule in this chain.
1205
1206       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1207       priority args
1208           Return whether a rule with priority and the arguments args exists
1209           in chain chain in table table. Returns 0 if true, 1 otherwise. This
1210           option concerns only rules previously added with --direct
1211           --add-rule.
1212
1213       --direct --passthrough { ipv4 | ipv6 | eb } args
1214           Pass a command through to the firewall. args can be any iptables,
1215           ip6tables or ebtables command line arguments. This command is
1216           untracked, which means that firewalld cannot provide information
1217           about it later on, nor list the untracked passthroughs.
1219
1220       [--permanent] --direct --get-all-passthroughs
1221           Get all passthrough rules as a newline separated list of the ipv
1222           value and arguments.
1223
1224       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1225           Get all passthrough rules for the ipv value as a newline separated
1226           list of the priority and arguments.
1227
1228       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1229           Add a passthrough rule with the arguments args for the ipv value.
1230
1231       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1232           Remove a passthrough rule with the arguments args for the ipv
1233           value.
1234
1235       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1236           Return whether a passthrough rule with the arguments args exists
1237           for the ipv value. Returns 0 if true, 1 otherwise.
1238
1239   Lockdown Options
1240       Local applications or services are able to change the firewall
1241       configuration if they are running as root (example: libvirt) or are
1242       authenticated using PolicyKit. With this feature administrators can
1243       lock the firewall configuration so that only applications on the
1244       lockdown whitelist are able to request firewall changes.
1245
1246       The lockdown access check limits D-Bus methods that are changing
1247       firewall rules. Query, list and get methods are not limited.
1248
1249       The lockdown feature is a very light version of user and application
1250       policies for firewalld and is turned off by default.
1251
1252       --lockdown-on
1253           Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
1254           whitelist when you enable lockdown, you won't be able to disable it
1255           again with firewall-cmd; you would need to edit firewalld.conf.
1256
1257           This is a runtime and permanent change.
1258
1259       --lockdown-off
1260           Disable lockdown.
1261
1262           This is a runtime and permanent change.
1263
1264       --query-lockdown
1265           Query whether lockdown is enabled. Returns 0 if lockdown is
1266           enabled, 1 otherwise.
1267
1268   Lockdown Whitelist Options
1269       The lockdown whitelist can contain commands, contexts, users and user
1270       ids.
1271
1272       If a command entry on the whitelist ends with an asterisk '*', then all
1273       command lines starting with the command will match. Without the '*',
1274       the absolute command including its arguments must match exactly.
1275
1276       Command paths for users are not always the same and depend on the
1277       user's PATH. Some distributions symlink /bin to /usr/bin, in which case
1278       it depends on the order in which they appear in the PATH environment
1279       variable.
1279
1280       The context is the security (SELinux) context of a running application
1281       or service. To get the context of a running application use ps -e
1282       --context.
1283
1284       Warning: If the context is unconfined, then this will open access for
1285       more than the desired application.
1286
1287       The lockdown whitelist entries are checked in the following order:
1288           1. context
1289           2. uid
1290           3. user
1291           4. command
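The following Python is an added example (this editor's model, not firewalld's lockdown implementation) of the whitelist semantics described above: the four entry kinds are checked in the order context, uid, user, command; a command entry ending in '*' matches any command line with that prefix, otherwise the absolute command including its arguments must match exactly; and a denied request maps to the ACCESS_DENIED code (29) from the EXIT CODES table. It also flags the two pitfalls this section warns about, an unconfined SELinux context and a command path that differs from the one the caller actually resolves through PATH (/bin versus /usr/bin). All whitelist entries, contexts and command lines are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field

ACCESS_DENIED = 29   # from the EXIT CODES table


@dataclass
class LockdownWhitelist:
    """The four whitelist entry kinds, checked in the man page's order."""
    contexts: list[str] = field(default_factory=list)
    uids: list[int] = field(default_factory=list)
    users: list[str] = field(default_factory=list)
    commands: list[str] = field(default_factory=list)

    def command_matches(self, cmdline: str) -> bool:
        """A trailing '*' matches every command line starting with the prefix;
        otherwise the absolute command including arguments must match exactly."""
        for entry in self.commands:
            if entry.endswith("*"):
                if cmdline.startswith(entry[:-1]):
                    return True
            elif cmdline == entry:
                return True
        return False

    def granted_by(self, context: str, uid: int, user: str, cmdline: str) -> str | None:
        """Return the entry kind that admits the caller (context, uid, user,
        command, in that order), or None when lockdown would deny the change."""
        if context in self.contexts:
            return "context"
        if uid in self.uids:
            return "uid"
        if user in self.users:
            return "user"
        if self.command_matches(cmdline):
            return "command"
        return None

    def exit_code(self, context: str, uid: int, user: str, cmdline: str) -> int:
        """0 when a rule-changing D-Bus call would be allowed, ACCESS_DENIED
        otherwise.  Query, list and get methods are never subject to lockdown."""
        return 0 if self.granted_by(context, uid, user, cmdline) else ACCESS_DENIED

    def overly_broad_entries(self) -> list[str]:
        """Entries that admit more than one application: unconfined SELinux
        contexts (the man page's warning) and wildcard command entries whose
        prefix is a whole directory (this example's own heuristic)."""
        broad = [c for c in self.contexts if "unconfined" in c]
        broad += [c for c in self.commands if c.endswith("*") and c[:-1].endswith("/")]
        return broad


if __name__ == "__main__":
    # Constructed whitelist: one exact command, one wildcard, uid 0.
    wl = LockdownWhitelist(uids=[0],
                           commands=["/usr/libexec/example-agent --apply",
                                     "/usr/bin/firewall-cmd*"])
    print(wl.granted_by("system_u:system_r:example_t:s0", 1000, "svc",
                        "/usr/bin/firewall-cmd --add-port=443/tcp"))
    # Same program, resolved through /bin instead of /usr/bin: not matched.
    print(wl.exit_code("system_u:system_r:example_t:s0", 1000, "svc",
                       "/bin/firewall-cmd --add-port=443/tcp"))
```

The second demo call is the PATH pitfall from the text: the whitelist entry names /usr/bin/firewall-cmd, so a caller whose shell resolved the symlinked /bin/firewall-cmd first is denied even though it is the same program.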
1292
1293       [--permanent] --list-lockdown-whitelist-commands
1294           List all command lines that are on the whitelist.
1295
1296       [--permanent] --add-lockdown-whitelist-command=command
1297           Add the command to the whitelist.
1298
1299       [--permanent] --remove-lockdown-whitelist-command=command
1300           Remove the command from the whitelist.
1301
1302       [--permanent] --query-lockdown-whitelist-command=command
1303           Query whether the command is on the whitelist. Returns 0 if true, 1
1304           otherwise.
1305
1306       [--permanent] --list-lockdown-whitelist-contexts
1307           List all contexts that are on the whitelist.
1308
1309       [--permanent] --add-lockdown-whitelist-context=context
1310           Add the context context to the whitelist.
1311
1312       [--permanent] --remove-lockdown-whitelist-context=context
1313           Remove the context from the whitelist.
1314
1315       [--permanent] --query-lockdown-whitelist-context=context
1316           Query whether the context is on the whitelist. Returns 0 if true, 1
1317           otherwise.
1318
1319       [--permanent] --list-lockdown-whitelist-uids
1320           List all user ids that are on the whitelist.
1321
1322       [--permanent] --add-lockdown-whitelist-uid=uid
1323           Add the user id uid to the whitelist.
1324
1325       [--permanent] --remove-lockdown-whitelist-uid=uid
1326           Remove the user id uid from the whitelist.
1327
1328       [--permanent] --query-lockdown-whitelist-uid=uid
1329           Query whether the user id uid is on the whitelist. Returns 0 if
1330           true, 1 otherwise.
1331
1332       [--permanent] --list-lockdown-whitelist-users
1333           List all user names that are on the whitelist.
1334
1335       [--permanent] --add-lockdown-whitelist-user=user
1336           Add the user name user to the whitelist.
1337
1338       [--permanent] --remove-lockdown-whitelist-user=user
1339           Remove the user name user from the whitelist.
1340
1341       [--permanent] --query-lockdown-whitelist-user=user
1342           Query whether the user name user is on the whitelist. Returns 0 if
1343           true, 1 otherwise.
1344
1345   Panic Options
1346       --panic-on
1347           Enable panic mode. All incoming and outgoing packets are dropped
1348           and active connections will expire. Enable this only if there are
1349           serious problems with your network environment, for example if
1350           the machine is being hacked.
1351
1352           This is a runtime only change.
1353
1354       --panic-off
1355           Disable panic mode. After disabling panic mode established
1356           connections might work again, if panic mode was enabled for a short
1357           period of time.
1358
1359           This is a runtime only change.
1360
1361       --query-panic
1362           Returns 0 if panic mode is enabled, 1 otherwise.
1363

EXAMPLES

1365       For more examples see http://fedoraproject.org/wiki/FirewallD
1366
1367   Example 1
1368       Enable the http service in the default zone. This is a runtime-only
1369       change, i.e. effective until restart.
1370
1371           firewall-cmd --add-service=http
1372
1373
1374
1375   Example 2
1376       Enable port 443/tcp immediately and permanently in default zone. To
1377       make the change effective immediately and also after restart we need
1378       two commands. The first command makes the change in runtime
1379       configuration, i.e. makes it effective immediately, until restart. The
1380       second command makes the change in permanent configuration, i.e. makes
1381       it effective after restart.
1382
1383           firewall-cmd --add-port=443/tcp
1384           firewall-cmd --permanent --add-port=443/tcp
1385
1386
1387
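Example 2 shows the two-command pattern that keeps the runtime and permanent configuration in step. As an added example (not firewalld's code), the following Python applies a list of such changes both ways and interprets the exit status using a subset of the EXIT CODES table below; treating ALREADY_ENABLED (11) as success so that re-running a provisioning script is harmless, and stopping at the first other failure so that a divergence between runtime and permanent configuration is reported rather than hidden, are this example's policies. The name given to exit code 2 is this example's label for the wrong-usage case the table's introduction describes. The `run` parameter is an injection point assumed for testing; by default it executes firewall-cmd through subprocess.

```python
from __future__ import annotations

import subprocess

# Exit codes this example interprets (subset of the EXIT CODES table; the
# name for 2 is this example's label for wrong command-line usage).
EXIT_NAMES = {
    0: "SUCCESS", 2: "WRONG_USAGE", 11: "ALREADY_ENABLED", 12: "NOT_ENABLED",
    13: "COMMAND_FAILED", 15: "PANIC_MODE", 29: "ACCESS_DENIED",
    38: "NOT_APPLIED", 101: "INVALID_SERVICE", 102: "INVALID_PORT",
}
# Codes after which the configuration is in the desired state anyway.
IDEMPOTENT_OK = {0, 11}


def runtime_and_permanent(change: list[str]) -> list[list[str]]:
    """Example 2 pattern: the same change applied to runtime, then permanent."""
    return [["firewall-cmd", *change], ["firewall-cmd", "--permanent", *change]]


def _run(argv: list[str]) -> int:
    """Default runner: execute argv and return its exit status."""
    return subprocess.run(argv, check=False).returncode


def apply_changes(changes: list[list[str]], run=_run) -> list[tuple[list[str], int, str]]:
    """Apply each change to both configurations, in order.

    Returns (argv, exit code, name) per invocation.  ALREADY_ENABLED counts as
    success; any other non-zero code stops immediately so the caller sees
    exactly which invocation left runtime and permanent state out of step.
    """
    results: list[tuple[list[str], int, str]] = []
    for change in changes:
        for argv in runtime_and_permanent(change):
            rc = run(argv)
            results.append((argv, rc, EXIT_NAMES.get(rc, f"UNKNOWN({rc})")))
            if rc not in IDEMPOTENT_OK:
                return results
    return results


def succeeded(results: list[tuple[list[str], int, str]]) -> bool:
    """True when every planned invocation ran and ended in an acceptable code."""
    return bool(results) and all(rc in IDEMPOTENT_OK for _, rc, _ in results)


if __name__ == "__main__":
    # Dry run with a fake runner: print what would be executed.
    def show(argv: list[str]) -> int:
        print(" ".join(argv))
        return 0
    apply_changes([["--add-service=http"], ["--add-port=443/tcp"]], run=show)
```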

EXIT CODES

1389       On success 0 is returned. On failure the output is colored red and the
1390       exit code is either 2 in case of wrong command-line option usage or
1391       one of the following error codes in other cases:
1392
1393       ┌────────────────────┬──────┐
1394       │String              │ Code │
1395       ├────────────────────┼──────┤
1396       │ALREADY_ENABLED     │   11 │
1397       ├────────────────────┼──────┤
1398       │NOT_ENABLED         │   12 │
1399       ├────────────────────┼──────┤
1400       │COMMAND_FAILED      │   13 │
1401       ├────────────────────┼──────┤
1402       │NO_IPV6_NAT         │   14 │
1403       ├────────────────────┼──────┤
1404       │PANIC_MODE          │   15 │
1405       ├────────────────────┼──────┤
1406       │ZONE_ALREADY_SET    │   16 │
1407       ├────────────────────┼──────┤
1408       │UNKNOWN_INTERFACE   │   17 │
1409       ├────────────────────┼──────┤
1410       │ZONE_CONFLICT       │   18 │
1411       ├────────────────────┼──────┤
1412       │BUILTIN_CHAIN       │   19 │
1413       ├────────────────────┼──────┤
1414       │EBTABLES_NO_REJECT  │   20 │
1415       ├────────────────────┼──────┤
1416       │NOT_OVERLOADABLE    │   21 │
1417       ├────────────────────┼──────┤
1418       │NO_DEFAULTS         │   22 │
1419       ├────────────────────┼──────┤
1420       │BUILTIN_ZONE        │   23 │
1421       ├────────────────────┼──────┤
1422       │BUILTIN_SERVICE     │   24 │
1423       ├────────────────────┼──────┤
1424       │BUILTIN_ICMPTYPE    │   25 │
1425       ├────────────────────┼──────┤
1426       │NAME_CONFLICT       │   26 │
1427       ├────────────────────┼──────┤
1428       │NAME_MISMATCH       │   27 │
1429       ├────────────────────┼──────┤
1430       │PARSE_ERROR         │   28 │
1431       ├────────────────────┼──────┤
1432       │ACCESS_DENIED       │   29 │
1433       ├────────────────────┼──────┤
1434       │UNKNOWN_SOURCE      │   30 │
1435       ├────────────────────┼──────┤
1436       │RT_TO_PERM_FAILED   │   31 │
1437       ├────────────────────┼──────┤
1438       │IPSET_WITH_TIMEOUT  │   32 │
1439       ├────────────────────┼──────┤
1440       │BUILTIN_IPSET       │   33 │
1441       ├────────────────────┼──────┤
1442       │ALREADY_SET         │   34 │
1443       ├────────────────────┼──────┤
1444       │MISSING_IMPORT      │   35 │
1445       ├────────────────────┼──────┤
1446       │DBUS_ERROR          │   36 │
1447       ├────────────────────┼──────┤
1448       │BUILTIN_HELPER      │   37 │
1449       ├────────────────────┼──────┤
1450       │NOT_APPLIED         │   38 │
1451       ├────────────────────┼──────┤
1452       │INVALID_ACTION      │  100 │
1453       ├────────────────────┼──────┤
1454       │INVALID_SERVICE     │  101 │
1455       ├────────────────────┼──────┤
1456       │INVALID_PORT        │  102 │
1457       ├────────────────────┼──────┤
1458       │INVALID_PROTOCOL    │  103 │
1459       ├────────────────────┼──────┤
1460       │INVALID_INTERFACE   │  104 │
1461       ├────────────────────┼──────┤
1462       │INVALID_ADDR        │  105 │
1463       ├────────────────────┼──────┤
1464       │INVALID_FORWARD     │  106 │
1465       ├────────────────────┼──────┤
1466       │INVALID_ICMPTYPE    │  107 │
1467       ├────────────────────┼──────┤
1468       │INVALID_TABLE       │  108 │
1469       ├────────────────────┼──────┤
1470       │INVALID_CHAIN       │  109 │
1471       ├────────────────────┼──────┤
1472       │INVALID_TARGET      │  110 │
1473       ├────────────────────┼──────┤
1474       │INVALID_IPV         │  111 │
1475       ├────────────────────┼──────┤
1476       │INVALID_ZONE        │  112 │
1477       ├────────────────────┼──────┤
1478       │INVALID_PROPERTY    │  113 │
1479       ├────────────────────┼──────┤
1480       │INVALID_VALUE       │  114 │
1481       ├────────────────────┼──────┤
1482       │INVALID_OBJECT      │  115 │
1483       ├────────────────────┼──────┤
1484       │INVALID_NAME        │  116 │
1485       ├────────────────────┼──────┤
1486       │INVALID_FILENAME    │  117 │
1487       ├────────────────────┼──────┤
1488       │INVALID_DIRECTORY   │  118 │
1489       ├────────────────────┼──────┤
1490       │INVALID_TYPE        │  119 │
1491       ├────────────────────┼──────┤
1492       │INVALID_SETTING     │  120 │
1493       ├────────────────────┼──────┤
1494       │INVALID_DESTINATION │  121 │
1495       ├────────────────────┼──────┤
1496       │INVALID_RULE        │  122 │
1497       ├────────────────────┼──────┤
1498       │INVALID_LIMIT       │  123 │
1499       ├────────────────────┼──────┤
1500       │INVALID_FAMILY      │  124 │
1501       ├────────────────────┼──────┤
1502       │INVALID_LOG_LEVEL   │  125 │
1503       ├────────────────────┼──────┤
1504       │INVALID_AUDIT_TYPE  │  126 │
1505       ├────────────────────┼──────┤
1506       │INVALID_MARK        │  127 │
1507       ├────────────────────┼──────┤
1508       │INVALID_CONTEXT     │  128 │
1509       ├────────────────────┼──────┤
1510       │INVALID_COMMAND     │  129 │
1511       ├────────────────────┼──────┤
1512       │INVALID_USER        │  130 │
1513       ├────────────────────┼──────┤
1514       │INVALID_UID         │  131 │
1515       ├────────────────────┼──────┤
1516       │INVALID_MODULE      │  132 │
1517       ├────────────────────┼──────┤
1518       │INVALID_PASSTHROUGH │  133 │
1519       ├────────────────────┼──────┤
1520       │INVALID_MAC         │  134 │
1521       ├────────────────────┼──────┤
1522       │INVALID_IPSET       │  135 │
1523       ├────────────────────┼──────┤
1524       │INVALID_ENTRY       │  136 │
1525       ├────────────────────┼──────┤
1526       │INVALID_OPTION      │  137 │
1527       ├────────────────────┼──────┤
1528       │INVALID_HELPER      │  138 │
1529       ├────────────────────┼──────┤
1530       │INVALID_PRIORITY    │  139 │
1531       ├────────────────────┼──────┤
1532       │INVALID_POLICY      │  140 │
1533       ├────────────────────┼──────┤
1534       │INVALID_LOG_PREFIX  │  141 │
1535       ├────────────────────┼──────┤
1536       │INVALID_NFLOG_GROUP │  142 │
1537       ├────────────────────┼──────┤
1538       │INVALID_NFLOG_QUEUE │  143 │
1539       ├────────────────────┼──────┤
1540       │MISSING_TABLE       │  200 │
1541       ├────────────────────┼──────┤
1542       │MISSING_CHAIN       │  201 │
1543       ├────────────────────┼──────┤
1544       │MISSING_PORT        │  202 │
1545       ├────────────────────┼──────┤
1546       │MISSING_PROTOCOL    │  203 │
1547       ├────────────────────┼──────┤
1548       │MISSING_ADDR        │  204 │
1549       ├────────────────────┼──────┤
1550       │MISSING_NAME        │  205 │
1551       ├────────────────────┼──────┤
1552       │MISSING_SETTING     │  206 │
1553       ├────────────────────┼──────┤
1554       │MISSING_FAMILY      │  207 │
1555       ├────────────────────┼──────┤
1556       │RUNNING_BUT_FAILED  │  251 │
1557       ├────────────────────┼──────┤
1558       │NOT_RUNNING         │  252 │
1559       ├────────────────────┼──────┤
1560       │NOT_AUTHORIZED      │  253 │
1561       ├────────────────────┼──────┤
1562       │UNKNOWN_ERROR       │  254 │
1563       └────────────────────┴──────┘
1564
       Note that the return codes of --query-* options are special: successful
       queries return 0, unsuccessful ones return 1, unless an error occurred,
       in which case the table above applies.

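       The following is an added example, not part of firewalld or of this
       manual page. It shows how a script should consume the exit codes
       documented above: the runtime-then-permanent procedure from Example 2
       is wrapped so that ALREADY_ENABLED (11) is treated as "nothing to do"
       while every other failure (ACCESS_DENIED, NOT_RUNNING, INVALID_PORT,
       ...) is raised with its name, and --query-* results are mapped to
       True/False with the same error handling. The run parameter and the
       FakeFirewalld class are assumptions made here so the logic can be
       exercised without a live daemon; with the default runner the real
       firewall-cmd is invoked.

```python
"""Interpret firewall-cmd exit codes from a script.

Added example, not part of firewalld. The `run` parameter and the
FakeFirewalld class are assumptions so that the logic can be exercised
offline; the default runner calls the real firewall-cmd client.
"""
import subprocess

# Subset of the exit code table from the man page, keyed by numeric code.
EXIT_CODE_NAMES = {
    11: "ALREADY_ENABLED",
    12: "NOT_ENABLED",
    13: "COMMAND_FAILED",
    29: "ACCESS_DENIED",
    102: "INVALID_PORT",
    112: "INVALID_ZONE",
    251: "RUNNING_BUT_FAILED",
    252: "NOT_RUNNING",
    253: "NOT_AUTHORIZED",
    254: "UNKNOWN_ERROR",
}
USAGE_ERROR = 2  # wrong command-line option usage (not part of the table)


class FirewallCmdError(RuntimeError):
    """Raised for any exit code that is neither success nor a query 'no'."""

    def __init__(self, argv, rc):
        self.rc = rc
        if rc == USAGE_ERROR:
            self.name = "USAGE_ERROR"
        else:
            self.name = EXIT_CODE_NAMES.get(rc, "code %d" % rc)
        super().__init__(
            "firewall-cmd %s -> %s (%d)" % (" ".join(argv), self.name, rc))


def run_firewall_cmd(argv):
    """Default runner: invoke the real client and return its exit code."""
    return subprocess.run(["firewall-cmd", *argv], check=False).returncode


def query(args, run=run_firewall_cmd):
    """--query-* semantics: exit 0 means yes, 1 means no, anything else
    is an error from the table and is raised."""
    rc = run(list(args))
    if rc == 0:
        return True
    if rc == 1:
        return False
    raise FirewallCmdError(list(args), rc)


def ensure(args, run=run_firewall_cmd):
    """Apply one --add-* option to the runtime and then to the permanent
    configuration (the two-command procedure of Example 2).

    Returns (runtime_changed, permanent_changed). ALREADY_ENABLED (11) is
    reported as 'not changed' rather than as a failure, so the call is
    safe to repeat; every other non-zero code is raised so that
    ACCESS_DENIED, NOT_RUNNING or INVALID_PORT is never silently ignored.
    """
    changed = []
    for scope in ([], ["--permanent"]):
        argv = [*scope, *args]
        rc = run(argv)
        if rc == 0:
            changed.append(True)
        elif rc == 11:
            changed.append(False)
        else:
            raise FirewallCmdError(argv, rc)
    return tuple(changed)


class FakeFirewalld:
    """Constructed stand-in (assumption, not firewalld) that mimics the
    exit codes of --add-port / --query-port on separate runtime and
    permanent sets, so the functions above can be run offline."""

    def __init__(self, running=True):
        self.running = running
        self.runtime = set()
        self.permanent = set()

    def __call__(self, argv):
        if not self.running:
            return 252  # NOT_RUNNING
        target = self.permanent if "--permanent" in argv else self.runtime
        for arg in argv:
            if arg.startswith("--add-port="):
                port = arg.split("=", 1)[1]
                if port in target:
                    return 11  # ALREADY_ENABLED
                target.add(port)
                return 0
            if arg.startswith("--query-port="):
                return 0 if arg.split("=", 1)[1] in target else 1
        return USAGE_ERROR


if __name__ == "__main__":
    fw = FakeFirewalld()
    print(ensure(["--add-port=443/tcp"], run=fw))   # (True, True)
    print(ensure(["--add-port=443/tcp"], run=fw))   # (False, False)
    print(query(["--query-port=443/tcp"], run=fw))  # True
    try:
        query(["--query-port=443/tcp"], run=FakeFirewalld(running=False))
    except FirewallCmdError as err:
        print(err.name)  # NOT_RUNNING
```

       Against a real system, drop the run argument; a script that only
       checks "exit code != 0" would misreport an already-open port as a
       failure and could not tell a denied change from a stopped daemon,
       which is exactly the distinction the table provides.
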

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)


NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD


AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer



firewalld 2.0.2                                                FIREWALL-CMD(1)