FIREWALL-CMD(1)                    firewall-cmd                    FIREWALL-CMD(1)
NAME
firewall-cmd - firewalld command line client
SYNOPSIS
firewall-cmd [OPTIONS...]
DESCRIPTION
firewall-cmd is the command line client of the firewalld daemon. It provides an interface to manage the runtime and permanent configurations.
The runtime configuration in firewalld is separate from the permanent configuration. This means that a change can be made to the runtime configuration without touching the permanent one, and vice versa.
OPTIONS
Sequence options are options that can be specified multiple times. For these, the exit code is 0 if at least one item succeeded. The ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors are treated as succeeded. If there are issues while parsing the items, these are treated as warnings and do not change the result as long as there is one succeeded item. Without any succeeded item, the exit code depends on the error codes: if there is exactly one error code, it is used; if there is more than one, UNKNOWN_ERROR (254) is used.
The following options are supported:
General Options
-h, --help
-V, --version
-q, --quiet
Status Options
--state
--reload
Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not affected and will therefore stay in place until firewalld daemon is restarted completely. For FlushAllOnReload, see firewalld.conf(5).
--complete-reload
Note: If FlushAllOnReload=no, runtime changes applied via the direct interface are not affected and will therefore stay in place until firewalld daemon is restarted completely. For FlushAllOnReload, see firewalld.conf(5).
--runtime-to-permanent
--check-config
--reset-to-defaults
Log Denied Options
--get-log-denied
--set-log-denied=value
This is a runtime and permanent change and will also reload the firewall to be able to add the logging rules.
Permanent Options
--permanent
If you want to make a change in runtime and permanent configuration, use the same call with and without the --permanent option.
The --permanent option can be optionally added to all options further down where it is supported.
Zone Options
--get-default-zone
--set-default-zone=zone
This is a runtime and permanent change.
--get-active-zones
zone1
  interfaces: interface1 interface2 ..
  sources: source1 ..
zone2
  interfaces: interface3 ..
zone3
  sources: source2 ..
If there are no interfaces or sources bound to the zone, the corresponding line will be omitted.
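The --get-active-zones output above is the natural input for an audit script that checks which zone actually handles a given interface or source. The following is an added example, not part of the firewall-cmd man page or the firewalld project: a small POSIX sh/awk parser for that format. The sample output is constructed to match the layout shown above (it is not real output), and the function names are ours. The parser keys on the leading words "interfaces:" and "sources:" rather than on indentation, so it works on the output whether or not the sub-lines are indented.

```shell
#!/bin/sh
# Added example, not from the firewall-cmd man page: parse the output format
# of `firewall-cmd --get-active-zones` into one binding per line, so an audit
# script can answer "which zone handles interface X / source Y?".
# The sample below is constructed to match that format; it is not real output.

sample_active_zones='public
  interfaces: eth0 eth1
internal
  sources: 10.0.0.0/8
dmz
  interfaces: eth2
  sources: 192.0.2.10 ipset:trusted-hosts
'

# Read --get-active-zones output on stdin and print one line per binding:
#   <zone>  <interfaces|sources>  <binding>   (tab separated)
# A line whose first word is "interfaces:" or "sources:" lists bindings of the
# most recently seen zone; any other non-empty line names a zone.
flatten_active_zones() {
    awk '
        $1 == "interfaces:" || $1 == "sources:" {
            kind = substr($1, 1, length($1) - 1)
            for (i = 2; i <= NF; i++) printf "%s\t%s\t%s\n", zone, kind, $i
            next
        }
        NF { zone = $1 }
    '
}

# Print the zone an interface is bound to, or nothing if it is unbound.
# usage: zone_of_interface IFACE < active-zones-output
zone_of_interface() {
    flatten_active_zones | awk -F '\t' -v want="$1" \
        '$2 == "interfaces" && $3 == want { print $1; exit }'
}

# Print every source binding (addresses, MACs, ipset: references) of a zone.
# usage: sources_of_zone ZONE < active-zones-output
sources_of_zone() {
    flatten_active_zones | awk -F '\t' -v want="$1" \
        '$1 == want && $2 == "sources" { print $3 }'
}

# Stand-alone demonstration on the constructed sample.
printf '%s' "$sample_active_zones" | flatten_active_zones
printf 'eth2 is handled by zone: %s\n' \
    "$(printf '%s' "$sample_active_zones" | zone_of_interface eth2)"
```

On a live host the sample variable would be replaced by `firewall-cmd --get-active-zones | zone_of_interface eth0`; comparing the result against the zone an interface is expected to be in is a cheap drift check for a configuration-management run.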
[--permanent] --get-zones
[--permanent] --get-services
[--permanent] --get-icmptypes
[--permanent] --get-zone-of-interface=interface
[--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
[--permanent] --info-zone=zone
zone
  interfaces: interface1 ..
  sources: source1 ..
  services: service1 ..
  ports: port1 ..
  protocols: protocol1 ..
  forward-ports:
    forward-port1
    ..
  source-ports: source-port1 ..
  icmp-blocks: icmp-type1 ..
  rich rules:
    rich-rule1
    ..
[--permanent] --list-all-zones
zone1
  interfaces: interface1 ..
  sources: source1 ..
  services: service1 ..
  ports: port1 ..
  protocols: protocol1 ..
  forward-ports:
    forward-port1
    ..
  icmp-blocks: icmp-type1 ..
  rich rules:
    rich-rule1
    ..
..
--permanent --new-zone=zone
Zone names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-zone-from-file=filename [--name=zone]
--permanent --delete-zone=zone
--permanent --load-zone-defaults=zone
--permanent --path-zone=zone
Policy Options
[--permanent] --get-policies
[--permanent] --info-policy=policy
[--permanent] --list-all-policies
--permanent --new-policy=policy
Policy names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-policy-from-file=filename [--name=policy]
--permanent --path-policy=policy
--permanent --delete-policy=policy
--permanent --load-policy-defaults=policy
Options to Adapt and Query Zones and Policies
Options in this section affect only one particular zone or policy. If used with --zone=zone or --policy=policy option, they affect the specified zone or policy. If both options are omitted, they affect the default zone (see --get-default-zone).
[--permanent] [--zone=zone] [--policy=policy] --list-all
--permanent [--zone=zone] [--policy=policy] --get-target
--permanent [--zone=zone] [--policy=policy] --set-target=target
For zones target is one of: default, ACCEPT, DROP, REJECT
For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT
default is similar to REJECT, but it implicitly allows ICMP packets.
--permanent [--zone=zone] [--policy=policy] --set-description=description
--permanent [--zone=zone] [--policy=policy] --get-description
--permanent [--zone=zone] [--policy=policy] --set-short=description
--permanent [--zone=zone] [--policy=policy] --get-short
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-services
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-service=service [--timeout=timeval]
The service is one of the firewalld provided services. To get a list of the supported services, use firewall-cmd --get-services.
The --timeout option is not combinable with the --permanent option.
Note: Some services define connection tracking helpers. Helpers that may operate in client mode (e.g. tftp) must be added to an outbound policy instead of a zone to take effect for clients. Otherwise the helper will not be applied to the outbound traffic. The related traffic, as defined by the connection tracking helper, on the return path (ingress) will be allowed by the stateful firewall rules.
An example of an outbound policy for connection tracking helpers:
# firewall-cmd --permanent --new-policy clientConntrack
# firewall-cmd --permanent --policy clientConntrack --add-ingress-zone HOST
# firewall-cmd --permanent --policy clientConntrack --add-egress-zone ANY
# firewall-cmd --permanent --policy clientConntrack --add-service tftp
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-service=service
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-service=service
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-ports
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-port=portid[-portid]/protocol [--timeout=timeval]
The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-port=portid[-portid]/protocol
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-port=portid[-portid]/protocol
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-protocols
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-protocol=protocol [--timeout=timeval]
The protocol can be any protocol supported by the system. Please have a look at /etc/protocols for supported protocols.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-protocol=protocol
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-protocol=protocol
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-source-ports
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-source-port=portid[-portid]/protocol [--timeout=timeval]
The port can either be a single port number or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-source-port=portid[-portid]/protocol
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-source-port=portid[-portid]/protocol
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-icmp-blocks
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-icmp-block=icmptype [--timeout=timeval]
The icmptype is one of the ICMP types firewalld supports. To get a listing of supported ICMP types, use firewall-cmd --get-icmptypes.
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-icmp-block=icmptype
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-icmp-block=icmptype
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-forward-ports
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]] [--timeout=timeval]
The port can either be a single port number portid or a port range portid-portid. The protocol can either be tcp, udp, sctp or dccp. The destination address is a simple IP address.
The --timeout option is not combinable with the --permanent option.
For IPv6 forward ports, please use the rich language.
Note: IP forwarding will be implicitly enabled if toaddr is specified.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
For IPv6 forward ports, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-masquerade [--timeout=timeval]
The --timeout option is not combinable with the --permanent option.
For IPv6 masquerading, please use the rich language.
Note: IP forwarding will be implicitly enabled.
Note (Linux < 5.5): For the iptables backend, a policy may not enable masquerade if an ingress zone has assigned interfaces. This restriction does not exist for the nftables backend, but does require Linux v5.5+ to function properly; otherwise it will silently fail.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-masquerade
For IPv6 masquerading, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-masquerade
For IPv6 masquerading, please use the rich language.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --list-rich-rules
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --add-rich-rule='rule' [--timeout=timeval]
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
The --timeout option is not combinable with the --permanent option.
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --remove-rich-rule='rule'
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
[--permanent] [--zone=zone] [--permanent] [--policy=policy] --query-rich-rule='rule'
For the rich language rule syntax, please have a look at firewalld.richlanguage(5).
Options to Adapt and Query Zones
Options in this section affect only one particular zone. If used with the --zone=zone option, they affect the specified zone. If the option is omitted, they affect the default zone (see --get-default-zone).
[--permanent] [--zone=zone] --add-icmp-block-inversion
[--permanent] [--zone=zone] --remove-icmp-block-inversion
[--permanent] [--zone=zone] --query-icmp-block-inversion
[--permanent] [--zone=zone] --add-forward
[--permanent] [--zone=zone] --remove-forward
[--permanent] [--zone=zone] --query-forward
--permanent [--zone=zone] --get-priority
--permanent [--zone=zone] --set-priority
--permanent [--zone=zone] --get-ingress-priority
--permanent [--zone=zone] --set-ingress-priority
--permanent [--zone=zone] --get-egress-priority
--permanent [--zone=zone] --set-egress-priority
Options to Adapt and Query Policies
Options in this section affect only one particular policy. It's required to specify --policy=policy with these options.
--permanent --policy=policy --get-priority
--permanent --policy=policy --set-priority=priority
If a priority is < 0, then the policy's rules will execute before all rules in all zones.
If a priority is > 0, then the policy's rules will execute after all rules in all zones.
[--permanent] --policy=policy --list-ingress-zones
[--permanent] --policy=policy --add-ingress-zone=zone
The ingress zone is one of the firewalld provided zones or one of the pseudo-zones: HOST, ANY.
HOST is used for traffic originating from the host machine, i.e. the host running firewalld.
ANY is used for traffic originating from any zone. This can be thought of as a wildcard for zones. However, it does not include traffic originating from the host machine - use HOST for that.
[--permanent] --policy=policy --remove-ingress-zone=zone
[--permanent] --policy=policy --query-ingress-zone=zone
[--permanent] --policy=policy --list-egress-zones
[--permanent] --policy=policy --add-egress-zone=zone
The egress zone is one of the firewalld provided zones or one of the pseudo-zones: HOST, ANY.
For clarification on HOST and ANY see option --add-ingress-zone.
[--permanent] --policy=policy --remove-egress-zone=zone
[--permanent] --policy=policy --query-egress-zone=zone
Options to Handle Bindings of Interfaces
Binding an interface to a zone means that this zone's settings are used to restrict traffic via the interface.
Options in this section affect only one particular zone. If used with the --zone=zone option, they affect the zone zone. If the option is omitted, they affect the default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd --get-zones.
An interface name is a string up to 16 characters long, that may not contain ' ', '/', '!' and '*'.
[--permanent] [--zone=zone] --list-interfaces
[--permanent] [--zone=zone] --add-interface=interface
If the interface is under control of NetworkManager, NetworkManager is contacted first to change the zone of the connection that is using the interface. If this fails, the zone binding is created in firewalld and the limitations below apply. For interfaces that are not under control of NetworkManager, firewalld tries to change the ZONE setting in the ifcfg file, if the file exists.
As an end user you don't need this in most cases, because NetworkManager (or the legacy network service) adds interfaces into zones automatically (according to the ZONE= option of the ifcfg-interface file) unless NM_CONTROLLED=no is set. You should do it only if there is no /etc/sysconfig/network-scripts/ifcfg-interface file. If there is such a file and you add the interface to a zone with this --add-interface option, make sure the zone is the same in both places, otherwise the behaviour is undefined. Please also have a look at the firewalld(1) man page in the Concepts section. For permanent association of an interface with a zone, see also 'How to set or change a zone for a connection?' in firewalld.zones(5).
[--permanent] [--zone=zone] --change-interface=interface
Bind the interface interface to zone zone, replacing its previous zone binding. It is basically --remove-interface followed by --add-interface. If the interface has not been bound to a zone before, it behaves like --add-interface. If zone is omitted, the default zone will be used.
[--permanent] [--zone=zone] --query-interface=interface
[--permanent] --remove-interface=interface
For the addition or change of interfaces that are not under control of NetworkManager: firewalld tries to change the ZONE setting in the ifcfg file, if an ifcfg file exists that is using the interface.
Only for the removal of interfaces that are not under control of NetworkManager: firewalld does not try to change the ZONE setting in the ifcfg file. This is needed to make sure that an ifdown of the interface will not result in a reset of the zone setting to the default zone. Only the zone binding in firewalld is removed.
Remove binding of interface interface from zone it was previously added to.
Options to Handle Bindings of Sources
Binding a source to a zone means that this zone's settings will be used to restrict traffic from this source.
A source address or address range is either an IP address or a network IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset with the ipset: prefix. For IPv4, the mask can be a network mask or a plain number. For IPv6 the mask is a plain number. The use of host names is not supported.
Options in this section affect only one particular zone. If used with the --zone=zone option, they affect the zone zone. If the option is omitted, they affect the default zone (see --get-default-zone).
For a list of predefined zones use firewall-cmd [--permanent] --get-zones.
[--permanent] [--zone=zone] --list-sources
[--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
[--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
[--permanent] [--zone=zone] --query-source=source[/mask]|MAC|ipset:ipset
[--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
IPSet Options
--get-ipset-types
--permanent --new-ipset=ipset --type=type [--family=inet|inet6] [--option=key[=value]]
ipset names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-ipset-from-file=filename [--name=ipset]
--permanent --delete-ipset=ipset
--permanent --load-ipset-defaults=ipset
[--permanent] --info-ipset=ipset
ipset
  type: type
  options: option1[=value1] ..
  entries: entry1 ..
[--permanent] --get-ipsets
--permanent --ipset=ipset --set-description=description
--permanent --ipset=ipset --get-description
--permanent --ipset=ipset --set-short=description
--permanent --ipset=ipset --get-short
[--permanent] --ipset=ipset --add-entry=entry
Adding an entry to an ipset with option timeout is permitted, but these entries are not tracked by firewalld.
[--permanent] --ipset=ipset --remove-entry=entry
[--permanent] --ipset=ipset --query-entry=entry
Querying an ipset with a timeout will yield an error. Entries are not tracked for ipsets with a timeout.
[--permanent] --ipset=ipset --get-entries
[--permanent] --ipset=ipset --add-entries-from-file=filename
The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
[--permanent] --ipset=ipset --remove-entries-from-file=filename
The file should contain one entry per line. Lines starting with a hash or semicolon are ignored, as are empty lines.
--permanent --path-ipset=ipset
Service Options
Options in this section affect only one particular service.
[--permanent] --info-service=service
service
  ports: port1 ..
  protocols: protocol1 ..
  source-ports: source-port1 ..
  helpers: helper1 ..
  destination: ipv1:address1 ..
The following options are only usable in the permanent configuration.
--permanent --new-service=service
Service names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-service-from-file=filename [--name=service]
--permanent --delete-service=service
--permanent --load-service-defaults=service
--permanent --path-service=service
--permanent --service=service --set-description=description
--permanent --service=service --get-description
--permanent --service=service --set-short=description
--permanent --service=service --get-short
--permanent --service=service --add-port=portid[-portid]/protocol
--permanent --service=service --remove-port=portid[-portid]/protocol
--permanent --service=service --query-port=portid[-portid]/protocol
--permanent --service=service --get-ports
--permanent --service=service --add-protocol=protocol
--permanent --service=service --remove-protocol=protocol
--permanent --service=service --query-protocol=protocol
--permanent --service=service --get-protocols
--permanent --service=service --add-source-port=portid[-portid]/protocol
--permanent --service=service --remove-source-port=portid[-portid]/protocol
--permanent --service=service --query-source-port=portid[-portid]/protocol
--permanent --service=service --get-source-ports
--permanent --service=service --add-helper=helper
--permanent --service=service --remove-helper=helper
--permanent --service=service --query-helper=helper
--permanent --service=service --get-service-helpers
--permanent --service=service --set-destination=ipv:address[/mask]
--permanent --service=service --remove-destination=ipv
--permanent --service=service --query-destination=ipv:address[/mask]
--permanent --service=service --get-destinations
--permanent --service=service --add-include=service
--permanent --service=service --remove-include=service
--permanent --service=service --query-include=service
--permanent --service=service --get-includes
Helper Options
Options in this section affect only one particular helper.
[--permanent] --info-helper=helper
helper
  family: family
  module: module
  ports: port1 ..
The following options are only usable in the permanent configuration.
--permanent --new-helper=helper --module=nf_conntrack_module [--family=ipv4|ipv6]
Helper names must be alphanumeric and may additionally include characters: '-'.
--permanent --new-helper-from-file=filename [--name=helper]
--permanent --delete-helper=helper
--permanent --load-helper-defaults=helper
--permanent --path-helper=helper
[--permanent] --get-helpers
--permanent --helper=helper --set-description=description
--permanent --helper=helper --get-description
--permanent --helper=helper --set-short=description
--permanent --helper=helper --get-short
--permanent --helper=helper --add-port=portid[-portid]/protocol
--permanent --helper=helper --remove-port=portid[-portid]/protocol
--permanent --helper=helper --query-port=portid[-portid]/protocol
--permanent --helper=helper --get-ports
--permanent --helper=helper --set-module=module
--permanent --helper=helper --get-module
--permanent --helper=helper --set-family=family
--permanent --helper=helper --get-family
Internet Control Message Protocol (ICMP) type Options
Options in this section affect only one particular icmptype.
[--permanent] --info-icmptype=icmptype
icmptype
  destination: ipv1 ..
The following options are only usable in the permanent configuration.
--permanent --new-icmptype=icmptype
ICMP type names must be alphanumeric and may additionally include characters: '_' and '-'.
--permanent --new-icmptype-from-file=filename [--name=icmptype]
--permanent --delete-icmptype=icmptype
--permanent --load-icmptype-defaults=icmptype
--permanent --icmptype=icmptype --set-description=description
--permanent --icmptype=icmptype --get-description
--permanent --icmptype=icmptype --set-short=description
--permanent --icmptype=icmptype --get-short
--permanent --icmptype=icmptype --add-destination=ipv
--permanent --icmptype=icmptype --remove-destination=ipv
--permanent --icmptype=icmptype --query-destination=ipv
--permanent --icmptype=icmptype --get-destinations
--permanent --path-icmptype=icmptype
Direct Options
DEPRECATED
The direct interface has been deprecated. It will be removed in a future release. It is superseded by policies, see firewalld.policies(5).
The direct options give more direct access to the firewall. These options require the user to know basic iptables concepts, i.e. table (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets (ACCEPT/DROP/REJECT/...).
Direct options should be used only as a last resort when it's not possible to use for example --add-service=service or --add-rich-rule='rule'.
Warning: Direct rules behavior is different depending on the value of FirewallBackend. See CAVEATS in firewalld.direct(5).
The first argument of each option has to be ipv4 or ipv6 or eb. With ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6 (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
[--permanent] --direct --get-all-chains
[--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
[--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
There already exist basic chains to use with direct options, for example INPUT_direct chain (see iptables-save | grep direct output for all of them). These chains are jumped into before chains for zones, i.e. every rule put into INPUT_direct will be checked before rules in zones.
[--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --get-all-rules
[--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain priority args
The priority is used to order rules. Priority 0 means add rule on top of the chain, with a higher priority the rule will be added further down. Rules with the same priority are on the same level and the order of these rules is not fixed and may change. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher for the following.
[--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain priority args
[--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
[--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain priority args
--direct --passthrough { ipv4 | ipv6 | eb } args
[--permanent] --direct --get-all-passthroughs
[--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
[--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
[--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
[--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
Lockdown Options
Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt) or are authenticated using PolicyKit. With this feature administrators can lock the firewall configuration so that only applications on the lockdown whitelist are able to request firewall changes.
The lockdown access check limits D-Bus methods that are changing firewall rules. Query, list and get methods are not limited.
The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default.
--lockdown-on
This is a runtime and permanent change.
--lockdown-off
This is a runtime and permanent change.
--query-lockdown
Lockdown Whitelist Options
The lockdown whitelist can contain commands, contexts, users and user ids.
If a command entry on the whitelist ends with an asterisk '*', then all command lines starting with the command will match. If the '*' is not there the absolute command inclusive arguments must match.
Command paths for users are not always the same and depend on the user's PATH. Some distributions symlink /bin to /usr/bin, in which case it depends on the order they appear in the PATH environment variable.
The context is the security (SELinux) context of a running application or service. To get the context of a running application use ps -e --context.
Warning: If the context is unconfined, then this will open access for more than the desired application.
The lockdown whitelist entries are checked in the following order:
[--permanent] --list-lockdown-whitelist-commands
[--permanent] --add-lockdown-whitelist-command=command
[--permanent] --remove-lockdown-whitelist-command=command
[--permanent] --query-lockdown-whitelist-command=command
[--permanent] --list-lockdown-whitelist-contexts
[--permanent] --add-lockdown-whitelist-context=context
[--permanent] --remove-lockdown-whitelist-context=context
[--permanent] --query-lockdown-whitelist-context=context
[--permanent] --list-lockdown-whitelist-uids
[--permanent] --add-lockdown-whitelist-uid=uid
[--permanent] --remove-lockdown-whitelist-uid=uid
[--permanent] --query-lockdown-whitelist-uid=uid
[--permanent] --list-lockdown-whitelist-users
[--permanent] --add-lockdown-whitelist-user=user
[--permanent] --remove-lockdown-whitelist-user=user
[--permanent] --query-lockdown-whitelist-user=user
Panic Options
--panic-on
This is a runtime only change.
--panic-off
This is a runtime only change.
--query-panic
EXAMPLES
For more examples see http://fedoraproject.org/wiki/FirewallD
Example 1
Enable the http service in the default zone. This is a runtime-only change, i.e. effective until restart.
firewall-cmd --add-service=http
Example 2
Enable port 443/tcp immediately and permanently in default zone. To make the change effective immediately and also after restart we need two commands. The first command makes the change in runtime configuration, i.e. makes it effective immediately, until restart. The second command makes the change in permanent configuration, i.e. makes it effective after restart.
firewall-cmd --add-port=443/tcp
firewall-cmd --permanent --add-port=443/tcp
EXIT CODES
On success 0 is returned. On failure the output is red colored and exit code is either 2 in case of wrong command-line option usage or one of the following error codes in other cases:
String | Code |
ALREADY_ENABLED | 11 |
NOT_ENABLED | 12 |
COMMAND_FAILED | 13 |
NO_IPV6_NAT | 14 |
PANIC_MODE | 15 |
ZONE_ALREADY_SET | 16 |
UNKNOWN_INTERFACE | 17 |
ZONE_CONFLICT | 18 |
BUILTIN_CHAIN | 19 |
EBTABLES_NO_REJECT | 20 |
NOT_OVERLOADABLE | 21 |
NO_DEFAULTS | 22 |
BUILTIN_ZONE | 23 |
BUILTIN_SERVICE | 24 |
BUILTIN_ICMPTYPE | 25 |
NAME_CONFLICT | 26 |
NAME_MISMATCH | 27 |
PARSE_ERROR | 28 |
ACCESS_DENIED | 29 |
UNKNOWN_SOURCE | 30 |
RT_TO_PERM_FAILED | 31 |
IPSET_WITH_TIMEOUT | 32 |
BUILTIN_IPSET | 33 |
ALREADY_SET | 34 |
MISSING_IMPORT | 35 |
DBUS_ERROR | 36 |
BUILTIN_HELPER | 37 |
NOT_APPLIED | 38 |
INVALID_ACTION | 100 |
INVALID_SERVICE | 101 |
INVALID_PORT | 102 |
INVALID_PROTOCOL | 103 |
INVALID_INTERFACE | 104 |
INVALID_ADDR | 105 |
INVALID_FORWARD | 106 |
INVALID_ICMPTYPE | 107 |
INVALID_TABLE | 108 |
INVALID_CHAIN | 109 |
INVALID_TARGET | 110 |
INVALID_IPV | 111 |
INVALID_ZONE | 112 |
INVALID_PROPERTY | 113 |
INVALID_VALUE | 114 |
INVALID_OBJECT | 115 |
INVALID_NAME | 116 |
INVALID_FILENAME | 117 |
INVALID_DIRECTORY | 118 |
INVALID_TYPE | 119 |
INVALID_SETTING | 120 |
INVALID_DESTINATION | 121 |
INVALID_RULE | 122 |
INVALID_LIMIT | 123 |
INVALID_FAMILY | 124 |
INVALID_LOG_LEVEL | 125 |
INVALID_AUDIT_TYPE | 126 |
INVALID_MARK | 127 |
INVALID_CONTEXT | 128 |
INVALID_COMMAND | 129 |
INVALID_USER | 130 |
INVALID_UID | 131 |
INVALID_MODULE | 132 |
INVALID_PASSTHROUGH | 133 |
INVALID_MAC | 134 |
INVALID_IPSET | 135 |
INVALID_ENTRY | 136 |
INVALID_OPTION | 137 |
INVALID_HELPER | 138 |
INVALID_PRIORITY | 139 |
INVALID_POLICY | 140 |
INVALID_LOG_PREFIX | 141 |
INVALID_NFLOG_GROUP | 142 |
INVALID_NFLOG_QUEUE | 143 |
MISSING_TABLE | 200 |
MISSING_CHAIN | 201 |
MISSING_PORT | 202 |
MISSING_PROTOCOL | 203 |
MISSING_ADDR | 204 |
MISSING_NAME | 205 |
MISSING_SETTING | 206 |
MISSING_FAMILY | 207 |
RUNNING_BUT_FAILED | 251 |
NOT_RUNNING | 252 |
NOT_AUTHORIZED | 253 |
UNKNOWN_ERROR | 254 |
Note that return codes of --query-* options are special: Successful queries return 0, unsuccessful ones return 1 unless an error occurred in which case the table above applies.
SEE ALSO
firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1), firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5), firewalld.icmptype(5), firewalld.lockdown-whitelist(5), firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5), firewalld.zone(5), firewalld.zones(5), firewalld.policy(5), firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)
NOTES
firewalld home page:
More documentation with examples:
AUTHORS
Thomas Woerner <twoerner@redhat.com>
Jiri Popelka <jpopelka@redhat.com>
Eric Garver <eric@garver.life>
firewalld 2.0.0