'\" t .\" Title: firewall-cmd .\" Author: Thomas Woerner .\" Generator: DocBook XSL Stylesheets v1.78.1 .\" Date: .\" Manual: firewall-cmd .\" Source: firewalld 0.3.12 .\" Language: English .\" .TH "FIREWALL\-CMD" "1" "" "firewalld 0.3.12" "firewall-cmd" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .\" http://bugs.debian.org/507673 .\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ .ie \n(.g .ds Aq \(aq .el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) .ad l .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- .SH "NAME" firewall-cmd \- firewalld command line client .SH "SYNOPSIS" .HP \w'\fBfirewall\-cmd\fR\ 'u \fBfirewall\-cmd\fR [OPTIONS...] .SH "DESCRIPTION" .PP firewall\-cmd is the command line client of the firewalld daemon\&. It provides an interface to manage the runtime and the permanent configuration\&. .PP The runtime configuration in firewalld is separated from the permanent configuration\&. This means that a change can be made to the runtime configuration, to the permanent configuration, or to both (see the section called \(lqPermanent Options\(rq)\&. .SH "OPTIONS" .PP The following options are supported: .SS "General Options" .PP \fB\-h\fR, \fB\-\-help\fR .RS 4 Prints a short help text and exits\&. .RE .PP \fB\-V\fR, \fB\-\-version\fR .RS 4 Print the version string of firewalld\&. This option is not combinable with other options\&. .RE .PP \fB\-q\fR, \fB\-\-quiet\fR .RS 4 Do not print status messages\&. 
.RE .SS "Status Options" .PP \fB\-\-state\fR .RS 4 Check whether the firewalld daemon is active (i\&.e\&. running)\&. Returns exit code 0 if it is active, \fINOT_RUNNING\fR otherwise (see the section called \(lqEXIT CODES\(rq)\&. This will also print the state to \fISTDOUT\fR\&. .RE .PP \fB\-\-reload\fR .RS 4 Reload firewall rules and keep state information\&. The current permanent configuration becomes the new runtime configuration, i\&.e\&. all runtime\-only changes made before the reload are lost unless they were also made in the permanent configuration\&. .RE .PP \fB\-\-complete\-reload\fR .RS 4 Reload the firewall completely, including the netfilter kernel modules\&. This will most likely terminate active connections, because state information is lost\&. This option should only be used in case of severe firewall problems, for example if the state information is broken so that no connection can be established even though the firewall rules are correct\&. .RE .SS "Permanent Options" .PP \fB\-\-permanent\fR .RS 4 The permanent option \fB\-\-permanent\fR can be used to set options permanently\&. These changes are not effective immediately, only after a service restart/reload or a system reboot\&. Without the \fB\-\-permanent\fR option, a change will only be part of the runtime configuration\&. The \fB\-\-permanent\fR option can not be used with all options\&. .sp If you want to make a change in the runtime and the permanent configuration, use the same call with and without the \fB\-\-permanent\fR option\&. .sp The \fB\-\-permanent\fR option can be optionally added to all options further down where it is supported\&. .RE .SS "Zone Options" .PP \fB\-\-get\-default\-zone\fR .RS 4 Print the default zone for connections and interfaces\&. .RE .PP \fB\-\-set\-default\-zone\fR=\fIzone\fR .RS 4 Set the default zone for connections and interfaces where no zone has been selected\&. Setting the default zone changes the zone of every connection or interface that is using the default zone\&. 
.sp This is a runtime and permanent change\&. .RE .PP \fB\-\-get\-active\-zones\fR .RS 4 Print the currently active zones together with the interfaces and sources bound to them\&. Active zones are zones that have a binding to an interface or source\&. The output format is: .sp .if n \{\ .RS 4 .\} .nf \fIzone1\fR interfaces: \fIinterface1\fR \fIinterface2\fR \&.\&. sources: \fIsource1\fR \&.\&. \fIzone2\fR interfaces: \fIinterface3\fR \&.\&. \fIzone3\fR sources: \fIsource2\fR \&.\&. .fi .if n \{\ .RE .\} .sp If there are no interfaces or sources bound to the zone, the corresponding line will be omitted\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-get\-zones\fR .RS 4 Print the predefined zones as a space separated list\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-get\-services\fR .RS 4 Print the predefined services as a space separated list\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-get\-icmptypes\fR .RS 4 Print the predefined icmptypes as a space separated list\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-get\-zone\-of\-interface\fR=\fIinterface\fR .RS 4 Print the name of the zone the \fIinterface\fR is bound to, or \fIno zone\fR\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-get\-zone\-of\-source\fR=\fIsource\fR[/\fImask\fR] .RS 4 Print the name of the zone the \fIsource\fR[/\fImask\fR] is bound to, or \fIno zone\fR\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-list\-all\-zones\fR .RS 4 List everything added for or enabled in all zones\&. The output format is: .sp .if n \{\ .RS 4 .\} .nf \fIzone1\fR interfaces: \fIinterface1\fR \&.\&. sources: \fIsource1\fR \&.\&. services: \fIservice1\fR \&.\&. ports: \fIport1\fR \&.\&. forward\-ports: \fIforward\-port1\fR \&.\&. icmp\-blocks: \fIicmp\-type1\fR \&.\&. rich rules: \fIrich\-rule1\fR \&.\&. \&.\&. .fi .if n \{\ .RE .\} .sp .RE .PP \fB\-\-permanent\fR \fB\-\-new\-zone\fR=\fIzone\fR .RS 4 Add a new permanent zone\&. .RE .PP \fB\-\-permanent\fR \fB\-\-delete\-zone\fR=\fIzone\fR .RS 4 Delete an existing permanent zone\&. 
.RE .PP \fB\-\-permanent\fR [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-get\-target\fR .RS 4 Get the target of a permanent zone\&. .RE .PP \fB\-\-permanent\fR [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-set\-target\fR=\fItarget\fR .RS 4 Set the target of a permanent zone\&. \fItarget\fR is one of: \fIdefault\fR, \fIACCEPT\fR, \fIDROP\fR, \fIREJECT\fR .RE .SS "Options to Adapt and Query Zones" .PP Options in this section affect only one particular zone\&. If used with the \fB\-\-zone\fR=\fIzone\fR option, they affect the zone \fIzone\fR\&. If the option is omitted, they affect the default zone (see \fB\-\-get\-default\-zone\fR)\&. .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-all\fR .RS 4 List everything added for or enabled in \fIzone\fR\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-services\fR .RS 4 List the services added for \fIzone\fR as a space separated list\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-service\fR=\fIservice\fR [\fB\-\-timeout\fR=\fItimeval\fR] .RS 4 Add a service for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. This option can be specified multiple times\&. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards\&. \fItimeval\fR is either a number (of seconds) or a number followed by one of the characters \fIs\fR (seconds), \fIm\fR (minutes), \fIh\fR (hours), for example \fI20m\fR or \fI1h\fR\&. .sp The service is one of the firewalld provided services\&. To get a list of the supported services, use \fBfirewall\-cmd \-\-get\-services\fR\&. .sp The \fB\-\-timeout\fR option is not combinable with the \fB\-\-permanent\fR option\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-service\fR=\fIservice\fR .RS 4 Remove a service from \fIzone\fR\&. This option can be specified multiple times\&. 
If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-service\fR=\fIservice\fR .RS 4 Return whether \fIservice\fR has been added for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. Returns 0 if true, 1 otherwise\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-ports\fR .RS 4 List the ports added for \fIzone\fR as a space separated list\&. A port is of the form \fIportid\fR[\-\fIportid\fR]/\fIprotocol\fR, i\&.e\&. either a port and protocol pair or a port range with a protocol\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-port\fR=\fIportid\fR[\-\fIportid\fR]/\fIprotocol\fR [\fB\-\-timeout\fR=\fItimeval\fR] .RS 4 Add the port for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. This option can be specified multiple times\&. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards\&. \fItimeval\fR is either a number (of seconds) or a number followed by one of the characters \fIs\fR (seconds), \fIm\fR (minutes), \fIh\fR (hours), for example \fI20m\fR or \fI1h\fR\&. .sp The port can either be a single port number or a port range \fIportid\fR\-\fIportid\fR\&. The protocol can either be \fItcp\fR or \fIudp\fR\&. .sp The \fB\-\-timeout\fR option is not combinable with the \fB\-\-permanent\fR option\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-port\fR=\fIportid\fR[\-\fIportid\fR]/\fIprotocol\fR .RS 4 Remove the port from \fIzone\fR\&. If zone is omitted, the default zone will be used\&. This option can be specified multiple times\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-port\fR=\fIportid\fR[\-\fIportid\fR]/\fIprotocol\fR .RS 4 Return whether the port has been added for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. 
Returns 0 if true, 1 otherwise\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-icmp\-blocks\fR .RS 4 List the Internet Control Message Protocol (ICMP) type blocks added for \fIzone\fR as a space separated list\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-icmp\-block\fR=\fIicmptype\fR [\fB\-\-timeout\fR=\fItimeval\fR] .RS 4 Add an ICMP block for \fIicmptype\fR for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. This option can be specified multiple times\&. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards\&. \fItimeval\fR is either a number (of seconds) or a number followed by one of the characters \fIs\fR (seconds), \fIm\fR (minutes), \fIh\fR (hours), for example \fI20m\fR or \fI1h\fR\&. .sp The \fIicmptype\fR must be one of the ICMP types firewalld supports\&. To get a listing of the supported ICMP types, use \fBfirewall\-cmd \-\-get\-icmptypes\fR\&. .sp The \fB\-\-timeout\fR option is not combinable with the \fB\-\-permanent\fR option\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-icmp\-block\fR=\fIicmptype\fR .RS 4 Remove the ICMP block for \fIicmptype\fR from \fIzone\fR\&. If zone is omitted, the default zone will be used\&. This option can be specified multiple times\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-icmp\-block\fR=\fIicmptype\fR .RS 4 Return whether an ICMP block for \fIicmptype\fR has been added for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. Returns 0 if true, 1 otherwise\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-forward\-ports\fR .RS 4 List the \fIIPv4\fR forward ports added for \fIzone\fR as a space separated list\&. If zone is omitted, the default zone will be used\&. .sp For \fIIPv6\fR forward ports, please use the rich language\&. 
.RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-forward\-port\fR=port=\fIportid\fR[\-\fIportid\fR]:proto=\fIprotocol\fR[:toport=\fIportid\fR[\-\fIportid\fR]][:toaddr=\fIaddress\fR[/\fImask\fR]] [\fB\-\-timeout\fR=\fItimeval\fR] .RS 4 Add the \fIIPv4\fR forward port for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. This option can be specified multiple times\&. If a timeout is supplied, the rule will be active for the specified amount of time and will be removed automatically afterwards\&. \fItimeval\fR is either a number (of seconds) or a number followed by one of the characters \fIs\fR (seconds), \fIm\fR (minutes), \fIh\fR (hours), for example \fI20m\fR or \fI1h\fR\&. .sp The port can either be a single port number \fIportid\fR or a port range \fIportid\fR\-\fIportid\fR\&. The protocol can either be \fItcp\fR or \fIudp\fR\&. The destination address is a simple IP address\&. .sp The \fB\-\-timeout\fR option is not combinable with the \fB\-\-permanent\fR option\&. .sp For \fIIPv6\fR forward ports, please use the rich language\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-forward\-port\fR=port=\fIportid\fR[\-\fIportid\fR]:proto=\fIprotocol\fR[:toport=\fIportid\fR[\-\fIportid\fR]][:toaddr=\fIaddress\fR[/\fImask\fR]] .RS 4 Remove the \fIIPv4\fR forward port from \fIzone\fR\&. If zone is omitted, the default zone will be used\&. This option can be specified multiple times\&. .sp For \fIIPv6\fR forward ports, please use the rich language\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-forward\-port\fR=port=\fIportid\fR[\-\fIportid\fR]:proto=\fIprotocol\fR[:toport=\fIportid\fR[\-\fIportid\fR]][:toaddr=\fIaddress\fR[/\fImask\fR]] .RS 4 Return whether the \fIIPv4\fR forward port has been added for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. Returns 0 if true, 1 otherwise\&. .sp For \fIIPv6\fR forward ports, please use the rich language\&. 
.RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-masquerade\fR [\fB\-\-timeout\fR=\fItimeval\fR] .RS 4 Enable \fIIPv4\fR masquerading for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. If a timeout is supplied, masquerading will be active for the specified amount of time\&. \fItimeval\fR is either a number (of seconds) or a number followed by one of the characters \fIs\fR (seconds), \fIm\fR (minutes), \fIh\fR (hours), for example \fI20m\fR or \fI1h\fR\&. Masquerading is useful if the machine is a router and machines connected over an interface in another zone should be able to use the first connection\&. .sp The \fB\-\-timeout\fR option is not combinable with the \fB\-\-permanent\fR option\&. .sp For \fIIPv6\fR masquerading, please use the rich language\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-masquerade\fR .RS 4 Disable \fIIPv4\fR masquerading for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. If masquerading was enabled with a timeout, it will be disabled as well\&. .sp For \fIIPv6\fR masquerading, please use the rich language\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-masquerade\fR .RS 4 Return whether \fIIPv4\fR masquerading has been enabled for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. Returns 0 if true, 1 otherwise\&. .sp For \fIIPv6\fR masquerading, please use the rich language\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-rich\-rules\fR .RS 4 List the rich language rules added for \fIzone\fR as a newline separated list\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-rich\-rule\fR=\*(Aq\fIrule\fR\*(Aq [\fB\-\-timeout\fR=\fItimeval\fR] .RS 4 Add the rich language rule \*(Aq\fIrule\fR\*(Aq for \fIzone\fR\&. This option can be specified multiple times\&. If zone is omitted, the default zone will be used\&. 
If a timeout is supplied, the \fIrule\fR will be active for the specified amount of time and will be removed automatically afterwards\&. \fItimeval\fR is either a number (of seconds) or a number followed by one of the characters \fIs\fR (seconds), \fIm\fR (minutes), \fIh\fR (hours), for example \fI20m\fR or \fI1h\fR\&. .sp For the rich language rule syntax, please have a look at \fBfirewalld.richlanguage\fR(5)\&. .sp The \fB\-\-timeout\fR option is not combinable with the \fB\-\-permanent\fR option\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-remove\-rich\-rule\fR=\*(Aq\fIrule\fR\*(Aq .RS 4 Remove the rich language rule \*(Aq\fIrule\fR\*(Aq from \fIzone\fR\&. This option can be specified multiple times\&. If zone is omitted, the default zone will be used\&. .sp For the rich language rule syntax, please have a look at \fBfirewalld.richlanguage\fR(5)\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-rich\-rule\fR=\*(Aq\fIrule\fR\*(Aq .RS 4 Return whether the rich language rule \*(Aq\fIrule\fR\*(Aq has been added for \fIzone\fR\&. If zone is omitted, the default zone will be used\&. Returns 0 if true, 1 otherwise\&. .sp For the rich language rule syntax, please have a look at \fBfirewalld.richlanguage\fR(5)\&. .RE .SS "Options to Handle Bindings of Interfaces" .PP Binding an interface to a zone means that the settings of this zone are used to restrict traffic through the interface\&. .PP Options in this section affect only one particular zone\&. If used with the \fB\-\-zone\fR=\fIzone\fR option, they affect the zone \fIzone\fR\&. If the option is omitted, they affect the default zone (see \fB\-\-get\-default\-zone\fR)\&. .PP For a list of predefined zones use \fBfirewall\-cmd \-\-get\-zones\fR\&. .PP An interface name is a string of up to 16 characters that may not contain \fB\*(Aq \*(Aq\fR, \fB\*(Aq/\*(Aq\fR, \fB\*(Aq!\*(Aq\fR or \fB\*(Aq*\*(Aq\fR\&. 
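.PP
The following is an added example and is not part of firewalld or of this manual page\&. It parses the listing formats given above for \fB\-\-get\-active\-zones\fR and \fB\-\-list\-all\-zones\fR (an unindented zone name followed by indented \fIkey\fR: \fIvalues\fR lines), so that the interface and source bindings of every zone, and what is reachable through them, can be audited from a script, for instance before an interface is moved with \fB\-\-change\-interface\fR\&. The sample listing is constructed\&. Two details this page does not state are assumptions: rich rules are taken to be printed one per line (they contain spaces), and only the first word of a zone header line is used as the zone name\&.

```python
"""Parse the zone listings printed by firewall-cmd.

Added example, not firewalld code.  Input is the format this manual page
gives for --get-active-zones and --list-all-zones: an unindented zone name
followed by indented "key: value ..." lines.  Values become a list.
"""
import re
from typing import Dict, List, Optional

ZoneMap = Dict[str, Dict[str, List[str]]]

# Assumption: rich rules contain spaces, so they are printed one per line
# under "rich rules:" instead of as a space separated list.
MULTILINE_KEYS = {"rich rules"}

# "interfaces: eth0 eth1", "forward-ports: port=80:proto=tcp:toport=8080".
# The lazy match stops at the first colon, so colons inside values survive.
_KEY_RE = re.compile(r"^([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_zone_listing(text: str) -> ZoneMap:
    """Return {zone: {key: [values...]}} for a listing in either format."""
    zones: ZoneMap = {}
    zone: Optional[str] = None
    multiline_key: Optional[str] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Zone header.  Assumption: only the first word is the name, so
            # a header like "public (active)" from newer releases also works.
            zone = raw.split()[0]
            zones[zone] = {}
            multiline_key = None
            continue
        if zone is None:
            raise ValueError(f"line {lineno}: attribute line before any zone name")
        line = raw.strip()
        match = _KEY_RE.match(line)
        if match:
            key, value = match.group(1), match.group(2).strip()
            if key in MULTILINE_KEYS:
                zones[zone][key] = [value] if value else []
                multiline_key = key
            else:
                zones[zone][key] = value.split()
                multiline_key = None
        elif multiline_key is not None:
            zones[zone][multiline_key].append(line)  # one rule per line
        else:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
    return zones

def zone_of_interface(zones: ZoneMap, interface: str) -> Optional[str]:
    """Zone the interface is bound to, or None (like --get-zone-of-interface)."""
    for name, attrs in zones.items():
        if interface in attrs.get("interfaces", []):
            return name
    return None

def bound_zones(zones: ZoneMap) -> List[str]:
    """Zones with an interface or source binding: the page's active zones."""
    return [n for n, a in zones.items() if a.get("interfaces") or a.get("sources")]

def exposure_report(zones: ZoneMap, default_zone: Optional[str] = None) -> ZoneMap:
    """What is reachable through every zone that can see traffic: the bound
    zones plus the default zone, which interfaces without an explicit
    binding fall back to (see --set-default-zone)."""
    names = bound_zones(zones)
    if default_zone in zones and default_zone not in names:
        names.append(default_zone)
    keys = ("services", "ports", "forward-ports", "rich rules")
    return {n: {k: zones[n].get(k, []) for k in keys} for n in names}

# Constructed sample in the --list-all-zones format shown in this page
# (empty keys left out for brevity; the parser accepts them as empty lists).
SAMPLE_LIST_ALL_ZONES = """\
public
  interfaces: eth0
  services: dhcpv6-client ssh
  ports: 8443/tcp
  forward-ports: port=80:proto=tcp:toport=8080
  rich rules:
\trule family="ipv4" source address="203.0.113.0/24" service name="ssh" reject
dmz
  services: ssh
internal
  sources: 10.0.0.0/8
  services: ssh mdns samba-client dhcpv6-client
  icmp-blocks: echo-request
"""

if __name__ == "__main__":
    listing = parse_zone_listing(SAMPLE_LIST_ALL_ZONES)
    print("eth0 is bound to:", zone_of_interface(listing, "eth0"))
    for name, reachable in exposure_report(listing, default_zone="dmz").items():
        print(name, reachable)
```

.PP
Feed it the output of \fBfirewall\-cmd \-\-list\-all\-zones\fR, or of \fBfirewall\-cmd \-\-permanent \-\-list\-all\-zones\fR to audit what will be in force after the next \fB\-\-reload\fR\&. A zone that has no interface or source binding is not active in the sense used by \fB\-\-get\-active\-zones\fR, but the default zone still handles interfaces for which no zone has been selected, which is why the report takes it as an extra argument\&.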
.PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-interfaces\fR .RS 4 List the interfaces that are bound to zone \fIzone\fR as a space separated list\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-interface\fR=\fIinterface\fR .RS 4 Bind interface \fIinterface\fR to zone \fIzone\fR\&. If zone is omitted, the default zone will be used\&. .sp As an end user you don\*(Aqt need this in most cases, because NetworkManager (or the legacy network service) adds interfaces to zones automatically (according to the \fBZONE=\fR option in the ifcfg\-\fIinterface\fR file)\&. You should do it only if there\*(Aqs no /etc/sysconfig/network\-scripts/ifcfg\-\fIinterface\fR file\&. If there is such a file and you add the interface to a zone with this \fB\-\-add\-interface\fR option, make sure the zone is the same in both places, otherwise the behaviour is undefined\&. For the permanent association of an interface with a zone, see also \*(AqHow to set or change a zone for a connection?\*(Aq in \fBfirewalld.zones\fR(5)\&. .RE .PP [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-change\-interface\fR=\fIinterface\fR .RS 4 Change the zone that interface \fIinterface\fR is bound to, to zone \fIzone\fR\&. It\*(Aqs basically \fB\-\-remove\-interface\fR followed by \fB\-\-add\-interface\fR\&. If the interface has not been bound to a zone before, it behaves like \fB\-\-add\-interface\fR\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-interface\fR=\fIinterface\fR .RS 4 Query whether interface \fIinterface\fR is bound to zone \fIzone\fR\&. Returns 0 if true, 1 otherwise\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-remove\-interface\fR=\fIinterface\fR .RS 4 Remove the binding of interface \fIinterface\fR from the zone it was previously added to\&. 
.RE .SS "Options to Handle Bindings of Sources" .PP Binding a source to a zone means that the settings of this zone will be used to restrict traffic from this source\&. .PP A source address or address range is either an IP address or a network IP address with a mask, for IPv4 or IPv6\&. For IPv4, the mask can be a network mask or a plain number\&. For IPv6 the mask is a plain number\&. The use of host names is not supported\&. .PP Options in this section affect only one particular zone\&. If used with the \fB\-\-zone\fR=\fIzone\fR option, they affect the zone \fIzone\fR\&. If the option is omitted, they affect the default zone (see \fB\-\-get\-default\-zone\fR)\&. .PP For a list of predefined zones use \fBfirewall\-cmd \fR\fB[\fB\-\-permanent\fR]\fR\fB \-\-get\-zones\fR\&. .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-list\-sources\fR .RS 4 List the sources that are bound to zone \fIzone\fR as a space separated list\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-add\-source\fR=\fIsource\fR[/\fImask\fR] .RS 4 Bind source \fIsource\fR[/\fImask\fR] to zone \fIzone\fR\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-change\-source\fR=\fIsource\fR[/\fImask\fR] .RS 4 Change the zone that source \fIsource\fR[/\fImask\fR] is bound to, to zone \fIzone\fR\&. It\*(Aqs basically \fB\-\-remove\-source\fR followed by \fB\-\-add\-source\fR\&. If the source has not been bound to a zone before, it behaves like \fB\-\-add\-source\fR\&. If zone is omitted, the default zone will be used\&. .RE .PP [\fB\-\-permanent\fR] [\fB\-\-zone\fR=\fIzone\fR] \fB\-\-query\-source\fR=\fIsource\fR[/\fImask\fR] .RS 4 Query whether the source \fIsource\fR[/\fImask\fR] is bound to the zone \fIzone\fR\&. Returns 0 if true, 1 otherwise\&. 
.RE .PP [\fB\-\-permanent\fR] \fB\-\-remove\-source\fR=\fIsource\fR[/\fImask\fR] .RS 4 Remove the binding of source \fIsource\fR[/\fImask\fR] from the zone it was previously added to\&. .RE .SS "Service Options" .PP \fB\-\-permanent\fR \fB\-\-new\-service\fR=\fIservice\fR .RS 4 Add a new permanent service\&. .RE .PP \fB\-\-permanent\fR \fB\-\-delete\-service\fR=\fIservice\fR .RS 4 Delete an existing permanent service\&. .RE .SS "Internet Control Message Protocol (ICMP) type Options" .PP \fB\-\-permanent\fR \fB\-\-new\-icmptype\fR=\fIicmptype\fR .RS 4 Add a new permanent icmptype\&. .RE .PP \fB\-\-permanent\fR \fB\-\-delete\-icmptype\fR=\fIicmptype\fR .RS 4 Delete an existing permanent icmptype\&. .RE .SS "Direct Options" .PP The direct options give more direct access to the firewall\&. These options require the user to know basic iptables concepts, i\&.e\&. \fItable\fR (filter/mangle/nat/\&.\&.\&.), \fIchain\fR (INPUT/OUTPUT/FORWARD/\&.\&.\&.), \fIcommands\fR (\-A/\-D/\-I/\&.\&.\&.), \fIparameters\fR (\-p/\-s/\-d/\-j/\&.\&.\&.) and \fItargets\fR (ACCEPT/DROP/REJECT/\&.\&.\&.)\&. .PP Direct options should be used only as a last resort, when it\*(Aqs not possible to use for example \fB\-\-add\-service\fR=\fIservice\fR or \fB\-\-add\-rich\-rule\fR=\*(Aq\fIrule\fR\*(Aq\&. .PP The first argument of each option has to be \fIipv4\fR, \fIipv6\fR or \fIeb\fR\&. With \fIipv4\fR it will be for IPv4 (\fBiptables\fR(8)), with \fIipv6\fR for IPv6 (\fBip6tables\fR(8)) and with \fIeb\fR for ethernet bridges (\fBebtables\fR(8))\&. .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-get\-all\-chains\fR .RS 4 Get all chains added to all tables\&. This option concerns only chains previously added with \fB\-\-direct \-\-add\-chain\fR\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-get\-chains\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR .RS 4 Get all chains added to table \fItable\fR as a space separated list\&. 
This option concerns only chains previously added with \fB\-\-direct \-\-add\-chain\fR\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-add\-chain\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR .RS 4 Add a new chain with name \fIchain\fR to table \fItable\fR\&. Make sure there\*(Aqs no other chain with this name already\&. .sp There already exist basic chains to use with direct options, for example \fIINPUT_direct\fR chain (see \fIiptables\-save | grep direct\fR output for all of them)\&. These chains are jumped into before chains for zones, i\&.e\&. every rule put into \fIINPUT_direct\fR will be checked before rules in zones\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-remove\-chain\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR .RS 4 Remove chain with name \fIchain\fR from table \fItable\fR\&. Only chains previously added with \fB\-\-direct \-\-add\-chain\fR can be removed this way\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-query\-chain\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR .RS 4 Return whether a chain with name \fIchain\fR exists in table \fItable\fR\&. Returns 0 if true, 1 otherwise\&. This option concerns only chains previously added with \fB\-\-direct \-\-add\-chain\fR\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-get\-all\-rules\fR .RS 4 Get all rules added to all chains in all tables as a newline separated list of the priority and arguments\&. This option concerns only rules previously added with \fB\-\-direct \-\-add\-rule\fR\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-get\-rules\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR .RS 4 Get all rules added to chain \fIchain\fR in table \fItable\fR as a newline separated list of the priority and arguments\&. This option concerns only rules previously added with \fB\-\-direct \-\-add\-rule\fR\&. 
.RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-add\-rule\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR \fIpriority\fR \fIargs\fR .RS 4 Add a rule with the arguments \fIargs\fR to chain \fIchain\fR in table \fItable\fR with priority \fIpriority\fR\&. .sp The \fIpriority\fR is used to order rules\&. Priority 0 means the rule is added at the top of the chain; with a higher priority the rule is added further down\&. Rules with the same priority are on the same level and the order of these rules is not fixed and may change\&. If you want to make sure that a rule will be added after another one, use a low priority for the first and a higher one for the following\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-remove\-rule\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR \fIpriority\fR \fIargs\fR .RS 4 Remove the rule with \fIpriority\fR and the arguments \fIargs\fR from chain \fIchain\fR in table \fItable\fR\&. Only rules previously added with \fB\-\-direct \-\-add\-rule\fR can be removed this way\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-remove\-rules\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR .RS 4 Remove all rules from the chain with name \fIchain\fR in table \fItable\fR\&. This option concerns only rules previously added with \fB\-\-direct \-\-add\-rule\fR to this chain\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-query\-rule\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fItable\fR \fIchain\fR \fIpriority\fR \fIargs\fR .RS 4 Return whether a rule with \fIpriority\fR and the arguments \fIargs\fR exists in chain \fIchain\fR in table \fItable\fR\&. Returns 0 if true, 1 otherwise\&. This option concerns only rules previously added with \fB\-\-direct \-\-add\-rule\fR\&. .RE .PP \fB\-\-direct\fR \fB\-\-passthrough\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fIargs\fR .RS 4 Pass a command through to the firewall\&. 
\fIargs\fR can be all \fBiptables\fR, \fBip6tables\fR and \fBebtables\fR command line arguments\&. This command is untracked, which means that firewalld is not able to provide information about this command later on, not even a listing of the untracked passthroughs\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-get\-all\-passthroughs\fR .RS 4 Get all passthrough rules as a newline separated list of the ipv value and arguments\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-get\-passthroughs\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } .RS 4 Get all passthrough rules for the ipv value as a newline separated list of arguments\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-add\-passthrough\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fIargs\fR .RS 4 Add a passthrough rule with the arguments \fIargs\fR for the ipv value\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-remove\-passthrough\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fIargs\fR .RS 4 Remove the passthrough rule with the arguments \fIargs\fR for the ipv value\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-direct\fR \fB\-\-query\-passthrough\fR { \fIipv4\fR | \fIipv6\fR | \fIeb\fR } \fIargs\fR .RS 4 Return whether a passthrough rule with the arguments \fIargs\fR exists for the ipv value\&. Returns 0 if true, 1 otherwise\&. .RE .SS "Lockdown Options" .PP Local applications or services are able to change the firewall configuration if they are running as root (example: libvirt) or are authenticated using PolicyKit\&. With this feature administrators can lock the firewall configuration so that only applications on the lockdown whitelist are able to request firewall changes\&. .PP The lockdown access check limits the D\-Bus methods that change firewall rules\&. Query, list and get methods are not limited\&. .PP The lockdown feature is a very light version of user and application policies for firewalld and is turned off by default\&. 
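.PP
The following is an added example and is not part of firewalld or of this manual page\&. It applies the warning given under \fB\-\-lockdown\-on\fR: firewall\-cmd is put on the lockdown whitelist in both the runtime and the permanent configuration, the entry is confirmed with \fB\-\-query\-lockdown\-whitelist\-command\fR, and only then is lockdown switched on and confirmed with \fB\-\-query\-lockdown\fR\&. Exit codes are read as described in the section called \(lqEXIT CODES\(rq (0 on success, 1 for a query that is false, 11 \fIALREADY_ENABLED\fR, 29 \fIACCESS_DENIED\fR)\&. The firewall\-cmd invocation is passed in as a function so the ordering can be exercised against the included stand\-in for the daemon, which is not firewalld\&. Three details are assumptions: that adding a whitelist entry that already exists yields \fIALREADY_ENABLED\fR, that a caller refused by lockdown sees \fIACCESS_DENIED\fR, and that the whitelist entry is the absolute path of firewall\-cmd with a trailing \*(Aq*\*(Aq so that any argument list matches\&.

```python
"""Enable firewalld lockdown without locking firewall-cmd itself out.

Added example, not firewalld code.  The man page warns that once lockdown
is on, firewall-cmd can only switch it off again if it is on the lockdown
whitelist; otherwise firewalld.conf has to be edited.  So the order is:
whitelist the command (runtime and permanent), confirm it with the query
option, then --lockdown-on, then confirm that too.  Exit codes are read as
in EXIT CODES: 0 success, 1 false query, 11 ALREADY_ENABLED, 29 ACCESS_DENIED.
"""
import shutil
import subprocess
from typing import Callable, Iterable, List, Optional

Runner = Callable[[List[str]], int]  # firewall-cmd arguments -> exit code
ALREADY_ENABLED, ACCESS_DENIED, USAGE_ERROR = 11, 29, 2

class LockdownError(RuntimeError):
    pass

def run_firewall_cmd(args: List[str]) -> int:
    """Default runner: invoke the real firewall-cmd quietly, return its exit code."""
    return subprocess.run(["firewall-cmd", "-q", *args], check=False).returncode

def _check(rc: int, what: str, ok: Iterable[int] = (0,)) -> None:
    if rc not in ok:
        raise LockdownError(f"{what}: firewall-cmd exit code {rc}")

def whitelist_command(cmd: str, run: Runner) -> List[str]:
    """Ensure cmd is on the lockdown whitelist in runtime AND permanent config."""
    steps: List[str] = []
    for scope, label in (([], "runtime"), (["--permanent"], "permanent")):
        rc = run([*scope, f"--query-lockdown-whitelist-command={cmd}"])
        if rc == 0:
            steps.append(f"{label}: already whitelisted")
            continue
        _check(rc, f"query {label} whitelist", ok=(1,))  # 1 just means "not listed"
        # Assumption: adding an entry that already exists yields ALREADY_ENABLED.
        _check(run([*scope, f"--add-lockdown-whitelist-command={cmd}"]),
               f"add to {label} whitelist", ok=(0, ALREADY_ENABLED))
        _check(run([*scope, f"--query-lockdown-whitelist-command={cmd}"]),
               f"verify {label} whitelist")
        steps.append(f"{label}: added")
    return steps

def enable_lockdown(run: Runner = run_firewall_cmd,
                    firewall_cmd_path: Optional[str] = None) -> List[str]:
    """Whitelist firewall-cmd, prove it is whitelisted, and only then lock down."""
    path = firewall_cmd_path or shutil.which("firewall-cmd")
    if not path:
        raise LockdownError("firewall-cmd not found in PATH")
    # Assumption: the entry is the absolute path plus a trailing '*', so every
    # command line starting with that path matches whatever its arguments.
    steps = whitelist_command(f"{path}*", run)
    if run(["--query-lockdown"]) == 0:
        return steps + ["lockdown already enabled"]
    _check(run(["--lockdown-on"]), "enable lockdown")
    _check(run(["--query-lockdown"]), "verify lockdown")
    return steps + ["lockdown enabled"]

class FakeFirewalld:
    """Stand-in for the daemon (demo and tests only, not firewalld): keeps a
    whitelist per scope and the lockdown flag, answering with man-page codes."""

    def __init__(self, deny_changes: bool = False) -> None:
        self.whitelist = {"runtime": set(), "permanent": set()}
        self.lockdown = False
        self.deny_changes = deny_changes
        self.calls: List[List[str]] = []

    def __call__(self, args: List[str]) -> int:
        self.calls.append(list(args))
        scope = "permanent" if "--permanent" in args else "runtime"
        option, _, value = [a for a in args if a != "--permanent"][0].partition("=")
        changing = option in ("--add-lockdown-whitelist-command", "--lockdown-on")
        if self.deny_changes and changing:
            return ACCESS_DENIED  # assumption: what a caller refused by lockdown sees
        entries = self.whitelist[scope]
        if option == "--query-lockdown-whitelist-command":
            return 0 if value in entries else 1
        if option == "--add-lockdown-whitelist-command":
            if value in entries:
                return ALREADY_ENABLED
            entries.add(value)
            return 0
        if option == "--query-lockdown":
            return 0 if self.lockdown else 1
        if option == "--lockdown-on":
            self.lockdown = True
            return 0
        return USAGE_ERROR

if __name__ == "__main__":
    daemon = FakeFirewalld()
    for step in enable_lockdown(run=daemon, firewall_cmd_path="/usr/bin/firewall-cmd"):
        print(step)
```

.PP
With the default runner this has to be run as root against the live daemon\&. Before relying on it, check with \fB\-\-list\-lockdown\-whitelist\-commands\fR that the entry matches the command line firewalld will actually see: this page notes that root and normal users use different firewall\-cmd paths on Fedora, and after \fB\-\-lockdown\-on\fR the only other way out is editing firewalld\&.conf\&.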
.PP \fB\-\-lockdown\-on\fR .RS 4 Enable lockdown\&. Be careful: if firewall\-cmd is not on the lockdown whitelist when you enable lockdown, you will not be able to disable it again with firewall\-cmd; you would need to edit firewalld\&.conf\&. .sp This is a runtime and permanent change\&. .RE .PP \fB\-\-lockdown\-off\fR .RS 4 Disable lockdown\&. .sp This is a runtime and permanent change\&. .RE .PP \fB\-\-query\-lockdown\fR .RS 4 Query whether lockdown is enabled\&. Returns 0 if lockdown is enabled, 1 otherwise\&. .RE .SS "Lockdown Whitelist Options" .PP The lockdown whitelist can contain \fIcommands\fR, \fIcontexts\fR, \fIusers\fR and \fIuser ids\fR\&. .PP If a command entry on the whitelist ends with an asterisk \*(Aq*\*(Aq, then all command lines starting with the command will match\&. If the \*(Aq*\*(Aq is not there, the absolute command including its arguments must match\&. .PP The command used by root and by other users is not always the same\&. Example: on Fedora, \fB/bin/firewall\-cmd\fR is used as root and \fB/usr/bin/firewall\-cmd\fR as a normal user\&. .PP The context is the security (SELinux) context of a running application or service\&. To get the context of a running application use \fBps \-e \-\-context\fR\&. .PP \fBWarning:\fR If the context is unconfined, then this will open access for more than the desired application\&. .PP The lockdown whitelist entries are checked in the following order: .RS 4 1\&. \fIcontext\fR .RE .RS 4 2\&. \fIuid\fR .RE .RS 4 3\&. \fIuser\fR .RE .RS 4 4\&. \fIcommand\fR .RE .PP [\fB\-\-permanent\fR] \fB\-\-list\-lockdown\-whitelist\-commands\fR .RS 4 List all command lines that are on the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-add\-lockdown\-whitelist\-command\fR=\fIcommand\fR .RS 4 Add the \fIcommand\fR to the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-remove\-lockdown\-whitelist\-command\fR=\fIcommand\fR .RS 4 Remove the \fIcommand\fR from the whitelist\&. 
.RE .PP [\fB\-\-permanent\fR] \fB\-\-query\-lockdown\-whitelist\-command\fR=\fIcommand\fR .RS 4 Query whether the \fIcommand\fR is on the whitelist\&. Returns 0 if true, 1 otherwise\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-list\-lockdown\-whitelist\-contexts\fR .RS 4 List all contexts that are on the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-add\-lockdown\-whitelist\-context\fR=\fIcontext\fR .RS 4 Add the context \fIcontext\fR to the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-remove\-lockdown\-whitelist\-context\fR=\fIcontext\fR .RS 4 Remove the \fIcontext\fR from the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-query\-lockdown\-whitelist\-context\fR=\fIcontext\fR .RS 4 Query whether the \fIcontext\fR is on the whitelist\&. Returns 0 if true, 1 otherwise\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-list\-lockdown\-whitelist\-uids\fR .RS 4 List all user ids that are on the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-add\-lockdown\-whitelist\-uid\fR=\fIuid\fR .RS 4 Add the user id \fIuid\fR to the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-remove\-lockdown\-whitelist\-uid\fR=\fIuid\fR .RS 4 Remove the user id \fIuid\fR from the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-query\-lockdown\-whitelist\-uid\fR=\fIuid\fR .RS 4 Query whether the user id \fIuid\fR is on the whitelist\&. Returns 0 if true, 1 otherwise\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-list\-lockdown\-whitelist\-users\fR .RS 4 List all user names that are on the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-add\-lockdown\-whitelist\-user\fR=\fIuser\fR .RS 4 Add the user name \fIuser\fR to the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-remove\-lockdown\-whitelist\-user\fR=\fIuser\fR .RS 4 Remove the user name \fIuser\fR from the whitelist\&. .RE .PP [\fB\-\-permanent\fR] \fB\-\-query\-lockdown\-whitelist\-user\fR=\fIuser\fR .RS 4 Query whether the user name \fIuser\fR is on the whitelist\&. Returns 0 if true, 1 otherwise\&. 
.RE .SS "Panic Options" .PP \fB\-\-panic\-on\fR .RS 4 Enable panic mode\&. All incoming and outgoing packets are dropped, active connections will expire\&. Enable this only if there are serious problems with your network environment, for example if the machine is being attacked\&. Because all traffic is dropped, this also cuts off remote administrative sessions to the machine (for example SSH), so enable it only from a console or with another out\-of\-band way to reach the machine\&. .sp This is a runtime only change\&. .RE .PP \fB\-\-panic\-off\fR .RS 4 Disable panic mode\&. After disabling panic mode, established connections might work again if panic mode was enabled only for a short period of time\&. .sp This is a runtime only change\&. .RE .PP \fB\-\-query\-panic\fR .RS 4 Returns 0 if panic mode is enabled, 1 otherwise\&. .RE .SH "EXAMPLES" .PP For more examples see \m[blue]\fB\%http://fedoraproject.org/wiki/FirewallD\fR\m[] .SS "Example 1" .PP Enable the http service in the default zone\&. This is a runtime only change, i\&.e\&. effective until the next reload or restart\&. .PP .if n \{\ .RS 4 .\} .nf firewall\-cmd \-\-add\-service=http .fi .if n \{\ .RE .\} .sp .SS "Example 2" .PP Enable port 443/tcp immediately and permanently in the default zone\&. To make the change effective immediately and also after restart, two commands are needed\&. The first command makes the change in the runtime configuration, i\&.e\&. makes it effective immediately, until the next reload or restart\&. The second command makes the change in the permanent configuration, i\&.e\&. makes it effective after reload or restart\&. Check the exit code of both commands; a setting that is already present is reported as \fIALREADY_ENABLED\fR rather than as success (see the section called \(lqEXIT CODES\(rq)\&. .PP .if n \{\ .RS 4 .\} .nf firewall\-cmd \-\-add\-port=443/tcp firewall\-cmd \-\-permanent \-\-add\-port=443/tcp .fi .if n \{\ .RE .\} .sp .SH "EXIT CODES" .PP On success 0 is returned\&. On failure the output is colored red and the exit code is either 2, in case of wrong command\-line option usage, or one of the following error codes in other cases: .TS allbox tab(:); lB rB. 
T{ String T}:T{ Code T} .T& l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r l r. T{ ALREADY_ENABLED T}:T{ 11 T} T{ NOT_ENABLED T}:T{ 12 T} T{ COMMAND_FAILED T}:T{ 13 T} T{ NO_IPV6_NAT T}:T{ 14 T} T{ PANIC_MODE T}:T{ 15 T} T{ ZONE_ALREADY_SET T}:T{ 16 T} T{ UNKNOWN_INTERFACE T}:T{ 17 T} T{ ZONE_CONFLICT T}:T{ 18 T} T{ BUILTIN_CHAIN T}:T{ 19 T} T{ EBTABLES_NO_REJECT T}:T{ 20 T} T{ NOT_OVERLOADABLE T}:T{ 21 T} T{ NO_DEFAULTS T}:T{ 22 T} T{ BUILTIN_ZONE T}:T{ 23 T} T{ BUILTIN_SERVICE T}:T{ 24 T} T{ BUILTIN_ICMPTYPE T}:T{ 25 T} T{ NAME_CONFLICT T}:T{ 26 T} T{ NAME_MISMATCH T}:T{ 27 T} T{ PARSE_ERROR T}:T{ 28 T} T{ ACCESS_DENIED T}:T{ 29 T} T{ UNKNOWN_SOURCE T}:T{ 30 T} T{ RT_TO_PERM_FAILED T}:T{ 31 T} T{ INVALID_ACTION T}:T{ 100 T} T{ INVALID_SERVICE T}:T{ 101 T} T{ INVALID_PORT T}:T{ 102 T} T{ INVALID_PROTOCOL T}:T{ 103 T} T{ INVALID_INTERFACE T}:T{ 104 T} T{ INVALID_ADDR T}:T{ 105 T} T{ INVALID_FORWARD T}:T{ 106 T} T{ INVALID_ICMPTYPE T}:T{ 107 T} T{ INVALID_TABLE T}:T{ 108 T} T{ INVALID_CHAIN T}:T{ 109 T} T{ INVALID_TARGET T}:T{ 110 T} T{ INVALID_IPV T}:T{ 111 T} T{ INVALID_ZONE T}:T{ 112 T} T{ INVALID_PROPERTY T}:T{ 113 T} T{ INVALID_VALUE T}:T{ 114 T} T{ INVALID_OBJECT T}:T{ 115 T} T{ INVALID_NAME T}:T{ 116 T} T{ INVALID_FILENAME T}:T{ 117 T} T{ INVALID_DIRECTORY T}:T{ 118 T} T{ INVALID_TYPE T}:T{ 119 T} T{ INVALID_SETTING T}:T{ 120 T} T{ INVALID_DESTINATION T}:T{ 121 T} T{ INVALID_RULE T}:T{ 122 T} T{ INVALID_LIMIT T}:T{ 123 T} T{ INVALID_FAMILY T}:T{ 124 T} T{ INVALID_LOG_LEVEL T}:T{ 125 T} T{ INVALID_AUDIT_TYPE T}:T{ 126 T} T{ INVALID_MARK T}:T{ 127 T} T{ INVALID_CONTEXT T}:T{ 128 T} T{ INVALID_COMMAND T}:T{ 129 T} T{ INVALID_USER T}:T{ 130 T} T{ INVALID_UID T}:T{ 131 T} T{ INVALID_MODULE T}:T{ 132 T} T{ INVALID_PASSTHROUGH T}:T{ 133 T} T{ MISSING_TABLE 
T}:T{ 200 T} T{ MISSING_CHAIN T}:T{ 201 T} T{ MISSING_PORT T}:T{ 202 T} T{ MISSING_PROTOCOL T}:T{ 203 T} T{ MISSING_ADDR T}:T{ 204 T} T{ MISSING_NAME T}:T{ 205 T} T{ MISSING_SETTING T}:T{ 206 T} T{ MISSING_FAMILY T}:T{ 207 T} T{ NOT_RUNNING T}:T{ 252 T} T{ NOT_AUTHORIZED T}:T{ 253 T} T{ UNKNOWN_ERROR T}:T{ 254 T} .TE .sp 1 .SH "SEE ALSO" \fBfirewall-applet\fR(1), \fBfirewalld\fR(1), \fBfirewall-cmd\fR(1), \fBfirewall-config\fR(1), \fBfirewalld.conf\fR(5), \fBfirewalld.direct\fR(5), \fBfirewalld.icmptype\fR(5), \fBfirewalld.lockdown-whitelist\fR(5), \fBfirewall-offline-cmd\fR(1), \fBfirewalld.richlanguage\fR(5), \fBfirewalld.service\fR(5), \fBfirewalld.zone\fR(5), \fBfirewalld.zones\fR(5) .SH "NOTES" .PP firewalld home page: .RS 4 \m[blue]\fB\%http://www.firewalld.org\fR\m[] .RE .PP More documentation with examples: .RS 4 \m[blue]\fB\%http://fedoraproject.org/wiki/FirewallD\fR\m[] .RE .SH "AUTHORS" .PP \fBThomas Woerner\fR <\&twoerner@redhat\&.com\&> .RS 4 Developer .RE .PP \fBJiri Popelka\fR <\&jpopelka@redhat\&.com\&> .RS 4 Developer .RE
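.PP The following is an added example, not part of firewall\-cmd or firewalld: a small Python wrapper for the two\-command procedure of Example 2 above that applies a change to the runtime and then the permanent configuration and interprets the exit codes from the EXIT CODES table, so that a setting which is already present (\fIALREADY_ENABLED\fR or \fINOT_ENABLED\fR) counts as success for an idempotent script, while any other failure aborts before a runtime\-only change is left behind\&. It assumes \fBfirewall\-cmd\fR is on the PATH; the \fBrunner\fR parameter is there so the decision logic can be exercised without a running firewalld\&.

```python
# Added example, not part of firewall-cmd or firewalld: an idempotent wrapper
# for the two-command procedure of Example 2 that interprets the exit codes
# listed in the EXIT CODES section. Assumes firewall-cmd is on the PATH.

import subprocess
from typing import Callable, List, Sequence

# Exit codes from the EXIT CODES table that a configuration script needs to
# tell apart; everything else is treated as a failure.
USAGE_ERROR = 2
ALREADY_ENABLED = 11
NOT_ENABLED = 12
NOT_RUNNING = 252
NOT_AUTHORIZED = 253

FIREWALL_CMD = "firewall-cmd"  # assumed to be on the PATH

Runner = Callable[[Sequence[str]], int]


def classify(returncode: int) -> str:
    """Map a firewall-cmd exit status to an outcome a caller can act on."""
    if returncode == 0:
        return "changed"
    if returncode in (ALREADY_ENABLED, NOT_ENABLED):
        # The firewall is already in the requested state: success for an
        # idempotent "ensure" step, not an error.
        return "unchanged"
    if returncode == USAGE_ERROR:
        return "usage-error"
    if returncode == NOT_RUNNING:
        return "daemon-not-running"
    if returncode == NOT_AUTHORIZED:
        return "not-authorized"
    return "failed"


def run_firewall_cmd(args: Sequence[str]) -> int:
    """Run firewall-cmd with -q (no status messages) and return its exit status."""
    return subprocess.run([FIREWALL_CMD, "-q", *args], check=False).returncode


def ensure(option: str, value: str, runner: Runner = run_firewall_cmd) -> List[str]:
    """Apply --<option>=<value> to the runtime and then the permanent
    configuration, exactly as Example 2 does with two commands, and return
    the outcome of each step.

    Any outcome other than "changed" or "unchanged" raises RuntimeError, so a
    failure of the second (permanent) step is not silently left behind as a
    runtime-only change that disappears on the next reload."""
    outcomes: List[str] = []
    for prefix in ((), ("--permanent",)):
        args = [*prefix, f"--{option}={value}"]
        rc = runner(args)
        outcome = classify(rc)
        if outcome not in ("changed", "unchanged"):
            raise RuntimeError(
                f"{FIREWALL_CMD} {' '.join(args)}: {outcome} (exit {rc})")
        outcomes.append(outcome)
    return outcomes


if __name__ == "__main__":
    # Example 2 as an idempotent operation: safe to run repeatedly.
    print(ensure("add-port", "443/tcp"))
```

Running the script twice is harmless: the second run returns \fB[\*(Aqunchanged\*(Aq, \*(Aqunchanged\*(Aq]\fR instead of failing on \fIALREADY_ENABLED\fR, while a stopped daemon (\fINOT_RUNNING\fR) or a missing privilege (\fINOT_AUTHORIZED\fR) still raises\&.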