firewalld operations on CentOS 7

On CentOS 7 the default firewall is firewalld; on CentOS 6 the default firewall was iptables.

The firewalld configuration file on CentOS 7

The zone configuration file lives at /etc/firewalld/zones/public.xml (public is the default zone):

cd /etc/firewalld/zones
vim public.xml

The port entries in this file are the opened ports.
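As an added example (not part of the original post), the following POSIX shell script reads a zone file in this format and reports what the zone exposes, which is the check an administrator wants before trusting public.xml. The sample zone it writes is constructed for the demo; set ZONE_FILE to /etc/firewalld/zones/public.xml to audit a real host. The helper names (xml_attr, zone_ports, zone_services, zone_accepts_all, zone_port_count) are this example's own, and the element layout it assumes is the `<port port=".." protocol=".."/>` / `<service name=".."/>` form firewalld writes.

```shell
#!/bin/sh
# Added example (not from the original post): audit a firewalld zone file
# such as /etc/firewalld/zones/public.xml and report what it opens.
# Assumption: elements look like <port port=".." protocol=".."/> and
# <service name=".."/>; the sample zone below is constructed for the demo.

# Pull one attribute value out of a single XML element, whatever the
# attribute order (firewalld may write port= and protocol= either way round).
xml_attr() {
  printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Every opened port as port/protocol, one per line.
zone_ports() {
  grep -o '<port [^>]*/>' "$1" | while IFS= read -r el; do
    printf '%s/%s\n' "$(xml_attr "$el" port)" "$(xml_attr "$el" protocol)"
  done
}

# Every enabled predefined service, one per line.
zone_services() {
  grep -o '<service [^>]*/>' "$1" | while IFS= read -r el; do
    xml_attr "$el" name
  done
}

# Exit 0 when the zone target is ACCEPT: such a zone admits all traffic,
# so the port list no longer limits anything (the trusted zone is like this).
zone_accepts_all() {
  grep -o '<zone[^>]*>' "$1" | grep -q 'target="ACCEPT"'
}

# Number of opened ports, a single figure worth tracking over time.
zone_port_count() {
  zone_ports "$1" | wc -l | tr -d ' '
}

# Constructed sample zone: the layout of a CentOS 7 public.xml after two
# ports were added with --add-port ... --permanent.
ZONE_FILE=${ZONE_FILE:-$(mktemp)}
if [ ! -s "$ZONE_FILE" ]; then
cat > "$ZONE_FILE" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas.</description>
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <port protocol="tcp" port="8080"/>
  <port port="53" protocol="udp"/>
</zone>
EOF
fi

echo "zone file: $ZONE_FILE"
echo "services:"; zone_services "$ZONE_FILE" | sed 's/^/  /'
echo "ports:";    zone_ports "$ZONE_FILE"    | sed 's/^/  /'
if zone_accepts_all "$ZONE_FILE"; then
  echo "WARNING: target=ACCEPT, this zone admits all traffic"
fi
```

Run it as `ZONE_FILE=/etc/firewalld/zones/public.xml sh audit-zone.sh` on a host to see the ports and services the default zone opens; an empty list with no ACCEPT warning means only the zone's default policy applies.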

1. Check the firewall status

 firewall-cmd --state

The output shows the firewall is running.

2. List the ports firewalld has opened

 firewall-cmd --list-ports

3. Open a port

 firewall-cmd --add-port=8080/tcp --permanent (opens the port permanently)

4. Make the configuration take effect

 firewall-cmd --reload
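Steps 1 to 4 as one script, added here as an example and not taken from the original post. It uses only the firewall-cmd flags shown on this page (--state, --add-port with --permanent, --reload, --list-ports); the helper names valid_port_spec, port_is_listed and open_port and the FIREWALLD_APPLY guard are this example's own. It assumes root on a CentOS 7 host with firewalld installed; without FIREWALLD_APPLY=1 it only defines the functions, so the checks can be exercised anywhere.

```shell
#!/bin/sh
# Added example (not from the original post): the check-state, add-port,
# reload, verify sequence described above, with a validated port spec and a
# post-reload check. Assumption: root on a host where firewalld is installed.

# Accept only "port/proto" or "low-high/proto" with proto tcp or udp and
# ports in 1..65535, so a typo never reaches firewall-cmd.
valid_port_spec() {
  spec=$1
  case $spec in
    */tcp|*/udp) ;;
    *) return 1 ;;
  esac
  ports=${spec%/*}
  low=${ports%-*}
  high=${ports#*-}
  for p in "$low" "$high"; do
    case $p in
      ''|*[!0-9]*) return 1 ;;
    esac
    [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
  done
  [ "$low" -le "$high" ]
}

# Does the space-separated output of `firewall-cmd --list-ports` contain SPEC?
# Whole-token comparison: a substring test would report 80/tcp as open
# when only 8080/tcp is.
port_is_listed() {
  spec=$1
  listed=$2
  for p in $listed; do
    [ "$p" = "$spec" ] && return 0
  done
  return 1
}

# The four steps from the post, each one checked before moving on.
# --permanent alone only edits the zone file; the running firewall changes
# at --reload, which is also when runtime-only (non-permanent) rules are lost.
open_port() {
  spec=$1
  valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 2; }
  state=$(firewall-cmd --state 2>/dev/null) \
    || { echo "firewalld is not running (state: ${state:-unknown})" >&2; return 3; }
  firewall-cmd --add-port="$spec" --permanent >/dev/null
  firewall-cmd --reload >/dev/null
  port_is_listed "$spec" "$(firewall-cmd --list-ports)"
}

# Only touch the firewall when explicitly asked and when firewall-cmd exists.
if [ "${FIREWALLD_APPLY:-0}" = "1" ] && command -v firewall-cmd >/dev/null 2>&1; then
  if open_port "${1:-8080/tcp}"; then
    echo "opened ${1:-8080/tcp} in the default zone"
  else
    echo "failed to open ${1:-8080/tcp}" >&2
    exit 1
  fi
fi
```

Usage on a host: `FIREWALLD_APPLY=1 sh open-port.sh 8080/tcp`. The final port_is_listed call is the part that matters operationally: it confirms the reloaded runtime configuration actually contains the port, which a --permanent call on its own does not guarantee.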

5. All firewall-cmd options

General Options
  -h, --help           Prints a short help text and exists
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration

Log Denied Options
  --get-log-denied     Print the log denied value
  --set-log-denied=
                       Set log denied value

Automatic Helpers Options
  --get-automatic-helpers
                       Print the automatic helpers value
  --set-automatic-helpers=
                       Set automatic helpers value

Permanent Options
  --permanent          Set an option permanently
                       Usable for options marked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=[/]||ipset:
                       Print name of the zone the source is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=    Add a new zone [P only]
  --new-zone-from-file= [--name=]
                       Add a new zone from file with optional name [P only]
  --delete-zone= Delete an existing zone [P only]
  --load-zone-defaults=
                       Load zone default settings [P only] [Z]
  --zone=        Use this zone to set or query options, else default zone
                       Usable for options marked with [Z]
  --get-target         Get the zone target [P only] [Z]
  --set-target=
                       Set the zone target [P only] [Z]
  --info-zone=   Print information about a zone
  --path-zone=   Print file path of a zone [P only]

IPSet Options
  --get-ipset-types    Print the supported ipset types
  --new-ipset= --type= [--option=[=]]..
                       Add a new ipset [P only]
  --new-ipset-from-file= [--name=]
                       Add a new ipset from file with optional name [P only]
  --delete-ipset=
                       Delete an existing ipset [P only]
  --load-ipset-defaults=
                       Load ipset default settings [P only]
  --info-ipset= Print information about an ipset
  --path-ipset= Print file path of an ipset [P only]
  --get-ipsets         Print predefined ipsets
  --ipset= --set-description=
                       Set new description to ipset [P only]
  --ipset= --get-description
                       Print description for ipset [P only]
  --ipset= --set-short=
                       Set new short description to ipset [P only]
  --ipset= --get-short
                       Print short description for ipset [P only]
  --ipset= --add-entry=
                       Add a new entry to an ipset [P]
  --ipset= --remove-entry=
                       Remove an entry from an ipset [P]
  --ipset= --query-entry=
                       Return whether ipset has an entry [P]
  --ipset= --get-entries
                       List entries of an ipset [P]
  --ipset= --add-entries-from-file=
                       Add a new entries to an ipset [P]
  --ipset= --remove-entries-from-file=
                       Remove entries from an ipset [P]

IcmpType Options
  --new-icmptype=
                       Add a new icmptype [P only]
  --new-icmptype-from-file= [--name=]
                       Add a new icmptype from file with optional name [P only]
  --delete-icmptype=
                       Delete an existing icmptype [P only]
  --load-icmptype-defaults=
                       Load icmptype default settings [P only]
  --info-icmptype=
                       Print information about an icmptype
  --path-icmptype=
                       Print file path of an icmptype [P only]
  --icmptype= --set-description=
                       Set new description to icmptype [P only]
  --icmptype= --get-description
                       Print description for icmptype [P only]
  --icmptype= --set-short=
                       Set new short description to icmptype [P only]
  --icmptype= --get-short
                       Print short description for icmptype [P only]
  --icmptype= --add-destination=
                       Enable destination for ipv in icmptype [P only]
  --icmptype= --remove-destination=
                       Disable destination for ipv in icmptype [P only]
  --icmptype= --query-destination=
                       Return whether destination ipv is enabled in icmptype [P only]
  --icmptype= --get-destinations
                       List destinations in icmptype [P only]

Service Options
  --new-service=
                       Add a new service [P only]
  --new-service-from-file= [--name=]
                       Add a new service from file with optional name [P only]
  --delete-service=
                       Delete an existing service [P only]
  --load-service-defaults=
                       Load icmptype default settings [P only]
  --info-service=
                       Print information about a service
  --path-service=
                       Print file path of a service [P only]
  --service= --set-description=
                       Set new description to service [P only]
  --service= --get-description
                       Print description for service [P only]
  --service= --set-short=
                       Set new short description to service [P only]
  --service= --get-short
                       Print short description for service [P only]
  --service= --add-port=[-]/
                       Add a new port to service [P only]
  --service= --remove-port=[-]/
                       Remove a port from service [P only]
  --service= --query-port=[-]/
                       Return whether the port has been added for service [P only]
  --service= --get-ports
                       List ports of service [P only]
  --service= --add-protocol=
                       Add a new protocol to service [P only]
  --service= --remove-protocol=
                       Remove a protocol from service [P only]
  --service= --query-protocol=
                       Return whether the protocol has been added for service [P only]
  --service= --get-protocols
                       List protocols of service [P only]
  --service= --add-source-port=[-]/
                       Add a new source port to service [P only]
  --service= --remove-source-port=[-]/
                       Remove a source port from service [P only]
  --service= --query-source-port=[-]/
                       Return whether the source port has been added for service [P only]
  --service= --get-source-ports
                       List source ports of service [P only]
  --service= --add-module=
                       Add a new module to service [P only]
  --service= --remove-module=
                       Remove a module from service [P only]
  --service= --query-module=
                       Return whether the module has been added for service [P only]
  --service= --get-modules
                       List modules of service [P only]
  --service= --set-destination=:[/]
                       Set destination for ipv to address in service [P only]
  --service= --remove-destination=
                       Disable destination for ipv in service [P only]
  --service= --query-destination=:[/]
                       Return whether destination ipv is set for service [P only]
  --service= --get-destinations
                       List destinations in service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  --list-services      List services added for a zone [P] [Z]
  --timeout=           Enable an option for timeval time, where timeval is a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options marked with [T]
  --set-description=   Set new description to zone [P only] [Z]
  --get-description    Print description for zone [P only] [Z]
  --set-short=         Set new short description to zone [P only] [Z]
  --get-short          Print short description for zone [P only] [Z]
  --add-service=       Add a service for a zone [P] [Z] [T]
  --remove-service=    Remove a service from a zone [P] [Z]
  --query-service=     Return whether service has been added for a zone [P] [Z]
  --list-ports         List ports added for a zone [P] [Z]
  --add-port=[-]/      Add the port for a zone [P] [Z] [T]
  --remove-port=[-]/   Remove the port from a zone [P] [Z]
  --query-port=[-]/    Return whether the port has been added for zone [P] [Z]
  --list-protocols     List protocols added for a zone [P] [Z]
  --add-protocol=      Add the protocol for a zone [P] [Z] [T]
  --remove-protocol=   Remove the protocol from a zone [P] [Z]
  --query-protocol=    Return whether the protocol has been added for zone [P] [Z]
  --list-source-ports  List source ports added for a zone [P] [Z]
  --add-source-port=[-]/
                       Add the source port for a zone [P] [Z] [T]
  --remove-source-port=[-]/
                       Remove the source port from a zone [P] [Z]
  --query-source-port=[-]/
                       Return whether the source port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=    Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block= Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=  Return whether an ICMP block has been added for a zone [P] [Z]
  --add-icmp-block-inversion
                       Enable inversion of icmp blocks for a zone [P] [Z]
  --remove-icmp-block-inversion
                       Disable inversion of icmp blocks for a zone [P] [Z]
  --query-icmp-block-inversion
                       Return whether inversion of icmp blocks has been enabled for a zone [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=port=[-]:proto=[:toport=[-]][:toaddr=[/]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=[-]:proto=[:toport=[-]][:toaddr=[/]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=[-]:proto=[:toport=[-]][:toaddr=[/]]
                       Return whether the IPv4 forward port has been added for a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a zone [P] [Z]
  --list-rich-rules    List rich language rules added for a zone [P] [Z]
  --add-rich-rule=     Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=  Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=   Return whether a rich language rule 'rule' has been added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  --add-interface=     Bind the to a zone [P] [Z]
  --change-interface=  Change zone the is bound to [Z]
  --query-interface=   Query whether is bound to a zone [P] [Z]
  --remove-interface=  Remove binding of from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=[/]||ipset:
                       Bind the source to a zone [P] [Z]
  --change-source=[/]||ipset:
                       Change zone the source is bound to [Z]
  --query-source=[/]||ipset:
                       Query whether the source is bound to a zone [P] [Z]
  --remove-source=[/]||ipset:
                       Remove binding of the source from a zone [P] [Z]

Helper Options
  --new-helper= --module= [--family=]
                       Add a new helper [P only]
  --new-helper-from-file= [--name=]
                       Add a new helper from file with optional name [P only]
  --delete-helper=     Delete an existing helper [P only]
  --load-helper-defaults=
                       Load helper default settings [P only]
  --info-helper=       Print information about an helper
  --path-helper=       Print file path of an helper [P only]
  --get-helpers        Print predefined helpers
  --helper= --set-description=
                       Set new description to helper [P only]
  --helper= --get-description
                       Print description for helper [P only]
  --helper= --set-short=
                       Set new short description to helper [P only]
  --helper= --get-short
                       Print short description for helper [P only]
  --helper= --add-port=[-]/
                       Add a new port to helper [P only]
  --helper= --remove-port=[-]/
                       Remove a port from helper [P only]
  --helper= --query-port=[-]/
                       Return whether the port has been added for helper [P only]
  --helper= --get-ports
                       List ports of helper [P only]
  --helper= --set-module=
                       Set module to helper [P only]
  --helper= --get-module
                       Get module from helper [P only]
  --helper= --set-family={ipv4|ipv6|}
                       Set family for helper [P only]
  --helper= --get-family
                       Get module from helper [P only]

Direct Options
  --direct             First option for all direct options
  --get-all-chains     Get all chains [P]
  --get-chains {ipv4|ipv6|eb}
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb}
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb}
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb}
                       Return whether the chain has been added to the table [P]
  --get-all-rules      Get all rules [P]
  --get-rules {ipv4|ipv6|eb}
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} ...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} ...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb}
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} ...
                       Return whether a rule with priority has been added to chain in table [P]
  --passthrough {ipv4|ipv6|eb} ...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} ...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} ...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} ...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} ...
                       Return whether the tracked passthrough rule has been added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=
                       Add the context context to the whitelist [P]
  --remove-lockdown-whitelist-context=
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=
                       Query whether the user name user is on the whitelist [P]
