2008-12-11 01:03:00 +01:00
<?xml version="1.0" encoding="UTF-8"?>
< !DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry >
<refmeta >
2008-12-14 18:37:30 +01:00
<refentrytitle > shorewall6</refentrytitle>
2008-12-11 01:03:00 +01:00
<manvolnum > 8</manvolnum>
</refmeta>
<refnamediv >
2008-12-14 18:37:30 +01:00
<refname > shorewall6</refname>
2008-12-11 01:03:00 +01:00
2008-12-14 19:34:15 +01:00
<refpurpose > Administration tool for Shoreline Firewall 6
2008-12-14 18:37:30 +01:00
(Shorewall6)</refpurpose>
2008-12-11 01:03:00 +01:00
</refnamediv>
<refsynopsisdiv >
2011-06-20 23:33:49 +02:00
<cmdsynopsis >
<command > shorewall6</command>
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg rep= "norepeat" > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > add</option> </arg>
<arg choice= "plain"
rep="repeat"><replaceable > interface</replaceable> [:<replaceable > host-list</replaceable> ]</arg>
<arg choice= "plain" > <replaceable > zone</replaceable> </arg>
</cmdsynopsis>
2008-12-11 01:03:00 +01:00
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > allow</option> </arg>
<arg choice= "plain" > <replaceable > address</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > check</option> </arg>
<arg > <option > -e</option> </arg>
<arg > <option > -d</option> </arg>
<arg > <option > -p</option> </arg>
2010-01-13 00:32:50 +01:00
<arg > <option > -r</option> </arg>
2011-05-24 20:39:52 +02:00
<arg > <option > -T</option> </arg>
2008-12-11 01:03:00 +01:00
<arg > <replaceable > directory</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
2008-12-14 18:37:30 +01:00
<arg choice= "plain" > <option > clear</option> </arg>
2008-12-11 01:03:00 +01:00
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > compile</option> </arg>
<arg > <option > -e</option> </arg>
<arg > <option > -d</option> </arg>
2011-05-24 20:39:52 +02:00
<arg > <option > -T</option> </arg>
2008-12-11 01:03:00 +01:00
<arg > <replaceable > directory</replaceable> </arg>
2009-04-02 03:12:34 +02:00
<arg choice= "opt" > <replaceable > pathname</replaceable> </arg>
2008-12-11 01:03:00 +01:00
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > drop</option> </arg>
<arg choice= "plain" > <replaceable > address</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > dump</option> </arg>
<arg > <option > -x</option> </arg>
2009-11-17 00:14:24 +01:00
<arg > <option > -l</option> </arg>
2008-12-11 01:03:00 +01:00
<arg > <option > -m</option> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
2008-12-14 18:37:30 +01:00
<arg choice= "plain" > <option > export</option> </arg>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <replaceable > directory1</replaceable> </arg>
<arg
choice="plain">[<replaceable > user</replaceable> @]<replaceable > system</replaceable> [<option > :</option> <replaceable > directory2</replaceable> ]</arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > forget</option> </arg>
<arg > <replaceable > filename</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > help</option> </arg>
</cmdsynopsis>
2009-06-17 21:03:05 +02:00
<cmdsynopsis >
<command > shorewall6</command>
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > iptrace</option> </arg>
<arg choice= "plain" > <replaceable > iptables match
expression</replaceable> </arg>
</cmdsynopsis>
2008-12-11 01:03:00 +01:00
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > load</option> </arg>
<arg > <option > -s</option> </arg>
<arg > <option > -c</option> </arg>
<arg > <option > -r</option> <replaceable > root-user-name</replaceable> </arg>
<arg > <replaceable > directory</replaceable> </arg>
<arg choice= "plain" > <replaceable > system</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > logdrop</option> </arg>
<arg choice= "plain" > <replaceable > address</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > logwatch</option> </arg>
<arg > <option > -m</option> </arg>
<arg > <replaceable > refresh-interval</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > logreject</option> </arg>
<arg choice= "plain" > <replaceable > address</replaceable> </arg>
</cmdsynopsis>
2009-06-17 21:03:05 +02:00
<cmdsynopsis >
<command > shorewall6</command>
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > noiptrace</option> </arg>
<arg choice= "plain" > <replaceable > iptables match
expression</replaceable> </arg>
</cmdsynopsis>
2008-12-11 01:03:00 +01:00
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > refresh</option> <arg
rep="repeat"><replaceable > chain</replaceable> </arg> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > reject</option> </arg>
<arg choice= "plain" > <replaceable > address</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > reload</option> </arg>
<arg > <option > -s</option> </arg>
<arg > <option > -c</option> </arg>
<arg > <option > -r</option> <replaceable > root-user-name</replaceable> </arg>
<arg > <replaceable > directory</replaceable> </arg>
<arg choice= "plain" > <replaceable > system</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > reset</option> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > restart</option> </arg>
<arg > <option > -n</option> </arg>
<arg > <option > -f</option> </arg>
2011-05-24 18:13:02 +02:00
<arg > <option > -c</option> </arg>
2008-12-11 01:03:00 +01:00
<arg > <replaceable > directory</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > restore</option> </arg>
<arg > <replaceable > filename</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > safe-restart</option> </arg>
<arg > <option > -d</option> </arg>
<arg > <replaceable > directory</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > safe-start</option> </arg>
<arg > <option > -d</option> </arg>
<arg > <replaceable > directory</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > save</option> </arg>
<arg choice= "opt" > <replaceable > filename</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > show</option> </arg>
<arg > <option > -x</option> </arg>
2009-11-17 00:14:24 +01:00
<arg > <option > -l</option> </arg>
2008-12-11 01:03:00 +01:00
<arg > <option > -t</option>
2008-12-17 01:41:09 +01:00
{<option > filter</option> |<option > mangle</option> |<option > raw</option> }</arg>
2008-12-11 01:03:00 +01:00
<arg > <arg > <option > chain</option> </arg> <arg choice= "plain"
rep="repeat"><replaceable > chain</replaceable> </arg> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > show</option> </arg>
<arg > <option > -f</option> </arg>
<arg choice= "plain" > <option > capabilities</option> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > show</option> </arg>
<arg
2011-02-02 01:47:20 +01:00
choice="req"><option > actions|classifiers|connections|config|filters|ip|macros|zones</option> </arg>
2008-12-11 01:03:00 +01:00
</cmdsynopsis>
2009-11-15 18:24:56 +01:00
<cmdsynopsis >
<command > shorewall6</command>
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > show</option> </arg>
<arg choice= "plain" > <option > policies</option> </arg>
</cmdsynopsis>
2008-12-11 01:03:00 +01:00
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > show</option> </arg>
<arg choice= "plain" > <option > tc</option> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > show</option> </arg>
<arg > <option > -m</option> </arg>
<arg choice= "plain" > <option > log</option> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > start</option> </arg>
<arg > <option > -n</option> </arg>
2011-05-24 18:13:02 +02:00
<arg > <option > -f</option> <arg > <option > -c</option> </arg> </arg>
2008-12-11 01:03:00 +01:00
<arg > <replaceable > directory</replaceable> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
2008-12-14 18:37:30 +01:00
<arg choice= "plain" > <option > stop</option> </arg>
2008-12-11 01:03:00 +01:00
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > status</option> </arg>
</cmdsynopsis>
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg
choice="opt"><option > trace</option> |<option > debug</option> <arg > <option > nolock</option> </arg> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg choice= "plain" > <option > try</option> </arg>
<arg choice= "plain" > <replaceable > directory</replaceable> </arg>
<arg > <replaceable > timeout</replaceable> </arg>
</cmdsynopsis>
2011-06-19 02:39:44 +02:00
<cmdsynopsis >
<command > shorewall6</command>
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
2011-06-19 16:14:27 +02:00
<arg choice= "plain" > <option > update</option> </arg>
2011-06-19 02:39:44 +02:00
<arg > <option > -e</option> </arg>
<arg > <option > -d</option> </arg>
<arg > <option > -p</option> </arg>
<arg > <option > -r</option> </arg>
<arg > <option > -T</option> </arg>
<arg > <option > -a</option> </arg>
<arg > <replaceable > directory</replaceable> </arg>
</cmdsynopsis>
2008-12-11 01:03:00 +01:00
<cmdsynopsis >
2008-12-14 18:37:30 +01:00
<command > shorewall6</command>
2008-12-11 01:03:00 +01:00
<arg choice= "opt" > <option > trace</option> |<option > debug</option> </arg>
<arg > -<replaceable > options</replaceable> </arg>
<arg
choice="plain"><option > version</option> <arg > <option > -a</option> </arg> </arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1 >
<title > Description</title>
2008-12-14 18:37:30 +01:00
<para > The shorewall6 utility is used to control the Shoreline Firewall 6
(Shorewall6).</para>
2008-12-11 01:03:00 +01:00
</refsect1>
<refsect1 >
<title > Options</title>
<para > The <option > trace</option> and <option > debug</option> options are
used for debugging. See <ulink
2011-02-10 05:53:22 +01:00
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink> .</para>
2008-12-11 01:03:00 +01:00
<para > The nolock <option > option</option> prevents the command from
2008-12-14 18:37:30 +01:00
attempting to acquire the Shorewall6 lockfile. It is useful if you need to
include <command > shorewall6</command> commands in
<filename > /etc/shorewall6/started</filename> .</para>
2008-12-11 01:03:00 +01:00
<para > The <emphasis > options</emphasis> control the amount of output that
the command produces. They consist of a sequence of the letters <emphasis
role="bold">v</emphasis> and <emphasis role= "bold" > q</emphasis> . If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink
2008-12-14 18:37:30 +01:00
url="shorewall6.conf.html">shorewall6.conf</ulink> (5). Each <emphasis
2008-12-11 01:03:00 +01:00
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role= "bold" > q</emphasis> subtracts one from the effective
VERBOSITY. Anternately, <emphasis role= "bold" > v</emphasis> may be followed
immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
be no white space between <emphasis role= "bold" > v</emphasis> and the
VERBOSITY.</para>
<para > The <emphasis > options</emphasis> may also include the letter
<option > t</option> which causes all progress messages to be
timestamped.</para>
</refsect1>
<refsect1 >
<title > Commands</title>
<para > The available commands are listed below.</para>
<variablelist >
2011-06-20 23:33:49 +02:00
<varlistentry >
<term > <emphasis role= "bold" > add</emphasis> </term>
<listitem >
<para > Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
a dynamic zone usually used with VPN's.</para>
<para > The <emphasis > interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5)
file. A <emphasis > host-list</emphasis> is comma-separated list whose
elements are host or network addresses.<caution >
<para > The <command > add</command> command is not very robust. If
there are errors in the <replaceable > host-list</replaceable> ,
you may see a large number of error messages yet a subsequent
<command > shorewall show zones</command> command will indicate
that all hosts were added. If this happens, replace
<command > add</command> by <command > delete</command> and run the
same command again. Then enter the correct command.</para>
</caution> </para>
</listitem>
</varlistentry>
2008-12-11 01:03:00 +01:00
<varlistentry >
<term > <emphasis role= "bold" > allow</emphasis> </term>
<listitem >
<para > Re-enables receipt of packets from hosts previously
blacklisted by a <emphasis role= "bold" > drop</emphasis> , <emphasis
role="bold">logdrop</emphasis> , <emphasis
role="bold">reject</emphasis> , or <emphasis
role="bold">logreject</emphasis> command.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > check</emphasis> </term>
<listitem >
<para > Compiles the configuraton in the specified
<emphasis > directory</emphasis> and discards the compiled output
script. If no <emphasis > directory</emphasis> is given, then
2008-12-14 18:37:30 +01:00
/etc/shorewall6 is assumed.</para>
2008-12-11 01:03:00 +01:00
<para > The <emphasis role= "bold" > -e</emphasis> option causes the
compiler to look for a file named capabilities. This file is
2008-12-14 18:37:30 +01:00
produced using the command <emphasis role= "bold" > shorewall6-lite
show -f capabilities > capabilities</emphasis> on a system with
Shorewall6 Lite installed.</para>
<para > The <option > -d</option> option causes the compiler to be run
under control of the Perl debugger.</para>
<para > The <option > -p</option> option causes the compiler to be
profiled via the Perl <option > -wd:DProf</option> command-line
option.</para>
2010-01-13 00:32:50 +01:00
<para > The <option > -r</option> option was added in Shorewall 4.5.2
and causes the compiler to print the generated ruleset to standard
out.</para>
2011-05-24 20:39:52 +02:00
<para > The <option > -T</option> option was added in Shorewall 4.4.20
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > clear</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Clear will remove all rules and chains installed by
Shorewall6. The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > compile</emphasis> </term>
<listitem >
<para > Compiles the current configuration into the executable file
2008-12-14 18:37:30 +01:00
<emphasis > pathname</emphasis> . If a directory is supplied,
Shorewall6 will look in that directory first for configuration
2009-04-02 03:12:34 +02:00
files. If the <emphasis > pathname</emphasis> is omitted, the file
firewall in the VARDIR (normally <filename
2009-05-01 20:38:52 +02:00
class="directory">/var/lib/shorewall/</filename> ) is assumed. A
<emphasis > pathname</emphasis> of '-' causes the compiler to send the
generated script to it's standard output file. Note that '-v-1' is
usually specified in this case (e.g., <command > shorewall6 -v-1
compile -- -</command> ) to suppress the 'Compiling...' message
normally generated by <filename > /sbin/shorewall6</filename> .</para>
2008-12-11 01:03:00 +01:00
<para > When -e is specified, the compilation is being performed on a
system other than where the compiled script will run. This option
disables certain configuration options that require the script to be
compiled where it is to be run. The use of -e requires the presense
of a configuration file named <filename > capabilities</filename>
which may be produced using the command <emphasis
2008-12-14 18:37:30 +01:00
role="bold">shorewall6-lite show -f capabilities >
capabilities</emphasis> on a system with Shorewall6 Lite
2008-12-11 01:03:00 +01:00
installed</para>
2008-12-14 18:37:30 +01:00
<para > The <option > -d</option> option causes the compiler to be run
under control of the Perl debugger.</para>
2008-12-11 01:03:00 +01:00
2008-12-14 18:37:30 +01:00
<para > The <option > -p</option> option causes the compiler to be
profiled via the Perl <option > -wd:DProf</option> command-line
option.</para>
2011-05-24 20:39:52 +02:00
<para > The <option > -T</option> option was added in Shorewall 4.4.20
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
2011-06-20 23:33:49 +02:00
<varlistentry >
<term > <emphasis role= "bold" > delete</emphasis> </term>
<listitem >
<para > Added in Shorewall 4.4.21. The delete command reverses the
effect of an earlier <emphasis role= "bold" > add</emphasis>
command.</para>
<para > The <emphasis > interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall6-interfaces.html">shorewall6-interfaces</ulink> (5)
file. A <emphasis > host-list</emphasis> is comma-separated list whose
elements are a host or network address.</para>
</listitem>
</varlistentry>
2008-12-11 01:03:00 +01:00
<varlistentry >
<term > <emphasis role= "bold" > drop</emphasis> </term>
<listitem >
<para > Causes traffic from the listed <emphasis > address</emphasis> es
to be silently dropped.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > dump</emphasis> </term>
<listitem >
<para > Produces a verbose report about the firewall configuration for
the purpose of problem analysis.</para>
<para > The <emphasis role= "bold" > -x</emphasis> option causes actual
packet and byte counts to be displayed. Without that option, these
counts are abbreviated. The <emphasis role= "bold" > -m</emphasis>
2008-12-14 18:37:30 +01:00
option causes any MAC addresses included in Shorewall6 log messages
2008-12-11 01:03:00 +01:00
to be displayed.</para>
2009-11-17 00:14:24 +01:00
<para > The <emphasis role= "bold" > -l</emphasis> option causes the rule
number for each Netfilter rule to be displayed.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > export</emphasis> </term>
<listitem >
<para > If <emphasis > directory1</emphasis> is omitted, the current
working directory is assumed.</para>
2008-12-14 18:37:30 +01:00
<para > Allows a non-root user to compile a shorewall6 script and
stage it on a system (provided that the user has access to the
system via ssh). The command is equivalent to:</para>
2008-12-11 01:03:00 +01:00
2008-12-14 18:37:30 +01:00
<programlisting > <emphasis role= "bold" > /sbin/shorewall6 compile -e</emphasis> <emphasis > directory1</emphasis> <emphasis > directory1</emphasis> <emphasis
2008-12-11 01:03:00 +01:00
role="bold">/firewall & & \</emphasis>
<emphasis role= "bold" > scp</emphasis> directory1<emphasis role= "bold" > /firewall</emphasis> <emphasis > directory1</emphasis> <emphasis
role="bold">/firewall.conf</emphasis> [<emphasis > user</emphasis> @]<emphasis
role="bold">system</emphasis> :[<emphasis > directory2</emphasis> ]</programlisting>
<para > In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall and firewall.conf
are copied to <emphasis > system</emphasis> using scp.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > forget</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Deletes /var/lib/shorewall6/<emphasis > filenam</emphasis> e and
/var/lib/shorewall6/save. If no <emphasis > filename</emphasis> is
2008-12-11 01:03:00 +01:00
given then the file specified by RESTOREFILE in <ulink
2008-12-14 18:37:30 +01:00
url="shorewall6.conf.html">shorewall6.conf</ulink> (5) is
2008-12-11 01:03:00 +01:00
assumed.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > help</emphasis> </term>
<listitem >
<para > Displays a syntax summary.</para>
</listitem>
</varlistentry>
<varlistentry >
2009-06-17 21:03:05 +02:00
<term > <emphasis role= "bold" > iptrace</emphasis> </term>
2008-12-11 01:03:00 +01:00
<listitem >
2009-06-17 21:03:05 +02:00
<para > This is a low-level debugging command that causes iptables
TRACE log records to be created. See ip6tables(8) for
details.</para>
2009-06-18 01:46:20 +02:00
<para > The <replaceable > ip6tables match expression</replaceable> must
2009-06-17 21:03:05 +02:00
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
2009-06-18 01:46:20 +02:00
<para > The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
Shorewall has no control over where the messages go; consult your
logging daemon's documentation.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > load</emphasis> </term>
<listitem >
<para > If <emphasis > directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
2008-12-14 18:37:30 +01:00
shorewall6 script and install it on a system (provided that the user
2008-12-11 01:03:00 +01:00
has root access to the system via ssh). The command is equivalent
to:</para>
2008-12-14 18:37:30 +01:00
<programlisting > <emphasis role= "bold" > /sbin/shorewall6 compile -e</emphasis> <emphasis > <replaceable > directory</replaceable> </emphasis> <replaceable > directory</replaceable> <emphasis
2008-12-11 01:03:00 +01:00
role="bold">/firewall & & \</emphasis>
<emphasis role= "bold" > scp</emphasis> <emphasis > directory</emphasis> <emphasis
role="bold">/firewall</emphasis> <emphasis > directory</emphasis> <emphasis
role="bold">/firewall.conf</emphasis> <emphasis role= "bold" > root@</emphasis> <replaceable > system</replaceable> <emphasis
2008-12-14 18:37:30 +01:00
role="bold">:/var/lib/shorewall6-lite/ & & \</emphasis>
2008-12-11 01:03:00 +01:00
<emphasis role= "bold" > ssh root@</emphasis> <replaceable > system</replaceable> <emphasis
2008-12-14 18:37:30 +01:00
role="bold">'/sbin/shorewall6-lite start'</emphasis> </programlisting>
2008-12-11 01:03:00 +01:00
<para > In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable > system</replaceable> using scp. If the copy succeeds,
2008-12-14 18:37:30 +01:00
Shorewall6 Lite on <replaceable > system</replaceable> is started via
2008-12-11 01:03:00 +01:00
ssh.</para>
<para > If <emphasis role= "bold" > -s</emphasis> is specified and the
<emphasis role= "bold" > start</emphasis> command succeeds, then the
2008-12-14 18:37:30 +01:00
remote Shorewall6-lite configuration is saved by executing <emphasis
role="bold">shorewall6-lite save</emphasis> via ssh.</para>
2008-12-11 01:03:00 +01:00
<para > if <emphasis role= "bold" > -c</emphasis> is included, the
2008-12-14 18:37:30 +01:00
command <emphasis role= "bold" > shorewall6-lite show capabilities -f
> /var/lib/shorewall6-lite/capabilities</emphasis> is executed
via ssh then the generated file is copied to
2008-12-11 01:03:00 +01:00
<replaceable > directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para > If <option > -r</option> is included, it specifies that the root
user on <replaceable > system</replaceable> is named
<replaceable > root-user-name</replaceable> rather than "root".</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > logdrop</emphasis> </term>
<listitem >
<para > Causes traffic from the listed <emphasis > address</emphasis> es
2009-01-24 17:36:43 +01:00
to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > logwatch</emphasis> </term>
<listitem >
<para > Monitors the log file specified by the LOGFILE option in
2008-12-14 18:37:30 +01:00
<ulink url= "shorewall6.conf.html" > shorewall6.conf</ulink> (5) and
produces an audible alarm when new Shorewall6 messages are logged.
2008-12-11 01:03:00 +01:00
The <emphasis role= "bold" > -m</emphasis> option causes the MAC
address of each packet source to be displayed if that information is
available. The <replaceable > refresh-interval</replaceable> specifies
the time in seconds between screen refreshes. You can enter a
negative number by preceding the number with "--" (e.g.,
2008-12-14 18:37:30 +01:00
<command > shorewall6 logwatch -- -30</command> ). In this case, when a
2008-12-11 01:03:00 +01:00
packet count changes, you will be prompted to hit any key to resume
screen refreshes.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > logreject</emphasis> </term>
<listitem >
<para > Causes traffic from the listed <emphasis > address</emphasis> es
2009-01-24 17:36:43 +01:00
to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
2009-06-17 21:03:05 +02:00
<varlistentry >
<term > <emphasis role= "bold" > noiptrace</emphasis> </term>
<listitem >
<para > This is a low-level debugging command that cancels a trace
started by a preceding <command > iptrace</command> command.</para>
<para > The <replaceable > iptables match expression</replaceable> must
be one given in the <command > iptrace</command> command being
cancelled.</para>
</listitem>
</varlistentry>
2008-12-11 01:03:00 +01:00
<varlistentry >
<term > <emphasis role= "bold" > refresh</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > All steps performed by <command > restart</command> are
performed by <command > refresh</command> with the exception that
2008-12-11 01:03:00 +01:00
<command > refresh</command> only recreates the chains specified in
the command while <command > restart</command> recreates the entire
2008-12-14 18:37:30 +01:00
Netfilter ruleset.When no chain name is given to the <emphasis
role="bold">refresh</emphasis> command, the mangle table is
refreshed along with the blacklist chain (if any). This allows you
to modify <filename > /etc/shorewall6/tcrules</filename> and install
the changes using <emphasis role= "bold" > refresh</emphasis> .</para>
2008-12-11 01:03:00 +01:00
<para > The listed chains are assumed to be in the filter table. You
can refresh chains in other tables by prefixing the chain name with
the table name followed by ":" (e.g., nat:net_dnat). Chain names
which follow are assumed to be in that table until the end of the
list or until an entry in the list names another table. Built-in
chains such as FORWARD may not be refreshed.</para>
2008-12-14 18:37:30 +01:00
<para > Example:<programlisting > <command > shorewall6 refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting> </para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > reload</emphasis> </term>
<listitem >
<para > If <emphasis > directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
2008-12-14 18:37:30 +01:00
shorewall6 script and install it on a system (provided that the user
2008-12-11 01:03:00 +01:00
has root access to the system via ssh). The command is equivalent
to:</para>
2008-12-14 18:37:30 +01:00
<programlisting > <emphasis role= "bold" > /sbin/shorewall6 compile -e</emphasis> <emphasis > directory</emphasis> <emphasis > directory</emphasis> <emphasis
2008-12-11 01:03:00 +01:00
role="bold">/firewall & & \</emphasis>
<emphasis role= "bold" > scp</emphasis> <emphasis > directory</emphasis> <emphasis
role="bold">/firewall</emphasis> <emphasis > directory</emphasis> <emphasis
role="bold">/firewall.conf</emphasis> <emphasis role= "bold" > root@</emphasis> <emphasis > system</emphasis> <emphasis
2008-12-14 18:37:30 +01:00
role="bold">:/var/lib/shorewall6-lite/ & & \</emphasis>
2008-12-11 01:03:00 +01:00
<emphasis role= "bold" > ssh root@</emphasis> <emphasis > system</emphasis> <emphasis
2008-12-14 18:37:30 +01:00
role="bold">'/sbin/shorewall6-lite restart'</emphasis> </programlisting>
2008-12-11 01:03:00 +01:00
<para > In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<emphasis > system</emphasis> using scp. If the copy succeeds,
2008-12-14 18:37:30 +01:00
Shorewall6 Lite on <emphasis > system</emphasis> is restarted via
2008-12-11 01:03:00 +01:00
ssh.</para>
<para > If <emphasis role= "bold" > -s</emphasis> is specified and the
<emphasis role= "bold" > restart</emphasis> command succeeds, then the
2008-12-14 18:37:30 +01:00
remote Shorewall6-lite configuration is saved by executing <emphasis
role="bold">shorewall6-lite save</emphasis> via ssh.</para>
2008-12-11 01:03:00 +01:00
<para > if <emphasis role= "bold" > -c</emphasis> is included, the
2008-12-14 18:37:30 +01:00
command <emphasis role= "bold" > shorewall6-lite show capabilities -f
> /var/lib/shorewall6-lite/capabilities</emphasis> is executed
via ssh then the generated file is copied to
2008-12-11 01:03:00 +01:00
<emphasis > directory</emphasis> using scp. This step is performed
before the configuration is compiled.</para>
<para > If <option > -r</option> is included, it specifies that the root
user on <replaceable > system</replaceable> is named
<replaceable > root-user-name</replaceable> rather than "root".</para>
</listitem>
</varlistentry>
<varlistentry >
2008-12-14 18:37:30 +01:00
<term > <emphasis role= "bold" > reset [<replaceable > chain</replaceable> ,
...]</emphasis> <acronym > </acronym> </term>
2008-12-11 01:03:00 +01:00
<listitem >
2008-12-14 18:37:30 +01:00
<para > Resets the packet and byte counters in the specified
<replaceable > chain</replaceable> (s). If no
<replaceable > chain</replaceable> is specified, all the packet and
byte counters in the firewall are reset.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > restart</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Restart is similar to <emphasis role= "bold" > shorewall6
2008-12-18 18:48:31 +01:00
start</emphasis> except that it assumes that the firewall is already
started. Existing connections are maintained. If a
2008-12-14 18:37:30 +01:00
<emphasis > directory</emphasis> is included in the command,
Shorewall6 will look in that <emphasis > directory</emphasis> first
for configuration files.</para>
2008-12-11 01:03:00 +01:00
2008-12-14 18:37:30 +01:00
<para > The <option > -n</option> option causes Shorewall6 to avoid
2008-12-11 01:03:00 +01:00
updating the routing table(s).</para>
2011-05-23 15:39:26 +02:00
<para > The <option > -p</option> option causes the connection tracking
table to be flushed; the <command > conntrack</command> utility must
be installed to use this option.</para>
<para > The <option > -d </option> option causes the compiler to run
under the Perl debugger.</para>
2008-12-11 01:03:00 +01:00
<para > The <option > -f</option> option suppresses the compilation step
and simply reused the compiled script which last started/restarted
2011-05-23 15:39:26 +02:00
Shorewall, provided that /etc/shorewall6 and its contents have not
been modified since the last start/restart.</para>
<para > The <option > -c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5). When both
<option > -f</option> and <option > -c </option> are present, the result
is determined by the option that appears last.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > restore</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Restore Shorewall6 to a state saved using the <emphasis
role="bold">shorewall6 save</emphasis> command. Existing connections
2008-12-11 01:03:00 +01:00
are maintained. The <emphasis > filename</emphasis> names a restore
2008-12-14 18:37:30 +01:00
file in /var/lib/shorewall6 created using <emphasis
role="bold">shorewall6 save</emphasis> ; if no
<emphasis > filename</emphasis> is given then Shorewall6 will be
2008-12-11 01:03:00 +01:00
restored from the file specified by the RESTOREFILE option in <ulink
2008-12-14 18:37:30 +01:00
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > safe-restart</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Only allowed if Shorewall6 is running. The current
configuration is saved in /var/lib/shorewall6/safe-restart (see the
save command below) then a <emphasis role= "bold" > shorewall6
2008-12-11 01:03:00 +01:00
restart</emphasis> is done. You will then be prompted asking if you
want to accept the new configuration or not. If you answer "n" or if
you fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), the
configuration is restored from the saved configuration. If a
2008-12-14 18:37:30 +01:00
directory is given, then Shorewall6 will look in that directory
first when opening configuration files.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > safe-start</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Shorewall6 is started normally. You will then be prompted
2008-12-11 01:03:00 +01:00
asking if everything went all right. If you answer "n" or if you
fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), a
2008-12-14 18:37:30 +01:00
shorewall6 clear is performed for you. If a directory is given, then
Shorewall6 will look in that directory first when opening
2008-12-11 01:03:00 +01:00
configuration files.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > save</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > The dynamic blacklist is stored in /var/lib/shorewall6/save.
2008-12-11 01:03:00 +01:00
The state of the firewall is stored in
2008-12-14 18:37:30 +01:00
/var/lib/shorewall6/<emphasis > filename</emphasis> for use by the
<emphasis role= "bold" > shorewall6 restore</emphasis> and <emphasis
role="bold">shorewall6 -f start</emphasis> commands. If
2008-12-11 01:03:00 +01:00
<emphasis > filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in <ulink
2008-12-14 18:37:30 +01:00
url="shorewall6.conf.html">shorewall6.conf</ulink> (5).</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > show</emphasis> </term>
<listitem >
<para > The show command can have a number of different
arguments:</para>
<variablelist >
<varlistentry >
<term > <emphasis role= "bold" > actions</emphasis> </term>
<listitem >
<para > Produces a report about the available actions (built-in,
standard and user-defined).</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > capabilities</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Displays your kernel/ip6tables capabilities. The
2008-12-11 01:03:00 +01:00
<emphasis role= "bold" > -f</emphasis> option causes the display
to be formatted as a capabilities file for use with <emphasis
role="bold">compile -e</emphasis> .</para>
</listitem>
</varlistentry>
<varlistentry >
<term > [ [ <option > chain</option> ] <emphasis > chain</emphasis> ...
]</term>
<listitem >
<para > The rules in each <emphasis > chain</emphasis> are
2008-12-14 18:37:30 +01:00
displayed using the <emphasis role= "bold" > ip6tables
2008-12-11 01:03:00 +01:00
-L</emphasis> <emphasis > chain</emphasis> <emphasis
role="bold">-n -v</emphasis> command. If no
<emphasis > chain</emphasis> is given, all of the chains in the
filter table are displayed. The <emphasis
role="bold">-x</emphasis> option is passed directly through to
2008-12-14 18:37:30 +01:00
ip6tables and causes actual packet and byte counts to be
2008-12-11 01:03:00 +01:00
displayed. Without this option, those counts are abbreviated.
The <emphasis role= "bold" > -t</emphasis> option specifies the
Netfilter table to display. The default is <emphasis
role="bold">filter</emphasis> .</para>
2009-11-17 00:14:24 +01:00
<para > The <emphasis role= "bold" > -l</emphasis> option causes
the rule number for each Netfilter rule to be
displayed.</para>
<para > If the <emphasis role= "bold" > -t</emphasis> option and
the <option > chain</option> keyword are both omitted and any of
the listed <replaceable > chain</replaceable> s do not exist, a
usage message is displayed.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis
role="bold">classifiers|filters</emphasis> </term>
<listitem >
<para > Displays information about the packet classifiers
defined on the system as a result of traffic shaping
configuration.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > config</emphasis> </term>
<listitem >
<para > Dispays distribution-specific defaults.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > connections</emphasis> </term>
<listitem >
<para > Displays the IP connections currently being tracked by
the firewall.</para>
</listitem>
</varlistentry>
2011-02-02 01:47:20 +01:00
<varlistentry >
<term > <emphasis role= "bold" > ip</emphasis> </term>
<listitem >
<para > Displays the system's IPv6 configuration.</para>
</listitem>
</varlistentry>
2008-12-11 01:03:00 +01:00
<varlistentry >
<term > <emphasis role= "bold" > log</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Displays the last 20 Shorewall6 messages from the log
2008-12-11 01:03:00 +01:00
file specified by the LOGFILE option in <ulink
2008-12-14 18:37:30 +01:00
url="shorewall6.conf.html">shorewall6.conf</ulink> (5). The
2008-12-11 01:03:00 +01:00
<emphasis role= "bold" > -m</emphasis> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > macros</emphasis> </term>
<listitem >
<para > Displays information about each macro defined on the
firewall system.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > mangle</emphasis> </term>
<listitem >
<para > Displays the Netfilter mangle table using the command
2008-12-14 18:37:30 +01:00
<emphasis role= "bold" > ip6tables -t mangle -L -n
2008-12-11 01:03:00 +01:00
-v</emphasis> .The <emphasis role= "bold" > -x</emphasis> option
2008-12-14 18:37:30 +01:00
is passed directly through to ip6tables and causes actual
2008-12-11 01:03:00 +01:00
packet and byte counts to be displayed. Without this option,
those counts are abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry >
2009-11-15 18:24:56 +01:00
<term > <emphasis role= "bold" > policies</emphasis> </term>
2008-12-11 01:03:00 +01:00
<listitem >
2009-11-15 18:24:56 +01:00
<para > Added in Shorewall 4.4.4. Displays the applicable policy
2009-11-16 18:30:37 +01:00
between each pair of zones. Note that implicit intrazone
ACCEPT policies are not displayed for zones associated with a
single network where that network doesn't specify
2009-11-17 00:14:24 +01:00
<option > routeback</option> .</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
2011-02-02 01:47:20 +01:00
<varlistentry >
<term > <emphasis role= "bold" > Routing</emphasis> </term>
<listitem >
<para > Displays the system's IPv6 routing configuration.</para>
</listitem>
</varlistentry>
2008-12-11 01:03:00 +01:00
<varlistentry >
<term > <emphasis role= "bold" > tc</emphasis> </term>
<listitem >
<para > Displays information about queuing disciplines, classes
and filters.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > zones</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Displays the current composition of the Shorewall6 zones
2008-12-11 01:03:00 +01:00
on the system.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > start</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Start shorewall6. Existing connections through shorewall6
2008-12-11 01:03:00 +01:00
managed interfaces are untouched. New connections will be allowed
only if they are allowed by the firewall rules or policies. If a
<replaceable > directory</replaceable> is included in the command,
2008-12-14 18:37:30 +01:00
Shorewall6 will look in that <emphasis > directory</emphasis> first
for configuration files. If <emphasis role= "bold" > -f</emphasis> is
2008-12-11 01:03:00 +01:00
specified, the saved configuration specified by the RESTOREFILE
2008-12-14 18:37:30 +01:00
option in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5) will be
restored if that saved configuration exists and has been modified
more recently than the files in /etc/shorewall6. When <emphasis
role="bold">-f</emphasis> is given, a
2008-12-11 01:03:00 +01:00
<replaceable > directory</replaceable> may not be specified.</para>
2011-05-23 00:36:29 +02:00
<para > Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
was added to <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5). When
LEGACY_FASTSTART=No, the modificaiotn times of files in
/etc/shorewall6 are compared with that of
/var/lib/shorewall6/firewall (the compiled script that last
started/restarted the firewall).</para>
2008-12-14 18:37:30 +01:00
<para > The <option > -n</option> option causes Shorewall6 to avoid
2008-12-11 01:03:00 +01:00
updating the routing table(s).</para>
2011-05-24 18:13:02 +02:00
<para > The <option > -c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink> (5). When both
<option > -f</option> and <option > -c </option> are present, the result
is determined by the option that appears last.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > stop</emphasis> </term>
<listitem >
<para > Stops the firewall. All existing connections, except those
listed in <ulink
2008-12-14 18:37:30 +01:00
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink> (5)
2008-12-11 01:03:00 +01:00
or permitted by the ADMINISABSENTMINDED option in <ulink
2008-12-14 18:37:30 +01:00
url="shorewall6.conf.html">shorewall6.conf</ulink> (5), are taken
down. The only new traffic permitted through the firewall is from
systems listed in <ulink
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink> (5)
2008-12-11 01:03:00 +01:00
or by ADMINISABSENTMINDED.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > status</emphasis> </term>
<listitem >
<para > Produces a short report about the state of the
2008-12-14 18:37:30 +01:00
Shorewall6-configured firewall.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
<varlistentry >
<term > <emphasis role= "bold" > try</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > If Shorewall6 is started then the firewall state is saved to a
2008-12-11 01:03:00 +01:00
temporary saved configuration
2008-12-14 18:37:30 +01:00
(<filename > /var/lib/shorewall6/.try</filename> ). Next, if Shorewall6
2008-12-11 01:03:00 +01:00
is currently started then a <emphasis role= "bold" > restart</emphasis>
command is issued; otherwise, a <emphasis
role="bold">start</emphasis> command is performed. if an error
occurs during the compliation phase of the <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">start</emphasis> , the command terminates without
2008-12-14 18:37:30 +01:00
changing the Shorewall6 state. If an error occurs during the
2008-12-11 01:03:00 +01:00
<emphasis role= "bold" > restart</emphasis> phase, then a <emphasis
2008-12-14 18:37:30 +01:00
role="bold">shorewall6 restore</emphasis> is performed using the
2008-12-11 01:03:00 +01:00
saved configuration. If an error occurs during the <emphasis
2008-12-14 18:37:30 +01:00
role="bold">start</emphasis> phase, then Shorewall6 is cleared. If
2008-12-11 01:03:00 +01:00
the <emphasis role= "bold" > start</emphasis> /<emphasis
role="bold">restart</emphasis> succeeds and a
<replaceable > timeout</replaceable> is specified then a <emphasis
role="bold">clear</emphasis> or <emphasis
role="bold">restore</emphasis> is performed after
<replaceable > timeout</replaceable> seconds.</para>
</listitem>
</varlistentry>
2011-06-19 02:39:44 +02:00
<varlistentry >
2011-06-19 16:14:27 +02:00
<term > <emphasis role= "bold" > update</emphasis> </term>
2011-06-19 02:39:44 +02:00
<listitem >
<para > Added in Shorewall 4.4.21 and causes the compiler to validate
2011-06-19 16:14:27 +02:00
the configuration and then update
<filename > /etc/shorewall6/shorewall6.conf</filename> . The update
2011-06-19 02:39:44 +02:00
will add new options with their default values and will move
deprecated options with non-defaults to a deprecated options section
at the bottom of the file. Your existing
<filename > shorewall6.conf</filename> file is renamed
<filename > shorewall6.conf.bak.</filename> </para>
2011-06-19 16:14:27 +02:00
<para > The <option > -a</option> option causes the updated
2011-06-19 02:39:44 +02:00
<filename > shorewall6.conf</filename> file to be annotated with
documentation.</para>
<para > For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>
</listitem>
</varlistentry>
2008-12-11 01:03:00 +01:00
<varlistentry >
<term > <emphasis role= "bold" > version</emphasis> </term>
<listitem >
2008-12-14 18:37:30 +01:00
<para > Displays Shorewall6's version. If the <option > -a</option>
2009-06-17 21:42:13 +02:00
option is included, the version of Shorewall will also be
2008-12-14 18:37:30 +01:00
displayed.</para>
2008-12-11 01:03:00 +01:00
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1 >
<title > FILES</title>
2008-12-14 18:37:30 +01:00
<para > /etc/shorewall6/</para>
2008-12-11 01:03:00 +01:00
</refsect1>
<refsect1 >
<title > See ALSO</title>
<para > <ulink
2008-12-17 22:27:20 +01:00
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink> </para>
2008-12-14 18:37:30 +01:00
<para > shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
2011-02-02 01:47:20 +01:00
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
2008-12-11 01:03:00 +01:00
</refsect1>
</refentry>