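#!/bin/sh
#
# Shorewall help subsystem - V2.0 - 2/14/2004
#
#
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
# (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
# Steve Herber (herber@thing.com)
#
# This file should be placed in /usr/share/shorewall/help
#
# Shorewall documentation is available at http://shorewall.sourceforge.net
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of Version 2 of the GNU General Public License
# as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################
#
# Usage: $1 is the name of the shorewall command (or the topic "host" /
# "address") to describe. The matching help text is written to stdout and
# the script always exits 0, even for an unknown command.
#
# $version and $LOGFILE are read below but are NOT set in this file; they
# are presumably provided by the caller (the main shorewall script), so this
# file looks like it is sourced rather than executed directly -- confirm.
# For that reason the two scratch variables introduced here (help_other,
# help_verb) carry a help_ prefix to avoid clobbering the caller's names.
#
# All help text is emitted with printf '%s\n' rather than echo: the text is
# passed as an argument, not as the format string, so a "-n"/"-e" looking $1
# or a backslash in $1 cannot change how the line is printed (echo's handling
# of both differs between /bin/sh implementations).

case "$1" in

    add)
        printf '%s\n' "add: add <interface>[:<host>] <zone>
Adds a host or subnet to a dynamic zone usually used with VPN's.

shorewall add interface[:host] zone - Adds the specified interface
(and host if included) to the specified zone.

Example:

shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
from interface ipsec0 to the zone vpn1.

See also \"help host\""
        ;;

    address|host)
        printf '%s\n' "<$1>:
May be either a host IP address such as 192.168.1.4 or a network address in
CIDR format like 192.168.1.0/24"
        ;;

    allow)
        printf '%s\n' "allow: allow <address> ...
Re-enables receipt of packets from hosts previously blacklisted
by a drop or reject command.

Shorewall allow, drop, reject and save implement dynamic blacklisting.

See also \"help address\""
        ;;

    check)
        printf '%s\n' "check: check [ -c <configuration-directory> ]
Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. Use this if you are unsure of any edits
you have made to the shorewall configuration. See the try command
examples for a recommended way to make changes."
        ;;

    clear)
        printf '%s\n' "clear: clear
Clear will remove all rules and chains installed by Shoreline.
The firewall is then wide open and unprotected. Existing
connections are untouched. Clear is often used to see if the
firewall is causing connection problems."
        ;;

    debug|trace)
        # "debug" and "trace" are synonyms; the two help texts were identical
        # apart from which word is the subject and which is named as the synonym.
        case "$1" in
            debug) help_other=trace ;;
            *)     help_other=debug ;;
        esac
        printf '%s\n' "$1: $1
If you include the keyword $1 as the first argument to any
of these commands:

start|stop|restart|reset|clear|refresh|check|add|delete

then a shell trace of the command is produced. For example:

shorewall $1 start 2> /tmp/trace

The above command would trace the 'start' command and
place the trace information in the file /tmp/trace.

The word '$help_other' is a synonym for '$1'."
        ;;

    delete)
        printf '%s\n' "delete: delete <interface>[:<host>] <zone>
Deletes a host or subnet from a dynamic zone usually used with VPN's.

shorewall delete interface[:host] zone - Deletes the specified
interface (and host if included) from the specified zone.

Example:

shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
192.0.2.24 from interface ipsec0 from zone vpn1

See also \"help host\""
        ;;

    drop|reject)
        # Both commands share the dynamic-blacklisting blurb; only the verb
        # describing what happens to matching packets differs.
        if [ "$1" = drop ]; then
            help_verb=ignored
        else
            help_verb=rejected
        fi
        printf '%s\n' "$1: $1 <address> ...
Causes packets from the specified <address> to be $help_verb

Shorewall allow, drop, reject and save implement dynamic blacklisting.

See also \"help address\""
        ;;

    forget)
        printf '%s\n' "forget: forget [ <file name> ]
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
the file specified by RESTOREFILE in shorewall.conf is removed.

See also \"help save\""
        ;;

    help)
        printf '%s\n' "help: help [<command> | host | address ]
Display helpful information about the shorewall commands."
        ;;

    hits)
        printf '%s\n' "hits: hits
Produces several reports about the Shorewall packet log messages
in the current /var/log/messages file."
        ;;

    ipcalc)
        printf '%s\n' "ipcalc: ipcalc [ address mask | address/vlsm ]
Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the input[s]."
        ;;

    iprange)
        printf '%s\n' "iprange: iprange address1-address2
Iprange decomposes the specified range of IP addresses into the
equivalent list of network/host addresses."
        ;;

    logwatch)
        # $LOGFILE is expected from the caller's environment (see header).
        printf '%s\n' "logwatch: logwatch [<refresh interval>]
Monitors the LOGFILE, $LOGFILE,
and produces an audible alarm when new Shorewall messages are logged."
        ;;

    monitor)
        printf '%s\n' "monitor: monitor [<refresh_interval>]

shorewall [-x] monitor [<refresh_interval>]

Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded.

When -x is given, that option is also passed to iptables to display actual packet and byte counts."
        ;;

    refresh)
        printf '%s\n' "refresh: [ -q ] refresh
The rules involving the broadcast addresses of firewall interfaces,
the black list, traffic control rules and ECN control rules are recreated
to reflect any changes made. Existing connections are untouched.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings"
        ;;

    reset)
        printf '%s\n' "reset: reset
All the packet and byte counters in the firewall are reset."
        ;;

    restart)
        printf '%s\n' "restart: restart [ -q ] [ -c <configuration-directory> ]
Restart is the same as a shorewall stop && shorewall start.
Existing connections are maintained.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings"
        ;;

    restore)
        # The quotes around "shorewall save" must be escaped: unescaped they
        # terminated the string early and left two bare words in the output.
        printf '%s\n' "restore: restore [ <file name> ]
Restore Shorewall to a state saved using the 'save' command
Existing connections are maintained. The <file name> names a restore file in
/var/lib/shorewall created using \"shorewall save\"; if no <file name> is given
then Shorewall will be restored from the file specified by the RESTOREFILE
option in shorewall.conf.

See also \"help save\" and \"help forget\""
        ;;

    save)
        printf '%s\n' "save: save [ <file name> ]
The dynamic data is stored in /var/lib/shorewall/save. The state of the
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
in the file specified by the RESTOREFILE option in shorewall.conf.

Shorewall allow, drop, reject and save implement dynamic blacklisting.

See also \"help restore\" and \"help forget\""
        ;;

    show)
        printf '%s\n' "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]

shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
(iptables -L chain -n -v)

shorewall [-x] show nat - produce a verbose report about the nat table.
(iptables -t nat -L -n -v)

shorewall [-x] show tos - produce a verbose report about the mangle table.
(iptables -t mangle -L -n -v)

shorewall show log - display the last 20 packet log entries.

shorewall show connections - displays the IP connections currently
being tracked by the firewall.

shorewall show tc - displays information about the traffic
control/shaping configuration.

When -x is given, that option is also passed to iptables to display actual packet and byte counts."
        ;;

    start)
        printf '%s\n' "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
Start shorewall. Existing connections through shorewall managed
interfaces are untouched. New connections will be allowed only
if they are allowed by the firewall rules or policies.
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
in shorewall.conf will be restored if that saved configuration exists"
        ;;

    stop)
        printf '%s\n' "stop: stop
Stops the firewall. All existing connections, except those
listed in /etc/shorewall/routestopped, are taken down.
The only new traffic permitted through the firewall
is from systems listed in /etc/shorewall/routestopped."
        ;;

    status)
        # The iptables invocation matches the one quoted under "show":
        # the trailing option was truncated to "-" in the earlier text.
        printf '%s\n' "status: status

shorewall [-x] status

Produce a verbose report about the firewall.

(iptables -L -n -v)

When -x is given, that option is also passed to iptables to display actual packet and byte counts."
        ;;

    try)
        printf '%s\n' "try: try <configuration-directory> [ <timeout> ]
Restart shorewall using the specified configuration. If an error
occurs during the restart, then another shorewall restart is performed
using the default configuration. If a timeout is specified then
the restart is always performed after the timeout occurs and uses
the default configuration."
        ;;

    version)
        # $version is expected from the caller's environment (see header).
        printf '%s\n' "version: version
Show the current shorewall version which is: $version"
        ;;

    *)
        printf '%s\n' "$1: $1 is not recognized by the help command"
        ;;

esac

exit 0 # always ok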