diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index a25eaa013..317db0f03 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -204,78 +204,57 @@
Tracing Command Execution and other Debugging Aids - If you include the word trace as - the first parameter to an /sbin/shorewall command - that transfers control to - /usr/share/shorewall/firewall, execution of the - latter program will be traced to STDERR. + Shorewall includes features for tracing and debugging. Commands + involving the compiler can have the word trace inserted immediately after the + command. - - Tracing <command>shorewall start</command> + Example: - To trace the execution of shorewall start and - write the trace to the file /tmp/trace, you would - enter:shorewall trace start 2> /tmp/trace - The trace keyword does not - result in a trace of the execution of the Shorewall rules compiler. - It rather causes additional diagnostic information to be included in - warning and error messages generated by the compiler. - + shorewall trace check -r - You may also include the word debug as the first argument to the - /sbin/shorewall and - /sbin/shorewall-lite commands.shorewall debug restartIn - most cases, debug is a synonym for - trace. The exceptions are: + This produces a large amount of diagnostic output to standard out + during the compilation step. If entered on a command that doesn't invoke + the compiler, trace is ignored. + + Commands that invoke a compiled fireawll script can have the word + debug inserted immediately after the command. + + Example: + + shorewall debug restart + + debug causes altered behavior of + scripts generated by the Shorewall compiler. These scripts normally use + ip[6]tables-restore to install the Netfilter ruleset, but with debug, the + commands normally passed to iptables-restore in its input file are passed + individually to ip[6]tables. This is a diagnostic aid which allows + identifying the individual command that is causing ip[6]tables-restore to + fail; it should be used when ip[6]tables-restore fails when executing a + COMMIT command. + + + The debug feature is strictly for problem analysis. 
When debug is + used: - debug is ignored by the - Shorewall-perl compiler. + The firewall is made 'wide open' before the rules are + applied. - debug causes altered behavior - of scripts generated by the Shorewall-perl compiler. These scripts - normally use iptables-restore to install the - Netfilter ruleset but with debug, - the commands normally passed to iptables-restore - in its input file are passed individually to - iptables. This is a diagnostic aid which allows - identifying the individual command that is causing - iptables-restore to fail; it should be used when - iptables-restore fails when executing a COMMIT - command. + The stoppedrules file is not + consulted. + + + + The rules are applied in the canonical ip[6]tables-restore + order. So if you need critical hosts to be always available during + start/restart, you may not be able to use debug. - - - The debug feature is strictly - for problem analysis. When debug is - used: - - - - The firewall is made 'wide open' before the rules are - applied. - - - - The routestopped file is not - consulted. - - - - The rules are applied in the canonical - iptables-restore order. So if you need - critical hosts to be always available during start/restart, you - may not be able to use debug. - - - - +
@@ -629,7 +608,7 @@ The Shorewall State Diagram is depicted below. - + @@ -725,7 +704,7 @@ unsuccessful then firewall start (standard configuration) If timeout then firewall restart (standard configuration) - +
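Review bot: typo in the added paragraph of the first hunk (docs/starting_and_stopping_shorewall.xml, @@ -204,78 +204,57 @@): "Commands that invoke a compiled fireawll script can have the word debug inserted immediately after the command." should read "firewall". In the same hunk the removed text stated that trace output goes to STDERR and showed how to capture it (`shorewall trace start 2> /tmp/trace`), while the replacement says the compiler writes "a large amount of diagnostic output to standard out" and drops the redirect example; please confirm which stream the compiler actually uses and keep a one-line redirect example next to `shorewall trace check -r` so readers know how to save the trace to a file. The renamed bullet ("The stoppedrules file is not consulted." replacing "routestopped") is consistent with the rest of the hunk, but the sentence "If entered on a command that doesn't invoke the compiler, trace is ignored." has no counterpart for debug; a matching sentence stating what happens when debug is given to a command that does not run a compiled firewall script would make the two paragraphs parallel.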