diff --git a/Shorewall-docs/starting_and_stopping_shorewall.xml b/Shorewall-docs/starting_and_stopping_shorewall.xml index d356d3782..84e1fbc23 100755 --- a/Shorewall-docs/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs/starting_and_stopping_shorewall.xml @@ -2,7 +2,7 @@
- + Starting/Stopping and Monitoring the Firewall @@ -38,12 +38,12 @@ If you have a permanent internet connection such as DSL or Cable, I recommend that you start the firewall automatically at boot. Once you have - installed "firewall" in your init.d directory, simply type - "chkconfig --add firewall". This will start the firewall in run - levels 2-5 and stop it in run levels 1 and 6. If you want to configure + installed firewall in your init.d directory, simply type + chkconfig --add firewall. This will start the firewall in + run levels 2-5 and stop it in run levels 1 and 6. If you want to configure your firewall differently from this default, you can use the - "--level" option in chkconfig (see "man chkconfig") or - using your favorite graphical run-level editor. + --level option in chkconfig (see man chkconfig) + or using your favorite graphical run-level editor. @@ -51,25 +51,24 @@ Shorewall startup is disabled by default. Once you have configured your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. Note: Users of the .deb - package must edit /etc/default/shorewall and set - 'startup=1'. + package must edit /etc/default/shorewall and set startup=1. If you use dialup, you may want to start the firewall in your - /etc/ppp/ip-up.local script. I recommend just placing "shorewall - restart" in that script. + /etc/ppp/ip-up.local script. I recommend just placing + shorewall restart in that script. You can manually start and stop Shoreline Firewall using the - "shorewall" shell program. Please refer to the Shorewall State - Diagram as shown at the bottom of this page. + shorewall shell program. Please refer to the Shorewall + State Diagram as shown at the bottom of this page. - shorewall start - starts the firewall + shorewall start - starts the firewall 
@@ -78,28 +77,28 @@ /etc/shorewall/routestopped (Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then in addition, all existing connections are permitted and any new - connections originating from the firewall itself are allowed). + connections originating from the firewall itself are allowed). shorewall restart - stops the firewall (if it's running) and - then starts it again + then starts it again shorewall reset - reset the packet and byte counters in the - firewall + firewall shorewall clear - remove all rules and chains installed by - Shoreline Firewall. The firewall is "wide open" + Shoreline Firewall. The firewall is wide open shorewall refresh - refresh the rules involving the broadcast addresses of firewall interfaces, the black list, traffic control - rules and ECN control rules. + rules and ECN control rules. @@ -107,17 +106,17 @@ trace of the command is produced as in: shorewall debug start 2> /tmp/traceThe - above command would trace the 'start' command and place the trace - information in the file /tmp/trace + above command would trace the start command and place the + trace information in the file /tmp/trace Beginning with version 1.4.7, shorewall can give detailed help about each of its commands: shorewall help [ command | host | address ]The - "shorewall" program may also be used to monitor the firewall. + shorewall program may also be used to monitor the firewall. shorewall status - produce a verbose report about the firewall - (iptables -L -n -v) + (iptables -L -n -v) 
@@ -130,53 +129,51 @@ shorewall show nat - produce a verbose report about the nat - table (iptables -t nat -L -n -v) + table (iptables -t nat -L -n -v) shorewall show tos - produce a verbose report about the mangle - table (iptables -t mangle -L -n -v) + table (iptables -t mangle -L -n -v) - shorewall show log - display the last 20 packet log entries. - + shorewall show log - display the last 20 packet log entries. shorewall show connections - displays the IP connections - currently being tracked by the firewall. + currently being tracked by the firewall. shorewall show tc - displays information about the traffic - control/shaping configuration. + control/shaping configuration. shorewall monitor [ delay ] - Continuously display the firewall status, last 20 log entries and nat. When the log entry display - changes, an audible alarm is sounded. + changes, an audible alarm is sounded. shorewall hits - Produces several reports about the Shorewall - packet log messages in the current /var/log/messages file. + packet log messages in the current /var/log/messages file. - shorewall version - Displays the installed version number. - + shorewall version - Displays the installed version number. shorewall check - Performs a cursory validation of the zones, interfaces, hosts, rules and policy files.The - "check" command is totally unsuppored and does not parse and - validate the generated iptables commands. Even though the - "check" command completes successfully, the configuration may - fail to start. Problem reports that complain about errors that the - 'check' command does not detect will not be accepted.See + check command is totally unsuppored and does not parse + and validate the generated iptables commands. Even though the + check command completes successfully, the configuration + may fail to start. 
Problem reports that complain about errors that the + check command does not detect will not be accepted.See the recommended way to make configuration changes described below. @@ -185,7 +182,7 @@ shorewall using the specified configuration and if an error occurs or if the timeout option is given and the new configuration has been up for that many seconds then shorewall is restarted using the standard - configuration. + configuration. @@ -202,13 +199,13 @@ shorewall ipcalc [ address mask | address/vlsm ] - displays the network address, broadcast address, network in CIDR notation and - netmask corresponding to the input[s]. + netmask corresponding to the input[s]. shorewall iprange address1-address2 - Decomposes the specified range of IP addresses into the equivalent list of network/host - addresses. + addresses. @@ -218,25 +215,24 @@ shorewall drop <ip address list> - causes packets from - the listed IP addresses to be silently dropped by the firewall. - + the listed IP addresses to be silently dropped by the firewall. shorewall reject <ip address list> - causes packets from - the listed IP addresses to be rejected by the firewall. + the listed IP addresses to be rejected by the firewall. shorewall allow <ip address list> - re-enables receipt of packets from hosts previously blacklisted by a drop or reject - command. + command. shorewall save - save the dynamic blacklisting configuration so that it will be automatically restored the next time that the firewall - is restarted. + is restarted. @@ -244,13 +240,13 @@ - Finally, the "shorewall" program may be used to dynamically - alter the contents of a zone. + Finally, the shorewall program may be used to + dynamically alter the contents of a zone. shorewall add interface[:host] zone - Adds the specified - interface (and host if included) to the specified zone. + interface (and host if included) to the specified zone. 
@@ -264,7 +260,7 @@ The shorewall start, shorewall restart, shorewall check, and shorewall try commands allow you to specify which Shorewall configuration - to use: + to use: shorewall [ -c configuration-directory ] {start|restart|check} shorewall try configuration-directory @@ -279,36 +275,35 @@ - mkdir /etc/test + mkdir /etc/test - cd /etc/test + cd /etc/test <copy any files that you need to change from /etc/shorewall - to . and change them here> + to . and change them here> - shorewall -c . check + shorewall -c . check - <correct any errors found by check and check again> - + <correct any errors found by check and check again> - /sbin/shorewall try . + /sbin/shorewall try . If the configuration starts but doesn't work, just - "shorewall restart" to restore the old configuration. If the new - configuration fails to start, the "try" command will automatically - start the old one for you. + shorewall restart to restore the old configuration. If the + new configuration fails to start, the try command will + automatically start the old one for you. When the new configuration works then just: @@ -318,11 +313,11 @@ - cd + cd - rm -rf /etc/test + rm -rf /etc/test @@ -330,9 +325,10 @@ align="center" fileref="images/State_Diagram.png" /> You will note that the commands that result in state transitions use - the word "firewall" rather than "shorewall". That is - because the actual transitions are done by /usr/share/shorewall/firewall; - /sbin/shorewall runs 'firewall" according to the following table: + the word firewall rather than shorewall. + That is because the actual transitions are done by + /usr/share/shorewall/firewall; /sbin/shorewall runs firewall + according to the following table: @@ -354,7 +350,7 @@ firewall start The system filters packets based on your current Shorewall - Configuration + Configuration 
@@ -367,7 +363,7 @@ beginning with 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then in addition, all existing connections are retained and all connection requests from the - firewall are accepted. + firewall are accepted. @@ -375,16 +371,15 @@ firewall restart - Logically equivalent to "firewall stop;firewall - start" + Logically equivalent to firewall stop;firewall start shorewall add - firewall add + firewall add - Adds a host or subnet to a dynamic zone + Adds a host or subnet to a dynamic zone @@ -392,13 +387,13 @@ firewall delete - Deletes a host or subnet from a dynamic zone + Deletes a host or subnet from a dynamic zone shorewall refresh - firewall refresh + firewall refresh Reloads rules dealing with static blacklisting, traffic control and ECN. @@ -409,7 +404,7 @@ firewall reset - Resets traffic counters + Resets traffic counters @@ -418,7 +413,7 @@ firewall clear Removes all Shorewall rules, chains, addresses, routes and - ARP entries. + ARP entries.
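Review bot: the file header keeps mode 100755 on a DocBook source file (`index d356d3782..84e1fbc23 100755`); an XML document gains nothing from the executable bit, so drop it to 100644 while this file is being touched.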
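Review bot: in the shorewall clear entry, removing the quotation marks around "wide open" (`Shoreline Firewall. The firewall is wide open`) weakens the warning unless the replacement element renders with emphasis; this is the one command in the list that removes all filtering rather than changing it, so confirm the new markup (quote or emphasis) still makes that stand out in the rendered page.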
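Review bot: the debug example keeps a fixed, predictable filename in the shared /tmp directory (`shorewall debug start 2> /tmp/trace`) even though the hunk rewrites the surrounding sentence; the trace is a dump of the firewall command's execution, and on a multi-user host any local user can pre-create a file of that name, so suggest the documentation redirect to a root-owned location (for example under /root) or a mktemp-created file instead.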
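Review bot: the spelling error "unsuppored" in the check command paragraph is carried over unchanged (`check command is totally unsuppored and does not parse`); since the hunk already rewrites these lines, correct it to "unsupported" here rather than in a later pass.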
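Review bot: with the quotes dropped, `the word firewall rather than shorewall.` becomes two bare words in running prose; if the replacement element is not one that renders distinctly (quote, literal or filename), the sentence loses its meaning in plain-text output, so check the rendered result or keep the quotation marks inside the element.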