diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index fcccd1516..b1d315634 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -15,13 +15,15 @@ - 2005-12-09 + 2006-02-27 2004 2005 + 2006 + Thomas M. Eastep @@ -122,9 +124,16 @@ - /usr/share/shorewall/firewall — The program - responsible for configuring Netfilter based on your configuration - files. + /usr/share/shorewall/compiler — In + Shorewall 3.1 and later, the program that processes your Shorewall + configuration files and creates a script to start, stop, restart, + restore and clear the firewall. + + + + /usr/share/shorewall/firewall — In + Shorewall 3.0 and earlier, the program responsible for configuring + Netfilter based on your configuration files. @@ -156,6 +165,15 @@ configuration then that configuration is restored. Otherwise, an implicit shorewall stop is executed. + + + Beginning with Shorewall 3.1, shorewall + start is implemented as a compile and + go; that is, the configuration is compiled and if there + are no compilation errors then the resulting compiled script is + executed. If there are compilation errors, the command is aborted + and the state of the firewall is not altered. + @@ -434,6 +452,103 @@
Command Reference + The general form of a command in Shorewall 3.0 is: + +
+ shorewall [ <options> ] <command> [ + <argument> ... ] + + Available options are: + + + + -c <directory> + + + Specifies an alternate + configuration directory. + + + + + -f + + + Specifies fast restart. See the start + command below. + + + + + -n + + + Prevents the command from changing the firewall system's + routing configuration. + + + + + -q + + + Causes some of the output to be suppressed. + + + + + -v + + + Causes Ethernet MAC addresses to be included in log message + displays. + + + + + -x + + + Causes all iptables -L commands to display actual packet and + byte counts. + + + +
+ + The general form of a command in Shorewall 3.1 and later is: + +
+ shorewall [ <options> ] <command> [ + <command options> ] [ <argument> ... ] + + For compatibility, Shorewall 3.1 and later accept all of the 3.0 + command options. In addition, 3.1 defines some new options and also + defines command-specific options that are entered after the command on + the run-line. + + New options are: + + + + -t + + + All progress messages are timestamped with the date and + time. + + + + + In addition, the -q and -v + options may be repeated to make the output less or more verbose + respectively. The default level of verbosity is determined by the + setting of the VERBOSITY option in + /etc/shorewall/shorewall.conf. +
+ + Following in alphabetical order are the supported commands. + add @@ -489,8 +604,8 @@ check - shorewall [-q] check [ - <configuration-directory> ] + shorewall check [ <configuration-directory> + ] Performs a cursory validation of the zones, interfaces, hosts, rules, policy, masq, blacklist, proxyarp, nat and provider files. @@ -513,6 +628,71 @@ + + compile (Shorewall 3.1 and later) + + + shorewall compile [ -e ] [ -d <distro> ] [ + <directory name> ] <path name> + + Compiles the current configuration into the executable file + <path name>. If <path name> names a file in + /var/lib/shorewall then the file may be executed using the "restore" + command. + + When -e is specified, the compilation is being performed on a + system other than where the compiled script will run. This option + disables certain configuration options that require the script to be + compiled where it is to be run and allows the script to be run on a + system that does not have Shorewall installed at all. The file + /etc/shorewall/capabilities must be present when -e is used; that + file specifies the iptables/kernel capabilities on the target + system. + + When -d <distribution> is given, the script is built for + execution on the distribution specified by <distro>. + Currently, 'suse' is the only valid <distro>. Usually + specified together with -e. + + Example:
+ shorewall compile -ed suse foo +
Additional distributions are expected to be supported + shortly.
+ + The compiled script is a complete program that supports the + following commands: + +
+ + <program> [ -q ] [ -v ] [ -n ] + start + + <program> [ -q ] [ -v ] [ -n ] + stop + + <program> [ -q ] [ -v ] [ -n ] + clear + + <program> [ -q ] [ -v ] [ -n ] + restart + + <program> [ -q ] [ -v ] [ -n ] + status + + <program> [ -q ] [ -v ] [ -n ] + version + +
+ + The options have their same meaning is when they are passed to + /sbin/shorewall itself. + + When the '-e' option is specified during compilation, the + program may be installed in /etc/init.d/ and serve as the firewall + on a system without Shorewall installed. +
+
+ delete @@ -905,7 +1085,7 @@
- Shorewall State Diagram + Shorewall State Diagram (Shorewall 3.0 and earlier) The Shorewall State Diargram is depicted below.
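Review bot: In the hunk that adds the /usr/share/shorewall/compiler entry, the description says the compiler creates a script "to start, stop, restart, restore and clear the firewall", but the compile command section later in this same patch lists the compiled script's commands as start, stop, clear, restart, status and version, with no restore; align the two lists so the file description matches the documented command set (or explain that "restore" refers to running the script via the separate shorewall restore command when it lives in /var/lib/shorewall, as the compile section states).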
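Review bot: The new "compile and go" paragraph covers compilation errors (command aborted, firewall state unchanged) but says nothing about what happens when the compiled script itself fails while executing; the preceding unchanged context ("...that configuration is restored. Otherwise, an implicit shorewall stop is executed.") describes a fallback for start failures, so state explicitly whether that restore / implicit stop behaviour still applies to the compiled script in 3.1. A reader hardening a box needs to know whether a runtime failure can leave the firewall half-configured.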
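Review bot: In the Command Reference hunk, the 3.0 option table says -v "Causes Ethernet MAC addresses to be included in log message displays", while the 3.1 text a few lines later says -q and -v "may be repeated to make the output less or more verbose"; since the same hunk states that 3.1 accepts "all of the 3.0 command options", say explicitly whether -v keeps its MAC-address meaning in 3.1 or has been redefined as a verbosity level, otherwise a reader on 3.1 cannot tell what a repeated -v will do. Three smaller points in the same hunk: the -e paragraph says /etc/shorewall/capabilities "must be present" and "specifies the iptables/kernel capabilities on the target system" but not how that file is produced, so add a sentence saying where it comes from and that it must describe the machine the script will run on rather than the one doing the compiling; the compile section introduces the option as "-d <distribution>" but the synopsis and the next sentence use "<distro>", so pick one placeholder; and "The options have their same meaning is when they are passed to /sbin/shorewall itself" should read "have the same meaning as when". The sentence "Additional distributions are expected to be supported shortly" will go stale in a reference page; drop it or tie it to a release.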
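Review bot: In the State Diagram hunk, the title is qualified as "(Shorewall 3.0 and earlier)" but nothing in the patch says what applies to 3.1, whose start semantics this same patch changes to compile-and-go; add a sentence pointing to the 3.1 behaviour (or a 3.1 diagram) so the section does not simply end at 3.0. While here, the adjacent context line "The Shorewall State Diargram is depicted below." carries a pre-existing typo ("Diagram").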