extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-18 19:48:19 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch '4.5.0'

Browse Source
This commit is contained in:
Tom Eastep 2012-02-11 11:36:38 -08:00
commit 460efbac77
3 changed files with 673 additions and 186 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

369
Shorewall-lite/manpages/shorewall-lite.xml
View File

@ -11,11 +11,27 @@
<refnamediv> <refnamediv>
<refname>shorewall-lite</refname> <refname>shorewall-lite</refname>
<refpurpose>Administration tool for Shoreline Firewall Lite <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall
(Shorewall-lite)</refpurpose> Lite)</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>add</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
@ -37,11 +53,28 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>clear</option></arg> <arg
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>delete</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg <arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -50,7 +83,8 @@
<arg choice="plain"><option>disable</option></arg> <arg choice="plain"><option>disable</option></arg>
<arg choice="plain"><replaceable>interface</replaceable></arg> <arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -63,8 +97,7 @@
<arg choice="plain"><option>drop</option></arg> <arg choice="plain"><option>drop</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> | <arg choice="plain"><replaceable>address</replaceable></arg>
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -78,11 +111,13 @@
<arg><option>-x</option></arg> <arg><option>-x</option></arg>
<arg><option>-l</option></arg>
<arg><option>-m</option></arg> <arg><option>-m</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall-lite</command>
<arg <arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -98,7 +133,8 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
@ -124,7 +160,8 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>hits</option></arg> <arg
choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -158,6 +195,19 @@
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg> choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
@ -198,6 +248,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>noiptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall-lite</command> <command>shorewall-lite</command>
@ -219,8 +282,24 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reset</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall-lite</command>
<arg <arg
choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>restart</option></arg>
<arg><option>-n</option></arg>
<arg><option>-p</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -260,8 +339,10 @@
<arg><option>-x</option></arg> <arg><option>-x</option></arg>
<arg><option>-l</option></arg>
<arg><option>-t</option> <arg><option>-t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>}</arg> {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
<arg><arg><option>chain</option></arg><arg choice="plain" <arg><arg><option>chain</option></arg><arg choice="plain"
rep="repeat"><replaceable>chain</replaceable></arg></arg> rep="repeat"><replaceable>chain</replaceable></arg></arg>
@ -291,7 +372,7 @@
<arg choice="plain"><option>show</option></arg> <arg choice="plain"><option>show</option></arg>
<arg <arg
choice="req"><option>actions|classifiers|connections|config|zones</option></arg> choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -305,7 +386,7 @@
<arg><option>-x</option></arg> <arg><option>-x</option></arg>
<arg choice="req"><option>mangle|nat</option></arg> <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -346,7 +427,7 @@
<arg><option>-n</option></arg> <arg><option>-n</option></arg>
<arg><option>-f</option><arg><option>-p</option></arg></arg> <arg><option>-p</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -377,7 +458,8 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>version</option></arg> <arg
choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -385,7 +467,7 @@
<title>Description</title> <title>Description</title>
<para>The shorewall-lite utility is used to control the Shoreline Firewall <para>The shorewall-lite utility is used to control the Shoreline Firewall
(Shorewall) Lite.</para> Lite (Shorewall Lite).</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
@ -393,12 +475,12 @@
<para>The <option>trace</option> and <option>debug</option> options are <para>The <option>trace</option> and <option>debug</option> options are
used for debugging. See <ulink used for debugging. See <ulink
url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para> url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
<para>The nolock <option>option</option> prevents the command from <para>The nolock <option>option</option> prevents the command from
attempting to acquire the Shorewall Lite lockfile. It is useful if you attempting to acquire the Shorewall-lite lockfile. It is useful if you
need to include <command>shorewall-lite</command> commands in the need to include <command>shorewall</command> commands in
<filename>started</filename> extension script.</para> <filename>/etc/shorewall/started</filename>.</para>
<para>The <emphasis>options</emphasis> control the amount of output that <para>The <emphasis>options</emphasis> control the amount of output that
the command produces. They consist of a sequence of the letters <emphasis the command produces. They consist of a sequence of the letters <emphasis
@ -435,12 +517,12 @@
defined in the <ulink defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are a host or network address.<caution> elements are host or network addresses.<caution>
<para>The <command>add</command> command is not very robust. If <para>The <command>add</command> command is not very robust. If
there are errors in the <replaceable>host-list</replaceable>, there are errors in the <replaceable>host-list</replaceable>,
you may see a large number of error messages yet a subsequent you may see a large number of error messages yet a subsequent
<command>shorewall show zones</command> command will indicate <command>shorewall-lite show zones</command> command will
that all hosts were added. If this happens, replace indicate that all hosts were added. If this happens, replace
<command>add</command> by <command>delete</command> and run the <command>add</command> by <command>delete</command> and run the
same command again. Then enter the correct command.</para> same command again. Then enter the correct command.</para>
</caution></para> </caution></para>
@ -463,10 +545,16 @@
<term><emphasis role="bold">clear</emphasis></term> <term><emphasis role="bold">clear</emphasis></term>
<listitem> <listitem>
<para>Clear will remove all rules and chains installed by Shorewall <para>Clear will remove all rules and chains installed by
Lite. The firewall is then wide open and unprotected. Existing Shorewall-lite. The firewall is then wide open and unprotected.
connections are untouched. Clear is often used to see if the Existing connections are untouched. Clear is often used to see if
firewall is causing connection problems.</para> the firewall is causing connection problems.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -516,8 +604,11 @@
<para>The <emphasis role="bold">-x</emphasis> option causes actual <para>The <emphasis role="bold">-x</emphasis> option causes actual
packet and byte counts to be displayed. Without that option, these packet and byte counts to be displayed. Without that option, these
counts are abbreviated. The <emphasis role="bold">-m</emphasis> counts are abbreviated. The <emphasis role="bold">-m</emphasis>
option causes any MAC addresses included in Shorewall Lite log option causes any MAC addresses included in Shorewall-lite log
messages to be displayed.</para> messages to be displayed.</para>
<para>The <emphasis role="bold">-l</emphasis> option causes the rule
number for each Netfilter rule to be displayed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -541,7 +632,7 @@
and /var/lib/shorewall-lite/save. If no and /var/lib/shorewall-lite/save. If no
<emphasis>filename</emphasis> is given then the file specified by <emphasis>filename</emphasis> is given then the file specified by
RESTOREFILE in <ulink RESTOREFILE in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) is url="shorewall.conf.html">shorewall.conf</ulink>(5) is
assumed.</para> assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -558,8 +649,9 @@
<term><emphasis role="bold">hits</emphasis></term> <term><emphasis role="bold">hits</emphasis></term>
<listitem> <listitem>
<para>Generates several reports from Shorewall Lite log messages in <para>Generates several reports from Shorewall-lite log messages in
the current log file.</para> the current log file. If the <option>-t</option> option is included,
the reports are restricted to log messages generated today.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -582,12 +674,33 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that causes iptables
TRACE log records to be created. See iptables(8) for details.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
Shorewall-lite has no control over where the messages go; consult
your logging daemon's documentation.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term> <term><emphasis role="bold">logdrop</emphasis></term>
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded.</para> to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -595,9 +708,9 @@
<term><emphasis role="bold">logwatch</emphasis></term> <term><emphasis role="bold">logwatch</emphasis></term>
<listitem> <listitem>
<para>Monitors the log file specified by theLOGFILE option in <ulink <para>Monitors the log file specified by the LOGFILE option in
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) and <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
produces an audible alarm when new Shorewall Lite messages are produces an audible alarm when new Shorewall-lite messages are
logged. The <emphasis role="bold">-m</emphasis> option causes the logged. The <emphasis role="bold">-m</emphasis> option causes the
MAC address of each packet source to be displayed if that MAC address of each packet source to be displayed if that
information is available. The information is available. The
@ -615,7 +728,22 @@
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected.</para> to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being
cancelled.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -633,10 +761,10 @@
<listitem> <listitem>
<para>Restart is similar to <emphasis role="bold">shorewall-lite <para>Restart is similar to <emphasis role="bold">shorewall-lite
start</emphasis> but assumes that the firewall is already started. start</emphasis> except that it assumes that the firewall is already
Existing connections are maintained.</para> started. Existing connections are maintained.</para>
<para>The <option>-n</option> option causes Shorewall to avoid <para>The <option>-n</option> option causes Shorewall-lite to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking <para>The <option>-p</option> option causes the connection tracking
@ -649,14 +777,14 @@
<term><emphasis role="bold">restore</emphasis></term> <term><emphasis role="bold">restore</emphasis></term>
<listitem> <listitem>
<para>Restore Shorewall Lite to a state saved using the <emphasis <para>Restore Shorewall-lite to a state saved using the <emphasis
role="bold">shorewall-lite save</emphasis> command. Existing role="bold">shorewall-lite save</emphasis> command. Existing
connections are maintained. The <emphasis>filename</emphasis> names connections are maintained. The <emphasis>filename</emphasis> names
a restore file in /var/lib/shorewall-lite created using <emphasis a restore file in /var/lib/shorewall-lite created using <emphasis
role="bold">shorewall-lite save</emphasis>; if no role="bold">shorewall-lite save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall Lite will be <emphasis>filename</emphasis> is given then Shorewall-lite will be
restored from the file specified by the RESTOREFILE option in <ulink restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -667,11 +795,10 @@
<para>The dynamic blacklist is stored in <para>The dynamic blacklist is stored in
/var/lib/shorewall-lite/save. The state of the firewall is stored in /var/lib/shorewall-lite/save. The state of the firewall is stored in
/var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
<emphasis role="bold">shorewall-lite restore</emphasis> and <emphasis role="bold">shorewall-lite restore</emphasis>. If
<emphasis role="bold">shorewall-lite -f start</emphasis> commands. <emphasis>filename</emphasis> is not given then the state is saved
If <emphasis>filename</emphasis> is not given then the state is in the file specified by the RESTOREFILE option in <ulink
saved in the file specified by the RESTOREFILE option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -683,15 +810,6 @@
arguments:</para> arguments:</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">actions</emphasis></term>
<listitem>
<para>Produces a report about the available actions (built-in,
standard and user-defined).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term><emphasis role="bold">capabilities</emphasis></term>
@ -704,8 +822,8 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis> <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
... ]</term> ]</term>
<listitem> <listitem>
<para>The rules in each <emphasis>chain</emphasis> are <para>The rules in each <emphasis>chain</emphasis> are
@ -721,20 +839,25 @@
Netfilter table to display. The default is <emphasis Netfilter table to display. The default is <emphasis
role="bold">filter</emphasis>.</para> role="bold">filter</emphasis>.</para>
<para>The <emphasis role="bold">-l</emphasis> option causes
the rule number for each Netfilter rule to be
displayed.</para>
<para>If the <emphasis role="bold">t</emphasis> option and the <para>If the <emphasis role="bold">t</emphasis> option and the
<option>chain</option> keyword are both omitted and any of the <option>chain</option> keyword are both omitted and any of the
listed <replaceable>chain</replaceable>s do not exist, a usage listed <replaceable>chain</replaceable>s do not exist, a usage
message will be displayed.</para> message is displayed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">classifiers</emphasis></term> <term><emphasis
role="bold">classifiers|filters</emphasis></term>
<listitem> <listitem>
<para>Displays information about the packet classifiers <para>Displays information about the packet classifiers
defined on the system 10-080213-8397as a result of traffic defined on the system as a result of traffic shaping
shaping configuration.</para> configuration.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -756,15 +879,44 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">mangle</emphasis></term> <term><emphasis role="bold">ip</emphasis></term>
<listitem> <listitem>
<para>Displays the Netfilter mangle table using the command <para>Displays the system's IPv4 configuration.</para>
<emphasis role="bold">iptables -t mangle -L -n </listitem>
-v</emphasis>.The <emphasis role="bold">-x</emphasis> option </varlistentry>
is passed directly through to iptables and causes actual
packet and byte counts to be displayed. Without this option, <varlistentry>
those counts are abbreviated.</para> <term><emphasis role="bold">ipa</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.17. Displays the per-IP
accounting counters (<ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">log</emphasis></term>
<listitem>
<para>Displays the last 20 Shorewall-lite messages from the
log file specified by the LOGFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). The
<emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">marks</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.26. Displays the various fields
in packet marks giving the min and max value (in both decimal
and hex) and the applicable mask (in hex).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -781,6 +933,39 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">policies</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.4. Displays the applicable policy
between each pair of zones. Note that implicit intrazone
ACCEPT policies are not displayed for zones associated with a
single network where that network doesn't specify
<option>routeback</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routing</emphasis></term>
<listitem>
<para>Displays the system's IPv4 routing configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">raw</emphasis></term>
<listitem>
<para>Displays the Netfilter raw table using the command
<emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
<emphasis role="bold">-x</emphasis> option is passed directly
through to iptables and causes actual packet and byte counts
to be displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">tc</emphasis></term> <term><emphasis role="bold">tc</emphasis></term>
@ -794,8 +979,8 @@
<term><emphasis role="bold">zones</emphasis></term> <term><emphasis role="bold">zones</emphasis></term>
<listitem> <listitem>
<para>Displays the current composition of the Shorewall Lite <para>Displays the current composition of the Shorewall zones
zones on the system.</para> on the system.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -806,17 +991,10 @@
<term><emphasis role="bold">start</emphasis></term> <term><emphasis role="bold">start</emphasis></term>
<listitem> <listitem>
<para>Start shorewall Lite. Existing connections through <para>Start Shorewall Lite. Existing connections through
shorewall-lite managed interfaces are untouched. New connections shorewall-lite managed interfaces are untouched. New connections
will be allowed only if they are allowed by the firewall rules or will be allowed only if they are allowed by the firewall rules or
policies. If <emphasis role="bold">-f</emphasis> is specified, the policies.</para>
saved configuration specified by the RESTOREFILE option in <ulink
url="shorewall-lite.conf.html">shorewall-lite.conf</ulink>(5) will
be restored if that saved configuration exists and has been modified
more recently than the files in /etc/shorewall.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking <para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must table to be flushed; the <command>conntrack</command> utility must
@ -831,11 +1009,18 @@
<para>Stops the firewall. All existing connections, except those <para>Stops the firewall. All existing connections, except those
listed in <ulink listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5) url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5), or permitted by the ADMINISABSENTMINDED option in <ulink
are taken down. The only new traffic permitted through the firewall url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
is from systems listed in <ulink The only new traffic permitted through the firewall is from systems
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5) url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para> or by ADMINISABSENTMINDED.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -852,7 +1037,9 @@
<term><emphasis role="bold">version</emphasis></term> <term><emphasis role="bold">version</emphasis></term>
<listitem> <listitem>
<para>Displays Shorewall-lite's version.</para> <para>Displays Shorewall's version. The <option>-a</option> option
is included for compatibility with earlier Shorewall releases and is
ignored.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -871,13 +1058,13 @@
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para> url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
<para>shorewall-accounting(5), shorewall-actions(5), <para>shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-zones(5)</para> shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>

17
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -5856,11 +5856,14 @@ sub copy_options( $ ) {
# #
# This function is called after the blacklist rules have been added to the canonical chains. It # This function is called after the blacklist rules have been added to the canonical chains. It
# either copies the relevant interface option rules into each canonocal chain, or it inserts one # either copies the relevant interface option rules into each canonocal chain, or it inserts one
# or more jumps to the relevant option chains. # or more jumps to the relevant option chains. The argument indicates whether blacklist rules are
# present.
# #
sub add_interface_options( $ ) { sub add_interface_options( $ ) {
if ( $_[0] ) { if ( $_[0] ) {
#
# We have blacklist rules.
my %input_chains; my %input_chains;
my %forward_chains; my %forward_chains;
@ -5887,7 +5890,7 @@ sub add_interface_options( $ ) {
$chainref->{digest} = sha1 $digest; $chainref->{digest} = sha1 $digest;
} }
# #
# Insert all interface option rules into the rules chains # Insert jumps to the interface chains into the rules chains
# #
for my $zone1 ( off_firewall_zones ) { for my $zone1 ( off_firewall_zones ) {
my @input_interfaces = keys %{zone_interfaces( $zone1 )}; my @input_interfaces = keys %{zone_interfaces( $zone1 )};
@ -5927,7 +5930,9 @@ sub add_interface_options( $ ) {
@forward_interfaces = ( $forward_interfaces[0] ); @forward_interfaces = ( $forward_interfaces[0] );
} }
} }
#
# Now insert the jumps
#
for my $zone2 ( all_zones ) { for my $zone2 ( all_zones ) {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
my $chain1ref; my $chain1ref;
@ -5962,7 +5967,9 @@ sub add_interface_options( $ ) {
} }
} }
} }
#
# Now take care of jumps to the interface output option chains
#
for my $zone1 ( firewall_zone, vserver_zones ) { for my $zone1 ( firewall_zone, vserver_zones ) {
for my $zone2 ( off_firewall_zones ) { for my $zone2 ( off_firewall_zones ) {
my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )}; my $chainref = $filter_table->{rules_chain( $zone1, $zone2 )};
@ -5981,7 +5988,7 @@ sub add_interface_options( $ ) {
} }
} else { } else {
# #
# Simply move the option chain rules to the interface chains # No Blacklisting - simply move the option chain rules to the interface chains
# #
for my $interface ( all_real_interfaces ) { for my $interface ( all_real_interfaces ) {
my $chainref; my $chainref;

473
Shorewall6-lite/manpages/shorewall6-lite.xml
View File

@ -11,11 +11,27 @@
<refnamediv> <refnamediv>
<refname>shorewall6-lite</refname> <refname>shorewall6-lite</refname>
<refpurpose>Administration tool for Shoreline Firewall 6 Lite <refpurpose>Administration tool for Shoreline 6 Firewall Lite (Shorewall6
(Shorewall6-lite)</refpurpose> Lite)</refpurpose>
</refnamediv> </refnamediv>
<refsynopsisdiv> <refsynopsisdiv>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>add</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@ -37,11 +53,28 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>clear</option></arg> <arg
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>delete</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg <arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -78,11 +111,13 @@
<arg><option>-x</option></arg> <arg><option>-x</option></arg>
<arg><option>-l</option></arg>
<arg><option>-m</option></arg> <arg><option>-m</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall</command> <command>shorewall6-lite</command>
<arg <arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
@ -98,7 +133,8 @@
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
@ -124,7 +160,52 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>hits</option></arg> <arg
choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>ipcalc</option></arg>
<group choice="req">
<arg choice="plain"><replaceable>address</replaceable>
<replaceable>mask</replaceable></arg>
<arg
choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
</group>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iprange</option></arg>
<arg
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -167,6 +248,19 @@
<arg choice="plain"><replaceable>address</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>noiptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
<command>shorewall6-lite</command> <command>shorewall6-lite</command>
@ -188,8 +282,24 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reset</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg <arg
choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg> choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>restart</option></arg>
<arg><option>-n</option></arg>
<arg><option>-p</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -229,8 +339,10 @@
<arg><option>-x</option></arg> <arg><option>-x</option></arg>
<arg><option>-l</option></arg>
<arg><option>-t</option> <arg><option>-t</option>
{<option>filter</option>|<option>mangle</option>|<option>raw</option>}</arg> {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
<arg><arg><option>chain</option></arg><arg choice="plain" <arg><arg><option>chain</option></arg><arg choice="plain"
rep="repeat"><replaceable>chain</replaceable></arg></arg> rep="repeat"><replaceable>chain</replaceable></arg></arg>
@ -260,7 +372,7 @@
<arg choice="plain"><option>show</option></arg> <arg choice="plain"><option>show</option></arg>
<arg <arg
choice="req"><option>actions|classifiers|connections|config|zones</option></arg> choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -274,7 +386,7 @@
<arg><option>-x</option></arg> <arg><option>-x</option></arg>
<arg choice="plain"><option>mangle</option></arg> <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -311,8 +423,11 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg <arg choice="plain"><option>start</option></arg>
choice="plain"><option>start</option><arg>-<option>n</option></arg><arg>-<option>p</option></arg><arg>-<option>f</option></arg></arg>
<arg><option>-n</option></arg>
<arg><option>-p</option></arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis> <cmdsynopsis>
@ -343,7 +458,8 @@
<arg>-<replaceable>options</replaceable></arg> <arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>version</option></arg> <arg
choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
</cmdsynopsis> </cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -351,7 +467,7 @@
<title>Description</title> <title>Description</title>
<para>The shorewall6-lite utility is used to control the Shoreline <para>The shorewall6-lite utility is used to control the Shoreline
Firewall 6 (Shorewall6) Lite.</para> Firewall Lite (Shorewall Lite).</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
@ -359,19 +475,19 @@
<para>The <option>trace</option> and <option>debug</option> options are <para>The <option>trace</option> and <option>debug</option> options are
used for debugging. See <ulink used for debugging. See <ulink
url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para> url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
<para>The nolock <option>option</option> prevents the command from <para>The nolock <option>option</option> prevents the command from
attempting to acquire the Shorewall6 Lite lockfile. It is useful if you attempting to acquire the shorewall6-lite lockfile. It is useful if you
need to include <command>shorewall6-lite</command> commands in the need to include <command>shorewall</command> commands in
<filename>started</filename> extension script.</para> <filename>/etc/shorewall/started</filename>.</para>
<para>The <emphasis>options</emphasis> control the amount of output that <para>The <emphasis>options</emphasis> control the amount of output that
the command produces. They consist of a sequence of the letters <emphasis the command produces. They consist of a sequence of the letters <emphasis
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink the VERBOSITY parameter in <ulink
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis url="shorewall.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective <emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
@ -390,6 +506,29 @@
<para>The available commands are listed below.</para> <para>The available commands are listed below.</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">add</emphasis></term>
<listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used
with VPN's.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are host or network addresses.<caution>
<para>The <command>add</command> command is not very robust. If
there are errors in the <replaceable>host-list</replaceable>,
you may see a large number of error messages yet a subsequent
<command>shorewall6-lite show zones</command> command will
indicate that all hosts were added. If this happens, replace
<command>add</command> by <command>delete</command> and run the
same command again. Then enter the correct command.</para>
</caution></para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">allow</emphasis></term> <term><emphasis role="bold">allow</emphasis></term>
@ -406,10 +545,31 @@
<term><emphasis role="bold">clear</emphasis></term> <term><emphasis role="bold">clear</emphasis></term>
<listitem> <listitem>
<para>Clear will remove all rules and chains installed by Shorewall6 <para>Clear will remove all rules and chains installed by
Lite. The firewall is then wide open and unprotected. Existing shorewall6-lite. The firewall is then wide open and unprotected.
connections are untouched. Clear is often used to see if the Existing connections are untouched. Clear is often used to see if
firewall is causing connection problems.</para> the firewall is causing connection problems.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete</emphasis></term>
<listitem>
<para>The delete command reverses the effect of an earlier <emphasis
role="bold">add</emphasis> command.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are a host or network address.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -444,8 +604,11 @@
<para>The <emphasis role="bold">-x</emphasis> option causes actual <para>The <emphasis role="bold">-x</emphasis> option causes actual
packet and byte counts to be displayed. Without that option, these packet and byte counts to be displayed. Without that option, these
counts are abbreviated. The <emphasis role="bold">-m</emphasis> counts are abbreviated. The <emphasis role="bold">-m</emphasis>
option causes any MAC addresses included in Shorewall6 Lite log option causes any MAC addresses included in shorewall6-lite log
messages to be displayed.</para> messages to be displayed.</para>
<para>The <emphasis role="bold">-l</emphasis> option causes the rule
number for each Netfilter rule to be displayed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -469,7 +632,7 @@
and /var/lib/shorewall6-lite/save. If no and /var/lib/shorewall6-lite/save. If no
<emphasis>filename</emphasis> is given then the file specified by <emphasis>filename</emphasis> is given then the file specified by
RESTOREFILE in <ulink RESTOREFILE in <ulink
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) is url="shorewall.conf.html">shorewall6.conf</ulink>(5) is
assumed.</para> assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -486,8 +649,47 @@
<term><emphasis role="bold">hits</emphasis></term> <term><emphasis role="bold">hits</emphasis></term>
<listitem> <listitem>
<para>Generates several reports from Shorewall6 Lite log messages in <para>Generates several reports from shorewall6-lite log messages in
the current log file.</para> the current log file. If the <option>-t</option> option is included,
the reports are restricted to log messages generated today.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipcalc</emphasis></term>
<listitem>
<para>Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the
input[s].</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iprange</emphasis></term>
<listitem>
<para>Iprange decomposes the specified range of IP addresses into
the equivalent list of network/host addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that causes iptables
TRACE log records to be created. See iptables(8) for details.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
shorewall6-lite has no control over where the messages go; consult
your logging daemon's documentation.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -496,7 +698,9 @@
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded.</para> to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -504,9 +708,9 @@
<term><emphasis role="bold">logwatch</emphasis></term> <term><emphasis role="bold">logwatch</emphasis></term>
<listitem> <listitem>
<para>Monitors the log file specified by theLOGFILE option in <ulink <para>Monitors the log file specified by the LOGFILE option in
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) and <ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5) and
produces an audible alarm when new Shorewall6 Lite messages are produces an audible alarm when new shorewall6-lite messages are
logged. The <emphasis role="bold">-m</emphasis> option causes the logged. The <emphasis role="bold">-m</emphasis> option causes the
MAC address of each packet source to be displayed if that MAC address of each packet source to be displayed if that
information is available. The information is available. The
@ -524,7 +728,22 @@
<listitem> <listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es <para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected.</para> to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink> (5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being
cancelled.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -542,10 +761,10 @@
<listitem> <listitem>
<para>Restart is similar to <emphasis role="bold">shorewall6-lite <para>Restart is similar to <emphasis role="bold">shorewall6-lite
stop</emphasis> followed by <emphasis role="bold">shorewall6-lite start</emphasis> except that it assumes that the firewall is already
start</emphasis>. Existing connections are maintained.</para> started. Existing connections are maintained.</para>
<para>The <option>-n</option> option causes Shorewall6 to avoid <para>The <option>-n</option> option causes shorewall6-lite to avoid
updating the routing table(s).</para> updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking <para>The <option>-p</option> option causes the connection tracking
@ -558,14 +777,14 @@
<term><emphasis role="bold">restore</emphasis></term> <term><emphasis role="bold">restore</emphasis></term>
<listitem> <listitem>
<para>Restore Shorewall6 Lite to a state saved using the <emphasis <para>Restore shorewall6-lite to a state saved using the <emphasis
role="bold">shorewall6-lite save</emphasis> command. Existing role="bold">shorewall6-lite save</emphasis> command. Existing
connections are maintained. The <emphasis>filename</emphasis> names connections are maintained. The <emphasis>filename</emphasis> names
a restore file in /var/lib/shorewall6-lite created using <emphasis a restore file in /var/lib/shorewall6-lite created using <emphasis
role="bold">shorewall6-lite save</emphasis>; if no role="bold">shorewall6-lite save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall6 Lite will be <emphasis>filename</emphasis> is given then shorewall6-lite will be
restored from the file specified by the RESTOREFILE option in <ulink restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para> url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -576,11 +795,10 @@
<para>The dynamic blacklist is stored in <para>The dynamic blacklist is stored in
/var/lib/shorewall6-lite/save. The state of the firewall is stored /var/lib/shorewall6-lite/save. The state of the firewall is stored
in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by
the <emphasis role="bold">shorewall6-lite restore</emphasis> and the <emphasis role="bold">shorewall6-lite restore</emphasis>. If
<emphasis role="bold">shorewall6-lite -f start</emphasis> commands. <emphasis>filename</emphasis> is not given then the state is saved
If <emphasis>filename</emphasis> is not given then the state is in the file specified by the RESTOREFILE option in <ulink
saved in the file specified by the RESTOREFILE option in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -592,15 +810,6 @@
arguments:</para> arguments:</para>
<variablelist> <variablelist>
<varlistentry>
<term><emphasis role="bold">actions</emphasis></term>
<listitem>
<para>Produces a report about the available actions (built-in,
standard and user-defined).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term> <term><emphasis role="bold">capabilities</emphasis></term>
@ -613,12 +822,12 @@
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis> <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
... ]</term> ]</term>
<listitem> <listitem>
<para>The rules in each <emphasis>chain</emphasis> are <para>The rules in each <emphasis>chain</emphasis> are
displayed using the <emphasis role="bold">ip6tables displayed using the <emphasis role="bold">iptables
-L</emphasis> <emphasis>chain</emphasis> <emphasis -L</emphasis> <emphasis>chain</emphasis> <emphasis
role="bold">-n -v</emphasis> command. If no role="bold">-n -v</emphasis> command. If no
<emphasis>chain</emphasis> is given, all of the chains in the <emphasis>chain</emphasis> is given, all of the chains in the
@ -630,15 +839,20 @@
Netfilter table to display. The default is <emphasis Netfilter table to display. The default is <emphasis
role="bold">filter</emphasis>.</para> role="bold">filter</emphasis>.</para>
<para>The <emphasis role="bold">-l</emphasis> option causes
the rule number for each Netfilter rule to be
displayed.</para>
<para>If the <emphasis role="bold">t</emphasis> option and the <para>If the <emphasis role="bold">t</emphasis> option and the
<option>chain</option> keyword are both omitted and any of the <option>chain</option> keyword are both omitted and any of the
listed <replaceable>chain</replaceable>s do not exist, a usage listed <replaceable>chain</replaceable>s do not exist, a usage
message will be displayed.</para> message is displayed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">classifiers</emphasis></term> <term><emphasis
role="bold">classifiers|filters</emphasis></term>
<listitem> <listitem>
<para>Displays information about the packet classifiers <para>Displays information about the packet classifiers
@ -659,21 +873,96 @@
<term><emphasis role="bold">connections</emphasis></term> <term><emphasis role="bold">connections</emphasis></term>
<listitem> <listitem>
<para>Displays the IPv6 connections currently being tracked by <para>Displays the IP connections currently being tracked by
the firewall.</para> the firewall.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
<term><emphasis role="bold">mangle</emphasis></term> <term><emphasis role="bold">ip</emphasis></term>
<listitem> <listitem>
<para>Displays the Netfilter mangle table using the command <para>Displays the system's IPv4 configuration.</para>
<emphasis role="bold">ip6tables -t mangle -L -n </listitem>
-v</emphasis>.The <emphasis role="bold">-x</emphasis> option </varlistentry>
is passed directly through to iptables and causes actual
packet and byte counts to be displayed. Without this option, <varlistentry>
those counts are abbreviated.</para> <term><emphasis role="bold">ipa</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.17. Displays the per-IP
accounting counters (<ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">log</emphasis></term>
<listitem>
<para>Displays the last 20 shorewall6-lite messages from the
log file specified by the LOGFILE option in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5). The
<emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">marks</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.26. Displays the various fields
in packet marks giving the min and max value (in both decimal
and hex) and the applicable mask (in hex).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nat</emphasis></term>
<listitem>
<para>Displays the Netfilter nat table using the command
<emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
<emphasis role="bold">-x</emphasis> option is passed directly
through to iptables and causes actual packet and byte counts
to be displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">policies</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.4. Displays the applicable policy
between each pair of zones. Note that implicit intrazone
ACCEPT policies are not displayed for zones associated with a
single network where that network doesn't specify
<option>routeback</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routing</emphasis></term>
<listitem>
<para>Displays the system's IPv4 routing configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">raw</emphasis></term>
<listitem>
<para>Displays the Netfilter raw table using the command
<emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
<emphasis role="bold">-x</emphasis> option is passed directly
through to iptables and causes actual packet and byte counts
to be displayed. Without this option, those counts are
abbreviated.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -690,8 +979,8 @@
<term><emphasis role="bold">zones</emphasis></term> <term><emphasis role="bold">zones</emphasis></term>
<listitem> <listitem>
<para>Displays the current composition of the Shorewall6 Lite <para>Displays the current composition of the Shorewall zones
zones on the system.</para> on the system.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -702,17 +991,10 @@
<term><emphasis role="bold">start</emphasis></term> <term><emphasis role="bold">start</emphasis></term>
<listitem> <listitem>
<para>Start shorewall6 Lite. Existing connections through <para>Start Shorewall Lite. Existing connections through
shorewall6-lite managed interfaces are untouched. New connections shorewall6-lite managed interfaces are untouched. New connections
will be allowed only if they are allowed by the firewall rules or will be allowed only if they are allowed by the firewall rules or
policies. If <emphasis role="bold">-f</emphasis> is specified, the policies.</para>
saved configuration specified by the RESTOREFILE option in <ulink
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) will
be restored if that saved configuration exists and has been modified
more recently than the files in /etc/shorewall6.</para>
<para>The <option>-n</option> option causes Shorewall6 to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking <para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must table to be flushed; the <command>conntrack</command> utility must
@ -726,12 +1008,19 @@
<listitem> <listitem>
<para>Stops the firewall. All existing connections, except those <para>Stops the firewall. All existing connections, except those
listed in <ulink listed in <ulink
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5) url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in or permitted by the ADMINISABSENTMINDED option in <ulink
shorewall6.conf(5), are taken down. The only new traffic permitted url="shorewall.conf.html">shorewall6.conf</ulink>(5), are taken
through the firewall is from systems listed in <ulink down. The only new traffic permitted through the firewall is from
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5) systems listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para> or by ADMINISABSENTMINDED.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -740,7 +1029,7 @@
<listitem> <listitem>
<para>Produces a short report about the state of the <para>Produces a short report about the state of the
Shorewall6-configured firewall.</para> Shorewall-configured firewall.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@ -748,7 +1037,9 @@
<term><emphasis role="bold">version</emphasis></term> <term><emphasis role="bold">version</emphasis></term>
<listitem> <listitem>
<para>Displays Shorewall6-lite's version.</para> <para>Displays Shorewall's version. The <option>-a</option> option
is included for compatibility with earlier Shorewall releases and is
ignored.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
</variablelist> </variablelist>
@ -764,14 +1055,16 @@
<title>See ALSO</title> <title>See ALSO</title>
<para><ulink <para><ulink
url="http://www.shorewall.net/starting_and_stopping_shorewall6.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para> url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
<para>shorewall6-accounting(5), shorewall6-actions(5), <para>shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), shorewall6-blacklist(5), shorewall6-hosts(5), shorewall_interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5), shorewall6-ipsets(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-providers(5), shorewall6-route_rules(5), shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para> shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1> </refsect1>
</refentry> </refentry>