From 90846ee68334b85eacb8c61912a2115508cf849d Mon Sep 17 00:00:00 2001 From: teastep Date: Thu, 16 Nov 2006 21:21:03 +0000 Subject: [PATCH] More work on the 'shorewall' man page git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4898 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- manpages/shorewall.xml | 410 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 387 insertions(+), 23 deletions(-) diff --git a/manpages/shorewall.xml b/manpages/shorewall.xml index 52cbdbfe5..5fb30738b 100644 --- a/manpages/shorewall.xml +++ b/manpages/shorewall.xml @@ -104,6 +104,8 @@ dump + + @@ -155,7 +157,7 @@ ipcalc - + address mask address/vlsm @@ -269,9 +271,9 @@ -options - save-restart + restore - filename + filename @@ -279,9 +281,15 @@ -options - save-start + safe-restart + - filename + + shorewall + + -options + + safe-start @@ -428,23 +436,20 @@ Commands - The available commands are listed below. The available - command-options and - command-arguments are listed with each - command. + The available commands are listed below. - add - interface[:host-list] ... - zone + add Adds a list of hosts or subnets to a dynamic zone usually used with VPN's. - A host-list is the name of an interface - followed by a comma-separated list whose elements are: + The interface argument names an interface + defined in the shorewall-interfaces(5) file. A + host-list is comma-separated list whose + elements are: A host or network address The name of a bridge port @@ -453,8 +458,7 @@ - allow - address ... + allow Re-enables receipt of packets from hosts previously @@ -466,8 +470,7 @@ - check [ -e ] [ directory ] + check Compiles the configuraton in the specified @@ -484,7 +487,7 @@ - clear + clear Clear will remove all rules and chains installed by Shorewall. 
@@ -495,11 +498,372 @@ - compile [ -e ] [ directory ] - filename + compile - + Compiles the current configuration into the executable file + pathname. If a directory is supplied, Shorewall + will look in that directory first for configuration files. + + When -e is specified, the compilation is being performed on a + system other than where the compiled script will run. This option + disables certain configuration options that require the script to be + compiled where it is to be run. The use of -e requires the presense + of a configuration file named capabilities which may be produced + using the command shorewall-lite show -f + capabilities > capabities on a system with Shorewall + Lite installed + + + + + delete + + + The delete command reverses the effect of an earlier add command. + + + + + drop + + + Causes traffic from the listed addresses + to be silently dropped. + + + + + dump + + + Produces a verbose report about the firewall configuration for + the purpose of problem analysis. + + The -x option causes actual + packet and byte counts to be displayed. Without that option, these + counts are abbreviated. The -m + option causes any MAC addresses included in Shorewall log messages + to be displayed. + + + + + export + + + If directory1 is omitted, the current + working directory is assumed. + + Allows a non-root user to compile a shorewall script and stage + it on a system (provided that the user has access to the system via + ssh). The command is equivalent to: + + /sbin/shorewall compile -e directory1 directory1/firewall &&\ + scp directory1/firewall directory1/firewall.conf [user@]system:[directory2] + + In other words, the configuration in the specified (or + defaulted) directory is compiled to a file called firewall in that + directory. If compilation succeeds, then firewall and firewall.conf + are copied to system using scp. + + + + + forget + + + Deletes /var/lib/shorewall/filename and + /var/lib/shorewall/save. 
If no filename is + given then the file specified by RESTOREFILE in shorewall.conf(5) is + assumed. + + + + + help + + + Displays information about a particular + command. If no command is + given, a syntax summary is displayed. + + + + + hits + + + Generates several reports from Shorewall log messages in the + current log file. + + + + + ipcalc + + + Ipcalc displays the network address, broadcast address, + network in CIDR notation and netmask corresponding to the + input[s]. + + + + + iprange + + + Iprange decomposes the specified range of IP addresses into + the equivalent list of network/host addresses. + + + + + load + + + If directory is omitted, the current + working directory is assumed. Allows a non-root user to compile a + shorewall script and install it on a system (provided that the user + has root access to the system via ssh). The command is equivalent + to: + + /sbin/shorewall compile -e directory directory/firewall &&\ + scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\ + ssh root@system '/sbin/shorewall-lite start' + + In other words, the configuration in the specified (or + defaulted) directory is compiled to a file called firewall in that + directory. If compilation succeeds, then firewall is copied to + system using scp. If the copy succeeds, + Shorewall Lite on system is started via + ssh. + + If -s is specified and the + start command succeeds, then the + remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh. + + if -c is included, the + command shorewall-lite show capabilities -f + > /var/lib/shorewall-lite/capabilities is executed via + ssh then the generated file is copied to + directory using scp. This step is performed + before the configuration is compiled. + + + + + logdrop + + + Causes traffic from the listed addresses + to be logged then discarded. 
+ + + + + logwatch + + + Monitors the log file specified by theLOGFILE option in + shorewall.conf(5) and produces an audible alarm when new Shorewall + messages are logged. The -m option + causes the MAC address of each packet source to be displayed if that + information is available. + + + + + logreject + + + Causes traffic from the listed addresses + to be logged then rejected. + + + + + refresh + + + The rules involving the the black list, ECN control rules, and + traffic shaping are recreated to reflect any changes made to your + configuration files. Existing connections are untouched. + + + + + reload + + + If directory is omitted, the current + working directory is assumed. Allows a non-root user to compile a + shorewall script and install it on a system (provided that the user + has root access to the system via ssh). The command is equivalent + to: + + /sbin/shorewall compile -e directory directory/firewall &&\ + scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\ + ssh root@system '/sbin/shorewall-lite restart' + + In other words, the configuration in the specified (or + defaulted) directory is compiled to a file called firewall in that + directory. If compilation succeeds, then firewall is copied to + system using scp. If the copy succeeds, + Shorewall Lite on system is restarted via + ssh. + + If -s is specified and the + restart command succeeds, then the + remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh. + + if -c is included, the + command shorewall-lite show capabilities -f + > /var/lib/shorewall-lite/capabilities is executed via + ssh then the generated file is copied to + directory using scp. This step is performed + before the configuration is compiled. + + + + + reset + + + All the packet and byte counters in the firewall are + reset. + + + + + restart + + + Restart is similar to shorewall + stop followed by shorewall + start. Existing connections are maintained. 
If a + directory is included in the command, Shorewall + will look in that directory first for + configuration files. + + + + + restore + + + Restore Shorewall to a state saved using the shorewall save command. Existing connections + are maintained. The filename names a restore + file in /var/lib/shorewall created using shorewall save; if no + filename is given then Shorewall will be + restored from the file specified by the RESTOREFILE option in + shorewall.conf(5). + + + + + safe-restart + + + Only allowed if Shorewall is running. The current + configuration is saved in /var/lib/shorewall/safe-restart (see the + save command below) then a shorewall + restart is done. You will then be prompted asking if you + want to accept the new configuration or not. If you answer "n" or if + you fail to answer within 60 seconds (such as when your new + configuration has disabled communication with your terminal), the + configuration is restored from the saved configuration. + + + + + safe-start + + + Shorewall is started normally. You will then be prompted + asking if everything went all right. If you answer "n" or if you + fail to answer within 60 seconds (such as when your new + configuration has disabled communication with your terminal), a + shorewall clear is performed for you. + + + + + save + + + The dynamic blacklist is stored in /var/lib/shorewall/save. + The state of the firewall is stored in + /var/lib/shorewall/filename for use by the + shorewall restore and shorewall -f start commands. If + filename is not given then the state is saved + in the file specified by the RESTOREFILE option in + shorewall.conf(5). + + + + + show + + + The show command can have a number of different + arguments: + + + + [ chain ] ... + + + Using the iptables -L + chain -n + -v command, the rules in each + chain are displayed. If no + chain is given, all of the chains in the + filter table are displayed. The -x option is passed directly through to + iptables. 
+ + + + + capabilities + + + Displays your kernel/iptables capabilities. The + -f option causes the display + to be formatted as a capabilities file for use with compile -e. + + + + + connections + + + Displays the IP connections currently being tracked by + the firewall. + + + @@ -514,7 +878,7 @@ See ALSO - shorewall(8), shorewall-accounting(5), shorewall-actions(5), + shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
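Review bot: in the @@ -269,9 +271,9 @@ synopsis hunk the restore entry keeps a filename operand, but the restore description further down says filename is optional and falls back to RESTOREFILE in shorewall.conf(5); make sure the synopsis marks filename as optional so the two agree.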
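Review bot: in the @@ -279,9 +281,15 @@ synopsis hunk both safe-restart and the newly added safe-start are shown with -options, yet the Commands entries for safe-restart and safe-start document no option at all; either list the accepted options in those descriptions or drop -options from the synopsis for them.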
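Review bot: in the @@ -428,23 +436,20 @@ hunk the new add description reads "A host-list is comma-separated list", which is missing an article ("is a comma-separated list"). The removed synopsis line also showed a trailing zone operand; the new prose names interface and host-list but never says which argument selects the dynamic zone, so add a sentence for zone.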
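Review bot: while touching the check header in the @@ -466,8 +470,7 @@ hunk, fix the typo in the adjacent context line "Compiles the configuraton in the specified" ("configuration").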
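Review bot: the clear description in the @@ -484,7 +487,7 @@ hunk says only that all Shorewall rules and chains are removed; since safe-start falls back to shorewall clear when the user does not confirm within 60 seconds, the entry should spell out that the host is left without Shorewall filtering afterwards so the reader understands what that fallback means.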
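Review bot: the large @@ -495,11 +498,372 @@ hunk has several text defects to fix before merge: in compile, "presense" should be "presence", the sample command "shorewall-lite show -f capabilities > capabities" redirects to a misspelled file although the preceding sentence requires a file named capabilities, and the sentence ending "with Shorewall Lite installed" lacks a period; in refresh, "the the black list" doubles the article; in logwatch, "theLOGFILE option" needs a space; in load and reload, "if -c is included" starts a sentence in lower case. Two consistency points as well: the load and reload prose says "firewall is copied to system using scp" while the quoted command copies both firewall and firewall.conf, so say so (export already does); and the drop, logdrop, logreject and allow entries never mention that they act on the dynamic blacklist which the save entry says is stored in /var/lib/shorewall/save, so a cross-reference would help. Finally, reload repeats the load text almost verbatim apart from start versus restart; consider having reload refer to load and state only the difference.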
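Review bot: dropping shorewall(8) from its own See Also list in the @@ -514,7 +878,7 @@ hunk is correct; while here, the heading in the context line reads "See ALSO" and should be normalized to "See Also" to match the other section titles.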