From f88c54ae33bc8e6b3c7053f571d2b16c860dd728 Mon Sep 17 00:00:00 2001 From: teastep Date: Mon, 29 Dec 2003 00:10:15 +0000 Subject: [PATCH] Update command page git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1016 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb --- .../starting_and_stopping_shorewall.xml | 203 +++++++++--------- 1 file changed, 107 insertions(+), 96 deletions(-) diff --git a/Shorewall-docs/starting_and_stopping_shorewall.xml b/Shorewall-docs/starting_and_stopping_shorewall.xml index 84e1fbc23..0d39d04cc 100755 --- a/Shorewall-docs/starting_and_stopping_shorewall.xml +++ b/Shorewall-docs/starting_and_stopping_shorewall.xml @@ -15,7 +15,7 @@ - 2003-12-12 + 2003-12-28 2001-2003 @@ -39,11 +39,12 @@ If you have a permanent internet connection such as DSL or Cable, I recommend that you start the firewall automatically at boot. Once you have installed firewall in your init.d directory, simply type - chkconfig --add firewall. This will start the firewall in - run levels 2-5 and stop it in run levels 1 and 6. If you want to configure - your firewall differently from this default, you can use the - --level option in chkconfig (see man chkconfig) - or using your favorite graphical run-level editor. + chkconfig --add firewall. + This will start the firewall in run levels 2-5 and stop it in run levels 1 + and 6. If you want to configure your firewall differently from this + default, you can use the --level option in chkconfig (see + man chkconfig) or using your favorite graphical run-level + editor. 
@@ -56,24 +57,24 @@ If you use dialup, you may want to start the firewall in your - /etc/ppp/ip-up.local script. I recommend just placing - shorewall restart in that script. + /etc/ppp/ip-up.local script. I recommend just + placing shorewall restart in that script. You can manually start and stop Shoreline Firewall using the - shorewall shell program. Please refer to the Shorewall - State Diagram as shown at the bottom of this page. + shorewall shell program. Please refer to the + Shorewall State Diagram as shown at the bottom of this page. - shorewall start - starts the firewall + shorewall start - starts the firewall - shorewall stop - stops the firewall; the only traffic permitted - through the firewall is from systems listed in + shorewall stop - stops the firewall; the only + traffic permitted through the firewall is from systems listed in /etc/shorewall/routestopped (Beginning with version 1.4.7, if ADMINISABSENTMINDED=Yes in /etc/shorewall/shorewall.conf then in addition, all existing connections are permitted and any new 
@@ -81,114 +82,118 @@ - shorewall restart - stops the firewall (if it's running) and - then starts it again + shorewall restart - stops the firewall (if + it's running) and then starts it again - shorewall reset - reset the packet and byte counters in the - firewall + shorewall reset - reset the packet and byte + counters in the firewall - shorewall clear - remove all rules and chains installed by - Shoreline Firewall. The firewall is wide open + shorewall clear - remove all rules and chains + installed by Shoreline Firewall. The firewall is wide open - shorewall refresh - refresh the rules involving the broadcast - addresses of firewall interfaces, the black list, traffic control - rules and ECN control rules. + shorewall refresh - refresh the rules + involving the broadcast addresses of firewall interfaces, the black + list, traffic control rules and ECN control rules. If you include the keyword debug as the first argument, then a shell trace of the command is produced as in: - shorewall debug start 2> /tmp/traceThe + shorewall debug start 2> /tmp/traceThe above command would trace the start command and place the trace information in the file /tmp/trace Beginning with version 1.4.7, shorewall can give detailed help about - each of its commands: shorewall help [ command | host | address ]The + each of its commands: shorewall help [ command | host | address ]The shorewall program may also be used to monitor the firewall. - shorewall status - produce a verbose report about the firewall - (iptables -L -n -v) + shorewall status - produce a verbose report + about the firewall (iptables -L -n -v) - shorewall show chain1 [ chain2 ... ] - produce a verbose report - about the listed chains (iptables -L chain -n -v) Note: You may only - list one chain in the show command when running Shorewall version - 1.4.6 and earlier. Version 1.4.7 and later allow you to list multiple - chains in one command. + shorewall show chain1 [ chain2 ... 
] - + produce a verbose report about the listed chains (iptables -L chain -n + -v) Note: You may only list one chain in the show command when running + Shorewall version 1.4.6 and earlier. Version 1.4.7 and later allow you + to list multiple chains in one command. - shorewall show nat - produce a verbose report about the nat - table (iptables -t nat -L -n -v) + shorewall show nat - produce a verbose report + about the nat table (iptables -t nat -L -n -v) - shorewall show tos - produce a verbose report about the mangle - table (iptables -t mangle -L -n -v) + shorewall show tos - produce a verbose report + about the mangle table (iptables -t mangle -L -n -v) - shorewall show log - display the last 20 packet log entries. + shorewall show log - display the last 20 + packet log entries. - shorewall show connections - displays the IP connections - currently being tracked by the firewall. + shorewall show connections - displays the IP + connections currently being tracked by the firewall. - shorewall show tc - displays information about the traffic - control/shaping configuration. + shorewall show tc - displays information + about the traffic control/shaping configuration. - shorewall monitor [ delay ] - Continuously display the firewall - status, last 20 log entries and nat. When the log entry display - changes, an audible alarm is sounded. + shorewall monitor [ delay ] - Continuously + display the firewall status, last 20 log entries and nat. When the log + entry display changes, an audible alarm is sounded. - shorewall hits - Produces several reports about the Shorewall - packet log messages in the current /var/log/messages file. + shorewall hits - Produces several reports + about the Shorewall packet log messages in the current + /var/log/messages file. - shorewall version - Displays the installed version number. + shorewall version - Displays the installed + version number. 
- shorewall check - Performs a cursory validation of the zones, - interfaces, hosts, rules and policy files.The - check command is totally unsuppored and does not parse - and validate the generated iptables commands. Even though the - check command completes successfully, the configuration - may fail to start. Problem reports that complain about errors that the - check command does not detect will not be accepted.See - the recommended way to make configuration changes described below. + shorewall check - Performs a cursory + validation of the zones, interfaces, hosts, rules and policy files.The + check command is + totally unsuppored and does not parse and validate the generated + iptables commands. Even though the check command + completes successfully, the configuration may fail to start. Problem + reports that complain about errors that the check + command does not detect will not be accepted.See the + recommended way to make configuration changes described below. - shorewall try configuration-directory [ timeout ] - Restart - shorewall using the specified configuration and if an error occurs or - if the timeout option is given and the new configuration has been up - for that many seconds then shorewall is restarted using the standard - configuration. + shorewall try <configuration-directory> + [ timeout ] - Restart shorewall using the specified + configuration and if an error occurs or if the timeout option is given + and the new configuration has been up for that many seconds then + shorewall is restarted using the standard configuration. - shorewall logwatch (added in version 1.3.2) - Monitors the - LOGFILE and produces an audible alarm when new Shorewall messages are - logged. + shorewall logwatch (added in version 1.3.2) - + Monitors the LOGFILE and produces an audible alarm when new Shorewall + messages are logged. 
@@ -197,15 +202,16 @@ - shorewall ipcalc [ address mask | address/vlsm ] - displays the - network address, broadcast address, network in CIDR notation and - netmask corresponding to the input[s]. + shorewall ipcalc [ <address> <mask> | + <address>/<vlsm> ] - displays the network + address, broadcast address, network in CIDR notation and netmask + corresponding to the input[s]. - shorewall iprange address1-address2 - Decomposes the specified - range of IP addresses into the equivalent list of network/host - addresses. + shorewall iprange <address1>-<address2> + - Decomposes the specified range of IP addresses into the equivalent + list of network/host addresses. 
@@ -214,47 +220,52 @@ - shorewall drop <ip address list> - causes packets from - the listed IP addresses to be silently dropped by the firewall. + shorewall drop <ip address list> - + causes packets from the listed IP addresses to be silently dropped by + the firewall. - shorewall reject <ip address list> - causes packets from - the listed IP addresses to be rejected by the firewall. + shorewall reject <ip address list> - + causes packets from the listed IP addresses to be rejected by the + firewall. - shorewall allow <ip address list> - re-enables receipt - of packets from hosts previously blacklisted by a drop or reject - command. + shorewall allow <ip address list> - + re-enables receipt of packets from hosts previously blacklisted by a + drop or reject command. - shorewall save - save the dynamic blacklisting configuration so - that it will be automatically restored the next time that the firewall - is restarted. + shorewall save - save the dynamic + blacklisting configuration so that it will be automatically restored + the next time that the firewall is restarted. - show dynamic - displays the dynamic blacklisting chain. + show dynamic - displays the dynamic + blacklisting chain. - Finally, the shorewall program may be used to - dynamically alter the contents of a zone. + Finally, the shorewall program may be + used to dynamically alter the contents of a zone. - shorewall add interface[:host] zone - Adds the specified - interface (and host if included) to the specified zone. + shorewall add <interface>[:<host>] + <zone> - Adds the specified interface (and host if + included) to the specified zone. - shorewall delete interface[:host] zone - Deletes the specified - interface (and host if included) from the specified zone. + shorewall delete <interface>[:<host>] + <zone> - Deletes the specified interface (and host + if included) from the specified zone. 
- Examples: shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1 - shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1 + Examples: shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1 + shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1 @@ -262,8 +273,8 @@ shorewall try commands allow you to specify which Shorewall configuration to use: - shorewall [ -c configuration-directory ] {start|restart|check} - shorewall try configuration-directory + shorewall [ -c <configuration-directory> ] {start|restart|check} + shorewall try <configuration-directory> If a configuration-directory is specified, each time that Shorewall is going to use a file in /etc/shorewall it will first @@ -275,11 +286,11 @@ - mkdir /etc/test + mkdir /etc/test - cd /etc/test + cd /etc/test @@ -288,7 +299,7 @@ - shorewall -c . check + shorewall -c . check @@ -296,7 +307,7 @@ - /sbin/shorewall try . + /sbin/shorewall try ./ @@ -309,15 +320,15 @@ - cp * /etc/shorewall + cp * /etc/shorewall - cd + cd - rm -rf /etc/test + rm -rf /etc/test
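Review bot: in the @@ -81,114 hunk the misspelling "unsuppored" in the check command entry is carried over unchanged into the rewrapped lines ("+ totally unsuppored and does not parse and validate the generated"); since the paragraph is being rewritten anyway, correct it to "unsupported". The same hunk also mixes placeholder styles: "shorewall try <configuration-directory> [ timeout ]" adopts angle brackets, while "shorewall show chain1 [ chain2 ... ]" and "shorewall monitor [ delay ]" in the same list keep bare names; pick one notation for the whole command list.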
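Review bot: in the @@ -214,47 hunk the last entry of the dynamic blacklisting list is still "show dynamic - displays the dynamic blacklisting chain", whereas every other entry in the list (drop, reject, allow, save) and the "shorewall show ..." entries earlier on the page carry the program name; change it to "shorewall show dynamic - displays the dynamic blacklisting chain" so readers do not mistake it for a different command.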
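Review bot: in the @@ -262,8 hunk the synopsis "shorewall try <configuration-directory>" omits the optional [ timeout ] argument that the try entry earlier on this page documents ("shorewall try <configuration-directory> [ timeout ]"); add "[ timeout ]" to the synopsis so the two descriptions of the command agree, since the timeout is what guarantees the standard configuration is restored if the test configuration locks the administrator out.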
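Review bot: in the @@ -296,7 hunk "/sbin/shorewall try ." becomes "/sbin/shorewall try ./" while the preceding step in the @@ -288,7 hunk keeps "shorewall -c . check"; both refer to the same working directory, so either use "." in both places or note why the trailing slash is wanted here, otherwise a reader following the procedure may think the two forms behave differently.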