<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall6</refentrytitle>

    <manvolnum>8</manvolnum>

    <refmiscinfo>Administrative Commands</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname>shorewall6</refname>

    <refpurpose>Administration tool for Shoreline Firewall 6
    (Shorewall6)</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg rep="norepeat">-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>add {</option></arg>

      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>

      <arg choice="plain"><replaceable>zone | zone host-list
      </replaceable><option>}</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>allow</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>blacklist</option></arg>

      <arg choice="plain"><replaceable>address</replaceable><arg
      choice="plain"><arg><replaceable>option
      ...</replaceable></arg></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>call</option></arg>

      <arg
      choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
      ...</arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="opt"><option>check | ck </option></arg>

      <arg><option>-e</option></arg>

      <arg><option>-d</option></arg>

      <arg><option>-p</option></arg>

      <arg><option>-r</option></arg>

      <arg><option>-T</option></arg>

      <arg><option>-i</option></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>clear</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>close</option><arg choice="req">
      <replaceable>open-number</replaceable> |
      <replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
      <replaceable>port</replaceable> </arg></arg></arg><replaceable>
      </replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="opt"><option>compile | co </option></arg>

      <arg><option>-e</option></arg>

      <arg><option>-d</option></arg>

      <arg><option>-T</option></arg>

      <arg><option>-i</option></arg>

      <arg><replaceable>directory</replaceable></arg>

      <arg choice="opt"><replaceable>pathname</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg rep="norepeat">-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>delete {</option></arg>

      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>

      <arg choice="plain"><replaceable>zone | zone host-list
      </replaceable><option>}</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>disable</option></arg>

      <arg choice="plain">{ <replaceable>interface</replaceable> |
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>drop</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>dump</option></arg>

      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>

      <arg><option>-m</option></arg>

      <arg><option>-c</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>enable</option></arg>

      <arg choice="plain">{ <replaceable>interface</replaceable> |
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>export</option></arg>

      <arg choice="opt"><replaceable>directory1</replaceable></arg>

      <arg
      choice="plain">[<replaceable>user</replaceable>@]<replaceable>system</replaceable>[<option>:</option><replaceable>directory2</replaceable>]</arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>forget</option></arg>

      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>help</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>iptrace</option></arg>

      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>logdrop</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>logwatch</option></arg>

      <arg><option>-m</option></arg>

      <arg><replaceable>refresh-interval</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>logreject</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>noiptrace</option></arg>

      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>open</option><replaceable>
      source</replaceable><replaceable> dest</replaceable><arg>
      <replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
      </arg> </arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>reenable</option></arg>

      <arg choice="plain">{ <replaceable>interface</replaceable> |
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg
      choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
      <replaceable>directory</replaceable> </arg><arg
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>reject</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>remote-start</option></arg>

      <arg><option>-s</option></arg>

      <arg><option>-c</option></arg>

      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>

      <arg><option>-T</option></arg>

      <arg><option>-i</option></arg>

      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>remote-reload</option></arg>

      <arg><option>-s</option></arg>

      <arg><option>-c</option></arg>

      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>

      <arg><option>-T</option></arg>

      <arg><option>-i</option></arg>

      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>remote-restart</option></arg>

      <arg><option>-s</option></arg>

      <arg><option>-c</option></arg>

      <arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>

      <arg><option>-T</option></arg>

      <arg><option>-i</option></arg>

      <arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>

      <arg choice="opt"><replaceable>system</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg
      choice="plain"><option>reset</option><arg><replaceable>chain</replaceable>
      ...</arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>reload</option></arg>

      <arg><option>-n</option></arg>

      <arg><option>-f</option></arg>

      <arg><option>-c</option></arg>

      <arg><option>-T</option></arg>

      <arg><option>-i</option><arg><option>-C</option></arg></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>restart</option></arg>

      <arg><option>-n</option></arg>

      <arg><option>-f</option></arg>

      <arg><option>-c</option></arg>

      <arg><option>-T</option></arg>

      <arg><option>-i</option><arg><option>-C</option></arg></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg
      choice="plain"><option>restore</option><arg><option>-C</option></arg></arg>

      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>run</option></arg>

      <arg choice="plain"><replaceable>command</replaceable></arg>

      <arg><replaceable>parameter ...</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>safe-reload</option></arg>

      <arg><option>-d</option></arg>

      <arg><option>-t</option> <replaceable>timeout</replaceable></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>safe-restart</option></arg>

      <arg><option>-d</option></arg>

      <arg><option>-t</option> <replaceable>timeout</replaceable></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>safe-start</option></arg>

      <arg><option>-d</option></arg>

      <arg><option>-t</option> <replaceable>timeout</replaceable></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg
      choice="plain"><option>save</option><arg><option>-C</option></arg></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>savesets</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

      <arg choice="plain"><option>{bl|blacklists}</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-b</option></arg>

      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>

      <arg><option>-t</option>
      {<option>filter</option>|<option>mangle</option>|<option>raw</option>}</arg>

      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-f</option></arg>

      <arg choice="plain"><option>capabilities</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg
      choice="req"><option>actions|classifiers|connections|config|events|filters|ip|macros|zones|policies|tc|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>event</option><arg
      choice="plain"><replaceable>event</replaceable></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-c</option></arg>

      <arg choice="plain"><option>routing</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-x</option></arg>

      <arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="req"><option>show | list | ls </option></arg>

      <arg><option>-m</option></arg>

      <arg choice="plain"><option>log</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>start</option></arg>

      <arg><option>-n</option></arg>

      <arg><option>-f</option></arg>

      <arg><option>-c</option></arg>

      <arg><option>-T</option></arg>

      <arg><option>-i</option><arg><option>-C</option></arg></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>stop</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><arg
      choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>try</option></arg>

      <arg choice="plain"><replaceable>directory</replaceable></arg>

      <arg><replaceable>timeout</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>update</option></arg>

      <arg><option>-d</option></arg>

      <arg><option>-r</option></arg>

      <arg><option>-T</option></arg>

      <arg><option>-a</option></arg>

      <arg><option>-i</option></arg>

      <arg><option>-A</option></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall6</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg
      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The shorewall6 utility is used to control the Shoreline Firewall 6
    (Shorewall6).</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The <option>trace</option> and <option>debug</option> options are
    used for debugging. See <ulink
    url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

    <para>The <option>nolock</option> option prevents the command from
    attempting to acquire the Shorewall6 lockfile. It is useful if you need to
    include <command>shorewall6</command> commands in
    <filename>/etc/shorewall6/started</filename>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
    role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
    options are omitted, the amount of output is determined by the setting of
    the VERBOSITY parameter in <ulink
    url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each
    <emphasis role="bold">v</emphasis> adds one to the effective verbosity and
    each <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
    followed immediately by one of -1, 0, 1 or 2 to specify a specific VERBOSITY.
    There may be no white-space between <emphasis role="bold">v</emphasis> and
    the VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
    <option>t</option> which causes all progress messages to be
    timestamped.</para>
  </refsect1>

  <refsect1>
    <title>Commands</title>

    <para>The available commands are listed below.</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">add </emphasis>{
        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
        <replaceable>host-list</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
          a dynamic zone, usually used with VPNs.</para>

          <para>The <emphasis>interface</emphasis> argument names an interface
          defined in the <ulink
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is a comma-separated list whose
          elements are host or network addresses.<caution>
              <para>The <command>add</command> command is not very robust. If
              there are errors in the <replaceable>host-list</replaceable>,
              you may see a large number of error messages yet a subsequent
              <command>shorewall show zones</command> command will indicate
              that all hosts were added. If this happens, replace
              <command>add</command> by <command>delete</command> and run the
              same command again. Then enter the correct command.</para>
            </caution></para>

          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
          allows a single ipset to handle entries for multiple interfaces.
          When that option is specified for a zone, the <command>add</command>
          command has the alternative syntax in which the
          <replaceable>zone</replaceable> name precedes the
          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">allow
        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
          role="bold">logreject</emphasis> command. Beginning with Shorewall
          5.0.10, this command can also re-enable addresses blacklisted using
          the <command>blacklist</command> command.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">blacklist</emphasis>
        <replaceable>address</replaceable> [ <replaceable>option</replaceable>
        ... ]</term>

        <listitem>
          <para>Added in Shorewall 5.0.8 and requires
          DYNAMIC_BLACKLIST=ipset.. in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          Causes packets from the given host or network
          <replaceable>address</replaceable> to be dropped, based on the
          setting of BLACKLIST in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          The <replaceable>address</replaceable> along with any
          <replaceable>option</replaceable>s are passed to the <command>ipset
          add</command> command.</para>

          <para>If the <option>disconnect</option> option is specified in the
          DYNAMIC_BLACKLIST setting, then the effective VERBOSITY
          determines the amount of information displayed:</para>

          <itemizedlist>
            <listitem>
              <para>If the effective verbosity is &gt; 0, then a message
              giving the number of conntrack flows deleted by the command is
              displayed.</para>
            </listitem>

            <listitem>
              <para>If the effective verbosity is &gt; 1, then the conntrack
              table entries deleted by the command are also displayed.</para>
            </listitem>
          </itemizedlist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">call <replaceable>function</replaceable> [
        <replaceable>parameter</replaceable> ... ]</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.10. Allows you to call a function in
          one of the Shorewall libraries or in your compiled script.
          <replaceable>function</replaceable> must name the shell function to
          be called. The listed parameters are passed to the function.</para>

          <para>The function is first searched for in
          <filename>lib.base</filename>, <filename>lib.common</filename>,
          <filename>lib.cli</filename> and <filename>lib.cli-std</filename>.
          If it is not found, the call command is passed to the generated
          script to be executed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">check </emphasis>[-<option>e</option>]
        [-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
        [-<option>T</option>] [-<option>i</option>]
        [<replaceable>directory</replaceable>]</term>

        <listitem>
          <para>Compiles the configuration in the specified
          <emphasis>directory</emphasis> and discards the compiled output
          script. If no <emphasis>directory</emphasis> is given, then
          <filename class="directory">/etc/shorewall6</filename> is
          assumed.</para>

          <para>The <option>-e</option> option causes the compiler to look for
          a file named capabilities. This file is produced using the command
          <command>shorewall6-lite show -f capabilities &gt;
          capabilities</command> on a system with Shorewall6 Lite
          installed.</para>

          <para>The <option>-d</option> option causes the compiler to be run
          under control of the Perl debugger.</para>

          <para>The <option>-p</option> option causes the compiler to be
          profiled via the Perl <option>-wd:DProf</option> command-line
          option.</para>

          <para>The <option>-r</option> option was added in Shorewall 4.5.2
          and causes the compiler to print the generated ruleset to standard
          out.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.4.20
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">clear
        </emphasis>[-<option>f</option>]</term>

        <listitem>
          <para>Clear will remove all rules and chains installed by
          Shorewall6. The firewall is then wide open and unprotected. Existing
          connections are untouched. Clear is often used to see if the
          firewall is causing connection problems.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">close</emphasis> {
        <replaceable>open-number</replaceable> |
        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
        ] ] }</term>

        <listitem>
          <para>Added in Shorewall 4.5.8. This command closes a temporary open
          created by the <command>open</command> command. In the first form,
          an <replaceable>open-number</replaceable> specifies the open to be
          closed. Open numbers are displayed in the <emphasis
          role="bold">num</emphasis> column of the output of the
          <command>shorewall6 show opens</command> command.</para>

          <para>When the second form of the command is used, the parameters
          must match those given in the earlier <command>open</command>
          command.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
        [-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
        [-<option>T</option>] [-<option>i</option>]
        [<replaceable>directory</replaceable>]
        [<replaceable>pathname</replaceable> ]</term>

        <listitem>
          <para>Compiles the current configuration into the executable file
          <emphasis>pathname</emphasis>. If a directory is supplied,
          Shorewall6 will look in that directory first for configuration
          files. If the <emphasis>pathname</emphasis> is omitted, the file
          firewall in the VARDIR (normally <filename
          class="directory">/var/lib/shorewall/</filename>) is assumed. A
          <emphasis>pathname</emphasis> of '-' causes the compiler to send the
          generated script to its standard output file. Note that '-v-1' is
          usually specified in this case (e.g., <command>shorewall6 -v-1
          compile -- -</command>) to suppress the 'Compiling...' message
          normally generated by <filename>/sbin/shorewall6</filename>.</para>

          <para>When <option>-e</option> is specified, the compilation is
          being performed on a system other than where the compiled script
          will run. This option disables certain configuration options that
          require the script to be compiled where it is to be run. The use of
          <option>-e</option> requires the presence of a configuration file
          named <filename>capabilities</filename> which may be produced using
          the command <command>shorewall6-lite show -f capabilities &gt;
          capabilities</command> on a system with Shorewall6 Lite
          installed.</para>

          <para>The <option>-c</option> option was added in Shorewall 4.5.17
          and causes conditional compilation of a script. The script specified
          by <replaceable>pathname</replaceable> (or implied if <emphasis
          role="bold">pathname</emphasis> is omitted) is compiled if it
          doesn't exist or if there is any file in the
          <replaceable>directory</replaceable> or in a directory on the
          CONFIG_PATH that has a modification time later than the file to be
          compiled. When no compilation is needed, a message is issued and an
          exit status of zero is returned.</para>

          <para>The <option>-d</option> option causes the compiler to be run
          under control of the Perl debugger.</para>

          <para>The <option>-p</option> option causes the compiler to be
          profiled via the Perl <option>-wd:DProf</option> command-line
          option.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.4.20
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">delete </emphasis>{
        <replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
        <replaceable>zone</replaceable> | <replaceable>zone</replaceable>
        <replaceable>host-list</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.4.21. The delete command reverses the
          effect of an earlier <emphasis role="bold">add</emphasis>
          command.</para>

          <para>The <emphasis>interface</emphasis> argument names an interface
          defined in the <ulink
          url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is a comma-separated list
          whose elements are host or network addresses.</para>

          <para>Beginning with Shorewall 4.5.9, the <emphasis
          role="bold">dynamic_shared</emphasis> zone option (<ulink
          url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
          allows a single ipset to handle entries for multiple interfaces.
          When that option is specified for a zone, the
          <command>delete</command> command has the alternative syntax in
          which the <replaceable>zone</replaceable> name precedes the
          <replaceable>host-list</replaceable>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">disable </emphasis>{
        <replaceable>interface</replaceable> |
        <replaceable>provider</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
          associated with the specified <replaceable>interface</replaceable>
          or <replaceable>provider</replaceable>. Where more than one provider
          shares a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>

          <para>Beginning with Shorewall 4.5.10, this command may be used with
          any optional network interface. <replaceable>interface</replaceable>
          may be either the logical or physical name of the interface. The
          command removes any routes added from <ulink
          url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
          and any traffic shaping configuration for the interface.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">drop
        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be silently dropped.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
        [-<option>l</option>] [-<option>m</option>]
        [-<option>c</option>]</term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
          the purpose of problem analysis.</para>

          <para>The <option>-x</option> option causes actual packet and byte
          counts to be displayed. Without that option, these counts are
          abbreviated.</para>

          <para>The <option>-m</option> option causes any MAC addresses
          included in Shorewall6 log messages to be displayed.</para>

          <para>The <option>-l</option> option causes the rule number for each
          Netfilter rule to be displayed.</para>

          <para>The <option>-c</option> option causes the route cache to be
          dumped in addition to the other routing information.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">enable </emphasis>{
        <replaceable>interface</replaceable> |
        <replaceable>provider</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
          associated with the specified <replaceable>interface</replaceable>
          or <replaceable>provider</replaceable>. Where more than one provider
          shares a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>

          <para>Beginning with Shorewall 4.5.10, this command may be used with
          any optional network interface. <replaceable>interface</replaceable>
          may be either the logical or physical name of the interface. The
          command sets <filename>/proc</filename> entries for the interface,
          adds any route specified in <ulink
          url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
          and installs the interface's traffic shaping configuration, if
          any.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">export
        </emphasis>[<replaceable>directory1</replaceable> ]
        [<replaceable>user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
        ]</term>

        <listitem>
          <para>If <emphasis>directory1</emphasis> is omitted, the current
          working directory is assumed.</para>

          <para>Allows a non-root user to compile a shorewall6 script and
          stage it on a system (provided that the user has access to the
          system via ssh). The command is equivalent to:</para>

          <programlisting>    <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory1</emphasis> <emphasis>directory1</emphasis><emphasis
              role="bold">/firewall &amp;&amp;\</emphasis>
    <emphasis role="bold">scp</emphasis> directory1<emphasis role="bold">/firewall</emphasis> <emphasis>directory1</emphasis><emphasis
              role="bold">/firewall.conf</emphasis> [<emphasis>user</emphasis>@]<emphasis
              role="bold">system</emphasis>:[<emphasis>directory2</emphasis>]</programlisting>

          <para>In other words, the configuration in the specified (or
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall and firewall.conf
          are copied to <emphasis>system</emphasis> using scp.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">forget </emphasis>[
        <replaceable>filename</replaceable> ]</term>

        <listitem>
          <para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename</replaceable></filename>
          and <filename>/var/lib/shorewall6/save</filename>. If no
          <emphasis>filename</emphasis> is given then the
          file specified by RESTOREFILE in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">help</emphasis></term>

        <listitem>
          <para>Displays a syntax summary.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
        match expression</replaceable></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
          TRACE log records to be created. See ip6tables(8) for
          details.</para>

          <para>The <replaceable>ip6tables match expression</replaceable> must
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>

          <para>The log message destination is determined by the
          currently-selected IPv6 <ulink
          url="/shorewall_logging.html#Backends">logging
          backend</ulink>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">list</emphasis></term>

        <listitem>
          <para><command>list</command> is a synonym for
          <command>show</command> -- please see below.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">logdrop
        </emphasis><replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be logged then discarded. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
          (5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
        [<replaceable>refresh-interval</replaceable>]</term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
          <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
          produces an audible alarm when new Shorewall6 messages are logged.
          The <option>-m</option> option causes the MAC address of each packet
          source to be displayed if that information is available. The
          <replaceable>refresh-interval</replaceable> specifies the time in
          seconds between screen refreshes. You can enter a negative number by
          preceding the number with "--" (e.g., <command>shorewall6 logwatch
          -- -30</command>). In this case, when a packet count changes, you
          will be prompted to hit any key to resume screen refreshes.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">logreject</emphasis>
        <replaceable>address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be logged then rejected. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
          (5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">ls</emphasis></term>

        <listitem>
          <para><command>ls</command> is a synonym for <command>show</command>
          -- please see below.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">noiptrace
        </emphasis><replaceable>ip6tables match
        expression</replaceable></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
          started by a preceding <command>iptrace</command> command.</para>

          <para>The <replaceable>ip6tables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
          canceled.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">open</emphasis>
        <replaceable>source</replaceable> <replaceable>dest</replaceable> [
        <replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
        ] ]</term>

        <listitem>
          <para>Added in Shorewall 4.6.8. This command requires that the
          firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
          <ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
          (5)</ulink>. The effect of the command is to temporarily open the
          firewall for connections matching the parameters.</para>

          <para>The <replaceable>source</replaceable> and
          <replaceable>dest</replaceable> parameters may each be specified as
          <emphasis role="bold">all</emphasis> if you don't wish to restrict
          the connection source or destination respectively. Otherwise, each
          must contain a host or network address or a valid DNS name.</para>

          <para>The <replaceable>protocol</replaceable> may be specified
          either as a number or as a name listed in /etc/protocols. The
          <replaceable>port</replaceable> may be specified numerically or as a
          name listed in /etc/services.</para>

          <para>To reverse the effect of a successful <command>open</command>
          command, use the <command>close</command> command with the same
          parameters or simply restart the firewall.</para>

          <para>Example: To open the firewall for SSH connections to address
          2001:470:b:227::1, the command would be:</para>

          <programlisting>    shorewall6 open all 2001:470:b:227::1 tcp 22</programlisting>

          <para>To reverse that command, use:</para>

          <programlisting>    shorewall6 close all 2001:470:b:227::1 tcp 22</programlisting>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">reenable </emphasis>{
        <replaceable>interface</replaceable> |
        <replaceable>provider</replaceable> }</term>

        <listitem>
          <para>Added in Shorewall 4.6.9. This is equivalent to a
          <command>disable</command> command followed by an
          <command>enable</command> command on the specified
          <replaceable>interface</replaceable> or
          <replaceable>provider</replaceable>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">refresh </emphasis>[-<option>n</option>]
        [-<option>d</option>] [-<option>T</option>] [-<option>i</option>]
        [-<option>D</option><replaceable>directory</replaceable> ] [
        <replaceable>chain</replaceable>... ]</term>

        <listitem>
          <para>All steps performed by <command>restart</command> are
          performed by <command>refresh</command> with the exception that
          <command>refresh</command> only recreates the chains specified in
          the command while <command>restart</command> recreates the entire
          Netfilter ruleset. When no chain name is given to the
          <command>refresh</command> command, the mangle table is refreshed
          along with the blacklist chain (if any). This allows you to modify
          <filename>/etc/shorewall6/tcrules</filename> and install the changes
          using <command>refresh</command>.</para>

          <para>The listed chains are assumed to be in the filter table. You
          can refresh chains in other tables by prefixing the chain name with
          the table name followed by ":" (e.g., nat:net_dnat). Chain names
          which follow are assumed to be in that table until the end of the
          list or until an entry in the list names another table. Built-in
          chains such as FORWARD may not be refreshed.</para>

          <para>The <option>-n</option> option was added in Shorewall 4.5.3
          and causes Shorewall to avoid updating the routing table(s).</para>

          <para>The <option>-d</option> option was added in Shorewall 4.5.3
          and causes the compiler to run under the Perl debugger.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

          <para>The -<option>D</option> option was added in Shorewall 4.5.3
          and causes Shorewall to look in the given
          <emphasis>directory</emphasis> first for configuration files.</para>

          <example>
            <title>Refresh the 'net-fw' chain in the filter table and the
            'net_dnat' chain in the nat table</title>

            <programlisting><command>shorewall6 refresh net-fw nat:net_dnat
            </command></programlisting>
          </example>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">reject</emphasis><replaceable>
        address</replaceable></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be silently rejected.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>

        <listitem>
          <para>This command was re-implemented in Shorewall 5.0.0. The
          pre-5.0.0 <command>reload</command> command is now called
          <command>remote-restart</command> (see below).</para>

          <para>Reload is similar to <command>shorewall6 start</command>
          except that it assumes that the firewall is already started.
          Existing connections are maintained. If a
          <emphasis>directory</emphasis> is included in the command,
          Shorewall6 will look in that <emphasis>directory</emphasis> first
          for configuration files.</para>

          <para>The <option>-n</option> option causes Shorewall6 to avoid
          updating the routing table(s).</para>

          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

          <para>The <option>-d</option> option causes the compiler to run
          under the Perl debugger.</para>

          <para>The <option>-f</option> option suppresses the compilation step
          and simply reuses the compiled script which last started/restarted
          Shorewall, provided that <filename
          class="directory">/etc/shorewall6</filename> and its contents have
          not been modified since the last start/restart.</para>

          <para>The <option>-c</option> option was added in Shorewall 4.4.20
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          When both <option>-f</option> and <option>-c</option> are present,
          the result is determined by the option that appears last.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when AUTOMAKE=Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
          an existing firewall script is used and if that script was the one
          that generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">remote-reload
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>

        <term/>

        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>

          <para>If <emphasis>directory</emphasis> is omitted, the current
          working directory is assumed. Allows a non-root user to compile a
          shorewall6 script and install it on a system (provided that the user
          has root access to the system via ssh). The command is equivalent
          to:</para>

          <programlisting>    <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
              role="bold">/firewall &amp;&amp;\</emphasis>
    <emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
              role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
              role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
              role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
    <emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
              role="bold">'/sbin/shorewall6-lite reload'</emphasis></programlisting>

          <para>In other words, the configuration in the specified (or
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
          Shorewall6 Lite on <emphasis>system</emphasis> is reloaded via ssh.
          Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>

          <para>If <option>-s</option> is specified and the
          <command>reload</command> command succeeds, then the remote
          Shorewall6-lite configuration is saved by executing
          <command>shorewall6-lite save</command> via ssh.</para>

          <para>If <option>-c</option> is included, the command
          <command>shorewall6-lite show capabilities -f &gt;
          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh,
          then the generated file is copied to <emphasis>directory</emphasis>
          using scp. This step is performed before the configuration is
          compiled.</para>

          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">remote-restart
        </emphasis>[-<option>s</option>] [-<option>c</option>]
        [-<option>r</option> <replaceable>root-user-name</replaceable>]
        [-<option>T</option>] [-<option>i</option>] [ [ -D ]
        <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>

        <listitem>
          <para>This command was renamed from <command>reload</command> in
          Shorewall 5.0.0.</para>

          <para>If <emphasis>directory</emphasis> is omitted, the current
          working directory is assumed. Allows a non-root user to compile a
          shorewall6 script and install it on a system (provided that the user
          has root access to the system via ssh). The command is equivalent
          to:</para>

          <programlisting>    <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
              role="bold">/firewall &amp;&amp;\</emphasis>
    <emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
              role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
              role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
              role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
    <emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
              role="bold">'/sbin/shorewall6-lite restart'</emphasis></programlisting>

          <para>In other words, the configuration in the specified (or
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <emphasis>system</emphasis> using scp. If the copy succeeds,
          Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
          ssh.</para>

          <para>Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>

          <para>If <option>-s</option> is specified and the
          <command>restart</command> command succeeds, then the remote
          Shorewall6-lite configuration is saved by executing
          <command>shorewall6-lite save</command> via ssh.</para>

          <para>If <option>-c</option> is included, the command
          <command>shorewall6-lite show capabilities -f &gt;
          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh,
          then the generated file is copied to <emphasis>directory</emphasis>
          using scp. This step is performed before the configuration is
          compiled.</para>

          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">remote-start </emphasis>
        [-<option>s</option>] [-<option>c</option>] [-<option>r</option>
        <replaceable>root-user-name</replaceable>] [-<option>T</option>]
        [-<option>i</option>] [ [-D ] <replaceable>directory</replaceable> ] [
        <replaceable>system</replaceable> ]</term>

        <listitem>
          <para>This command was added in Shorewall 5.0.0.</para>

          <para>If <emphasis>directory</emphasis> is omitted, the current
          working directory is assumed. Allows a non-root user to compile a
          shorewall6 script and install it on a system (provided that the user
          has root access to the system via ssh). The command is equivalent
          to:</para>

          <programlisting>    <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
              role="bold">/firewall &amp;&amp;\</emphasis>
    <emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
              role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
              role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
              role="bold">:/var/lib/shorewall6-lite/ &amp;&amp;\</emphasis>
    <emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
              role="bold">'/sbin/shorewall6-lite start'</emphasis></programlisting>

          <para>In other words, the configuration in the specified (or
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <replaceable>system</replaceable> using scp. If the copy succeeds,
          Shorewall6 Lite on <replaceable>system</replaceable> is started via
          ssh. Beginning with Shorewall 5.0.13, if
          <replaceable>system</replaceable> is omitted, then the FIREWALL
          option setting in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
          that case, if you want to specify a
          <replaceable>directory</replaceable>, then the <option>-D</option>
          option must be given.</para>

          <para>If <option>-s</option> is specified and the <emphasis
          role="bold">start</emphasis> command succeeds, then the remote
          Shorewall6-lite configuration is saved by executing
          <command>shorewall6-lite save</command> via ssh.</para>

          <para>If <option>-c</option> is included, the command
          <command>shorewall6-lite show capabilities -f &gt;
          /var/lib/shorewall6-lite/capabilities</command> is executed via ssh,
          then the generated file is copied to
          <replaceable>directory</replaceable> using scp. This step is
          performed before the configuration is compiled.</para>

          <para>If <option>-r</option> is included, it specifies that the root
          user on <replaceable>system</replaceable> is named
          <replaceable>root-user-name</replaceable> rather than "root".</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
        ...]</emphasis><acronym/></term>

        <listitem>
          <para>Resets the packet and byte counters in the specified
          <replaceable>chain</replaceable>(s). If no
          <replaceable>chain</replaceable> is specified, all the packet and
          byte counters in the firewall are reset.</para>

          <para>Beginning with Shorewall 5.0.0,
          <replaceable>chain</replaceable> may be composed of both a table
          name and a chain name separated by a colon (e.g.,
          mangle:PREROUTING). Chain names following that don't include a table
          name are assumed to be in that same table. If no table name is given
          in the command, the filter table is assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
        [-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
        [-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
        [-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>

        <listitem>
          <para>Beginning with Shorewall 5.0.0, this command performs a true
          restart. The firewall is completely stopped as if a
          <command>stop</command> command had been issued then it is started
          again.</para>

          <para>If a <emphasis>directory</emphasis> is included in the
          command, Shorewall6 will look in that <emphasis>directory</emphasis>
          first for configuration files.</para>

          <para>The <option>-n</option> option causes Shorewall6 to avoid
          updating the routing table(s).</para>

          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>

          <para>The <option>-d</option> option causes the compiler to run
          under the Perl debugger.</para>

          <para>The <option>-f</option> option suppresses the compilation step
          and simply reuses the compiled script which last started/restarted
          Shorewall, provided that <filename
          class="directory">/etc/shorewall6</filename> and its contents have
          not been modified since the last start/restart.</para>

          <para>The <option>-c</option> option was added in Shorewall 4.4.20
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          When both <option>-f</option> and <option>-c</option> are present,
          the result is determined by the option that appears last.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when AUTOMAKE=Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
          an existing firewall script is used and if that script was the one
          that generated the current running configuration, then the running
          netfilter configuration will be reloaded as is so as to preserve the
          iptables packet and byte counters.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
        [-<option>p</option>] [-<option>C</option>] [
        <replaceable>filename</replaceable> ]</term>

        <listitem>
          <para>Restore Shorewall6 to a state saved using the
          <command>shorewall6 save</command> command. Existing connections are
          maintained. The <emphasis>filename</emphasis> names a restore file
          in <filename class="directory">/var/lib/shorewall6</filename>
          created using <command>shorewall6 save</command>; if no
          <emphasis>filename</emphasis> is given then Shorewall6 will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

          <caution>
            <para>If your ip6tables ruleset depends on variables that are
            detected at run-time, either in your params file or by
            Shorewall-generated code, <command>restore</command> will use the
            values that were current when the ruleset was saved, which may be
            different from the current values.</para>
          </caution>

          <para>The <option>-C</option> option was added in Shorewall 4.6.5.
          If the <option>-C</option> option was specified during
          <command>shorewall6 save</command>, then the counters saved by that
          operation will be restored.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">run</emphasis><emphasis role="bold">
        </emphasis><replaceable>command</replaceable> [
        <replaceable>parameter</replaceable> ... ]</term>

        <listitem>
          <para>Added in Shorewall 4.6.3. Executes
          <replaceable>command</replaceable> in the context of the generated
          script passing the supplied <replaceable>parameter</replaceable>s.
          Normally, the <replaceable>command</replaceable> will be a function
          declared in <filename>lib.private</filename>.</para>

          <para>Before executing the <replaceable>command</replaceable>, the
          script will detect the configuration, setting all SW_* variables and
          will run your <filename>init</filename> extension script with
          $COMMAND = 'run'.</para>

          <para>If there are files in the CONFIG_PATH that were modified after
          the current firewall script was generated, the following warning
          message is issued before the script's run command is executed:
          <screen>WARNING: /var/lib/shorewall6/firewall is not up to
          date</screen></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">safe-restart
        </emphasis>[-<option>d</option>] [-<option>p</option>]
        [-<option>t</option><replaceable>timeout</replaceable> ] [
        <replaceable>directory</replaceable> ]</term>

        <listitem>
          <para>Only allowed if Shorewall6 is running. The current
          configuration is saved in <filename>/var/lib/shorewall6/safe-restart
          </filename> (see the <emphasis role="bold">save</emphasis> command
          below) then a <command>shorewall6 restart</command> is done. You
          will then be prompted asking if you want to accept the new
          configuration or not. If you answer "n" or if you fail to answer
          within 60 seconds (such as when your new configuration has disabled
          communication with your terminal), the configuration is restored
          from the saved configuration. If a directory is given, then
          Shorewall6 will look in that directory first when opening
          configuration files.</para>

          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
          <option>s</option>, <option>m</option> or <option>h</option> suffix
          (e.g., 5m) to specify seconds, minutes or hours respectively. If the
          suffix is omitted, seconds is assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">safe-start
        </emphasis>[-<option>d</option>] [-<option>p</option>]
        [-<option>t</option><replaceable>timeout</replaceable> ] [
        <replaceable>directory</replaceable> ]</term>

        <listitem>
          <para>Shorewall6 is started normally. You will then be prompted
          asking if everything went all right. If you answer "n" or if you
          fail to answer within 60 seconds (such as when your new
          configuration has disabled communication with your terminal), a
          <command>shorewall6 clear</command> is performed for you. Because
          <command>clear</command> removes all rules and chains installed by
          Shorewall6, the system is left unfiltered until the firewall is
          started again. If a directory is given, then Shorewall6 will look in
          that directory first when opening configuration files.</para>

          <para>Beginning with Shorewall 4.5.0, you may specify a different
          <replaceable>timeout</replaceable> value using the
          <option>-t</option> option. The numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
          <option>s</option>, <option>m</option> or <option>h</option> suffix
          (e.g., 5m) to specify seconds, minutes or hours respectively. If the
          suffix is omitted, seconds is assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
        <replaceable>filename</replaceable> ]</term>

        <listitem>
          <para>The dynamic blacklist is stored in <filename>
          /var/lib/shorewall6/save</filename>. The state of the firewall is
          stored in <filename>
          /var/lib/shorewall6/<replaceable>filename</replaceable></filename>
          for use by the <command>shorewall6 restore</command> and <command>
          shorewall6 -f start</command> commands. If <emphasis>filename
          </emphasis> is not given then the state is saved in the file
          specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

          <para>The <option>-C</option> option, added in Shorewall 4.6.5,
          causes the ip6tables packet and byte counters to be saved along with
          the chains and rules.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">savesets</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.6.8. Performs the same action as the
          <command>stop</command> command with respect to saving ipsets (see
          the SAVE_IPSETS option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
          This command may be used to proactively save your ipset contents in
          the event that a system failure occurs prior to issuing a
          <command>stop</command> command.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">show</emphasis></term>

        <listitem>
          <para>The show command can have a number of different
          arguments:</para>

          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">actions</emphasis></term>

              <listitem>
                <para>Produces a report about the available actions (built-in,
                standard and user-defined).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>[-<option>x</option>] <emphasis role="bold">bl|blacklists
              </emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.6.2. Displays the dynamic chain
                along with any chains produced by entries in
                shorewall-blrules(5). The <option>-x</option> option is passed
                directly through to ip6tables and causes actual packet and
                byte counts to be displayed. Without this option, those counts
                are abbreviated.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>[-<option>f</option>] <emphasis
              role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/ip6tables capabilities. The
                <option>-f</option> option causes the display to be formatted
                as a capabilities file for use with <command>shorewall6
                compile -e</command>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>[-<option>b</option>] [-<option>x</option>]
              [-<option>l</option>] [-<option>t</option>
              {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}][
              <emphasis>chain</emphasis>... ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
                displayed using the <command>ip6tables -L</command>
                <emphasis>chain</emphasis> <emphasis role="bold">-n
                -v</emphasis> command. If no <emphasis>chain</emphasis> is
                given, all of the chains in the filter table are displayed.
                The <option>-x</option> option is passed directly through to
                ip6tables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are abbreviated.
                The <option>-t</option> option specifies the Netfilter table
                to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

                <para>The <option>-b</option> ('brief') option causes rules
                which have not been used (i.e. which have zero packet and byte
                counts) to be omitted from the output. Chains with no rules
                displayed are also omitted from the output.</para>

                <para>The <option>-l</option> option causes the rule number
                for each Netfilter rule to be displayed.</para>

                <para>If the <option>-t</option> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
                message is displayed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">classifiers|filters</emphasis></term>

              <listitem>
                <para>Displays information about the packet classifiers
                defined on the system as a result of traffic shaping
                configuration.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">config</emphasis></term>

              <listitem>
                <para>Displays distribution-specific defaults.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">connections
              [<replaceable>filter_parameter</replaceable>
              ...]</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>

                <para>If the <command>conntrack</command> utility is
                installed, beginning with Shorewall 4.6.11 the set of
                connections displayed can be limited by including conntrack
                filter parameters (-p, -s, --dport, etc.). See conntrack(8)
                for details.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">event</emphasis><replaceable>
              event</replaceable></term>

              <listitem>
                <para>Added in Shorewall 4.5.19. Displays the named
                event.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">events</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.5.19. Displays all events.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">ip</emphasis></term>

              <listitem>
                <para>Displays the system's IPv6 configuration.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>[-<option>m</option>] <emphasis
              role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall6 messages from the log
                file specified by the LOGFILE option in <ulink
                url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
                The <option>-m</option> option causes the MAC address of each
                packet source to be displayed if that information is
                available.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">macros</emphasis></term>

              <listitem>
                <para>Displays information about each macro defined on the
                firewall system.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">macro
              </emphasis><replaceable>macro</replaceable></term>

              <listitem>
                <para>Added in Shorewall 4.4.6. Displays the file that
                implements the specified <replaceable>macro</replaceable>
                (usually
                <filename>/usr/share/shorewall6/macro</filename>.<replaceable>macro</replaceable>).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>[-<option>x</option>] <emphasis
              role="bold">mangle</emphasis></term>

              <listitem>
                <para>Displays the Netfilter mangle table using the command
                <command>ip6tables -t mangle -L -n -v</command>. The
                <option>-x</option> option is passed directly through to
                ip6tables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.26. Displays the various fields
                in packet marks giving the min and max value (in both decimal
                and hex) and the applicable mask (in hex).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>[-<option>x</option>] <emphasis
              role="bold">nat</emphasis></term>

              <listitem>
                <para>Displays the Netfilter nat table using the command
                <emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.
                The <emphasis role="bold">-x</emphasis> option is passed
                directly through to ip6tables and causes actual packet and
                byte counts to be displayed. Without this option, those counts
                are abbreviated.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">opens</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.5.8. Displays the iptables rules in
                the 'dynamic' chain created through use of the
                <command>open</command> command.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.4. Displays the applicable policy
                between each pair of zones. Note that implicit intrazone
                ACCEPT policies are not displayed for zones associated with a
                single network where that network doesn't specify
                <option>routeback</option>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>[-<option>x</option>] <emphasis
              role="bold">raw</emphasis></term>

              <listitem>
                <para>Displays the Netfilter raw table using the command
                <emphasis role="bold">ip6tables -t raw -L -n -v</emphasis>.
                The <emphasis role="bold">-x</emphasis> option is passed
                directly through to ip6tables and causes actual packet and
                byte counts to be displayed. Without this option, those counts
                are abbreviated.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">[-<option>c</option>]<emphasis
              role="bold"> </emphasis>routing</emphasis></term>

              <listitem>
                <para>Displays the system's IPv6 routing configuration. The -c
                option causes the route cache to be displayed in addition to
                the other routing information.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

              <listitem>
                <para>Displays information about queuing disciplines, classes
                and filters.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">zones</emphasis></term>

              <listitem>
                <para>Displays the current composition of the Shorewall6 zones
                on the system.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">start </emphasis><emphasis role="bold">
        </emphasis>[-<option>n</option>] [-<option>p</option>]
        [-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
        [-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
        <replaceable>directory</replaceable> ]</term>

        <listitem>
          <para>Start shorewall6. Existing connections through shorewall6
          managed interfaces are untouched. New connections will be allowed
          only if they are allowed by the firewall rules or policies. If a
          <replaceable>directory</replaceable> is included in the command,
          Shorewall6 will look in that <emphasis>directory</emphasis> first
          for configuration files. If <option>-f</option> is specified, the
          saved configuration specified by the RESTOREFILE option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
          will be restored if that saved configuration exists and has been
          modified more recently than the files in <filename
          class="directory">/etc/shorewall6</filename>. When <option>-f
          </option> is given, a <replaceable>directory</replaceable> may not
          be specified.</para>

          <para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
          was added to <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          When LEGACY_FASTSTART=No, the modification times of files in
          <filename class="directory">/etc/shorewall6</filename> are compared
          with that of <filename>/var/lib/shorewall6/firewall </filename> (the
          compiled script that last started/restarted the firewall).</para>

          <para>The <option>-n</option> option causes Shorewall6 to avoid
          updating the routing table(s).</para>

          <para>The <option>-c</option> option was added in Shorewall 4.4.20
          and performs the compilation step unconditionally, overriding the
          AUTOMAKE setting in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
          When both <option>-f</option> and <option>-c</option> are present,
          the result is determined by the option that appears last.</para>

          <para>The <option>-T</option> option was added in Shorewall 4.5.3
          and causes a Perl stack trace to be included with each
          compiler-generated error and warning message.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>

          <para>The <option>-C</option> option was added in Shorewall 4.6.5
          and is only meaningful when the <option>-f</option> option is also
          specified. If the previously-saved configuration is restored, and if
          the <option>-C</option> option was also specified in the
          <command>save</command> command, then the packet and byte counters
          will be restored along with the chains and rules.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">stop
        </emphasis>[-<option>f</option>]</term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
          url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
          or permitted by the ADMINISABSENTMINDED option in <ulink
          url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
          are taken down. The only new traffic permitted through the firewall
          is from systems listed in <ulink
          url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
          or by ADMINISABSENTMINDED.</para>

          <para>If <option>-f</option> is given, the command will be processed
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">status</emphasis></term>

        <listitem>
          <para>Produces a short report about the state of the
          Shorewall6-configured firewall.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.2
          and causes the status of each optional or provider interface to be
          displayed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">try
        </emphasis><replaceable>directory</replaceable> [
        <replaceable>timeout</replaceable> ]</term>

        <listitem>
          <para>If Shorewall6 is started then the firewall state is saved to a
          temporary saved configuration
          (<filename>/var/lib/shorewall6/.try</filename>). Next, if Shorewall6
          is currently started then a <emphasis role="bold">restart</emphasis>
          command is issued using the specified configuration
          <replaceable>directory</replaceable>; otherwise, a <emphasis
          role="bold">start</emphasis> command is performed using the
          specified configuration <replaceable>directory</replaceable>. If an
          error occurs during the compilation phase of the <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">start</emphasis>, the command terminates without
          changing the Shorewall6 state. If an error occurs during the
          <emphasis role="bold">restart</emphasis> phase, then a
          <command>shorewall6 restore</command> is performed using the saved
          configuration. If an error occurs during the <emphasis
          role="bold">start</emphasis> phase, then Shorewall6 is cleared. If
          the <emphasis role="bold">start</emphasis>/<emphasis
          role="bold">restart</emphasis> succeeds and a
          <replaceable>timeout</replaceable> is specified then a <emphasis
          role="bold">clear</emphasis> or <emphasis
          role="bold">restore</emphasis>, respectively, is performed after
          <replaceable>timeout</replaceable> seconds. Note that a cleared
          firewall has had all Shorewall6 rules and chains removed and does
          not filter traffic (see the <emphasis role="bold">clear</emphasis>
          command above).</para>

          <para>Beginning with Shorewall 4.5.0, the numeric
          <replaceable>timeout</replaceable> may optionally be followed by an
          <option>s</option>, <option>m</option> or <option>h</option> suffix
          (e.g., 5m) to specify seconds, minutes or hours respectively. If the
          suffix is omitted, seconds is assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">update</emphasis> [-<option>d</option>]
        [-<option>r</option>] [-<option>T</option>] [-<option>a</option>]
        [-<option>i</option>] [-<option>A</option>] [
        <replaceable>directory</replaceable> ]</term>

        <listitem>
          <para>Added in Shorewall 4.4.21 and causes the compiler to update
          <filename>/etc/shorewall/shorewall.conf</filename> and then validate
          the configuration. The update will add options not present in
          the old file with their default values, and will move deprecated
          options with non-defaults to a deprecated options section at the
          bottom of the file. Your existing
          <filename>shorewall.conf</filename> file is renamed
          <filename>shorewall.conf.bak</filename>.</para>

          <para>The command was extended over the years with a set
          of options that caused additional configuration
          updates:</para>

          <itemizedlist>
            <listitem>
              <para>Convert an existing <filename>blacklist</filename> file
              into an equivalent <filename>blrules</filename> file.</para>
            </listitem>

            <listitem>
              <para>Convert an existing <filename>routestopped</filename> file
              into an equivalent <filename>stoppedrules</filename>
              file.</para>
            </listitem>

            <listitem>
              <para>Convert existing <filename>tcrules</filename> and
              <filename>tos</filename> files into an equivalent
              <filename>mangle</filename> file.</para>
            </listitem>

            <listitem>
              <para>Convert an existing <filename>notrack</filename> file into
              an equivalent <filename>conntrack</filename> file.</para>
            </listitem>

            <listitem>
              <para>Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
              ?SECTION and ?COMMENT directives.</para>
            </listitem>
          </itemizedlist>

          <para>In each case, the old file is renamed with a .bak
          suffix.</para>

          <para>In Shorewall 5.0.0, the options were eliminated and the
          <command>update</command> command performs all of the updates
          described above.</para>

          <important>
            <para>There are some notable restrictions with the
            <command>update</command> command:</para>

            <orderedlist>
              <listitem>
                <para>Converted rules will be appended to the existing file;
                if there is no existing file in the CONFIG_PATH, one will be
                created in the directory specified in the command or in the
                first entry in the CONFIG_PATH (normally <filename
                class="directory">/etc/shorewall6</filename>)
                otherwise.</para>
              </listitem>

              <listitem>
                <para>Existing comments in the file being converted will not
                be transferred to the output file.</para>
              </listitem>

              <listitem>
                <para>INCLUDEd files will be expanded inline in the output
                file.</para>
              </listitem>

              <listitem>
                <para>Columns in the output file will be separated by a single
                tab character; there is no attempt made to otherwise align the
                columns.</para>
              </listitem>
            </orderedlist>
          </important>

          <para>The <option>-a</option> option causes the updated
          <filename>shorewall.conf</filename> file to be annotated with
          documentation.</para>

          <para>The <option>-i</option> option was added in Shorewall 4.6.0
          and causes a warning message to be issued if the current line
          contains alternative input specifications following a semicolon
          (";"). Such lines will be handled incorrectly if INLINE_MATCHES is
          set to Yes in <ulink
          url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>

          <para>The <option>-A</option> option is included for compatibility
          with Shorewall 4.6 and is equivalent to specifying the
          <option>-i</option> option.</para>

          <para>For a description of the other options, see the <emphasis
          role="bold">check</emphasis> command above.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">version
        [-<option>a</option>]</emphasis></term>

        <listitem>
          <para>Displays Shorewall6's version. If the <option>-a</option>
          option is included, the version of Shorewall will also be
          displayed.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>EXIT STATUS</title>

    <para>In general, when a command succeeds, status 0 is returned; when the
    command fails, a non-zero status is returned.</para>

    <para>The <command>status</command> command returns exit status as
    follows:</para>

    <para>0 - Firewall is started.</para>

    <para>3 - Firewall is stopped or cleared.</para>

    <para>4 - Unknown state; usually means that the firewall has never been
    started.</para>
  </refsect1>

  <refsect1>
    <title>ENVIRONMENT</title>

    <para>Two environment variables are recognized by Shorewall6:</para>

    <variablelist>
      <varlistentry>
        <term>SHOREWALL_INIT_SCRIPT</term>

        <listitem>
          <para>When set to 1, causes standard output to be redirected to the
          file specified in the STARTUP_LOG option in <ulink
          url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>SW_LOGGERTAG</term>

        <listitem>
          <para>Added in Shorewall 5.0.8. When set to a non-empty value, that
          value is passed to the logger utility in its -t (--tag)
          option.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>

    <para><ulink
    url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall6-accounting(5), shorewall6-actions(5),
    shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
    shorewall6-maclist(5), shorewall6-netmap(5), shorewall6-params(5),
    shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
    shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
    shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
    shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
    shorewall6-zones(5)</para>
  </refsect1>
</refentry>