#!/bin/sh
#
# Shorewall help subsystem - V2.0 - 2/14/2004
#
#
#     This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
#
#     (c) 2003-2004 - Tom Eastep (teastep@shorewall.net)
#                     Steve Herber (herber@thing.com)
#
#	This file should be placed in /usr/share/shorewall/help
#
#	Shorewall documentation is available at http://shorewall.sourceforge.net
#
#	This program is free software; you can redistribute it and/or modify
#	it under the terms of Version 2 of the GNU General Public License
#	as published by the Free Software Foundation.
#
#	This program is distributed in the hope that it will be useful,
#	but WITHOUT ANY WARRANTY; without even the implied warranty of
#	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
#	GNU General Public License for more details.
#
#	You should have received a copy of the GNU General Public License
#	along with this program; if not, write to the Free Software
#	Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
##################################################################################

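# Help topic dispatcher.
#
# Invoked with the help topic as $1 (e.g. "add", "drop", "host"); prints the
# matching help text to stdout and exits 0 whether or not the topic is known.
# $LOGFILE (logwatch topic) and $version (version topic) are not set in this
# file; they are presumably inherited from the calling shorewall script's
# environment — confirm against the caller.
#
# printf '%s\n' is used instead of echo: under /bin/sh, echo may interpret
# backslash sequences inside its arguments ($1, $LOGFILE) and its treatment of
# a leading '-' is implementation-defined, so every message is passed as data
# to a fixed format string.  The literal help strings contain no backslash
# sequences (the \" below are consumed by the shell), so their output is
# unchanged.
case "$1" in

add)
	printf '%s\n' "add: add <interface>[:<host>] <zone>
    Adds a host or subnet to a dynamic zone usually used with VPN's.

    shorewall add interface[:host] zone - Adds the specified interface
    (and host if included) to the specified zone.

    Example:

    shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
    from interface ipsec0 to the zone vpn1.

    See also \"help host\""
	;;

address|host)
	# $1 is reproduced in the heading so "help host" and "help address"
	# each name the topic the user asked for.
	printf '%s\n' "<$1>: 
    May be either a host IP address such as 192.168.1.4 or a network address in
    CIDR format like 192.168.1.0/24"
	;;

allow)
	printf '%s\n' "allow: allow <address> ...
    Re-enables receipt of packets from hosts previously blacklisted
    by a drop or reject command.

    Shorewall allow, drop, reject and save implement dynamic blacklisting.

    See also \"help address\""
	;;

check)
	printf '%s\n' "check: check [ -c <configuration-directory> ]
   Performs a cursory validation of the zones, interfaces, hosts,
   rules and policy files.  Use this if you are unsure of any edits
   you have made to the shorewall configuration.  See the try command
   examples for a recommended way to make changes."
	;;

clear)
	printf '%s\n' "clear: clear
    Clear will remove all rules and chains installed by Shoreline.
    The firewall is then wide open and unprotected.  Existing
    connections are untouched.  Clear is often used to see if the
    firewall is causing connection problems."
	;;

debug)
	printf '%s\n' "debug: debug
    If you include the keyword debug as the first argument to any
    of these commands:

	start|stop|restart|reset|clear|refresh|check|add|delete

    then a shell trace of the command is produced.  For example:

	shorewall debug start 2> /tmp/trace

    The above command would trace the 'start' command and
    place the trace information in the file /tmp/trace.

    The word 'trace' is a synonym for 'debug'."
	;;

delete)
	printf '%s\n' "delete: delete <interface>[:<host>] <zone>
    Deletes a host or subnet from a dynamic zone usually used with VPN's.

    shorewall delete interface[:host] zone - Deletes the specified
    interface (and host if included) from the specified zone.

    Example:

    shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
    192.0.2.24 from interface ipsec0 from zone vpn1

    See also \"help host\""
	;;

drop)
	printf '%s\n' "$1: $1 <address> ...
    Causes packets from the specified <address> to be ignored

    Shorewall allow, drop, reject and save implement dynamic blacklisting.

    See also \"help address\""
	;;

forget)
	printf '%s\n' "forget: forget
    Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
    files are created by the 'shorewall save' command

    See also \"help save\""
	;;

help)
	printf '%s\n' "help: help [<command> | host | address ]
    Display helpful information about the shorewall commands."
	;;

hits)
	printf '%s\n' "hits: hits
    Produces several reports about the Shorewall packet log messages
    in the current /var/log/messages file."
	;;

ipcalc)
	printf '%s\n' "ipcalc: ipcalc [ address mask | address/vlsm ]
    Ipcalc displays the network address, broadcast address,
    network in CIDR notation and netmask corresponding to the input[s]."
	;;

iprange)
	printf '%s\n' "iprange: iprange address1-address2
    Iprange decomposes the specified range of IP addresses into the
    equivalent list of network/host addresses."
	;;

logwatch)
	# $LOGFILE is expanded here; it is not defined in this file.
	printf '%s\n' "logwatch: logwatch [<refresh interval>]
    Monitors the LOGFILE, $LOGFILE,
    and produces an audible alarm when new Shorewall messages are logged."
	;;

monitor)
	printf '%s\n' "monitor: monitor [<refresh_interval>]

    shorewall [-x] monitor [<refresh_interval>]

    Continuously display the firewall status, last 20 log entries and nat.
    When the log entry display changes, an audible alarm is sounded.

    When -x is given, that option is also passed to iptables to display actual packet and byte counts."
	;;

refresh)
	printf '%s\n' "refresh: [ -q ] refresh
    The rules involving the broadcast addresses of firewall interfaces,
    the black list, traffic control rules and ECN control rules are recreated
    to reflect any changes made.  Existing connections are untouched
    If \"-q\" is specified, less detail is displayed making it easier to spot warnings"
	;;

reject)
	printf '%s\n' "$1: $1 <address> ...
    Causes packets from the specified <address> to be rejected

    Shorewall allow, drop, reject and save implement dynamic blacklisting.

    See also \"help address\""
	;;

reset)
	printf '%s\n' "reset: reset
    All the packet and byte counters in the firewall are reset."
	;;

restart)
	printf '%s\n' "restart: restart [ -q ] [ -c <configuration-directory> ]
    Restart is the same as a shorewall stop && shorewall start.
    Existing connections are maintained.
    If \"-q\" is specified, less detail is displayed making it easier to spot warnings"
	;;

restore)
	printf '%s\n' "restore: restore
    Restore Shorewall to its last state saved using the 'save' command
    Existing connections are maintained.

    See also \"help save\" and \"help forget\""
	;;

save)
	printf '%s\n' "save: save
    The dynamic data is stored in /var/lib/shorewall/save. The state of the 
    firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore'
    and 'shorewall -f start' commands.

    Shorewall allow, drop, reject and save implement dynamic blacklisting.

    See also \"help restore\" and \"help forget\""
	;;

show)
	printf '%s\n' "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]

    shorewall [-x] show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
    (iptables -L chain -n -v)

    shorewall [-x] show nat - produce a verbose report about the nat table.
    (iptables -t nat -L -n -v)

    shorewall [-x] show tos - produce a verbose report about the mangle table.
    (iptables -t mangle -L -n -v)

    shorewall show log - display the last 20 packet log entries.

    shorewall show connections - displays the IP connections currently
	being tracked by the firewall.

    shorewall show tc - displays information about the traffic
	control/shaping configuration.

    When -x is given, that option is also passed to iptables to display actual packet and byte counts."
	;;

start)
	printf '%s\n' "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
    Start shorewall.  Existing connections through shorewall managed
    interfaces are untouched.  New connections will be allowed only
    if they are allowed by the firewall rules or policies.
    If \"-q\" is specified, less detail is displayed making it easier to spot warnings
    If \"-f\" is specified, the last saved configuration if any will be restored"
	;;

stop)
	printf '%s\n' "stop: stop
    Stops the firewall.  All existing connections, except those
    listed in /etc/shorewall/routestopped, are taken down.
    The only new traffic permitted through the firewall
    is from systems listed in /etc/shorewall/routestopped."
	;;

status)
	# The underlying command is shown with -v, consistent with the
	# "show" topic above and with the -x note about packet/byte counts.
	printf '%s\n' "status: status

    shorewall [-x] status

    Produce a verbose report about the firewall.
   
    (iptables -L -n -v)

    When -x is given, that option is also passed to iptables to display actual packet and byte counts."
	;;

trace)
	printf '%s\n' "trace: trace
    If you include the keyword trace as the first argument to any
    of these commands:

	start|stop|restart|reset|clear|refresh|check|add|delete

    then a shell trace of the command is produced.  For example:

	shorewall trace start 2> /tmp/trace

    The above command would trace the 'start' command and
    place the trace information in the file /tmp/trace.

    The word 'debug' is a synonym for 'trace'."
	;;

try)
	printf '%s\n' "try: try <configuration-directory> [ <timeout> ]
    Restart shorewall using the specified configuration.  If an error
    occurs during the restart, then another shorewall restart is performed
    using the default configuration.  If a timeout is specified then
    the restart is always performed after the timeout occurs and uses
    the default configuration."
	;;

version)
	# $version is expanded here; it is not defined in this file.
	printf '%s\n' "version: version
    Show the current shorewall version which is: $version"
	;;

*)
	# Unknown topic: the user's word is echoed back verbatim as data
	# (never as a printf format), so it cannot alter the output formatting.
	printf '%s\n' "$1: $1 is not recognized by the help command"
	;;

esac

exit 0	# always ok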