shorewall_code/docs/Anatomy.xml
Jeremy Sowden c93817f30b Correct GFDL text embedded in document sources
The invariant sections clause doesn't quite match the official text.  It should
read:

  with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts

not:

  with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts

Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
2023-01-31 22:50:37 +00:00

926 lines
34 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<article>
<!--$Id$-->
<articleinfo>
<title>Anatomy of Shorewall 5.0/5.1</title>
<authorgroup>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
</authorgroup>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<copyright>
<year>2007</year>
<year>2009</year>
<year>2012</year>
<year>2015</year>
<year>2017</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, no Front-Cover Texts, and no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<section id="Products">
<title>Products</title>
<para>Shorewall 5.0 consists of six packages.</para>
<orderedlist>
<listitem>
<para><emphasis role="bold">Shorewall Core</emphasis>. This package
contains the core Shorewall shell libraries and is required to install
any of the other packages. Beginning with Shorewall 5.1.0, it also
includes the Command Line Interface (CLI) program common to all of the
packages.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall</emphasis>. This package must be
installed on at least one system in your network. It contains
everything needed to create an IPv4 firewall.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall6</emphasis>. This package
requires the Shorewall package and adds those components needed to
create an IPv6 firewall.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall-lite</emphasis>. Shorewall
allows for central administration of multiple IPv4 firewalls through
use of Shorewall lite. The full Shorewall product is installed on a
central administrative system where compiled Shorewall scripts are
generated. These scripts are copied to the firewall systems where they
run under the control of Shorewall-lite.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall6-lite</emphasis>. Shorewall
allows for central administration of multiple IPv4 firewalls through
use of Shorewall lite. The full Shorewall product is installed on a
central administrative system where compiled Shorewall scripts are
generated. These scripts are copied to the firewall systems where they
run under the control of Shorewall-lite.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall-init</emphasis>. An add-on to
any of the above packages that allows the firewall state to be altered
in reaction to interfaces coming up and going down. Where Upstart is
not being used, this package can also be configured to place the
firewall in a safe state prior to bringing up the network
interfaces.</para>
</listitem>
</orderedlist>
</section>
<section id="Shorewall">
<title>Shorewall</title>
<para>The Shorewall package includes a large number of files which were
traditionally installed in <filename class="directory">/sbin</filename>,
<filename class="directory">/usr/share/shorewall</filename>, <filename
class="directory">/etc/shorewall</filename>,
<filename>/etc/init.d</filename> and <filename
class="directory">/var/lib/shorewall/</filename>. These are described in
the sub-sections that follow. </para>
<important>
<para>Since Shorewall 4.5.2, each of these directories is now
relocatable using the <ulink url="Install.htm#idp8774904608">configure
scripts included with Shorewall Core</ulink>. These scripts set shell
variables in the shorewallrc file which is normally installed in
/usr/share/shorewall/. The name of the variable is included in
parentheses in the section headings below.</para>
</important>
<section id="sbin">
<title>/sbin ($SBINDIR)</title>
<para>The <filename>/sbin/shorewall</filename> shell program is used to
interact with Shorewall. See <ulink
url="manpages/shorewall.html">shorewall</ulink>(8).</para>
</section>
<section id="share-shorewall">
<title>/usr/share/shorewall (${SHAREDIR}/shorewall)</title>
<para>The bulk of Shorewall is installed here.</para>
<itemizedlist>
<listitem>
<para><filename>action.template</filename> - template file for
creating <ulink url="Actions.html">actions</ulink>.</para>
</listitem>
<listitem>
<para><filename>action.*</filename> - standard Shorewall
actions.</para>
</listitem>
<listitem>
<para><filename>actions.std</filename> - file listing the standard
actions.</para>
</listitem>
<listitem>
<para><filename>compiler.pl</filename> - The configuration compiler
perl program.</para>
</listitem>
<listitem>
<para><filename class="directory">configfiles</filename> - A
directory containing configuration files to copy to create a <ulink
url="Shorewall-Lite.html">Shorewall-lite export
directory.</ulink></para>
</listitem>
<listitem>
<para><filename><filename>configpath</filename></filename> - A file
containing distribution-specific path assignments.</para>
</listitem>
<listitem>
<para><filename>firewall</filename> - A shell program that handles
the <command>add</command> and <command>delete</command> commands
(see <ulink url="manpages/shorewall.html">shorewall</ulink>(8)). It
also handles the <command>stop</command> and
<command>clear</command> commands when there is no current compiled
firewall script on the system.</para>
</listitem>
<listitem>
<para><filename class="symlink">functions</filename> - A symbolic
link to <filename>lib.base</filename> that provides for
compatibility with older versions of Shorewall.</para>
</listitem>
<listitem>
<para><filename class="symlink">init</filename> - A symbolic link to
the init script (usually
<filename>/etc/init.d/shorewall</filename>).</para>
</listitem>
<listitem>
<para><filename>lib.*</filename> - Shell function libraries used by
the other shell programs. Most of these are actually provided by
Shorewall-core.</para>
</listitem>
<listitem>
<para><filename>macro.*</filename> - The standard Shorewall <ulink
url="Macros.html">macros</ulink>.</para>
</listitem>
<listitem>
<para><filename>modules.*</filename> - File that drives the loading
of Netfilter kernel modules. May be overridden by
<filename>/etc/shorewall/modules</filename>.</para>
</listitem>
<listitem>
<para><filename>prog.*</filename> - Shell program fragments used as
input to the compiler.</para>
</listitem>
<listitem>
<para><filename class="directory">Shorewall</filename> - Directory
containing the Shorewall Perl modules used by the compiler.</para>
</listitem>
<listitem>
<para><filename>shorewallrc</filename> - A file that specifies where
all of the other installed components (from all packages) are
installed.</para>
</listitem>
<listitem>
<para><filename>version</filename> - A file containing the currently
install version of Shorewall.</para>
</listitem>
<listitem>
<para><filename>wait4ifup</filename> - A shell program that <ulink
url="shorewall_extension_scripts.htm">extension scripts</ulink> can
use to delay until a network interface is available.</para>
</listitem>
</itemizedlist>
</section>
<section id="shorewall">
<title>/etc/shorewall (${CONFDIR}/shorewall)</title>
<para>This is where the modifiable IPv4 configuration files are
installed.</para>
</section>
<section id="init">
<title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</title>
<para>An init script is installed here. Depending on the distribution,
it is named <filename>shorewall</filename> or
<filename>rc.firewall</filename>. Only installed on systems where
systemd is not installed.</para>
<para>When systemd is installed, the Shorewall .service files are
installed in the directory specified by the SERVICEDIR variable in
<filename>/usr/share/shorewall/shorewallrc</filename>.</para>
</section>
<section id="var">
<title>/var/lib/shorewall (${VARLIB}/shorewall)</title>
<para>Shorewall doesn't install any files in this directory but rather
uses the directory for storing state information. This directory may be
relocated using <ulink
url="manpages/shorewall-vardir.html">shorewall-vardir</ulink>(5).</para>
<itemizedlist>
<listitem>
<para><filename>.iptables-restore-input</filename> - The file passed
as input to the iptables-restore program to initialize the firewall
during the last <command>start</command> or
<command>restart</command> command (see <ulink
url="manpages/shorewall.html">shorewall</ulink>(8)).</para>
</listitem>
<listitem>
<para><filename>.modules</filename> - The contents of the modules
file used during the last <command>start</command> or
<command>restart</command> command (see <ulink
url="manpages/shorewall.html">shorewall</ulink>(8) for command
information).</para>
</listitem>
<listitem>
<para><filename>.modulesdir</filename> - The MODULESDIR setting
(<ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)) at the
last <command>start</command> or <command>restart</command>.</para>
</listitem>
<listitem>
<para><filename>nat</filename> - This unfortunately-named file
records the IP addresses added by ADD_SNAT_ALIASES=Yes and
ADD_IP_ALIASES=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
<listitem>
<para><filename>proxyarp</filename> - Records the arp entries added
by entries in <ulink
url="manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).</para>
</listitem>
<listitem>
<para><filename>.refresh</filename> - The shell program that
performed the last successful <command>refresh</command>
command.</para>
</listitem>
<listitem>
<para><filename>.restart</filename> - The shell program that
performed the last successful <command>restart</command>
command.</para>
</listitem>
<listitem>
<para><filename>restore</filename> - The default shell program used
to execute <command>restore</command> commands.</para>
</listitem>
<listitem>
<para><filename>.restore</filename> - The shell program that
performed the last successful <command>refresh, restart</command> or
<command>start</command> command.</para>
</listitem>
<listitem>
<para><filename>save</filename> - File created by the
<command>save</command> command and used to restore the dynamic
blacklist during <command>start/restart</command>.</para>
</listitem>
<listitem>
<para><filename>.start</filename> - The shell program that performed
the last successful <command>start</command> command.</para>
</listitem>
<listitem>
<para><filename>state</filename> - Records the current firewall
state.</para>
</listitem>
<listitem>
<para><filename>zones</filename> - Records the current zone
contents.</para>
</listitem>
</itemizedlist>
</section>
</section>
<section id="Shorewall-perl">
<title>Shorewall6</title>
<para>Shorewall6 installs its files in a number of directories:</para>
<section id="sbin6">
<title>/sbin ($SBINDIR)</title>
<para>Prior to Shorewall 5.1.0, the
<filename>/sbin/shorewall6</filename> shell program is used to interact
with Shorewall6. See <ulink
url="manpages6/shorewall6.html">shorewall6</ulink>(8). Beginning with
Shorewall 5.1.0, <filename>/sbin/shorewall6</filename> is a symbolic
link to <filename>/sbin/shorewall</filename>. See <ulink
url="manpages/shorewall.html">shorewall</ulink>(8).</para>
</section>
<section id="share-shorewall6">
<title>/usr/share/shorewall6 (${SHAREDIR}/shorewall6)</title>
<para>The bulk of Shorewall6 is installed here.</para>
<itemizedlist>
<listitem>
<para><filename>action.template</filename> - template file for
creating <ulink url="Actions.html">actions</ulink>.</para>
</listitem>
<listitem>
<para><filename>action.*</filename> - standard Shorewall
actions.</para>
</listitem>
<listitem>
<para><filename>actions.std</filename> - file listing the standard
actions.</para>
</listitem>
<listitem>
<para><filename class="directory">configfiles</filename> - A
directory containing configuration files to copy to create a <ulink
url="Shorewall-Lite.html">Shorewall6-lite export
directory.</ulink></para>
</listitem>
<listitem>
<para><filename><filename>configpath</filename></filename> - A file
containing distribution-specific path assignments.</para>
</listitem>
<listitem>
<para><filename>firewall</filename> - A shell program that handles
the <command>add</command> and <command>delete</command> commands
(see <ulink url="manpages/shorewall.html">shorewall</ulink>(8)). It
also handles the <command>stop</command> and
<command>clear</command> commands when there is no current compiled
firewall script on the system.</para>
</listitem>
<listitem>
<para><filename class="symlink">functions</filename> - A symbolic
link to <filename>lib.base</filename> that provides for
compatibility with older versions of Shorewall.</para>
</listitem>
<listitem>
<para><filename>lib.*</filename> - Shell function libraries used by
the other shell programs.</para>
</listitem>
<listitem>
<para><filename>Macros/*</filename> - The standard Shorewall6 <ulink
url="Macros.html">macros</ulink>.</para>
</listitem>
<listitem>
<para><filename>modules</filename> - File that drives the loading of
Netfilter kernel modules. May be overridden by
<filename>/etc/shorewall/modules</filename>.</para>
</listitem>
<listitem>
<para><filename>version</filename> - A file containing the currently
install version of Shorewall.</para>
</listitem>
<listitem>
<para><filename>wait4ifup</filename> - A shell program that <ulink
url="shorewall_extension_scripts.htm">extension scripts</ulink> can
use to delay until a network interface is available.</para>
</listitem>
</itemizedlist>
</section>
<section id="etc-shorewall6">
<title>/etc/shorewall6 (${CONFDIR}/shorewall6)</title>
<para>This is where the modifiable IPv6 configuration files are
installed.</para>
</section>
<section id="init6">
<title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</title>
<para>An init script is installed here. Depending on the distribution,
it is named <filename>shorewall6</filename> or
<filename>rc.firewall</filename>. Only installed on systems where
systemd is not installed.</para>
<para>When systemd is installed, the Shorewall .service files are
installed in the directory specified by the SERVICEDIR variable in
<filename>/usr/share/shorewall/shorewallrc</filename>.</para>
</section>
<section id="var-shorewall6">
<title>/var/lib/shorewall6 (${VARLIB}/shorewall6)</title>
<para>Shorewall6 doesn't install any files in this directory but rather
uses the directory for storing state information. This directory may be
relocated using <ulink
url="manpages/shorewall-vardir.html">shorewall-vardir</ulink>(5).</para>
<itemizedlist>
<listitem>
<para><filename>.ip6tables-restore-input</filename> - The file
passed as input to the ip6tables-restore program to initialize the
firewall during the last <command>start</command> or
<command>restart</command> command (see <ulink
url="manpages6/shorewall6.html">shorewall6</ulink>(8)).</para>
</listitem>
<listitem>
<para><filename>.modules</filename> - The contents of the modules
file used during the last <command>start</command> or
<command>restart</command> command (see <ulink
url="manpages6/shorewall6.html">shorewall</ulink>(8) for command
information).</para>
</listitem>
<listitem>
<para><filename>.modulesdir</filename> - The MODULESDIR setting
(<ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)) at the
last <command>start</command> or <command>restart</command>.</para>
</listitem>
<listitem>
<para><filename>.refresh</filename> - The shell program that
performed the last successful <command>refresh</command>
command.</para>
</listitem>
<listitem>
<para><filename>.restart</filename> - The shell program that
performed the last successful <command>restart</command>
command.</para>
</listitem>
<listitem>
<para><filename>restore</filename> - The default shell program used
to execute <command>restore</command> commands.</para>
</listitem>
<listitem>
<para><filename>.restore</filename> - The shell program that
performed the last successful <command>refresh, restart</command> or
<command>start</command> command.</para>
</listitem>
<listitem>
<para><filename>save</filename> - File created by the
<command>save</command> command and used to restore the dynamic
blacklist during <command>start/restart</command>.</para>
</listitem>
<listitem>
<para><filename>.start</filename> - The shell program that performed
the last successful <command>start</command> command.</para>
</listitem>
<listitem>
<para><filename>state</filename> - Records the current firewall
state.</para>
</listitem>
<listitem>
<para><filename>zones</filename> - Records the current zone
contents.</para>
</listitem>
</itemizedlist>
</section>
</section>
<section id="Shorewall-lite">
<title>Shorewall-lite</title>
<para>The Shorewall-lite product includes files installed in <filename
class="directory">/sbin</filename>, <filename
class="directory">/usr/share/shorewall-lite</filename>, <filename
class="directory">/etc/shorewall-lite</filename>,
<filename>/etc/init.d</filename> and <filename
class="directory">/var/lib/shorewall-lite/</filename>. These are described
in the sub-sections that follow.</para>
<section id="sbin-lite">
<title>/sbin ($SBINDIR)</title>
<para>The <filename>/sbin/shorewall-lite</filename> shell program is
used to interact with Shorewall lite. See <ulink
url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8). Beginning
with Shorewall 5.1.0, <filename>/sbin/shorewall-lite</filename> is a
symbolic link to <filename>/sbin/shorewall</filename>. See <ulink
url="manpages/shorewall.html">shorewall</ulink>(8).</para>
</section>
<section id="init-lite">
<title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</title>
<para>An init script is installed here. Depending on the distribution,
it is named <filename>shorewall-lite</filename> or
<filename>rc.firewall</filename>. Only installed on systems where
systemd is not installed.</para>
<para>When systemd is installed, the Shorewall .service files are
installed in the directory specified by the SERVICEDIR variable in
<filename>/usr/share/shorewall/shorewallrc</filename>.</para>
</section>
<section id="shorewall-lite">
<title>/etc/shorewall-lite (${CONFDIR}/shorewall-lite)</title>
<para>This is where the modifiable configuration files are
installed.</para>
</section>
<section id="share-lite">
<title>/usr/share/shorewall-lite (${SHAREDIR}/shorewall-lite)</title>
<para>The bulk of Shorewall-lite is installed here.</para>
<itemizedlist>
<listitem>
<para><filename><filename>configpath</filename></filename> - A file
containing distribution-specific path assignments.</para>
</listitem>
<listitem>
<para><filename class="symlink">functions</filename> - A symbolic
link to <filename>lib.base</filename> that provides for
compatibility with older versions of Shorewall.</para>
</listitem>
<listitem>
<para><filename>lib.base</filename> - Shell function librarie used
by the other shell programs. This is a thin wrapper around
<filename>/usr/share/shorewall/lib.base</filename>.</para>
</listitem>
<listitem>
<para><filename>modules</filename>* - Files that drive the loading
of Netfilter kernel modules. May be overridden by
<filename>/etc/shorewall-lite/modules</filename>.</para>
</listitem>
<listitem>
<para><filename>shorecap</filename> - A shell program used for
generating capabilities files. See the <ulink
url="Shorewall-Lite.html">Shorewall-lite
documentation</ulink>.</para>
</listitem>
<listitem>
<para><filename>version</filename> - A file containing the currently
install version of Shorewall.</para>
</listitem>
<listitem>
<para><filename>wait4ifup</filename> - A shell program that <ulink
url="shorewall_extension_scripts.htm">extension scripts</ulink> can
use to delay until a network interface is available.</para>
</listitem>
</itemizedlist>
</section>
<section id="var-lite">
<title>/var/lib/shorewall-lite (${VARLIB}/shorewall-lite)</title>
<para>Shorewall-lite doesn't install any files in this directory but
rather uses the directory for storing state information. This directory
may be relocated using <ulink
url="manpages/shorewall-lite-vardir.html">shorewall-lite-vardir</ulink>(5).</para>
<itemizedlist>
<listitem>
<para><filename>firewall</filename> - Compiled shell script
installed by running the load or reload command on the
administrative system (see <ulink
url="manpages/shorewall.html">shorewall</ulink>(8)).</para>
</listitem>
<listitem>
<para><filename>firewall.conf</filename> - Digest of the
shorewall.conf file used to compile the firewall script on the
administrative system.</para>
</listitem>
</itemizedlist>
<itemizedlist>
<listitem>
<para><filename>.iptables-restore-input</filename> - The file passed
as input to the iptables-restore program to initialize the firewall
during the last <command>start</command> or
<command>restart</command> command (see <ulink
url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8)).</para>
</listitem>
<listitem>
<para><filename>.modules</filename> - The contents of the modules
file used during the last <command>start</command> or
<command>restart</command> command (see <ulink
url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8) for
command information).</para>
</listitem>
<listitem>
<para><filename>.modulesdir</filename> - The MODULESDIR setting
(<ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)) at the
last <command>start</command> or <command>restart.</command></para>
</listitem>
<listitem>
<para><filename>nat</filename> - This unfortunately-named file
records the IP addresses added by ADD_SNAT_ALIASES=Yes and
ADD_IP_ALIASES=Yes in <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
<listitem>
<para><filename>proxyarp</filename> - Records the arp entries added
by entries in <ulink
url="manpages/shorewall-proxyarp.html">shorewall-proxyarp</ulink>(5).</para>
</listitem>
<listitem>
<para><filename>.refresh</filename> - The shell program that
performed the last successful <command>refresh</command>
command.</para>
</listitem>
<listitem>
<para><filename>.restart</filename> - The shell program that
performed the last successful <command>restart</command>
command.</para>
</listitem>
<listitem>
<para><filename>restore</filename> - The default shell program used
to execute <command>restore</command> commands.</para>
</listitem>
<listitem>
<para><filename>.restore</filename> - The shell program that
performed the last successful <command>refresh, restart</command> or
<command>start</command> command.</para>
</listitem>
<listitem>
<para><filename>save</filename> - File created by the
<command>save</command> command and used to restore the dynamic
blacklist during <command>start/restart</command>.</para>
</listitem>
<listitem>
<para><filename>.start</filename> - The shell program that performed
the last successful <command>start</command> command.</para>
</listitem>
<listitem>
<para><filename>state</filename> - Records the current firewall
state.</para>
</listitem>
<listitem>
<para><filename>zones</filename> - Records the current zone
contents.</para>
</listitem>
</itemizedlist>
</section>
</section>
<section id="Shorewall6-lite">
<title>Shorewall6-lite</title>
<para>The Shorewall6-lite product includes files installed in <filename
class="directory">/sbin</filename>, <filename
class="directory">/usr/share/shorewall6-lite</filename>, <filename
class="directory">/etc/shorewall6-lite</filename>,
<filename>/etc/init.d</filename> and <filename
class="directory">/var/lib/shorewall6-lite/</filename>. These are
described in the sub-sections that follow.</para>
<section id="sbin-lite6">
<title>/sbin</title>
<para>The <filename>/sbin/shorewall6-lite</filename> shell program is
use to interact with Shorewall lite. See <ulink
url="manpages6/shorewall6-lite.html">shorewall6-lite</ulink>(8).
Beginning with Shorewall 5.1.0,
<filename>/sbin/shorewall6</filename>-lite is a symbolic link to
<filename>/sbin/shorewall</filename>. See <ulink
url="manpages/shorewall.html">shorewall</ulink>(8).</para>
</section>
<section id="init-6lite">
<title>/etc/init.d or /etc/rc.d (depends on distribution) ($INITDIR) or
/lib/systemd/system ($SERVICEDIR)</title>
<para>An init script is installed here. Depending on the distribution,
it is named <filename>shorewall</filename>6-lite or
<filename>rc.firewall</filename>. Only installed on systems where
systemd is not installed.</para>
<para>When systemd is installed, the Shorewall .service files are
installed in the directory specified by the SERVICEDIR variable in
<filename>/usr/share/shorewall/shorewallrc</filename>.</para>
</section>
<section id="etc-shorewall6-lite">
<title>/etc/shorewall6-lite (${CONFDIR}/shorewall6-lite)</title>
<para>This is where the modifiable configuration files are
installed.</para>
</section>
<section id="share-lite6">
<title>/usr/share/shorewall6-lite (${SHAREDIR}/shorewall6-lite)</title>
<para>The bulk of Shorewall-lite is installed here.</para>
<itemizedlist>
<listitem>
<para><filename><filename>configpath</filename></filename> - A file
containing distribution-specific path assignments.</para>
</listitem>
<listitem>
<para><filename class="symlink">functions</filename> - A symbolic
link to <filename>lib.base</filename> that provides for
compatibility with older versions of Shorewall.</para>
</listitem>
<listitem>
<para><filename>lib.base</filename> - Shell function librarie used
by the other shell programs. This is a thin wrapper around
<filename>/usr/share/shorewall/lib.base</filename>.</para>
</listitem>
<listitem>
<para><filename>modules</filename>* - Files that drive the loading
of Netfilter kernel modules. May be overridden by
<filename>/etc/shorewall-lite/modules</filename>.</para>
</listitem>
<listitem>
<para><filename>shorecap</filename> - A shell program used for
generating capabilities files. See the <ulink
url="Shorewall-Lite.html">Shorewall-lite
documentation</ulink>.</para>
</listitem>
<listitem>
<para><filename>version</filename> - A file containing the currently
install version of Shorewall.</para>
</listitem>
<listitem>
<para><filename>wait4ifup</filename> - A shell program that <ulink
url="shorewall_extension_scripts.htm">extension scripts</ulink> can
use to delay until a network interface is available.</para>
</listitem>
</itemizedlist>
</section>
<section id="var-lite6">
<title>/var/lib/shorewall6-lite (${VARLIB}/shorewall6-lite)</title>
<para>Shorewall6-lite doesn't install any files in this directory but
rather uses the directory for storing state information. This directory
may be relocated using <ulink
url="manpages/shorewall-lite-vardir.html">shorewall-lite-vardir</ulink>(5).</para>
<itemizedlist>
<listitem>
<para><filename>firewall</filename> - Compiled shell script
installed by running the load or reload command on the
administrative system (see <ulink
url="manpages/shorewall.html">shorewall6</ulink>(8)).</para>
</listitem>
<listitem>
<para><filename>firewall.conf</filename> - Digest of the
shorewall.conf file used to compile the firewall script on the
administrative system.</para>
</listitem>
</itemizedlist>
<itemizedlist>
<listitem>
<para><filename>.ip6tables-restore-input</filename> - The file
passed as input to the ip6tables-restore program to initialize the
firewall during the last <command>start</command> or
<command>restart</command> command (see <ulink
url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8)).</para>
</listitem>
<listitem>
<para><filename>.modules</filename> - The contents of the modules
file used during the last <command>start</command> or
<command>restart</command> command (see <ulink
url="manpages/shorewall-lite.html">shorewall-lite</ulink>(8) for
command information).</para>
</listitem>
<listitem>
<para><filename>.modulesdir</filename> - The MODULESDIR setting
(<ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5)) at the
last <command>start</command> or <command>restart.</command></para>
</listitem>
<listitem>
<para><filename>.refresh</filename> - The shell program that
performed the last successful <command>refresh</command>
command.</para>
</listitem>
<listitem>
<para><filename>.restart</filename> - The shell program that
performed the last successful <command>restart</command>
command.</para>
</listitem>
<listitem>
<para><filename>restore</filename> - The default shell program used
to execute <command>restore</command> commands.</para>
</listitem>
<listitem>
<para><filename>.restore</filename> - The shell program that
performed the last successful <command>refresh, restart</command> or
<command>start</command> command.</para>
</listitem>
<listitem>
<para><filename>save</filename> - File created by the
<command>save</command> command and used to restore the dynamic
blacklist during <command>start/restart</command>.</para>
</listitem>
<listitem>
<para><filename>.start</filename> - The shell program that performed
the last successful <command>start</command> command.</para>
</listitem>
<listitem>
<para><filename>state</filename> - Records the current firewall
state.</para>
</listitem>
<listitem>
<para><filename>zones</filename> - Records the current zone
contents.</para>
</listitem>
</itemizedlist>
</section>
</section>
</article>