mirror of
https://gitlab.com/shorewall/code.git
synced 2025-01-05 21:18:49 +01:00
b66929a65e
1) Elimination of the "shorewall monitor" command. 2) The /etc/shorewall/ipsec and /etc/shorewall/zones file are combined into a single /etc/shorewall/zones file. This is done in an upwardly-compatible way so that current users can continue to use their existing files. 3) Support has been added for the arp_ignore interface option. 4) DROPINVALID has been removed from shorewall.conf. Behavior is as if DROPINVALID=No was specified. 5) The 'nobogons' option and BOGON_LOG_LEVEL are removed. 6) Error and warning messages have been made easier to spot by using capitalization (e.g., ERROR: and WARNING:). 7) The /etc/shorewall/policy file now contains a new connection policy and a policy for ESTABLISHED packets. Useful for users of snort-inline who want to pass all packets to the QUEUE target. 8) A new 'critical' option has been added to /etc/shorewall/routestopped. Shorewall insures communication between the firewall and 'critical' hosts throughout start, restart, stop and clear. Useful for diskless firewall's with NFS-mounted file systems, LDAP servers, Crossbow, etc. 9) Macros. Macros are very similar to actions but are easier to use, allow parameter substitution and are more efficient. Almost all of the standard actions have been converted to macros in the EXPERIMENTAL branch. 10) The default value of ADD_IP_ALIASES in shorewall.conf is changed to No. 11) If you have 'make' installed on your firewall, then when you use the '-f' option to 'shorewall start' (as happens when you reboot), if your /etc/shorewall/ directory contains files that were modified after Shorewall was last restarted then Shorewall is started using the config files rather than using the saved configuration. git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2409 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
339 lines
11 KiB
Bash
Executable File
339 lines
11 KiB
Bash
Executable File
#!/bin/sh
|
|
#
|
|
# Shorewall help subsystem - V2.6
|
|
#
|
|
#
|
|
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
|
#
|
|
# (c) 2003-2005 - Tom Eastep (teastep@shorewall.net)
|
|
# Steve Herber (herber@thing.com)
|
|
#
|
|
# This file should be placed in /usr/share/shorewall/help
|
|
#
|
|
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
|
#
|
|
# This program is free software; you can redistribute it and/or modify
|
|
# it under the terms of Version 2 of the GNU General Public License
|
|
# as published by the Free Software Foundation.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with this program; if not, write to the Free Software
|
|
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
|
|
##################################################################################
|
|
|
|
case $1 in
|
|
|
|
add)
|
|
echo "add: add <interface>[:<host-list>] ... <zone>
|
|
Adds a list of hosts or subnets to a dynamic zone usually used with VPN's.
|
|
|
|
shorewall add interface:host-list ... zone - Adds the specified interface
|
|
(and host-list if included) to the specified zone.
|
|
|
|
A host-list is a comma-separated list whose elements are:
|
|
|
|
A host or network address
|
|
The name of a bridge port
|
|
The name of a bridge port followed by a colon (":") and a host or
|
|
network address.
|
|
|
|
Example:
|
|
|
|
shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
|
|
from interface ipsec0 to the zone vpn1.
|
|
|
|
See also \"help host\""
|
|
;;
|
|
|
|
address|host)
|
|
echo "<$1>:
|
|
May be either a host IP address such as 192.168.1.4 or a network address in
|
|
CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange
|
|
match support then IP address ranges of the form <low address>-<high address>
|
|
are also permitted. If your kernel and iptables contain ipset match support
|
|
then you may specify the name of an ipset prefaced by "+". The name of the
|
|
ipsec may be optionally followed by a number of levels of ipset bindings
|
|
(1 - 6) that are to be followed"
|
|
;;
|
|
|
|
allow)
|
|
echo "allow: allow <address> ...
|
|
Re-enables receipt of packets from hosts previously blacklisted
|
|
by a drop or reject command.
|
|
|
|
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
|
|
|
See also \"help address\""
|
|
;;
|
|
|
|
check)
|
|
echo "check: check [ <configuration-directory> ]
|
|
Performs a cursory validation of the zones, interfaces, hosts,
|
|
rules and policy files. Use this if you are unsure of any edits
|
|
you have made to the shorewall configuration. See the try command
|
|
examples for a recommended way to make changes."
|
|
;;
|
|
|
|
clear)
|
|
echo "clear: clear
|
|
Clear will remove all rules and chains installed by Shoreline.
|
|
The firewall is then wide open and unprotected. Existing
|
|
connections are untouched. Clear is often used to see if the
|
|
firewall is causing connection problems."
|
|
;;
|
|
|
|
debug)
|
|
echo "debug: debug
|
|
If you include the keyword debug as the first argument to any
|
|
of these commands:
|
|
|
|
start|stop|restart|reset|clear|refresh|check|add|delete
|
|
|
|
then a shell trace of the command is produced. For example:
|
|
|
|
shorewall debug start 2> /tmp/trace
|
|
|
|
The above command would trace the 'start' command and
|
|
place the trace information in the file /tmp/trace.
|
|
|
|
The word 'trace' is a synonym for 'debug'."
|
|
;;
|
|
|
|
delete)
|
|
echo "delete: delete <interface>[:<host-list>] ... <zone>
|
|
Deletes a list of hosts or networks from a dynamic zone usually used with VPN's.
|
|
|
|
shorewall delete interface[:host-list] ... zone - Deletes the specified
|
|
interfaces (and host list if included) from the specified zone.
|
|
|
|
A host-list is a comma-separated list whose elements are:
|
|
|
|
A host or network address
|
|
The name of a bridge port
|
|
The name of a bridge port followed by a colon (":") and a host or
|
|
network address.
|
|
|
|
Example:
|
|
|
|
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address
|
|
192.0.2.24 from interface ipsec0 from zone vpn1
|
|
|
|
See also \"help host\""
|
|
;;
|
|
|
|
drop)
|
|
echo "$1: $1 <address> ...
|
|
Causes packets from the specified <address> to be ignored
|
|
|
|
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
|
|
|
See also \"help address\""
|
|
;;
|
|
|
|
forget)
|
|
echo "forget: forget [ <file name> ]
|
|
Deletes /var/lib/shorewall/<file name>. If no <file name> is given then
|
|
the file specified by RESTOREFILE in shorewall.conf is removed.
|
|
|
|
See also \"help save\""
|
|
;;
|
|
|
|
help)
|
|
echo "help: help [<command> | host | address ]
|
|
Display helpful information about the shorewall commands."
|
|
;;
|
|
|
|
hits)
|
|
echo "hits: hits
|
|
Produces several reports about the Shorewall packet log messages
|
|
in the current /var/log/messages file."
|
|
;;
|
|
|
|
ipcalc)
|
|
echo "ipcalc: ipcalc [ address mask | address/vlsm ]
|
|
Ipcalc displays the network address, broadcast address,
|
|
network in CIDR notation and netmask corresponding to the input[s]."
|
|
;;
|
|
|
|
iprange)
|
|
echo "iprange: iprange address1-address2
|
|
Iprange decomposes the specified range of IP addresses into the
|
|
equivalent list of network/host addresses."
|
|
;;
|
|
|
|
logwatch)
|
|
echo "logwatch: logwatch [<refresh interval>]
|
|
Monitors the LOGFILE, $LOGFILE,
|
|
and produces an audible alarm when new Shorewall messages are logged."
|
|
;;
|
|
|
|
refresh)
|
|
echo "refresh: [ -q ] refresh
|
|
The rules involving the broadcast addresses of firewall interfaces,
|
|
the black list, traffic control rules and ECN control rules are recreated
|
|
to reflect any changes made. Existing connections are untouched
|
|
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
|
;;
|
|
|
|
reject)
|
|
echo "$1: $1 <address> ...
|
|
Causes packets from the specified <address> to be rejected
|
|
|
|
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
|
|
|
See also \"help address\""
|
|
;;
|
|
|
|
reset)
|
|
echo "reset: reset
|
|
All the packet and byte counters in the firewall are reset."
|
|
;;
|
|
|
|
restart)
|
|
echo "restart: [ -q ] restart [ <configuration-directory> ]
|
|
Restart is the same as a shorewall stop && shorewall start.
|
|
Existing connections are maintained.
|
|
If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
|
|
;;
|
|
|
|
safe-restart)
|
|
echo "safe-restart: safe-restart
|
|
Restart the same way as a shorewall restart except that previous firewall
|
|
configuration is backed up and will be restored if you notice any anomalies
|
|
or you are not able to reach the firewall any more."
|
|
;;
|
|
|
|
safe-start)
|
|
echo "safe-start: safe-start
|
|
Start the same way as a shorewall start except that in case of anomalies
|
|
shorewall clear is issued. "
|
|
;;
|
|
|
|
restore)
|
|
echo "restore: restore [ <file name> ]
|
|
Restore Shorewall to a state saved using the 'save' command
|
|
Existing connections are maintained. The <file name> names a restore file in
|
|
/var/lib/shorewall created using "shorewall save"; if no <file name> is given
|
|
then Shorewall will be restored from the file specified by the RESTOREFILE
|
|
option in shorewall.conf.
|
|
|
|
See also \"help save\" and \"help forget\""
|
|
;;
|
|
|
|
save)
|
|
echo "save: save [ <file name> ]
|
|
The dynamic data is stored in /var/lib/shorewall/save. The state of the
|
|
firewall is stored in /var/lib/shorewall/<file name> for use by the 'shorewall restore'
|
|
and 'shorewall -f start' commands. If <file name> is not given then the state is saved
|
|
in the file specified by the RESTOREFILE option in shorewall.conf.
|
|
|
|
Shorewall allow, drop, rejct and save implement dynamic blacklisting.
|
|
|
|
See also \"help restore\" and \"help forget\""
|
|
;;
|
|
|
|
show)
|
|
echo "show: show [ <chain> [ <chain> ...] |actions|classifiers|connections|log|nat|tc|tos|zones]
|
|
|
|
shorewall [-x] show <chain> [ <chain> ... ] - produce a verbose report about the IPtable chain(s).
|
|
(iptables -L chain -n -v)
|
|
|
|
shorewall show actions - produce a list of builtin actions and actions defined in /usr/share/shorewall/actions.std and /etc/shorewall
|
|
|
|
shorewall [-x] show nat - produce a verbose report about the nat table.
|
|
(iptables -t nat -L -n -v)
|
|
|
|
shorewall [-x] show tos - produce a verbose report about the mangle table.
|
|
(iptables -t mangle -L -n -v)
|
|
|
|
shorewall show log - display the last 20 packet log entries.
|
|
|
|
shorewall show connections - displays the IP connections currently
|
|
being tracked by the firewall.
|
|
|
|
shorewall show tc - displays information about the traffic
|
|
control/shaping configuration.
|
|
|
|
shorewall show zones - displays the contents of all zones.
|
|
|
|
shorewall show capabilities - displays your kernel/iptables capabilities
|
|
|
|
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
|
;;
|
|
|
|
start)
|
|
echo "start: [ -q ] [ -f ] start [ <configuration-directory> ]
|
|
Start shorewall. Existing connections through shorewall managed
|
|
interfaces are untouched. New connections will be allowed only
|
|
if they are allowed by the firewall rules or policies.
|
|
If \"-q\" is specified, less detail is displayed making it easier to spot warnings
|
|
If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option
|
|
in shorewall.conf will be restored if that saved configuration exists. In that
|
|
case, a <configuration-directory> may not be specified".
|
|
;;
|
|
|
|
stop)
|
|
echo "stop: stop
|
|
Stops the firewall. All existing connections, except those
|
|
listed in /etc/shorewall/routestopped, are taken down.
|
|
The only new traffic permitted through the firewall
|
|
is from systems listed in /etc/shorewall/routestopped."
|
|
;;
|
|
|
|
status)
|
|
echo "status: status
|
|
|
|
shorewall [-x] status
|
|
|
|
Produce a verbose report about the firewall.
|
|
|
|
(iptables -L -n -)
|
|
|
|
When -x is given, that option is also passed to iptables to display actual packet and byte counts."
|
|
;;
|
|
|
|
trace)
|
|
echo "trace: trace
|
|
If you include the keyword trace as the first argument to any
|
|
of these commands:
|
|
|
|
start|stop|restart|reset|clear|refresh|check|add|delete
|
|
|
|
then a shell trace of the command is produced. For example:
|
|
|
|
shorewall trace start 2> /tmp/trace
|
|
|
|
The above command would trace the 'start' command and
|
|
place the trace information in the file /tmp/trace.
|
|
|
|
The word 'debug' is a synonym for 'trace'."
|
|
;;
|
|
|
|
try)
|
|
echo "try: try <configuration-directory> [ <timeout> ]
|
|
Restart shorewall using the specified configuration. If an error
|
|
occurs during the restart, then another shorewall restart is performed
|
|
using the default configuration. If a timeout is specified then
|
|
the restart is always performed after the timeout occurs and uses
|
|
the default configuration."
|
|
;;
|
|
|
|
version)
|
|
echo "version: version
|
|
Show the current shorewall version which is: $version"
|
|
;;
|
|
|
|
*)
|
|
echo "$1: $1 is not recognized by the help command"
|
|
;;
|
|
|
|
esac
|
|
|
|
exit 0 # always ok
|
|
|