Signed-off-by: Tom Eastep <teastep@shorewall.net>
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall6</refentrytitle>
|
|
|
|
<manvolnum>8</manvolnum>
|
|
|
|
<refmiscinfo>Administrative Commands</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>shorewall6</refname>
|
|
|
|
<refpurpose>Administration tool for Shoreline Firewall 6
|
|
(Shorewall6)</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>add {</option></arg>
|
|
|
|
<arg choice="plain"
|
|
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
|
|
|
|
<arg choice="plain"><replaceable>zone | zone host-list
|
|
</replaceable><option>}</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>allow</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>blacklist</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable><arg
|
|
choice="plain"><arg><replaceable>option
|
|
...</replaceable></arg></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>call</option></arg>
|
|
|
|
<arg
|
|
choice="plain"><replaceable>function</replaceable><arg><replaceable>parameter</replaceable>
|
|
...</arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="opt"><option>check | ck </option></arg>
|
|
|
|
<arg><option>-e</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-p</option></arg>
|
|
|
|
<arg><option>-r</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-i</option></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>clear</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>close</option><arg choice="req">
|
|
<replaceable>open-number</replaceable> |
|
|
<replaceable>source</replaceable><replaceable>dest</replaceable><arg><replaceable>protocol</replaceable><arg>
|
|
<replaceable>port</replaceable> </arg></arg></arg><replaceable>
|
|
</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="opt"><option>compile | co </option></arg>
|
|
|
|
<arg><option>-e</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-i</option></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
|
|
<arg choice="opt"><replaceable>pathname</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>delete {</option></arg>
|
|
|
|
<arg choice="plain"
|
|
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
|
|
|
|
<arg choice="plain"><replaceable>zone | zone host-list
|
|
</replaceable><option>}</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>disable</option></arg>
|
|
|
|
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
|
<replaceable>provider</replaceable> }</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>drop</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>dump</option></arg>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg><option>-l</option></arg>
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>enable</option></arg>
|
|
|
|
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
|
<replaceable>provider</replaceable> }</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>export</option></arg>
|
|
|
|
<arg choice="opt"><replaceable>directory1</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain">[<replaceable>user</replaceable>@]<replaceable>system</replaceable>[<option>:</option><replaceable>directory2</replaceable>]</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>forget</option></arg>
|
|
|
|
<arg><replaceable>filename</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>help</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>iptrace</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>iptables match
|
|
expression</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>logdrop</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>logwatch</option></arg>
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
<arg><replaceable>refresh-interval</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>logreject</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>noiptrace</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>iptables match
|
|
expression</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>open</option><replaceable>
|
|
source</replaceable><replaceable> dest</replaceable><arg>
|
|
<replaceable>protocol</replaceable><arg> <replaceable>port</replaceable>
|
|
</arg> </arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>reenable</option></arg>
|
|
|
|
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
|
<replaceable>provider</replaceable> }</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>refresh</option><arg><option>-n</option></arg><arg><option>-d</option></arg><arg><option>-T</option></arg><arg><option>-i</option></arg><arg>-<option>D</option>
|
|
<replaceable>directory</replaceable> </arg><arg
|
|
rep="repeat"><replaceable>chain</replaceable></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>reject</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>remote-start</option></arg>
|
|
|
|
<arg><option>-s</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-i</option></arg>
|
|
|
|
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
|
|
|
<arg choice="opt"><replaceable>system</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>remote-reload</option></arg>
|
|
|
|
<arg><option>-s</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-i</option></arg>
|
|
|
|
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
|
|
|
<arg choice="opt"><replaceable>system</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>remote-restart</option></arg>
|
|
|
|
<arg><option>-s</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-i</option></arg>
|
|
|
|
<arg><arg><option>-D</option></arg><replaceable>directory</replaceable></arg>
|
|
|
|
<arg choice="opt"><replaceable>system</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>reset</option><arg><replaceable>chain</replaceable>
|
|
...</arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>reload</option></arg>
|
|
|
|
<arg><option>-n</option></arg>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-i</option><arg><option>-C</option></arg></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>restart</option></arg>
|
|
|
|
<arg><option>-n</option></arg>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-i</option><arg><option>-C</option></arg></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>restore</option><arg><option>-C</option></arg></arg>
|
|
|
|
<arg><replaceable>filename</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>run</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>command</replaceable></arg>
|
|
|
|
<arg><replaceable>parameter ...</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>safe-reload</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>safe-restart</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>safe-start</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>save</option><arg><option>-C</option></arg></arg>
|
|
|
|
<arg choice="opt"><replaceable>filename</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>savesets</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg choice="plain"><option>{bl|blacklists}</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg><option>-b</option></arg>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg><option>-l</option></arg>
|
|
|
|
<arg><option>-t</option>
|
|
{<option>filter</option>|<option>mangle</option>|<option>raw</option>}</arg>
|
|
|
|
<arg><arg><option>chain</option></arg><arg choice="plain"
|
|
rep="repeat"><replaceable>chain</replaceable></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<arg choice="plain"><option>capabilities</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg
|
|
choice="req"><option>actions|classifiers|connections|config|events|filters|ip|macros|zones|policies|tc|marks</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg choice="plain"><option>event</option><arg
|
|
choice="plain"><replaceable>event</replaceable></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg choice="plain"><option>routing</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg choice="req"><option>mangle|nat|raw|rawpost</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg choice="plain"><option>tc</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="req"><option>show | list | ls </option></arg>
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
<arg choice="plain"><option>log</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>start</option></arg>
|
|
|
|
<arg><option>-n</option></arg>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-i</option><arg><option>-C</option></arg></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>stop</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><arg
|
|
choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>try</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>directory</replaceable></arg>
|
|
|
|
<arg><replaceable>timeout</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>update</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-r</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-a</option></arg>
|
|
|
|
<arg><option>-i</option></arg>
|
|
|
|
<arg><option>-A</option></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall6</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>The shorewall6 utility is used to control the Shoreline Firewall 6
|
|
(Shorewall6).</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
|
|
<para>The <option>trace</option> and <option>debug</option> options are
|
|
used for debugging. See <ulink
|
|
url="/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
|
|
|
<para>The <option>nolock</option> option prevents the command from
|
|
attempting to acquire the Shorewall6 lockfile. It is useful if you need to
|
|
include <command>shorewall6</command> commands in
|
|
<filename>/etc/shorewall6/started</filename>.</para>
|
|
|
|
<para>The <emphasis>options</emphasis> control the amount of output that
|
|
the command produces. They consist of a sequence of the letters <emphasis
|
|
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
|
options are omitted, the amount of output is determined by the setting of
|
|
the VERBOSITY parameter in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). Each
|
|
<emphasis role="bold">v</emphasis> adds one to the effective verbosity and
|
|
each <emphasis role="bold">q</emphasis> subtracts one from the effective
|
|
VERBOSITY. Alternatively, <emphasis role="bold">v</emphasis> may be
followed immediately with one of -1,0,1,2 to specify a specific VERBOSITY.
|
|
There may be no white-space between <emphasis role="bold">v</emphasis> and
|
|
the VERBOSITY.</para>
|
|
|
|
<para>The <emphasis>options</emphasis> may also include the letter
|
|
<option>t</option> which causes all progress messages to be
|
|
timestamped.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Commands</title>
|
|
|
|
<para>The available commands are listed below.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">add </emphasis>{
|
|
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
|
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
|
<replaceable>host-list</replaceable> }</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.21. Adds a list of hosts or subnets to
|
|
a dynamic zone, usually one used with VPNs.</para>
|
|
|
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
|
defined in the <ulink
|
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
|
file. A <emphasis>host-list</emphasis> is a comma-separated list whose
|
|
elements are host or network addresses.<caution>
|
|
<para>The <command>add</command> command is not very robust. If
|
|
there are errors in the <replaceable>host-list</replaceable>,
|
|
you may see a large number of error messages yet a subsequent
|
|
<command>shorewall show zones</command> command will indicate
|
|
that all hosts were added. If this happens, replace
|
|
<command>add</command> by <command>delete</command> and run the
|
|
same command again. Then enter the correct command.</para>
|
|
</caution></para>
|
|
|
|
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
|
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
|
|
allows a single ipset to handle entries for multiple interfaces.
|
|
When that option is specified for a zone, the <command>add</command>
|
|
command has the alternative syntax in which the
|
|
<replaceable>zone</replaceable> name precedes the
|
|
<replaceable>host-list</replaceable>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">allow
|
|
</emphasis><replaceable>address</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Re-enables receipt of packets from hosts previously
|
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
|
role="bold">logdrop</emphasis>, <emphasis
|
|
role="bold">reject</emphasis>, or <emphasis
|
|
role="bold">logreject</emphasis> command. Beginning with Shorewall
|
|
5.0.10, this command can also re-enable addresses blacklisted using
|
|
the <command>blacklist</command> command.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">blacklist</emphasis>
|
|
<replaceable>address</replaceable> [ <replaceable>option</replaceable>
|
|
... ]</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 5.0.8 and requires
|
|
DYNAMIC_BLACKLIST=ipset.. in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
|
Causes packets from the given host or network
|
|
<replaceable>address</replaceable> to be dropped, based on the
|
|
setting of BLACKLIST in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
|
The <replaceable>address</replaceable>, along with any
<replaceable>option</replaceable>s, is passed to the <command>ipset
add</command> command.</para>
|
|
|
|
<para>If the <option>disconnect</option> option is specified in the
|
|
DYNAMIC_BLACKLIST setting, then the effective VERBOSITY
|
|
determines the amount of information displayed:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If the effective verbosity is > 0, then a message
|
|
giving the number of conntrack flows deleted by the command is
|
|
displayed.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If the effective verbosity is > 1, then the conntrack
|
|
table entries deleted by the command are also displayed.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">call <replaceable>function</replaceable> [
|
|
<replaceable>parameter</replaceable> ... ]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.6.10. Allows you to call a function in
|
|
one of the Shorewall libraries or in your compiled script.
<replaceable>function</replaceable> must name the shell function to be
called. The listed parameters are
|
|
passed to the function.</para>
|
|
|
|
<para>The function is first searched for in
|
|
<filename>lib.base</filename>, <filename>lib.common</filename>,
|
|
<filename>lib.cli</filename> and <filename>lib.cli-std</filename>.
|
|
If it is not found, the call command is passed to the generated
|
|
script to be executed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">check </emphasis>[-<option>e</option>]
|
|
[-<option>d</option>] [-<option>p</option>] [-<option>r</option>]
|
|
[-<option>T</option>] [-<option>i</option>]
|
|
[<replaceable>directory</replaceable>]</term>
|
|
|
|
<listitem>
|
|
<para>Compiles the configuration in the specified
|
|
<emphasis>directory</emphasis> and discards the compiled output
|
|
script. If no <emphasis>directory</emphasis> is given, then
|
|
<filename class="directory">/etc/shorewall6</filename> is
|
|
assumed.</para>
|
|
|
|
<para>The <option>-e</option> option causes the compiler to look for
|
|
a file named capabilities. This file is produced using the command
|
|
<command>shorewall6-lite show -f capabilities >
|
|
capabilities</command> on a system with Shorewall6 Lite
|
|
installed.</para>
|
|
|
|
<para>The <option>-d</option> option causes the compiler to be run
|
|
under control of the Perl debugger.</para>
|
|
|
|
<para>The <option>-p</option> option causes the compiler to be
|
|
profiled via the Perl <option>-wd:DProf</option> command-line
|
|
option.</para>
|
|
|
|
<para>The <option>-r</option> option was added in Shorewall 4.5.2
|
|
and causes the compiler to print the generated ruleset to standard
|
|
out.</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.4.20
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">clear
|
|
</emphasis>[-<option>f</option>]</term>
|
|
|
|
<listitem>
|
|
<para>Clear will remove all rules and chains installed by
Shorewall6. The firewall is then wide open and unprotected: all
traffic is accepted until the firewall is started or restarted
again. Existing connections are untouched. Clear is often used to
see if the firewall is causing connection problems.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">close</emphasis> {
|
|
<replaceable>open-number</replaceable> |
|
|
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
|
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
|
] ] }</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.5.8. This command closes a temporary open
|
|
created by the <command>open</command> command. In the first form,
|
|
an <replaceable>open-number</replaceable> specifies the open to be
|
|
closed. Open numbers are displayed in the <emphasis
|
|
role="bold">num</emphasis> column of the output of the
|
|
<command>shorewall6 show opens </command>command.</para>
|
|
|
|
<para>When the second form of the command is used, the parameters
|
|
must match those given in the earlier <command>open</command>
|
|
command.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">compile </emphasis>[-<option>e</option>]
|
|
[-<option>c</option>] [-<option>d</option>] [-<option>p</option>]
|
|
[-<option>T</option>] [-<option>i</option>]
|
|
[<replaceable>directory</replaceable>]
|
|
[<replaceable>pathname</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>Compiles the current configuration into the executable file
|
|
<emphasis>pathname</emphasis>. If a directory is supplied,
|
|
Shorewall6 will look in that directory first for configuration
|
|
files. If the <emphasis>pathname</emphasis> is omitted, the file
|
|
firewall in the VARDIR (normally <filename
class="directory">/var/lib/shorewall6/</filename>) is assumed. A
<emphasis>pathname</emphasis> of '-' causes the compiler to send the
generated script to its standard output file. Note that '-v-1' is
|
|
usually specified in this case (e.g., <command>shorewall6 -v-1
|
|
compile -- -</command>) to suppress the 'Compiling...' message
|
|
normally generated by <filename>/sbin/shorewall6</filename>.</para>
|
|
|
|
<para>When <option>-e</option> is specified, the compilation is
|
|
being performed on a system other than where the compiled script
|
|
will run. This option disables certain configuration options that
|
|
require the script to be compiled where it is to be run. The use of
|
|
<option>-e</option> requires the presence of a configuration file
|
|
named <filename>capabilities</filename> which may be produced using
|
|
the command <command>shorewall6-lite show -f capabilities >
|
|
capabilities</command> on a system with Shorewall6 Lite
|
|
installed.</para>
|
|
|
|
<para>The <option>-c</option> option was added in Shorewall 4.5.17
|
|
and causes conditional compilation of a script. The script specified
|
|
by <replaceable>pathname</replaceable> (or implied if <emphasis
|
|
role="bold">pathname</emphasis> is omitted) is compiled if it
|
|
doesn't exist or if there is any file in the
|
|
<replaceable>directory</replaceable> or in a directory on the
|
|
CONFIG_PATH that has a modification time later than the file to be
|
|
compiled. When no compilation is needed, a message is issued and an
|
|
exit status of zero is returned.</para>
|
|
|
|
<para>The <option>-d</option> option causes the compiler to be run
|
|
under control of the Perl debugger.</para>
|
|
|
|
<para>The <option>-p</option> option causes the compiler to be
|
|
profiled via the Perl <option>-wd:DProf</option> command-line
|
|
option.</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.4.20
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">delete </emphasis>{
|
|
<replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]...
|
|
<replaceable>zone</replaceable> | <replaceable>zone</replaceable>
|
|
<replaceable>host-list</replaceable> }</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.21. The delete command reverses the
|
|
effect of an earlier <emphasis role="bold">add</emphasis>
|
|
command.</para>
|
|
|
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
|
defined in the <ulink
|
|
url="/manpages6/shorewall6-interfaces.html">shorewall6-interfaces</ulink>(5)
|
|
file. A <emphasis>host-list</emphasis> is a comma-separated list whose
|
|
elements are a host or network address.</para>
|
|
|
|
<para>Beginning with Shorewall 4.5.9, the <emphasis
|
|
role="bold">dynamic_shared</emphasis> zone option (<ulink
|
|
url="/manpages6/shorewall6-zones.html">shorewall6-zones</ulink>(5))
|
|
allows a single ipset to handle entries for multiple interfaces.
|
|
When that option is specified for a zone, the
|
|
<command>delete</command> command has the alternative syntax in
|
|
which the <replaceable>zone</replaceable> name precedes the
|
|
<replaceable>host-list</replaceable>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">disable </emphasis><emphasis role="bold">
|
|
</emphasis>{ <replaceable>interface</replaceable> |
|
|
<replaceable>provider</replaceable> }</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.26. Disables the optional provider
|
|
associated with the specified <replaceable>interface</replaceable>
|
|
or <replaceable>provider</replaceable>. Where more than one provider
|
|
share a single network interface, a
|
|
<replaceable>provider</replaceable> name must be given.</para>
|
|
|
|
<para>Beginning with Shorewall 4.5.10, this command may be used with
|
|
any optional network interface. <replaceable>interface</replaceable>
|
|
may be either the logical or physical name of the interface. The
|
|
command removes any routes added from <ulink
|
|
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
|
|
and any traffic shaping configuration for the interface.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">drop
|
|
</emphasis><replaceable>address</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be silently dropped; no log entry is generated. Use
<command>logdrop</command> instead if the dropped traffic should be
logged.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">dump </emphasis>[-<option>x</option>]
|
|
[-<option>l</option>] [-<option>m</option>]
|
|
[-<option>c</option>]</term>
|
|
|
|
<listitem>
|
|
<para>Produces a verbose report about the firewall configuration for
|
|
the purpose of problem analysis.</para>
|
|
|
|
<para>The <option>-x</option> option causes actual packet and byte
|
|
counts to be displayed. Without that option, these counts are
|
|
abbreviated.</para>
|
|
|
|
<para>The <option>-m</option> option causes any MAC addresses
|
|
included in Shorewall6 log messages to be displayed.</para>
|
|
|
|
<para>The <option>-l</option> option causes the rule number for each
|
|
Netfilter rule to be displayed.</para>
|
|
|
|
<para>The <option>-c</option> option causes the route cache to be
|
|
dumped in addition to the other routing information.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">enable </emphasis>{
|
|
<replaceable>interface</replaceable> |
|
|
<replaceable>provider</replaceable> }</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.26. Enables the optional provider
|
|
associated with the specified <replaceable>interface</replaceable>
|
|
or <replaceable>provider</replaceable>. Where more than one provider
|
|
share a single network interface, a
|
|
<replaceable>provider</replaceable> name must be given.</para>
|
|
|
|
<para>Beginning with Shorewall 4.5.10, this command may be used with
|
|
any optional network interface. <replaceable>interface</replaceable>
|
|
may be either the logical or physical name of the interface. The
|
|
command sets <filename>/proc</filename> entries for the interface,
|
|
adds any route specified in <ulink
|
|
url="/manpages6/shorewall6-routes.html">shorewall6-routes</ulink>(5)
|
|
and installs the interface's traffic shaping configuration, if
|
|
any.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">export
|
|
</emphasis>[<replaceable>directory1</replaceable> ]
|
|
[<replaceable>user</replaceable>@]<replaceable>system</replaceable>[:<replaceable>directory2</replaceable>
|
|
]</term>
|
|
|
|
<listitem>
|
|
<para>If <emphasis>directory1</emphasis> is omitted, the current
|
|
working directory is assumed.</para>
|
|
|
|
<para>Allows a non-root user to compile a shorewall6 script and
|
|
stage it on a system (provided that the user has access to the
|
|
system via ssh). The command is equivalent to:</para>
|
|
|
|
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory1</emphasis> <emphasis>directory1</emphasis><emphasis
|
|
role="bold">/firewall &&\</emphasis>
|
|
<emphasis role="bold">scp</emphasis> directory1<emphasis role="bold">/firewall</emphasis> <emphasis>directory1</emphasis><emphasis
|
|
role="bold">/firewall.conf</emphasis> [<emphasis>user</emphasis>@]<emphasis
|
|
role="bold">system</emphasis>:[<emphasis>directory2</emphasis>]</programlisting>
|
|
|
|
<para>In other words, the configuration in the specified (or
|
|
defaulted) directory is compiled to a file called firewall in that
|
|
directory. If compilation succeeds, then firewall and firewall.conf
|
|
are copied to <emphasis>system</emphasis> using scp.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">forget </emphasis>[
|
|
<replaceable>filename</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>Deletes <filename>/var/lib/shorewall6/<replaceable>filename
|
|
</replaceable></filename> and <filename>/var/lib/shorewall6/save
|
|
</filename>. If no <emphasis>filename</emphasis> is given then the
|
|
file specified by RESTOREFILE in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) is
|
|
assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">help</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays a syntax summary.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">iptrace </emphasis><replaceable>ip6tables
|
|
match expression</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>This is a low-level debugging command that causes ip6tables
TRACE log records to be created. See ip6tables(8) for details. Note
that TRACE logs every packet matching the expression and can produce
a large volume of log output; use as narrow a match expression as
possible and cancel the trace with <command>noiptrace</command> when
finished.</para>
|
|
|
|
<para>The <replaceable>ip6tables match expression</replaceable> must
|
|
be one or more matches that may appear in both the raw table OUTPUT
|
|
and raw table PREROUTING chains.</para>
|
|
|
|
<para>The log message destination is determined by the
|
|
currently-selected IPv6 <ulink
|
|
url="/shorewall_logging.html#Backends">logging
|
|
backend</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">list</emphasis></term>
|
|
|
|
<listitem>
|
|
<para><command>list</command> is a synonym for
|
|
<command>show</command> -- please see below.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logdrop
|
|
</emphasis><replaceable>address</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
to be logged then discarded. Logging occurs at the log level
|
|
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
|
(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logwatch </emphasis>[-<option>m</option>]
|
|
[<replaceable>refresh-interval</replaceable>]</term>
|
|
|
|
<listitem>
|
|
<para>Monitors the log file specified by the LOGFILE option in
|
|
<ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5) and
|
|
produces an audible alarm when new Shorewall6 messages are logged.
|
|
The <option>-m</option> option causes the MAC address of each packet
|
|
source to be displayed if that information is available. The
|
|
<replaceable>refresh-interval</replaceable> specifies the time in
|
|
seconds between screen refreshes. You can enter a negative number by
|
|
preceding the number with "--" (e.g., <command>shorewall6 logwatch
|
|
-- -30</command>). In this case, when a packet count changes, you
|
|
will be prompted to hit any key to resume screen refreshes.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logreject</emphasis>
|
|
<replaceable>address</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
to be logged then rejected. Logging occurs at the log level
|
|
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>
|
|
(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ls</emphasis></term>
|
|
|
|
<listitem>
|
|
<para><command>ls</command> is a synonym for <command>show</command>
|
|
-- please see below.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">noiptrace
|
|
</emphasis><replaceable>ip6tables match
|
|
expression</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>This is a low-level debugging command that cancels a trace
|
|
started by a preceding <command>iptrace</command> command.</para>
|
|
|
|
<para>The <replaceable>ip6tables match expression</replaceable> must
|
|
be one given in the <command>iptrace</command> command being
|
|
canceled.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">open</emphasis>
|
|
<replaceable>source</replaceable> <replaceable>dest</replaceable> [
|
|
<replaceable>protocol</replaceable> [ <replaceable>port</replaceable>
|
|
] ]</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.6.8. This command requires that the
|
|
firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in
|
|
<ulink url="/manpages6/shorewall6.conf.html">shorewall6.conf
|
|
(5)</ulink>. The effect of the command is to temporarily open the
|
|
firewall for connections matching the parameters.</para>
|
|
|
|
<para>The <replaceable>source</replaceable> and
<replaceable>dest</replaceable> parameters may each be specified as
<emphasis role="bold">all</emphasis> if you don't wish to restrict
the connection source or destination respectively. Otherwise, each
must contain a host or network address or a valid DNS name. A DNS
name is resolved when the command is executed; the resulting rule
matches the address(es) returned at that time, not later changes to
the name. Note that specifying <emphasis role="bold">all</emphasis>
for both parameters without a <replaceable>protocol</replaceable>
opens the firewall to all new connections, so give the narrowest
parameters that serve the purpose.</para>
|
|
|
|
<para>The <replaceable>protocol</replaceable> may be specified
|
|
either as a number or as a name listed in /etc/protocols. The
|
|
<replaceable>port</replaceable> may be specified numerically or as a
|
|
name listed in /etc/services.</para>
|
|
|
|
<para>To reverse the effect of a successful <command>open</command>
|
|
command, use the <command>close</command> command with the same
|
|
parameters or simply restart the firewall.</para>
|
|
|
|
<para>Example: To open the firewall for SSH connections to address
|
|
2001:470:b:227::1, the command would be:</para>
|
|
|
|
<programlisting> shorewall6 open all 2001:470:b:227::1 tcp 22</programlisting>
|
|
|
|
<para>To reverse that command, use:</para>
|
|
|
|
<programlisting> shorewall6 close all 2001:470:b:227::1 tcp 22</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">reenable </emphasis>{
|
|
<replaceable>interface</replaceable> |
|
|
<replaceable>provider</replaceable> }</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.6.9. This is equivalent to a
|
|
<command>disable</command> command followed by an
|
|
<command>enable</command> command on the specified
|
|
<replaceable>interface</replaceable> or
|
|
<replaceable>provider</replaceable>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">refresh </emphasis>[-<option>n</option>]
|
|
[-<option>d</option>] [-<option>T</option>] [-i]
|
|
[-<option>D</option><replaceable>directory</replaceable> ] [
|
|
<replaceable>chain</replaceable>... ]</term>
|
|
|
|
<listitem>
|
|
<para>All steps performed by <command>restart</command> are
|
|
performed by <command>refresh</command> with the exception that
|
|
<command>refresh</command> only recreates the chains specified in
|
|
the command while <command>restart</command> recreates the entire
|
|
Netfilter ruleset. When no chain name is given to the
|
|
<command>refresh</command> command, the mangle table is refreshed
|
|
along with the blacklist chain (if any). This allows you to modify
|
|
<filename>/etc/shorewall6/tcrules</filename> and install the changes
|
|
using <command>refresh</command>.</para>
|
|
|
|
<para>The listed chains are assumed to be in the filter table. You
|
|
can refresh chains in other tables by prefixing the chain name with
|
|
the table name followed by ":" (e.g., nat:net_dnat). Chain names
|
|
which follow are assumed to be in that table until the end of the
|
|
list or until an entry in the list names another table. Built-in
|
|
chains such as FORWARD may not be refreshed.</para>
|
|
|
|
<para>The <option>-n</option> option was added in Shorewall 4.5.3
and causes Shorewall to avoid updating the routing table(s).</para>
|
|
|
|
<para>The <option>-d</option> option was added in Shorewall 4.5.3
and causes the compiler to run under the Perl debugger.</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
|
|
<para>The -<option>D</option> option was added in Shorewall 4.5.3
|
|
and causes Shorewall to look in the given
|
|
<emphasis>directory</emphasis> first for configuration files.</para>
|
|
|
|
<example>
|
|
<title>Refresh the 'net-fw' chain in the filter table and the
|
|
'net_dnat' chain in the nat table</title>
|
|
|
|
<programlisting><command>shorewall6 refresh net-fw nat:net_dnat
|
|
</command></programlisting>
|
|
</example>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">reject</emphasis><replaceable>
|
|
address</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be silently rejected; no log entry is generated. Use
<command>logreject</command> instead if the rejected traffic should
be logged.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">reload </emphasis>[-<option>n</option>]
|
|
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
|
|
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
|
|
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>This command was re-implemented in Shorewall 5.0.0. The
|
|
pre-5.0.0 <command>reload</command> command is now called
|
|
<command>remote-restart</command> (see below).</para>
|
|
|
|
<para>Reload is similar to <command>shorewall6 start</command>
|
|
except that it assumes that the firewall is already started.
|
|
Existing connections are maintained. If a
|
|
<emphasis>directory</emphasis> is included in the command,
|
|
Shorewall6 will look in that <emphasis>directory</emphasis> first
|
|
for configuration files.</para>
|
|
|
|
<para>The <option>-n</option> option causes Shorewall6 to avoid
|
|
updating the routing table(s).</para>
|
|
|
|
<para>The <option>-p</option> option causes the connection tracking
|
|
table to be flushed; the <command>conntrack</command> utility must
|
|
be installed to use this option.</para>
|
|
|
|
<para>The <option>-d</option> option causes the compiler to run
|
|
under the Perl debugger.</para>
|
|
|
|
<para>The <option>-f</option> option suppresses the compilation step
and simply reuses the compiled script which last started/restarted
Shorewall6, provided that <filename class="directory">/etc/shorewall6
</filename> and its contents have not been modified since the last
start/restart (this check is based on file modification
times).</para>
|
|
|
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
|
and performs the compilation step unconditionally, overriding the
|
|
AUTOMAKE setting in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
|
When both <option>-f</option> and <option>-c</option> are present,
|
|
the result is determined by the option that appears last.</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
|
|
<para>The <option>-C</option> option was added in Shorewall 4.6.5
|
|
and is only meaningful when AUTOMAKE=Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
|
an existing firewall script is used and if that script was the one
|
|
that generated the current running configuration, then the running
|
|
netfilter configuration will be reloaded as is so as to preserve the
|
|
iptables packet and byte counters.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">remote-reload
|
|
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
|
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
|
[-<option>T</option>] [-<option>i</option>] [ [ -D ]
|
|
<replaceable>directory</replaceable> ] [
|
|
<replaceable>system</replaceable> ]</term>
|
|
|
|
<term/>
|
|
|
|
<listitem>
|
|
<para>This command was added in Shorewall 5.0.0.</para>
|
|
|
|
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall6 script and install it on a system (provided that the user
has root access to the system via ssh). Because the copied script is
executed as root on <replaceable>system</replaceable>, make sure that
ssh host-key verification is in effect and that only trusted users
can modify the contents of <emphasis>directory</emphasis>. The
command is equivalent to:</para>
|
|
|
|
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall &&\</emphasis>
|
|
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
|
|
role="bold">:/var/lib/shorewall6-lite/ &&\</emphasis>
|
|
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
|
|
role="bold">'/sbin/shorewall6-lite reload'</emphasis></programlisting>
|
|
|
|
<para>In other words, the configuration in the specified (or
|
|
defaulted) directory is compiled to a file called firewall in that
|
|
directory. If compilation succeeds, then firewall is copied to
<emphasis>system</emphasis> using scp. If the copy succeeds,
Shorewall6 Lite on <emphasis>system</emphasis> is reloaded via ssh.
|
|
Beginning with Shorewall 5.0.13, if
|
|
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
|
option setting in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
|
that case, if you want to specify a
|
|
<replaceable>directory</replaceable>, then the <option>-D</option>
|
|
option must be given.</para>
|
|
|
|
<para>If <option>-s</option> is specified and the
|
|
<command>reload</command> command succeeds, then the remote
|
|
Shorewall6-lite configuration is saved by executing
|
|
<command>shorewall6-lite save</command> via ssh.</para>
|
|
|
|
<para>If <option>-c</option> is included, the command
|
|
<command>shorewall6-lite show capabilities -f >
|
|
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
|
|
then the generated file is copied to <emphasis>directory</emphasis>
|
|
using scp. This step is performed before the configuration is
|
|
compiled.</para>
|
|
|
|
<para>If <option>-r</option> is included, it specifies that the root
|
|
user on <replaceable>system</replaceable> is named
|
|
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">remote-restart
|
|
</emphasis>[-<option>s</option>] [-<option>c</option>]
|
|
[-<option>r</option> <replaceable>root-user-name</replaceable>]
|
|
[-<option>T</option>] [-<option>i</option>] [ [ -D ]
|
|
<replaceable>directory</replaceable> ] [
|
|
<replaceable>system</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>This command was renamed from <command>reload</command> in
|
|
Shorewall 5.0.0.</para>
|
|
|
|
<para>If <emphasis>directory</emphasis> is omitted, the current
|
|
working directory is assumed. Allows a non-root user to compile a
|
|
shorewall6 script and install it on a system (provided that the user
|
|
has root access to the system via ssh). The command is equivalent
|
|
to:</para>
|
|
|
|
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall &&\</emphasis>
|
|
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
|
|
role="bold">:/var/lib/shorewall6-lite/ &&\</emphasis>
|
|
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
|
|
role="bold">'/sbin/shorewall6-lite restart'</emphasis></programlisting>
|
|
|
|
<para>In other words, the configuration in the specified (or
|
|
defaulted) directory is compiled to a file called firewall in that
|
|
directory. If compilation succeeds, then firewall is copied to
|
|
<emphasis>system</emphasis> using scp. If the copy succeeds,
|
|
Shorewall6 Lite on <emphasis>system</emphasis> is restarted via
|
|
ssh.</para>
|
|
|
|
<para>Beginning with Shorewall 5.0.13, if
|
|
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
|
option setting in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
|
that case, if you want to specify a
|
|
<replaceable>directory</replaceable>, then the <option>-D</option>
|
|
option must be given.</para>
|
|
|
|
<para>If <option>-s</option> is specified and the
|
|
<command>restart</command> command succeeds, then the remote
|
|
Shorewall6-lite configuration is saved by executing
|
|
<command>shorewall6-lite save</command> via ssh.</para>
|
|
|
|
<para>If <option>-c</option> is included, the command
|
|
<command>shorewall6-lite show capabilities -f >
|
|
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
|
|
then the generated file is copied to <emphasis>directory</emphasis>
|
|
using scp. This step is performed before the configuration is
|
|
compiled.</para>
|
|
|
|
<para>If <option>-r</option> is included, it specifies that the root
|
|
user on <replaceable>system</replaceable> is named
|
|
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">remote-start </emphasis>
|
|
[-<option>s</option>] [-<option>c</option>] [-<option>r</option>
|
|
<replaceable>root-user-name</replaceable>] [-<option>T</option>]
|
|
[-<option>i</option>] [ [-D ] <replaceable>directory</replaceable> ] [
|
|
<replaceable>system</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>This command was added in Shorewall 5.0.0.</para>
|
|
|
|
<para>If <emphasis>directory</emphasis> is omitted, the current
|
|
working directory is assumed. Allows a non-root user to compile a
|
|
shorewall6 script and install it on a system (provided that the user
|
|
has root access to the system via ssh). The command is equivalent
|
|
to:</para>
|
|
|
|
<programlisting> <emphasis role="bold">/sbin/shorewall6 compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
|
|
role="bold">/firewall &&\</emphasis>
|
|
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
|
|
role="bold">:/var/lib/shorewall6-lite/ &&\</emphasis>
|
|
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
|
|
role="bold">'/sbin/shorewall6-lite start'</emphasis></programlisting>
|
|
|
|
<para>In other words, the configuration in the specified (or
|
|
defaulted) directory is compiled to a file called firewall in that
|
|
directory. If compilation succeeds, then firewall is copied to
|
|
<replaceable>system</replaceable> using scp. If the copy succeeds,
|
|
Shorewall6 Lite on <replaceable>system</replaceable> is started via
|
|
ssh. Beginning with Shorewall 5.0.13, if
|
|
<replaceable>system</replaceable> is omitted, then the FIREWALL
|
|
option setting in <ulink
|
|
url="shorewall6.conf.html">shorewall6.conf(5)</ulink> is assumed. In
|
|
that case, if you want to specify a
|
|
<replaceable>directory</replaceable>, then the <option>-D</option>
|
|
option must be given.</para>
|
|
|
|
<para>If <option>-s</option> is specified and the <emphasis
|
|
role="bold">start</emphasis> command succeeds, then the remote
|
|
Shorewall6-lite configuration is saved by executing
|
|
<command>shorewall6-lite save</command> via ssh.</para>
|
|
|
|
<para>If <option>-c</option> is included, the command
|
|
<command>shorewall6-lite show capabilities -f >
|
|
/var/lib/shorewall6-lite/capabilities</command> is executed via ssh
|
|
then the generated file is copied to
|
|
<replaceable>directory</replaceable> using scp. This step is
|
|
performed before the configuration is compiled.</para>
|
|
|
|
<para>If <option>-r</option> is included, it specifies that the root
|
|
user on <replaceable>system</replaceable> is named
|
|
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">reset [<replaceable>chain</replaceable>,
|
|
...]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Resets the packet and byte counters in the specified
|
|
<replaceable>chain</replaceable>(s). If no
|
|
<replaceable>chain</replaceable> is specified, all the packet and
|
|
byte counters in the firewall are reset.</para>
|
|
|
|
<para>Beginning with Shorewall 5.0.0,
|
|
<replaceable>chain</replaceable> may be composed of both a table
|
|
name and a chain name separated by a colon (e.g.,
|
|
mangle:PREROUTING). Chain names following that don't include a table
|
|
name are assumed to be in that same table. If no table name is given
|
|
in the command, the filter table is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">restart </emphasis>[-<option>n</option>]
|
|
[-<option>p</option>] [-<option>d</option>] [-<option>f</option>]
|
|
[-<option>c</option>] [-<option>T</option>] [-<option>i</option>]
|
|
[-<option>C</option>] [ <replaceable>directory</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>Beginning with Shorewall 5.0.0, this command performs a true
|
|
restart. The firewall is completely stopped as if a
|
|
<command>stop</command> command had been issued then it is started
|
|
again.</para>
|
|
|
|
<para>If a <emphasis>directory</emphasis> is included in the
|
|
command, Shorewall6 will look in that <emphasis>directory</emphasis>
|
|
first for configuration files.</para>
|
|
|
|
<para>The <option>-n</option> option causes Shorewall6 to avoid
|
|
updating the routing table(s).</para>
|
|
|
|
<para>The <option>-p</option> option causes the connection tracking
|
|
table to be flushed; the <command>conntrack</command> utility must
|
|
be installed to use this option.</para>
|
|
|
|
<para>The <option>-d</option> option causes the compiler to run
|
|
under the Perl debugger.</para>
|
|
|
|
<para>The <option>-f</option> option suppresses the compilation step
|
|
and simply reuses the compiled script that last started/restarted
|
|
Shorewall, provided that <filename class="directory">/etc/shorewall6
|
|
</filename> and its contents have not been modified since the last
|
|
start/restart.</para>
|
|
|
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
|
and performs the compilation step unconditionally, overriding the
|
|
AUTOMAKE setting in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
|
When both <option>-f</option> and <option>-c</option> are present,
|
|
the result is determined by the option that appears last.</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
|
|
<para>The <option>-C</option> option was added in Shorewall 4.6.5
|
|
and is only meaningful when AUTOMAKE=Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5). If
|
|
an existing firewall script is used and if that script was the one
|
|
that generated the current running configuration, then the running
|
|
netfilter configuration will be reloaded as is so as to preserve the
|
|
iptables packet and byte counters.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">restore </emphasis>[-<option>n</option>]
|
|
[-<option>p</option>] [-<option>C</option>] [
|
|
<replaceable>filename</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>Restore Shorewall6 to a state saved using the
|
|
<command>shorewall6 save</command> command. Existing connections are
|
|
maintained. The <emphasis>filename</emphasis> names a restore file
|
|
in <filename class="directory">/var/lib/shorewall6</filename>
|
|
created using <command>shorewall6 save</command>; if no
|
|
<emphasis>filename</emphasis> is given then Shorewall6 will be
|
|
restored from the file specified by the RESTOREFILE option in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
|
|
<caution>
|
|
<para>If your ip6tables ruleset depends on variables that are
|
|
detected at run-time, either in your params file or by
|
|
Shorewall-generated code, <command>restore</command> will use the
|
|
values that were current when the ruleset was saved, which may be
|
|
different from the current values.</para>
|
|
</caution>
|
|
|
|
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
|
|
If the <option>-C</option> option was specified during
|
|
<command>shorewall6 save</command>, then the counters saved by that
|
|
operation will be restored.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">run</emphasis><emphasis role="bold">
|
|
</emphasis><replaceable>command</replaceable> [
|
|
<replaceable>parameter</replaceable> ... ]</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.6.3. Executes
|
|
<replaceable>command</replaceable> in the context of the generated
|
|
script passing the supplied <replaceable>parameter</replaceable>s.
|
|
Normally, the <replaceable>command</replaceable> will be a function
|
|
declared in <filename>lib.private</filename>.</para>
|
|
|
|
<para>Before executing the <replaceable>command</replaceable>, the
|
|
script will detect the configuration, setting all SW_* variables and
|
|
will run your <filename>init</filename> extension script with
|
|
$COMMAND = 'run'.</para>
|
|
|
|
<para>If there are files in the CONFIG_PATH that were modified after
|
|
the current firewall script was generated, the following warning
|
|
message is issued before the script's run command is executed:
|
|
<screen>WARNING: /var/lib/shorewall6/firewall is not up to
|
|
date</screen></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">safe-restart
|
|
</emphasis>[-<option>d</option>] [-<option>p</option>]
|
|
[-<option>t</option><replaceable>timeout</replaceable> ] [
|
|
<replaceable>directory</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>Only allowed if Shorewall6 is running. The current
|
|
configuration is saved in <filename>/var/lib/shorewall6/safe-restart
|
|
</filename> (see the <emphasis role="bold">save</emphasis> command
|
|
below) then a <command>shorewall6 restart</command> is done. You
|
|
will then be prompted asking if you want to accept the new
|
|
configuration or not. If you answer "n" or if you fail to answer
|
|
within 60 seconds (such as when your new configuration has disabled
|
|
communication with your terminal), the configuration is restored
|
|
from the saved configuration. If a directory is given, then
|
|
Shorewall6 will look in that directory first when opening
|
|
configuration files.</para>
|
|
|
|
<para>Beginning with Shorewall 4.5.0, you may specify a different
|
|
<replaceable>timeout</replaceable> value using the
|
|
<option>-t</option> option. The numeric
|
|
<replaceable>timeout</replaceable> may optionally be followed by an
|
|
<option>s</option>, <option>m</option> or <option>h</option> suffix
|
|
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
|
|
suffix is omitted, seconds is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">safe-start
|
|
</emphasis>[-<option>d</option>] [-<option>p</option>]
|
|
[-<option>t</option><replaceable>timeout</replaceable> ] [
|
|
<replaceable>directory</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>Shorewall6 is started normally. You will then be prompted
|
|
asking if everything went all right. If you answer "n" or if you
|
|
fail to answer within 60 seconds (such as when your new
|
|
configuration has disabled communication with your terminal), a
|
|
shorewall6 clear is performed for you. If a directory is given, then
|
|
Shorewall6 will look in that directory first when opening
|
|
configuration files.</para>
|
|
|
|
<para>Beginning with Shorewall 4.5.0, you may specify a different
|
|
<replaceable>timeout</replaceable> value using the
|
|
<option>-t</option> option. The numeric
|
|
<replaceable>timeout</replaceable> may optionally be followed by an
|
|
<option>s</option>, <option>m</option> or <option>h</option> suffix
|
|
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
|
|
suffix is omitted, seconds is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">save </emphasis>[-<option>C</option>] [
|
|
<replaceable>filename</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>The dynamic blacklist is stored in <filename>
|
|
/var/lib/shorewall6/save</filename>. The state of the firewall is
|
|
stored in <filename>
|
|
/var/lib/shorewall6/<replaceable>filename</replaceable></filename>
|
|
for use by the <command>shorewall6 restore</command> and <command>
|
|
shorewall6 -f start</command> commands. If <emphasis>filename
|
|
</emphasis> is not given then the state is saved in the file
|
|
specified by the RESTOREFILE option in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
|
|
<para>The <option>-C</option> option, added in Shorewall 4.6.5,
|
|
causes the ip6tables packet and byte counters to be saved along with
|
|
the chains and rules.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">savesets</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.6.8. Performs the same action as the
|
|
<command>stop</command> command with respect to saving ipsets (see
|
|
the SAVE_IPSETS option in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)).
|
|
This command may be used to proactively save your ipset contents in
|
|
the event that a system failure occurs prior to issuing a
|
|
<command>stop</command> command.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">show</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The show command can have a number of different
|
|
arguments:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">actions</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Produces a report about the available actions (built-in,
|
|
standard and user-defined).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[-<option>x</option>] <emphasis role="bold">bl|blacklists
|
|
</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
|
|
along with any chains produced by entries in
|
|
shorewall-blrules(5). The <option>-x</option> option is passed
|
|
directly through to ip6tables and causes actual packet and
|
|
byte counts to be displayed. Without this option, those counts
|
|
are abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[-<option>f</option>] <emphasis
|
|
role="bold">capabilities</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays your kernel/ip6tables capabilities. The
|
|
<option>-f</option> option causes the display to be formatted
|
|
as a capabilities file for use with <command>shorewall6
|
|
compile -e</command>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[-<option>b</option>] [-<option>x</option>]
|
|
[-<option>l</option>] [-<option>t</option>
|
|
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw</option>|<option>rawpost</option>}] [
|
|
<emphasis>chain</emphasis>... ]</term>
|
|
|
|
<listitem>
|
|
<para>The rules in each <emphasis>chain</emphasis> are
|
|
displayed using the <command>ip6tables -L</command>
|
|
<emphasis>chain</emphasis> <emphasis role="bold">-n
|
|
-v</emphasis> command. If no <emphasis>chain</emphasis> is
|
|
given, all of the chains in the filter table are displayed.
|
|
The <option>-x</option> option is passed directly through to
|
|
ip6tables and causes actual packet and byte counts to be
|
|
displayed. Without this option, those counts are abbreviated.
|
|
The <option>-t</option> option specifies the Netfilter table
|
|
to display. The default is <emphasis
|
|
role="bold">filter</emphasis>.</para>
|
|
|
|
<para>The <option>-b</option> ('brief') option causes rules
|
|
which have not been used (i.e. which have zero packet and byte
|
|
counts) to be omitted from the output. Chains with no rules
|
|
displayed are also omitted from the output.</para>
|
|
|
|
<para>The <option>-l</option> option causes the rule number
|
|
for each Netfilter rule to be displayed.</para>
|
|
|
|
<para>If the <option>-t</option> option and the
|
|
<option>chain</option> keyword are both omitted and any of the
|
|
listed <replaceable>chain</replaceable>s do not exist, a usage
|
|
message is displayed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis
|
|
role="bold">classifiers|filters</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about the packet classifiers
|
|
defined on the system as a result of traffic shaping
|
|
configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">config</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays distribution-specific defaults.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">connections
|
|
[<replaceable>filter_parameter</replaceable>
|
|
...]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the IP connections currently being tracked by
|
|
the firewall.</para>
|
|
|
|
<para>If the <command>conntrack</command> utility is
|
|
installed, beginning with Shorewall 4.6.11 the set of
|
|
connections displayed can be limited by including conntrack
|
|
filter parameters (-p , -s, --dport, etc). See conntrack(8)
|
|
for details.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">event</emphasis><replaceable>
|
|
event</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.5.19. Displays the named
|
|
event.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">events</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.5.19. Displays all events.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ip</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the system's IPv6 configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[-<option>m</option>] <emphasis
|
|
role="bold">log</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the last 20 Shorewall6 messages from the log
|
|
file specified by the LOGFILE option in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
|
The <option>-m</option> option causes the MAC address of each
|
|
packet source to be displayed if that information is
|
|
available.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">macros</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about each macro defined on the
|
|
firewall system.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">macro
|
|
</emphasis><replaceable>macro</replaceable></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.6. Displays the file that
|
|
implements the specified <replaceable>macro</replaceable>
|
|
(usually
|
|
<filename>/usr/share/shorewall6/macro</filename>.<replaceable>macro</replaceable>).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[-<option>x</option>] <emphasis
|
|
role="bold">mangle</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the Netfilter mangle table using the command
|
|
<command>ip6tables -t mangle -L -n -v</command>. The
|
|
<option>-x</option> option is passed directly through to
|
|
ip6tables and causes actual packet and byte counts to be
|
|
displayed. Without this option, those counts are
|
|
abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">marks</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.26. Displays the various fields
|
|
in packet marks giving the min and max value (in both decimal
|
|
and hex) and the applicable mask (in hex).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[-<option>x</option>] <emphasis
|
|
role="bold">nat</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the Netfilter nat table using the command
|
|
<emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>.
|
|
The <emphasis role="bold">-x</emphasis> option is passed
|
|
directly through to ip6tables and causes actual packet and
|
|
byte counts to be displayed. Without this option, those counts
|
|
are abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">opens</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.5.8. Displays the iptables rules in
|
|
the 'dynamic' chain created through use of the
<command>open</command> command.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">policies</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.4. Displays the applicable policy
|
|
between each pair of zones. Note that implicit intrazone
|
|
ACCEPT policies are not displayed for zones associated with a
|
|
single network where that network doesn't specify
|
|
<option>routeback</option>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[-<option>x</option>] <emphasis
|
|
role="bold">raw</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the Netfilter raw table using the command
|
|
<emphasis role="bold">ip6tables -t raw -L -n -v</emphasis>.
|
|
The <emphasis role="bold">-x</emphasis> option is passed
|
|
directly through to ip6tables and causes actual packet and
|
|
byte counts to be displayed. Without this option, those counts
|
|
are abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[-<option>c</option>] <emphasis
role="bold">routing</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the system's IPv6 routing configuration. The -c
|
|
option causes the route cache to be displayed in addition to
|
|
the other routing information.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">tc</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about queuing disciplines, classes
|
|
and filters.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">zones</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the current composition of the Shorewall6 zones
|
|
on the system.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">start </emphasis><emphasis role="bold">
|
|
</emphasis>[-<option>n</option>] [-<option>p</option>]
|
|
[-<option>d</option>] [-<option>f</option>] [-<option>c</option>]
|
|
[-<option>T</option>] [-<option>i</option>] [-<option>C</option>] [
|
|
<replaceable>directory</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>Start shorewall6. Existing connections through shorewall6
|
|
managed interfaces are untouched. New connections will be allowed
|
|
only if they are allowed by the firewall rules or policies. If a
|
|
<replaceable>directory</replaceable> is included in the command,
|
|
Shorewall6 will look in that <emphasis>directory</emphasis> first
|
|
for configuration files. If <option>-f</option> is specified, the
|
|
saved configuration specified by the RESTOREFILE option in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5)
|
|
will be restored if that saved configuration exists and has been
|
|
modified more recently than the files in <filename
|
|
class="directory">/etc/shorewall6</filename>. When <option>-f
|
|
</option> is given, a <replaceable>directory</replaceable> may not
|
|
be specified.</para>
|
|
|
|
<para>Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option
|
|
was added to <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
|
When LEGACY_FASTSTART=No, the modification times of files in
|
|
<filename class="directory">/etc/shorewall6</filename> are compared
|
|
with that of <filename>/var/lib/shorewall6/firewall </filename> (the
|
|
compiled script that last started/restarted the firewall).</para>
|
|
|
|
<para>The <option>-n</option> option causes Shorewall6 to avoid
|
|
updating the routing table(s).</para>
|
|
|
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
|
and performs the compilation step unconditionally, overriding the
|
|
AUTOMAKE setting in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).
|
|
When both <option>-f</option> and <option>-c</option> are present,
|
|
the result is determined by the option that appears last.</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.5.3
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
|
|
and causes a warning message to be issued if the current line
|
|
contains alternative input specifications following a semicolon
|
|
(";"). Such lines will be handled incorrectly if INLINE_MATCHES is
|
|
set to Yes in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5).</para>
|
|
|
|
<para>The <option>-C</option> option was added in Shorewall 4.6.5
|
|
and is only meaningful when the <option>-f</option> option is also
|
|
specified. If the previously-saved configuration is restored, and if
|
|
the <option>-C</option> option was also specified in the
|
|
<command>save</command> command, then the packet and byte counters
|
|
will be restored along with the chains and rules.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">stop
|
|
</emphasis>[-<option>f</option>]</term>
|
|
|
|
<listitem>
|
|
<para>Stops the firewall. All existing connections, except those
|
|
listed in <ulink
|
|
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
|
or permitted by the ADMINISABSENTMINDED option in <ulink
|
|
url="/manpages6/shorewall6.conf.html">shorewall6.conf</ulink>(5),
|
|
are taken down. The only new traffic permitted through the firewall
|
|
is from systems listed in <ulink
|
|
url="/manpages6/shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
|
or by ADMINISABSENTMINDED.</para>
|
|
|
|
<para>If <option>-f</option> is given, the command will be processed
|
|
by the compiled script that executed the last successful <emphasis
|
|
role="bold">start</emphasis>, <emphasis
|
|
role="bold">restart</emphasis> or <emphasis
|
|
role="bold">refresh</emphasis> command if that script exists.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">status</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Produces a short report about the state of the
|
|
Shorewall6-configured firewall.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.2
|
|
and causes the status of each optional or provider interface to be
|
|
displayed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">try
|
|
</emphasis><replaceable>directory</replaceable> [
|
|
<replaceable>timeout</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>If Shorewall6 is started then the firewall state is saved to a
|
|
temporary saved configuration
|
|
(<filename>/var/lib/shorewall6/.try</filename>). Next, if Shorewall6
|
|
is currently started then a <emphasis role="bold">restart</emphasis>
|
|
command is issued using the specified configuration
|
|
<replaceable>directory</replaceable>; otherwise, a <emphasis
|
|
role="bold">start</emphasis> command is performed using the
|
|
specified configuration <replaceable>directory</replaceable>. If an
|
|
error occurs during the compilation phase of the <emphasis
|
|
role="bold">restart</emphasis> or <emphasis role="bold">start
|
|
</emphasis>, the command terminates without changing the Shorewall6
|
|
state. If an error occurs during the <emphasis role="bold">restart
|
|
</emphasis> phase, then a <command>shorewall6 restore</command> is
|
|
performed using the saved configuration. If an error occurs during
|
|
the <emphasis role="bold">start</emphasis> phase, then Shorewall6 is
|
|
cleared. If the <emphasis role="bold">start</emphasis>/<emphasis
|
|
role="bold">restart</emphasis> succeeds and a
|
|
<replaceable>timeout</replaceable> is specified then a <emphasis
|
|
role="bold">clear</emphasis> or <emphasis role="bold">restore
|
|
</emphasis> is performed after <replaceable>timeout</replaceable>
|
|
seconds.</para>
|
|
|
|
<para>Beginning with Shorewall 4.5.0, the numeric
|
|
<replaceable>timeout</replaceable> may optionally be followed by an
|
|
<option>s</option>, <option>m</option> or <option>h</option> suffix
|
|
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
|
|
suffix is omitted, seconds is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">update</emphasis> [-<option>d</option>]
|
|
[-<option>r</option>] [-<option>T</option>] [-<option>a</option>]
|
|
[-<option>i</option>] [-<option>A</option>] [
|
|
<replaceable>directory</replaceable> ]</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.21 and causes the compiler to update
|
|
<filename>/etc/shorewall/shorewall.conf</filename> then validate the
configuration. The update will add options not present in
|
|
the old file with their default values, and will move deprecated
|
|
options with non-defaults to a deprecated options section at the
|
|
bottom of the file. Your existing
|
|
<filename>shorewall.conf</filename> file is renamed
|
|
<filename>shorewall.conf.bak</filename>.</para>
|
|
|
|
<para>The command was extended over the years with a set
of options that caused additional configuration
updates.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Convert an existing <filename>blacklist</filename> file
|
|
into an equivalent <filename>blrules</filename> file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Convert an existing <filename>routestopped</filename> file
|
|
into an equivalent <filename>stoppedrules</filename>
|
|
file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Convert existing <filename>tcrules</filename> and
|
|
<filename>tos</filename> files into an equivalent mangle
|
|
file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Convert an existing <filename>notrack</filename> file into
|
|
an equivalent <filename>conntrack</filename> file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
|
|
?SECTION and ?COMMENT directives.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>In each case, the old file is renamed with a
<filename>.bak</filename> suffix. Review the converted files before
starting the firewall with them: as noted under the restrictions below,
comments (and, in some cases, omitted lines and compiler directives)
are not carried over from the original file.</para>
|
|
|
|
<para>Beginning with Shorewall 5.0.0, those options were eliminated and
the <command>update</command> command performs all of the updates
described above.</para>
|
|
|
|
<important>
|
|
<para>There are some notable restrictions with the
|
|
<command>update</command> command:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Converted rules are appended to the existing target file. If no
such file exists in the CONFIG_PATH, one is created in the directory
given on the command line or, if none was given, in the first entry of
the CONFIG_PATH (normally <filename
class="directory">/etc/shorewall6</filename>).</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Existing comments in the file being converted will not
|
|
be transferred to the output file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>With the exception of the
|
|
<filename>notrack</filename>-><filename>conntrack</filename>
|
|
conversion, INCLUDEd files will be expanded inline in the
|
|
output file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Columns in the output file will be separated by a single
|
|
tab character; there is no attempt made to otherwise align the
|
|
columns.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Prior to Shorewall 5.0.15, shell variables were expanded in the
output file.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Prior to Shorewall 5.0.15, lines omitted by compiler directives
(?if ..., etc.) did not appear in the output file.</para>
|
|
|
|
<important>
|
|
<para>Because the translation of the <filename>blacklist</filename>
and <filename>routestopped</filename> files is not 1:1, omitted lines
and compiler directives are not transferred to the converted files. If
either is present, the compiler issues the warning:</para>

<programlisting> WARNING: Omitted rules and compiler directives were not translated</programlisting>
|
|
</important>
|
|
</listitem>
|
|
</orderedlist>
|
|
</important>
|
|
|
|
<para>The <option>-a</option> option causes the updated
<filename>shorewall6.conf</filename> file to be annotated with
documentation.</para>
|
|
|
|
<para>The <option>-i</option> option was added in Shorewall 4.6.0
and causes a warning message to be issued for any line in a file being
converted that contains alternative input specifications following a
semicolon (";"). Such lines will be handled incorrectly if
INLINE_MATCHES is set to Yes in <ulink
url="/manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
|
|
<para>The <option>-A</option> option is included for compatibility
|
|
with Shorewall 4.6 and is equivalent to specifying the
|
|
<option>-i</option> option.</para>
|
|
|
|
<para>For a description of the other options, see the <emphasis
|
|
role="bold">check</emphasis> command above.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">version
|
|
[-<option>a</option>]</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays Shorewall6's version. If the <option>-a</option>
|
|
option is included, the version of Shorewall will also be
|
|
displayed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>EXIT STATUS</title>
|
|
|
|
<para>In general, when a command succeeds, status 0 is returned; when the
|
|
command fails, a non-zero status is returned.</para>
|
|
|
|
<para>The <command>status</command> command returns exit status as
|
|
follows:</para>
|
|
|
|
<para>0 - Firewall is started.</para>
|
|
|
|
<para>3 - Firewall is stopped or cleared.</para>
|
|
|
|
<para>4 - Unknown state; usually means that the firewall has never been
|
|
started.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>ENVIRONMENT</title>
|
|
|
|
<para>Two environment variables are recognized by Shorewall6:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>SHOREWALL_INIT_SCRIPT</term>
|
|
|
|
<listitem>
|
|
<para>When set to 1, causes standard output to be redirected to the
file specified by the STARTUP_LOG option in <ulink
url="shorewall6.conf.html">shorewall6.conf(5)</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>SW_LOGGERTAG</term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 5.0.8. When set to a non-empty value, that
value is passed to the <command>logger</command> utility in its
<option>-t</option> (<option>--tag</option>) option, so it appears as
the tag on the syslog records that Shorewall6 writes through
<command>logger</command>. Use a short, fixed identifier without
whitespace or colons; other values can make the resulting syslog lines
ambiguous for log-parsing and alerting tools.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>SEE ALSO</title>
|
|
|
|
<para><ulink
|
|
url="/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
|
|
|
<para>shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-netmap(5), shorewall6-params(5),
shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|