shorewall_code/Shorewall6-lite/manpages/shorewall6-lite.xml
Tom Eastep f9932d2b08 Correct typos in the -lite manpages
- Remove redundant 'a specify'.
- Change reference to /etc/shorewall[6]/started.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2014-11-11 07:48:57 -08:00

1248 lines
43 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall6-lite</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>Administrative Commands</refmiscinfo>
</refmeta>
<refnamediv>
<refname>shorewall6-lite</refname>
<refpurpose>Administration tool for Shoreline 6 Firewall Lite (Shorewall6
Lite)</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>add</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>allow</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>delete</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>disable</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>drop</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>dump</option></arg>
<arg><option>-x</option></arg>
<arg><option>-l</option></arg>
<arg><option>-m</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>enable</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>forget</option></arg>
<arg><replaceable>filename</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>help</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>ipcalc</option></arg>
<group choice="req">
<arg choice="plain"><replaceable>address</replaceable>
<replaceable>mask</replaceable></arg>
<arg
choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
</group>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iprange</option></arg>
<arg
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>logdrop</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>logwatch</option></arg>
<arg><option>-m</option></arg>
<arg><replaceable>refresh-interval</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>logreject</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>noiptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reject</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reset</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>restart</option></arg>
<arg><option>-n</option></arg>
<arg><option>-p</option></arg>
<arg><option>-C</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>restore</option></arg>
<arg><option>-C</option></arg>
<arg><replaceable>filename</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>run</option></arg>
<arg choice="plain">command</arg>
<arg><replaceable>parameter ...</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>save</option></arg>
<arg><option>-C</option></arg>
<arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-b</option></arg>
<arg><option>-x</option></arg>
<arg><option>-l</option></arg>
<arg><option>-t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
<arg><arg><option>chain</option></arg><arg choice="plain"
rep="repeat"><replaceable>chain</replaceable></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-f</option></arg>
<arg choice="plain"><option>capabilities</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-x</option></arg>
<arg choice="plain"><option>{bl|blacklists}</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg
choice="req"><option>classifiers|connections|config|events|filters|ip|ipa|zones|policies|marks</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg choice="plain"><option>event</option><arg
choice="plain"><replaceable>event</replaceable></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-x</option></arg>
<arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg choice="plain"><option>tc</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="opt"><option>show | list | ls </option></arg>
<arg><option>-m</option></arg>
<arg choice="plain"><option>log</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>start</option></arg>
<arg><option>-n</option></arg>
<arg><option>-p</option></arg>
<arg><option>-f</option></arg>
<arg><option>-C</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>stop</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><arg
choice="plain"><option>status</option><arg><option>-i</option></arg></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall6-lite</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The shorewall6-lite utility is used to control the Shoreline
Firewall Lite (Shorewall Lite).</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>The <option>trace</option> and <option>debug</option> options are
used for debugging. See <ulink
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
<para>The <option>nolock</option> option prevents the command from
attempting to acquire the shorewall6-lite lockfile. It is useful if you
need to include <command>shorewall</command> commands in the
<filename>started</filename> <ulink
url="../shorewall_extension_scripts.html">extension script</ulink>.</para>
<para>The <emphasis>options</emphasis> control the amount of output that
the command produces. They consist of a sequence of the letters <emphasis
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no
white-space between <emphasis role="bold">v</emphasis> and the
VERBOSITY.</para>
<para>The <emphasis>options</emphasis> may also include the letter
<option>t</option> which causes all progress messages to be
timestamped.</para>
</refsect1>
<refsect1>
<title>Commands</title>
<para>The available commands are listed below.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">add</emphasis></term>
<listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used
with VPN's.</para>
<para>The <replaceable>interface</replaceable> argument names an
interface defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <replaceable>host-list</replaceable> is comma-separated list
whose elements are host or network addresses.</para>
<caution>
<para>The <command>add</command> command is not very robust. If
there are errors in the <replaceable>host-list</replaceable>, you
may see a large number of error messages yet a subsequent
<command>shorewall6-lite show zones</command> command will
indicate that all hosts were added. If this happens, replace
<command>add</command> by <command>delete</command> and run the
same command again. Then enter the correct command.</para>
</caution>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">allow</emphasis></term>
<listitem>
<para>Re-enables receipt of packets from hosts previously
blacklisted by a <command>drop</command>,
<command>logdrop</command>, <command>reject</command>, or
<command>logreject</command> command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">clear</emphasis></term>
<listitem>
<para>Clear will remove all rules and chains installed by
shorewall6-lite. The firewall is then wide open and unprotected.
Existing connections are untouched. Clear is often used to see if
the firewall is causing connection problems.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful
<command>start</command>, <command>restart</command> or
<command>refresh</command> command if that script exists.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete</emphasis></term>
<listitem>
<para>The delete command reverses the effect of an earlier
<command>add</command> command.</para>
<para>The <replaceable>interface</replaceable> argument names an
interface defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <replaceable>host-list</replaceable> is comma-separated list
whose elements are a host or network address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">disable</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.26. Disables the optional provider
associated with the specified <replaceable>interface</replaceable>
or <replaceable>provider</replaceable>. Where more than one provider
share a single network interface, a
<replaceable>provider</replaceable> name must be given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">drop</emphasis></term>
<listitem>
<para>Causes traffic from the listed
<replaceable>address</replaceable>es to be silently dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">dump</emphasis></term>
<listitem>
<para>Produces a verbose report about the firewall configuration for
the purpose of problem analysis.</para>
<para>The <option>-x</option> option causes actual packet and byte
counts to be displayed. Without that option, these counts are
abbreviated.</para>
<para>The <option>-m</option> option causes any MAC addresses
included in shorewall6-lite log messages to be displayed.</para>
<para>The <option>-l</option> option causes the rule number for each
Netfilter rule to be displayed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">enable</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.26. Enables the optional provider
associated with the specified <replaceable>interface</replaceable>
or <replaceable>provider</replaceable>. Where more than one provider
share a single network interface, a
<replaceable>provider</replaceable> name must be given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">forget</emphasis></term>
<listitem>
<para>Deletes
<filename>/var/lib/shorewall6-lite/<replaceable>filename</replaceable></filename>
and <filename>/var/lib/shorewall6-lite/save</filename>. If no
<replaceable>filename</replaceable> is given then the file specified
by RESTOREFILE in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5) is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">help</emphasis></term>
<listitem>
<para>Displays a syntax summary.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hits</emphasis></term>
<listitem>
<para>Generates several reports from shorewall6-lite log messages in
the current log file. If the <option>-t</option> option is included,
the reports are restricted to log messages generated today.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipcalc</emphasis></term>
<listitem>
<para>Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the
input[s].</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iprange</emphasis></term>
<listitem>
<para>Iprange decomposes the specified range of IP addresses into
the equivalent list of network/host addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that causes iptables
TRACE log records to be created. See iptables(8) for details.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with
facility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
shorewall6-lite has no control over where the messages go; consult
your logging daemon's documentation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term>
<listitem>
<para>Causes traffic from the listed
<replaceable>address</replaceable>es to be logged then discarded.
Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL
setting in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logwatch</emphasis></term>
<listitem>
<para>Monitors the log file specified by the LOGFILE option in
<ulink url="shorewall.conf.html">shorewall6.conf</ulink>(5) and
produces an audible alarm when new shorewall6-lite messages are
logged.</para>
<para>The <option>-m</option> option causes the MAC address of each
packet source to be displayed if that information is
available.</para>
<para>The <replaceable>refresh-interval</replaceable> specifies the
time in seconds between screen refreshes. You can enter a negative
number by preceding the number with "--" (e.g.,
<command>shorewall6-lite logwatch -- -30</command>). In this case,
when a packet count changes, you will be prompted to hit any key to
resume screen refreshes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logreject</emphasis></term>
<listitem>
<para>Causes traffic from the listed
<replaceable>address</replaceable>es to be logged then rejected.
Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL
setting in <ulink url="shorewall.conf.html">shorewall6.conf</ulink>
(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being
canceled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset</emphasis></term>
<listitem>
<para>All the packet and byte counters in the firewall are
reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">restart</emphasis></term>
<listitem>
<para>Restart is similar to <command>shorewall6-lite start</command>
except that it assumes that the firewall is already started.
Existing connections are maintained.</para>
<caution>
<para>If your ip6tables ruleset depends on variables that are
detected at run-time, either in your params file or by
Shorewall-generated code, <command>restore</command> will use the
values that were current when the ruleset was saved, which may be
different from the current values.</para>
</caution>
<para>The <option>-n</option> option causes shorewall6-lite to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the specified (or implicit) firewall script is the one that
generated the current running configuration, then the running
netfilter configuration will be reloaded as is so as to preserve the
iptables packet and byte counters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">restore</emphasis></term>
<listitem>
<para>Restore shorewall6-lite to a state saved using the
<command>shorewall6-lite save</command> command. Existing
connections are maintained. The <replaceable>filename</replaceable>
names a restore file in <filename
class="directory">/var/lib/shorewall6-lite</filename> created using
<command>shorewall6-lite save</command>; if no
<replaceable>filename</replaceable> is given then shorewall6-lite
will be restored from the file specified by the RESTOREFILE option
in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5.
If the <option>-C</option> option was specified during
<command>shorewall7-lite save</command>, then the counters saved by
that operation will be restored.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">run</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.3. Executes
<replaceable>command</replaceable> in the context of the generated
script passing the supplied <replaceable>parameter</replaceable>s.
Normally, the <replaceable>command</replaceable> will be a function
declared in <filename>lib.private</filename>.</para>
<para>Before executing the command, the script will detect the
configuration, setting all SW_* variables and will run your
<filename>init</filename> extension script with $COMMAND =
'run'.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">save</emphasis></term>
<listitem>
<para>The dynamic blacklist is stored in
<filename>/var/lib/shorewall6-lite/save</filename>. The state of the
firewall is stored in
<filename>/var/lib/shorewall6-lite/<replaceable>filename</replaceable></filename>
for use by the <command>shorewall6-lite restore</command> command.
If <replaceable>filename</replaceable> is not given then the state
is saved in the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-C</option> option, added in Shorewall 4.6.5,
causes the ip6tables packet and byte counters to be saved along with
the chains and rules.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">show</emphasis></term>
<listitem>
<para>The show command can have a number of different
arguments:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">bl|blacklists</emphasis></term>
<listitem>
<para>Added in Shorewall 4.6.2. Displays the dynamic chain
along with any chains produced by entries in
shorewall6-blrules(5).The <option>-x</option> option is passed
directly through to ip6tables and causes actual packet and
byte counts to be displayed. Without this option, those counts
are abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term>
<listitem>
<para>Displays your kernel/iptables capabilities. The
<option>-f</option> option causes the display to be formatted
as a capabilities file for use with <command>compile
-e</command>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
]</term>
<listitem>
<para>The rules in each <emphasis>chain</emphasis> are
displayed using the <emphasis role="bold">iptables
-L</emphasis> <emphasis>chain</emphasis> <emphasis
role="bold">-n -v</emphasis> command. If no
<emphasis>chain</emphasis> is given, all of the chains in the
filter table are displayed.</para>
<para>The <option>-x</option> option is passed directly
through to iptables and causes actual packet and byte counts
to be displayed. Without this option, those counts are
abbreviated.</para>
<para>The <option>-t</option> option specifies the Netfilter
table to display. The default is <emphasis
role="bold">filter</emphasis>.</para>
<para>The <option>-b</option> ('brief') option causes rules
which have not been used (i.e. which have zero packet and byte
counts) to be omitted from the output. Chains with no rules
displayed are also omitted from the output.</para>
<para>The <option>-l</option> option causes the rule number
for each Netfilter rule to be displayed.</para>
<para>If the <option>-t</option> option and the
<option>chain</option> keyword are both omitted and any of the
listed <replaceable>chain</replaceable>s do not exist, a usage
message is displayed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">classifiers|filters</emphasis></term>
<listitem>
<para>Displays information about the packet classifiers
defined on the system as a result of traffic shaping
configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">config</emphasis></term>
<listitem>
<para>Displays distribution-specific defaults.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">connections</emphasis></term>
<listitem>
<para>Displays the IP connections currently being tracked by
the firewall.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">event</emphasis><replaceable>
event</replaceable></term>
<listitem>
<para>Added in Shorewall 4.5.19. Displays the named
event.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">events</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.19. Displays all events.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ip</emphasis></term>
<listitem>
<para>Displays the system's IPv4 configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipa</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.17. Displays the per-IP
accounting counters (<ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">log</emphasis></term>
<listitem>
<para>Displays the last 20 shorewall6-lite messages from the
log file specified by the LOGFILE option in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5).</para>
<para>The <option>-m</option> option causes the MAC address of
each packet source to be displayed if that information is
available.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">marks</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.26. Displays the various fields
in packet marks giving the min and max value (in both decimal
and hex) and the applicable mask (in hex).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nat</emphasis></term>
<listitem>
<para>Displays the Netfilter nat table using the command
<command>iptables -t nat -L -n -v</command>.The
<option>-x</option> option is passed directly through to
iptables and causes actual packet and byte counts to be
displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">policies</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.4. Displays the applicable policy
between each pair of zones. Note that implicit intrazone
ACCEPT policies are not displayed for zones associated with a
single network where that network doesn't specify
<option>routeback</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routing</emphasis></term>
<listitem>
<para>Displays the system's IPv4 routing configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">raw</emphasis></term>
<listitem>
<para>Displays the Netfilter raw table using the command
<command>iptables -t raw -L -n -v</command>.The
<option>-x</option> option is passed directly through to
iptables and causes actual packet and byte counts to be
displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tc</emphasis></term>
<listitem>
<para>Displays information about queuing disciplines, classes
and filters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">zones</emphasis></term>
<listitem>
<para>Displays the current composition of the Shorewall zones
on the system.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">start</emphasis></term>
<listitem>
<para>Start Shorewall6 Lite. Existing connections through
shorewall6-lite managed interfaces are untouched. New connections
will be allowed only if they are allowed by the firewall rules or
policies.</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-m</option> option prevents the firewall script
from modifying the current routing configuration.</para>
<para>The <option>-f</option> option was added in Shorewall 4.6.5.
If the RESTOREFILE named in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) exists, is
executable and is not older than the current filewall script, then
that saved configuration is restored.</para>
<para>The <option>-C</option> option was added in Shorewall 4.6.5
and is only meaningful when the <option>-f</option> option is also
specified. If the previously-saved configuration is restored, and if
the <option>-C</option> option was also specified in the
<command>save</command> command, then the packet and byte counters
will be restored.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">stop</emphasis></term>
<listitem>
<para>Stops the firewall. All existing connections, except those
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in <ulink
url="shorewall.conf.html">shorewall6.conf</ulink>(5), are taken
down. The only new traffic permitted through the firewall is from
systems listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful
<command>start</command>, <command>restart</command> or
<command>refresh</command> command if that script exists.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">status</emphasis></term>
<listitem>
<para>Produces a short report about the state of the
Shorewall-configured firewall.</para>
<para>The <option>-i</option> option was added in Shorewall 4.6.2
and causes the status of each optional or provider interface to be
displayed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">version</emphasis></term>
<listitem>
<para>Displays Shorewall's version. The <option>-a</option> option
is included for compatibility with earlier Shorewall releases and is
ignored.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXIT STATUS</title>
<para>In general, when a command succeeds, status 0 is returned; when the
command fails, a non-zero status is returned.</para>
<para>The <command>status</command> command returns exit status as
follows:</para>
<para>0 - Firewall is started.</para>
<para>3 - Firewall is stopped or cleared</para>
<para>4 - Unknown state; usually means that the firewall has never been
started.</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
<para>shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall_interfaces(5),
shorewall6-ipsets(5), shorewall6-maclist(5), shorewall6-masq(5),
shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)</para>
</refsect1>
</refentry>