mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-15 04:04:10 +01:00
011a07e367
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@3894 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
1288 lines
46 KiB
XML
1288 lines
46 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<article>
|
|
<!--$Id$-->
|
|
|
|
<articleinfo>
|
|
<title>Operating Shorewall</title>
|
|
|
|
<authorgroup>
|
|
<author>
|
|
<firstname>Tom</firstname>
|
|
|
|
<surname>Eastep</surname>
|
|
</author>
|
|
</authorgroup>
|
|
|
|
<pubdate>2006-04-17</pubdate>
|
|
|
|
<copyright>
|
|
<year>2004</year>
|
|
|
|
<year>2005</year>
|
|
|
|
<year>2006</year>
|
|
|
|
<holder>Thomas M. Eastep</holder>
|
|
</copyright>
|
|
|
|
<legalnotice>
|
|
<para>Permission is granted to copy, distribute and/or modify this
|
|
document under the terms of the GNU Free Documentation License, Version
|
|
1.2 or any later version published by the Free Software Foundation; with
|
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
|
Texts. A copy of the license is included in the section entitled
|
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
|
License</ulink></quote>.</para>
|
|
</legalnotice>
|
|
</articleinfo>
|
|
|
|
<caution>
|
|
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
|
|
later. If you are running a version of Shorewall earlier than Shorewall
|
|
3.0.0 then please see the documentation for that
|
|
release</emphasis>.</para>
|
|
</caution>
|
|
|
|
<section>
|
|
<title>Operational Components</title>
|
|
|
|
<para>There are a number of files that comprise the operational components
|
|
of Shorewall.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><filename>/sbin/shorewall</filename> — The program that you use
|
|
to interact with Shorewall. Normally the root user's PATH includes
|
|
<filename>/sbin</filename> and the program can be run from a shell
|
|
prompt by simply typing <command>shorewall</command> followed by a
|
|
command.</para>
|
|
|
|
<warning>
|
|
<para>In some releases of KDE, the default configuration of the
|
|
<emphasis role="bold">konsole</emphasis> program is brain dead with
|
|
respect to the "Root Console". It executes the command "su" where it
|
|
should execute "su -"; the latter will cause a login shell to be
|
|
created which will in turn set PATH properly. You can correct this
|
|
problem as follows:</para>
|
|
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>Click on "Settings" on the toolbar and select "Configure
|
|
Konsole"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Select the "Session" tab.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Click on "Root Console"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Change the Execute command from "su" to "su -"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Click on "Save Session"</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Click on "Ok"</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
</warning>
|
|
|
|
<para>To see a list of supported commands, use the
|
|
<command>help</command> command:</para>
|
|
|
|
<programlisting><command>shorewall help</command></programlisting>
|
|
|
|
<para>To get further information about a particular command, follow
|
|
<command>help</command> by the command:</para>
|
|
|
|
<programlisting><command>shorewall help start</command></programlisting>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><filename>/etc/shorewall</filename> — The default directory
|
|
where Shorewall looks for configuration files. See the sections
|
|
entitled <link linkend="AddDirectories">Additional Configuration
|
|
Directories</link> and <link linkend="AltConfig">Alternate
|
|
Configuration Directories</link> for information about how you can
|
|
direct Shorewall to look in other directories.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><filename>/etc/init.d/shorewall</filename>
|
|
(<filename>/etc/rc.d/firewall.rc</filename> on Slackware) — The script
|
|
run by <command>init</command> (the program responsible for startup
|
|
and shutdown of your system) to start Shorewall at boot time and to
|
|
stop Shorewall at shutdown.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><filename>/usr/share/shorewall/compiler</filename> — In
|
|
Shorewall 3.1 and later, the program that processes your Shorewall
|
|
configuration files and creates a script to start, stop, restart,
|
|
restore and clear the firewall.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><filename>/usr/share/shorewall/firewall</filename> — In
|
|
Shorewall 3.0 and earlier, the program responsible for configuring
|
|
Netfilter based on your configuration files.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><filename>/usr/share/shorewall/functions</filename> — A library
|
|
of Bourne Shell functions used by both<filename>
|
|
/sbin/shorewall</filename> and
|
|
<filename>/usr/share/shorewall/firewall</filename>.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Starting, Stopping and Clearing</title>
|
|
|
|
<para>As explained in the <ulink
|
|
url="Introduction.html">Introduction</ulink>, Shorewall is not something
|
|
that runs all of the time in your system. Nevertheless, for integrating
|
|
Shorewall into your initialization scripts it is useful to speak of
|
|
<firstterm>starting</firstterm> Shorewall and
|
|
<emphasis>stopping</emphasis> Shorewall.</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Shorewall is started using the <command>shorewall
|
|
start</command> command. Once the start command completes
|
|
successfully, Netfilter is configured as described in your Shorewall
|
|
configuration files. If there is an error during <command>shorewall
|
|
start</command>, then if you have a <firstterm>saved
|
|
configuration</firstterm> then that configuration is restored.
|
|
Otherwise, an implicit <command>shorewall stop</command> is
|
|
executed.</para>
|
|
|
|
<important>
|
|
<para>Beginning with Shorewall 3.1, <command>shorewall
|
|
start</command> is implemented as a <firstterm>compile and
|
|
go</firstterm>; that is, the configuration is compiled and if there
|
|
are no compilation errors then the resulting compiled script is
|
|
executed. If there are compilation errors, the command is aborted
|
|
and the state of the firewall is not altered.</para>
|
|
</important>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Shorewall is stopped using the <command>shorewall stop</command>
|
|
command.</para>
|
|
|
|
<important>
|
|
<para>The <command>shorewall stop</command> command does not remove
|
|
all netfilter rules and open your firewall for all traffic to pass.
|
|
It rather places your firewall in a safe state defined by the
|
|
contents of your <ulink
|
|
url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>
|
|
file and the setting of ADMINISABSENTMINDED in <ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
|
</important>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you want to remove all Netfilter rules and open your firewall
|
|
for all traffic to pass, use the <command>shorewall clear</command>
|
|
command.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you change your configuration and want to install the
|
|
changes, use the <command>shorewall restart </command>command.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>For additional information, see the<link linkend="State"> Shorewall
|
|
State Diagram</link> section.</para>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Tracing Command Execution</title>
|
|
|
|
<para>If you include the word <emphasis role="bold">trace</emphasis> as
|
|
the first parameter to an <filename>/sbin/shorewall</filename> command
|
|
that transfers control to
|
|
<filename>/usr/share/shorewall/firewall</filename>, execution of the
|
|
latter program will be traced to STDERR.</para>
|
|
|
|
<example>
|
|
<title>Tracing <command>shorewall start</command></title>
|
|
|
|
<para>To trace the execution of <command>shorewall start</command> and
|
|
write the trace to the file <filename>/tmp/trace</filename>, you would
|
|
enter:<programlisting><command>shorewall trace start 2> /tmp/trace</command></programlisting></para>
|
|
</example>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Having Shorewall Start Automatically at Boot Time</title>
|
|
|
|
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so
|
|
that Shorewall will start automatically at boot time. If you are using the
|
|
<command>install.sh </command>script from the .tgz and it cannot determine
|
|
how to configure automatic startup, a message to that effect will be
|
|
displayed. You will need to consult your distribution's documentation to
|
|
see how to integrate the <filename>/etc/init.d/shorewall</filename> script
|
|
into the distribution's startup mechanism.<caution>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>Shorewall startup is disabled by default. Once you have
|
|
configured your firewall, you can enable startup by editing
|
|
<filename>/etc/shorewall/shorewall.conf</filename> and setting
|
|
STARTUP_ENABLED=Yes.. Note: Users of the .deb package must rather
|
|
edit <filename>/etc/default/shorewall</filename> and set
|
|
<quote>startup=1</quote>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>If you use dialup or some flavor of PPP where your IP
|
|
address can change arbitrarily, you may want to start the firewall
|
|
in your <command>/etc/ppp/ip-up.local</command> script. I
|
|
recommend just placing <quote><command>/sbin/shorewall
|
|
restart</command></quote> in that script.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</caution></para>
|
|
</section>
|
|
|
|
<section id="Saved">
|
|
<title>Saving a Working Configuration for Error Recovery and Fast
|
|
Startup</title>
|
|
|
|
<para>Once you have Shorewall working the way that you want it to, you can
|
|
use <command>shorewall save</command> to <firstterm>save</firstterm> the
|
|
commands necessary to recreate that configuration in a <firstterm>restore
|
|
script</firstterm>.</para>
|
|
|
|
<para>In its simplest form, the save command is just:</para>
|
|
|
|
<programlisting><command>shorewall save</command></programlisting>
|
|
|
|
<para>That command creates the default restore script,
|
|
<filename>/var/lib/shorewall/restore</filename>. The default may be
|
|
changed using the RESTOREFILE option in <ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>. A
|
|
different file name may also be specified in the <command>save</command>
|
|
command:</para>
|
|
|
|
<programlisting><command>shorewall save <filename></command></programlisting>
|
|
|
|
<para>Where <<emphasis>filename</emphasis>> is a simple file name
|
|
(no slashes).</para>
|
|
|
|
<para>Once created, the default restore script serves several useful
|
|
purposes:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If you change your configuration and there is an error when you
|
|
try to restart Shorewall, the restore script will be run to restore
|
|
your firewall to working order.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>Bootup is faster. The -f option of the start command (e.g.,
|
|
<command>shorewall -f start</command>) causes Shorewall to look for
|
|
the default restore script and if it exists, the script is run. This
|
|
is much faster than starting Shorewall using the normal mechanism of
|
|
reading the configuration files and running
|
|
<command>iptables</command> dozens or even hundreds of times.
|
|
<filename>By default, /etc/init.d/shorewall</filename>
|
|
(<filename>/etc/rc.d/firewall.rc</filename>) uses the -f option when
|
|
it is processing a request to start Shorewall.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The <command>shorewall restore</command> command can be used at
|
|
any time to quickly configure the firewall.</para>
|
|
|
|
<programlisting><command>shorewall restore [ <filename> ]</command></programlisting>
|
|
|
|
<para>If no <<emphasis>filename</emphasis>> is given, the
|
|
default restore script is used. Otherwise, the script
|
|
<filename>/var/lib/shorewall/<filename></filename> is
|
|
used.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>The ability to have multiple restore scripts means that you can save
|
|
different Shorewall firewall configurations and switch between them
|
|
quickly using the <command>restore</command> command.</para>
|
|
|
|
<para>Restore scripts may be removed using the <command>shorewall
|
|
forget</command> command:</para>
|
|
|
|
<programlisting><command>shorewall forget [ <filename> ]</command></programlisting>
|
|
|
|
<para>If no <<emphasis>filename</emphasis>> is given, the default
|
|
restore script is removed. Otherwise,
|
|
<filename>/var/lib/shorewall/<filename></filename> is removed (of
|
|
course, you can also use the Linux <command>rm</command> command from the
|
|
shell prompt to remove these files).</para>
|
|
</section>
|
|
|
|
<section id="AddDirectories">
|
|
<title>Additional Configuration Directories</title>
|
|
|
|
<para>The CONFIG_PATH setting in
|
|
<filename>/etc/shorewall/shorewall.conf</filename> determines where
|
|
Shorewall looks for configuration files. The default setting is
|
|
CONFIG_PATH=<filename
|
|
class="directory">/etc/shorewall</filename>:<filename
|
|
class="directory">/usr/share/shorewall</filename> which means that
|
|
<filename class="directory">/etc/shorewall</filename> is searched first
|
|
and if the file is not found then <filename
|
|
class="directory">/usr/share/shorewall</filename> is searched. You can
|
|
change the value of CONFIG_PATH to cause additional directories to be
|
|
searched but CONFIG_PATH should <emphasis>always</emphasis> include both
|
|
<filename class="directory">/etc/shorewall</filename> and <filename
|
|
class="directory">/usr/share/shorewall</filename>.</para>
|
|
|
|
<para>When an alternate configuration directory is specified as described
|
|
in the <link linkend="AddDirectories">next section</link>, that directory
|
|
is searched <emphasis>before</emphasis> those directories listed in
|
|
CONFIG_PATH.</para>
|
|
|
|
<para>Example - Search <filename
|
|
class="directory">/etc/shorewall</filename>, <filename
|
|
class="directory">/etc/shorewall/actiondir</filename> and <filename
|
|
class="directory">/usr/share/shorewall</filename> in that order:</para>
|
|
|
|
<programlisting>CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall</programlisting>
|
|
|
|
<para>The above is the setting that I once used to allow me to place all
|
|
of my user-defined 'action.' files in <filename
|
|
class="directory">/etc/shorewall/actiondir</filename>.</para>
|
|
</section>
|
|
|
|
<section id="AltConfig">
|
|
<title>Alternate Configuration Directories</title>
|
|
|
|
<para>As explained <link linkend="AddDirectories">above</link>, Shorewall
|
|
normally looks for configuration files in the directories specified by the
|
|
CONFIG_PATH option in <filename
|
|
class="directory">/etc/shorewall/shorewall.conf</filename>. The
|
|
<command>shorewall start</command>, <command>shorewall restart</command>,
|
|
<command>shorewall check</command>, and <command>shorewall try
|
|
</command>commands allow you to specify an additional directory for
|
|
Shorewall to check before looking in the directories listed in
|
|
CONFIG_PATH.</para>
|
|
|
|
<programlisting> <command>shorewall {start|restart|check} <configuration-directory></command>
|
|
<command>shorewall try <configuration-directory> [ <timeout> ]</command></programlisting>
|
|
|
|
<para>If a <emphasis><configuration-directory</emphasis>> is
|
|
specified, each time that Shorewall is going to read a file, it will first
|
|
look in the<emphasis> <configuration-directory></emphasis> . If the
|
|
file is present in the
|
|
<emphasis><configuration-directory>,</emphasis> that file will be
|
|
used; otherwise, the directories in the CONFIG_PATH will be searched. When
|
|
changing the configuration of a production firewall, I recommend the
|
|
following:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>If you haven't saved the current working configuration, do so
|
|
using <command>shorewall save</command>.</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>mkdir /etc/test</command></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>cd /etc/test</command></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><copy any files that you need to change from /etc/shorewall
|
|
to . and change them here></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>shorewall check ./</command></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><correct any errors found by check and check again></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>shorewall restart ./</command></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>If the <command>restart</command> fails, your configuration will be
|
|
restored to it's state at the last <command>shorewall
|
|
save</command>.</para>
|
|
|
|
<para>When the new configuration works then just:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><command>cp -f * /etc/shorewall</command></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>cd</command></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>rm -rf /etc/test</command></para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para><command>shorewall save</command></para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
</section>
|
|
|
|
<section>
|
|
<title>Command Reference</title>
|
|
|
|
<para>The general form of a command in Shorewall 3.0 is:</para>
|
|
|
|
<blockquote>
|
|
<para><command>shorewall [ <options> ] <command> [
|
|
<argument> ... ]</command></para>
|
|
|
|
<para>Available options are:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-c <directory></term>
|
|
|
|
<listitem>
|
|
<para>Specifies an <link linkend="AltConfig">alternate
|
|
configuration directory</link>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-f</term>
|
|
|
|
<listitem>
|
|
<para>Specifies fast restart. See the <command>start</command>
|
|
command below.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-n</term>
|
|
|
|
<listitem>
|
|
<para>Prevents the command from changing the firewall system's
|
|
routing configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-q</term>
|
|
|
|
<listitem>
|
|
<para>In Shorewall versions prior to 3.2.0, causes some of the
|
|
output to be suppressed.</para>
|
|
|
|
<para>In 3.2.0 and later, reduces the verbosity level (see
|
|
VERBOSITY setting in <ulink
|
|
url="Documentation.htm#Config">shorewall.conf</ulink>). May be
|
|
repeated (e.g., "-qq") with each instance reducing the verbosity
|
|
level by one.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-v</term>
|
|
|
|
<listitem>
|
|
<para>In Shorewall versions prior to 3.2.0, causes Ethernet MAC
|
|
addresses to be included in log message displays.</para>
|
|
|
|
<para>In 3.2.0 and later, increases the verbosity level (see
|
|
VERBOSITY setting in <ulink
|
|
url="Documentation.htm#Config">shorewall.conf</ulink>). May be
|
|
repeated (e.g., "-qq") with each instance increasing the verbosity
|
|
level by one.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-x</term>
|
|
|
|
<listitem>
|
|
<para>Causes all iptables -L commands to display actual packet and
|
|
byte counts.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</blockquote>
|
|
|
|
<para>The general form of a command in Shorewall 3.1 and later is:</para>
|
|
|
|
<blockquote>
|
|
<para><command>shorewall [ <options> ] <command> [
|
|
<command options> ] [ <argument> ... ]</command></para>
|
|
|
|
<para>For compatibility, Shorewall 3.1 and later accept all of the 3.0
|
|
command options. In addition, 3.1 defines some new options and also
|
|
defines command-specific options that are entered after the command on
|
|
the run-line.</para>
|
|
|
|
<para>New options are:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-t</term>
|
|
|
|
<listitem>
|
|
<para>All progress messages are timestamped with the date and
|
|
time.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>In addition, the <command>-q</command> and <command>-v</command>
|
|
options may be repeated to make the output less or more verbose
|
|
respectively. The default level of verbosity is determined by the
|
|
setting of the VERBOSITY option in
|
|
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
|
|
</blockquote>
|
|
|
|
<para>Following in alphabetical order are the supported commands.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>add</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall add <interface>[:<host-list>] …
|
|
<zone></command></para>
|
|
|
|
<para>A <host-list> is a comma-separated list whose entries
|
|
are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>A host or network address</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The name of a bridge port</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The name of a bridge port followed by a colon (":") and a
|
|
host or network address.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Adds an interface (and list of hosts if included) to a dynamic
|
|
zone usually used with VPN's.</para>
|
|
|
|
<para>Example: <command>shorewall add ipsec0:192.0.2.24
|
|
vpn1</command></para>
|
|
|
|
<para>adds the address 192.0.2.24 from interface ipsec0 to the zone
|
|
vpn1.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>allow</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall allow <address> ...</command></para>
|
|
|
|
<para>Re-enables receipt of packets from hosts previously
|
|
blacklisted by a drop or reject command.</para>
|
|
|
|
<para>Shorewall allow, drop, rejct and save implement dynamic
|
|
blacklisting.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>check</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall check [ <configuration-directory>
|
|
]</command></para>
|
|
|
|
<para>Performs a cursory validation of the zones, interfaces, hosts,
|
|
rules, policy, masq, blacklist, proxyarp, nat and provider files.
|
|
Use this if you are unsure of any edits you have made to the
|
|
shorewall configuration. See <link linkend="AltConfig">above</link>
|
|
for a recommended way to make changes.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>clear</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall clear</command></para>
|
|
|
|
<para>Clear will remove all rules and chains installed by Shorewall.
|
|
The firewall is then wide open and unprotected. Existing connections
|
|
are untouched. Clear is often used to see if the firewall is causing
|
|
connection problems.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>compile (Shorewall 3.1 and later)</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall compile [ -e ] [ -d <distro> ] [
|
|
<directory name> ] <path name></command></para>
|
|
|
|
<para>Compiles the current configuration into the executable file
|
|
<path name>. If <path name> names a file in
|
|
/var/lib/shorewall then the file may be executed using the "restore"
|
|
command.</para>
|
|
|
|
<para>When -e is specified, the compilation is being performed on a
|
|
system other than where the compiled script will run. This option
|
|
disables certain configuration options that require the script to be
|
|
compiled where it is to be run and allows the script to be run on a
|
|
system that does not have Shorewall installed at all. The file
|
|
/etc/shorewall/capabilities must be present when -e is used; that
|
|
file specifies the iptables/kernel capabilities on the target
|
|
system.</para>
|
|
|
|
<para>When -d <distribution> is given, the script is built for
|
|
installation in <filename class="directory">/etc/init.d</filename>
|
|
on the distribution specified by <distro>. Currently supported
|
|
values for <distro>are:</para>
|
|
|
|
<simplelist>
|
|
<member>redhat (also good for Fedora Core and CentOS)</member>
|
|
|
|
<member>debian (Requires the soon to be released Shorewall-minimal
|
|
package to be run on Debian)</member>
|
|
|
|
<member>suse</member>
|
|
</simplelist>
|
|
|
|
<para>Usually specified together with -e. If not specified, the
|
|
output file is not suitable for installation into <filename
|
|
class="directory">/etc/init.d/</filename></para>
|
|
|
|
<para>Example:<blockquote>
|
|
<para><command>shorewall compile -ed redhat foo</command></para>
|
|
</blockquote>Additional distributions are expected to be supported
|
|
shortly.</para>
|
|
|
|
<para>The compiled script is a complete program that supports the
|
|
following commands:</para>
|
|
|
|
<blockquote>
|
|
<simplelist>
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
start</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
stop</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
clear</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
restart</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
status</command></member>
|
|
|
|
<member><command><program> [ -q ] [ -v ] [ -n ]
|
|
version</command></member>
|
|
</simplelist>
|
|
</blockquote>
|
|
|
|
<para>The options have their same meaning is when they are passed to
|
|
<filename>/sbin/shorewall</filename> itself.</para>
|
|
|
|
<para>When the '-e' option is specified during compilation, the
|
|
program may be installed in /etc/init.d/ and serve as the firewall
|
|
on a system without Shorewall installed.</para>
|
|
|
|
<para>For additional information about the
|
|
<command>compile</command> command, see <ulink
|
|
url="CompiledPrograms.html">this article</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>delete</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall delete
|
|
<interface>[:<host-list>] …
|
|
<zone></command></para>
|
|
|
|
<para>A <host-list> is a comma-separated list whose entries
|
|
are:</para>
|
|
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>A host or network address</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The name of a bridge port</para>
|
|
</listitem>
|
|
|
|
<listitem>
|
|
<para>The name of a bridge port followed by a colon (":") and a
|
|
host or network address.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
|
|
<para>Deletes the specified interface (and host list if included)
|
|
from the specified zone.</para>
|
|
|
|
<para>Example:</para>
|
|
|
|
<para><command>shorewall delete ipsec0:192.0.2.24
|
|
vpn1</command></para>
|
|
|
|
<para>deletes the address 192.0.2.24 from interface ipsec0 from zone
|
|
vpn1</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>drop</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall drop <address> ...</command></para>
|
|
|
|
<para>Causes packets from the specified
|
|
<<emphasis>address</emphasis>> to be ignored</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>dump</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall [ -x ] dump</command></para>
|
|
|
|
<para>Produce a verbose report about the firewall.</para>
|
|
|
|
<para>When -x is given, that option is also passed to iptables to
|
|
display actual packet and byte counts.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>forget</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall forget [ <filename>
|
|
]</command></para>
|
|
|
|
<para>Deletes<filename>
|
|
/var/lib/shorewall/<filename></filename>. If no
|
|
<<emphasis>filename</emphasis>> is given then the file
|
|
specified by RESTOREFILE in <ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
|
|
is removed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>help</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall help [<command> | host | address
|
|
]</command></para>
|
|
|
|
<para>Display helpful information about the shorewall
|
|
commands.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>hits</term>
|
|
|
|
<listitem>
|
|
<para><command>hits</command></para>
|
|
|
|
<para>Produces several reports about the Shorewall packet log
|
|
messages in the current log file specified by the LOGFILE option in
|
|
<ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>ipcalc</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall ipcalc { <address> <mask> |
|
|
<address>/<vlsm> }</command></para>
|
|
|
|
<para>Ipcalc displays the network address, broadcast address,
|
|
network in CIDR notation and netmask corresponding to the
|
|
input[s].</para>
|
|
|
|
<para>Example:</para>
|
|
|
|
<para><command>ipcalc 192.168.1.0/24</command></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>iprange</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall iprange
|
|
<address1>-<address2></command></para>
|
|
|
|
<para>Iprange decomposes the specified range of IP addresses into
|
|
the equivalent list of network/host addresses.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>logdrop</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall logdrop <address>
|
|
...</command></para>
|
|
|
|
<para>Causes packets from the specified
|
|
<<emphasis>address</emphasis>> to be ignored and logged</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>logwatch</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall logwatch [ -m ] [<refresh
|
|
interval>]</command></para>
|
|
|
|
<para>Monitors the log file specified by theLOGFILE option in <ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
|
|
and produces an audible alarm when new Shorewall messages are
|
|
logged.</para>
|
|
|
|
<para>The '-m' option is available in Shorewall version 3.2.0 Beta5
|
|
and later and causes the MAC address of each packet source to be
|
|
displayed if that information is available.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>logreject</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall logreject <address>
|
|
...</command></para>
|
|
|
|
<para>Causes packets from the specified
|
|
<<emphasis>address</emphasis>> to be rejected and
|
|
logged</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>refresh</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall [ -q ] refresh</command></para>
|
|
|
|
<para>The rules involving the broadcast addresses of firewall
|
|
interfaces, the black list and ECN control rules are recreated to
|
|
reflect any changes made to your configuration files. Shorewall
|
|
versions prior to 3.2.0 Beta 5 also recreate the traffic shaping
|
|
rules as part of processing the <command>refresh</command> command.
|
|
Existing connections are untouched. If -q is specified, less detail
|
|
is displayed making it easier to spot warnings.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>reject</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall reject <address> ...</command></para>
|
|
|
|
<para>Causes packets from the specified
|
|
<<emphasis>address</emphasis>>s to be rejected</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>reset</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall reset</command></para>
|
|
|
|
<para>All the packet and byte counters in the firewall are
|
|
reset.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>restart</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall [ -q ] restart
|
|
<configuration-directory></command></para>
|
|
|
|
<para>Restart is similar to <command>shorewall stop</command>
|
|
followed by <command>shorewall start</command>. Existing connections
|
|
are maintained. If -q is specified, less detail is displayed making
|
|
it easier to spot warnings</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>restore</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall [ -q ] restore [ <filename>
|
|
]</command></para>
|
|
|
|
<para>Restore Shorewall to a state saved using the
|
|
<command>shorewall save</command> command Existing connections are
|
|
maintained. The <<emphasis>filename</emphasis>> names a
|
|
restore file in <filename
|
|
class="directory">/var/lib/shorewall</filename> created using
|
|
<command>shorewall save</command>; if no
|
|
<<emphasis>filename</emphasis>> is given then Shorewall will
|
|
be restored from the file specified by the RESTOREFILE option in
|
|
<ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>safe-restart</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall [ -q ] safe-restart [ <filename>
|
|
]</command></para>
|
|
|
|
<para>Only allowed if Shorewall is running. The current
|
|
configuration is saved in
|
|
<filename>/var/lib/shorewall/safe-restart</filename> (see the
|
|
<command>save</command> command below) that a restart is done. You
|
|
will then be prompted asking if you want to accept the new
|
|
configuration or not. If you answer "n" or if you fail to answer
|
|
within 60 seconds (such as when your new configuration has disabled
|
|
communication with your terminal), the configuration is restored
|
|
from the saved configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>safe-start</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall [ -q ] safe-start [ <filename>
|
|
]</command></para>
|
|
|
|
<para>Shorewall is started normally. You will then be prompted
|
|
asking if everything went all right. If you answer "n" or if you
|
|
fail to answer within 60 seconds (such as when your new
|
|
configuration has disabled communication with your terminal), a
|
|
<command>shorewall clear</command> is performed for you.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>save</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall save [ <filename> ]</command></para>
|
|
|
|
<para>The dynamic data is stored in /var/lib/shorewall/save. The
|
|
state of the firewall is stored in
|
|
<filename>/var/lib/shorewall/<filename></filename> for use by
|
|
the <command>shorewall restore</command> and <command>shorewall -f
|
|
start</command> commands. If <<emphasis>filename</emphasis>>
|
|
is not given then the state is saved in the file specified by the
|
|
RESTOREFILE option in <ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>show</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall [ -x ] show [ <chain> [ <chain>
|
|
...] |classifiers|connections|log|nat|tc|tos]</command></para>
|
|
|
|
<para><command>shorewall [ -x ] show <chain> [ <chain>
|
|
... ] </command> - produce a verbose report about the Netfilter
|
|
chain(s). (<command>iptables -L chain -n -v</command>)</para>
|
|
|
|
<para><command>shorewall [ -x ] show mangle</command> - produce a
|
|
verbose report about the mangle table. (<command>iptables -t mangle
|
|
-L -n -v</command>)</para>
|
|
|
|
<para><command>shorewall [ -x ] show nat</command> - produce a
|
|
verbose report about the nat table. (<command>iptables -t nat -L -n
|
|
-v</command>)</para>
|
|
|
|
<para><command>shorewall show [- m ] log</command> - display the
|
|
last 20 packet log entries. The '-m' option is available in
|
|
Shorewall version 3.2.0 Beta5 and later and causes the MAC address
|
|
of each packet source to be displayed if that information is
|
|
available.</para>
|
|
|
|
<para><command>shorewall show capabilities</command> - Displays your
|
|
kernel/iptables capabilities</para>
|
|
|
|
<para><command>shorewall show connections</command> - displays the
|
|
IP connections currently being tracked by the firewall.</para>
|
|
|
|
<para><command>shorewall show classifiers</command> - displays
|
|
information about the traffic control/shaping classifiers.</para>
|
|
|
|
<para><command>shorewall show tc</command> - displays information
|
|
about the traffic control/shaping configuration.</para>
|
|
|
|
<para><command>shorewall show zones</command> — Displays the
|
|
composition of each zone.</para>
|
|
|
|
<para>When -x is given, that option is also passed to iptables to
|
|
display actual packet and byte counts.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>start</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall [ -q ] [ -f ] start [
|
|
<configuration-directory> ]</command></para>
|
|
|
|
<para>Start shorewall. Existing connections through shorewall
|
|
managed interfaces are untouched. New connections will be allowed
|
|
only if they are allowed by the firewall rules or policies. If -q is
|
|
specified, less detail is displayed making it easier to spot
|
|
warnings If -f is specified, the saved configuration specified by
|
|
the RESTOREFILE option in <ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
|
|
will be restored if that saved configuration exists</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>stop</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall stop</command></para>
|
|
|
|
<para>Stops the firewall. All existing connections, except those
|
|
listed in <filename><ulink
|
|
url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>
|
|
or permitted by the ADMINISABSENTMINDED option in <ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>,
|
|
are taken down. The only new traffic permitted through the firewall
|
|
is from systems listed in
|
|
<filename>/etc/shorewall/routestopped</filename> or by
|
|
ADMINISABSENTMINDED.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>status</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall status</command></para>
|
|
|
|
<para>Produce a short report about the firewall's status and state
|
|
relative to <link linkend="State">the diagram below</link>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>try (Deprecated)</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall try <configuration-directory> [
|
|
<timeout> ]</command></para>
|
|
|
|
<para>Restart shorewall using the specified configuration. If an
|
|
error occurs during the restart, then another shorewall restart is
|
|
performed using the default configuration. If a timeout is specified
|
|
then the restart is always performed after the timeout occurs and
|
|
uses the default configuration.</para>
|
|
|
|
<para>When restarting using the default configuration, if the
|
|
default restore script (as specified by the RESTOREFILE setting in
|
|
<ulink
|
|
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>)
|
|
exists. then that script is used.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>version</term>
|
|
|
|
<listitem>
|
|
<para><command>shorewall version</command></para>
|
|
|
|
<para>Show the current shorewall version</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</section>
|
|
|
|
<section id="State">
|
|
<title>Shorewall State Diagram</title>
|
|
|
|
<para>The Shorewall State Diargram is depicted below.</para>
|
|
|
|
<para><graphic align="center" fileref="images/State_Diagram.png" /></para>
|
|
|
|
<para>You will note that mose of the commands that result in state
|
|
transitions use the word <quote>firewall</quote> rather than
|
|
<quote>shorewall</quote>. That is because the actual transitions are done
|
|
by <command>/usr/share/shorewall/firewall</command>;
|
|
<command>/sbin/shorewall</command> runs <quote>firewall</quote> according
|
|
to the following table:</para>
|
|
|
|
<informaltable>
|
|
<tgroup cols="3">
|
|
<thead>
|
|
<row>
|
|
<entry align="center">/sbin/shorewall Command</entry>
|
|
|
|
<entry align="center">Resulting /usr/share/shorewall/firewall
|
|
Command</entry>
|
|
|
|
<entry align="center">Effect if the Command Succeeds</entry>
|
|
</row>
|
|
</thead>
|
|
|
|
<tbody>
|
|
<row>
|
|
<entry>shorewall start</entry>
|
|
|
|
<entry>firewall start</entry>
|
|
|
|
<entry>The system filters packets based on your current Shorewall
|
|
Configuration</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>shorewall stop</entry>
|
|
|
|
<entry>firewall stop</entry>
|
|
|
|
<entry>Only traffic to/from hosts listed in /etc/shorewall/hosts
|
|
is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes
|
|
in /etc/shorewall/shorewall.conf then in addition, all existing
|
|
connections are retained and all connection requests from the
|
|
firewall are accepted.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>shorewall restart</entry>
|
|
|
|
<entry>firewall restart</entry>
|
|
|
|
<entry>Logically equivalent to <quote>firewall stop;firewall
|
|
start</quote></entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>shorewall add</entry>
|
|
|
|
<entry>firewall add</entry>
|
|
|
|
<entry>Adds a host or subnet to a dynamic zone</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>shorewall delete</entry>
|
|
|
|
<entry>firewall delete</entry>
|
|
|
|
<entry>Deletes a host or subnet from a dynamic zone</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>shorewall refresh</entry>
|
|
|
|
<entry>firewall refresh</entry>
|
|
|
|
<entry>Reloads rules dealing with static blacklisting, traffic
|
|
control and ECN.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>shorewall reset</entry>
|
|
|
|
<entry>firewall reset</entry>
|
|
|
|
<entry>Resets traffic counters</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>shorewall clear</entry>
|
|
|
|
<entry>firewall clear</entry>
|
|
|
|
<entry>Removes all Shorewall rules, chains, addresses, routes and
|
|
ARP entries.</entry>
|
|
</row>
|
|
|
|
<row>
|
|
<entry>shorewall try</entry>
|
|
|
|
<entry>firewall -c <new configuration> restart If
|
|
unsuccessful then firewall start (standard configuration) If
|
|
timeout then firewall restart (standard configuration)</entry>
|
|
|
|
<entry></entry>
|
|
</row>
|
|
</tbody>
|
|
</tgroup>
|
|
</informaltable>
|
|
|
|
<para>The only time that a program other than
|
|
<command>/usr/share/shorewall/firewall</command> performs a state
|
|
transition itself is when it executes the <command>shorewall
|
|
restore</command> command is executed. In that case, the
|
|
<command>/var/lib/shorewall/restore</command> program sets the state to
|
|
"Started".</para>
|
|
|
|
<section>
|
|
<title>Notes for Shorewall 3.2.0 and Later</title>
|
|
|
|
<para>With any command that involves compilation, there is no state
|
|
transition while the compiler is running. If compilation fails, the
|
|
state remains unchanged.</para>
|
|
|
|
<para>Also, <command>shorewall start</command> and <command>shorewall
|
|
restart</command> involve compilation followed by execution of the
|
|
compiled script. So it is the compiled script that performs the state
|
|
transition in these commands rather than
|
|
<command>/usr/share/shorewall/firewall</command>.</para>
|
|
|
|
<para>The compiled script is placed in <filename
|
|
class="directory">/var/lib/shorewall</filename> and is named either
|
|
<filename>.start</filename> or <filename>.restart</filename> depending
|
|
on the command.</para>
|
|
</section>
|
|
</section>
|
|
</article> |