2008-12-11 01:03:00 +01:00
|
|
|
<?xml version="1.0" encoding="UTF-8"?>
|
2008-12-14 18:37:30 +01:00
|
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
2008-12-11 01:03:00 +01:00
|
|
|
<refentry>
|
|
|
|
<refmeta>
|
2008-12-14 18:37:30 +01:00
|
|
|
<refentrytitle>shorewall6-lite</refentrytitle>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<manvolnum>8</manvolnum>
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
<refnamediv>
|
2008-12-14 18:37:30 +01:00
|
|
|
<refname>shorewall6-lite</refname>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
<refpurpose>Administration tool for Shoreline Firewall 6 Lite
|
|
|
|
(Shorewall6-lite)</refpurpose>
|
2008-12-11 01:03:00 +01:00
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>allow</option></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>clear</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>drop</option></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>dump</option></arg>
|
|
|
|
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>forget</option></arg>
|
|
|
|
|
|
|
|
<arg><replaceable>filename</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>help</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>hits</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>logdrop</option></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>logwatch</option></arg>
|
|
|
|
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
|
|
|
|
<arg><replaceable>refresh-interval</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>logreject</option></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>reject</option></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="plain"><option>restart</option><arg><option>-n</option></arg><arg><option>-p</option></arg></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>restore</option></arg>
|
|
|
|
|
|
|
|
<arg><replaceable>filename</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>save</option></arg>
|
|
|
|
|
|
|
|
<arg choice="opt"><replaceable>filename</replaceable></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
|
|
|
|
<arg><option>-t</option>
|
2008-12-14 18:37:30 +01:00
|
|
|
{<option>filter</option>|<option>mangle</option>|<option>raw</option>}</arg>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg><arg><option>chain</option></arg><arg choice="plain"
|
|
|
|
rep="repeat"><replaceable>chain</replaceable></arg></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>capabilities</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="req"><option>actions|classifiers|connections|config|macros|zones</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
|
|
|
|
<arg choice="req"><option>mangle|nat</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>tc</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>log</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
<arg
|
|
|
|
choice="plain"><option>start</option><arg>-<option>n</option></arg><arg>-<option>p</option></arg><arg>-<option>f</option></arg></arg>
|
2008-12-11 01:03:00 +01:00
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg
|
|
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>stop</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>status</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
|
|
|
|
<cmdsynopsis>
|
2008-12-14 18:37:30 +01:00
|
|
|
<command>shorewall6-lite</command>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
|
|
|
|
<arg choice="plain"><option>version</option></arg>
|
|
|
|
</cmdsynopsis>
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Description</title>
|
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>The shorewall6-lite utility is used to control the Shoreline
|
|
|
|
Firewall 6 (Shorewall6) Lite.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Options</title>
|
|
|
|
|
|
|
|
<para>The <option>trace</option> and <option>debug</option> options are
|
|
|
|
used for debugging. See <ulink
|
|
|
|
url="http://www.shorewall.net/starting_and_stopping.htm#Trace">http://www.shorewall.net/starting_and_stopping.htm#Trace</ulink>.</para>
|
|
|
|
|
|
|
|
<para>The <option>nolock</option> option prevents the command from
|
2008-12-14 18:37:30 +01:00
|
|
|
attempting to acquire the Shorewall6 Lite lockfile. It is useful if you
|
|
|
|
need to include <command>shorewall6-lite</command> commands in the
|
2008-12-11 01:03:00 +01:00
|
|
|
<filename>started</filename> extension script.</para>
|
|
|
|
|
|
|
|
<para>The <emphasis>options</emphasis> control the amount of output that
|
|
|
|
the command produces. They consist of a sequence of the letters <emphasis
|
|
|
|
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
|
|
|
options are omitted, the amount of output is determined by the setting of
|
|
|
|
the VERBOSITY parameter in <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="shorewall6.conf.html">shorewall6.conf</ulink>(5). Each <emphasis
|
2008-12-11 01:03:00 +01:00
|
|
|
role="bold">v</emphasis> adds one to the effective verbosity and each
|
|
|
|
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
|
|
|
VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
|
|
|
|
immediately with one of -1,0,1,2 to specify a specific VERBOSITY. There may
|
|
|
|
be no white space between <emphasis role="bold">v</emphasis> and the
|
|
|
|
VERBOSITY.</para>
|
|
|
|
|
|
|
|
<para>The <emphasis>options</emphasis> may also include the letter
|
|
|
|
<option>t</option> which causes all progress messages to be
|
|
|
|
timestamped.</para>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>Commands</title>
|
|
|
|
|
|
|
|
<para>The available commands are listed below.</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">allow</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Re-enables receipt of packets from hosts previously
|
|
|
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
|
|
|
role="bold">logdrop</emphasis>, <emphasis
|
|
|
|
role="bold">reject</emphasis>, or <emphasis
|
|
|
|
role="bold">logreject</emphasis> command.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">clear</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>Clear will remove all rules and chains installed by Shorewall6
|
2008-12-11 01:03:00 +01:00
|
|
|
Lite. The firewall is then wide open and unprotected. Existing
|
|
|
|
connections are untouched. Clear is often used to see if the
|
|
|
|
firewall is causing connection problems.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">drop</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
|
|
to be silently dropped.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">dump</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Produces a verbose report about the firewall configuration for
|
|
|
|
the purpose of problem analysis.</para>
|
|
|
|
|
|
|
|
<para>The <emphasis role="bold">-x</emphasis> option causes actual
|
|
|
|
packet and byte counts to be displayed. Without that option, these
|
|
|
|
counts are abbreviated. The <emphasis role="bold">-m</emphasis>
|
2008-12-14 18:37:30 +01:00
|
|
|
option causes any MAC addresses included in Shorewall6 Lite log
|
2008-12-11 01:03:00 +01:00
|
|
|
messages to be displayed.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">forget</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>Deletes /var/lib/shorewall6-lite/<emphasis>filename</emphasis>
|
|
|
|
and /var/lib/shorewall6-lite/save. If no
|
2008-12-11 01:03:00 +01:00
|
|
|
<emphasis>filename</emphasis> is given then the file specified by
|
|
|
|
RESTOREFILE in <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) is
|
2008-12-11 01:03:00 +01:00
|
|
|
assumed.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">help</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays a syntax summary.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">hits</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>Generates several reports from Shorewall6 Lite log messages in
|
2008-12-11 01:03:00 +01:00
|
|
|
the current log file.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">logdrop</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
|
|
to be logged then discarded.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">logwatch</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Monitors the log file specified by the LOGFILE option in <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) and
|
|
|
|
produces an audible alarm when new Shorewall6 Lite messages are
|
2008-12-11 01:03:00 +01:00
|
|
|
logged. The <emphasis role="bold">-m</emphasis> option causes the
|
|
|
|
MAC address of each packet source to be displayed if that
|
|
|
|
information is available. The
|
|
|
|
<replaceable>refresh-interval</replaceable> specifies the time in
|
|
|
|
seconds between screen refreshes. You can enter a negative number by
|
2008-12-14 18:37:30 +01:00
|
|
|
preceding the number with "--" (e.g., <command>shorewall6-lite
|
2008-12-11 01:03:00 +01:00
|
|
|
logwatch -- -30</command>). In this case, when a packet count
|
|
|
|
changes, you will be prompted to hit any key to resume screen
|
|
|
|
refreshes.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">logreject</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
|
|
to be logged then rejected.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">reset</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>All the packet and byte counters in the firewall are
|
|
|
|
reset.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">restart</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>Restart is similar to <emphasis role="bold">shorewall6-lite
|
|
|
|
stop</emphasis> followed by <emphasis role="bold">shorewall6-lite
|
2008-12-11 01:03:00 +01:00
|
|
|
start</emphasis>. Existing connections are maintained.</para>
|
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>The <option>-n</option> option causes Shorewall6 to avoid
|
2008-12-11 01:03:00 +01:00
|
|
|
updating the routing table(s).</para>
|
|
|
|
|
|
|
|
<para>The <option>-p</option> option causes the connection tracking
|
|
|
|
table to be flushed; the <command>conntrack</command> utility must
|
|
|
|
be installed to use this option.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">restore</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>Restore Shorewall6 Lite to a state saved using the <emphasis
|
|
|
|
role="bold">shorewall6-lite save</emphasis> command. Existing
|
2008-12-11 01:03:00 +01:00
|
|
|
connections are maintained. The <emphasis>filename</emphasis> names
|
2008-12-14 18:37:30 +01:00
|
|
|
a restore file in /var/lib/shorewall6-lite created using <emphasis
|
|
|
|
role="bold">shorewall6-lite save</emphasis>; if no
|
|
|
|
<emphasis>filename</emphasis> is given then Shorewall6 Lite will be
|
2008-12-11 01:03:00 +01:00
|
|
|
restored from the file specified by the RESTOREFILE option in <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">save</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The dynamic blacklist is stored in
|
2008-12-14 18:37:30 +01:00
|
|
|
/var/lib/shorewall6-lite/save. The state of the firewall is stored
|
|
|
|
in /var/lib/shorewall6-lite/<emphasis>filename</emphasis> for use by
|
|
|
|
the <emphasis role="bold">shorewall6-lite restore</emphasis> and
|
|
|
|
<emphasis role="bold">shorewall6-lite -f start</emphasis> commands.
|
2008-12-11 01:03:00 +01:00
|
|
|
If <emphasis>filename</emphasis> is not given then the state is
|
|
|
|
saved in the file specified by the RESTOREFILE option in <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5).</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">show</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The show command can have a number of different
|
|
|
|
arguments:</para>
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">actions</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Produces a report about the available actions (built-in,
|
|
|
|
standard and user-defined).</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">capabilities</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays your kernel/iptables capabilities. The
|
|
|
|
<emphasis role="bold">-f</emphasis> option causes the display
|
|
|
|
to be formatted as a capabilities file for use with <emphasis
|
|
|
|
role="bold">compile -e</emphasis>.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>
|
|
|
|
... ]</term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>The rules in each <emphasis>chain</emphasis> are
|
2008-12-14 18:37:30 +01:00
|
|
|
displayed using the <emphasis role="bold">ip6tables
|
2008-12-11 01:03:00 +01:00
|
|
|
-L</emphasis> <emphasis>chain</emphasis> <emphasis
|
|
|
|
role="bold">-n -v</emphasis> command. If no
|
|
|
|
<emphasis>chain</emphasis> is given, all of the chains in the
|
|
|
|
filter table are displayed. The <emphasis
|
|
|
|
role="bold">-x</emphasis> option is passed directly through to
|
|
|
|
iptables and causes actual packet and byte counts to be
|
|
|
|
displayed. Without this option, those counts are abbreviated.
|
|
|
|
The <emphasis role="bold">-t</emphasis> option specifies the
|
|
|
|
Netfilter table to display. The default is <emphasis
|
|
|
|
role="bold">filter</emphasis>.</para>
|
|
|
|
|
|
|
|
<para>If the <emphasis role="bold">-t</emphasis> option and the
|
|
|
|
<option>chain</option> keyword are both omitted and any of the
|
|
|
|
listed <replaceable>chain</replaceable>s do not exist, a usage
|
|
|
|
message will be displayed.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">classifiers</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays information about the packet classifiers
|
2008-12-14 18:37:30 +01:00
|
|
|
defined on the system as a result of traffic shaping
|
|
|
|
configuration.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">config</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays distribution-specific defaults.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">connections</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays the IP connections currently being tracked by
|
|
|
|
the firewall.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">macros</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays information about each macro defined on the
|
|
|
|
firewall system.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">mangle</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays the Netfilter mangle table using the command
|
2008-12-14 18:37:30 +01:00
|
|
|
<emphasis role="bold">ip6tables -t mangle -L -n
|
2008-12-11 01:03:00 +01:00
|
|
|
-v</emphasis>. The <emphasis role="bold">-x</emphasis> option
|
|
|
|
is passed directly through to iptables and causes actual
|
|
|
|
packet and byte counts to be displayed. Without this option,
|
|
|
|
those counts are abbreviated.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">nat</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays the Netfilter nat table using the command
|
2008-12-14 18:37:30 +01:00
|
|
|
<emphasis role="bold">ip6tables -t nat -L -n -v</emphasis>. The
|
2008-12-11 01:03:00 +01:00
|
|
|
<emphasis role="bold">-x</emphasis> option is passed directly
|
|
|
|
through to iptables and causes actual packet and byte counts
|
|
|
|
to be displayed. Without this option, those counts are
|
|
|
|
abbreviated.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">tc</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Displays information about queuing disciplines, classes
|
|
|
|
and filters.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">zones</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>Displays the current composition of the Shorewall6 Lite
|
2008-12-11 01:03:00 +01:00
|
|
|
zones on the system.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">start</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>Start Shorewall6 Lite. Existing connections through
|
|
|
|
shorewall6-lite managed interfaces are untouched. New connections
|
2008-12-11 01:03:00 +01:00
|
|
|
will be allowed only if they are allowed by the firewall rules or
|
|
|
|
policies. If <emphasis role="bold">-f</emphasis> is specified, the
|
|
|
|
saved configuration specified by the RESTOREFILE option in <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="shorewall6-lite.conf.html">shorewall6-lite.conf</ulink>(5) will
|
2008-12-11 01:03:00 +01:00
|
|
|
be restored if that saved configuration exists and has been modified
|
2008-12-14 18:37:30 +01:00
|
|
|
more recently than the files in /etc/shorewall6.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>The <option>-n</option> option causes Shorewall6 to avoid
|
2008-12-11 01:03:00 +01:00
|
|
|
updating the routing table(s).</para>
|
|
|
|
|
|
|
|
<para>The <option>-p</option> option causes the connection tracking
|
|
|
|
table to be flushed; the <command>conntrack</command> utility must
|
|
|
|
be installed to use this option.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">stop</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Stops the firewall. All existing connections, except those
|
|
|
|
listed in <ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
|
|
|
or permitted by the ADMINISABSENTMINDED option in
|
|
|
|
shorewall6.conf(5), are taken down. The only new traffic permitted
|
|
|
|
through the firewall is from systems listed in <ulink
|
|
|
|
url="shorewall6-routestopped.html">shorewall6-routestopped</ulink>(5)
|
2008-12-11 01:03:00 +01:00
|
|
|
or by ADMINISABSENTMINDED.</para>
|
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">status</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
|
|
|
<para>Produces a short report about the state of the
|
2008-12-14 18:37:30 +01:00
|
|
|
Shorewall6-configured firewall.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
<term><emphasis role="bold">version</emphasis></term>
|
|
|
|
|
|
|
|
<listitem>
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>Displays Shorewall6-lite's version.</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</listitem>
|
|
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>FILES</title>
|
|
|
|
|
2008-12-14 18:37:30 +01:00
|
|
|
<para>/etc/shorewall6-lite/</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
<title>SEE ALSO</title>
|
|
|
|
|
|
|
|
<para><ulink
|
2008-12-14 18:37:30 +01:00
|
|
|
url="http://www.shorewall.net/starting_and_stopping_shorewall6.htm">http://www.shorewall.net/starting_and_stopping_shorewall6.htm</ulink></para>
|
|
|
|
|
|
|
|
<para>shorewall6-accounting(5), shorewall6-actions(5),
|
|
|
|
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
|
|
|
|
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
|
|
|
|
shorewall6-providers(5), shorewall6-route_rules(5),
|
|
|
|
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
|
|
|
|
shorewall6-tcclasses(5), shorewall6-tcdevices(5), shorewall6-tcrules(5),
|
|
|
|
shorewall6-tos(5), shorewall6-tunnels(5), shorewall6-zones(5)</para>
|
2008-12-11 01:03:00 +01:00
|
|
|
</refsect1>
|
2008-12-14 18:37:30 +01:00
|
|
|
</refentry>
|