From 875c35247348d947311aae1cd8cd320069a376b3 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Mon, 21 Nov 2016 10:00:55 -0800 Subject: [PATCH] Unify the CLI Signed-off-by: Tom Eastep --- Shorewall-core/install.sh | 6 + Shorewall-core/lib.base | 14 +- Shorewall-core/lib.cli | 17 +- {Shorewall => Shorewall-core}/shorewall | 0 Shorewall-lite/init.debian.sh | 2 +- Shorewall-lite/init.fedora.sh | 2 +- Shorewall-lite/init.openwrt.sh | 10 +- Shorewall-lite/install.sh | 20 +- Shorewall-lite/manpages/shorewall-lite.xml | 1657 ----------- Shorewall-lite/shorewall-lite | 39 - Shorewall/install.sh | 27 +- Shorewall/lib.cli-std | 57 +- Shorewall6-lite/init.debian.sh | 2 +- Shorewall6-lite/init.fedora.sh | 2 +- Shorewall6-lite/init.openwrt.sh | 8 +- Shorewall6-lite/init.sh | 6 +- Shorewall6-lite/init.suse.sh | 6 +- Shorewall6-lite/manpages/shorewall6-lite.xml | 1614 ----------- Shorewall6-lite/shorewall6-lite | 39 - Shorewall6-lite/shorewall6-lite.service | 5 +- Shorewall6/init.debian.sh | 2 +- Shorewall6/init.fedora.sh | 2 +- Shorewall6/init.sh | 6 +- Shorewall6/init.slackware.shorewall6.sh | 8 +- Shorewall6/init.suse.sh | 11 +- Shorewall6/manpages/shorewall6.xml | 2610 ------------------ Shorewall6/shorewall6 | 39 - Shorewall6/shorewall6.service | 6 +- Shorewall6/shorewall6.service.debian | 6 +- 29 files changed, 123 insertions(+), 6100 deletions(-) rename {Shorewall => Shorewall-core}/shorewall (100%) delete mode 100644 Shorewall-lite/manpages/shorewall-lite.xml delete mode 100755 Shorewall-lite/shorewall-lite delete mode 100644 Shorewall6-lite/manpages/shorewall6-lite.xml delete mode 100755 Shorewall6-lite/shorewall6-lite delete mode 100644 Shorewall6/manpages/shorewall6.xml delete mode 100755 Shorewall6/shorewall6 diff --git a/Shorewall-core/install.sh b/Shorewall-core/install.sh index 7d3f9bae2..2d6e62216 100755 --- a/Shorewall-core/install.sh +++ b/Shorewall-core/install.sh 
@@ -365,6 +365,12 @@ fi # Note: ${VARDIR} is created at run-time since it has always been # a relocatable directory on a per-product basis # +# Install the CLI +# +install_file shorewall ${DESTDIR}${SBINDIR}/shorewall 0755 +[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/shorewall +echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/$PRODUCT" +# # Install wait4ifup # install_file wait4ifup ${DESTDIR}${LIBEXECDIR}/shorewall/wait4ifup 0755 diff --git a/Shorewall-core/lib.base b/Shorewall-core/lib.base index cf7a4d966..519100b66 100644 --- a/Shorewall-core/lib.base +++ b/Shorewall-core/lib.base @@ -35,26 +35,26 @@ fatal_error() # $@ = Message exit 2 } -setup_product_environment() { +setup_product_environment() { # $1 -- if non-empty, source shorewallrc g_basedir=${SHAREDIR}/shorewall g_sharedir="$SHAREDIR"/$PRODUCT g_confdir="$CONFDIR"/$PRODUCT - g_program=$PRODUCT - - case $g_program in + case $PRODUCT in shorewall) g_product="Shorewall" g_family=4 g_tool=iptables g_lite= + g_options=-l ;; shorewall6) g_product="Shorewall6" g_family=6 g_tool=ip6tables g_lite= + g_options=-6l ;; shorewall-lite) g_product="Shorewall Lite" @@ -74,10 +74,14 @@ setup_product_environment() { esac [ -f ${SHAREDIR}/${PRODUCT}/version ] || fatal_error "$g_product does not appear to be installed on this system" + # + # We need to do this again, now that we have the correct product + # + [ -n "$1" ] && . ${g_basedir}/shorewallrc if [ -z "${VARLIB}" ]; then VARLIB=${VARDIR} - VARDIR=${VARLIB}/$g_program + VARDIR=${VARLIB}/${PRODUCT} elif [ -z "${VARDIR}" ]; then VARDIR="${VARLIB}/${PRODUCT}" fi diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli index 6d3db9dba..155b6b19e 100644 --- a/Shorewall-core/lib.cli +++ b/Shorewall-core/lib.cli 
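Review bot: The confirmation message on the third added line reports `${DESTDIR}${SBINDIR}/$PRODUCT`, but the file the preceding install_file line actually puts in place is `${DESTDIR}${SBINDIR}/shorewall`; in Shorewall-core's installer $PRODUCT is presumably not `shorewall`, so the message names a path that was never written. Use the literal name: `echo "Shorewall CLI program installed in ${DESTDIR}${SBINDIR}/shorewall"`. The `eval sed -i` line with an unquoted ${SHAREDIR} is the same pattern this commit removes from Shorewall/install.sh, so it is not new, but it is worth a comment noting that SHAREDIR is interpolated into an eval'd command and must come from the installer's own configuration, not from an arbitrary caller.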
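Review bot: `g_program` is removed from setup_product_environment, but the commit only rewrites the `$g_program` uses visible in lib.cli; any reference left in lib.cli-std, lib.common or the init/extension scripts (not visible here) would now silently expand to an empty string rather than fail, so a tree-wide search for `g_program` before merging, or a one-release compatibility alias `g_program=$PRODUCT` right after the `case`, seems prudent. The new `g_options=-l` and `g_options=-6l` assignments are undocumented, and since `-l` elsewhere in this commit selects the lite product it is not obvious from the hunk what they are for; a comment such as `# g_options: CLI flags used when the generated script invokes the CLI for this product -- TODO confirm` would help the next reader. The `;;` arm for the lite products and the rest of the function lie outside the hunk.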
@@ -1357,14 +1357,14 @@ show_command() { echo "LIBEXEC=${LIBEXECDIR}" echo "SBINDIR=${SBINDIR}" echo "CONFDIR=${CONFDIR}" - [ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR=${VARDIR}" + [ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR=${VARDIR}" else echo "Default CONFIG_PATH is $CONFIG_PATH" - echo "Default VARDIR is /var/lib/$g_program" + echo "Default VARDIR is /var/lib/$PRODUCT" echo "LIBEXEC is ${LIBEXECDIR}" echo "SBINDIR is ${SBINDIR}" echo "CONFDIR is ${CONFDIR}" - [ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$g_program ] && echo "LITEDIR is ${VARDIR}" + [ -n "$g_lite" ] && [ ${VARDIR} != /var/lib/$PRODUCT ] && echo "LITEDIR is ${VARDIR}" fi ;; chain) @@ -1428,7 +1428,7 @@ show_command() { fi ;; *) - case "$g_program" in + case "$PRODUCT" in *-lite) ;; *) @@ -3866,7 +3866,7 @@ get_config() { ensure_config_path - config=$(find_file ${g_program}.conf) + config=$(find_file ${PRODUCT}.conf) if [ -f $config ]; then if [ -r $config ]; then @@ -4362,6 +4362,7 @@ shorewall_cli() { g_nopager= g_blacklistipset= g_disconnect= + g_options= VERBOSE= VERBOSITY=1 @@ -4503,16 +4504,16 @@ shorewall_cli() { usage 1 fi - setup_product_environment + setup_product_environment 1 - [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std + [ -n "$g_lite" ] || . ${SHAREDIR}/shorewall/lib.cli-std PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin MUTEX_TIMEOUT= [ -f ${g_confdir}/vardir ] && . ${g_confdir}/vardir - [ -n "${VARDIR:=/var/lib/$g_program}" ] + [ -n "${VARDIR:=/var/lib/$PRODUCT}" ] g_firewall=${VARDIR}/firewall diff --git a/Shorewall/shorewall b/Shorewall-core/shorewall similarity index 100% rename from Shorewall/shorewall rename to Shorewall-core/shorewall diff --git a/Shorewall-lite/init.debian.sh b/Shorewall-lite/init.debian.sh index b6452b7fc..731a20b0e 100755 --- a/Shorewall-lite/init.debian.sh +++ b/Shorewall-lite/init.debian.sh 
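Review bot: The two rewritten LITEDIR lines keep `${VARDIR}` unquoted inside `[ ... ]`, so a VARDIR containing whitespace or an empty VARDIR turns the test into a syntax error instead of a false result; since the line is being touched anyway, `[ -n "$g_lite" ] && [ "${VARDIR}" != "/var/lib/$PRODUCT" ] && echo "LITEDIR=${VARDIR}"` (and likewise for the `LITEDIR is` line) costs nothing. show_command continues outside the hunk.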
@@ -13,7 +13,7 @@ . /lib/lsb/init-functions -SRWL=/sbin/shorewall-lite +SRWL='/sbin/shorewall -l' SRWL_OPTS="-tvv" test -n ${INITLOG:=/var/log/shorewall-lite-init.log} diff --git a/Shorewall-lite/init.fedora.sh b/Shorewall-lite/init.fedora.sh index 3d909efb3..61d43521b 100755 --- a/Shorewall-lite/init.fedora.sh +++ b/Shorewall-lite/init.fedora.sh @@ -25,7 +25,7 @@ # . /usr/share/shorewall/shorewallrc -prog="shorewall-lite" +prog="shorewall -l" shorewall="${SBINDIR}/$prog" logger="logger -i -t $prog" lockfile="/var/lock/subsys/$prog" diff --git a/Shorewall-lite/init.openwrt.sh b/Shorewall-lite/init.openwrt.sh index fe22b304c..5a1bb1c72 100755 --- a/Shorewall-lite/init.openwrt.sh +++ b/Shorewall-lite/init.openwrt.sh @@ -69,7 +69,7 @@ SHOREWALL_INIT_SCRIPT=1 command="$action" start() { - exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STARTOPTIONS + exec ${SBINDIR}/shorewall -l $OPTIONS $command $STARTOPTIONS } boot() { @@ -78,17 +78,17 @@ boot() { } restart() { - exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RESTARTOPTIONS + exec ${SBINDIR}/shorewall -l $OPTIONS $command $RESTARTOPTIONS } reload() { - exec ${SBINDIR}/shorewall-lite $OPTIONS $command $RELOADOPTION + exec ${SBINDIR}/shorewall -l $OPTIONS $command $RELOADOPTION } stop() { - exec ${SBINDIR}/shorewall-lite $OPTIONS $command $STOPOPTIONS + exec ${SBINDIR}/shorewall -l $OPTIONS $command $STOPOPTIONS } status() { - exec ${SBINDIR}/shorewall-lite $OPTIONS $command $@ + exec ${SBINDIR}/shorewall -l $OPTIONS $command $@ } diff --git a/Shorewall-lite/install.sh b/Shorewall-lite/install.sh index c8bffe108..ec4338b43 100755 --- a/Shorewall-lite/install.sh +++ b/Shorewall-lite/install.sh @@ -114,7 +114,7 @@ require() # cd "$(dirname $0)" -if [ -f shorewall-lite ]; then +if [ -f shorewall-lite.service ]; then PRODUCT=shorewall-lite Product="Shorewall Lite" else @@ -331,7 +331,6 @@ if [ -n "$DESTDIR" ]; then OWNERSHIP="" fi - make_directory ${DESTDIR}${SBINDIR} 755 make_directory ${DESTDIR}${INITDIR} 755 else 
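Review bot: In Shorewall-lite/init.fedora.sh, `prog="shorewall -l"` is also used by the context lines below to build `lockfile="/var/lock/subsys/$prog"` and `logger="logger -i -t $prog"`, so the lock file path now contains a space and a `-l` suffix, and the logger tag presumably word-splits into `-t shorewall -l`, handing `-l` to logger as a separate option. Keep the product name for those two uses and put the flag only in the command: `prog="shorewall-lite"` and `shorewall="${SBINDIR}/shorewall -l"`. If `$lockfile` is expanded unquoted elsewhere in the script (outside this hunk), `touch $lockfile` would even create two files. The related `SRWL='/sbin/shorewall -l'` change in Shorewall-lite/init.debian.sh is only correct if every use of `$SRWL` stays unquoted so the shell splits it; a quoted `"$SRWL"` would try to exec a binary literally named `shorewall -l`, which is worth a comment next to the assignment.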
@@ -362,9 +361,9 @@ else fi # -# Check for ${SBINDIR}/$PRODUCT +# Check for ${SHAREDIR}/$PRODUCT/version # -if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then +if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then first_install="" else first_install="Yes" @@ -372,11 +371,8 @@ fi delete_file ${DESTDIR}/usr/share/$PRODUCT/xmodules -install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0544 [ -n "${INITFILE}" ] && make_directory ${DESTDIR}${INITDIR} 755 -echo "$Product control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT" - # # Create ${CONFDIR}/$PRODUCT, /usr/share/$PRODUCT and /var/lib/$PRODUCT if needed # @@ -498,7 +494,7 @@ done if [ -d manpages -a -n "$MANDIR" ]; then cd manpages - mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/ + mkdir -p ${DESTDIR}${MANDIR}/man5/ for f in *.5; do gzip -c $f > $f.gz @@ -506,12 +502,6 @@ if [ -d manpages -a -n "$MANDIR" ]; then echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz" done - for f in *.8; do - gzip -c $f > $f.gz - install_file $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz 644 - echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz" - done - cd .. echo "Man Pages Installed" @@ -539,6 +529,7 @@ fi delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.common delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/lib.cli delete_file ${DESTDIR}${SHAREDIR}/$PRODUCT/wait4ifup +delete_file ${DESTDIR}${SBINDIR}/$PRODUCT # # Note -- not all packages will have the SYSCONFFILE so we need to check for its existance here @@ -555,7 +546,6 @@ fi if [ ${SHAREDIR} != /usr/share ]; then eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SHAREDIR}/${PRODUCT}/lib.base - eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/$PRODUCT fi if [ $configure -eq 1 -a -z "$DESTDIR" -a -n "$first_install" -a -z "${cygwin}${mac}" ]; then diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml deleted file mode 100644 index 9ee27f58d..000000000 
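Review bot: The added `delete_file ${DESTDIR}${SBINDIR}/$PRODUCT` removes the old `shorewall-lite` control program on upgrade, but nothing in this patch leaves a compatibility entry point behind, so local scripts, cron jobs or third-party init files that still invoke `/sbin/shorewall-lite` will fail after the upgrade. Consider installing a one-line wrapper at the old path for a transition release, `exec ${SBINDIR}/shorewall -l "$@"`, or at least having the installer print a notice when it deletes the old file. The same applies to the `delete_file ${DESTDIR}/${SBINDIR}/shorewall6` line added in Shorewall/install.sh.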
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ /dev/null
@@ -1,1657 +0,0 @@ - - - - - shorewall-lite - - 8 - - Administrative Commands - - - - shorewall-lite - - Administration tool for Shoreline Firewall Lite (Shorewall - Lite) - - - - - shorewall-lite - - | - - -options - - - - interface[:host-list] - - zone - - - - shorewall-lite - - | - - -options - - - - address - - - - shorewall-lite - - | - - -options - - - - address - - - - shorewall-lite - - | - - -options - - - - address - - - - shorewall-lite - - | - - -options - - - - - - shorewall-lite - - | - - -options - - - open-number | - sourcedestprotocol - port - - - - - shorewall-lite - - | - - -options - - - - interface[:host-list] - - zone - - - - shorewall-lite - - | - - -options - - - - { interface | - provider } - - - - shorewall-lite - - | - - -options - - - - address - - - - shorewall-lite - - | - - -options - - - - - - - - - - - - - - shorewall-lite - - | - - -options - - - - { interface | - provider } - - - - shorewall-lite - - | - - -options - - - - filename - - - - shorewall-lite - - | - - -options - - - - - - shorewall-lite - - | - - -options - - - - - - shorewall-lite - - | - - -options - - - - - address - mask - - address/vlsm - - - - - shorewall-lite - - | - - -options - - - - address1address2 - - - - shorewall-lite - - | - - -options - - - - iptables match - expression - - - - shorewall-lite - - | - - -options - - - - address - - - - shorewall-lite - - | - - -options - - - - - - refresh-interval - - - - shorewall-lite - - | - - -options - - - - address - - - - shorewall-lite - - | - - -options - - - - iptables match - expression - - - - shorewall-lite - - - source dest - protocol port - - - - - shorewall-lite - - | - - -options - - - - { interface | - provider } - - - - shorewall-lite - - | - - -options - - - - address - - - - shorewall-lite - - | - - -options - - - - - - - - - - shorewall-lite - - | - - -options - - - - - - shorewall-lite - - | - - -options - - - - - - - - - - shorewall-lite - - | - - -options - - - - - - filename - - - - 
shorewall-lite - - | - - -options - - - - function - - parameter ... - - - - shorewall-lite - - | - - -options - - - - filename - - - - shorewall-lite - - | - - -options - - - - - - shorewall-lite - - | - - -options - - - - - - - - - - - {|||} - - chain - - - - shorewall-lite - - | - - -options - - - - - - - - - - shorewall-lite - - | - - -options - - - - - - - - - - shorewall-lite - - | - - -options - - - - - - - - shorewall-lite - - | - - -options - - - - event - - - - shorewall-lite - - | - - -options - - - - - - - - - - shorewall-lite - - | - - -options - - - - - - - - - - shorewall-lite - - | - - -options - - - - - - - - shorewall-lite - - | - - -options - - - - - - - - - - shorewall-lite - - | - - -options - - - - - - - - - - - - - - shorewall-lite - - | - - -options - - - - - - shorewall-lite - - | - - -options - - - - - - shorewall-lite - - | - - -options - - - - - - - Description - - The shorewall-lite utility is used to control the Shoreline Firewall - Lite (Shorewall Lite). - - - - Options - - The and options are - used for debugging. See http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace. - - The nolock prevents the command from - attempting to acquire the Shorewall-lite lockfile. It is useful if you - need to include shorewall commands in the - started extension script. - - The options control the amount of output that - the command produces. They consist of a sequence of the letters v and q. If the - options are omitted, the amount of output is determined by the setting of - the VERBOSITY parameter in shorewall.conf(5). Each v adds one to the effective verbosity and each - q subtracts one from the effective - VERBOSITY. Alternately, v may be followed - immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no - white-space between v and the - VERBOSITY. - - The options may also include the letter - which causes all progress messages to be - timestamped. - - - - Commands - - The available commands are listed below. 
- - - - add { - interface[:host-list]... - zone | zone - host-list } - - - Adds a list of hosts or subnets to a dynamic zone usually used - with VPN's. - - The interface argument names an interface - defined in the shorewall-interfaces(5) - file. A host-list is comma-separated list whose - elements are host or network addresses. - - - The add command is not very robust. If - there are errors in the host-list, you - may see a large number of error messages yet a subsequent - shorewall-lite show zones command will indicate - that all hosts were added. If this happens, replace - add by delete and run the - same command again. Then enter the correct command. - - - - - - allow - address - - - Re-enables receipt of packets from hosts previously - blacklisted by a drop, logdrop, reject, or logreject command. Beginning with Shorewall - 5.0.10, this command can also re-enable addresses blacklisted using - the blacklist command. - - - - - blacklist - address [ option - ... ] - - - Added in Shorewall 5.0.8 and requires - DYNAMIC_BLACKLIST=ipset.. in shorewall.conf(5). - Causes packets from the given host or network - address to be dropped, based on the - setting of BLACKLIST in shorewall.conf(5). The - address along with any - options are passed to the ipset - add command. - - If the option is specified in the - DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY - determines the amount of information displayed: - - - - If the effective verbosity is > 0, then a message - giving the number of conntrack flows deleted by the command is - displayed. - - - - If the effective verbosity is > 1, then the conntrack - table entries deleted by the command are also displayed. - - - - - - - call function [ - parameter ... ] - - - Added in Shorewall 4.6.10. Allows you to call a function in - one of the Shorewall libraries or in your compiled script. function - must name the shell function to be called. The listed parameters are - passed to the function. 
- - The function is first searched for in - lib.base, lib.common and - lib.cli. If it is not found, the call command - is passed to the generated script to be executed. - - - - - clear - [-] - - - Clear will remove all rules and chains installed by - Shorewall-lite. The firewall is then wide open and unprotected. - Existing connections are untouched. Clear is often used to see if - the firewall is causing connection problems. - - If is given, the command will be processed - by the compiled script that executed the last successful start, reload, restart or refresh command if that script exists. - - - - - close { - open-number | - source dest [ - protocol [ port - ] ] } - - - Added in Shorewall 4.5.8. This command closes a temporary open - created by the open command. In the first form, - an open-number specifies the open to be - closed. Open numbers are displayed in the num column of the output of the - shorewall-lite show opens command. - - When the second form of the command is used, the parameters - must match those given in the earlier open - command. - - - - - delete { - interface[:host-list]... - zone | zone - host-list } - - - The delete command reverses the effect of an earlier add command. - - The interface argument names an interface - defined in the shorewall-interfaces(5) - file. A host-list is comma-separated list whose - elements are a host or network address. - - - - - disable { - interface | - provider } - - - Added in Shorewall 4.4.26. Disables the optional provider - associated with the specified interface - or provider. Where more than one provider - share a single network interface, a - provider name must be given. - - - - - drop - address - - - Causes traffic from the listed addresses - to be silently dropped. - - - - - dump [-] - [-] [-] - [-] - - - Produces a verbose report about the firewall configuration for - the purpose of problem analysis. - - The -x option causes actual - packet and byte counts to be displayed. 
Without that option, these - counts are abbreviated. The -m - option causes any MAC addresses included in Shorewall-lite log - messages to be displayed. - - The -l option causes the rule - number for each Netfilter rule to be displayed. - - The option causes the route cache to be - dumped in addition to the other routing information. - - - - - enable { - interface | - provider } - - - Added in Shorewall 4.4.26. Enables the optional provider - associated with the specified interface - or provider. Where more than one provider - share a single network interface, a - provider name must be given. - - - - - forget [ - filename ] - - - Deletes /var/lib/shorewall-lite/filename - and /var/lib/shorewall-lite/save. If no - filename is given then the file specified by - RESTOREFILE in shorewall.conf(5) is - assumed. - - - - - help - - - Displays a syntax summary. - - - - - hits - [-] - - - Generates several reports from Shorewall-lite log messages in - the current log file. If the option is included, - the reports are restricted to log messages generated today. - - - - - ipcalc { address mask | - address/vlsm } - - - Ipcalc displays the network address, broadcast address, - network in CIDR notation and netmask corresponding to the - input[s]. - - - - - iprange - address1-address2 - - - Iprange decomposes the specified range of IP addresses into - the equivalent list of network/host addresses. - - - - - iptrace iptables - match expression - - - This is a low-level debugging command that causes iptables - TRACE log records to be created. See iptables(8) for details. - - The iptables match expression must - be one or more matches that may appear in both the raw table OUTPUT - and raw table PREROUTING chains. - - The trace records are written to the kernel's log buffer with - facility = kernel and priority = warning, and they are routed from - there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) 
-- - Shorewall-lite has no control over where the messages go; consult - your logging daemon's documentation. - - - - - list - - - list is a synonym for - show -- please see below. - - - - - logdrop - address - - - Causes traffic from the listed addresses - to be logged then discarded. Logging occurs at the log level - specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5). - - - - - logwatch [-] - [refresh-interval] - - - Monitors the log file specified by the LOGFILE option in - shorewall.conf(5) and - produces an audible alarm when new Shorewall-lite messages are - logged. The -m option causes the - MAC address of each packet source to be displayed if that - information is available. The - refresh-interval specifies the time in - seconds between screen refreshes. You can enter a negative number by - preceding the number with "--" (e.g., shorewall-lite - logwatch -- -30). In this case, when a packet count - changes, you will be prompted to hit any key to resume screen - refreshes. - - - - - logreject - address - - - Causes traffic from the listed addresses - to be logged then rejected. Logging occurs at the log level - specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf (5). - - - - - ls - - - ls is a synonym for show - -- please see below. - - - - - noiptrace iptables - match expression - - - This is a low-level debugging command that cancels a trace - started by a preceding iptrace command. - - The iptables match expression must - be one given in the iptrace command being - canceled. - - - - - open - source dest [ - protocol [ port - ] ] - - - Added in Shorewall 4.6.8. This command requires that the - firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in - shorewall.conf - (5). The effect of the command is to temporarily open the - firewall for connections matching the parameters. 
- - The source and - dest parameters may each be specified as - all if you don't wish to restrict - the connection source or destination respectively. Otherwise, each - must contain a host or network address or a valid DNS name. - - The protocol may be specified - either as a number or as a name listed in /etc/protocols. The - port may be specified numerically or as a - name listed in /etc/services. - - To reverse the effect of a successful open - command, use the close command with the same - parameters or simply restart the firewall. - - Example: To open the firewall for SSH connections to address - 192.168.1.1, the command would be: - - shorewall-lite open all 192.168.1.1 tcp 22 - - To reverse that command, use: - - shorewall-lite close all 192.168.1.1 tcp 22 - - - - - reenable{ - interface | - provider } - - - Added in Shorewall 4.6.9. This is equivalent to a - disable command followed by an - enable command on the specified - interface or - provider. - - - - - reject - address - - - Causes traffic from the listed addresses - to be silently rejected. - - - - - reload [-n] [-p] - [-] - - - Added in Shorewall 5.0.0, reload is similar to shorewall-lite start except that it assumes - that the firewall is already started. Existing connections are - maintained. - - The option causes Shorewall-lite to avoid - updating the routing table(s). - - The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. - - The option was added in Shorewall 4.6.5. - If the specified (or implicit) firewall script is the one that - generated the current running configuration, then the running - netfilter configuration will be reloaded as is so as to preserve the - iptables packet and byte counters. - - - - - reset [chain, - ...] - - - Resets the packet and byte counters in the specified - chain(s). If no - chain is specified, all the packet and - byte counters in the firewall are reset. 
- - - - - restart [-n] [-p] - [-] - - - Beginning with Shorewall 5.0.0, this command performs a true - restart. The firewall is completely stopped as if a - stop command had been issued then it is started - again. - - The option causes Shorewall-lite to avoid - updating the routing table(s). - - The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. - - The option was added in Shorewall 4.6.5. - If the specified (or implicit) firewall script is the one that - generated the current running configuration, then the running - netfilter configuration will be reloaded as is so as to preserve the - iptables packet and byte counters. - - - - - restore [-] - [-] [-] [ - filename ] - - - Restore Shorewall-lite to a state saved using the shorewall-lite save command. Existing - connections are maintained. The filename names - a restore file in /var/lib/shorewall-lite created using shorewall-lite save; if no - filename is given then Shorewall-lite will be - restored from the file specified by the RESTOREFILE option in shorewall.conf(5). - - - If your iptables ruleset depends on variables that are - detected at run-time, either in your params file or by - Shorewall-generated code, restore will use the - values that were current when the ruleset was saved, which may be - different from the current values. - - - The option causes Shorewall to avoid - updating the routing table(s). - - The option, added in Shorewall 4.6.5, - causes the connection tracking table to be flushed; the - conntrack utility must be installed to use this - option. - - The option was added in Shorewall 4.6.5. - If the option was specified during shorewall save, then the counters saved by - that operation will be restored. - - - - - run - command [ - parameter ... ] - - - Added in Shorewall 4.6.3. Executes - command in the context of the generated - script passing the supplied parameters. 
- Normally, the command will be a function - declared in lib.private. - - Before executing the command, the - script will detect the configuration, setting all SW_* variables and - will run your init extension script with - $COMMAND = 'run'. - - - - - save [-] [ - filename ] - - - The dynamic blacklist is stored in - /var/lib/shorewall-lite/save. The state of the firewall is stored in - /var/lib/shorewall-lite/filename for use by the - shorewall-lite restore. If - filename is not given then the state is saved - in the file specified by the RESTOREFILE option in shorewall.conf(5). - - The option, added in Shorewall 4.6.5, - causes the iptables packet and byte counters to be saved along with - the chains and rules. - - - - - savesets - - - Added in shorewall 4.6.8. Performs the same action as the - stop command with respect to saving ipsets (see - the SAVE_IPSETS option in shorewall.conf (5)). - This command may be used to proactively save your ipset contents in - the event that a system failure occurs prior to issuing a - stop command. - - - - - show - - - The show command can have a number of different - arguments: - - - - bl|blacklists - [-] - - - Added in Shorewall 4.6.2. Displays the dynamic chain - along with any chains produced by entries in - shorewall-blrules(5).The -x - option is passed directly through to iptables and causes - actual packet and byte counts to be displayed. Without this - option, those counts are abbreviated. - - - - - [-] capabilities - - - Displays your kernel/iptables capabilities. The - -f option causes the display - to be formatted as a capabilities file for use with compile -e. - - - - - [-] [-] - [-] [- - {||||}] - [ chain... ] - - - The rules in each chain are - displayed using the iptables - -L chain -n -v command. If no - chain is given, all of the chains in the - filter table are displayed. The -x option is passed directly through to - iptables and causes actual packet and byte counts to be - displayed. 
Without this option, those counts are abbreviated. - The -t option specifies the - Netfilter table to display. The default is filter. - - The -b ('brief') option - causes rules which have not been used (i.e. which have zero - packet and byte counts) to be omitted from the output. Chains - with no rules displayed are also omitted from the - output. - - The -l option causes - the rule number for each Netfilter rule to be - displayed. - - If the t option and the - keyword are both omitted and any of the - listed chains do not exist, a usage - message is displayed. - - - - - classifiers|filters - - - Displays information about the packet classifiers - defined on the system as a result of traffic shaping - configuration. - - - - - config - - - Displays distribution-specific defaults. - - - - - connections - [filter_parameter - ...] - - - Displays the IP connections currently being tracked by - the firewall. - - If the conntrack utility is - installed, beginning with Shorewall 4.6.11 the set of - connections displayed can be limited by including conntrack - filter parameters (-p , -s, --dport, etc). See conntrack(8) - for details. - - - - - event - event - - - Added in Shorewall 4.5.19. Displays the named - event. - - - - - events - - - Added in Shorewall 4.5.19. Displays all events. - - - - - ip - - - Displays the system's IPv4 configuration. - - - - - ipa - - - Added in Shorewall 4.4.17. Displays the per-IP - accounting counters (shorewall-accounting - (5)). - - - - - [-] log - - - Displays the last 20 Shorewall-lite messages from the - log file specified by the LOGFILE option in shorewall.conf(5). The - -m option causes the MAC - address of each packet source to be displayed if that - information is available. - - - - - [-] mangle - - - Displays the Netfilter mangle table using the command - iptables -t mangle -L -n -v. - The -x option is passed - directly through to iptables and causes actual packet and byte - counts to be displayed. 
Without this option, those counts are - abbreviated. - - - - - marks - - - Added in Shorewall 4.4.26. Displays the various fields - in packet marks giving the min and max value (in both decimal - and hex) and the applicable mask (in hex). - - - - - nat - - - Displays the Netfilter nat table using the command - iptables -t nat -L -n -v.The - -x option is passed directly - through to iptables and causes actual packet and byte counts - to be displayed. Without this option, those counts are - abbreviated. - - - - - opens - - - Added in Shorewall 4.5.8. Displays the iptables rules in - the 'dynamic' chain created through use of the open - command.. - - - - - policies - - - Added in Shorewall 4.4.4. Displays the applicable policy - between each pair of zones. Note that implicit intrazone - ACCEPT policies are not displayed for zones associated with a - single network where that network doesn't specify - . - - - - - routing - - - Displays the system's IPv4 routing configuration. The -c - option causes the route cache to be displayed in addition to - the other routing information. - - - - - raw - - - Displays the Netfilter raw table using the command - iptables -t raw -L -n -v.The - -x option is passed directly - through to iptables and causes actual packet and byte counts - to be displayed. Without this option, those counts are - abbreviated. - - - - - tc - - - Displays information about queuing disciplines, classes - and filters. - - - - - zones - - - Displays the current composition of the Shorewall zones - on the system. - - - - - - - - start [-] - [-] [] - [-] - - - Start Shorewall Lite. Existing connections through - shorewall-lite managed interfaces are untouched. New connections - will be allowed only if they are allowed by the firewall rules or - policies. - - The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. 
- - The option prevents the firewall script - from modifying the current routing configuration. - - The option was added in Shorewall 4.6.5. - If the RESTOREFILE named in shorewall.conf(5) exists, is - executable and is not older than the current filewall script, then - that saved configuration is restored. - - The option was added in Shorewall 4.6.5 - and is only meaningful when the option is also - specified. If the previously-saved configuration is restored, and if - the option was also specified in the save command, then the packet and byte - counters will be restored. - - - - - stop - - - Stops the firewall. All existing connections, except those - listed in shorewall-routestopped(5) - or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. - The only new traffic permitted through the firewall is from systems - listed in shorewall-routestopped(5) - or by ADMINISABSENTMINDED. - - If is given, the command will be processed - by the compiled script that executed the last successful start, restart or refresh command if that script exists. - - - - - status - - - Produces a short report about the state of the - Shorewall-configured firewall. - - The option was added in Shorewall 4.6.2 - and causes the status of each optional or provider interface to be - displayed. - - - - - version - - - Displays Shorewall's version. The option - is included for compatibility with earlier Shorewall releases and is - ignored. - - - - - - - EXIT STATUS - - In general, when a command succeeds, status 0 is returned; when the - command fails, a non-zero status is returned. - - The status command returns exit status as - follows: - - 0 - Firewall is started. - - 3 - Firewall is stopped or cleared - - 4 - Unknown state; usually means that the firewall has never been - started. 
- - - - ENVIRONMENT - - Two environmental variables are recognized by Shorewall-lite: - - - - SHOREWALL_INIT_SCRIPT - - - When set to 1, causes Std out to be redirected to the file - specified in the STARTUP_LOG option in shorewall.conf(5). - - - - - SW_LOGGERTAG - - - Added in Shorewall 5.0.8. When set to a non-empty value, that - value is passed to the logger utility in its -t (--tag) - option. - - - - - - - FILES - - /etc/shorewall-lite/ - - - - See ALSO - - http://www.shorewall.net/starting_and_stopping_shorewall.htm - - shorewall-accounting(5), shorewall-actions(5), - shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5), - shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), - shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), - shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), - shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), - shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), - shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), - shorewall-tunnels(5), shorewall-zones(5) - - diff --git a/Shorewall-lite/shorewall-lite b/Shorewall-lite/shorewall-lite deleted file mode 100755 index 2c316bce5..000000000 --- a/Shorewall-lite/shorewall-lite +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/sh -# -# Shorewall Lite Packet Filtering Firewall Control Program - V4.5 -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 - -# Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://www.shorewall.net -# -# This program is part of Shorewall. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by the -# Free Software Foundation, either version 2 of the license or, at your -# option, any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, see . -# -# For a list of supported commands, type 'shorewall help' or 'shorewall6 help' -# -################################################################################################ -PRODUCT=shorewall-lite - -# -# This is modified by the installer when ${SHAREDIR} != /usr/share -# -. /usr/share/shorewall/shorewallrc - -g_basedir=${SHAREDIR}/shorewall - -. ${g_basedir}/lib.cli - -shorewall_cli $@ diff --git a/Shorewall/install.sh b/Shorewall/install.sh index 792cc1369..affd394d9 100755 --- a/Shorewall/install.sh +++ b/Shorewall/install.sh @@ -103,7 +103,7 @@ require() cd "$(dirname $0)" -if [ -f shorewall ]; then +if [ -f shorewall.service ]; then PRODUCT=shorewall Product=Shorewall else @@ -381,9 +381,9 @@ fi echo "Installing $Product Version $VERSION" # -# Check for /sbin/$PRODUCT +# Check for /usr/share/$PRODUCT/version # -if [ -f ${DESTDIR}${SBINDIR}/$PRODUCT ]; then +if [ -f ${DESTDIR}${SHAREDIR}/$PRODUCT/version ]; then first_install="" else first_install="Yes" 
@@ -394,10 +394,6 @@ if [ -z "${DESTDIR}" -a $PRODUCT = shorewall -a ! -f ${SHAREDIR}/$PRODUCT/coreve exit 1 fi -install_file $PRODUCT ${DESTDIR}${SBINDIR}/$PRODUCT 0755 -[ $SHAREDIR = /usr/share ] || eval sed -i \'s\|/usr/share/\|${SHAREDIR}/\|\' ${DESTDIR}${SBINDIR}/${PRODUCT} -echo "$PRODUCT control program installed in ${DESTDIR}${SBINDIR}/$PRODUCT" - # # Install the Firewall Script # @@ -468,6 +464,7 @@ if [ -z "$first_install" ]; then delete_file ${DESTDIR}/usr/share/shorewall6/lib.cli delete_file ${DESTDIR}/usr/share/shorewall6/lib.common delete_file ${DESTDIR}/usr/share/shorewall6/wait4ifup + delete_file ${DESTDIR}/${SBINDIR}/shorewall6 fi delete_file ${DESTDIR}/usr/share/$PRODUCT/prog.header6 @@ -1179,7 +1176,7 @@ if [ -n "$MANDIR" ]; then cd manpages -[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ ${DESTDIR}${MANDIR}/man8/ +[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ for f in *.5; do gzip -9c $f > $f.gz @@ -1187,11 +1184,15 @@ for f in *.5; do echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man5/$f.gz" done -for f in *.8; do - gzip -9c $f > $f.gz - run_install $INSTALLD -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz - echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz" -done +if [ $PRODUCT = shorewall ]; then + [ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man5/ + + for f in *.8; do + gzip -9c $f > $f.gz + run_install $INSTALLD -m 0644 $f.gz ${DESTDIR}${MANDIR}/man8/$f.gz + echo "Man page $f.gz installed to ${DESTDIR}${MANDIR}/man8/$f.gz" + done +fi cd .. diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std index a5eb14815..9a4c934bb 100644 --- a/Shorewall/lib.cli-std +++ b/Shorewall/lib.cli-std 
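Review bot: The `mkdir -p` inside the new `if [ $PRODUCT = shorewall ]` block creates `man5/` a second time instead of `man8/`, so the `run_install ... ${DESTDIR}${MANDIR}/man8/$f.gz` that follows has no target directory unless `$INSTALLD` is set or run_install creates parents itself (its definition is outside this hunk). The earlier `mkdir -p` lost `man8/` in the same commit, so nothing creates it any more; the inner line should read `[ -n "$INSTALLD" ] || mkdir -p ${DESTDIR}${MANDIR}/man8/`. Separately, the added `delete_file ${DESTDIR}/${SBINDIR}/shorewall6` in the upgrade hunk writes `${DESTDIR}/${SBINDIR}` where the rest of the file uses `${DESTDIR}${SBINDIR}`; with an absolute SBINDIR this only yields a double slash, but it is inconsistent with the neighbouring delete_file lines.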
@@ -48,10 +48,10 @@ get_config() { fi if [ "$(id -u)" -eq 0 ]; then - config=$(find_file $g_program.conf) + config=$(find_file ${PRODUCT}.conf) else - [ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration" - config="$g_shorewalldir/$g_program.conf" + [ -n "$g_shorewalldir" ] || fatal_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration" + config="$g_shorewalldir/$PRODUCT.conf" fi if [ -f $config ]; then @@ -155,7 +155,7 @@ get_config() { if [ "$2" = Yes ]; then case $STARTUP_ENABLED in No|no|NO) - not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${g_program}.conf" + not_configured_error "$g_product startup is disabled. To enable startup, set STARTUP_ENABLED=Yes in ${g_confdir}/${PRODUCT}.conf" ;; Yes|yes|YES) ;; @@ -397,8 +397,8 @@ compiler() { pc=${LIBEXECDIR}/shorewall/compiler.pl if [ $(id -u) -ne 0 ]; then - if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$g_program ]; then - startup_error "Ordinary users may not $COMMAND the $CONFDIR/$g_program configuration" + if [ -z "$g_shorewalldir" -o "$g_shorewalldir" = $CONFDIR/$PRODUCT ]; then + startup_error "Ordinary users may not $COMMAND the $CONFDIR/$PRODUCT configuration" fi fi # @@ -1419,6 +1419,7 @@ remote_reload_command() # $* = original arguments less the command. sharedir=${SHAREDIR} local litedir local exitstatus + local program while [ $finished -eq 0 -a $# -gt 0 ]; do option=$1 
@@ -1495,12 +1496,17 @@ remote_reload_command() # $* = original arguments less the command. sbindir="$SBINDIR" confdir="$CONFDIR" libexec="$LIBEXECDIR" + litedir="${VARDIR}-lite" . $sharedir/shorewall/shorewallrc else - error_message " WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $SHAREDIR/shorewall" >&2 + error_message " WARNING: $g_shorewalldir/shorewallrc does not exist; using settings from $g_basedir/shorewalrc" >&2 + sbindir="$SBINDIR" + confdir="$CONFDIR" + libexec="$LIBEXECDIR" + litedir="${VARDIR}-lite" fi - if [ -f $g_shorewalldir/${g_program}.conf ]; then + if [ -f $g_shorewalldir/${PRODUCT}.conf ]; then if [ -f $g_shorewalldir/params ]; then . $g_shorewalldir/params fi @@ -1516,7 +1522,7 @@ remote_reload_command() # $* = original arguments less the command. [ -n "$system" ] || fatal_error "No system name given and the FIREWALL option is not set" fi else - fatal_error "$g_shorewalldir/$g_program.conf does not exist" + fatal_error "$g_shorewalldir/$PRODUCT.conf does not exist" fi if [ -z "$getcaps" ]; then @@ -1540,13 +1546,23 @@ remote_reload_command() # $* = original arguments less the command. file=$(resolve_file $g_shorewalldir/firewall) g_export=Yes + # + # Determine the remote CLI program + # + temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null) - temp=$(rsh_command ${g_program}-lite show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') - + if [ -n "$temp" ]; then + program=$sbindir/${PRODUCT}-lite + else + program="$sbindir/shorewall $g_options" + fi + # + # Handle nonstandard remote VARDIR + # + temp=$(rsh_command $program show config 2> /dev/null | grep ^LITEDIR | sed 's/LITEDIR is //') + [ -n "$temp" ] && litedir="$temp" - [ -n "$litedir" ] || litedir=${VARLIB}/${g_program}-lite - g_file="$g_shorewalldir/firewall" exitstatus=0 
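Review bot: The remote CLI probe `temp=$(rsh_command /bin/ls $sbindir/${PRODUCT}-lite 2> /dev/null)` decides by whether `ls` printed anything, so a remote where `ls` is not at `/bin/ls`, or where the file exists but is not executable, is misclassified, and every failure is silently turned into the `$sbindir/shorewall $g_options` fallback. The rest of the hunk already relies on rsh_command's exit status (`if rsh_command "..."`), so probing the executable directly is clearer: `if rsh_command "test -x $sbindir/${PRODUCT}-lite" 2> /dev/null; then program=$sbindir/${PRODUCT}-lite`. In the first branch `litedir="${VARDIR}-lite"` is assigned before `. $sharedir/shorewall/shorewallrc` runs, so a VARDIR set by that rc file is not reflected in litedir; assigning it after the source avoids a stale default. The new WARNING text also misspells the file name, `$g_basedir/shorewalrc` should read `$g_basedir/shorewallrc`. remote_reload_command continues outside these hunks.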
@@ -1557,30 +1573,29 @@ remote_reload_command() # $* = original arguments less the command. save=$(find_file save); if [ -f $save ]; then - progress_message3 "Copying $save to ${system}:${confdir}/${g_program}-lite/" - rcp_command $save ${confdir}/shorewall-lite/ + progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/" + rcp_command $save ${confdir}/$PRODUCT/ exitstatus=$? fi if [ $exitstatus -eq 0 ]; then - progress_message3 "Copy complete" if [ $COMMAND = remote-reload ]; then - if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp reload"; then + if rsh_command "$program $g_debugging $verbose $timestamp reload"; then progress_message3 "System $system reloaded" else exitstatus=$? savit= fi elif [ $COMMAND = remote-restart ]; then - if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp restart"; then + if rsh_command "$program $g_debugging $verbose $timestamp restart"; then progress_message3 "System $system restarted" else exitstatus=$? saveit= fi - elif rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp start"; then + elif rsh_command "$program $g_debugging $verbose $timestamp start"; then progress_message3 "System $system started" else exitstatus=$? @@ -1588,7 +1603,7 @@ remote_reload_command() # $* = original arguments less the command. fi if [ -n "$saveit" ]; then - if rsh_command "${sbindir}/${g_program}-lite $g_debugging $verbose $timestamp save"; then + if rsh_command "$program $g_debugging $verbose $timestamp save"; then progress_message3 "Configuration on system $system saved" else exitstatus=$? @@ -1653,7 +1668,7 @@ export_command() # $* = original arguments less the command. target=$2 ;; *) - fatal_error "Invalid command syntax (\"man $g_program\" for help)" + fatal_error "Invalid command syntax (\"man shorewall\" for help)" ;; esac diff --git a/Shorewall6-lite/init.debian.sh b/Shorewall6-lite/init.debian.sh index 4b5504189..1336daa1e 100755 
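Review bot: The progress message and the copy destination disagree: `progress_message3 "Copying $save to ${system}:${confdir}/${PRODUCT}-lite/"` announces the lite configuration directory, but the next line copies to `rcp_command $save ${confdir}/$PRODUCT/`, which for PRODUCT=shorewall is the full-product directory that a lite remote would presumably not read. If the lite directory is intended, the copy should be `rcp_command $save ${confdir}/${PRODUCT}-lite/`; if not, the message should say where the file actually goes. The context line `savit=` in the remote-reload failure branch is a pre-existing typo for `saveit=`, so a failed reload still runs the later `save` step; since this hunk rewrites that branch it is a cheap fix to fold in. The firewall-script copy that precedes this hunk and the remainder of remote_reload_command are outside the visible lines.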
--- a/Shorewall6-lite/init.debian.sh +++ b/Shorewall6-lite/init.debian.sh @@ -13,7 +13,7 @@ . /lib/lsb/init-functions -SRWL=/sbin/shorewall6-lite +SRWL='/sbin/shorewall6-lite -6' SRWL_OPTS="-tvv" test -n ${INITLOG:=/var/log/shorewall6-lite-init.log} diff --git a/Shorewall6-lite/init.fedora.sh b/Shorewall6-lite/init.fedora.sh index 0ba303a04..192c6e67f 100755 --- a/Shorewall6-lite/init.fedora.sh +++ b/Shorewall6-lite/init.fedora.sh @@ -25,7 +25,7 @@ # . /usr/share/shorewall/shorewallrc -prog="shorewall6-lite" +prog="shorewall -6l" shorewall="${SBINDIR}/$prog" logger="logger -i -t $prog" lockfile="/var/lock/subsys/$prog" diff --git a/Shorewall6-lite/init.openwrt.sh b/Shorewall6-lite/init.openwrt.sh index 9c1e7914a..639a44727 100755 --- a/Shorewall6-lite/init.openwrt.sh +++ b/Shorewall6-lite/init.openwrt.sh @@ -79,17 +79,17 @@ boot() { } restart() { - exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RESTARTOPTIONS + exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RESTARTOPTIONS } reload() { - exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $RELOADOPTION + exec ${SBINDIR}/shorewall -6l $OPTIONS $command $RELOADOPTION } stop() { - exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $STOPOPTIONS + exec ${SBINDIR}/shorewall -6l $OPTIONS $command $STOPOPTIONS } status() { - exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@ + exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@ } diff --git a/Shorewall6-lite/init.sh b/Shorewall6-lite/init.sh index 948bffa40..63ad382e6 100755 --- a/Shorewall6-lite/init.sh +++ b/Shorewall6-lite/init.sh 
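Review bot: `SRWL='/sbin/shorewall6-lite -6'` still points at the shorewall6-lite wrapper, which this same commit deletes (Shorewall6-lite/shorewall6-lite is removed further down), while every other Shorewall6-lite init script in the commit switches to `${SBINDIR}/shorewall -6l`. On Debian the init script would then fail to find its program at boot, leaving the host without its IPv6 ruleset. The line should presumably read `SRWL='/sbin/shorewall -6l'`, matching init.fedora.sh and init.openwrt.sh; the code that invokes $SRWL is outside the hunk.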
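Review bot: `prog="shorewall -6l"` is no longer a bare program name, yet the unchanged context lines derive `lockfile="/var/lock/subsys/$prog"` and `logger="logger -i -t $prog"` from it, so the lockfile path becomes `/var/lock/subsys/shorewall -6l` and the unquoted `$prog` hands logger a stray `-6l` argument after the tag. Wherever the script later uses `$lockfile` unquoted (outside this hunk), the embedded space will split it into two words. Keeping the invocation and the name separate avoids this, e.g. `prog="shorewall6-lite"` / `shorewall="${SBINDIR}/shorewall -6l"`, so the lockfile and logger tag stay single tokens. Shorewall6/init.fedora.sh later in this diff (`prog="shorewall -6"`) has the same problem.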
@@ -76,13 +76,13 @@ command="$1" case "$command" in start) - exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS + exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS ;; restart|reload) - exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS + exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS ;; status|stop) - exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@ + exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@ ;; *) usage diff --git a/Shorewall6-lite/init.suse.sh b/Shorewall6-lite/init.suse.sh index f9764f6d1..4cb2de490 100644 --- a/Shorewall6-lite/init.suse.sh +++ b/Shorewall6-lite/init.suse.sh @@ -73,13 +73,13 @@ command="$1" case "$command" in start) - exec ${SBINDIR}/shorewall6-lite $OPTIONS start $STARTOPTIONS + exec ${SBINDIR}/shorewall -6l $OPTIONS start $STARTOPTIONS ;; restart|reload) - exec ${SBINDIR}/shorewall6-lite $OPTIONS restart $RESTARTOPTIONS + exec ${SBINDIR}/shorewall -6l $OPTIONS restart $RESTARTOPTIONS ;; status|stop) - exec ${SBINDIR}/shorewall6-lite $OPTIONS $command $@ + exec ${SBINDIR}/shorewall -6l $OPTIONS $command $@ ;; *) usage diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml deleted file mode 100644 index c44b5bd92..000000000 --- a/Shorewall6-lite/manpages/shorewall6-lite.xml +++ /dev/null 
@@ -1,1614 +0,0 @@ - - - - - shorewall6-lite - - 8 - - Administrative Commands - - - - shorewall6-lite - - Administration tool for Shoreline 6 Firewall Lite (Shorewall6 - Lite) - - - - - shorewall6-lite - - | - - -options - - - - interface[:host-list] - - zone - - - - shorewall6-lite - - | - - -options - - - - address - - - - shorewall6-lite - - | - - -options - - - - address - - - - shorewall6-lite - - | - - -options - - - - functionparameter - ... - - - - shorewall6-lite - - | - - -options - - - - - - shorewall6-lite - - | - - -options - - - open-number | - sourcedestprotocol - port - - - - - shorewall6-lite - - | - - -options - - - source dest - protocol port - - - - - shorewall6-lite - - | - - -options - - - - interface[:host-list] - - zone - - - - shorewall6-lite - - | - - -options - - - - { interface | - provider } - - - - shorewall6-lite - - | - - -options - - - - address - - - - shorewall6-lite - - | - - -options - - - - - - - - - - - - - - shorewall6-lite - - | - - -options - - - - { interface | - provider } - - - - shorewall6-lite - - | - - -options - - - - filename - - - - shorewall6-lite - - | - - -options - - - - - - shorewall6-lite - - | - - -options - - - - - - shorewall6-lite - - | - - -options - - - - iptables match - expression - - - - shorewall6-lite - - | - - -options - - - - address - - - - shorewall6-lite - - | - - -options - - - - - - refresh-interval - - - - shorewall6-lite - - | - - -options - - - - address - - - - shorewall6-lite - - | - - -options - - - - iptables match - expression - - - - shorewall6-lite - - | - - -options - - - source dest - protocol port - - - - - shorewall6-lite - - | - - -options - - - - { interface | - provider } - - - - shorewall6-lite - - | - - -options - - - - address - - - - shorewall6-lite - - | - - -options - - - - - - shorewall6-lite - - | - - -options - - - - - - - - - - - - shorewall6-lite - - | - - -options - - - - - - filename - - - - shorewall6-lite - - | - - -options - - - - command - - parameter ... 
- - - - shorewall6-lite - - | - - -options - - - - - - filename - - - - shorewall6-lite - - | - - -options - - - - - - shorewall6-lite - - | - - -options - - - - - - - - - - - {|||} - - chain - - - - shorewall6-lite - - | - - -options - - - - - - - - - - shorewall6-lite - - | - - -options - - - - - - - - - - shorewall6-lite - - | - - -options - - - - - - - - shorewall6-lite - - | - - -options - - - - event - - - - shorewall6-lite - - | - - -options - - - - - - - - - - shorewall6-lite - - | - - -options - - - - - - - - - - shorewall6-lite - - | - - -options - - - - - - - - shorewall6-lite - - | - - -options - - - - - - - - - - shorewall6-lite - - | - - -options - - - - - - - - - - - - - - shorewall6-lite - - | - - -options - - - - - - shorewall6-lite - - | - - -options - - - - - - shorewall6-lite - - | - - -options - - - - - - - Description - - The shorewall6-lite utility is used to control the Shoreline - Firewall Lite (Shorewall Lite). - - - - Options - - The and options are - used for debugging. See http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace. - - The option prevents the command from - attempting to acquire the shorewall6-lite lockfile. It is useful if you - need to include shorewall commands in the - started extension script. - - The options control the amount of output that - the command produces. They consist of a sequence of the letters v and q. If the - options are omitted, the amount of output is determined by the setting of - the VERBOSITY parameter in shorewall6.conf(5). Each v adds one to the effective verbosity and each - q subtracts one from the effective - VERBOSITY. Alternately, v may be followed - immediately with one of -1,0,1,2 to specify VERBOSITY. There may be no - white-space between v and the - VERBOSITY. - - The options may also include the letter - which causes all progress messages to be - timestamped. - - - - Commands - - The available commands are listed below. - - - - add { - interface[:host-list]... 
- zone | zone - host-list } - - - Adds a list of hosts or subnets to a dynamic zone usually used - with VPN's. - - The interface argument names an - interface defined in the shorewall-interfaces(5) - file. A host-list is comma-separated list - whose elements are host or network addresses. - - - The add command is not very robust. If - there are errors in the host-list, you - may see a large number of error messages yet a subsequent - shorewall6-lite show zones command will - indicate that all hosts were added. If this happens, replace - add by delete and run the - same command again. Then enter the correct command. - - - - - - allow - address - - - Re-enables receipt of packets from hosts previously - blacklisted by a drop, - logdrop, reject, or - logreject command. Beginning with Shorewall - 5.0.10, this command can also re-enable addresses blacklisted using - the blacklist command. - - - - - blacklist - address [ option - ... ] - - - Added in Shorewall 5.0.8 and requires - DYNAMIC_BLACKLIST=ipset.. in shorewall6.conf(5). - Causes packets from the given host or network - address to be dropped, based on the - setting of BLACKLIST in shorewall6.conf(5). - The address along with any - options are passed to the ipset - add command. - - If the option is specified in the - DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY - determines the amount of information displayed: - - - - If the effective verbosity is > 0, then a message - giving the number of conntrack flows deleted by the command is - displayed. - - - - If the effective verbosity is > 1, then the conntrack - table entries deleted by the command are also displayed. - - - - - - - call function [ - parameter ... ] - - - Added in Shorewall 4.6.10. Allows you to call a function in - one of the Shorewall libraries or in your compiled script. function - must name the shell function to be called. The listed parameters are - passed to the function. 
- - The function is first searched for in - lib.base, lib.common and - lib.cli. If it is not found, the call command - is passed to the generated script to be executed. - - - - - clear - [-] - - - Clear will remove all rules and chains installed by - shorewall6-lite. The firewall is then wide open and unprotected. - Existing connections are untouched. Clear is often used to see if - the firewall is causing connection problems. - - If is given, the command will be processed - by the compiled script that executed the last successful - start, reload, restart or refresh command - if that script exists. - - - - - close { - open-number | - source dest [ - protocol [ port - ] ] } - - - Added in Shorewall 4.5.8. This command closes a temporary open - created by the open command. In the first form, - an open-number specifies the open to be - closed. Open numbers are displayed in the num column of the output of the - shorewall6-lite show opens command. - - When the second form of the command is used, the parameters - must match those given in the earlier open - command. - - - - - delete { - interface[:host-list]... - zone | zone - host-list } - - - The delete command reverses the effect of an earlier - add command. - - The interface argument names an - interface defined in the shorewall-interfaces(5) - file. A host-list is comma-separated list - whose elements are a host or network address. - - - - - disable { - interface | - provider } - - - Added in Shorewall 4.4.26. Disables the optional provider - associated with the specified interface - or provider. Where more than one provider - share a single network interface, a - provider name must be given. - - - - - drop - address - - - Causes traffic from the listed - addresses to be silently dropped. - - - - - dump [-] - [-] [-] - [-] - - - Produces a verbose report about the firewall configuration for - the purpose of problem analysis. - - The option causes actual packet and byte - counts to be displayed. 
Without that option, these counts are - abbreviated. - - The option causes any MAC addresses - included in shorewall6-lite log messages to be displayed. - - The option causes the rule number for each - Netfilter rule to be displayed. - - The option causes the route cache to be - dumped in addition to the other routing information. - - - - - enable { - interface | - provider } - - - Added in Shorewall 4.4.26. Enables the optional provider - associated with the specified interface - or provider. Where more than one provider - share a single network interface, a - provider name must be given. - - - - - forget [ - filename ] - - - Deletes - /var/lib/shorewall6-lite/filename - and /var/lib/shorewall6-lite/save. If no - filename is given then the file specified - by RESTOREFILE in shorewall6.conf(5) is - assumed. - - - - - help - - - Displays a syntax summary. - - - - - hits - - - Generates several reports from shorewall6-lite log messages in - the current log file. If the option is included, - the reports are restricted to log messages generated today. - - - - - iptrace ip6tables - match expression - - - This is a low-level debugging command that causes iptables - TRACE log records to be created. See iptables(8) for details. - - The iptables match expression must - be one or more matches that may appear in both the raw table OUTPUT - and raw table PREROUTING chains. - - The trace records are written to the kernel's log buffer with - facility = kernel and priority = warning, and they are routed from - there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) -- - shorewall6-lite has no control over where the messages go; consult - your logging daemon's documentation. - - - - - list - - - list is a synonym for - show -- please see below. - - - - - logdrop - address - - - Causes traffic from the listed - addresses to be logged then discarded. - Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL - setting in shorewall6.conf - (5). 
- - - - - logwatch [-] - [refresh-interval] - - - Monitors the log file specified by the LOGFILE option in - shorewall6.conf(5) and - produces an audible alarm when new shorewall6-lite messages are - logged. - - The option causes the MAC address of each - packet source to be displayed if that information is - available. - - The refresh-interval specifies the - time in seconds between screen refreshes. You can enter a negative - number by preceding the number with "--" (e.g., - shorewall6-lite logwatch -- -30). In this case, - when a packet count changes, you will be prompted to hit any key to - resume screen refreshes. - - - - - logreject - address - - - Causes traffic from the listed - addresses to be logged then rejected. - Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL - setting in shorewall6.conf - (5). - - - - - ls - - - ls is a synonym for show - -- please see below. - - - - - noiptrace - ip6tables match - expression - - - This is a low-level debugging command that cancels a trace - started by a preceding iptrace command. - - The ip6tables match expression must - be one given in the iptrace command being - canceled. - - - - - open - source dest [ - protocol [ port - ] ] - - - Added in Shorewall 4.6.8. This command requires that the - firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in - shorewall6.conf - (5). The effect of the command is to temporarily open the - firewall for connections matching the parameters. - - The source and - dest parameters may each be specified as - all if you don't wish to restrict - the connection source or destination respectively. Otherwise, each - must contain a host or network address or a valid DNS name. - - The protocol may be specified - either as a number or as a name listed in /etc/protocols. The - port may be specified numerically or as a - name listed in /etc/services. 
- - To reverse the effect of a successful open - command, use the close command with the same - parameters or simply restart the firewall. - - Example: To open the firewall for SSH connections to address - 2001:470:b:227::1, the command would be: - - shorewall6-lite open all 2001:470:b:227::1 tcp 22 - - To reverse that command, use: - - shorewall6-lite close all 2001:470:b:227::1 tcp 22 - - - - - reenable{ - interface | - provider } - - - Added in Shorewall 4.6.9. This is equivalent to a - disable command followed by an - enable command on the specified - interface or - provider. - - - - - reject - address - - - Causes traffic from the listed addresses - to be silently rejected. - - - - - reload [-n] [-p] - [-] - - - Added in Shorewall 5.0.0, reload is similar to shorewall6-lite - start except that it assumes that the firewall is already - started. Existing connections are maintained. - - The option causes shorewall6-lite to avoid - updating the routing table(s). - - The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. - - The option was added in Shorewall 4.6.5. - If the specified (or implicit) firewall script is the one that - generated the current running configuration, then the running - netfilter configuration will be reloaded as is so as to preserve the - iptables packet and byte counters. - - - - - reset [chain, - ...] - - - Resets the packet and byte counters in the specified - chain(s). If no - chain is specified, all the packet and - byte counters in the firewall are reset. - - - - - restart [-n] [-p] - [-] - - - Beginning with Shorewall 5.0.0, this command performs a true - restart. The firewall is completely stopped as if a - stop command had been issued then it is started - again. - - The option causes shorewall6-lite to avoid - updating the routing table(s). 
- - The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. - - The option was added in Shorewall 4.6.5. - If the specified (or implicit) firewall script is the one that - generated the current running configuration, then the running - netfilter configuration will be reloaded as is so as to preserve the - iptables packet and byte counters. - - - - - restore [-] - [-] [-] [ - filename ] - - - Restore shorewall6-lite to a state saved using the - shorewall6-lite save command. Existing - connections are maintained. The filename - names a restore file in /var/lib/shorewall6-lite created using - shorewall6-lite save; if no - filename is given then shorewall6-lite - will be restored from the file specified by the RESTOREFILE option - in shorewall6.conf(5). - - - If your ip6tables ruleset depends on variables that are - detected at run-time, either in your params file or by - Shorewall-generated code, restore will use the - values that were current when the ruleset was saved, which may be - different from the current values. - - - The option was added in Shorewall 4.6.5. - If the option was specified during - shorewall7-lite save, then the counters saved by - that operation will be restored. - - - - - run - command [ - parameter ... ] - - - Added in Shorewall 4.6.3. Executes - command in the context of the generated - script passing the supplied parameters. - Normally, the command will be a function - declared in lib.private. - - Before executing the command, the script will detect the - configuration, setting all SW_* variables and will run your - init extension script with $COMMAND = - 'run'. - - - - - save [-] [ - filename ] - - - The dynamic blacklist is stored in - /var/lib/shorewall6-lite/save. The state of the - firewall is stored in - /var/lib/shorewall6-lite/filename - for use by the shorewall6-lite restore command. 
- If filename is not given then the state - is saved in the file specified by the RESTOREFILE option in shorewall6.conf(5). - - The option, added in Shorewall 4.6.5, - causes the ip6tables packet and byte counters to be saved along with - the chains and rules. - - - - - savesets - - - Added in shorewall 4.6.8. Performs the same action as the - stop command with respect to saving ipsets (see - the SAVE_IPSETS option in shorewall6.conf (5)). - This command may be used to proactively save your ipset contents in - the event that a system failure occurs prior to issuing a - stop command. - - - - - show - - - The show command can have a number of different - arguments: - - - - [-] bl|blacklists - - - Added in Shorewall 4.6.2. Displays the dynamic chain - along with any chains produced by entries in - shorewall6-blrules(5).The option is passed - directly through to ip6tables and causes actual packet and - byte counts to be displayed. Without this option, those counts - are abbreviated. - - - - - [-] capabilities - - - Displays your kernel/iptables capabilities. The - option causes the display to be formatted - as a capabilities file for use with compile - -e. - - - - - [-] [-] - [-] [- - {||||}][ - chain... ] - - - The rules in each chain are - displayed using the iptables - -L chain -n -v command. If no - chain is given, all of the chains in the - filter table are displayed. - - The option is passed directly - through to iptables and causes actual packet and byte counts - to be displayed. Without this option, those counts are - abbreviated. - - The option specifies the Netfilter - table to display. The default is filter. - - The ('brief') option causes rules - which have not been used (i.e. which have zero packet and byte - counts) to be omitted from the output. Chains with no rules - displayed are also omitted from the output. - - The option causes the rule number - for each Netfilter rule to be displayed. 
- - If the option and the - keyword are both omitted and any of the - listed chains do not exist, a usage - message is displayed. - - - - - classifiers|filters - - - Displays information about the packet classifiers - defined on the system as a result of traffic shaping - configuration. - - - - - config - - - Displays distribution-specific defaults. - - - - - connections - [filter_parameter - ...] - - - Displays the IP connections currently being tracked by - the firewall. - - If the conntrack utility is - installed, beginning with Shorewall 4.6.11 the set of - connections displayed can be limited by including conntrack - filter parameters (-p , -s, --dport, etc). See conntrack(8) - for details. - - - - - event - event - - - Added in Shorewall 4.5.19. Displays the named - event. - - - - - events - - - Added in Shorewall 4.5.19. Displays all events. - - - - - ip - - - Displays the system's IPv4 configuration. - - - - - ipa - - - Added in Shorewall 4.4.17. Displays the per-IP - accounting counters (shorewall-accounting - (5)). - - - - - [-] log - - - Displays the last 20 shorewall6-lite messages from the - log file specified by the LOGFILE option in shorewall6.conf(5). - - The option causes the MAC address of - each packet source to be displayed if that information is - available. - - - - - [-] mangle - - - Displays the Netfilter mangle table using the command - ip6tables -t mangle -L -n -v.The - option is passed directly through to - ip6tables and causes actual packet and byte counts to be - displayed. Without this option, those counts are - abbreviated. - - - - - marks - - - Added in Shorewall 4.4.26. Displays the various fields - in packet marks giving the min and max value (in both decimal - and hex) and the applicable mask (in hex). - - - - - opens - - - Added in Shorewall 4.5.8. Displays the iptables rules in - the 'dynamic' chain created through use of the open - command.. 
- - - - - [-] nat - - - Displays the Netfilter nat table using the command - ip6tables -t nat -L -n -v.The - option is passed directly through to - iptables and causes actual packet and byte counts to be - displayed. Without this option, those counts are - abbreviated. - - - - - policies - - - Added in Shorewall 4.4.4. Displays the applicable policy - between each pair of zones. Note that implicit intrazone - ACCEPT policies are not displayed for zones associated with a - single network where that network doesn't specify - . - - - - - [-] raw - - - Displays the Netfilter raw table using the command - iptables -t raw -L -n -v.The - option is passed directly through to - iptables and causes actual packet and byte counts to be - displayed. Without this option, those counts are - abbreviated. - - - - - [-] - routing - - - Displays the system's IPv4 routing configuration. The -c - option causes the route cache to be displayed in addition to - the other routing information. - - - - - tc - - - Displays information about queuing disciplines, classes - and filters. - - - - - zones - - - Displays the current composition of the Shorewall zones - on the system. - - - - - - - - start [-] - [-] [] - [-] - - - Start Shorewall6 Lite. Existing connections through - shorewall6-lite managed interfaces are untouched. New connections - will be allowed only if they are allowed by the firewall rules or - policies. - - The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. - - The option prevents the firewall script - from modifying the current routing configuration. - - The option was added in Shorewall 4.6.5. - If the RESTOREFILE named in shorewall.conf(5) exists, is - executable and is not older than the current filewall script, then - that saved configuration is restored. - - The option was added in Shorewall 4.6.5 - and is only meaningful when the option is also - specified. 
If the previously-saved configuration is restored, and if - the option was also specified in the - save command, then the packet and byte counters - will be restored. - - - - - stop - [-] - - - Stops the firewall. All existing connections, except those - listed in shorewall-routestopped(5) - or permitted by the ADMINISABSENTMINDED option in shorewall6.conf(5), are taken - down. The only new traffic permitted through the firewall is from - systems listed in shorewall-routestopped(5) - or by ADMINISABSENTMINDED. - - If is given, the command will be processed - by the compiled script that executed the last successful - start, restart or - refresh command if that script exists. - - - - - status - - - Produces a short report about the state of the - Shorewall-configured firewall. - - The option was added in Shorewall 4.6.2 - and causes the status of each optional or provider interface to be - displayed. - - - - - version - [-] - - - Displays Shorewall's version. The option - is included for compatibility with earlier Shorewall releases and is - ignored. - - - - - - - EXIT STATUS - - In general, when a command succeeds, status 0 is returned; when the - command fails, a non-zero status is returned. - - The status command returns exit status as - follows: - - 0 - Firewall is started. - - 3 - Firewall is stopped or cleared - - 4 - Unknown state; usually means that the firewall has never been - started. - - - - ENVIRONMENT - - Two environmental variables are recognized by - Shorewall6-lite: - - - - SHOREWALL_INIT_SCRIPT - - - When set to 1, causes Std out to be redirected to the file - specified in the STARTUP_LOG option in shorewall6.conf(5). - - - - - SW_LOGGERTAG - - - Added in Shorewall 5.0.8. When set to a non-empty value, that - value is passed to the logger utility in its -t (--tag) - option. 
- - - - - - - See ALSO - - http://www.shorewall.net/starting_and_stopping_shorewall.htm - - shorewall6-accounting(5), shorewall6-actions(5), - shorewall6-blacklist(5), shorewall6-hosts(5), shorewall_interfaces(5), - shorewall6-ipsets(5), shorewall6-maclist(5), shorewall6-masq(5), - shorewall6-netmap(5), shorewall6-params(5), shorewall6-policy(5), - shorewall6-providers(5), shorewall6-proxyarp(5), shorewall6-rtrules(5), - shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), - shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), - shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), - shorewall6-zones(5) - - diff --git a/Shorewall6-lite/shorewall6-lite b/Shorewall6-lite/shorewall6-lite deleted file mode 100755 index 286e7d746..000000000 --- a/Shorewall6-lite/shorewall6-lite +++ /dev/null 
@@ -1,39 +0,0 @@ -#!/bin/sh -# -# Shorewall6 Lite Packet Filtering Firewall Control Program - V4.5 -# -# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011, 2012-2014 -# Tom Eastep (teastep@shorewall.net) -# -# Shorewall documentation is available at http://www.shorewall.net -# -# This program is part of Shorewall. -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by the -# Free Software Foundation, either version 2 of the license or, at your -# option, any later version. -# -# This program is distributed in the hope that it will be useful, -# but WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -# GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, see . -# -# For a list of supported commands, type 'shorewall help' or 'shorewall6 help' -# -################################################################################################ -PRODUCT=shorewall6-lite - -# -# This is modified by the installer when ${SHAREDIR} != /usr/share -# -. /usr/share/shorewall/shorewallrc - -g_basedir=${SHAREDIR}/shorewall - -. ${g_basedir}/lib.cli - -shorewall_cli $@ diff --git a/Shorewall6-lite/shorewall6-lite.service b/Shorewall6-lite/shorewall6-lite.service index 151bb2d5c..236fcead7 100644 --- a/Shorewall6-lite/shorewall6-lite.service +++ b/Shorewall6-lite/shorewall6-lite.service 
@@ -14,8 +14,9 @@ Type=oneshot RemainAfterExit=yes EnvironmentFile=-/etc/sysconfig/shorewall6-lite StandardOutput=syslog -ExecStart=/sbin/shorewall6-lite $OPTIONS start $STARTOPTIONS -ExecStop=/sbin/shorewall6-lite $OPTIONS stop +ExecStart=/sbin/shorewal -6l $OPTIONS start $STARTOPTIONS +ExecStop=/sbin/shorewall -6l $OPTIONS stop +ExecReload=/sbin/shorewall -6l $OPTIONS reload $RELOADOPTIONS [Install] WantedBy=basic.target diff --git a/Shorewall6/init.debian.sh b/Shorewall6/init.debian.sh index 3f22365ab..e27475351 100755 --- a/Shorewall6/init.debian.sh +++ b/Shorewall6/init.debian.sh @@ -12,7 +12,7 @@ . /lib/lsb/init-functions -SRWL=/sbin/shorewall6 +SRWL='/sbin/shorewall -6' SRWL_OPTS="-tvv" WAIT_FOR_IFUP=/usr/share/shorewall/wait4ifup test -n ${INITLOG:=/var/log/shorewall6-init.log} diff --git a/Shorewall6/init.fedora.sh b/Shorewall6/init.fedora.sh index c19a214fe..e55fef4f5 100755 --- a/Shorewall6/init.fedora.sh +++ b/Shorewall6/init.fedora.sh @@ -25,7 +25,7 @@ # . /usr/share/shorewall/shorewallrc -prog="shorewall6" +prog="shorewall -6" shorewall="${SBINDIR}/$prog" logger="logger -i -t $prog" lockfile="/var/lock/subsys/$prog" diff --git a/Shorewall6/init.sh b/Shorewall6/init.sh index cd3de2702..2c16e915d 100755 --- a/Shorewall6/init.sh +++ b/Shorewall6/init.sh @@ -77,13 +77,13 @@ command="$1" case "$command" in start) - exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS + exec ${SBINDIR}/shorewall -6 $OPTIONS start $STARTOPTIONS ;; restart|reload) - exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS + exec ${SBINDIR}/shorewall -6 $OPTIONS restart $RESTARTOPTIONS ;; status|stop) - exec ${SBINDIR}/shorewall6 $OPTIONS $command $@ + exec ${SBINDIR}/shorewall -6 $OPTIONS $command $@ ;; *) usage diff --git a/Shorewall6/init.slackware.shorewall6.sh b/Shorewall6/init.slackware.shorewall6.sh index 8ea9eeb44..55711c6d9 100755 --- a/Shorewall6/init.slackware.shorewall6.sh +++ b/Shorewall6/init.slackware.shorewall6.sh 
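Review bot: The new ExecStart line in shorewall6-lite.service spells the binary `/sbin/shorewal`, so the unit's start action points at a path that does not exist while ExecStop and ExecReload on the next two lines use `/sbin/shorewall`. On a host booting with this unit the IPv6 lite firewall would fail to start (and with RemainAfterExit=yes the failure is easy to overlook), which is a fail-open condition rather than a cosmetic one. The line should read `ExecStart=/sbin/shorewall -6l $OPTIONS start $STARTOPTIONS`.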
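Review bot: In the Shorewall6/init.fedora.sh hunk, `prog="shorewall -6"` is reused as a path component and as a logger tag: `logger="logger -i -t $prog"` now passes `shorewall` as the tag and `-6` as a separate argument to logger, and `lockfile="/var/lock/subsys/$prog"` becomes a path containing a space, which will only work if every later expansion of `$lockfile` is quoted. Keeping the program name and the family switch apart avoids both problems, e.g. `prog="shorewall"`, `opts="-6"`, `shorewall="${SBINDIR}/$prog $opts"`. The Shorewall6/init.debian.sh hunk has the same shape with `SRWL='/sbin/shorewall -6'`; that is only safe if `$SRWL` is expanded unquoted everywhere it is used, and those uses are outside the hunk, so this is inferred rather than confirmed.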
@@ -20,21 +20,21 @@ fi start() { echo "Starting IPv6 shorewall rules..." - exec /sbin/shorewall6 $OPTIONS start $STARTOPTIONS + exec /sbin/shorewall -6 $OPTIONS start $STARTOPTIONS } stop() { echo "Stopping IPv6 shorewall rules..." - exec /sbin/shorewall6 stop + exec /sbin/shorewall -6 stop } restart() { echo "Restarting IPv6 shorewall rules..." - exec /sbin/shorewall6 restart $RESTARTOPTIONS + exec /sbin/shorewall -6 restart $RESTARTOPTIONS } status() { - exec /sbin/shorewall6 status + exec /sbin/shorewall -6 status } case "$1" in diff --git a/Shorewall6/init.suse.sh b/Shorewall6/init.suse.sh index 358d9345f..1ae7f40e5 100755 --- a/Shorewall6/init.suse.sh +++ b/Shorewall6/init.suse.sh @@ -75,13 +75,16 @@ command="$1" case "$command" in start) - exec ${SBINDIR}/shorewall6 $OPTIONS start $STARTOPTIONS + exec ${SBINDIR}/shorewall -6 $OPTIONS start $STARTOPTIONS ;; - restart|reload) - exec ${SBINDIR}/shorewall6 $OPTIONS restart $RESTARTOPTIONS + restart) + exec ${SBINDIR}/shorewall -6 $OPTIONS restart $RESTARTOPTIONS + ;; + reload) + exec ${SBINDIR}/shorewall -6 $OPTIONS reload $RESTARTOPTIONS ;; status|stop) - exec ${SBINDIR}/shorewall6 $OPTIONS $command $@ + exec ${SBINDIR}/shorewall -6 $OPTIONS $command $@ ;; *) usage diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml deleted file mode 100644 index 04f18658b..000000000 --- a/Shorewall6/manpages/shorewall6.xml +++ /dev/null 
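Review bot: The new `reload)` arm in the Shorewall6/init.suse.sh hunk passes `$RESTARTOPTIONS` to the reload command, while the shorewall6-lite.service hunk in this same commit uses `$RELOADOPTIONS` for reload; if the sysconfig file defines a separate RELOADOPTIONS it is silently ignored here. I would change the line to `exec ${SBINDIR}/shorewall -6 $OPTIONS reload $RELOADOPTIONS`, assuming that variable is provided by the sysconfig file this script sources outside the hunk. Note also that the Shorewall6/init.sh hunk keeps `restart|reload)` mapped to `restart`, so the two init scripts now behave differently for reload.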
@@ -1,2610 +0,0 @@ - - - - - shorewall6 - - 8 - - Administrative Commands - - - - shorewall6 - - Administration tool for Shoreline Firewall 6 - (Shorewall6) - - - - - shorewall6 - - | - - -options - - - - interface[:host-list] - - zone | zone host-list - - - - - shorewall6 - - | - - -options - - - - - - shorewall6 - - | - - -options - - - - addressoption - ... - - - - shorewall6 - - | - - -options - - - - functionparameter - ... - - - - shorewall6 - - | - - -options - - - - - - - - - - - - - - - - directory - - - - shorewall6 - - | - - -options - - - - - - shorewall6 - - | - - -options - - - open-number | - sourcedestprotocol - port - - - - - shorewall6 - - | - - -options - - - - - - - - - - - - directory - - pathname - - - - shorewall6 - - | - - -options - - - - interface[:host-list] - - zone | zone host-list - - - - - shorewall6 - - | - - -options - - - - { interface | - provider } - - - - shorewall6 - - | - - -options - - - - address - - - - shorewall6 - - | - - -options - - - - - - - - - - - - - - shorewall6 - - | - - -options - - - - { interface | - provider } - - - - shorewall6 - - | - - -options - - - - directory1 - - [user@]system[directory2] - - - - shorewall6 - - | - - -options - - - - filename - - - - shorewall6 - - | - - -options - - - - - - shorewall6 - - | - - -options - - - - iptables match - expression - - - - shorewall6 - - | - - -options - - - - address - - - - shorewall6 - - | - - -options - - - - - - refresh-interval - - - - shorewall6 - - | - - -options - - - - address - - - - shorewall6 - - | - - -options - - - - iptables match - expression - - - - shorewall6 - - | - - -options - - - source dest - protocol port - - - - - shorewall6 - - | - - -options - - - - { interface | - provider } - - - - shorewall6 - - | - - -options - - - - directory chain - - - - shorewall6 - - | - - -options - - - - address - - - - shorewall6 - - | - - -options - - - - - - - - root-user-name - - - - - - directory - - system - - - - shorewall6 - - | - - -options - - - - 
- - - - root-user-name - - - - - - directory - - system - - - - shorewall6 - - | - - -options - - - - - - - - root-user-name - - - - - - directory - - system - - - - shorewall6 - - | - - -options - - chain - ... - - - - shorewall6 - - | - - -options - - - - - - - - - - - - - - directory - - - - shorewall6 - - | - - -options - - - - - - - - - - - - - - directory - - - - shorewall6 - - | - - -options - - - - filename - - - - shorewall6 - - | - - -options - - - - command - - parameter ... - - - - shorewall6 - - | - - -options - - - - - - timeout - - directory - - - - shorewall6 - - | - - -options - - - - - - timeout - - directory - - - - shorewall6 - - | - - -options - - - - - - timeout - - directory - - - - shorewall6 - - | - - -options - - - - filename - - - - shorewall6 - - | - - -options - - - - - - shorewall6 - - | - - -options - - - - - - - - - - shorewall6 - - | - - -options - - - - - - - - - - - {||} - - chain - - - - shorewall6 - - | - - -options - - - - - - - - - - shorewall6 - - | - - -options - - - - - - - - shorewall6 - - | - - -options - - - - event - - - - shorewall6 - - | - - -options - - - - - - - - - - shorewall6 - - | - - -options - - - - - - - - - - shorewall6 - - | - - -options - - - - - - - - shorewall6 - - | - - -options - - - - - - - - - - shorewall6 - - | - - -options - - - - - - - - - - - - - - directory - - - - shorewall6 - - | - - -options - - - - - - shorewall6 - - | - - -options - - - - - - shorewall6 - - | - - -options - - - - directory - - timeout - - - - shorewall6 - - | - - -options - - - - - - - - - - - - - - - - directory - - - - shorewall6 - - | - - -options - - - - - - - Description - - The shorewall6 utility is used to control the Shoreline Firewall 6 - (Shorewall6). - - - - Options - - The and options are - used for debugging. See http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace. - - The option prevents the command from - attempting to acquire the Shorewall6 lockfile. 
It is useful if you need to - include shorewall6 commands in - /etc/shorewall6/started. - - The options control the amount of output that - the command produces. They consist of a sequence of the letters v and q. If the - options are omitted, the amount of output is determined by the setting of - the VERBOSITY parameter in shorewall6.conf(5). Each - v adds one to the effective verbosity and - each q subtracts one from the effective - VERBOSITY. Alternatively, v may be - followed immediately with one of -1,0,1,2 to specify a specify VERBOSITY. - There may be no white-space between v and - the VERBOSITY. - - The options may also include the letter - which causes all progress messages to be - timestamped. - - - - Commands - - The available commands are listed below. - - - - add { - interface[:host-list]... - zone | zone - host-list } - - - Added in Shorewall 4.4.21. Adds a list of hosts or subnets to - a dynamic zone usually used with VPN's. - - The interface argument names an interface - defined in the shorewall6-interfaces(5) - file. A host-list is comma-separated list whose - elements are host or network addresses. - The add command is not very robust. If - there are errors in the host-list, - you may see a large number of error messages yet a subsequent - shorewall show zones command will indicate - that all hosts were added. If this happens, replace - add by delete and run the - same command again. Then enter the correct command. - - - Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall6-zones(5)) - allows a single ipset to handle entries for multiple interfaces. - When that option is specified for a zone, the add - command has the alternative syntax in which the - zone name precedes the - host-list. - - - - - allow - address - - - Re-enables receipt of packets from hosts previously - blacklisted by a drop, logdrop, reject, or logreject command. 
Beginning with Shorewall - 5.0.10, this command can also re-enable addresses blacklisted using - the blacklist command. - - - - - blacklist - address [ option - ... ] - - - Added in Shorewall 5.0.8 and requires - DYNAMIC_BLACKLIST=ipset.. in shorewall6.conf(5). - Causes packets from the given host or network - address to be dropped, based on the - setting of BLACKLIST in shorewall6.conf(5). - The address along with any - options are passed to the ipset - add command. - - If the option is specified in the - DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY - determines the amount of information displayed: - - - - If the effective verbosity is > 0, then a message - giving the number of conntrack flows deleted by the command is - displayed. - - - - If the effective verbosity is > 1, then the conntrack - table entries deleted by the command are also displayed. - - - - - - - call function [ - parameter ... ] - - - Added in Shorewall 4.6.10. Allows you to call a function in - one of the Shorewall libraries or in your compiled script. function - must name the shell function to be called. The listed parameters are - passed to the function. - - The function is first searched for in - lib.base, lib.common, - lib.cli and lib.cli-std. - If it is not found, the call command is passed to the generated - script to be executed. - - - - - check [-] - [-] [-] [-] - [-] [-] - [directory] - - - Compiles the configuration in the specified - directory and discards the compiled output - script. If no directory is given, then - /etc/shorewall6 is - assumed. - - The option causes the compiler to look for - a file named capabilities. This file is produced using the command - shorewall6-lite show -f capabilities > - capabilities on a system with Shorewall6 Lite - installed. - - The option causes the compiler to be run - under control of the Perl debugger. - - The option causes the compiler to be - profiled via the Perl command-line - option. 
- - The option was added in Shorewall 4.5.2 - and causes the compiler to print the generated ruleset to standard - out. - - The option was added in Shorewall 4.4.20 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - - - - clear - [-] - - - Clear will remove all rules and chains installed by - Shorewall6. The firewall is then wide open and unprotected. Existing - connections are untouched. Clear is often used to see if the - firewall is causing connection problems. - - - - - close { - open-number | - source dest [ - protocol [ port - ] ] } - - - Added in Shorewall 4.5.8. This command closes a temporary open - created by the open command. In the first form, - an open-number specifies the open to be - closed. Open numbers are displayed in the num column of the output of the - shorewall6 show opens command. - - When the second form of the command is used, the parameters - must match those given in the earlier open - command. - - - - - compile [-] - [-] [-] [-] - [-] [-] - [directory] - [pathname ] - - - Compiles the current configuration into the executable file - pathname. If a directory is supplied, - Shorewall6 will look in that directory first for configuration - files. If the pathname is omitted, the file - firewall in the VARDIR (normally /var/lib/shorewall/) is assumed. A - pathname of '-' causes the compiler to send the - generated script to it's standard output file. Note that '-v-1' is - usually specified in this case (e.g., shorewall6 -v-1 - compile -- -) to suppress the 'Compiling...' message - normally generated by /sbin/shorewall6. 
- - When is specified, the compilation is - being performed on a system other than where the compiled script - will run. This option disables certain configuration options that - require the script to be compiled where it is to be run. The use of - requires the presence of a configuration file - named capabilities which may be produced using - the command shorewall6-lite show -f capabilities > - capabilities on a system with Shorewall6 Lite - installed. - - The option was added in Shorewall 4.5.17 - and causes conditional compilation of a script. The script specified - by pathname (or implied if pathname is omitted) is compiled if it - doesn't exist or if there is any file in the - directory or in a directory on the - CONFIG_PATH that has a modification time later than the file to be - compiled. When no compilation is needed, a message is issued and an - exit status of zero is returned. - - The option causes the compiler to be run - under control of the Perl debugger. - - The option causes the compiler to be - profiled via the Perl command-line - option. - - The option was added in Shorewall 4.4.20 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - - - - delete { - interface[:host-list]... - zone | zone - host-list } - - - Added in Shorewall 4.4.21. The delete command reverses the - effect of an earlier add - command. - - The interface argument names an interface - defined in the shorewall6-interfaces(5) - file. A host-list is comma-separated list whose - elements are a host or network address. 
- - Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall6-zones(5)) - allows a single ipset to handle entries for multiple interfaces. - When that option is specified for a zone, the - delete command has the alternative syntax in - which the zone name precedes the - host-list. - - - - - disable - { interface | - provider } - - - Added in Shorewall 4.4.26. Disables the optional provider - associated with the specified interface - or provider. Where more than one provider - share a single network interface, a - provider name must be given. - - Beginning with Shorewall 4.5.10, this command may be used with - any optional network interface. interface - may be either the logical or physical name of the interface. The - command removes any routes added from shorewall6-routes(5) - and any traffic shaping configuration for the interface. - - - - - drop - address - - - Causes traffic from the listed addresses - to be silently dropped. - - - - - dump [-] - [-] [-] - [-] - - - Produces a verbose report about the firewall configuration for - the purpose of problem analysis. - - The option causes actual packet and byte - counts to be displayed. Without that option, these counts are - abbreviated. - - The option causes any MAC addresses - included in Shorewall6 log messages to be displayed. - - The option causes the rule number for each - Netfilter rule to be displayed. - - The option causes the route cache to be - dumped in addition to the other routing information. - - - - - enable { - interface | - provider } - - - Added in Shorewall 4.4.26. Enables the optional provider - associated with the specified interface - or provider. Where more than one provider - share a single network interface, a - provider name must be given. - - Beginning with Shorewall 4.5.10, this command may be used with - any optional network interface. interface - may be either the logical or physical name of the interface. 
The - command sets /proc entries for the interface, - adds any route specified in shorewall6-routes(5) - and installs the interface's traffic shaping configuration, if - any. - - - - - export - [directory1 ] - [user@]system[:directory2 - ] - - - If directory1 is omitted, the current - working directory is assumed. - - Allows a non-root user to compile a shorewall6 script and - stage it on a system (provided that the user has access to the - system via ssh). The command is equivalent to: - - /sbin/shorewall6 compile -e directory1 directory1/firewall &&\ - scp directory1/firewall directory1/firewall.conf [user@]system:[directory2] - - In other words, the configuration in the specified (or - defaulted) directory is compiled to a file called firewall in that - directory. If compilation succeeds, then firewall and firewall.conf - are copied to system using scp. - - - - - forget [ - filename ] - - - Deletes /var/lib/shorewall6/filename - and /var/lib/shorewall6/save - . If no filename is given then the - file specified by RESTOREFILE in shorewall6.conf(5) is - assumed. - - - - - help - - - Displays a syntax summary. - - - - - iptrace ip6tables - match expression - - - This is a low-level debugging command that causes iptables - TRACE log records to be created. See ip6tables(8) for - details. - - The ip6tables match expression must - be one or more matches that may appear in both the raw table OUTPUT - and raw table PREROUTING chains. - - The log message destination is determined by the - currently-selected IPv6 logging - backend. - - - - - list - - - list is a synonym for - show -- please see below. - - - - - logdrop - address - - - Causes traffic from the listed addresses - to be logged then discarded. Logging occurs at the log level - specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf - (5). 
- - - - - logwatch [-] - [refresh-interval] - - - Monitors the log file specified by the LOGFILE option in - shorewall6.conf(5) and - produces an audible alarm when new Shorewall6 messages are logged. - The option causes the MAC address of each packet - source to be displayed if that information is available. The - refresh-interval specifies the time in - seconds between screen refreshes. You can enter a negative number by - preceding the number with "--" (e.g., shorewall6 logwatch - -- -30). In this case, when a packet count changes, you - will be prompted to hit any key to resume screen refreshes. - - - - - logreject - address - - - Causes traffic from the listed addresses - to be logged then rejected. Logging occurs at the log level - specified by the BLACKLIST_LOGLEVEL setting in shorewall6.conf - (5). - - - - - ls - - - ls is a synonym for show - -- please see below. - - - - - noiptrace - ip6tables match - expression - - - This is a low-level debugging command that cancels a trace - started by a preceding iptrace command. - - The iptables match expression must - be one given in the iptrace command being - canceled. - - - - - open - source dest [ - protocol [ port - ] ] - - - Added in Shorewall 4.6.8. This command requires that the - firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in - shorewall6.conf - (5). The effect of the command is to temporarily open the - firewall for connections matching the parameters. - - The source and - dest parameters may each be specified as - all if you don't wish to restrict - the connection source or destination respectively. Otherwise, each - must contain a host or network address or a valid DNS name. - - The protocol may be specified - either as a number or as a name listed in /etc/protocols. The - port may be specified numerically or as a - name listed in /etc/services. - - To reverse the effect of a successful open - command, use the close command with the same - parameters or simply restart the firewall. 
- - Example: To open the firewall for SSH connections to address - 2001:470:b:227::1, the command would be: - - shorewall6 open all 2001:470:b:227::1 tcp 22 - - To reverse that command, use: - - shorewall6 close all 2001:470:b:227::1 tcp 22 - - - - - reenable{ - interface | - provider } - - - Added in Shorewall 4.6.9. This is equivalent to a - disable command followed by an - enable command on the specified - interface or - provider. - - - - - refresh [-] - [-] [-] [-i] - [-directory ] [ - chain... ] - - - All steps performed by restart are - performed by refresh with the exception that - refresh only recreates the chains specified in - the command while restart recreates the entire - Netfilter ruleset.When no chain name is given to the - refresh command, the mangle table is refreshed - along with the blacklist chain (if any). This allows you to modify - /etc/shorewall6/tcrulesand install the changes - using refresh. - - The listed chains are assumed to be in the filter table. You - can refresh chains in other tables by prefixing the chain name with - the table name followed by ":" (e.g., nat:net_dnat). Chain names - which follow are assumed to be in that table until the end of the - list or until an entry in the list names another table. Built-in - chains such as FORWARD may not be refreshed. - - The option was added in Shorewall 4.5.3 - causes Shorewall to avoid updating the routing table(s). - - The option was added in Shorewall 4.5.3 - causes the compiler to run under the Perl debugger. - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). 
- - The - option was added in Shorewall 4.5.3 - and causes Shorewall to look in the given - directory first for configuration files. - - - Refresh the 'net-fw' chain in the filter table and the - 'net_dnat' chain in the nat table - - shorewall6 refresh net-fw nat:net_dnat - - - - - - - reject - address - - - Causes traffic from the listed addresses - to be silently rejected. - - - - - reload [-] - [-] [-] [-] - [-] [-] [-] - [-] [ directory ] - - - This command was re-implemented in Shorewall 5.0.0. The - pre-5.0.0 reload command is now called - remote-restart (see below). - - Reload is similar to shorewall6 start - except that it assumes that the firewall is already started. - Existing connections are maintained. If a - directory is included in the command, - Shorewall6 will look in that directory first - for configuration files. - - The option causes Shorewall6 to avoid - updating the routing table(s). - - The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. - - The option causes the compiler to run - under the Perl debugger. - - The option suppresses the compilation step - and simply reused the compiled script which last started/restarted - Shorewall, provided that /etc/shorewall6 - and its contents have not been modified since the last - start/restart. - - The option was added in Shorewall 4.4.20 - and performs the compilation step unconditionally, overriding the - AUTOMAKE setting in shorewall6.conf(5). - When both and are present, - the result is determined by the option that appears last. - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). 
Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - The option was added in Shorewall 4.6.5 - and is only meaningful when AUTOMAKE=Yes in shorewall6.conf(5). If - an existing firewall script is used and if that script was the one - that generated the current running configuration, then the running - netfilter configuration will be reloaded as is so as to preserve the - iptables packet and byte counters. - - - - - remote-reload - [-] [-] - [- root-user-name] - [-] [-] [ [ -D ] - directory ] [ - system ] - - - - - This command was added in Shorewall 5.0.0. - - If directory is omitted, the current - working directory is assumed. Allows a non-root user to compile a - shorewall6 script and install it on a system (provided that the user - has root access to the system via ssh). The command is equivalent - to: - - /sbin/shorewall6 compile -e directory directory/firewall &&\ - scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall6-lite/ &&\ - ssh root@system '/sbin/shorewall6-lite reload' - - In other words, the configuration in the specified (or - defaulted) directory is compiled to a file called firewall in that - directory. If compilation succeeds, then firewall is copied to - system using scp. If the copy succeeds, - Shorewall6 Lite on system is restarted via ssh. - Beginning with Shorewall 5.0.13, if - system is omitted, then the FIREWALL - option setting in shorewall6.conf(5) is assumed. In - that case, if you want to specify a - directory, then the - option must be given. - - If is specified and the - restart command succeeds, then the remote - Shorewall6-lite configuration is saved by executing - shorewall6-lite save via ssh. - - if is included, the command - shorewall6-lite show capabilities -f > - /var/lib/shorewall6-lite/capabilities is executed via ssh - then the generated file is copied to directory - using scp. This step is performed before the configuration is - compiled. 
- - If is included, it specifies that the root - user on system is named - root-user-name rather than "root". - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - - - - remote- restart - [-] [-] - [- root-user-name] - [-] [-] [ [ -D ] - directory ] [ - system ] - - - This command was renamed from reload in - Shorewall 5.0.0. - - If directory is omitted, the current - working directory is assumed. Allows a non-root user to compile a - shorewall6 script and install it on a system (provided that the user - has root access to the system via ssh). The command is equivalent - to: - - /sbin/shorewall6 compile -e directory directory/firewall &&\ - scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall6-lite/ &&\ - ssh root@system '/sbin/shorewall6-lite restart' - - In other words, the configuration in the specified (or - defaulted) directory is compiled to a file called firewall in that - directory. If compilation succeeds, then firewall is copied to - system using scp. If the copy succeeds, - Shorewall6 Lite on system is restarted via - ssh. - - Beginning with Shorewall 5.0.13, if - system is omitted, then the FIREWALL - option setting in shorewall6.conf(5) is assumed. In - that case, if you want to specify a - directory, then the - option must be given. - - If is specified and the - restart command succeeds, then the remote - Shorewall6-lite configuration is saved by executing - shorewall6-lite save via ssh. 
- - if is included, the command - shorewall6-lite show capabilities -f > - /var/lib/shorewall6-lite/capabilities is executed via ssh - then the generated file is copied to directory - using scp. This step is performed before the configuration is - compiled. - - If is included, it specifies that the root - user on system is named - root-user-name rather than "root". - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - - - - remote-start - [-] [-] [- - root-user-name] [-] - [-] [ [-D ] directory ] [ - system ] - - - This command was added in Shorewall 5.0.0. - - If directory is omitted, the current - working directory is assumed. Allows a non-root user to compile a - shorewall6 script and install it on a system (provided that the user - has root access to the system via ssh). The command is equivalent - to: - - /sbin/shorewall6 compile -e directory directory/firewall &&\ - scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall6-lite/ &&\ - ssh root@system '/sbin/shorewall6-lite start' - - In other words, the configuration in the specified (or - defaulted) directory is compiled to a file called firewall in that - directory. If compilation succeeds, then firewall is copied to - system using scp. If the copy succeeds, - Shorewall6 Lite on system is started via - ssh. Beginning with Shorewall 5.0.13, if - system is omitted, then the FIREWALL - option setting in shorewall6.conf(5) is assumed. In - that case, if you want to specify a - directory, then the - option must be given. 
- - If is specified and the start command succeeds, then the remote - Shorewall6-lite configuration is saved by executing - shorewall6-lite save via ssh. - - if is included, the command - shorewall6-lite show capabilities -f > - /var/lib/shorewall6-lite/capabilities is executed via ssh - then the generated file is copied to - directory using scp. This step is - performed before the configuration is compiled. - - If is included, it specifies that the root - user on system is named - root-user-name rather than "root". - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - - - - reset [chain, - ...] - - - Resets the packet and byte counters in the specified - chain(s). If no - chain is specified, all the packet and - byte counters in the firewall are reset. - - Beginning with Shorewall 5.0.0, - chain may be composed of both a table - name and a chain name separated by a colon (e.g., - mangle:PREROUTING). Chain names following that don't include a table - name are assumed to be in that same table. If no table name is given - in the command, the filter table is assumed. - - - - - restart [-] - [-] [-] [-] - [-] [-] [-] - [-] [ directory ] - - - Beginning with Shorewall 5.0.0, this command performs a true - restart. The firewall is completely stopped as if a - stop command had been issued then it is started - again. - - If a directory is included in the - command, Shorewall6 will look in that directory - first for configuration files. - - The option causes Shorewall6 to avoid - updating the routing table(s). 
- - The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. - - The option causes the compiler to run - under the Perl debugger. - - The option suppresses the compilation step - and simply reused the compiled script which last started/restarted - Shorewall, provided that /etc/shorewall6 - and its contents have not been modified since the last - start/restart. - - The option was added in Shorewall 4.4.20 - and performs the compilation step unconditionally, overriding the - AUTOMAKE setting in shorewall6.conf(5). - When both and are present, - the result is determined by the option that appears last. - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - The option was added in Shorewall 4.6.5 - and is only meaningful when AUTOMAKE=Yes in shorewall6.conf(5). If - an existing firewall script is used and if that script was the one - that generated the current running configuration, then the running - netfilter configuration will be reloaded as is so as to preserve the - iptables packet and byte counters. - - - - - restore [-] - [-] [-] [ - filename ] - - - Restore Shorewall6 to a state saved using the - shorewall6 save command. Existing connections are - maintained. The filename names a restore file - in /var/lib/shorewall6 - created using shorewall6 save; if no - filename is given then Shorewall6 will be - restored from the file specified by the RESTOREFILE option in shorewall6.conf(5). 
- - - If your ip6tables ruleset depends on variables that are - detected at run-time, either in your params file or by - Shorewall-generated code, restore will use the - values that were current when the ruleset was saved, which may be - different from the current values. - - - The option was added in Shorewall 4.6.5. - If the option was specified during - shorewall6 save, then the counters saved by that - operation will be restored. - - - - - run - command [ - parameter ... ] - - - Added in Shorewall 4.6.3. Executes - command in the context of the generated - script passing the supplied parameters. - Normally, the command will be a function - declared in lib.private. - - Before executing the command, the - script will detect the configuration, setting all SW_* variables and - will run your init extension script with - $COMMAND = 'run'. - - If there are files in the CONFIG_PATH that were modified after - the current firewall script was generated, the following warning - message is issued before the script's run command is executed: - WARNING: /var/lib/shorewall6/firewall is not up to - date - - - - - safe-restart - [-] [-] - [-timeout ] [ - directory ] - - - Only allowed if Shorewall6 is running. The current - configuration is saved in /var/lib/shorewall6/safe-restart - (see the save command - below) then a shorewall6 restart is done. You - will then be prompted asking if you want to accept the new - configuration or not. If you answer "n" or if you fail to answer - within 60 seconds (such as when your new configuration has disabled - communication with your terminal), the configuration is restored - from the saved configuration. If a directory is given, then - Shorewall6 will look in that directory first when opening - configuration files. - - Beginning with Shorewall 4.5.0, you may specify a different - timeout value using the - option. 
The numeric - timeout may optionally be followed by an - , or suffix - (e.g., 5m) to specify seconds, minutes or hours respectively. If the - suffix is omitted, seconds is assumed. - - - - - safe-start - [-] [-] - [-timeout ] [ - directory ] - - - Shorewall6 is started normally. You will then be prompted - asking if everything went all right. If you answer "n" or if you - fail to answer within 60 seconds (such as when your new - configuration has disabled communication with your terminal), a - shorewall6 clear is performed for you. If a directory is given, then - Shorewall6 will look in that directory first when opening - configuration files. - - Beginning with Shorewall 4.5.0, you may specify a different - timeout value using the - option. The numeric - timeout may optionally be followed by an - , or suffix - (e.g., 5m) to specify seconds, minutes or hours respectively. If the - suffix is omitted, seconds is assumed. - - - - - save [-] [ - filename ] - - - The dynamic blacklist is stored in - /var/lib/shorewall6/save. The state of the firewall is - stored in - /var/lib/shorewall6/filename - for use by the shorewall6 restore and - shorewall6 -f start commands. If filename - is not given then the state is saved in the file - specified by the RESTOREFILE option in shorewall6.conf(5). - - The option, added in Shorewall 4.6.5, - causes the ip6tables packet and byte counters to be saved along with - the chains and rules. - - - - - savesets - - - Added in shorewall 4.6.8. Performs the same action as the - stop command with respect to saving ipsets (see - the SAVE_IPSETS option in shorewall6.conf (5)). - This command may be used to proactively save your ipset contents in - the event that a system failure occurs prior to issuing a - stop command. - - - - - show - - - The show command can have a number of different - arguments: - - - - actions - - - Produces a report about the available actions (built-in, - standard and user-defined). 
- - - - - [-] bl|blacklists - - - - Added in Shorewall 4.6.2. Displays the dynamic chain - along with any chains produced by entries in - shorewall-blrules(5).The option is passed - directly through to ip6tables and causes actual packet and - byte counts to be displayed. Without this option, those counts - are abbreviated. - - - - - [-] capabilities - - - Displays your kernel/ip6tables capabilities. The - option causes the display to be formatted - as a capabilities file for use with shorewall6 - compile -e. - - - - - [-] [-] - [-] [- - {||||}][ - chain... ] - - - The rules in each chain are - displayed using the ip6tables -L - chain -n - -v command. If no chain is - given, all of the chains in the filter table are displayed. - The option is passed directly through to - ip6tables and causes actual packet and byte counts to be - displayed. Without this option, those counts are abbreviated. - The option specifies the Netfilter table - to display. The default is filter. - - The ('brief') option causes rules - which have not been used (i.e. which have zero packet and byte - counts) to be omitted from the output. Chains with no rules - displayed are also omitted from the output. - - The option causes the rule number - for each Netfilter rule to be displayed. - - If the option and the - keyword are both omitted and any of the - listed chains do not exist, a usage - message is displayed. - - - - - classifiers|filters - - - Displays information about the packet classifiers - defined on the system as a result of traffic shaping - configuration. - - - - - config - - - Displays distribution-specific defaults. - - - - - connections - [filter_parameter - ...] - - - Displays the IP connections currently being tracked by - the firewall. - - If the conntrack utility is - installed, beginning with Shorewall 4.6.11 the set of - connections displayed can be limited by including conntrack - filter parameters (-p , -s, --dport, etc). See conntrack(8) - for details. 
- - - - - event - event - - - Added in Shorewall 4.5.19. Displays the named - event. - - - - - events - - - Added in Shorewall 4.5.19. Displays all events. - - - - - ip - - - Displays the system's IPv6 configuration. - - - - - [-] log - - - Displays the last 20 Shorewall6 messages from the log - file specified by the LOGFILE option in shorewall6.conf(5). - The option causes the MAC address of each - packet source to be displayed if that information is - available. - - - - - macros - - - Displays information about each macro defined on the - firewall system. - - - - - macro - macro - - - Added in Shorewall 4.4.6. Displays the file that - implements the specified macro - (usually - /usr/share/shorewall6/macro.macro). - - - - - [-] mangle - - - Displays the Netfilter mangle table using the command - ip6tables -t mangle -L -n -v.The - option is passed directly through to - ip6tables and causes actual packet and byte counts to be - displayed. Without this option, those counts are - abbreviated. - - - - - marks - - - Added in Shorewall 4.4.26. Displays the various fields - in packet marks giving the min and max value (in both decimal - and hex) and the applicable mask (in hex). - - - - - [-] nat - - - Displays the Netfilter nat table using the command - ip6tables -t nat -L -n -v. - The -x option is passed - directly through to ip6tables and causes actual packet and - byte counts to be displayed. Without this option, those counts - are abbreviated. - - - - - opens - - - Added in Shorewall 4.5.8. Displays the iptables rules in - the 'dynamic' chain created through use of the open - command.. - - - - - policies - - - Added in Shorewall 4.4.4. Displays the applicable policy - between each pair of zones. Note that implicit intrazone - ACCEPT policies are not displayed for zones associated with a - single network where that network doesn't specify - . - - - - - [-] raw - - - Displays the Netfilter raw table using the command - ip6tables -t raw -L -n -v. 
- The -x option is passed - directly through to ip6tables and causes actual packet and - byte counts to be displayed. Without this option, those counts - are abbreviated. - - - - - [-] routing - - - Displays the system's IPv6 routing configuration. The -c - option causes the route cache to be displayed in addition to - the other routing information. - - - - - tc - - - Displays information about queuing disciplines, classes - and filters. - - - - - zones - - - Displays the current composition of the Shorewall6 zones - on the system. - - - - - - - - start - [-] [-] - [-] [-] [-] - [-] [-] [-] [ - directory ] - - - Start shorewall6. Existing connections through shorewall6 - managed interfaces are untouched. New connections will be allowed - only if they are allowed by the firewall rules or policies. If a - directory is included in the command, - Shorewall6 will look in that directory first - for configuration files. If is specified, the - saved configuration specified by the RESTOREFILE option in shorewall6.conf(5) - will be restored if that saved configuration exists and has been - modified more recently than the files in /etc/shorewall6. When is given, a directory may not - be specified. - - Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option - was added to shorewall6.conf(5). - When LEGACY_FASTSTART=No, the modification times of files in - /etc/shorewall6 are compared - with that of /var/lib/shorewall6/firewall (the - compiled script that last started/restarted the firewall). - - The option causes Shorewall6 to avoid - updating the routing table(s). - - The option was added in Shorewall 4.4.20 - and performs the compilation step unconditionally, overriding the - AUTOMAKE setting in shorewall6.conf(5). - When both and are present, - the result is determined by the option that appears last. - - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. 
- - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall6.conf(5). - - The option was added in Shorewall 4.6.5 - and is only meaningful when the option is also - specified. If the previously-saved configuration is restored, and if - the option was also specified in the - save command, then the packet and byte counters - will be restored along with the chains and rules. - - - - - stop - [-] - - - Stops the firewall. All existing connections, except those - listed in shorewall6-routestopped(5) - or permitted by the ADMINISABSENTMINDED option in shorewall6.conf(5), - are taken down. The only new traffic permitted through the firewall - is from systems listed in shorewall6-routestopped(5) - or by ADMINISABSENTMINDED. - - If is given, the command will be processed - by the compiled script that executed the last successful start, restart or refresh command if that script exists. - - - - - status - - - Produces a short report about the state of the - Shorewall6-configured firewall. - - The option was added in Shorewall 4.6.2 - and causes the status of each optional or provider interface to be - displayed. - - - - - try - directory [ - timeout ] - - - If Shorewall6 is started then the firewall state is saved to a - temporary saved configuration - (/var/lib/shorewall6/.try). Next, if Shorewall6 - is currently started then a restart - command is issued using the specified configuration - directory; otherwise, a start command is performed using the - specified configuration directory. If an - error occurs during the compilation phase of the restart or start - , the command terminates without changing the Shorewall6 - state. If an error occurs during the restart - phase, then a shorewall6 restore is - performed using the saved configuration. 
If an error occurs during - the start phase, then Shorewall6 is - cleared. If the start/ restart succeeds and a - timeout is specified then a clear or restore - is performed after timeout - seconds. - - Beginning with Shorewall 4.5.0, the numeric - timeout may optionally be followed by an - , or suffix - (e.g., 5m) to specify seconds, minutes or hours respectively. If the - suffix is omitted, seconds is assumed. - - - - - update [-] - [-] [-] [-] - [-] [-] [ - directory ] - - - Added in Shorewall 4.4.21 and causes the compiler to update - /etc/shorewall/shorewall.conf then validate the - configuration. The update will add options not present in - the old file with their default values, and will move deprecated - options with non-defaults to a deprecated options section at the - bottom of the file. Your existing - shorewall.conf file is renamed - shorewall.conf.bak. - - The command was extended over the years with a set - of options that caused additional configuration - updates. - - - - Convert an existing blacklist file - into an equivalent blrules file. - - - - Convert an existing routestopped file - into an equivalent stoppedrules - file. - - - - Convert existing tcrules and - tos files into an equivalent mangle - file. - - - - Convert an existing notrack file into - an equivalent conntrack file. - - - - Convert FORMAT, SECTION and COMMENT entries into ?FORMAT, - ?SECTION and ?COMMENT directives. - - - - In each case, the old file is renamed with a .bak - suffix. - - In Shorewall 5.0.0, the options were eliminated and the - update command performs all of the updates - described above. - - - There are some notable restrictions with the - update command: - - - - Converted rules will be appended to the existing file; - if there is no existing file in the CONFIG_PATH, one will be - created in the directory specified in the command or in the - first entry in the CONFIG_PATH (normally /etc/shorewall6) - otherwise. 
- - - - Existing comments in the file being converted will not - be transferred to the output file. - - - - With the exception of the - notrack->conntrack - conversion, INCLUDEd files will be expanded inline in the - output file. - - - - Columns in the output file will be separated by a single - tab character; there is no attempt made to otherwise align the - columns. - - - - Prior to Shorewall 5.0.15, shell variables will be - expanded in the output file. - - - - Prior to Shorewall 5.0.15, lines omitted by compiler - directives (?if ...., etc.) will not appear in the output - file. - - - Because the translation of the 'blacklist' and - 'routestopped' files is not 1:1, omitted lines and compiler - directives are not transferred to the converted files. If - either are present, the compiler issues a warning: - - WARNING: "Omitted rules and compiler directives were not translated - - - - - - The option causes the updated - shorewall.conf file to be annotated with - documentation. - - The option was added in Shorewall 4.6.0 - and causes a warning message to be issued if the current line - contains alternative input specifications following a semicolon - (";"). Such lines will be handled incorrectly if INLINE_MATCHES is - set to Yes in shorewall.conf(5). - - The option is included for compatibility - with Shorewall 4.6 and is equivalent to specifying the - option. - - For a description of the other options, see the check command above. - - - - - version - [-] - - - Displays Shorewall6's version. If the - option is included, the version of Shorewall will also be - displayed. - - - - - - - EXIT STATUS - - In general, when a command succeeds, status 0 is returned; when the - command fails, a non-zero status is returned. - - The status command returns exit status as - follows: - - 0 - Firewall is started. - - 3 - Firewall is stopped or cleared - - 4 - Unknown state; usually means that the firewall has never been - started. 
- - - - ENVIRONMENT - - Two environmental variables are recognized by Shorewall6: - - - - SHOREWALL_INIT_SCRIPT - - - When set to 1, causes Std out to be redirected to the file - specified in the STARTUP_LOG option in shorewall6.conf(5). - - - - - SW_LOGGERTAG - - - Added in Shorewall 5.0.8. When set to a non-empty value, that - value is passed to the logger utility in its -t (--tag) - option. - - - - - - - See ALSO - - http://www.shorewall.net/starting_and_stopping_shorewall.htm - - shorewall6-accounting(5), shorewall6-actions(5), - shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5), - shorewall6-maclist(5), shorewall6-netmap(5),shorewall6-params(5), - shorewall6-policy(5), shorewall6-providers(5), shorewall6-rtrules(5), - shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5), - shorewall6-secmarks(5), shorewall6-tcclasses(5), shorewall6-tcdevices(5), - shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5), - shorewall6-zones(5) - - diff --git a/Shorewall6/shorewall6 b/Shorewall6/shorewall6 deleted file mode 100755 index 0f297b7d1..000000000 --- a/Shorewall6/shorewall6 +++ /dev/null 
@@ -1,39 +0,0 @@
-#!/bin/sh
-#
-# Shorewall6 Packet Filtering Firewall Control Program - V4.5
-#
-# (c) 1999,2000,2001,2002,2003,2004,2005,2006,2007,2008,2009,2010,2011,2014 -
-# Tom Eastep (teastep@shorewall.net)
-#
-# Shorewall documentation is available at http://www.shorewall.net
-#
-# This program is part of Shorewall.
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by the
-# Free Software Foundation, either version 2 of the license or, at your
-# option, any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program; if not, see .
-#
-# For a list of supported commands, type 'shorewall help' or 'shorewall6 help'
-#
-################################################################################################
-PRODUCT=shorewall6
-
-#
-# This is modified by the installer when ${SHAREDIR} != /usr/share
-#
-. /usr/share/shorewall/shorewallrc
-
-g_basedir=${SHAREDIR}/shorewall
-
-. ${g_basedir}/lib.cli
-
-shorewall_cli $@
diff --git a/Shorewall6/shorewall6.service b/Shorewall6/shorewall6.service
index 6c8d5d664..5ab4f8a1a 100644
--- a/Shorewall6/shorewall6.service
+++ b/Shorewall6/shorewall6.service
@@ -14,9 +14,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/sysconfig/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
-ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS
+ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall -6 $OPTIONS stop
+ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 
 [Install]
 WantedBy=basic.target
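Review bot: The three rewritten Exec lines in shorewall6.service (and the identical ones in shorewall6.service.debian in the next hunk) now invoke the IPv4-named binary with an undocumented `-6` flag, and nothing in the unit says why; a one-line comment above ExecStart would stop a maintainer from "fixing" it back to `/sbin/shorewall6`, e.g. `# -6 selects the IPv6 product (ip6tables) of the unified /sbin/shorewall CLI`. Separately, the unit hard-codes `/sbin/shorewall` on all three lines; if the CLI can be installed under a configurable sbin directory, confirm that the installer rewrites this path (or that `/sbin` is guaranteed), since an unresolved ExecStart path makes the firewall unit fail to start, leaving the host without its IPv6 ruleset.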
diff --git a/Shorewall6/shorewall6.service.debian b/Shorewall6/shorewall6.service.debian
index ad0225d50..c311ed4d4 100644
--- a/Shorewall6/shorewall6.service.debian
+++ b/Shorewall6/shorewall6.service.debian
@@ -15,9 +15,9 @@ Type=oneshot
 RemainAfterExit=yes
 EnvironmentFile=-/etc/default/shorewall6
 StandardOutput=syslog
-ExecStart=/sbin/shorewall6 $OPTIONS start $STARTOPTIONS
-ExecStop=/sbin/shorewall6 $OPTIONS stop
-ExecReload=/sbin/shorewall6 $OPTIONS reload $RELOADOPTIONS
+ExecStart=/sbin/shorewall -6 $OPTIONS start $STARTOPTIONS
+ExecStop=/sbin/shorewall -6 $OPTIONS stop
+ExecReload=/sbin/shorewall -6 $OPTIONS reload $RELOADOPTIONS
 
 [Install]
 WantedBy=basic.target