holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

More work on the 'shorewall' man page

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4898 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2006-11-16 21:21:03 +00:00
parent 4b5e84078c
commit 90846ee683
1 changed files with 387 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

410
manpages/shorewall.xml
View File

@ -104,6 +104,8 @@
<command>dump</command>
<arg><option>-x</option></arg>
<arg><option>-m</option></arg>
</cmdsynopsis>
<cmdsynopsis>
@ -155,7 +157,7 @@
<command>ipcalc</command>
<group>
<group choice="req">
<arg choice="plain">address mask</arg>
<arg choice="plain">address/vlsm</arg>
@ -269,9 +271,9 @@
<arg>-options</arg>
<command>save-restart</command>
<command>restore</command>
<arg choice="opt">filename</arg>
<arg>filename</arg>
</cmdsynopsis>
<cmdsynopsis>
@ -279,9 +281,15 @@
<arg>-options</arg>
<command>save-start</command>
<command>safe-restart</command>
</cmdsynopsis>
<arg choice="opt">filename</arg>
<cmdsynopsis>
<command>shorewall</command>
<arg>-options</arg>
<command>safe-start</command>
</cmdsynopsis>
<cmdsynopsis>
@ -428,23 +436,20 @@
<refsect1>
<title>Commands</title>
<para>The available commands are listed below. The available
<emphasis>command-options</emphasis> and
<emphasis>command-arguments</emphasis> are listed with each
command.</para>
<para>The available commands are listed below.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">add</emphasis>
<emphasis>interface</emphasis>[:<emphasis>host-list</emphasis>] ...
<emphasis>zone</emphasis></term>
<term><emphasis role="bold">add</emphasis></term>
<listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used
with VPN's.</para>
<para>A <emphasis>host-list</emphasis> is the name of an interface
followed by a comma-separated list whose elements are:</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the shorewall-interfaces(5) file. A
<emphasis>host-list</emphasis> is comma-separated list whose
elements are:</para>
<programlisting> A host or network address
The name of a bridge port
@ -453,8 +458,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">allow</emphasis>
<emphasis>address</emphasis> ...</term>
<term><emphasis role="bold">allow</emphasis></term>
<listitem>
<para>Re-enables receipt of packets from hosts previously
@ -466,8 +470,7 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">check</emphasis> [ <emphasis
role="bold">-e</emphasis> ] [ <emphasis>directory</emphasis> ]</term>
<term><emphasis role="bold">check</emphasis></term>
<listitem>
<para>Compiles the configuraton in the specified
@ -484,7 +487,7 @@
</varlistentry>
<varlistentry>
<term>clear</term>
<term><emphasis role="bold">clear</emphasis></term>
<listitem>
<para>Clear will remove all rules and chains installed by Shorewall.
@ -495,11 +498,372 @@
</varlistentry>
<varlistentry>
<term><emphasis role="bold">compile</emphasis> [ -e ] [ directory ]
filename</term>
<term><emphasis role="bold">compile</emphasis></term>
<listitem>
<para></para>
<para>Compiles the current configuration into the executable file
<emphasis>pathname</emphasis>. If a directory is supplied, Shorewall
will look in that directory first for configuration files.</para>
<para>When -e is specified, the compilation is being performed on a
system other than where the compiled script will run. This option
disables certain configuration options that require the script to be
compiled where it is to be run. The use of -e requires the presense
of a configuration file named capabilities which may be produced
using the command <emphasis role="bold">shorewall-lite show -f
capabilities &gt; capabities</emphasis> on a system with Shorewall
Lite installed</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete</emphasis></term>
<listitem>
<para>The delete command reverses the effect of an earlier <emphasis
role="bold">add</emphasis> command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">drop</emphasis></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be silently dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">dump</emphasis></term>
<listitem>
<para>Produces a verbose report about the firewall configuration for
the purpose of problem analysis.</para>
<para>The <emphasis role="bold">-x</emphasis> option causes actual
packet and byte counts to be displayed. Without that option, these
counts are abbreviated. The <emphasis role="bold">-m</emphasis>
option causes any MAC addresses included in Shorewall log messages
to be displayed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">export</emphasis></term>
<listitem>
<para>If <emphasis>directory1</emphasis> is omitted, the current
working directory is assumed. </para>
<para>Allows a non-root user to compile a shorewall script and stage
it on a system (provided that the user has access to the system via
ssh). The command is equivalent to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory1</emphasis> <emphasis>directory1</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> directory1<emphasis role="bold">/firewall</emphasis> <emphasis>directory1</emphasis><emphasis
role="bold">/firewall.conf</emphasis> [<emphasis>user</emphasis>@]<emphasis
role="bold">system</emphasis>:[<emphasis>directory2</emphasis>]</programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall and firewall.conf
are copied to <emphasis>system</emphasis> using scp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">forget</emphasis></term>
<listitem>
<para>Deletes /var/lib/shorewall/<emphasis>filenam</emphasis>e and
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
given then the file specified by RESTOREFILE in shorewall.conf(5) is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">help</emphasis></term>
<listitem>
<para>Displays information about a particular
<emphasis>command</emphasis>. If no <emphasis>command</emphasis> is
given, a syntax summary is displayed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hits</emphasis></term>
<listitem>
<para>Generates several reports from Shorewall log messages in the
current log file.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipcalc</emphasis></term>
<listitem>
<para>Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the
input[s].</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iprange</emphasis></term>
<listitem>
<para>Iprange decomposes the specified range of IP addresses into
the equivalent list of network/host addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">load</emphasis></term>
<listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<emphasis>system</emphasis> using scp. If the copy succeeds,
Shorewall Lite on <emphasis>system</emphasis> is started via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">start</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<emphasis>directory</emphasis> using scp. This step is performed
before the configuration is compiled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logwatch</emphasis></term>
<listitem>
<para>Monitors the log file specified by theLOGFILE option in
shorewall.conf(5) and produces an audible alarm when new Shorewall
messages are logged. The <emphasis role="bold">-m</emphasis> option
causes the MAC address of each packet source to be displayed if that
information is available.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logreject</emphasis></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh</emphasis></term>
<listitem>
<para>The rules involving the the black list, ECN control rules, and
traffic shaping are recreated to reflect any changes made to your
configuration files. Existing connections are untouched.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reload</emphasis></term>
<listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
role="bold">'/sbin/shorewall-lite restart'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<emphasis>system</emphasis> using scp. If the copy succeeds,
Shorewall Lite on <emphasis>system</emphasis> is restarted via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">restart</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<emphasis>directory</emphasis> using scp. This step is performed
before the configuration is compiled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset</emphasis></term>
<listitem>
<para>All the packet and byte counters in the firewall are
reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">restart</emphasis></term>
<listitem>
<para>Restart is similar to <emphasis role="bold">shorewall
stop</emphasis> followed by <emphasis role="bold">shorewall
start</emphasis>. Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command, Shorewall
will look in that <emphasis>directory</emphasis> first for
configuration files.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">restore</emphasis></term>
<listitem>
<para>Restore Shorewall to a state saved using the <emphasis
role="bold">shorewall save</emphasis> command. Existing connections
are maintained. The <emphasis>filename</emphasis> names a restore
file in /var/lib/shorewall created using <emphasis
role="bold">shorewall save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall will be
restored from the file specified by the RESTOREFILE option in
shorewall.conf(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">safe-restart</emphasis></term>
<listitem>
<para>Only allowed if Shorewall is running. The current
configuration is saved in /var/lib/shorewall/safe-restart (see the
save command below) then a <emphasis role="bold">shorewall
restart</emphasis> is done. You will then be prompted asking if you
want to accept the new configuration or not. If you answer "n" or if
you fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), the
configuration is restored from the saved configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">safe-start</emphasis></term>
<listitem>
<para>Shorewall is started normally. You will then be prompted
asking if everything went all right. If you answer "n" or if you
fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), a
shorewall clear is performed for you.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">save</emphasis></term>
<listitem>
<para>The dynamic blacklist is stored in /var/lib/shorewall/save.
The state of the firewall is stored in
/var/lib/shorewall/<emphasis>filename</emphasis> for use by the
<emphasis role="bold">shorewall restore</emphasis> and <emphasis
role="bold">shorewall -f start</emphasis> commands. If
<emphasis>filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in
shorewall.conf(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">show</emphasis></term>
<listitem>
<para>The show command can have a number of different
arguments:</para>
<variablelist>
<varlistentry>
<term>[ <emphasis>chain</emphasis> ] ...</term>
<listitem>
<para>Using the <emphasis role="bold">iptables -L</emphasis>
<emphasis>chain</emphasis> <emphasis role="bold">-n
-v</emphasis> command, the rules in each
<emphasis>chain</emphasis> are displayed. If no
<emphasis>chain</emphasis> is given, all of the chains in the
filter table are displayed. The <emphasis
role="bold">-x</emphasis> option is passed directly through to
iptables.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term>
<listitem>
<para>Displays your kernel/iptables capabilities. The
<emphasis role="bold">-f</emphasis> option causes the display
to be formatted as a capabilities file for use with <emphasis
role="bold">compile -e</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">connections</emphasis></term>
<listitem>
<para>Displays the IP connections currently being tracked by
the firewall.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
</variablelist>
@ -514,7 +878,7 @@
<refsect1>
<title>See ALSO</title>
<para>shorewall(8), shorewall-accounting(5), shorewall-actions(5),
<para>shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),