Shorewall 2.0.2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1327 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb

Lrp2/etc/shorewall/hosts

@@ -14,6 +14,11 @@
 #	individual IP addresses. Most simple setups don't need to
 #	(should not) place anything in this file.
 #
+#	The order of entries in this file is not significant in
+#	determining zone composition. Rather, the order that the zones
+#	are defined in /etc/shorewall/zones determines the order in
+#	which the records in this file are interpreted. 
+#
 #	ZONE	- The name of a zone defined in /etc/shorewall/zones
 #
 #	HOST(S)	- The name of an interface  defined in the
@@ -49,10 +54,10 @@
 #				       an ethernet NIC and must be up before
 #				       Shorewall is started.
 #
-#			routeback    - Shorewall show set up the infrastructure
+#			routeback    - Shorewall should set up the infrastructure
 #				       to pass packets from this/these
 #				       address(es) back to themselves. This is
-#				       necessary of hosts in this group use the
+#				       necessary if hosts in this group use the
 #				       services of a transparent proxy that is
 #				       a member of the group or if DNAT is used
 #				       to send requests originating from this 

Lrp2/etc/shorewall/interfaces

@@ -115,11 +115,21 @@
 #				       established connection will be accepted
 #				       from this interface, even if 
 #				       NEWNOTSYN=No has been specified in
-#				       /etc/shorewall/shorewall.conf.
+#				       /etc/shorewall/shorewall.conf. In other
+#				       words, packets coming in on this interface
+#				       are processed as if NEWNOTSYN=Yes had been
+#				       specified in /etc/shorewall/shorewall.conf.
 #
 #				       This option has no effect if 
 #				       NEWNOTSYN=Yes.
 #
+#				       It is the opinion of the author that
+#			  	       NEWNOTSYN=No creates more problems than
+#				       it solves and I recommend against using 
+#				       that setting in shorewall.conf (hence 
+#				       making the use of the 'newnotsyn'
+#				       interface option unnecessary).
+#
 #			routeback    - If specified, indicates that Shorewall
 #				       should include rules that allow filtering
 #				       traffic arriving on this interface back

Lrp2/etc/shorewall/masq

@@ -55,6 +55,27 @@
 #				
 #				This column may not contain DNS Names.
 #
+#				If you want to leave this column empty
+#				but you need to specify the next column then
+#				place a hyphen ("-") here.
+#
+#	PROTO -- (Optional)     If you wish to restrict this entry to a
+#				particular protocol then enter the protocol
+#				name (from /etc/protocols) or number here.
+#
+#	PORT(S) -- (Optional)   If the PROTO column specifies TCP (protocol 6)
+#				or UDP (protocol 17) then you may list one
+#				or more port numbers (or names from
+#				/etc/services) separated by commas or you
+#				may list a single port range
+#				(<low port>:<high port>).
+#				
+#				Where a comma-separated list is given, your
+#				kernel and iptables must have multiport match
+#				support and a maximum of 15 ports may be 
+#				listed.
+#				
+#
 #	Example 1:
 #
 #		  You have a simple masquerading setup where eth0 connects to
@@ -94,6 +115,19 @@
 #
 #			eth0:0	192.168.1.0/24	206.124.146.176
 #
-##############################################################################
+#	Example 5:
-#INTERFACE	        SUBNET		ADDRESS
+#
+#		 You want all outgoing SMTP traffic entering the firewall
+#		 on eth1 to be sent from eth0 with source IP address 
+#		 206.124.146.177. You want all other outgoing traffic 
+#		 from eth1 to be sent from eth0 with source IP address
+#		 206.124.146.176.
+#
+#			eth0	eth1	206.124.146.177	tcp	smtp
+#			eth0	eth1	206.124.146.176
+#
+#		THE ORDER OF THE ABOVE TWO RULES IS SIGNIFICANT!!!!!
+#
+###############################################################################
+#INTERFACE	        SUBNET		ADDRESS		PROTO	PORT(S)
 #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

Lrp2/etc/shorewall/nat

@@ -29,8 +29,7 @@
 #                       If No or no (or left empty) then NAT will be effective
 #                       only through the interface named in the INTERFACE
 #                       column
-#       LOCAL           If Yes or yes and the ALL INTERFACES column contains
+#       LOCAL           If Yes or yes, NAT will be effective from the firewall
-#                       Yes or yes, NAT will be effective from the firewall
 #                       system
 ##############################################################################
 #EXTERNAL	INTERFACE	INTERNAL	ALL	 		LOCAL

Lrp2/etc/shorewall/rules

@@ -25,6 +25,13 @@
 #			LOG, QUEUE or an <action>.
 #
 #				ACCEPT   -- allow the connection request
+#				ACCEPT+  -- like ACCEPT but also excludes the
+#					    connection from any subsequent
+#					    DNAT[-] or REDIRECT[-] rules
+#				NONAT    -- Excludes the connection from any
+#					    subsequent DNAT[-] or REDIRECT[-]
+#					    rules but doesn't generate a rule
+#					    to accept the traffic.
 #				DROP     -- ignore the request
 #				REJECT   -- disallow the request and return an
 #					    icmp-unreachable or an RST packet.
@@ -70,6 +77,15 @@
 #			to a separate log through use of ulogd
 #			(http://www.gnumonks.org/projects/ulogd).
 #
+#			Actions specifying logging may be followed by a
+#			log tag (a string of alphanumeric characters)
+#			are appended to the string generated by the
+#			LOGPREFIX (in /etc/shorewall/shorewall.conf). 
+#
+#			Example: ACCEPT:info:ftp would include 'ftp '
+#			at the end of the log prefix generated by the
+#			LOGPREFIX setting.
+#
 #	SOURCE		Source hosts to which the rule applies. May be a zone
 #                       defined in /etc/shorewall/zones, $FW to indicate the
 #			firewall itself, or "all" If the ACTION is DNAT or

Lrp2/etc/shorewall/shorewall.conf

@@ -90,12 +90,21 @@ LOGFORMAT="Shorewall:%s:%s:"
 # maximum initial burst size that will be logged. If set empty, the default
 # value of 5 will be used.
 #
+# If BOTH variables are set empty then logging will not be rate-limited.
+#
 # Example:
 #
 #	LOGRATE=10/minute
 #	LOGBURST=5
 #
-# If BOTH variables are set empty then logging will not be rate-limited.
+# For each logging rule, the first time the rule is reached, the packet
+# will be logged; in fact, since the burst is 5, the first five packets
+# will be logged. After this, it will be 6 seconds (1 minute divided by
+# the rate of 10) before a message will be logged from the rule, regardless
+# of how many packets reach it. Also, every 6 seconds which passes without
+# matching a packet, one of the bursts will be regained; if no packets hit
+# the rule for 30 seconds, the burst will be fully recharged; back where
+# we started.
 #
 
 LOGRATE=
@@ -169,8 +178,10 @@ RFC1918_LOG_LEVEL=info
 # SMURF Log Level
 #
 # Specifies the logging level for smurf packets dropped by the
-#'nosmurfs' interface option in /etc/shorewall/interfaces. If set to the empty
+#'nosmurfs' interface option in /etc/shorewall/interfaces and in
-# value ( SMURF_LOG_LEVEL="" ) then dropped smurfs are not logged. 
+# /etc/shorewall/hosts. If set to the empty value ( SMURF_LOG_LEVEL=""
+# ) then dropped smurfs are not logged. 
+
 #
 # See the comment at the top of this section for a description of log levels
 #
@@ -181,8 +192,9 @@ SMURF_LOG_LEVEL=info
 # BOGON Log Level
 #
 # Specifies the logging level for bogon packets dropped by the
-#'nobogons' interface option in /etc/shorewall/interfaces. If set to the empty
+#'nobogons' interface option in /etc/shorewall/interfaces and in
-# value ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
+# /etc/shorewall/hosts. If set to the empty value
+# ( BOGON_LOG_LEVEL="" ) then packets whose TARGET is 'logdrop'
 # in /usr/share/shorewall/bogons are logged at the 'info' level.
 #
 # See the comment at the top of this section for a description of log levels
@@ -222,7 +234,7 @@ SUBSYSLOCK=/var/run/shorewall
 # it is running
 #
 
-STATEDIR=/tmp/shorewall
+STATEDIR=/var/state/shorewall
 
 #
 # KERNEL MODULE DIRECTORY
@@ -233,6 +245,19 @@ STATEDIR=/tmp/shorewall
 
 MODULESDIR=
 
+#
+# CONFIGURATION SEARCH PATH
+#
+# This option holds a list of directory names separated by colons
+# (":"). Shorewall will search each directory in turn when looking for a
+# configuration file. When processing a 'try' command or a command
+# containing the "-c" option, Shorewall will automatically add the
+# directory specified in the command to the front of this list.
+#
+# If not specified or specified as null ("CONFIG_PATH=""),
+# CONFIG_PATH=/etc/shorewall:/usr/share/shorewall is assumed.
+
+CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
 ################################################################################
 #                       F I R E W A L L   O P T I O N S
 ################################################################################
@@ -432,7 +457,7 @@ MUTEX_TIMEOUT=60
 # established connection.
 # 
 # If NEWNOTSYN is set to "No" or "no", then non-SYN packets that are not
-# part of an already established connection, it will be dropped by the
+# part of an already established connection will be dropped by the
 # firewall. The setting of LOGNEWNOTSYN above determines if these packets are
 # logged before they are dropped.
 #
@@ -444,7 +469,9 @@ MUTEX_TIMEOUT=60
 # also need to select NEWNOTSYN=Yes.
 #
 # The behavior of NEWNOTSYN=Yes may also be enabled on a per-interface basis 
-# using the 'newnotsyn' option in /etc/shorewall/interfaces.
+# using the 'newnotsyn' option in /etc/shorewall/interfaces and on a
+# network or host basis using the same option in /etc/shorewall/hosts.
+
 #
 # I find that NEWNOTSYN=No tends to result in lots of "stuck"
 # connections because any network timeout during TCP session tear down
@@ -510,9 +537,9 @@ BLACKLISTNEWONLY=Yes
 #
 # When loading a module named in /etc/shorewall/modules, Shorewall normally
 # looks in the MODULES DIRECTORY (see MODULESDIR above) for files whose names
-# end in ".o", ".ko", ".gz" or "o.gz". If your distribution uses a different
+# end in ".o", ".ko", ".gz", "o.gz" or "ko.gz" . If your distribution uses a
-# naming convention then you can specify the suffix (extension) for module 
+# different naming convention then you can specify the suffix (extension) for
-# names in this variable.
+# module names in this variable.
 #
 # To see what suffix is used by your distribution:
 #
@@ -551,6 +578,14 @@ DISABLE_IPV6=Yes
 #
 
 BRIDGING=No
+
+#
+# DYNAMIC ZONES
+#
+# If you need to be able to add and delete hosts from zones dynamically then
+# set DYNAMIC_ZONES=Yes. Otherwise, set DYNAMIC_ZONES=No.
+
+DYNAMIC_ZONES=No
 ################################################################################
 #                       P A C K E T   D I S P O S I T I O N
 ################################################################################
@@ -580,8 +615,9 @@ MACLIST_DISPOSITION=REJECT
 #
 # This variable determins the disposition of packets having an invalid
 # combination of TCP flags that are received on interfaces having the
-# 'tcpflags' option specified in /etc/shorewall/interfaces. If not specified
+# 'tcpflags' option specified in /etc/shorewall/interfaces or in
-# or specified as empty (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
+# /etc/shorewall/hosts. If not specified or specified as empty
+# (TCP_FLAGS_DISPOSITION="") then DROP is assumed.
 
 TCP_FLAGS_DISPOSITION=DROP
 

Lrp2/sbin/shorewall

@@ -80,6 +80,10 @@
 #						   "dropped" addresses so that it will
 #						   be automatically reinstated the
 #						   next time that Shorewall starts.
+#                                                  Save the current state so that 'shorewall
+#                                                  restore' can be used.
+#
+#          shorewall forget                        Discard the data saved by 'shorewall save'
 #
 #          shorewall ipaddr [ <address>/<cidr> | <address> <netmask> ]
 #
@@ -160,6 +164,7 @@ get_config() {
 	    exit 2
 	fi
     fi
+
 }
 
 #
@@ -530,7 +535,7 @@ help()
 #
 usage() # $1 = exit status
 {
-    echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] <command>"
+    echo "Usage: $(basename $0) [debug|trace] [nolock] [-c <directory>] [ -x ] [ -q ] <command>"
     echo "where <command> is one of:"
     echo "   add <interface>[:<host>] <zone>"
     echo "   allow <address> ..."
@@ -538,6 +543,7 @@ usage() # $1 = exit status
     echo "   clear"
     echo "   delete <interface>[:<host>] <zone>"
     echo "   drop <address> ..."
+    echo "   forget"
     echo "   help [ <command > | host | address ]"
     echo "   hits"
     echo "   ipcalc [ <address>/<vlsm> | <address> <netmask> ]"
@@ -548,6 +554,7 @@ usage() # $1 = exit status
     echo "   reject <address> ..."
     echo "   reset"
     echo "   restart"
+    echo "   restore"
     echo "   save"
     echo "   show [<chain> [ <chain> ... ]|classifiers|connections|log|nat|tc|tos]"
     echo "   start"
@@ -585,13 +592,24 @@ if [ $# -gt 0 ] && [ "$1" = "nolock" ]; then
 fi
 
 SHOREWALL_DIR=
+QUIET=
 IPT_OPTIONS="-nv"
+FAST=
+
 done=0
 
 while [ $done -eq 0 ]; do
     [ $# -eq 0 ] && usage 1
-    case $1 in
+    option=$1
-    -c)
+    case $option in
+	-*)
+	    option=${option#-}
+
+	    [ -z "$option" ] && usage 1
+	    
+	    while [ -n "$option" ]; do
+		case $option in
+		    c)
 			[ $# -eq 1 ] && usage 1
 
 			if [ ! -d $2 ]; then
@@ -603,11 +621,26 @@ while [ $done -eq 0 ]; do
 			fi
 			
 			SHOREWALL_DIR=$2
-	shift
+			option=
 			shift
 			;;
-    -x)
+		    x*)
 			IPT_OPTIONS="-xnv"
+			option=${option#x}
+			;;
+		    q*)
+			QUIET=Yes
+			option=${option#q}
+			;;
+		    f*)
+			FAST=Yes
+			option=${option#f}
+			;;
+		    *)
+			usage 1
+			;;
+		esac
+	    done
 	    shift
 	    ;;
 	*)
@@ -621,6 +654,7 @@ if [ $# -eq 0 ]; then
 fi
 
 [ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
+[ -n "$QUIET" ]         && export QUIET
 
 PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
 MUTEX_TIMEOUT=
@@ -638,6 +672,8 @@ else
     exit 2
 fi
 
+ensure_config_path
+
 config=$(find_file shorewall.conf)
 
 if [ -f $config ]; then
@@ -647,6 +683,10 @@ else
     exit 2
 fi
 
+ensure_config_path
+
+export CONFIG_PATH
+
 [ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
 
 if [ ! -f $FIREWALL ]; then
@@ -691,7 +731,23 @@ case $(echo -n "Testing") in
 esac
 
 case "$1" in
-    start|stop|restart|reset|clear|refresh|check)
+    start)
+	[ $# -ne 1 ] && usage 1
+	get_config
+	if [ -n "$FAST" ]; then
+	    if [ -f /var/lib/shorewall/restore ]; then
+		echo Restoring Shorewall...
+		. /var/lib/shorewall/restore
+		date > $STATEDIR/restarted
+		echo Shorewall restored
+	    else
+		exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
+	    fi
+        else
+	    exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock start
+	fi
+	;;
+    stop|restart|reset|clear|refresh|check)
 	[ $# -ne 1 ] && usage 1
 	get_config
 	exec $SHOREWALL_SHELL $FIREWALL $debugging $nolock $1
@@ -909,11 +965,24 @@ case "$1" in
     	[ -n "$debugging" ] && set -x
 	[ $# -ne 1 ] && usage 1
 	mutex_on
+
 	if qt iptables -L shorewall -n; then
 	    [ -d /var/lib/shorewall ] || mkdir /var/lib/shorewall
 
 	    if iptables -L dynamic -n > /var/lib/shorewall/save; then
-		echo "Dynamic Rules Saved"
+		echo "   Dynamic Rules Saved"
+		if [ -f /var/lib/shorewall/restore-base ]; then
+		    cp -f /var/lib/shorewall/restore-base /var/lib/shorewall/restore-$$
+		    if iptables-save >> /var/lib/shorewall/restore-$$ ; then
+			echo EOF >> /var/lib/shorewall/restore-$$
+			mv -f /var/lib/shorewall/restore-$$ /var/lib/shorewall/restore
+			chmod +x /var/lib/shorewall/restore
+			echo "   Currently-running Configuration Saved"
+                    else
+			rm -f /var/lib/shorewall/restore-$$
+			echo "   ERROR: Currently-running Configuration Not Saved"
+		    fi
+		fi
 	    else
 		echo "Error Saving the Dynamic Rules"
 	    fi
@@ -922,6 +991,11 @@ case "$1" in
 	fi
 	mutex_off
 	;;
+    forget)
+	rm -f /var/lib/shorewall/restore
+	rm -f /var/lib/shorewall/save
+	echo "   Previously saved information discarded"
+	;;
     ipcalc)
     	[ -n "$debugging" ] && set -x
 	if [ $# -eq 2 ]; then
@@ -957,6 +1031,16 @@ case "$1" in
 		;;
 	esac
 	;;
+    restore)
+	if [ -f /var/lib/shorewall/restore ]; then
+	    echo Restoring Shorewall...
+	    . /var/lib/shorewall/restore
+            echo Shorewall restored
+	else
+	    echo "File /var/lib/shorewall/restore: file not found"
+            exit 2
+        fi
+        ;;
     call) 
     	[ -n "$debugging" ] && set -x
 	#

Lrp2/usr/share/shorewall/bogons

@@ -46,13 +46,19 @@
 49.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 50.0.0.0/8		logdrop		# JTC - Returned to IANA Mar 98
 58.0.0.0/7		logdrop		# Reserved
-70.0.0.0/7		logdrop		# Reserved
+71.0.0.0/8		logdrop		# Reserved
 72.0.0.0/5		logdrop		# Reserved
-85.0.0.0/8		logdrop		# Reserved
+89.0.0.0/8		logdrop		# Reserved
-86.0.0.0/7		logdrop		# Reserved
+90.0.0.0/7		logdrop		# Reserved
-88.0.0.0/5		logdrop		# Reserved
+92.0.0.0/6		logdrop		# Reserved
 96.0.0.0/3		logdrop		# Reserved
 127.0.0.0/8		logdrop		# Loopback
+173.0.0.0/8		logdrop		# Reserved
+174.0.0.0/7		logdrop		# Reserved
+176.0.0.0/5		logdrop		# Reserved
+184.0.0.0/6		logdrop		# Reserved
+189.0.0.0/8		logdrop		# Reserved
+190.0.0.0/8		logdrop		# Reserved
 197.0.0.0/8		logdrop		# Reserved
 198.18.0.0/15		logdrop		# Reserved
 223.0.0.0/8		logdrop		# Reserved - Returned by APNIC in 2003

Lrp2/usr/share/shorewall/functions

@@ -82,11 +82,24 @@ fix_bang() {
     done
 }
 
+#
+# Set default config path
+#
+ensure_config_path() {
+    local F=/usr/share/shorewall/configpath
+    if [ -z "$CONFIG_PATH" ]; then
+	[ -f $F ] || { echo "   ERROR: $F does not exist"; exit 2; }
+	. $F
+    fi
+}
+   
 #
 # Find a File -- For relative file name, look first in $SHOREWALL_DIR then in /etc/shorewall
 #
 find_file()
 {
+    local saveifs= directory
+
     case $1 in
 	/*)
 	    echo $1
@@ -94,11 +107,19 @@ find_file()
 	*)
 	    if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/$1 ]; then
 		echo $SHOREWALL_DIR/$1
-	    elif [ -f /etc/shorewall/$1 ]; then
-		echo /etc/shorewall/$1
-	    elif [ -f /usr/share/shorewall/$1 ]; then
-		echo /usr/share/shorewall/$1
 	    else
+		saveifs=$IFS
+		IFS=:
+		for directory in $CONFIG_PATH; do
+		    if [ -f $directory/$1 ]; then
+			echo $directory/$1
+			IFS=$saveifs
+			return
+		    fi
+		done
+		
+		IFS=$saveifs
+		
 		echo /etc/shorewall/$1
 	    fi
 	    ;;
@@ -485,14 +506,14 @@ in_network() # $1 = IP address, $2 = CIDR network
 ip_vlsm() {
     local mask=$(decodeaddr $1)
     local vlsm=0
-    local x=$(( 128 $LEFTSHIFT 24 ))
+    local x=$(( 128 $LEFTSHIFT 24 )) # 0x80000000
 
     while [ $(( $x & $mask )) -ne 0 ]; do
-	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Don't Ask...
+	[ $mask -eq $x ] && mask=0 || mask=$(( $mask $LEFTSHIFT 1 )) # Not all shells shift 0x80000000 left properly.
 	vlsm=$(($vlsm + 1))
     done
 
-    if [ $(( $mask & 2147483647)) -ne 0 ]; then
+    if [ $(( $mask & 2147483647 )) -ne 0 ]; then # 2147483647 = 0x7fffffff
 	echo "Invalid net mask: $1" >&2
     else
 	echo $vlsm

Lrp2/usr/share/shorewall/help

@@ -116,6 +116,14 @@ drop)
     See also \"help address\""
 	;;
 
+forget)
+	echo "forget: forget
+    Deletes /var/lib/shorewall/save and /var/lib/shorewall/restore. Those
+    files are created by the 'shorewall save' command
+
+    See also \"help save\""
+	;;
+
 help)
 	echo "help: help [<command> | host | address ]
     Display helpful information about the shorewall commands."
@@ -147,15 +155,21 @@ logwatch)
 
 monitor)
 	echo "monitor: monitor [<refresh_interval>]
+
+    shorewall [-x] monitor [<refresh_interval>]
+
     Continuously display the firewall status, last 20 log entries and nat.
-    When the log entry display changes, an audible alarm is sounded."
+    When the log entry display changes, an audible alarm is sounded.
+
+    When -x is given, that option is also passed to iptables to display actual packet and byte counts."
 	;;
 
 refresh)
-	echo "refresh: refresh
+	echo "refresh: [ -q ] refresh
     The rules involving the broadcast addresses of firewall interfaces,
     the black list, traffic control rules and ECN control rules are recreated
-    to reflect any changes made.  Existing connections are untouched"
+    to reflect any changes made.  Existing connections are untouched
+    If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
 	;;
 
 reject)
@@ -173,26 +187,41 @@ reset)
 	;;
 
 restart)
-	echo "restart: restart [ -c <configuration-directory> ]
+	echo "restart: restart [ -q ] [ -c <configuration-directory> ]
     Restart is the same as a shorewall stop && shorewall start.
-    Existing connections are dropped."
+    Existing connections are maintained.
+    If \"-q\" is specified, less detain is displayed making it easier to spot warnings"
+	;;
+
+restore)
+	echo "restore: restore
+    Restore Shorewall to its last state saved using the 'save' command
+    Existing connections are maintained.
+
+    See also \"help save\" and \"help forget\""
 	;;
 
 save)
 	echo "save: save
-    The dynamic data is stored in /var/lib/shorewall/save
+    The dynamic data is stored in /var/lib/shorewall/save. The state of the 
-    Shorewall allow, drop, rejct and save implement dynamic blacklisting."
+    firewall is stored in /var/lib/shorewall/restore for use by the 'shorewall restore'
+    and 'shorewall -f start' commands.
+
+    Shorewall allow, drop, rejct and save implement dynamic blacklisting.
+
+    See also \"help restore\" and \"help forget\""
 	;;
 
 show)
-	echo "show: show [<chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
+	echo "show: show [ <chain> [ <chain> ...] |classifiers|connections|log|nat|tc|tos]
-    shorewall show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
+
+    shorewall [-x] show <chain> [ <chain> ... ]  - produce a verbose report about the IPtable chain(s).
     (iptables -L chain -n -v)
 
-    shorewall show nat - produce a verbose report about the nat table.
+    shorewall [-x] show nat - produce a verbose report about the nat table.
     (iptables -t nat -L -n -v)
 
-    shorewall show tos - produce a verbose report about the mangle table.
+    shorewall [-x] show tos - produce a verbose report about the mangle table.
     (iptables -t mangle -L -n -v)
 
     shorewall show log - display the last 20 packet log entries.
@@ -201,14 +230,18 @@ show)
 	being tracked by the firewall.
 
     shorewall show tc - displays information about the traffic
-	control/shaping configuration."
+	control/shaping configuration.
+
+    When -x is given, that option is also passed to iptables to display actual packet and byte counts."
 	;;
 
 start)
-	echo "start: start [ -c <configuration-directory> ]
+	echo "start: [ -q ] [ -f ] [ -c <configuration-directory> ] start
     Start shorewall.  Existing connections through shorewall managed
     interfaces are untouched.  New connections will be allowed only
-    if they are allowed by the firewall rules or policies."
+    if they are allowed by the firewall rules or policies.
+    If \"-q\" is specified, less detain is displayed making it easier to spot warnings
+    If \"-f\" is specified, the last saved configuraton if any will be restored"
 	;;
 
 stop)
@@ -221,9 +254,14 @@ stop)
 
 status)
 	echo "status: status
+
+    shorewall [-x] status
+
     Produce a verbose report about the firewall.
    
-    (iptables -L -n -v)"
+    (iptables -L -n -)
+
+    When -x is given, that option is also passed to iptables to display actual packet and byte counts."
 	;;
 
 trace)

Lrp2/usr/share/shorewall/version

@@ -1 +1 @@
-2.0.1
+2.0.2

Lrp2/var/lib/lrpkg/shorwall.list

@@ -2,4 +2,5 @@ etc/init.d/shorewall
 etc/shorewall
 sbin/shorewall
 usr/share/shorewall
+var/lib/shorewall
 var/lib/lrpkg/shorwall.*

Lrp2/var/lib/lrpkg/shorwall.version

@@ -1 +1 @@
-2.0.0-RC1
+2.0.2