From dae060bbb4158f32c17fe7e468b8412a262846c1 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 20 Nov 2016 13:03:13 -0800 Subject: [PATCH] Update shorewall(8) for single CLI Signed-off-by: Tom Eastep --- Shorewall/manpages/shorewall.xml | 405 +++++++++++++++++++++---------- 1 file changed, 275 insertions(+), 130 deletions(-) diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml index 0f6bf9fa2..e90c5c479 100644 --- a/Shorewall/manpages/shorewall.xml +++ b/Shorewall/manpages/shorewall.xml @@ -898,8 +898,8 @@ include shorewall commands in /etc/shorewall/started. - Beginning with Shorewall 5.0.15, the shorewall - command may also be used to control Shorewall6, Shorewall-lite and + Beginning with Shorewall 5.1.0, the shorewall + command is also be used to control Shorewall6, Shorewall-lite and Shorewall6-lite. @@ -923,9 +923,10 @@ When the Shorewall6 package is installed, the - option is used to cause shorewall commands to operate on the Shorewall6 - configuration. In other words, "shorewall -6 ..." is - equivalent to "shorewall6 ...". + option is used to cause shorewall commands to operate + on the Shorewall6 configuration. In other words, "shorewall -6 + ..." is equivalent to the 5.0 command "shorewall6 + ...". Similarly, when Shorewall is not installed but both Shorewall-lite and Shorewall6-lite are installed, the option causes @@ -936,10 +937,10 @@ and the corresponding -lite product(s) are installed, the option causes shorewall commands to operate on the -lite configuration rather than the standard configuration. - In other words "shorewall -l ..." is equivalent to - "shorewall-lite -l ..." and "shorewall -6l - ..." is equivalent to "shorewall6-lite - ...". + In other words "shorewall -l ..." is equivalent to the + 5.0 "shorewall-lite -l ..." command and + "shorewall -6l ..." is equivalent to + "shorewall6-lite ...". The remaining options control the amount of output that the command produces. They consist of a sequence of the 
@@ -978,7 +979,9 @@ The interface argument names an interface defined in the shorewall-interfaces(5) - file. A host-list is comma-separated list whose + (shorewall6-interfaces(5))file. + A host-list is comma-separated list whose elements are host or network addresses. The add command is not very robust. If there are errors in the host-list, @@ -991,12 +994,12 @@ Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5)) - allows a single ipset to handle entries for multiple interfaces. - When that option is specified for a zone, the add - command has the alternative syntax in which the - zone name precedes the - host-list. + url="/manpages/shorewall-zones.html">shorewall-zones(5),shorewall6-zones(5)) allows a single ipset to + handle entries for multiple interfaces. When that option is + specified for a zone, the add command has the + alternative syntax in which the zone name + precedes the host-list. @@ -1076,6 +1079,8 @@ [directory] + Not available with Shorewall[6]-lite. + Compiles the configuration in the specified directory and discards the compiled output script. If no directory is given, then @@ -1107,7 +1112,9 @@ contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)). @@ -1147,6 +1154,11 @@ When the second form of the command is used, the parameters must match those given in the earlier open command. + + This command requires that the firewall be in the started + state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf + (5). @@ -1157,6 +1169,8 @@ ] [ pathname ] + Not available with shorewall[6]-lite. + Compiles the current configuration into the executable file pathname. If a directory is supplied, Shorewall will 
@@ -1206,7 +1220,9 @@ contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)). @@ -1223,12 +1239,16 @@ The interface argument names an interface defined in the shorewall-interfaces(5) + (shorewall6-interfaces(5) file. A host-list is comma-separated list whose elements are a host or network address. Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones(5)) + url="/manpages/shorewall-zones.html">shorewall-zones(5), + shorewall6-zones(5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the delete command has the alternative syntax in @@ -1254,7 +1274,9 @@ may be either the logical or physical name of the interface. The command removes any routes added from shorewall-routes(5) - and any traffic shaping configuration for the interface. + (shorewall6-routes(5))and + any traffic shaping configuration for the interface. @@ -1264,7 +1286,10 @@ Causes traffic from the listed addresses - to be silently dropped. + to be silently dropped. This command requires that the firewall be + in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf + (5). @@ -1310,6 +1335,8 @@ command sets /proc entries for the interface, adds any route specified in shorewall-routes(5) + (shorewall6-routes(5)) and installs the interface's traffic shaping configuration, if any. @@ -1322,6 +1349,8 @@ ] + Not available with Shorewall[6]-lite. + If directory1 is omitted, the current working directory is assumed. @@ -1350,7 +1379,9 @@ Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If no filename is given then the file specified by RESTOREFILE in shorewall.conf(5) is + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)) is assumed. 
@@ -1370,7 +1401,8 @@ Generates several reports from Shorewall log messages in the current log file. If the option is included, the - reports are restricted to log messages generated today. + reports are restricted to log messages generated today. Not + available with Shorewall6[-lite]. @@ -1380,8 +1412,8 @@ Ipcalc displays the network address, broadcast address, - network in CIDR notation and netmask corresponding to the - input[s]. + network in CIDR notation and netmask corresponding to the input[s]. + Not available with Shorewall6[-lite]. @@ -1391,7 +1423,8 @@ Iprange decomposes the specified range of IP addresses into - the equivalent list of network/host addresses. + the equivalent list of network/host addresses. Not available with + Shorewall6[-lite]. @@ -1431,8 +1464,13 @@ Causes traffic from the listed addresses to be logged then discarded. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf - (5). + url="/manpages/shorewall.conf.html">shorewall.conf (5) + (shorewall6.conf(5)). + This command requires that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in shorewall.conf + (5). @@ -1443,6 +1481,8 @@ Monitors the log file specified by the LOGFILE option in shorewall.conf(5) + (shorewall6.conf(5)) and produces an audible alarm when new Shorewall messages are logged. The -m option causes the MAC address of each packet source to be displayed if that @@ -1463,8 +1503,13 @@ Causes traffic from the listed addresses to be logged then rejected. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in shorewall.conf - (5). + url="/manpages/shorewall.conf.html">shorewall.conf (5), + (shorewall6.conf(5)). + This command requires that the firewall be in the started state and + that DYNAMIC_BLACKLIST=Yes in shorewall.conf + (5). 
@@ -1551,6 +1596,8 @@ chain... ] + Not available with Shorewall[6]-lite. + All steps performed by restart are performed by refresh with the exception that refresh only recreates the chains specified in @@ -1605,7 +1652,10 @@ Causes traffic from the listed addresses - to be silently rejected. + to be silently rejected. This command requires that the firewall be + in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf + (5). 
@@ -1635,38 +1685,47 @@ be installed to use this option. The option causes the compiler to run - under the Perl debugger. + under the Perl debugger (Shorewall and Shorewall6 only). The option suppresses the compilation step and simply reused the compiled script which last started/restarted Shorewall, provided that /etc/shorewall and its contents have not - been modified since the last start/restart. + been modified since the last start/restart (Shorewall and Shorewall6 + only). The option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall.conf(5). When - both and are present, the - result is determined by the option that appears last. + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (Shorewall and Shorewall6 only). When both and + are present, the result is determined by the + option that appears last. The option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each - compiler-generated error and warning message. + compiler-generated error and warning message (Shorewall and + Shorewall6 only). The option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)). + This option is available in Shorewall and Shorewall6 only. The option was added in Shorewall 4.6.5 and is only meaningful when AUTOMAKE=Yes in shorewall.conf(5). If an - existing firewall script is used and if that script was the one that - generated the current running configuration, then the running - netfilter configuration will be reloaded as is so as to preserve the - iptables packet and byte counters. + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)). 
+ If an existing firewall script is used and if that script was the + one that generated the current running configuration, then the + running netfilter configuration will be reloaded as is so as to + preserve the iptables packet and byte counters. This option is + available in Shorewall and Shorewall6 only. @@ -1679,7 +1738,8 @@ This command was renamed from load in - Shorewall 5.0.0. + Shorewall 5.0.0 and is only available in Shorewall and + Shoreawall6. If directory is omitted, the current working directory is assumed. Allows a non-root user to compile a @@ -1704,8 +1764,9 @@ ssh. Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5) is assumed. In - that case, if you want to specify a + url="shorewall.conf.html">shorewall.conf(5) (shorewall6.conf(5)) is + assumed. In that case, if you want to specify a directory, then the option must be given. @@ -1747,7 +1808,8 @@ system ] - This command was added in Shorewall 5.0.0. + This command was added in Shorewall 5.0.0 and is only + available in Shorewall and Shorewall6. If directory is omitted, the current working directory is assumed. Allows a non-root user to compile a @@ -1772,8 +1834,9 @@ Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5) is assumed. In - that case, if you want to specify a + url="shorewall6.conf.html">shorewall6.conf(5) (shorewall6.conf(5)) is + assumed. In that case, if you want to specify a directory, then the option must be given. @@ -1802,7 +1865,9 @@ contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)). 
@@ -1816,7 +1881,8 @@ This command was renamed from reload in - Shorewall 5.0.0. + Shorewall 5.0.0 and is available in Shorewall and Shorewall6 + only. If directory is omitted, the current working directory is assumed. Allows a non-root user to compile a @@ -1841,8 +1907,9 @@ Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5) is assumed. In - that case, if you want to specify a + url="shorewall6.conf.html">shorewall6.conf(5) (shorewall6.conf(5)) is + assumed. In that case, if you want to specify a directory, then the option must be given. @@ -1871,7 +1938,9 @@ contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5). @@ -1904,7 +1973,8 @@ Beginning with Shorewall 5.0.0, this command performs a true restart. The firewall is completely stopped as if a stop command had been issued then it is started - again. + again. The command is available on Shorewall and Shorewall6 + only. If a directory is included in the command, Shorewall will look in that directory @@ -1966,7 +2036,9 @@ role="bold">shorewall save; if no filename is given then Shorewall will be restored from the file specified by the RESTOREFILE option in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)). If your iptables ruleset depends on variables that are @@ -2027,8 +2099,8 @@ Added in Shorewall 5.0.0, this command performs the same - function as did safe_restart in earlier - releases. + function as did safe_restart in earlier releases. + The command is available in Shorewall and Shorewall6 only. Only allowed if Shorewall is running. The current configuration is saved in /var/lib/shorewall/safe-reload (see the 
@@ -2058,16 +2130,17 @@ directory ] - Only allowed if Shorewall is running. The current - configuration is saved in /var/lib/shorewall/safe-restart (see the - save command below) then a shorewall - restart is done. You will then be prompted asking if you - want to accept the new configuration or not. If you answer "n" or if - you fail to answer within 60 seconds (such as when your new - configuration has disabled communication with your terminal), the - configuration is restored from the saved configuration. If a - directory is given, then Shorewall will look in that directory first - when opening configuration files. + Only allowed if Shorewall[6] is running and is not available + in Shorewall-lite and Shorewall6-lite. The current configuration is + saved in /var/lib/shorewall/safe-restart (see the save command + below) then a shorewall restart is + done. You will then be prompted asking if you want to accept the new + configuration or not. If you answer "n" or if you fail to answer + within 60 seconds (such as when your new configuration has disabled + communication with your terminal), the configuration is restored + from the saved configuration. If a directory is given, then + Shorewall will look in that directory first when opening + configuration files. Beginning with Shorewall 4.5.0, you may specify a different timeout value using the @@ -2101,6 +2174,9 @@ , or suffix (e.g., 5m) to specify seconds, minutes or hours respectively. If the suffix is omitted, seconds is assumed. + + This command is available in Shorewall and Shorewall6 + only. @@ -2116,7 +2192,9 @@ role="bold">shorewall -f start commands. If filename is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)). The option, added in Shorewall 4.6.5, causes the iptables packet and byte counters to be saved along with 
@@ -2131,7 +2209,9 @@ Added in shorewall 4.6.8. Performs the same action as the stop command with respect to saving ipsets (see the SAVE_IPSETS option in shorewall.conf (5)). + url="/manpages/shorewall.conf.html">shorewall.conf (5) + (shorewall6.conf(5)). This command may be used to proactively save your ipset contents in the event that a system failure occurs prior to issuing a stop command. @@ -2287,7 +2367,8 @@ Added in Shorewall 4.4.17. Displays the per-IP accounting counters (shorewall-accounting - (5)). + (5), shorewall6-accounting(5)). @@ -2298,7 +2379,9 @@ Displays the last 20 Shorewall messages from the log file specified by the LOGFILE option in shorewall.conf(5). + url="/manpages/shorewall.conf.html">shorewall.conf(5) + (shorewall6.conf(5)). The -m option causes the MAC address of each packet source to be displayed if that information is available. @@ -2310,7 +2393,7 @@ Displays information about each macro defined on the - firewall system. + firewall system (Shorewall and Shorewall6 only) @@ -2322,7 +2405,8 @@ Added in Shorewall 4.4.6. Displays the file that implements the specified macro (usually - /usr/share/shorewall/macro.macro). + /usr/share/shorewall/macro.macro). + Available only in Shorewall and Shorewall6. 
@@ -2440,59 +2524,114 @@ directory ] - Start shorewall. Existing connections through shorewall - managed interfaces are untouched. New connections will be allowed - only if they are allowed by the firewall rules or policies. If a - directory is included in the command, - Shorewall will look in that directory first for - configuration files. If -f is - specified, the saved configuration specified by the RESTOREFILE - option in shorewall.conf(5) will - be restored if that saved configuration exists and has been modified - more recently than the files in /etc/shorewall. When -f is given, a - directory may not be specified. + + + Shorewall and Shorewall6 - Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was - added to shorewall.conf(5). When - LEGACY_FASTSTART=No, the modification times of files in - /etc/shorewall are compared with that of /var/lib/shorewall/firewall - (the compiled script that last started/restarted the - firewall). + + Start shorewall[6]. Existing connections through + shorewall managed interfaces are untouched. New connections + will be allowed only if they are allowed by the firewall + rules or policies. If a directory + is included in the command, Shorewall will look in that + directory first for configuration + files. If -f is specified, + the saved configuration specified by the RESTOREFILE option + in shorewall.conf(5) + (shorewall6.conf(5)) + will be restored if that saved configuration exists and has + been modified more recently than the files in + /etc/shorewall. When -f is + given, a directory may not be + specified. - The option causes Shorewall to avoid - updating the routing table(s). + Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART + option was added to shorewall.conf(5) + (shorewall6.conf(5)). + When LEGACY_FASTSTART=No, the modification times of files in + /etc/shorewall are compared with that of + /var/lib/shorewall/firewall (the compiled script that last + started/restarted the firewall). 
- The option causes the connection tracking - table to be flushed; the conntrack utility must - be installed to use this option. + The option causes Shorewall to + avoid updating the routing table(s). - The option was added in Shorewall 4.4.20 - and performs the compilation step unconditionally, overriding the - AUTOMAKE setting in shorewall.conf(5). When - both and are present, the - result is determined by the option that appears last. + The option causes the connection + tracking table to be flushed; the + conntrack utility must be installed to + use this option. - The option was added in Shorewall 4.5.3 - and causes a Perl stack trace to be included with each - compiler-generated error and warning message. + The option was added in Shorewall + 4.4.20 and performs the compilation step unconditionally, + overriding the AUTOMAKE setting in shorewall.conf(5) + (shorewall6.conf(5)). + When both and are + present, the result is determined by the option that appears + last. - The -i option was added in Shorewall 4.6.0 and causes a - warning message to be issued if the current line contains - alternative input specifications following a semicolon (";"). Such - lines will be handled incorrectly if INLINE_MATCHES is set to Yes in - shorewall.conf(5). + The option was added in Shorewall + 4.5.3 and causes a Perl stack trace to be included with each + compiler-generated error and warning message. - The option was added in Shorewall 4.6.5 - and is only meaningful when the option is also - specified. If the previously-saved configuration is restored, and if - the option was also specified in the save command, then the packet and byte - counters will be restored. + The -i option was added in Shorewall 4.6.0 and causes + a warning message to be issued if the current line contains + alternative input specifications following a semicolon + (";"). Such lines will be handled incorrectly if + INLINE_MATCHES is set to Yes in shorewall.conf(5) + (shorewall6.conf(5)). 
+ + The option was added in Shorewall + 4.6.5 and is only meaningful when the + option is also specified. If the previously-saved + configuration is restored, and if the + option was also specified in the save command, then the packet and + byte counters will be restored. + + + + + Shorewall-lite and Shorewall6-lite + + + Start Shorewall[6] Lite. Existing connections through + shorewall[6]-lite managed interfaces are untouched. New + connections will be allowed only if they are allowed by the + firewall rules or policies. + + The option causes the connection + tracking table to be flushed; the + conntrack utility must be installed to + use this option. + + The option prevents the firewall + script from modifying the current routing + configuration. + + The option was added in Shorewall + 4.6.5. If the RESTOREFILE named in shorewall.conf(5) exists, + is executable and is not older than the current filewall + script, then that saved configuration is restored. + + The option was added in Shorewall + 4.6.5 and is only meaningful when the + option is also specified. If the previously-saved + configuration is restored, and if the + option was also specified in the save command, then the packet and + byte counters will be restored. + + + 
@@ -2539,18 +2678,21 @@ timeout ] - If Shorewall is started then the firewall state is saved to a - temporary saved configuration - (/var/lib/shorewall/.try). Next, if Shorewall - is currently started then a restart - command is issued using the specified configuration - directory; otherwise, a start command is performed using the - specified configuration directory. if an - error occurs during the compilation phase of the This command is available in Shorewall and Shorewall6 + only. + + If Shorewall[6] is started then the firewall state is saved to + a temporary saved configuration + (/var/lib/shorewall/.try). Next, if + Shorewall[6] is currently started then a restart command is issued using the specified + configuration directory; otherwise, a + start command is performed using + the specified configuration directory. if + an error occurs during the compilation phase of the restart or start, the command terminates without - changing the Shorewall state. If an error occurs during the + changing the Shorewall[6] state. If an error occurs during the restart phase, then a shorewall restore is performed using the saved configuration. If an error occurs during the directory ] + This command is available only in Shorewall and + Shorewall6. + Added in Shorewall 4.4.21 and causes the compiler to update /etc/shorewall/shorewall.conf then validate the configuration. The update will add options not present in
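Review bot: Grammar slip in the rewritten line of the -898 hunk, "command is also be used to control Shorewall6, Shorewall-lite and": one of "is" or "be" has to go, e.g. "command is also used to control Shorewall6, Shorewall-lite and".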
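Review bot: Missing space between the closing parenthesis and "file" in the -978 hunk, "(shorewall6-interfaces(5))file."; it should read "(shorewall6-interfaces(5)) file." While that sentence is being touched, "A host-list is comma-separated list" is also missing its article ("a comma-separated list").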
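Review bot: Missing space after the comma in "shorewall-zones(5),shorewall6-zones(5))" in the -991 hunk. The same reference in the delete command's -1223 hunk is written "shorewall-zones(5), shorewall6-zones(5))", so match that form.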
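Review bot: The new sentence in the -1147 hunk, "This command requires that the firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5).", cites only shorewall.conf(5), while every other shorewall.conf reference this patch touches gains a "(shorewall6.conf(5))" alternative; since the page now documents the Shorewall6 case as well, add it here and in the same sentence repeated in the drop (-1264), logdrop (-1431), logreject (-1463) and reject (-1605) hunks.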
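Review bot: Unbalanced parenthesis in the -1223 hunk, "(shorewall6-interfaces(5) file.": the parenthesis opened before shorewall6-interfaces is never closed. It should be "(shorewall6-interfaces(5)) file.", matching the add command's text in the -978 hunk.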
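Review bot: Missing space in "(shorewall6-routes(5))and" in the -1254 hunk; it should be "(shorewall6-routes(5)) and".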
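Review bot: Stray comma in the -1463 hunk, "shorewall.conf (5), (shorewall6.conf(5)).": the parallel logdrop text in the -1431 hunk writes "shorewall.conf (5) (shorewall6.conf(5))." without the comma, so make the two match.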
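Review bot: The -1635 hunk mixes two styles for the same restriction: most options get an inline "(Shorewall and Shorewall6 only)", but the -i paragraph gets a separate sentence "This option is available in Shorewall and Shorewall6 only." Pick one form. The unchanged context line "simply reused the compiled script" ("reuses") sits between lines this hunk rewrites and could be fixed in the same commit.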
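Review bot: Typo "Shoreawall6" in the -1679 hunk, "is only available in Shorewall and Shoreawall6."; should be "Shorewall6".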
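Review bot: The link in the -1704 hunk, url="shorewall.conf.html", lacks the "/manpages/" prefix that every other shorewall.conf link in this patch uses (url="/manpages/shorewall.conf.html"); either confirm the relative link resolves from this page or use the /manpages/ form for consistency.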
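Review bot: Duplicated manual reference in the -1772 hunk, "shorewall6.conf(5) (shorewall6.conf(5)) is assumed": the first reference should be shorewall.conf(5) (with its url pointing at shorewall.conf.html), with shorewall6.conf(5) as the parenthesised alternative, as the -1704 hunk does.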
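Review bot: Duplicated manual reference in the -1841 hunk as well, "shorewall6.conf(5) (shorewall6.conf(5)) is assumed": the first should be shorewall.conf(5) with its url pointing at shorewall.conf.html, leaving shorewall6.conf(5) as the parenthesised alternative.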
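Review bot: Unbalanced parenthesis in the -1871 hunk, "(shorewall6.conf(5).": the final ")" is missing, so it should read "(shorewall6.conf(5))." as in the other INLINE_MATCHES paragraphs this patch rewrites.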
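Review bot: The rewritten opening of the -2058 hunk, "Only allowed if Shorewall[6] is running and is not available in Shorewall-lite and Shorewall6-lite.", reads as though Shorewall[6] is the subject of "is not available". Split it: "Only allowed if Shorewall[6] is running. Not available in Shorewall-lite and Shorewall6-lite."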
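Review bot: Missing full stop at the end of the -2310 hunk's rewritten sentence, "firewall system (Shorewall and Shorewall6 only)".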
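Review bot: Typo "filewall" in the Shorewall-lite -f paragraph of the -2440 hunk ("not older than the current filewall script"). That paragraph also cites only shorewall.conf(5) for RESTOREFILE, while the Shorewall/Shorewall6 section directly above adds "(shorewall6.conf(5))"; since the new section covers Shorewall6-lite too, add the same alternative. Minor: "Start shorewall[6]." versus "Start Shorewall[6] Lite." capitalise the product name the same way in both sections.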
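Review bot: The -2539 hunk rewrites the sentence that begins "if an error occurs during the compilation phase of the" but keeps the lowercase "if" at the start of a sentence; capitalise it while the line is being changed.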