#!/bin/sh # # Shorewall help subsystem - V3.2 # # # This program is under GPL [http://www.gnu.org/copyleft/gpl.htm] # # (c) 2003-2006 - Tom Eastep (teastep@shorewall.net) # Steve Herber (herber@thing.com) # # This file should be placed in /usr/share/shorewall/help # # Shorewall documentation is available at http://shorewall.sourceforge.net # # This program is free software; you can redistribute it and/or modify # it under the terms of Version 2 of the GNU General Public License # as published by the Free Software Foundation. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software # Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA ################################################################################## case $1 in address|host) echo "<$1>: May be either a host IP address such as 192.168.1.4 or a network address in CIDR format like 192.168.1.0/24. If your kernel and iptables contain iprange match support then IP address ranges of the form - are also permitted. If your kernel and iptables contain ipset match support then you may specify the name of an ipset prefaced by "+". The name of the ipsec may be optionally followed by a number of levels of ipset bindings (1 - 6) that are to be followed" ;; allow) echo "allow: allow
... Re-enables receipt of packets from hosts previously blacklisted by a drop or reject command. Shorewall allow, drop, rejct and save implement dynamic blacklisting. See also \"help address\"" ;; check) echo "check: check [ -e ] [ ] Performs a cursory validation of the zones, interfaces, hosts, rules, policy, masq, blacklist, proxyarp, nat and provider files. Use this if you are unsure of any edits you have made to the shorewall configuration. See the try command examples for a recommended way to make changes. The \"-e\" option causes Shorewall to use the /etc/shorewall/capabilities file to determine the capabilities of the target system rather than probing for them on the local system." ;; clear) echo "clear: clear Clear will remove all rules and chains installed by Shoreline. The firewall is then wide open and unprotected. Existing connections are untouched. Clear is often used to see if the firewall is causing connection problems." ;; compile) echo "compile: compile [ -e ] [ ] Compiles the current configuration into the executable file . If names a file in /var/lib/shorewall then the file may be executed using the \"restore\" command. When -e is specified, the compilation is being performed on a system other than where the compiled script will run. This option disables certain configuration options that require the script to be compiled where it is to be run. Additional distributions are expected to be supported shortly." ;; debug) echo "debug: debug If you include the keyword debug as the first argument to any of these commands: start|stop|restart|reset|clear|refresh|check|compile then a shell trace of the command is produced. For example: shorewall debug start 2> /tmp/trace The above command would trace the 'start' command and place the trace information in the file /tmp/trace. The word 'trace' is a synonym for 'debug'." ;; drop) echo "$1: $1
... Causes packets from the specified
to be ignored Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; dump) echo "dump: dump shorewall [-x] dump Produce a verbose report about the firewall for problem analysis. (iptables -L -n -) When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; export) echo "export: export [ ] If is omitted, then the current working directory is assumed. Causes the shorewall configuration in to be compiled into a program called '/firewall'. If compilation is successful, the '/firewall' script is copied via scp to the specified is of the form [user@]:[] Example: shorewall export admin@gateway:~ This command would compile the configuration in the current working directory then copy the 'firewall' (and firewall.conf) files to admin's home directory on system 'gateway'" ;; forget) echo "forget: forget [ ] Deletes /var/lib/shorewall/. If no is given then the file specified by RESTOREFILE in shorewall.conf is removed. See also \"help save\"" ;; help) echo "help: help [ | host | address ] Display helpful information about the shorewall commands." ;; hits) echo "hits: hits Produces several reports about the Shorewall packet log messages in the current /var/log/messages file." ;; ipcalc) echo "ipcalc: ipcalc { address mask | address/vlsm } Ipcalc displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s]." ;; ipdecimal) echo "ipdecimal: ipdecimal { | } Converts an IP address into its 32-bit decimal equivalent and vice versa" ;; iprange) echo "iprange: iprange address1-address2 Iprange decomposes the specified range of IP addresses into the equivalent list of network/host addresses." ;; load) echo "load: load [ -s ] [ ] If is omitted, then the current working directory is assumed. Requires that Shorewall Lite be installed on the named . Causes the shorewall configuration in to be compiled into a program called '/firewall'. If compilation is successful, the '/firewall' script is copied via scp to the ${LITEDIR} directory on . If the script is copied successfully, Shorewall Lite on is started via ssh. If the -s option is given and Shorewall Lite starts successfully then ssh is used to execute 'shorewall-lite save' on " ;; logdrop) echo "$1: $1
... Causes packets from the specified
to be ignored and loged. Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; logwatch) echo "logwatch: logwatch [ -m ] [] Monitors the LOGFILE, $LOGFILE, and produces an audible alarm when new Shorewall messages are logged. If \"-m\" is specified, then MAC addresses in the log entries (if any) are displayed." ;; logreject) echo "$1: $1
... Causes packets from the specified
to be rejected and logged. Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; refresh) echo "refresh: refresh The rules involving the broadcast addresses of firewall interfaces, the black list, and ECN control rules are recreated to reflect any changes made. Existing connections are untouched." ;; reject) echo "$1: $1
... Causes packets from the specified
to be rejected Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help address\"" ;; reset) echo "reset: reset All the packet and byte counters in the firewall are reset." ;; reload) echo "reload: reload [ ] If is omitted, then the current working directory is assumed. Requires that Shorewall Lite be installed on the named . Causes the shorewall configuration in to be compiled into a program called '/firewall'. If compilation is successful, the '/firewall' script is copied via scp to the ${LITEDIR} directory on . If the script is copied successfully, Shorewall Lite on is restarted via ssh. If the -s option is given and Shorewall Lite restarts successfully then ssh is used to execute 'shorewall-lite save' on " ;; restart) echo "restart: restart [ -n ] [ ] Restart is the same as a shorewall stop && shorewall start. Existing connections are maintained. If \"-n\" is specified, no changes to routing will be made" ;; safe-restart) echo "safe-restart: safe-restart Restart the same way as a shorewall restart except that previous firewall configuration is backed up and will be restored if you notice any anomalies or you are not able to reach the firewall any more." ;; safe-start) echo "safe-start: safe-start Start the same way as a shorewall start except that in case of anomalies shorewall clear is issued. " ;; restore) echo "restore: restore [ -n ] [ ] Restore Shorewall to a state saved using the 'save' command Existing connections are maintained. The names a restore file in /var/lib/shorewall created using \"shorewall save\"; if no is given then Shorewall will be restored from the file specified by the RESTOREFILE option in shorewall.conf. If \"-n\" is specified, no changes to routing will be made. See also \"help save\", \"help compile\" and \"help forget\"" ;; save) echo "save: save [ ] The dynamic data is stored in /var/lib/shorewall/save. The state of the firewall is stored in /var/lib/shorewall/ for use by the 'shorewall restore' and 'shorewall -f start' commands. If is not given then the state is saved in the file specified by the RESTOREFILE option in shorewall.conf. Shorewall allow, drop, logdrop, logreject, reject and save implement dynamic blacklisting. See also \"help restore\" and \"help forget\"" ;; show) echo "show: show [ [ ...] |actions|capabilities|classifiers|config|connections|log|macros|mangle|nat|tc|zones] shorewall [-x] show [ ... ] - produce a verbose report about the IPtable chain(s). (iptables -L chain -n -v) shorewall show actions - produce a list of builtin actions and actions defined in /usr/share/shorewall/actions.std and /etc/shorewall shorewall [-x] show mangle - produce a verbose report about the mangle table. (iptables -t mangle -L -n -v) shorewall [-x] show nat - produce a verbose report about the nat table. (iptables -t nat -L -n -v) shorewall show [ -m ] log - display the last 20 packet log entries. If \"-m\" is specified, then MAC addresses in the log entries (if any) are displayed. shorewall show macros -- displays the standard macros. shorewall show connections - displays the IP connections currently being tracked by the firewall. shorewall show tc - displays information about the traffic control/shaping configuration. shorewall show zones - displays the contents of all zones. shorewall show [ -f ] capabilities - displays your kernel/iptables capabilities. When \"-f\" is specified, then the output is suitable for use as /etc/shorewall/capabilities. shorewall show config - displays the default CONFIG_PATH and LITEDIR for your distribution When -x is given, that option is also passed to iptables to display actual packet and byte counts." ;; start) echo "start: start [ -f ] [ -n ] [ ] Start shorewall. Existing connections through shorewall managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. If \"-f\" is specified, the saved configuration specified by the RESTOREFILE option in shorewall.conf will be restored if that saved configuration exists. In that case, a may not be specified. If \"-n\" is specified, no changes to routing will be made." ;; stop) echo "stop: stop Stops the firewall. All existing connections, except those listed in /etc/shorewall/routestopped, are taken down. The only new traffic permitted through the firewall is from systems listed in /etc/shorewall/routestopped." ;; status) echo "status: status shorewall status Displays the Shorewall status (running/not-running). Also displays the Shorewall state as shown in the state diagram at http://www.shorewall.net/starting_and_stopping_shorewall. The time and date when that state was reached is also displayed." ;; trace) echo "trace: trace If you include the keyword trace as the first argument to any of these commands: start|stop|restart|reset|clear|refresh|check|add|delete|compile then a shell trace of the command is produced. For example: shorewall trace start 2> /tmp/trace The above command would trace the 'start' command and place the trace information in the file /tmp/trace. The word 'debug' is a synonym for 'trace'." ;; try) echo "try: try [ -n ] [ ] Restart shorewall using the specified configuration. If an error occurs during the restart, then another shorewall restart is performed using the default configuration. If a timeout is specified then the restart is always performed after the timeout occurs and uses the default configuration. The \"-n\" option will be passed down to the underlying commands (see 'start', 'restart' and 'restore')" ;; version) echo "version: version Show the current shorewall version which is: $version" ;; *) echo "$1: $1 is not recognized by the help command" ;; esac exit 0 # always ok