<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" "http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd"> <refentry> <refmeta> <refentrytitle>shorewall-lite</refentrytitle> <manvolnum>8</manvolnum> </refmeta> <refnamediv> <refname>shorewall-lite</refname> <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall Lite)</refpurpose> </refnamediv> <refsynopsisdiv> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg rep="norepeat">-<replaceable>options</replaceable></arg> <arg choice="plain"><option>add</option></arg> <arg choice="plain" rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg> <arg choice="plain"><replaceable>zone</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>allow</option></arg> <arg choice="plain"><replaceable>address</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>clear</option><arg><option>-f</option></arg></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg rep="norepeat">-<replaceable>options</replaceable></arg> <arg choice="plain"><option>delete</option></arg> <arg choice="plain" rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg> <arg choice="plain"><replaceable>zone</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> 
<arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>disable</option></arg> <arg choice="plain">{ <replaceable>interface</replaceable> | <replaceable>provider</replaceable> }</arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>drop</option></arg> <arg choice="plain"><replaceable>address</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>dump</option></arg> <arg><option>-x</option></arg> <arg><option>-l</option></arg> <arg><option>-m</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>enable</option></arg> <arg choice="plain">{ <replaceable>interface</replaceable> | <replaceable>provider</replaceable> }</arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>forget</option></arg> <arg><replaceable>filename</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>help</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> 
<arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>hits</option><arg><option>-t</option></arg></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>ipcalc</option></arg> <group choice="req"> <arg choice="plain"><replaceable>address</replaceable> <replaceable>mask</replaceable></arg> <arg choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg> </group> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>iprange</option></arg> <arg choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>iptrace</option></arg> <arg choice="plain"><replaceable>iptables match expression</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>logdrop</option></arg> <arg choice="plain"><replaceable>address</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>logwatch</option></arg> <arg><option>-m</option></arg> <arg><replaceable>refresh-interval</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg 
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>logreject</option></arg> <arg choice="plain"><replaceable>address</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>noiptrace</option></arg> <arg choice="plain"><replaceable>iptables match expression</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>reject</option></arg> <arg choice="plain"><replaceable>address</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>reset</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>restart</option></arg> <arg><option>-n</option></arg> <arg><option>-p</option></arg> <arg><replaceable>directory</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>restore</option></arg> <arg><replaceable>filename</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg 
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>save</option></arg> <arg choice="opt"><replaceable>filename</replaceable></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>show</option></arg> <arg><option>-x</option></arg> <arg><option>-l</option></arg> <arg><option>-t</option> {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg> <arg><arg><option>chain</option></arg><arg choice="plain" rep="repeat"><replaceable>chain</replaceable></arg></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>show</option></arg> <arg><option>-f</option></arg> <arg choice="plain"><option>capabilities</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>show</option></arg> <arg choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>show</option></arg> <arg><option>-x</option></arg> <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg 
choice="plain"><option>show</option></arg> <arg choice="plain"><option>tc</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>show</option></arg> <arg><option>-m</option></arg> <arg choice="plain"><option>log</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>start</option></arg> <arg><option>-n</option></arg> <arg><option>-p</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>stop</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>status</option></arg> </cmdsynopsis> <cmdsynopsis> <command>shorewall-lite</command> <arg choice="opt"><option>trace</option>|<option>debug</option></arg> <arg>-<replaceable>options</replaceable></arg> <arg choice="plain"><option>version</option><arg><option>-a</option></arg></arg> </cmdsynopsis> </refsynopsisdiv> <refsect1> <title>Description</title> <para>The shorewall-lite utility is used to control the Shoreline Firewall Lite (Shorewall Lite).</para> </refsect1> <refsect1> <title>Options</title> <para>The <option>trace</option> and <option>debug</option> options are used for debugging. 
See <ulink url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para> <para>The <option>nolock</option> option prevents the command from attempting to acquire the Shorewall-lite lockfile. It is useful if you need to include <command>shorewall</command> commands in <filename>/etc/shorewall/started</filename>.</para> <para>The <emphasis>options</emphasis> control the amount of output that the command produces. They consist of a sequence of the letters <emphasis role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the options are omitted, the amount of output is determined by the setting of the VERBOSITY parameter in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis role="bold">v</emphasis> adds one to the effective verbosity and each <emphasis role="bold">q</emphasis> subtracts one from the effective VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed immediately with one of -1,0,1,2 to specify a specific VERBOSITY. There may be no white space between <emphasis role="bold">v</emphasis> and the VERBOSITY.</para> <para>The <emphasis>options</emphasis> may also include the letter <option>t</option> which causes all progress messages to be timestamped.</para> </refsect1> <refsect1> <title>Commands</title> <para>The available commands are listed below.</para> <variablelist> <varlistentry> <term><emphasis role="bold">add</emphasis></term> <listitem> <para>Adds a list of hosts or subnets to a dynamic zone, usually used with VPNs.</para> <para>The <emphasis>interface</emphasis> argument names an interface defined in the <ulink url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file. A <emphasis>host-list</emphasis> is a comma-separated list whose elements are host or network addresses.<caution> <para>The <command>add</command> command is not very robust. 
If there are errors in the <replaceable>host-list</replaceable>, you may see a large number of error messages yet a subsequent <command>shorewall-lite show zones</command> command will indicate that all hosts were added. If this happens, replace <command>add</command> by <command>delete</command> and run the same command again. Then enter the correct command.</para> </caution></para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">allow</emphasis></term> <listitem> <para>Re-enables receipt of packets from hosts previously blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis role="bold">logdrop</emphasis>, <emphasis role="bold">reject</emphasis>, or <emphasis role="bold">logreject</emphasis> command.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">clear</emphasis></term> <listitem> <para>Clear will remove all rules and chains installed by Shorewall-lite. The firewall is then wide open and unprotected. Existing connections are untouched. Clear is often used to see if the firewall is causing connection problems.</para> <para>If <option>-f</option> is given, the command will be processed by the compiled script that executed the last successful <emphasis role="bold">start</emphasis>, <emphasis role="bold">restart</emphasis> or <emphasis role="bold">refresh</emphasis> command if that script exists.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">delete</emphasis></term> <listitem> <para>The delete command reverses the effect of an earlier <emphasis role="bold">add</emphasis> command.</para> <para>The <emphasis>interface</emphasis> argument names an interface defined in the <ulink url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5) file. 
A <emphasis>host-list</emphasis> is a comma-separated list whose elements are host or network addresses.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">disable</emphasis></term> <listitem> <para>Added in Shorewall 4.4.26. Disables the optional provider associated with the specified <replaceable>interface</replaceable> or <replaceable>provider</replaceable>. Where more than one provider shares a single network interface, a <replaceable>provider</replaceable> name must be given.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">drop</emphasis></term> <listitem> <para>Causes traffic from the listed <emphasis>address</emphasis>es to be silently dropped.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">dump</emphasis></term> <listitem> <para>Produces a verbose report about the firewall configuration for the purpose of problem analysis.</para> <para>The <emphasis role="bold">-x</emphasis> option causes actual packet and byte counts to be displayed. Without that option, these counts are abbreviated. The <emphasis role="bold">-m</emphasis> option causes any MAC addresses included in Shorewall-lite log messages to be displayed.</para> <para>The <emphasis role="bold">-l</emphasis> option causes the rule number for each Netfilter rule to be displayed.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">enable</emphasis></term> <listitem> <para>Added in Shorewall 4.4.26. Enables the optional provider associated with the specified <replaceable>interface</replaceable> or <replaceable>provider</replaceable>. Where more than one provider shares a single network interface, a <replaceable>provider</replaceable> name must be given.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">forget</emphasis></term> <listitem> <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis> and /var/lib/shorewall-lite/save. 
If no <emphasis>filename</emphasis> is given then the file specified by RESTOREFILE in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) is assumed.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">help</emphasis></term> <listitem> <para>Displays a syntax summary.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">hits</emphasis></term> <listitem> <para>Generates several reports from Shorewall-lite log messages in the current log file. If the <option>-t</option> option is included, the reports are restricted to log messages generated today.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">ipcalc</emphasis></term> <listitem> <para>Ipcalc displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s].</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">iprange</emphasis></term> <listitem> <para>Iprange decomposes the specified range of IP addresses into the equivalent list of network/host addresses.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">iptrace</emphasis></term> <listitem> <para>This is a low-level debugging command that causes iptables TRACE log records to be created. See iptables(8) for details.</para> <para>The <replaceable>iptables match expression</replaceable> must be one or more matches that may appear in both the raw table OUTPUT and raw table PREROUTING chains.</para> <para>The trace records are written to the kernel's log buffer with facility = kernel and priority = warning, and they are routed from there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) 
-- Shorewall-lite has no control over where the messages go; consult your logging daemon's documentation.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">logdrop</emphasis></term> <listitem> <para>Causes traffic from the listed <emphasis>address</emphasis>es to be logged then discarded. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">logwatch</emphasis></term> <listitem> <para>Monitors the log file specified by the LOGFILE option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and produces an audible alarm when new Shorewall-lite messages are logged. The <emphasis role="bold">-m</emphasis> option causes the MAC address of each packet source to be displayed if that information is available. The <replaceable>refresh-interval</replaceable> specifies the time in seconds between screen refreshes. You can enter a negative number by preceding the number with "--" (e.g., <command>shorewall-lite logwatch -- -30</command>). In this case, when a packet count changes, you will be prompted to hit any key to resume screen refreshes.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">logreject</emphasis></term> <listitem> <para>Causes traffic from the listed <emphasis>address</emphasis>es to be logged then rejected. 
Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in <ulink url="shorewall.conf.html">shorewall.conf</ulink> (5).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">noiptrace</emphasis></term> <listitem> <para>This is a low-level debugging command that cancels a trace started by a preceding <command>iptrace</command> command.</para> <para>The <replaceable>iptables match expression</replaceable> must be one given in the <command>iptrace</command> command being cancelled.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">reset</emphasis></term> <listitem> <para>All the packet and byte counters in the firewall are reset.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">restart</emphasis></term> <listitem> <para>Restart is similar to <emphasis role="bold">shorewall-lite start</emphasis> except that it assumes that the firewall is already started. Existing connections are maintained.</para> <para>The <option>-n</option> option causes Shorewall-lite to avoid updating the routing table(s).</para> <para>The <option>-p</option> option causes the connection tracking table to be flushed; the <command>conntrack</command> utility must be installed to use this option.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">restore</emphasis></term> <listitem> <para>Restore Shorewall-lite to a state saved using the <emphasis role="bold">shorewall-lite save</emphasis> command. Existing connections are maintained. 
The <emphasis>filename</emphasis> names a restore file in /var/lib/shorewall-lite created using <emphasis role="bold">shorewall-lite save</emphasis>; if no <emphasis>filename</emphasis> is given then Shorewall-lite will be restored from the file specified by the RESTOREFILE option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">save</emphasis></term> <listitem> <para>The dynamic blacklist is stored in /var/lib/shorewall-lite/save. The state of the firewall is stored in /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the <emphasis role="bold">shorewall-lite restore</emphasis> command. If <emphasis>filename</emphasis> is not given then the state is saved in the file specified by the RESTOREFILE option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">show</emphasis></term> <listitem> <para>The show command can have a number of different arguments:</para> <variablelist> <varlistentry> <term><emphasis role="bold">capabilities</emphasis></term> <listitem> <para>Displays your kernel/iptables capabilities. The <emphasis role="bold">-f</emphasis> option causes the display to be formatted as a capabilities file for use with <emphasis role="bold">compile -e</emphasis>.</para> </listitem> </varlistentry> <varlistentry> <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>... ]</term> <listitem> <para>The rules in each <emphasis>chain</emphasis> are displayed using the <emphasis role="bold">iptables -L</emphasis> <emphasis>chain</emphasis> <emphasis role="bold">-n -v</emphasis> command. If no <emphasis>chain</emphasis> is given, all of the chains in the filter table are displayed. The <emphasis role="bold">-x</emphasis> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. Without this option, those counts are abbreviated. 
The <emphasis role="bold">-t</emphasis> option specifies the Netfilter table to display. The default is <emphasis role="bold">filter</emphasis>.</para> <para>The <emphasis role="bold">-l</emphasis> option causes the rule number for each Netfilter rule to be displayed.</para> <para>If the <emphasis role="bold">-t</emphasis> option and the <option>chain</option> keyword are both omitted and any of the listed <replaceable>chain</replaceable>s do not exist, a usage message is displayed.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">classifiers|filters</emphasis></term> <listitem> <para>Displays information about the packet classifiers defined on the system as a result of traffic shaping configuration.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">config</emphasis></term> <listitem> <para>Displays distribution-specific defaults.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">connections</emphasis></term> <listitem> <para>Displays the IP connections currently being tracked by the firewall.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">ip</emphasis></term> <listitem> <para>Displays the system's IPv4 configuration.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">ipa</emphasis></term> <listitem> <para>Added in Shorewall 4.4.17. Displays the per-IP accounting counters (<ulink url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>(5)).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">log</emphasis></term> <listitem> <para>Displays the last 20 Shorewall-lite messages from the log file specified by the LOGFILE option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5). 
The <emphasis role="bold">-m</emphasis> option causes the MAC address of each packet source to be displayed if that information is available.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">marks</emphasis></term> <listitem> <para>Added in Shorewall 4.4.26. Displays the various fields in packet marks giving the min and max value (in both decimal and hex) and the applicable mask (in hex).</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">nat</emphasis></term> <listitem> <para>Displays the Netfilter nat table using the command <emphasis role="bold">iptables -t nat -L -n -v</emphasis>. The <emphasis role="bold">-x</emphasis> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. Without this option, those counts are abbreviated.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">policies</emphasis></term> <listitem> <para>Added in Shorewall 4.4.4. Displays the applicable policy between each pair of zones. Note that implicit intrazone ACCEPT policies are not displayed for zones associated with a single network where that network doesn't specify <option>routeback</option>.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">routing</emphasis></term> <listitem> <para>Displays the system's IPv4 routing configuration.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">raw</emphasis></term> <listitem> <para>Displays the Netfilter raw table using the command <emphasis role="bold">iptables -t raw -L -n -v</emphasis>. The <emphasis role="bold">-x</emphasis> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. 
Without this option, those counts are abbreviated.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">tc</emphasis></term> <listitem> <para>Displays information about queuing disciplines, classes and filters.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">zones</emphasis></term> <listitem> <para>Displays the current composition of the Shorewall zones on the system.</para> </listitem> </varlistentry> </variablelist> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">start</emphasis></term> <listitem> <para>Start Shorewall Lite. Existing connections through shorewall-lite managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies.</para> <para>The <option>-p</option> option causes the connection tracking table to be flushed; the <command>conntrack</command> utility must be installed to use this option.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">stop</emphasis></term> <listitem> <para>Stops the firewall. All existing connections, except those listed in <ulink url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5) or permitted by the ADMINISABSENTMINDED option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down. 
The only new traffic permitted through the firewall is from systems listed in <ulink url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5) or by ADMINISABSENTMINDED.</para> <para>If <option>-f</option> is given, the command will be processed by the compiled script that executed the last successful <emphasis role="bold">start</emphasis>, <emphasis role="bold">restart</emphasis> or <emphasis role="bold">refresh</emphasis> command if that script exists.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">status</emphasis></term> <listitem> <para>Produces a short report about the state of the Shorewall-configured firewall.</para> </listitem> </varlistentry> <varlistentry> <term><emphasis role="bold">version</emphasis></term> <listitem> <para>Displays Shorewall's version. The <option>-a</option> option is included for compatibility with earlier Shorewall releases and is ignored.</para> </listitem> </varlistentry> </variablelist> </refsect1> <refsect1> <title>FILES</title> <para>/etc/shorewall-lite/</para> </refsect1> <refsect1> <title>SEE ALSO</title> <para><ulink url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para> <para>shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</para> </refsect1> </refentry>