<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
  <refmeta>
    <refentrytitle>shorewall-lite</refentrytitle>

    <manvolnum>8</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>shorewall-lite</refname>

    <refpurpose>Administration tool for Shoreline Firewall Lite (Shorewall
    Lite)</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg rep="norepeat">-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>add</option></arg>

      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>

      <arg choice="plain"><replaceable>zone</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>allow</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg
      choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg rep="norepeat">-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>delete</option></arg>

      <arg choice="plain"
      rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>

      <arg choice="plain"><replaceable>zone</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>disable</option></arg>

      <arg choice="plain">{ <replaceable>interface</replaceable> |
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>drop</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>dump</option></arg>

      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>

      <arg><option>-m</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>enable</option></arg>

      <arg choice="plain">{ <replaceable>interface</replaceable> |
      <replaceable>provider</replaceable> }</arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>forget</option></arg>

      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>help</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg
      choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>ipcalc</option></arg>

      <group choice="req">
        <arg choice="plain"><replaceable>address</replaceable>
        <replaceable>mask</replaceable></arg>

        <arg
        choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
      </group>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>iprange</option></arg>

      <arg
      choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>iptrace</option></arg>

      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>logdrop</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>logwatch</option></arg>

      <arg><option>-m</option></arg>

      <arg><replaceable>refresh-interval</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>logreject</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>noiptrace</option></arg>

      <arg choice="plain"><replaceable>iptables match
      expression</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>reject</option></arg>

      <arg choice="plain"><replaceable>address</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>reset</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>restart</option></arg>

      <arg><option>-n</option></arg>

      <arg><option>-p</option></arg>

      <arg><replaceable>directory</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>restore</option></arg>

      <arg><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>save</option></arg>

      <arg choice="opt"><replaceable>filename</replaceable></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>show</option></arg>

      <arg><option>-x</option></arg>

      <arg><option>-l</option></arg>

      <arg><option>-t</option>
      {<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>

      <arg><arg><option>chain</option></arg><arg choice="plain"
      rep="repeat"><replaceable>chain</replaceable></arg></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>show</option></arg>

      <arg><option>-f</option></arg>

      <arg choice="plain"><option>capabilities</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>show</option></arg>

      <arg
      choice="req"><option>classifiers|connections|config|filters|ip|ipa|zones|policies|marks</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>show</option></arg>

      <arg><option>-x</option></arg>

      <arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>show</option></arg>

      <arg choice="plain"><option>tc</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>show</option></arg>

      <arg><option>-m</option></arg>

      <arg choice="plain"><option>log</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>start</option></arg>

      <arg><option>-n</option></arg>

      <arg><option>-p</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg
      choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>stop</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg choice="plain"><option>status</option></arg>
    </cmdsynopsis>

    <cmdsynopsis>
      <command>shorewall-lite</command>

      <arg choice="opt"><option>trace</option>|<option>debug</option></arg>

      <arg>-<replaceable>options</replaceable></arg>

      <arg
      choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para>The shorewall-lite utility is used to control the Shoreline Firewall
    Lite (Shorewall Lite).</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The <option>trace</option> and <option>debug</option> options are
    used for debugging. See <ulink
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>

    <para>The <option>nolock</option> option prevents the command from
    attempting to acquire the Shorewall-lite lockfile. It is useful if you
    need to include <command>shorewall</command> commands in
    <filename>/etc/shorewall/started</filename>.</para>

    <para>The <emphasis>options</emphasis> control the amount of output that
    the command produces. They consist of a sequence of the letters <emphasis
    role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
    options are omitted, the amount of output is determined by the setting of
    the VERBOSITY parameter in <ulink
    url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
    role="bold">v</emphasis> adds one to the effective verbosity and each
    <emphasis role="bold">q</emphasis> subtracts one from the effective
    VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
    immediately by one of -1,0,1,2 to specify a specific VERBOSITY. There may
    be no white space between <emphasis role="bold">v</emphasis> and the
    VERBOSITY.</para>

    <para>The <emphasis>options</emphasis> may also include the letter
    <option>t</option> which causes all progress messages to be
    timestamped.</para>
  </refsect1>

  <refsect1>
    <title>Commands</title>

    <para>The available commands are listed below.</para>

    <variablelist>
      <varlistentry>
        <term><emphasis role="bold">add</emphasis></term>

        <listitem>
          <para>Adds a list of hosts or subnets to a dynamic zone, usually used
          with VPNs.</para>

          <para>The <emphasis>interface</emphasis> argument names an interface
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is a comma-separated list whose
          elements are host or network addresses.<caution>
              <para>The <command>add</command> command is not very robust. If
              there are errors in the <replaceable>host-list</replaceable>,
              you may see a large number of error messages yet a subsequent
              <command>shorewall-lite show zones</command> command will
              indicate that all hosts were added. If this happens, replace
              <command>add</command> by <command>delete</command> and run the
              same command again. Then enter the correct command.</para>
            </caution></para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">allow</emphasis></term>

        <listitem>
          <para>Re-enables receipt of packets from hosts previously
          blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
          role="bold">logdrop</emphasis>, <emphasis
          role="bold">reject</emphasis>, or <emphasis
          role="bold">logreject</emphasis> command.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">clear</emphasis></term>

        <listitem>
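          <para>Clear will remove all rules and chains installed by
          Shorewall-lite. The firewall is then wide open and unprotected.
          Existing connections are untouched. Clear is often used to see if
          the firewall is causing connection problems. Because the system
          stays unprotected until the rules are reinstalled, run
          <command>shorewall-lite start</command> as soon as the test is
          complete.</para>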

          <para>If <option>-f</option> is given, the command will be processed
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">delete</emphasis></term>

        <listitem>
          <para>The delete command reverses the effect of an earlier <emphasis
          role="bold">add</emphasis> command.</para>

          <para>The <emphasis>interface</emphasis> argument names an interface
          defined in the <ulink
          url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
          file. A <emphasis>host-list</emphasis> is a comma-separated list whose
          elements are a host or network address.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">disable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Disables the optional provider
          associated with the specified <replaceable>interface</replaceable>
          or <replaceable>provider</replaceable>. Where more than one provider
          shares a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">drop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be silently dropped.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">dump</emphasis></term>

        <listitem>
          <para>Produces a verbose report about the firewall configuration for
          the purpose of problem analysis.</para>

          <para>The <emphasis role="bold">-x</emphasis> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <emphasis role="bold">-m</emphasis>
          option causes any MAC addresses included in Shorewall-lite log
          messages to be displayed.</para>

          <para>The <emphasis role="bold">-l</emphasis> option causes the rule
          number for each Netfilter rule to be displayed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">enable</emphasis></term>

        <listitem>
          <para>Added in Shorewall 4.4.26. Enables the optional provider
          associated with the specified <replaceable>interface</replaceable>
          or <replaceable>provider</replaceable>. Where more than one provider
          shares a single network interface, a
          <replaceable>provider</replaceable> name must be given.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">forget</emphasis></term>

        <listitem>
          <para>Deletes /var/lib/shorewall-lite/<emphasis>filename</emphasis>
          and /var/lib/shorewall-lite/save. If no
          <emphasis>filename</emphasis> is given then the file specified by
          RESTOREFILE in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5) is
          assumed.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">help</emphasis></term>

        <listitem>
          <para>Displays a syntax summary.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">hits</emphasis></term>

        <listitem>
          <para>Generates several reports from Shorewall-lite log messages in
          the current log file. If the <option>-t</option> option is included,
          the reports are restricted to log messages generated today.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">ipcalc</emphasis></term>

        <listitem>
          <para>Ipcalc displays the network address, broadcast address,
          network in CIDR notation and netmask corresponding to the
          input[s].</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">iprange</emphasis></term>

        <listitem>
          <para>Iprange decomposes the specified range of IP addresses into
          the equivalent list of network/host addresses.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">iptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that causes iptables
          TRACE log records to be created. See iptables(8) for details.</para>

          <para>The <replaceable>iptables match expression</replaceable> must
          be one or more matches that may appear in both the raw table OUTPUT
          and raw table PREROUTING chains.</para>

          <para>The trace records are written to the kernel's log buffer with
          facility = kernel and priority = warning, and they are routed from
          there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
          Shorewall-lite has no control over where the messages go; consult
          your logging daemon's documentation.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">logdrop</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be logged then discarded. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">logwatch</emphasis></term>

        <listitem>
          <para>Monitors the log file specified by the LOGFILE option in
          <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
          produces an audible alarm when new Shorewall-lite messages are
          logged. The <emphasis role="bold">-m</emphasis> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
          <replaceable>refresh-interval</replaceable> specifies the time in
          seconds between screen refreshes. You can enter a negative number by
          preceding the number with "--" (e.g., <command>shorewall-lite
          logwatch -- -30</command>). In this case, when a packet count
          changes, you will be prompted to hit any key to resume screen
          refreshes.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">logreject</emphasis></term>

        <listitem>
          <para>Causes traffic from the listed <emphasis>address</emphasis>es
          to be logged then rejected. Logging occurs at the log level
          specified by the BLACKLIST_LOGLEVEL setting in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">noiptrace</emphasis></term>

        <listitem>
          <para>This is a low-level debugging command that cancels a trace
          started by a preceding <command>iptrace</command> command.</para>

          <para>The <replaceable>iptables match expression</replaceable> must
          be one given in the <command>iptrace</command> command being
          cancelled.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">reset</emphasis></term>

        <listitem>
          <para>All the packet and byte counters in the firewall are
          reset.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">restart</emphasis></term>

        <listitem>
          <para>Restart is similar to <emphasis role="bold">shorewall-lite
          start</emphasis> except that it assumes that the firewall is already
          started. Existing connections are maintained.</para>

          <para>The <option>-n</option> option causes Shorewall-lite to avoid
          updating the routing table(s).</para>

          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">restore</emphasis></term>

        <listitem>
          <para>Restore Shorewall-lite to a state saved using the <emphasis
          role="bold">shorewall-lite save</emphasis> command. Existing
          connections are maintained. The <emphasis>filename</emphasis> names
          a restore file in /var/lib/shorewall-lite created using <emphasis
          role="bold">shorewall-lite save</emphasis>; if no
          <emphasis>filename</emphasis> is given then Shorewall-lite will be
          restored from the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">save</emphasis></term>

        <listitem>
          <para>The dynamic blacklist is stored in
          /var/lib/shorewall-lite/save. The state of the firewall is stored in
          /var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
          <emphasis role="bold">shorewall-lite restore</emphasis> command. If
          <emphasis>filename</emphasis> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">show</emphasis></term>

        <listitem>
          <para>The show command can have a number of different
          arguments:</para>

          <variablelist>
            <varlistentry>
              <term><emphasis role="bold">capabilities</emphasis></term>

              <listitem>
                <para>Displays your kernel/iptables capabilities. The
                <emphasis role="bold">-f</emphasis> option causes the display
                to be formatted as a capabilities file for use with <emphasis
                role="bold">compile -e</emphasis>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
              ]</term>

              <listitem>
                <para>The rules in each <emphasis>chain</emphasis> are
                displayed using the <emphasis role="bold">iptables
                -L</emphasis> <emphasis>chain</emphasis> <emphasis
                role="bold">-n -v</emphasis> command. If no
                <emphasis>chain</emphasis> is given, all of the chains in the
                filter table are displayed. The <emphasis
                role="bold">-x</emphasis> option is passed directly through to
                iptables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are abbreviated.
                The <emphasis role="bold">-t</emphasis> option specifies the
                Netfilter table to display. The default is <emphasis
                role="bold">filter</emphasis>.</para>

                <para>The <emphasis role="bold">-l</emphasis> option causes
                the rule number for each Netfilter rule to be
                displayed.</para>

                <para>If the <emphasis role="bold">-t</emphasis> option and the
                <option>chain</option> keyword are both omitted and any of the
                listed <replaceable>chain</replaceable>s do not exist, a usage
                message is displayed.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis
              role="bold">classifiers|filters</emphasis></term>

              <listitem>
                <para>Displays information about the packet classifiers
                defined on the system as a result of traffic shaping
                configuration.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">config</emphasis></term>

              <listitem>
                <para>Displays distribution-specific defaults.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">connections</emphasis></term>

              <listitem>
                <para>Displays the IP connections currently being tracked by
                the firewall.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">ip</emphasis></term>

              <listitem>
                <para>Displays the system's IPv4 configuration.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">ipa</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.17. Displays the per-IP
                accounting counters (<ulink
                url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
                (5)).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">log</emphasis></term>

              <listitem>
                <para>Displays the last 20 Shorewall-lite messages from the
                log file specified by the LOGFILE option in <ulink
                url="shorewall.conf.html">shorewall.conf</ulink>(5). The
                <emphasis role="bold">-m</emphasis> option causes the MAC
                address of each packet source to be displayed if that
                information is available.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">marks</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.26. Displays the various fields
                in packet marks giving the min and max value (in both decimal
                and hex) and the applicable mask (in hex).</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">nat</emphasis></term>

              <listitem>
                <para>Displays the Netfilter nat table using the command
                <emphasis role="bold">iptables -t nat -L -n -v</emphasis>. The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">policies</emphasis></term>

              <listitem>
                <para>Added in Shorewall 4.4.4. Displays the applicable policy
                between each pair of zones. Note that implicit intrazone
                ACCEPT policies are not displayed for zones associated with a
                single network where that network doesn't specify
                <option>routeback</option>.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">routing</emphasis></term>

              <listitem>
                <para>Displays the system's IPv4 routing configuration.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">raw</emphasis></term>

              <listitem>
                <para>Displays the Netfilter raw table using the command
                <emphasis role="bold">iptables -t raw -L -n -v</emphasis>. The
                <emphasis role="bold">-x</emphasis> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
                abbreviated.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">tc</emphasis></term>

              <listitem>
                <para>Displays information about queuing disciplines, classes
                and filters.</para>
              </listitem>
            </varlistentry>

            <varlistentry>
              <term><emphasis role="bold">zones</emphasis></term>

              <listitem>
                <para>Displays the current composition of the Shorewall zones
                on the system.</para>
              </listitem>
            </varlistentry>
          </variablelist>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">start</emphasis></term>

        <listitem>
          <para>Start Shorewall Lite. Existing connections through
          shorewall-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
          policies.</para>

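          <para>The <option>-p</option> option causes the connection tracking
          table to be flushed; the <command>conntrack</command> utility must
          be installed to use this option. Since existing connections are
          otherwise left untouched, use this option when connections
          established before the start must be re-evaluated against the
          current rules.</para>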
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">stop</emphasis></term>

        <listitem>
          <para>Stops the firewall. All existing connections, except those
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or permitted by the ADMINISABSENTMINDED option in <ulink
          url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
          The only new traffic permitted through the firewall is from systems
          listed in <ulink
          url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
          or traffic permitted by the ADMINISABSENTMINDED option.</para>

          <para>If <option>-f</option> is given, the command will be processed
          by the compiled script that executed the last successful <emphasis
          role="bold">start</emphasis>, <emphasis
          role="bold">restart</emphasis> or <emphasis
          role="bold">refresh</emphasis> command if that script exists.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">status</emphasis></term>

        <listitem>
          <para>Produces a short report about the state of the
          Shorewall-configured firewall.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><emphasis role="bold">version</emphasis></term>

        <listitem>
          <para>Displays Shorewall's version. The <option>-a</option> option
          is included for compatibility with earlier Shorewall releases and is
          ignored.</para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>

    <para>/etc/shorewall-lite/</para>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>

    <para><ulink
    url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>

    <para>shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
    shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-rtrules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)</para>
  </refsect1>
</refentry>