d6bac484dc
Also, allow a suffix (s, m or h) in the <timeout> parameter to the 'try' command. Signed-off-by: Tom Eastep <teastep@shorewall.net>
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall</refentrytitle>
|
|
|
|
<manvolnum>8</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>shorewall</refname>
|
|
|
|
<refpurpose>Administration tool for Shoreline Firewall
|
|
(Shorewall)</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>add</option></arg>
|
|
|
|
<arg choice="plain"
|
|
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
|
|
|
|
<arg choice="plain"><replaceable>zone</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>allow</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>check</option></arg>
|
|
|
|
<arg><option>-e</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-p</option></arg>
|
|
|
|
<arg><option>-r</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>compile</option></arg>
|
|
|
|
<arg><option>-e</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-p</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
|
|
<arg choice="opt"><replaceable>pathname</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>delete</option></arg>
|
|
|
|
<arg choice="plain"
|
|
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
|
|
|
|
<arg choice="plain"><replaceable>zone</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>disable</option></arg>
|
|
|
|
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
|
<replaceable>provider</replaceable> }</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>drop</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>dump</option></arg>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg><option>-l</option></arg>
|
|
|
|
<arg><option>-m</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>enable</option></arg>
|
|
|
|
<arg choice="plain">{ <replaceable>interface</replaceable> |
|
|
<replaceable>provider</replaceable> }</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>export</option></arg>
|
|
|
|
<arg choice="opt"><replaceable>directory1</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain">[<replaceable>user</replaceable>@]<replaceable>system</replaceable>[<option>:</option><replaceable>directory2</replaceable>]</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>forget</option></arg>
|
|
|
|
<arg><replaceable>filename</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>help</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>ipcalc</option></arg>
|
|
|
|
<group choice="req">
|
|
<arg choice="plain"><replaceable>address</replaceable>
|
|
<replaceable>mask</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
|
|
</group>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>iprange</option></arg>
|
|
|
|
<arg
|
|
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>iptrace</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>iptables match
|
|
expression</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>load</option></arg>
|
|
|
|
<arg><option>-s</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
|
|
<arg choice="plain"><replaceable>system</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>logdrop</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>logwatch</option></arg>
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
<arg><replaceable>refresh-interval</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>logreject</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>noiptrace</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>iptables match
|
|
expression</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>refresh</option><arg
|
|
rep="repeat"><replaceable>chain</replaceable></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>reject</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>address</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>reload</option></arg>
|
|
|
|
<arg><option>-s</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
|
|
<arg choice="plain"><replaceable>system</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>reset</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>restart</option></arg>
|
|
|
|
<arg><option>-n</option></arg>
|
|
|
|
<arg><option>-p</option><arg><option>-d</option></arg></arg>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>restore</option></arg>
|
|
|
|
<arg><replaceable>filename</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>safe-restart</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-p</option></arg>
|
|
|
|
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>safe-start</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-p</option></arg>
|
|
|
|
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>save</option></arg>
|
|
|
|
<arg choice="opt"><replaceable>filename</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg><option>-l</option></arg>
|
|
|
|
<arg><option>-t</option>
|
|
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
|
|
|
|
<arg><arg><option>chain</option></arg><arg choice="plain"
|
|
rep="repeat"><replaceable>chain</replaceable></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<arg choice="plain"><option>capabilities</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
<arg
|
|
choice="req"><option>actions|classifiers|connections|config|filters|ip|ipa|macros|zones|policies|marks</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
<arg choice="plain"><option>macro</option><arg
|
|
choice="plain"><replaceable>macro</replaceable></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
<arg choice="plain"><option>tc</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>show</option></arg>
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
<arg choice="plain"><option>log</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>start</option></arg>
|
|
|
|
<arg><option>-n</option></arg>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<arg><option>-p</option></arg>
|
|
|
|
<arg><option>-c</option></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>stop</option><arg><option>-f</option></arg></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>status</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg
|
|
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>try</option></arg>
|
|
|
|
<arg choice="plain"><replaceable>directory</replaceable></arg>
|
|
|
|
<arg><replaceable>timeout</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg choice="plain"><option>update</option></arg>
|
|
|
|
<arg><option>-b</option></arg>
|
|
|
|
<arg><option>-d</option></arg>
|
|
|
|
<arg><option>-r</option></arg>
|
|
|
|
<arg><option>-T</option></arg>
|
|
|
|
<arg><option>-a</option></arg>
|
|
|
|
<arg><replaceable>directory</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall</command>
|
|
|
|
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
|
|
|
|
<arg>-<replaceable>options</replaceable></arg>
|
|
|
|
<arg
|
|
choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>The shorewall utility is used to control the Shoreline Firewall
|
|
(Shorewall).</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
|
|
<para>The <option>trace</option> and <option>debug</option> options are
|
|
used for debugging. See <ulink
|
|
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
|
|
|
|
<para>The <option>nolock</option> option prevents the command from
|
|
attempting to acquire the Shorewall lockfile. It is useful if you need to
|
|
include <command>shorewall</command> commands in
|
|
<filename>/etc/shorewall/started</filename>.</para>
|
|
|
|
<para>The <emphasis>options</emphasis> control the amount of output that
|
|
the command produces. They consist of a sequence of the letters <emphasis
|
|
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
|
options are omitted, the amount of output is determined by the setting of
|
|
the VERBOSITY parameter in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
|
|
role="bold">v</emphasis> adds one to the effective verbosity and each
|
|
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
|
VERBOSITY. Alternately, <emphasis role="bold">v</emphasis> may be followed
immediately with one of -1,0,1,2 to specify a specific VERBOSITY. There may
|
|
be no white space between <emphasis role="bold">v</emphasis> and the
|
|
VERBOSITY.</para>
|
|
|
|
<para>The <emphasis>options</emphasis> may also include the letter
|
|
<option>t</option> which causes all progress messages to be
|
|
timestamped.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Commands</title>
|
|
|
|
<para>The available commands are listed below.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">add</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Adds a list of hosts or subnets to a dynamic zone usually used
|
|
with VPNs.</para>
|
|
|
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
|
defined in the <ulink
|
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
|
file. A <emphasis>host-list</emphasis> is a comma-separated list whose
|
|
elements are host or network addresses.<caution>
|
|
<para>The <command>add</command> command is not very robust. If
|
|
there are errors in the <replaceable>host-list</replaceable>,
|
|
you may see a large number of error messages yet a subsequent
|
|
<command>shorewall show zones</command> command will indicate
|
|
that all hosts were added. If this happens, replace
|
|
<command>add</command> by <command>delete</command> and run the
|
|
same command again. Then enter the correct command.</para>
|
|
</caution></para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">allow</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Re-enables receipt of packets from hosts previously
|
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
|
role="bold">logdrop</emphasis>, <emphasis
|
|
role="bold">reject</emphasis>, or <emphasis
|
|
role="bold">logreject</emphasis> command.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">check</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Compiles the configuration in the specified
|
|
<emphasis>directory</emphasis> and discards the compiled output
|
|
script. If no <emphasis>directory</emphasis> is given, then
|
|
/etc/shorewall is assumed.</para>
|
|
|
|
<para>The <emphasis role="bold">-e</emphasis> option causes the
|
|
compiler to look for a file named capabilities. This file is
|
|
produced using the command <emphasis role="bold">shorewall-lite show
|
|
-f capabilities > capabilities</emphasis> on a system with
|
|
Shorewall Lite installed.</para>
|
|
|
|
<para>The <option>-d</option> option causes the compiler to be run
|
|
under control of the Perl debugger.</para>
|
|
|
|
<para>The <option>-p</option> option causes the compiler to be
|
|
profiled via the Perl <option>-wd:DProf</option> command-line
|
|
option.</para>
|
|
|
|
<para>The <option>-r</option> option was added in Shorewall 4.5.2
|
|
and causes the compiler to print the generated ruleset to standard
|
|
out.</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.4.20
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">clear</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Clear will remove all rules and chains installed by Shorewall.
|
|
The firewall is then wide open and unprotected. Existing connections
|
|
are untouched. Clear is often used to see if the firewall is causing
|
|
connection problems.</para>
|
|
|
|
<para>If <option>-f</option> is given, the command will be processed
|
|
by the compiled script that executed the last successful <emphasis
|
|
role="bold">start</emphasis>, <emphasis
|
|
role="bold">restart</emphasis> or <emphasis
|
|
role="bold">refresh</emphasis> command if that script exists.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">compile</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Compiles the current configuration into the executable file
|
|
<emphasis>pathname</emphasis>. If a directory is supplied, Shorewall
|
|
will look in that directory first for configuration files. If the
|
|
<emphasis>pathname</emphasis> is omitted, the file
|
|
<filename>firewall</filename> in the VARDIR (normally <filename
|
|
class="directory">/var/lib/shorewall/</filename>) is assumed. A
|
|
<emphasis>pathname</emphasis> of '-' causes the compiler to send the
|
|
generated script to its standard output file. Note that '-v-1' is
|
|
usually specified in this case (e.g., <command>shorewall -v-1
|
|
compile -- -</command>) to suppress the 'Compiling...' message
|
|
normally generated by <filename>/sbin/shorewall</filename>.</para>
|
|
|
|
<para>When -e is specified, the compilation is being performed on a
|
|
system other than where the compiled script will run. This option
|
|
disables certain configuration options that require the script to be
|
|
compiled where it is to be run. The use of -e requires the presence
|
|
of a configuration file named <filename>capabilities</filename>
|
|
which may be produced using the command <emphasis
|
|
role="bold">shorewall-lite show -f capabilities >
|
|
capabilities</emphasis> on a system with Shorewall Lite
|
|
installed.</para>
|
|
|
|
<para>The <option>-d</option> option causes the compiler to be run
|
|
under control of the Perl debugger.</para>
|
|
|
|
<para>The <option>-p</option> option causes the compiler to be
|
|
profiled via the Perl <option>-wd:DProf</option> command-line
|
|
option.</para>
|
|
|
|
<para>The <option>-T</option> option was added in Shorewall 4.4.20
|
|
and causes a Perl stack trace to be included with each
|
|
compiler-generated error and warning message.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">delete</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The delete command reverses the effect of an earlier <emphasis
|
|
role="bold">add</emphasis> command.</para>
|
|
|
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
|
defined in the <ulink
|
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
|
|
file. A <emphasis>host-list</emphasis> is a comma-separated list whose
elements are host or network addresses.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">disable</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.26. Disables the optional provider
|
|
associated with the specified <replaceable>interface</replaceable>
|
|
or <replaceable>provider</replaceable>. Where more than one provider
|
|
share a single network interface, a
|
|
<replaceable>provider</replaceable> name must be given.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">drop</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
to be silently dropped.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">dump</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Produces a verbose report about the firewall configuration for
|
|
the purpose of problem analysis.</para>
|
|
|
|
<para>The <emphasis role="bold">-x</emphasis> option causes actual
|
|
packet and byte counts to be displayed. Without that option, these
|
|
counts are abbreviated. The <emphasis role="bold">-m</emphasis>
|
|
option causes any MAC addresses included in Shorewall log messages
|
|
to be displayed.</para>
|
|
|
|
<para>The <emphasis role="bold">-l</emphasis> option causes the rule
|
|
number for each Netfilter rule to be displayed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">enable</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.26. Enables the optional provider
|
|
associated with the specified <replaceable>interface</replaceable>
|
|
or <replaceable>provider</replaceable>. Where more than one provider
|
|
share a single network interface, a
|
|
<replaceable>provider</replaceable> name must be given.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">export</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>If <emphasis>directory1</emphasis> is omitted, the current
|
|
working directory is assumed.</para>
|
|
|
|
<para>Allows a non-root user to compile a shorewall script and stage
|
|
it on a system (provided that the user has access to the system via
|
|
ssh). The command is equivalent to:</para>
|
|
|
|
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory1</emphasis> <emphasis>directory1</emphasis><emphasis
|
|
role="bold">/firewall &&\</emphasis>
|
|
<emphasis role="bold">scp</emphasis> directory1<emphasis role="bold">/firewall</emphasis> <emphasis>directory1</emphasis><emphasis
|
|
role="bold">/firewall.conf</emphasis> [<emphasis>user</emphasis>@]<emphasis
|
|
role="bold">system</emphasis>:[<emphasis>directory2</emphasis>]</programlisting>
|
|
|
|
<para>In other words, the configuration in the specified (or
|
|
defaulted) directory is compiled to a file called firewall in that
|
|
directory. If compilation succeeds, then firewall and firewall.conf
|
|
are copied to <emphasis>system</emphasis> using scp.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">forget</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Deletes /var/lib/shorewall/<emphasis>filename</emphasis> and
|
|
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
|
|
given then the file specified by RESTOREFILE in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5) is
|
|
assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">help</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays a syntax summary.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">hits</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Generates several reports from Shorewall log messages in the
|
|
current log file. If the <option>-t</option> option is included, the
|
|
reports are restricted to log messages generated today.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ipcalc</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Ipcalc displays the network address, broadcast address,
|
|
network in CIDR notation and netmask corresponding to the
|
|
input[s].</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">iprange</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Iprange decomposes the specified range of IP addresses into
|
|
the equivalent list of network/host addresses.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">iptrace</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>This is a low-level debugging command that causes iptables
|
|
TRACE log records to be created. See iptables(8) for details.</para>
|
|
|
|
<para>The <replaceable>iptables match expression</replaceable> must
|
|
be one or more matches that may appear in both the raw table OUTPUT
|
|
and raw table PREROUTING chains.</para>
|
|
|
|
<para>The trace records are written to the kernel's log buffer with
|
|
facility = kernel and priority = warning, and they are routed from
|
|
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
|
|
Shorewall has no control over where the messages go; consult your
|
|
logging daemon's documentation.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">load</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>If <emphasis>directory</emphasis> is omitted, the current
|
|
working directory is assumed. Allows a non-root user to compile a
|
|
shorewall script and install it on a system (provided that the user
|
|
has root access to the system via ssh). The command is equivalent
|
|
to:</para>
|
|
|
|
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
|
|
role="bold">/firewall &&\</emphasis>
|
|
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
|
|
role="bold">:/var/lib/shorewall-lite/ &&\</emphasis>
|
|
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
|
|
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
|
|
|
|
<para>In other words, the configuration in the specified (or
|
|
defaulted) directory is compiled to a file called firewall in that
|
|
directory. If compilation succeeds, then firewall is copied to
|
|
<replaceable>system</replaceable> using scp. If the copy succeeds,
|
|
Shorewall Lite on <replaceable>system</replaceable> is started via
|
|
ssh.</para>
|
|
|
|
<para>If <emphasis role="bold">-s</emphasis> is specified and the
|
|
<emphasis role="bold">start</emphasis> command succeeds, then the
|
|
remote Shorewall-lite configuration is saved by executing <emphasis
|
|
role="bold">shorewall-lite save</emphasis> via ssh.</para>
|
|
|
|
<para>If <emphasis role="bold">-c</emphasis> is included, the
|
|
command <emphasis role="bold">shorewall-lite show capabilities -f
|
|
> /var/lib/shorewall-lite/capabilities</emphasis> is executed via
|
|
ssh then the generated file is copied to
|
|
<replaceable>directory</replaceable> using scp. This step is
|
|
performed before the configuration is compiled.</para>
|
|
|
|
<para>If <option>-r</option> is included, it specifies that the root
|
|
user on <replaceable>system</replaceable> is named
|
|
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logdrop</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
to be logged then discarded. Logging occurs at the log level
|
|
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logwatch</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Monitors the log file specified by the LOGFILE option in
|
|
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
|
|
produces an audible alarm when new Shorewall messages are logged.
|
|
The <emphasis role="bold">-m</emphasis> option causes the MAC
|
|
address of each packet source to be displayed if that information is
|
|
available. The <replaceable>refresh-interval</replaceable> specifies
|
|
the time in seconds between screen refreshes. You can enter a
|
|
negative number by preceding the number with "--" (e.g.,
|
|
<command>shorewall logwatch -- -30</command>). In this case, when a
|
|
packet count changes, you will be prompted to hit any key to resume
|
|
screen refreshes.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logreject</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
to be logged then rejected. Logging occurs at the log level
|
|
specified by the BLACKLIST_LOGLEVEL setting in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">noiptrace</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>This is a low-level debugging command that cancels a trace
|
|
started by a preceding <command>iptrace</command> command.</para>
|
|
|
|
<para>The <replaceable>iptables match expression</replaceable> must
|
|
be one given in the <command>iptrace</command> command being
|
|
cancelled.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">refresh</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>All steps performed by <command>restart</command> are
|
|
performed by <command>refresh</command> with the exception that
|
|
<command>refresh</command> only recreates the chains specified in
|
|
the command while <command>restart</command> recreates the entire
|
|
Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
|
|
the static blacklisting chain <emphasis
|
|
role="bold">blacklst</emphasis> is assumed.</para>
|
|
|
|
<para>The listed chains are assumed to be in the filter table. You
|
|
can refresh chains in other tables by prefixing the chain name with
|
|
the table name followed by ":" (e.g., nat:net_dnat). Chain names
|
|
which follow are assumed to be in that table until the end of the
|
|
list or until an entry in the list names another table. Built-in
|
|
chains such as FORWARD may not be refreshed.</para>
|
|
|
|
<para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2fw' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
|
|
|
|
<para>The <emphasis role="bold">refresh</emphasis> command has
|
|
slightly different behavior. When no chain name is given to the
|
|
<emphasis role="bold">refresh</emphasis> command, the mangle table
|
|
is refreshed along with the blacklist chain (if any). This allows
|
|
you to modify <filename>/etc/shorewall/tcrules</filename> and
|
|
install the changes using <emphasis
|
|
role="bold">refresh</emphasis>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">reload</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>If <emphasis>directory</emphasis> is omitted, the current
|
|
working directory is assumed. Allows a non-root user to compile a
|
|
shorewall script and install it on a system (provided that the user
|
|
has root access to the system via ssh). The command is equivalent
|
|
to:</para>
|
|
|
|
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall &&\</emphasis>
|
|
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
|
|
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
|
|
role="bold">:/var/lib/shorewall-lite/ &&\</emphasis>
|
|
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
|
|
role="bold">'/sbin/shorewall-lite restart'</emphasis></programlisting>
|
|
|
|
<para>In other words, the configuration in the specified (or
|
|
defaulted) directory is compiled to a file called firewall in that
|
|
directory. If compilation succeeds, then firewall is copied to
|
|
<emphasis>system</emphasis> using scp. If the copy succeeds,
|
|
Shorewall Lite on <emphasis>system</emphasis> is restarted via
|
|
ssh.</para>
|
|
|
|
<para>If <emphasis role="bold">-s</emphasis> is specified and the
|
|
<emphasis role="bold">restart</emphasis> command succeeds, then the
|
|
remote Shorewall-lite configuration is saved by executing <emphasis
|
|
role="bold">shorewall-lite save</emphasis> via ssh.</para>
|
|
|
|
<para>If <emphasis role="bold">-c</emphasis> is included, the
|
|
command <emphasis role="bold">shorewall-lite show capabilities -f
|
|
> /var/lib/shorewall-lite/capabilities</emphasis> is executed via
|
|
ssh then the generated file is copied to
|
|
<emphasis>directory</emphasis> using scp. This step is performed
|
|
before the configuration is compiled.</para>
|
|
|
|
<para>If <option>-r</option> is included, it specifies that the root
|
|
user on <replaceable>system</replaceable> is named
|
|
<replaceable>root-user-name</replaceable> rather than "root".</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">reset</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>All the packet and byte counters in the firewall are
|
|
reset.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">restart</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Restart is similar to <emphasis role="bold">shorewall
|
|
start</emphasis> except that it assumes that the firewall is already
|
|
started. Existing connections are maintained. If a
|
|
<emphasis>directory</emphasis> is included in the command, Shorewall
|
|
will look in that <emphasis>directory</emphasis> first for
|
|
configuration files.</para>
|
|
|
|
<para>The <option>-n</option> option causes Shorewall to avoid
|
|
updating the routing table(s).</para>
|
|
|
|
<para>The <option>-p</option> option causes the connection tracking
|
|
table to be flushed; the <command>conntrack</command> utility must
|
|
be installed to use this option.</para>
|
|
|
|
<para>The <option>-d</option> option causes the compiler to run
|
|
under the Perl debugger.</para>
|
|
|
|
<para>The <option>-f</option> option suppresses the compilation step
|
|
and simply reuses the compiled script that last started/restarted
|
|
Shorewall, provided that /etc/shorewall and its contents have not
|
|
been modified since the last start/restart.</para>
|
|
|
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
|
and performs the compilation step unconditionally, overriding the
|
|
AUTOMAKE setting in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
|
<option>-f</option> and <option>-c</option> are present, the result
|
|
is determined by the option that appears last.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">restore</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Restore Shorewall to a state saved using the <emphasis
|
|
role="bold">shorewall save</emphasis> command. Existing connections
|
|
are maintained. The <emphasis>filename</emphasis> names a restore
|
|
file in /var/lib/shorewall created using <emphasis
|
|
role="bold">shorewall save</emphasis>; if no
|
|
<emphasis>filename</emphasis> is given then Shorewall will be
|
|
restored from the file specified by the RESTOREFILE option in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">safe-restart</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Only allowed if Shorewall is running. The current
|
|
configuration is saved in /var/lib/shorewall/safe-restart (see the
|
|
save command below) then a <emphasis role="bold">shorewall
|
|
restart</emphasis> is done. You will then be prompted asking if you
|
|
want to accept the new configuration or not. If you answer "n" or if
|
|
you fail to answer within 60 seconds (such as when your new
|
|
configuration has disabled communication with your terminal), the
|
|
configuration is restored from the saved configuration. If a
|
|
directory is given, then Shorewall will look in that directory first
|
|
when opening configuration files.</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.28, you may specify a different
|
|
<replaceable>timeout</replaceable> value using the
|
|
<option>-t</option> option. The numeric
|
|
<replaceable>timeout</replaceable> may optionally be followed by an
|
|
<option>s</option>, <option>m</option> or <option>h</option> suffix
|
|
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
|
|
suffix is omitted, seconds is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">safe-start</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Shorewall is started normally. You will then be prompted
|
|
asking if everything went all right. If you answer "n" or if you
|
|
fail to answer within 60 seconds (such as when your new
|
|
configuration has disabled communication with your terminal), a
|
|
shorewall clear is performed for you. If a directory is given, then
|
|
Shorewall will look in that directory first when opening
|
|
configuration files.</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.28, you may specify a different
|
|
<replaceable>timeout</replaceable> value using the
|
|
<option>-t</option> option. The numeric
|
|
<replaceable>timeout</replaceable> may optionally be followed by an
|
|
<option>s</option>, <option>m</option> or <option>h</option> suffix
|
|
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
|
|
suffix is omitted, seconds is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">save</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The dynamic blacklist is stored in /var/lib/shorewall/save.
|
|
The state of the firewall is stored in
|
|
/var/lib/shorewall/<emphasis>filename</emphasis> for use by the
|
|
<emphasis role="bold">shorewall restore</emphasis> and <emphasis
|
|
role="bold">shorewall -f start</emphasis> commands. If
|
|
<emphasis>filename</emphasis> is not given then the state is saved
|
|
in the file specified by the RESTOREFILE option in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">show</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The show command can have a number of different
|
|
arguments:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">actions</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Produces a report about the available actions (built-in,
|
|
standard and user-defined).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">capabilities</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays your kernel/iptables capabilities. The
|
|
<emphasis role="bold">-f</emphasis> option causes the display
|
|
to be formatted as a capabilities file for use with <emphasis
|
|
role="bold">compile -e</emphasis>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
|
|
]</term>
|
|
|
|
<listitem>
|
|
<para>The rules in each <emphasis>chain</emphasis> are
|
|
displayed using the <emphasis role="bold">iptables
|
|
-L</emphasis> <emphasis>chain</emphasis> <emphasis
|
|
role="bold">-n -v</emphasis> command. If no
|
|
<emphasis>chain</emphasis> is given, all of the chains in the
|
|
filter table are displayed. The <emphasis
|
|
role="bold">-x</emphasis> option is passed directly through to
|
|
iptables and causes actual packet and byte counts to be
|
|
displayed. Without this option, those counts are abbreviated.
|
|
The <emphasis role="bold">-t</emphasis> option specifies the
|
|
Netfilter table to display. The default is <emphasis
|
|
role="bold">filter</emphasis>.</para>
|
|
|
|
<para>The <emphasis role="bold">-l</emphasis> option causes
|
|
the rule number for each Netfilter rule to be
|
|
displayed.</para>
|
|
|
|
<para>If the <emphasis role="bold">-t</emphasis> option and the
|
|
<option>chain</option> keyword are both omitted and any of the
|
|
listed <replaceable>chain</replaceable>s do not exist, a usage
|
|
message is displayed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis
|
|
role="bold">classifiers|filters</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about the packet classifiers
|
|
defined on the system as a result of traffic shaping
|
|
configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">config</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays distribution-specific defaults.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">connections</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the IP connections currently being tracked by
|
|
the firewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ip</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the system's IPv4 configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ipa</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.17. Displays the per-IP
|
|
accounting counters (<ulink
|
|
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
|
|
(5)).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">log</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the last 20 Shorewall messages from the log
|
|
file specified by the LOGFILE option in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5). The
|
|
<emphasis role="bold">-m</emphasis> option causes the MAC
|
|
address of each packet source to be displayed if that
|
|
information is available.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">macros</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about each macro defined on the
|
|
firewall system.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">macro</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.6. Displays the file that
|
|
implements the specified <replaceable>macro</replaceable>
|
|
(usually
|
|
<filename>/usr/share/shorewall/macro</filename>.<replaceable>macro</replaceable>).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">marks</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.26. Displays the various fields
|
|
in packet marks giving the min and max value (in both decimal
|
|
and hex) and the applicable mask (in hex).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">nat</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the Netfilter nat table using the command
|
|
<emphasis role="bold">iptables -t nat -L -n -v</emphasis>. The
|
|
<emphasis role="bold">-x</emphasis> option is passed directly
|
|
through to iptables and causes actual packet and byte counts
|
|
to be displayed. Without this option, those counts are
|
|
abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">policies</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.4. Displays the applicable policy
|
|
between each pair of zones. Note that implicit intrazone
|
|
ACCEPT policies are not displayed for zones associated with a
|
|
single network where that network doesn't specify
|
|
<option>routeback</option>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">routing</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the system's IPv4 routing configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">raw</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the Netfilter raw table using the command
|
|
<emphasis role="bold">iptables -t raw -L -n -v</emphasis>. The
|
|
<emphasis role="bold">-x</emphasis> option is passed directly
|
|
through to iptables and causes actual packet and byte counts
|
|
to be displayed. Without this option, those counts are
|
|
abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">tc</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about queuing disciplines, classes
|
|
and filters.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">zones</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the current composition of the Shorewall zones
|
|
on the system.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">start</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Start shorewall. Existing connections through shorewall
|
|
managed interfaces are untouched. New connections will be allowed
|
|
only if they are allowed by the firewall rules or policies. If a
|
|
<replaceable>directory</replaceable> is included in the command,
|
|
Shorewall will look in that <emphasis>directory</emphasis> first for
|
|
configuration files. If <emphasis role="bold">-f</emphasis> is
|
|
specified, the saved configuration specified by the RESTOREFILE
|
|
option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)
|
|
will be restored if that saved configuration exists and has been
|
|
modified more recently than the files in /etc/shorewall. When
|
|
<emphasis role="bold">-f</emphasis> is given, a
|
|
<replaceable>directory</replaceable> may not be specified.</para>
|
|
|
|
<para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
|
|
added to <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).
|
|
When LEGACY_FASTSTART=No, the modification times of files in
|
|
/etc/shorewall are compared with that of /var/lib/shorewall/firewall
|
|
(the compiled script that last started/restarted the
|
|
firewall).</para>
|
|
|
|
<para>The <option>-n</option> option causes Shorewall to avoid
|
|
updating the routing table(s).</para>
|
|
|
|
<para>The <option>-p</option> option causes the connection tracking
|
|
table to be flushed; the <command>conntrack</command> utility must
|
|
be installed to use this option.</para>
|
|
|
|
<para>The <option>-c</option> option was added in Shorewall 4.4.20
|
|
and performs the compilation step unconditionally, overriding the
|
|
AUTOMAKE setting in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
|
|
<option>-f</option> and <option>-c</option> are present, the result
|
|
is determined by the option that appears last.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">stop</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Stops the firewall. All existing connections, except those
|
|
listed in <ulink
|
|
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
|
or permitted by the ADMINISABSENTMINDED option in <ulink
|
|
url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
|
|
The only new traffic permitted through the firewall is from systems
|
|
listed in <ulink
|
|
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
|
|
or by ADMINISABSENTMINDED.</para>
|
|
|
|
<para>If <option>-f</option> is given, the command will be processed
|
|
by the compiled script that executed the last successful <emphasis
|
|
role="bold">start</emphasis>, <emphasis
|
|
role="bold">restart</emphasis> or <emphasis
|
|
role="bold">refresh</emphasis> command if that script exists.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">status</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Produces a short report about the state of the
|
|
Shorewall-configured firewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">try</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>If Shorewall is started then the firewall state is saved to a
|
|
temporary saved configuration
|
|
(<filename>/var/lib/shorewall/.try</filename>). Next, if Shorewall
|
|
is currently started then a <emphasis role="bold">restart</emphasis>
|
|
command is issued; otherwise, a <emphasis
|
|
role="bold">start</emphasis> command is performed. If an error
|
|
occurs during the compilation phase of the <emphasis
|
|
role="bold">restart</emphasis> or <emphasis
|
|
role="bold">start</emphasis>, the command terminates without
|
|
changing the Shorewall state. If an error occurs during the
|
|
<emphasis role="bold">restart</emphasis> phase, then a <emphasis
|
|
role="bold">shorewall restore</emphasis> is performed using the
|
|
saved configuration. If an error occurs during the <emphasis
|
|
role="bold">start</emphasis> phase, then Shorewall is cleared. If
|
|
the <emphasis role="bold">start</emphasis>/<emphasis
|
|
role="bold">restart</emphasis> succeeds and a
|
|
<replaceable>timeout</replaceable> is specified then a <emphasis
|
|
role="bold">clear</emphasis> or <emphasis
|
|
role="bold">restore</emphasis> is performed after
|
|
<replaceable>timeout</replaceable> (in seconds unless a suffix is given; see below).</para>
|
|
|
|
<para>Beginning with Shorewall 4.4.28, the numeric
|
|
<replaceable>timeout</replaceable> may optionally be followed by an
|
|
<option>s</option>, <option>m</option> or <option>h</option> suffix
|
|
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
|
|
suffix is omitted, seconds is assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">update</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Added in Shorewall 4.4.21 and causes the compiler to update
|
|
<filename>/etc/shorewall/shorewall.conf</filename> then validate the
|
|
configuration. The update will add options not present in
|
|
the old file with their default values, and will move deprecated
|
|
options with non-defaults to a deprecated options section at the
|
|
bottom of the file. Your existing
|
|
<filename>shorewall.conf</filename> file is renamed
|
|
<filename>shorewall.conf.bak</filename>.</para>
|
|
|
|
<para>The <option>-a</option> option causes the updated
|
|
<filename>shorewall.conf</filename> file to be annotated with
|
|
documentation.</para>
|
|
|
|
<para>The <option>-b</option> option was added in Shorewall 4.4.26
|
|
and causes legacy blacklisting rules (<ulink
|
|
url="shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
|
|
be converted to entries in the blrules file (<ulink
|
|
url="shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
|
|
blacklist keyword is removed from <ulink
|
|
url="shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
|
|
url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
|
|
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink> (5). The
|
|
unmodified files are saved with a .bak suffix.</para>
|
|
|
|
<para>For a description of the other options, see the <emphasis
|
|
role="bold">check</emphasis> command above.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">version</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays Shorewall's version. The <option>-a</option> option
|
|
is included for compatibility with earlier Shorewall releases and is
|
|
ignored.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall/</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>SEE ALSO</title>
|
|
|
|
<para><ulink
|
|
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
|
|
|
|
<para>shorewall-accounting(5), shorewall-actions(5),
|
|
shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
|
|
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
|
|
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
|
|
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
|
|
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
|
|
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
|
|
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
|
|
shorewall-tunnels(5), shorewall-zones(5)</para>
|
|
</refsect1>
|
|
</refentry>
|