shorewall_code/manpages/shorewall.xml
Tom Eastep d6bac484dc Allow the timeout to be specified in that 'safe' commands.
Also, allow a suffix (s, m or h) in the <timeout> paramater to the 'try' command.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2011-12-31 09:40:36 -08:00

1679 lines
62 KiB
XML

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.oasis-open.org/docbook/xml/4.4/docbookx.dtd">
<refentry>
<refmeta>
<refentrytitle>shorewall</refentrytitle>
<manvolnum>8</manvolnum>
</refmeta>
<refnamediv>
<refname>shorewall</refname>
<refpurpose>Administration tool for Shoreline Firewall
(Shorewall)</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>add</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>allow</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>check</option></arg>
<arg><option>-e</option></arg>
<arg><option>-d</option></arg>
<arg><option>-p</option></arg>
<arg><option>-r</option></arg>
<arg><option>-T</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>clear</option><arg><option>-f</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>compile</option></arg>
<arg><option>-e</option></arg>
<arg><option>-d</option></arg>
<arg><option>-p</option></arg>
<arg><option>-T</option></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="opt"><replaceable>pathname</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg rep="norepeat">-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>delete</option></arg>
<arg choice="plain"
rep="repeat"><replaceable>interface</replaceable>[:<replaceable>host-list</replaceable>]</arg>
<arg choice="plain"><replaceable>zone</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>disable</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>drop</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>dump</option></arg>
<arg><option>-x</option></arg>
<arg><option>-l</option></arg>
<arg><option>-m</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>enable</option></arg>
<arg choice="plain">{ <replaceable>interface</replaceable> |
<replaceable>provider</replaceable> }</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>export</option></arg>
<arg choice="opt"><replaceable>directory1</replaceable></arg>
<arg
choice="plain">[<replaceable>user</replaceable>@]<replaceable>system</replaceable>[<option>:</option><replaceable>directory2</replaceable>]</arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>forget</option></arg>
<arg><replaceable>filename</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>help</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>hits</option><arg><option>-t</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>ipcalc</option></arg>
<group choice="req">
<arg choice="plain"><replaceable>address</replaceable>
<replaceable>mask</replaceable></arg>
<arg
choice="plain"><replaceable>address</replaceable>/<replaceable>vlsm</replaceable></arg>
</group>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iprange</option></arg>
<arg
choice="plain"><replaceable>address1</replaceable><option>-</option><replaceable>address2</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>iptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>load</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>logdrop</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>logwatch</option></arg>
<arg><option>-m</option></arg>
<arg><replaceable>refresh-interval</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>logreject</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>noiptrace</option></arg>
<arg choice="plain"><replaceable>iptables match
expression</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>refresh</option><arg
rep="repeat"><replaceable>chain</replaceable></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reject</option></arg>
<arg choice="plain"><replaceable>address</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reload</option></arg>
<arg><option>-s</option></arg>
<arg><option>-c</option></arg>
<arg><option>-r</option> <replaceable>root-user-name</replaceable></arg>
<arg><replaceable>directory</replaceable></arg>
<arg choice="plain"><replaceable>system</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>reset</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>restart</option></arg>
<arg><option>-n</option></arg>
<arg><option>-p</option><arg><option>-d</option></arg></arg>
<arg><option>-f</option></arg>
<arg><option>-c</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>restore</option></arg>
<arg><replaceable>filename</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>safe-restart</option></arg>
<arg><option>-d</option></arg>
<arg><option>-p</option></arg>
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>safe-start</option></arg>
<arg><option>-d</option></arg>
<arg><option>-p</option></arg>
<arg><option>-t</option> <replaceable>timeout</replaceable></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>save</option></arg>
<arg choice="opt"><replaceable>filename</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>show</option></arg>
<arg><option>-x</option></arg>
<arg><option>-l</option></arg>
<arg><option>-t</option>
{<option>filter</option>|<option>mangle</option>|<option>nat</option>|<option>raw|rawpost</option>}</arg>
<arg><arg><option>chain</option></arg><arg choice="plain"
rep="repeat"><replaceable>chain</replaceable></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>show</option></arg>
<arg><option>-f</option></arg>
<arg choice="plain"><option>capabilities</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>show</option></arg>
<arg
choice="req"><option>actions|classifiers|connections|config|filters|ip|ipa|macros|zones|policies|marks</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>show</option></arg>
<arg choice="plain"><option>macro</option><arg
choice="plain"><replaceable>macro</replaceable></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>show</option></arg>
<arg><option>-x</option></arg>
<arg choice="req"><option>mangle|nat|routing|raw|rawpost</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>show</option></arg>
<arg choice="plain"><option>tc</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>show</option></arg>
<arg><option>-m</option></arg>
<arg choice="plain"><option>log</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>start</option></arg>
<arg><option>-n</option></arg>
<arg><option>-f</option></arg>
<arg><option>-p</option></arg>
<arg><option>-c</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>stop</option><arg><option>-f</option></arg></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>status</option></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg
choice="opt"><option>trace</option>|<option>debug</option><arg><option>nolock</option></arg></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>try</option></arg>
<arg choice="plain"><replaceable>directory</replaceable></arg>
<arg><replaceable>timeout</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg choice="plain"><option>update</option></arg>
<arg><option>-b</option></arg>
<arg><option>-d</option></arg>
<arg><option>-r</option></arg>
<arg><option>-T</option></arg>
<arg><option>-a</option></arg>
<arg><replaceable>directory</replaceable></arg>
</cmdsynopsis>
<cmdsynopsis>
<command>shorewall</command>
<arg choice="opt"><option>trace</option>|<option>debug</option></arg>
<arg>-<replaceable>options</replaceable></arg>
<arg
choice="plain"><option>version</option><arg><option>-a</option></arg></arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para>The shorewall utility is used to control the Shoreline Firewall
(Shorewall).</para>
</refsect1>
<refsect1>
<title>Options</title>
<para>The <option>trace</option> and <option>debug</option> options are
used for debugging. See <ulink
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace">http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace</ulink>.</para>
<para>The nolock <option>option</option> prevents the command from
attempting to acquire the Shorewall lockfile. It is useful if you need to
include <command>shorewall</command> commands in
<filename>/etc/shorewall/started</filename>.</para>
<para>The <emphasis>options</emphasis> control the amount of output that
the command produces. They consist of a sequence of the letters <emphasis
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
options are omitted, the amount of output is determined by the setting of
the VERBOSITY parameter in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). Each <emphasis
role="bold">v</emphasis> adds one to the effective verbosity and each
<emphasis role="bold">q</emphasis> subtracts one from the effective
VERBOSITY. Anternately, <emphasis role="bold">v</emphasis> may be followed
immediately with one of -1,0,1,2 to specify a specify VERBOSITY. There may
be no white space between <emphasis role="bold">v</emphasis> and the
VERBOSITY.</para>
<para>The <emphasis>options</emphasis> may also include the letter
<option>t</option> which causes all progress messages to be
timestamped.</para>
</refsect1>
<refsect1>
<title>Commands</title>
<para>The available commands are listed below.</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">add</emphasis></term>
<listitem>
<para>Adds a list of hosts or subnets to a dynamic zone usually used
with VPN's.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are host or network addresses.<caution>
<para>The <command>add</command> command is not very robust. If
there are errors in the <replaceable>host-list</replaceable>,
you may see a large number of error messages yet a subsequent
<command>shorewall show zones</command> command will indicate
that all hosts were added. If this happens, replace
<command>add</command> by <command>delete</command> and run the
same command again. Then enter the correct command.</para>
</caution></para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">allow</emphasis></term>
<listitem>
<para>Re-enables receipt of packets from hosts previously
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
role="bold">logdrop</emphasis>, <emphasis
role="bold">reject</emphasis>, or <emphasis
role="bold">logreject</emphasis> command.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">check</emphasis></term>
<listitem>
<para>Compiles the configuraton in the specified
<emphasis>directory</emphasis> and discards the compiled output
script. If no <emphasis>directory</emphasis> is given, then
/etc/shorewall is assumed.</para>
<para>The <emphasis role="bold">-e</emphasis> option causes the
compiler to look for a file named capabilities. This file is
produced using the command <emphasis role="bold">shorewall-lite show
-f capabilities &gt; capabilities</emphasis> on a system with
Shorewall Lite installed.</para>
<para>The <option>-d</option> option causes the compiler to be run
under control of the Perl debugger.</para>
<para>The <option>-p</option> option causes the compiler to be
profiled via the Perl <option>-wd:DProf</option> command-line
option.</para>
<para>The <option>-r</option> option was added in Shorewall 4.5.2
and causes the compiler to print the generated ruleset to standard
out.</para>
<para>The <option>-T</option> option was added in Shorewall 4.4.20
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">clear</emphasis></term>
<listitem>
<para>Clear will remove all rules and chains installed by Shorewall.
The firewall is then wide open and unprotected. Existing connections
are untouched. Clear is often used to see if the firewall is causing
connection problems.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">compile</emphasis></term>
<listitem>
<para>Compiles the current configuration into the executable file
<emphasis>pathname</emphasis>. If a directory is supplied, Shorewall
will look in that directory first for configuration files. If the
<emphasis>pathname</emphasis> is omitted, the file
<filename>firewall</filename> in the VARDIR (normally <filename
class="directory">/var/lib/shorewall/</filename>) is assumed. A
<emphasis>pathname</emphasis> of '-' causes the compiler to send the
generated script to it's standard output file. Note that '-v-1' is
usually specified in this case (e.g., <command>shorewall -v-1
compile -- -</command>) to suppress the 'Compiling...' message
normally generated by <filename>/sbin/shorewall</filename>.</para>
<para>When -e is specified, the compilation is being performed on a
system other than where the compiled script will run. This option
disables certain configuration options that require the script to be
compiled where it is to be run. The use of -e requires the presense
of a configuration file named <filename>capabilities</filename>
which may be produced using the command <emphasis
role="bold">shorewall-lite show -f capabilities &gt;
capabilities</emphasis> on a system with Shorewall Lite
installed</para>
<para>The <option>-d</option> option causes the compiler to be run
under control of the Perl debugger.</para>
<para>The <option>-p</option> option causes the compiler to be
profiled via the Perl <option>-wd:DProf</option> command-line
option.</para>
<para>The <option>-T</option> option was added in Shorewall 4.4.20
and causes a Perl stack trace to be included with each
compiler-generated error and warning message.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">delete</emphasis></term>
<listitem>
<para>The delete command reverses the effect of an earlier <emphasis
role="bold">add</emphasis> command.</para>
<para>The <emphasis>interface</emphasis> argument names an interface
defined in the <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink>(5)
file. A <emphasis>host-list</emphasis> is comma-separated list whose
elements are a host or network address.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">disable</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.26. Disables the optional provider
associated with the specified <replaceable>interface</replaceable>
or <replaceable>provider</replaceable>. Where more than one provider
share a single network interface, a
<replaceable>provider</replaceable> name must be given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">drop</emphasis></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be silently dropped.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">dump</emphasis></term>
<listitem>
<para>Produces a verbose report about the firewall configuration for
the purpose of problem analysis.</para>
<para>The <emphasis role="bold">-x</emphasis> option causes actual
packet and byte counts to be displayed. Without that option, these
counts are abbreviated. The <emphasis role="bold">-m</emphasis>
option causes any MAC addresses included in Shorewall log messages
to be displayed.</para>
<para>The <emphasis role="bold">-l</emphasis> option causes the rule
number for each Netfilter rule to be displayed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">enable</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.26. Enables the optional provider
associated with the specified <replaceable>interface</replaceable>
or <replaceable>provider</replaceable>. Where more than one provider
share a single network interface, a
<replaceable>provider</replaceable> name must be given.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">export</emphasis></term>
<listitem>
<para>If <emphasis>directory1</emphasis> is omitted, the current
working directory is assumed.</para>
<para>Allows a non-root user to compile a shorewall script and stage
it on a system (provided that the user has access to the system via
ssh). The command is equivalent to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory1</emphasis> <emphasis>directory1</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> directory1<emphasis role="bold">/firewall</emphasis> <emphasis>directory1</emphasis><emphasis
role="bold">/firewall.conf</emphasis> [<emphasis>user</emphasis>@]<emphasis
role="bold">system</emphasis>:[<emphasis>directory2</emphasis>]</programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall and firewall.conf
are copied to <emphasis>system</emphasis> using scp.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">forget</emphasis></term>
<listitem>
<para>Deletes /var/lib/shorewall/<emphasis>filenam</emphasis>e and
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
given then the file specified by RESTOREFILE in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5) is
assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">help</emphasis></term>
<listitem>
<para>Displays a syntax summary.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">hits</emphasis></term>
<listitem>
<para>Generates several reports from Shorewall log messages in the
current log file. If the <option>-t</option> option is included, the
reports are restricted to log messages generated today.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipcalc</emphasis></term>
<listitem>
<para>Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the
input[s].</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iprange</emphasis></term>
<listitem>
<para>Iprange decomposes the specified range of IP addresses into
the equivalent list of network/host addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">iptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that causes iptables
TRACE log records to be created. See iptables(8) for details.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one or more matches that may appear in both the raw table OUTPUT
and raw table PREROUTING chains.</para>
<para>The trace records are written to the kernel's log buffer with
faciility = kernel and priority = warning, and they are routed from
there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
Shorewall has no control over where the messages go; consult your
logging daemon's documentation.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">load</emphasis></term>
<listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis><replaceable>directory</replaceable></emphasis> <replaceable>directory</replaceable><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><replaceable>system</replaceable><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><replaceable>system</replaceable> <emphasis
role="bold">'/sbin/shorewall-lite start'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<replaceable>system</replaceable> using scp. If the copy succeeds,
Shorewall Lite on <replaceable>system</replaceable> is started via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">start</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<replaceable>directory</replaceable> using scp. This step is
performed before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logdrop</emphasis></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then discarded. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logwatch</emphasis></term>
<listitem>
<para>Monitors the log file specified by the LOGFILE option in
<ulink url="shorewall.conf.html">shorewall.conf</ulink>(5) and
produces an audible alarm when new Shorewall messages are logged.
The <emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that information is
available. The <replaceable>refresh-interval</replaceable> specifies
the time in seconds between screen refreshes. You can enter a
negative number by preceding the number with "--" (e.g.,
<command>shorewall logwatch -- -30</command>). In this case, when a
packet count changes, you will be prompted to hit any key to resume
screen refreshes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">logreject</emphasis></term>
<listitem>
<para>Causes traffic from the listed <emphasis>address</emphasis>es
to be logged then rejected. Logging occurs at the log level
specified by the BLACKLIST_LOGLEVEL setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink> (5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">noiptrace</emphasis></term>
<listitem>
<para>This is a low-level debugging command that cancels a trace
started by a preceding <command>iptrace</command> command.</para>
<para>The <replaceable>iptables match expression</replaceable> must
be one given in the <command>iptrace</command> command being
cancelled.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">refresh</emphasis></term>
<listitem>
<para>All steps performed by <command>restart</command> are
performed by <command>refresh</command> with the exception that
<command>refresh</command> only recreates the chains specified in
the command while <command>restart</command> recreates the entire
Netfilter ruleset. If no <replaceable>chain</replaceable> is given,
the static blacklisting chain <emphasis
role="bold">blacklst</emphasis> is assumed.</para>
<para>The listed chains are assumed to be in the filter table. You
can refresh chains in other tables by prefixing the chain name with
the table name followed by ":" (e.g., nat:net_dnat). Chain names
which follow are assumed to be in that table until the end of the
list or until an entry in the list names another table. Built-in
chains such as FORWARD may not be refreshed.</para>
<para>Example:<programlisting><command>shorewall refresh net2fw nat:net_dnat</command> #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table</programlisting></para>
<para>The <emphasis role="bold">refresh</emphasis> command has
slightly different behavior. When no chain name is given to the
<emphasis role="bold">refresh</emphasis> command, the mangle table
is refreshed along with the blacklist chain (if any). This allows
you to modify <filename>/etc/shorewall/tcrules </filename>and
install the changes using <emphasis
role="bold">refresh</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reload</emphasis></term>
<listitem>
<para>If <emphasis>directory</emphasis> is omitted, the current
working directory is assumed. Allows a non-root user to compile a
shorewall script and install it on a system (provided that the user
has root access to the system via ssh). The command is equivalent
to:</para>
<programlisting> <emphasis role="bold">/sbin/shorewall compile -e</emphasis> <emphasis>directory</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall &amp;&amp;\</emphasis>
<emphasis role="bold">scp</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall</emphasis> <emphasis>directory</emphasis><emphasis
role="bold">/firewall.conf</emphasis> <emphasis role="bold">root@</emphasis><emphasis>system</emphasis><emphasis
role="bold">:/var/lib/shorewall-lite/ &amp;&amp;\</emphasis>
<emphasis role="bold">ssh root@</emphasis><emphasis>system</emphasis> <emphasis
role="bold">'/sbin/shorewall-lite restart'</emphasis></programlisting>
<para>In other words, the configuration in the specified (or
defaulted) directory is compiled to a file called firewall in that
directory. If compilation succeeds, then firewall is copied to
<emphasis>system</emphasis> using scp. If the copy succeeds,
Shorewall Lite on <emphasis>system</emphasis> is restarted via
ssh.</para>
<para>If <emphasis role="bold">-s</emphasis> is specified and the
<emphasis role="bold">restart</emphasis> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <emphasis
role="bold">shorewall-lite save</emphasis> via ssh.</para>
<para>if <emphasis role="bold">-c</emphasis> is included, the
command <emphasis role="bold">shorewall-lite show capabilities -f
&gt; /var/lib/shorewall-lite/capabilities</emphasis> is executed via
ssh then the generated file is copied to
<emphasis>directory</emphasis> using scp. This step is performed
before the configuration is compiled.</para>
<para>If <option>-r</option> is included, it specifies that the root
user on <replaceable>system</replaceable> is named
<replaceable>root-user-name</replaceable> rather than "root".</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">reset</emphasis></term>
<listitem>
<para>All the packet and byte counters in the firewall are
reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">restart</emphasis></term>
<listitem>
<para>Restart is similar to <emphasis role="bold">shorewall
start</emphasis> except that it assumes that the firewall is already
started. Existing connections are maintained. If a
<emphasis>directory</emphasis> is included in the command, Shorewall
will look in that <emphasis>directory</emphasis> first for
configuration files.</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-d </option>option causes the compiler to run
under the Perl debugger.</para>
<para>The <option>-f</option> option suppresses the compilation step
and simply reused the compiled script which last started/restarted
Shorewall, provided that /etc/shorewall and its contents have not
been modified since the last start/restart.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
<option>-f</option> and <option>-c</option>are present, the result
is determined by the option that appears last.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">restore</emphasis></term>
<listitem>
<para>Restore Shorewall to a state saved using the <emphasis
role="bold">shorewall save</emphasis> command. Existing connections
are maintained. The <emphasis>filename</emphasis> names a restore
file in /var/lib/shorewall created using <emphasis
role="bold">shorewall save</emphasis>; if no
<emphasis>filename</emphasis> is given then Shorewall will be
restored from the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">safe-restart</emphasis></term>
<listitem>
<para>Only allowed if Shorewall is running. The current
configuration is saved in /var/lib/shorewall/safe-restart (see the
save command below) then a <emphasis role="bold">shorewall
restart</emphasis> is done. You will then be prompted asking if you
want to accept the new configuration or not. If you answer "n" or if
you fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), the
configuration is restored from the saved configuration. If a
directory is given, then Shorewall will look in that directory first
when opening configuration files.</para>
<para>Begining with Shorewall 4.4.28, you may specify a different
<replaceable>timeout</replaceable> value using the
<option>-t</option> option. The numeric
<replaceable>timeout</replaceable> may optionally be followed by an
<option>s</option>, <option>m</option> or <option>h</option> suffix
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
suffix is omitted, seconds is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">safe-start</emphasis></term>
<listitem>
<para>Shorewall is started normally. You will then be prompted
asking if everything went all right. If you answer "n" or if you
fail to answer within 60 seconds (such as when your new
configuration has disabled communication with your terminal), a
shorewall clear is performed for you. If a directory is given, then
Shorewall will look in that directory first when opening
configuration files.</para>
<para>Begining with Shorewall 4.4.28, you may specify a different
<replaceable>timeout</replaceable> value using the
<option>-t</option> option. The numeric
<replaceable>timeout</replaceable> may optionally be followed by an
<option>s</option>, <option>m</option> or <option>h</option> suffix
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
suffix is omitted, seconds is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">save</emphasis></term>
<listitem>
<para>The dynamic blacklist is stored in /var/lib/shorewall/save.
The state of the firewall is stored in
/var/lib/shorewall/<emphasis>filename</emphasis> for use by the
<emphasis role="bold">shorewall restore</emphasis> and <emphasis
role="bold">shorewall -f start</emphasis> commands. If
<emphasis>filename</emphasis> is not given then the state is saved
in the file specified by the RESTOREFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">show</emphasis></term>
<listitem>
<para>The show command can have a number of different
arguments:</para>
<variablelist>
<varlistentry>
<term><emphasis role="bold">actions</emphasis></term>
<listitem>
<para>Produces a report about the available actions (built-in,
standard and user-defined).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">capabilities</emphasis></term>
<listitem>
<para>Displays your kernel/iptables capabilities. The
<emphasis role="bold">-f</emphasis> option causes the display
to be formatted as a capabilities file for use with <emphasis
role="bold">compile -e</emphasis>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>[ [ <option>chain</option> ] <emphasis>chain</emphasis>...
]</term>
<listitem>
<para>The rules in each <emphasis>chain</emphasis> are
displayed using the <emphasis role="bold">iptables
-L</emphasis> <emphasis>chain</emphasis> <emphasis
role="bold">-n -v</emphasis> command. If no
<emphasis>chain</emphasis> is given, all of the chains in the
filter table are displayed. The <emphasis
role="bold">-x</emphasis> option is passed directly through to
iptables and causes actual packet and byte counts to be
displayed. Without this option, those counts are abbreviated.
The <emphasis role="bold">-t</emphasis> option specifies the
Netfilter table to display. The default is <emphasis
role="bold">filter</emphasis>.</para>
<para>The <emphasis role="bold">-l</emphasis> option causes
the rule number for each Netfilter rule to be
displayed.</para>
<para>If the <emphasis role="bold">t</emphasis> option and the
<option>chain</option> keyword are both omitted and any of the
listed <replaceable>chain</replaceable>s do not exist, a usage
message is displayed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis
role="bold">classifiers|filters</emphasis></term>
<listitem>
<para>Displays information about the packet classifiers
defined on the system as a result of traffic shaping
configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">config</emphasis></term>
<listitem>
<para>Dispays distribution-specific defaults.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">connections</emphasis></term>
<listitem>
<para>Displays the IP connections currently being tracked by
the firewall.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ip</emphasis></term>
<listitem>
<para>Displays the system's IPv4 configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">ipa</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.17. Displays the per-IP
accounting counters (<ulink
url="manpages/shorewall-accounting.html">shorewall-accounting</ulink>
(5)).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">log</emphasis></term>
<listitem>
<para>Displays the last 20 Shorewall messages from the log
file specified by the LOGFILE option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). The
<emphasis role="bold">-m</emphasis> option causes the MAC
address of each packet source to be displayed if that
information is available.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">macros</emphasis></term>
<listitem>
<para>Displays information about each macro defined on the
firewall system.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">macro</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.6. Displays the file that
implements the specified <replaceable>macro</replaceable>
(usually
<filename>/usr/share/shorewall/macro</filename>.<replaceable>macro</replaceable>).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">marks</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.26. Displays the various fields
in packet marks giving the min and max value (in both decimal
and hex) and the applicable mask (in hex).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">nat</emphasis></term>
<listitem>
<para>Displays the Netfilter nat table using the command
<emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
<emphasis role="bold">-x</emphasis> option is passed directly
through to iptables and causes actual packet and byte counts
to be displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">policies</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.4. Displays the applicable policy
between each pair of zones. Note that implicit intrazone
ACCEPT policies are not displayed for zones associated with a
single network where that network doesn't specify
<option>routeback</option>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">routing</emphasis></term>
<listitem>
<para>Displays the system's IPv4 routing configuration.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">raw</emphasis></term>
<listitem>
<para>Displays the Netfilter raw table using the command
<emphasis role="bold">iptables -t raw -L -n -v</emphasis>.The
<emphasis role="bold">-x</emphasis> option is passed directly
through to iptables and causes actual packet and byte counts
to be displayed. Without this option, those counts are
abbreviated.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">tc</emphasis></term>
<listitem>
<para>Displays information about queuing disciplines, classes
and filters.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">zones</emphasis></term>
<listitem>
<para>Displays the current composition of the Shorewall zones
on the system.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">start</emphasis></term>
<listitem>
<para>Start shorewall. Existing connections through shorewall
managed interfaces are untouched. New connections will be allowed
only if they are allowed by the firewall rules or policies. If a
<replaceable>directory</replaceable> is included in the command,
Shorewall will look in that <emphasis>directory</emphasis> first for
configuration files. If <emphasis role="bold">-f</emphasis> is
specified, the saved configuration specified by the RESTOREFILE
option in <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5)
will be restored if that saved configuration exists and has been
modified more recently than the files in /etc/shorewall. When
<emphasis role="bold">-f</emphasis> is given, a
<replaceable>directory</replaceable> may not be specified.</para>
<para>Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
added to <ulink url="shorewall.conf.html">shorewall.conf</ulink>(5).
When LEGACY_FASTSTART=No, the modificaiotn times of files in
/etc/shorewall are compared with that of /var/lib/shorewall/firewall
(the compiled script that last started/restarted the
firewall).</para>
<para>The <option>-n</option> option causes Shorewall to avoid
updating the routing table(s).</para>
<para>The <option>-p</option> option causes the connection tracking
table to be flushed; the <command>conntrack</command> utility must
be installed to use this option.</para>
<para>The <option>-c</option> option was added in Shorewall 4.4.20
and performs the compilation step unconditionally, overriding the
AUTOMAKE setting in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5). When both
<option>-f</option> and <option>-c</option>are present, the result
is determined by the option that appears last.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">stop</emphasis></term>
<listitem>
<para>Stops the firewall. All existing connections, except those
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or permitted by the ADMINISABSENTMINDED option in <ulink
url="shorewall.conf.html">shorewall.conf</ulink>(5), are taken down.
The only new traffic permitted through the firewall is from systems
listed in <ulink
url="shorewall-routestopped.html">shorewall-routestopped</ulink>(5)
or by ADMINISABSENTMINDED.</para>
<para>If <option>-f</option> is given, the command will be processed
by the compiled script that executed the last successful <emphasis
role="bold">start</emphasis>, <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">refresh</emphasis> command if that script exists.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">status</emphasis></term>
<listitem>
<para>Produces a short report about the state of the
Shorewall-configured firewall.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">try</emphasis></term>
<listitem>
<para>If Shorewall is started then the firewall state is saved to a
temporary saved configuration
(<filename>/var/lib/shorewall/.try</filename>). Next, if Shorewall
is currently started then a <emphasis role="bold">restart</emphasis>
command is issued; otherwise, a <emphasis
role="bold">start</emphasis> command is performed. if an error
occurs during the compliation phase of the <emphasis
role="bold">restart</emphasis> or <emphasis
role="bold">start</emphasis>, the command terminates without
changing the Shorewall state. If an error occurs during the
<emphasis role="bold">restart</emphasis> phase, then a <emphasis
role="bold">shorewall restore</emphasis> is performed using the
saved configuration. If an error occurs during the <emphasis
role="bold">start</emphasis> phase, then Shorewall is cleared. If
the <emphasis role="bold">start</emphasis>/<emphasis
role="bold">restart</emphasis> succeeds and a
<replaceable>timeout</replaceable> is specified then a <emphasis
role="bold">clear</emphasis> or <emphasis
role="bold">restore</emphasis> is performed after
<replaceable>timeout</replaceable> seconds.</para>
<para>Begining with Shorewall 4.4.28, the numeric
<replaceable>timeout</replaceable> may optionally be followed by an
<option>s</option>, <option>m</option> or <option>h</option> suffix
(e.g., 5m) to specify seconds, minutes or hours respectively. If the
suffix is omitted, seconds is assumed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">update</emphasis></term>
<listitem>
<para>Added in Shorewall 4.4.21 and causes the compiler to update
<filename>/etc/shorewall/shorewall.conf then validate the
configuration</filename>. The update will add options not present in
the old file with their default values, and will move deprecated
options with non-defaults to a deprecated options section at the
bottom of the file. Your existing
<filename>shorewall.conf</filename> file is renamed
<filename>shorewall.conf.bak.</filename></para>
<para>The <option>-a</option> option causes the updated
<filename>shorewall.conf</filename> file to be annotated with
documentation.</para>
<para>The <option>-b</option> option was added in Shorewall 4.4.26
and causes legacy blacklisting rules (<ulink
url="shorewall-blacklist.html">shorewall-blacklist</ulink> (5) ) to
be converted to entries in the blrules file (<ulink
url="shorewall-blrules.html">shorewall-blrules</ulink> (5) ). The
blacklist keyword is removed from <ulink
url="shorewall-zones.html">shorewall-zones</ulink> (5), <ulink
url="shorewall-interfaces.html">shorewall-interfaces</ulink> (5) and
<ulink url="shorewall-hosts.html">shorewall-hosts</ulink> (5). The
unmodified files are saved with a .bak suffix.</para>
<para>For a description of the other options, see the <emphasis
role="bold">check</emphasis> command above.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><emphasis role="bold">version</emphasis></term>
<listitem>
<para>Displays Shorewall's version. The <option>-a</option> option
is included for compatibility with earlier Shorewall releases and is
ignored.</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>FILES</title>
<para>/etc/shorewall/</para>
</refsect1>
<refsect1>
<title>See ALSO</title>
<para><ulink
url="http://www.shorewall.net/starting_and_stopping_shorewall.htm">http://www.shorewall.net/starting_and_stopping_shorewall.htm</ulink></para>
<para>shorewall-accounting(5), shorewall-actions(5),
shorewall-blacklist(5), shorewall-hosts(5), shorewall_interfaces(5),
shorewall-ipsets(5), shorewall-maclist(5), shorewall-masq(5),
shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
shorewall.conf(5), shorewall-secmarks(5), shorewall-tcclasses(5),
shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
shorewall-tunnels(5), shorewall-zones(5)</para>
</refsect1>
</refentry>