forked from extern/shorewall_code
6935e8ef00
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@4942 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
717 lines
20 KiB
XML
717 lines
20 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<refentry>
|
|
<refmeta>
|
|
<refentrytitle>shorewall-lite</refentrytitle>
|
|
|
|
<manvolnum>8</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>shorewall-lite</refname>
|
|
|
|
<refpurpose>Administration tool for Shoreline Firewall Lite
|
|
(Shorewall-lite)</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>allow</command>
|
|
|
|
<arg choice="plain">address</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>clear</command>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>drop</command>
|
|
|
|
<arg choice="plain">address</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>dump</command>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg><option>-m</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>forget</command>
|
|
|
|
<arg>filename</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>help</command>
|
|
|
|
<group>
|
|
<arg choice="plain">command</arg>
|
|
</group>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>hits</command>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>ipcalc</command>
|
|
|
|
<group choice="req">
|
|
<arg choice="plain">address mask</arg>
|
|
|
|
<arg choice="plain">address/vlsm</arg>
|
|
</group>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>iprange</command>
|
|
|
|
<arg choice="plain">address1-address2</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>logdrop</command>
|
|
|
|
<arg choice="plain">address</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>logwatch</command>
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
<arg>refresh-interval</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>logreject</command>
|
|
|
|
<arg choice="plain">address</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>reject</command>
|
|
|
|
<arg choice="plain">address</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>restart</command>
|
|
|
|
<arg>directory</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>restore</command>
|
|
|
|
<arg>filename</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>save</command>
|
|
|
|
<arg choice="opt">filename</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>show</command>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg rep="repeat">chain</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>show</command>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<command>capabilities</command>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>show</command>
|
|
|
|
<arg
|
|
choice="req"><option>actions|classifiers|connections|config|macros|zones</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>show</command>
|
|
|
|
<arg><option>-x</option></arg>
|
|
|
|
<arg choice="req"><option>mangle|nat</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>show</command>
|
|
|
|
<arg choice="plain"><option>tc</option></arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>show</command>
|
|
|
|
<arg><option>-m</option></arg>
|
|
|
|
<command>log</command>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>start</command>
|
|
|
|
<arg><option>-f</option></arg>
|
|
|
|
<arg>directory</arg>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>stop</command>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>status</command>
|
|
</cmdsynopsis>
|
|
|
|
<cmdsynopsis>
|
|
<command>shorewall-lite</command>
|
|
|
|
<arg>-options</arg>
|
|
|
|
<command>version</command>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para>The shorewall utility is used to control the Shoreline Firewall
|
|
(Shorewall).</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
|
|
<para>The <emphasis>options</emphasis> control the amount of output that
|
|
the command produces. They consist of a sequence of the letters <emphasis
|
|
role="bold">v</emphasis> and <emphasis role="bold">q</emphasis>. If the
|
|
options are omitted, the amount of output is determined by the setting of
|
|
the VERBOSITY parameter in shorewall.conf(5). Each <emphasis
|
|
role="bold">v</emphasis> adds one to the effective verbosity and each
|
|
<emphasis role="bold">q</emphasis> subtracts one from the effective
|
|
VERBOSITY.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Commands</title>
|
|
|
|
<para>The available commands are listed below.</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><emphasis role="bold">add</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Adds a list of hosts or subnets to a dynamic zone usually used
|
|
with VPN's.</para>
|
|
|
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
|
defined in the shorewall-interfaces(5) file. A
|
|
<emphasis>host-list</emphasis> is comma-separated list whose
|
|
elements are:</para>
|
|
|
|
<programlisting> A host or network address
|
|
The name of a bridge port
|
|
The name of a bridge port followed by a colon (:) and a host or network address</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">allow</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Re-enables receipt of packets from hosts previously
|
|
blacklisted by a <emphasis role="bold">drop</emphasis>, <emphasis
|
|
role="bold">logdrop</emphasis>, <emphasis
|
|
role="bold">reject</emphasis>, or <emphasis
|
|
role="bold">logreject</emphasis> command.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">clear</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Clear will remove all rules and chains installed by Shorewall.
|
|
The firewall is then wide open and unprotected. Existing connections
|
|
are untouched. Clear is often used to see if the firewall is causing
|
|
connection problems.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">delete</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The delete command reverses the effect of an earlier <emphasis
|
|
role="bold">add</emphasis> command.</para>
|
|
|
|
<para>The <emphasis>interface</emphasis> argument names an interface
|
|
defined in the shorewall-interfaces(5) file. A
|
|
<emphasis>host-list</emphasis> is comma-separated list whose
|
|
elements are:</para>
|
|
|
|
<programlisting> A host or network address
|
|
The name of a bridge port
|
|
The name of a bridge port followed by a colon (:) and a host or network address</programlisting>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">drop</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
to be silently dropped.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">dump</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Produces a verbose report about the firewall configuration for
|
|
the purpose of problem analysis.</para>
|
|
|
|
<para>The <emphasis role="bold">-x</emphasis> option causes actual
|
|
packet and byte counts to be displayed. Without that option, these
|
|
counts are abbreviated. The <emphasis role="bold">-m</emphasis>
|
|
option causes any MAC addresses included in Shorewall log messages
|
|
to be displayed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">forget</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Deletes /var/lib/shorewall/<emphasis>filenam</emphasis>e and
|
|
/var/lib/shorewall/save. If no <emphasis>filename</emphasis> is
|
|
given then the file specified by RESTOREFILE in shorewall.conf(5) is
|
|
assumed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">help</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about a particular
|
|
<emphasis>command</emphasis>. If no <emphasis>command</emphasis> is
|
|
given, a syntax summary is displayed.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">hits</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Generates several reports from Shorewall log messages in the
|
|
current log file.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">ipcalc</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Ipcalc displays the network address, broadcast address,
|
|
network in CIDR notation and netmask corresponding to the
|
|
input[s].</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">iprange</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Iprange decomposes the specified range of IP addresses into
|
|
the equivalent list of network/host addresses.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logdrop</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
to be logged then discarded.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logwatch</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Monitors the log file specified by theLOGFILE option in
|
|
shorewall.conf(5) and produces an audible alarm when new Shorewall
|
|
messages are logged. The <emphasis role="bold">-m</emphasis> option
|
|
causes the MAC address of each packet source to be displayed if that
|
|
information is available.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">logreject</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Causes traffic from the listed <emphasis>address</emphasis>es
|
|
to be logged then rejected.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">reset</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>All the packet and byte counters in the firewall are
|
|
reset.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">restart</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Restart is similar to <emphasis role="bold">shorewall-lite
|
|
stop</emphasis> followed by <emphasis role="bold">shorewall-lite
|
|
start</emphasis>. Existing connections are maintained. If a
|
|
<emphasis>directory</emphasis> is included in the command, Shorewall
|
|
will look in that <emphasis>directory</emphasis> first for
|
|
configuration files.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">restore</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Restore Shorewall to a state saved using the <emphasis
|
|
role="bold">shorewall-lite save</emphasis> command. Existing
|
|
connections are maintained. The <emphasis>filename</emphasis> names
|
|
a restore file in /var/lib/shorewall-lite created using <emphasis
|
|
role="bold">shorewall-lite save</emphasis>; if no
|
|
<emphasis>filename</emphasis> is given then Shorewall will be
|
|
restored from the file specified by the RESTOREFILE option in
|
|
shorewall.conf(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">save</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The dynamic blacklist is stored in
|
|
/var/lib/shorewall-lite/save. The state of the firewall is stored in
|
|
/var/lib/shorewall-lite/<emphasis>filename</emphasis> for use by the
|
|
<emphasis role="bold">shorewall-lite restore</emphasis> and
|
|
<emphasis role="bold">shorewall-lite -f start</emphasis> commands.
|
|
If <emphasis>filename</emphasis> is not given then the state is
|
|
saved in the file specified by the RESTOREFILE option in
|
|
shorewall.conf(5).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">show</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>The show command can have a number of different
|
|
arguments:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>[ <emphasis>chain</emphasis> ] ...</term>
|
|
|
|
<listitem>
|
|
<para>The rules in each <emphasis>chain</emphasis> are
|
|
displayed ssing the <emphasis role="bold">iptables
|
|
-L</emphasis> <emphasis>chain</emphasis> <emphasis
|
|
role="bold">-n -v</emphasis> command. If no
|
|
<emphasis>chain</emphasis> is given, all of the chains in the
|
|
filter table are displayed. The <emphasis
|
|
role="bold">-x</emphasis> option is passed directly through to
|
|
iptables and causes actual packet and byte counts to be
|
|
displayed. Without this option, those counts are
|
|
abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">actions</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Produces a report about the available actions (built-in,
|
|
standard and user-defined).</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">capabilities</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays your kernel/iptables capabilities. The
|
|
<emphasis role="bold">-f</emphasis> option causes the display
|
|
to be formatted as a capabilities file for use with <emphasis
|
|
role="bold">compile -e</emphasis>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">classifiers</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about the packet classifiers
|
|
defined on the system as a result of traffic shaping
|
|
configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">config</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Dispays distribution-specific defaults.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">connections</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the IP connections currently being tracked by
|
|
the firewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">macros</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about each macro defined on the
|
|
firewall system.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">mangle</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the Netfilter mangle table using the command
|
|
<emphasis role="bold">iptables -t mangle -L -n
|
|
-v</emphasis>.The <emphasis role="bold">-x</emphasis> option
|
|
is passed directly through to iptables and causes actual
|
|
packet and byte counts to be displayed. Without this option,
|
|
those counts are abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">nat</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the Netfilter nat table using the command
|
|
<emphasis role="bold">iptables -t nat -L -n -v</emphasis>.The
|
|
<emphasis role="bold">-x</emphasis> option is passed directly
|
|
through to iptables and causes actual packet and byte counts
|
|
to be displayed. Without this option, those counts are
|
|
abbreviated.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">tc</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays information about queuing disciplines, classes
|
|
and filters.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">zones</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays the current composition of the Shorewall zones
|
|
on the system.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">start</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Start shorewall. Existing connections through shorewall
|
|
managed interfaces are untouched. New connections will be allowed
|
|
only if they are allowed by the firewall rules or policies. If a
|
|
<emphasis>directory</emphasis> is included in the command, Shorewall
|
|
will look in that <emphasis>directory</emphasis> first for
|
|
configuration files.If <emphasis role="bold">-f</emphasis> is
|
|
specified, the saved configuration specified by the RESTOREFILE
|
|
option in shorewall.conf(5) will be restored if that saved
|
|
configuration exists and has been modified more recently than the
|
|
files in /etc/shorewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">stop</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Stops the firewall. All existing connections, except those
|
|
listed in shorewall-routestopped(5) or permitted by the
|
|
ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. The
|
|
only new traffic permitted through the firewall is from systems
|
|
listed in shorewall-routestopped(5) or by
|
|
ADMINISABSENTMINDED.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">status</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Produces a short report about the state of the
|
|
Shorewall-configured firewall.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><emphasis role="bold">version</emphasis></term>
|
|
|
|
<listitem>
|
|
<para>Displays Shorewall-lite's version.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>FILES</title>
|
|
|
|
<para>/etc/shorewall-lite/</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See ALSO</title>
|
|
|
|
<para>shorewall.conf(5)</para>
|
|
</refsect1>
|
|
</refentry> |