Provided by: shorewall_3.0.4-1_all
NAME
shorewall - the Shoreline firewall, an iptables based firewall
SYNOPSIS
shorewall [debug|trace] [nolock] [-c <directory>] [-q] [-f] <command>
Copyright (C) 1999-2005 by Tom Eastep <email@example.com>
DESCRIPTION
The Shoreline Firewall, more commonly known as Shorewall, is a
Netfilter (iptables) based firewall that can be used on a dedicated
firewall system, a multi-function gateway/router/server or on a
standalone GNU/Linux system.
OPTIONS
debug|trace
Set up the debug mode (sets the -x shell option).
nolock Tells Shorewall not to acquire the lock file ($STATEDIR/lock).
Used by programs issuing Shorewall commands when those programs
already have the lock file.
-c <directory>
Look for configuration files in directory instead of
-f If the file /var/lib/shorewall/restore is present, shorewall
restores the state the firewall was in when
/var/lib/shorewall/restore was created. Note: this option can be
used only with the start command.
-n This option, when used with start, stop and restart, forces
Shorewall not to alter the routing in any way.
-q Quiet mode.
COMMANDS
start Starts the firewall.
stop Stops the firewall. The only traffic permitted through the
firewall is from systems listed in /etc/shorewall/routestopped.
restart Stops the firewall (if it’s running) and then starts it again.
reset Resets the packet and byte counters in the firewall.
clear Removes all rules and chains installed by the firewall.
refresh Refreshes the rules involving the broadcast addresses of firewall
interfaces, the black list, traffic control rules and ECN
save Creates a script /var/lib/shorewall/restore which, when run, will
restore the firewall to its current state.
restore Runs the /var/lib/shorewall/restore created by the Shorewall
forget Removes the /var/lib/shorewall/restore script created by the
save command and the dynamic blacklist save file.
safe-start Starts the firewall, then prompts you to ask whether everything
looks ok. If you answer "no" or if you don’t answer within 60
seconds, a "shorewall clear" is executed.
safe-restart Saves your current configuration to /var/lib/shorewall/safe-
restart, then issues a "shorewall restart" and prompts you to ask
whether you want to accept the new configuration. If you answer
"no" or if you don’t answer within 60 seconds, the configuration
is restored to its prior state.
status Reports the status of the firewall (started or not started).
dump Produces a verbose report about the firewall (iptables -L -n
show [key]
Produces a verbose report about the firewall (iptables -L -n -v),
where key can be one of the following:
chain Produces a verbose report about the chain (iptables -L
chain -n -v)
nat Produces a verbose report about the nat table (iptables
-t nat -L -n -v).
tos Produces a verbose report about the mangle table
(iptables -t mangle -L -n -v).
log Displays the last 20 packet log entries.
connections
Displays the IP connections currently being tracked by
tc Displays information about the traffic control/shaping
dynamic Displays the dynamic blacklisting configuration
hits Produces several reports about the Shorewall packet log messages
in the current log file named in the $LOGFILE variable in
version Displays the installed version number.
check Performs a cursory validation of the zones, interfaces, hosts,
rules and policy files. CAUTION: this command is totally
unsupported and does not parse and validate the generated
iptables commands. Even though the command completes
successfully, the configuration may fail to start. Problem
reports that complain about errors that the command does not
detect will not be accepted.
try configuration-directory [timeout]
Restarts Shorewall using the configuration found in
configuration-directory and if an error occurs or if the timeout
option is given and the new configuration has been up for that
many seconds then Shorewall is restarted using the standard
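The confirm-or-roll-back behaviour that safe-restart and try describe, written out as an added example in bash (this is not Shorewall's own code). The function names confirm_or_rollback and demo and the APPLY/RESTORE command strings are this example's own choices; it assumes bash for read -t, and the constructed apply/restore commands write to a temp file instead of calling iptables.

```shell
#!/bin/bash
# Added example, not Shorewall's own code: the confirm-or-roll-back pattern
# behind "shorewall safe-restart" and "shorewall try", as a generic bash
# function. The names confirm_or_rollback and demo, and the APPLY/RESTORE
# command strings (run with eval), are this example's own choices.
# confirm_or_rollback APPLY RESTORE [TIMEOUT]
#   1. run APPLY (the command that loads the new rule set)
#   2. ask on stdin whether the new state looks ok, waiting at most TIMEOUT s
#   3. run RESTORE unless "y"/"yes" arrives in time
# Exit status: 0 kept, 1 rolled back, 2 APPLY failed (rolled back as well).
confirm_or_rollback() {
    local apply="$1" restore="$2" timeout="${3:-60}" answer=""
    if ! eval "$apply"; then
        echo "apply failed, restoring previous state" >&2
        eval "$restore"
        return 2
    fi
    # read -t is non-zero on timeout and on EOF; both count as "no answer",
    # the case that rescues an operator whose new rules cut off their session.
    if ! read -r -t "$timeout" -p "Does the new configuration look ok? [y/N] " answer; then
        echo "no answer within ${timeout}s, restoring previous state" >&2
        eval "$restore"
        return 1
    fi
    case "$answer" in
        y|Y|yes|YES) return 0 ;;
        *) echo "rejected, restoring previous state" >&2
           eval "$restore"
           return 1 ;;
    esac
}

# Constructed demonstration: APPLY/RESTORE write "new"/"old" to a temp file
# instead of touching iptables. Prints "<exit status>:<final state>".
demo() {
    local state rc=0
    state=$(mktemp)
    if [ "$1" = silence ]; then   # "silence" simulates no reply at all (EOF)
        confirm_or_rollback "echo new >'$state'" "echo old >'$state'" 1 </dev/null || rc=$?
    else
        printf '%s\n' "$1" | confirm_or_rollback "echo new >'$state'" "echo old >'$state'" 1 || rc=$?
    fi
    echo "$rc:$(cat "$state")"
    rm -f "$state"
}

demo yes      # 0:new  (operator confirmed, new rules kept)
demo no       # 1:old  (operator rejected, previous state restored)
demo silence  # 1:old  (no reply, previous state restored)
```

On a real firewall the APPLY string would be the command that loads the candidate rule set and RESTORE the command that reloads the saved one, with the prompt answered from a separate session that the new rules might have cut off.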
logwatch Monitors the $LOGFILE and produces an audible alarm when new
Shorewall messages are logged.
DYNAMIC BLACKLIST COMMAND
Shorewall can handle blacklists dynamically:
drop <ipaddresslist>
Inserts ipaddresslist into the blacklist using the DENY policy.
reject <ipaddresslist>
Inserts ipaddresslist into the blacklist using the REJECT policy.
allow <ipaddresslist>
Removes ipaddresslist from the blacklist.
save Saves the dynamic blacklisting configuration so that it will be
automatically restored the next time that the firewall is
restarted. This command also creates the
/var/lib/shorewall/restore script as described above.
DYNAMIC ZONES COMMAND
Shorewall’s zones can be altered dynamically:
add <interface>[:host] <zone>
Adds the specified interface (and host if included) to the
del <interface>[:host] <zone>
Deletes the specified interface (and host if included) from the
ipcalc [<address> <mask> | <address/vlsm>]
Displays the network address, broadcast address, network in CIDR
notation and netmask corresponding to the input[s].
iprange <address>-<address>
Decomposes the specified range of IP addresses into the
equivalent list of network/host addresses.
FILES
/etc/shorewall
The default configuration directory. Common default
configurations provided by the author are installed under
shorewall.conf
Shorewall’s main configuration file.
params Sets shell variables that can be used in some of the other
zones Defines the network zones.
interfaces
Tells the firewall which of your firewall’s network interfaces
are connected to which zone.
hosts Defines zones in terms of subnets and/or individual IP
policy Describes the firewall policies that control the traffic between
rules Defines exceptions to the policies.
masq Defines classical IP Masquerading and Source Network Address
proxyarp
Defines Proxy ARP.
nat Defines static NAT rules.
tunnels
Defines IPSec, GRE, IPIP and PPTP tunnels with end-points on the
tcrules
Defines marks to classify packets for traffic shaping.
modules
Contains commands for loading the kernel modules required by
Shorewall-defined firewall rules.
tos Defines the Type of Service field in packet headers based on packet
source, packet destination, protocol, source port and
blacklist
Defines static blacklists.
rfc1918
Defines the treatment of packets under the norfc1918 interface
option (it is installed under /usr/share/shorewall).
bogons Defines the treatment of packets under the nobogons interface
option (it is installed under /usr/share/shorewall).
routestopped
Defines the hosts that are accessible from the firewall when the
firewall is stopped.
maclist
Associates MAC addresses with interfaces and optionally
associates IP addresses with MAC addresses.
init Contains a list of commands that will be executed at the
beginning of a "shorewall start" or "shorewall restart" command.
initdone
Contains a list of commands that will be executed early in the
process of Shorewall configuration, after the old configuration
has been cleared.
start Contains a list of commands that will be executed after
Shorewall has been started or restarted.
stop Contains a list of commands that will be executed at the
beginning of a "shorewall stop" command.
stopped
Contains a list of commands that will be executed at the
completion of a "shorewall stop" command.
ecn Lists the destinations for which you want to disable ECN.
users Associates local users and/or groups with Shorewall "User Sets".
usersets
Controls access by individual users to other network hosts from
the firewall system.
accounting
Contains rules for traffic accounting.
actions and action.template
Files in /etc/shorewall and /usr/share/shorewall respectively
that allow you to define your own actions for rules in
actions.std and action.*
Files in /usr/share/shorewall that define the actions included
as a standard part of Shorewall.
macro.*
Macro definitions (introduced in Shorewall 3.0.0).
AUTHOR
Tom Eastep <firstname.lastname@example.org>
November 2005 SHOREWALL(8)