Provided by: shorewall_3.0.4-1_all


NAME
       shorewall - the Shoreline firewall, an iptables based firewall


SYNOPSIS
       shorewall [debug|trace] [nolock] [-c <directory>] [-q] [-f] <command>


COPYRIGHT
       Copyright (C) 1999-2005 by Tom Eastep <>


DESCRIPTION
       The Shoreline Firewall, more commonly known as Shorewall, is a
       Netfilter (iptables) based firewall that can be used on a dedicated
       firewall system, a multi-function gateway/router/server or on a
       standalone GNU/Linux system.


OPTIONS
       debug  Set up the debug mode (sets the -x shell option).

       nolock Tells Shorewall not to acquire the lock  file  ($STATEDIR/lock).
              Used  by programs issuing Shorewall commands when those programs
              already have the lock file.

       -c directory
              Look  for  configuration   files   in   directory   instead   of

       -f     If the file /var/lib/shorewall/restore is present, shorewall
              restores the firewall to the state it was in when
              /var/lib/shorewall/restore was created. Note: this option can be
              used only with the start command.

       -n     This option, when used  with  start,  stop  and  restart  forces
              Shorewall to not alter the routing in any way.

       -q     Quiet mode.


COMMANDS
       start  Starts the firewall.

       stop   Stops  the  firewall.  The  only  traffic  permitted through the
              firewall is from systems listed in  /etc/shorewall/routestopped.

       restart
              Stops the firewall (if it’s running) and then starts it again.

       reset  Reset the packet and byte counters in the firewall.

       clear  Remove all rules and chains installed by the firewall.

       refresh
              Refreshes the rules involving the broadcast addresses of firewall
              interfaces, the black list, traffic control rules and ECN
              control rules.

       save   Creates a script /var/lib/shorewall/restore  which when run will
              restore the state of the firewall to its current state.

       restore
              Runs the /var/lib/shorewall/restore script created by the
              Shorewall save command.

       forget Removes  the  /var/lib/shorewall/restore  script  created by the
              save   command   and   the   dynamic   blacklist    save    file

       safe-start
              Starts the firewall, then prompts you to ask if everything
              looks ok. If you answer "no" or if you don’t answer within 60
              seconds, a "shorewall clear" is executed.

       safe-restart
              Saves your current configuration to /var/lib/shorewall/safe-
              restart, then issues a "shorewall restart". It then prompts you
              to ask if you want to accept the new configuration. If you
              answer "no" or if you don’t answer within 60 seconds, the
              configuration is restored to its prior state.


       status Reports the status of the firewall (started or not started).

       dump   Produces  a  verbose  report  about the firewall (iptables -L -n

       show [key]
              Produces a verbose report about the firewall (iptables -L -n -v);
              key can be one of the following:

              chain  Produces a verbose report about the chain (iptables -L
                     chain -n -v).

              nat    Produces a verbose report about the nat  table  (iptables
                     -t nat -L -n -v).

              tos    Produces   a   verbose  report  about  the  mangle  table
                     (iptables -t mangle -L -n -v).

              log    Display the last 20 packet log entries.

              connections
                     Displays the IP connections currently being tracked by
                     the firewall.

              tc     Displays  information  about  the traffic control/shaping

              dynamic
                     Displays the dynamic blacklisting configuration.

       hits   Produces several reports about the Shorewall packet log messages
              in  the  current  log  file  named  in  the $LOGFILE variable in

       version
              Displays the installed version number.

       check  Performs a cursory validation of the zones, interfaces, hosts,
              rules and policy files. CAUTION: this command is totally
              unsupported and does not parse and validate the generated
              iptables commands. Even if the command completes successfully,
              the configuration may fail to start. Problem reports that
              complain about errors that the command does not detect will not
              be accepted.

       try configuration-directory [timeout]
              Restarts Shorewall using the configuration found in
              configuration-directory. If an error occurs, or if the timeout
              option is given and the new configuration has been up for that
              many seconds, then Shorewall is restarted using the standard

       logwatch
              Monitors the $LOGFILE and produces an audible alarm when new
              Shorewall messages are logged.


       Shorewall can handle blacklists dynamically:

       drop <ipaddresslist>
              Inserts  ipaddresslist into the blacklist using the DENY policy.

       reject <ipaddresslist>
              Inserts ipaddresslist into the blacklist using the REJECT policy.

       allow <ipaddresslist>
              Removes ipaddresslist from the blacklist.

       save   Saves the dynamic blacklisting configuration so that it will be
              automatically restored the next time that the firewall is
              restarted. This command also creates the
              /var/lib/shorewall/restore script as described above.


       Shorewall’s zones can be altered dynamically:

       add <interface>[:host] <zone>
              Adds the specified interface  (and  host  if  included)  to  the
              specified zone.

       del <interface>[:host] <zone>
              Deletes  the specified interface (and host if included) from the
              specified zone.


       ipcalc [<address> <mask> | <address/vlsm>]
              Displays the network address, broadcast address, network in CIDR
              notation and netmask corresponding to the input[s].

       iprange address1-address2
              Decomposes   the  specified  range  of  IP  addresses  into  the
              equivalent list of network/host addresses.
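       As an added example that is not part of this man page or of Shorewall’s
       own code, the following shell script performs the same range-to-CIDR
       decomposition that the iprange command describes. The output format
       (one block per line, always with a /prefix, even for single hosts) is
       this example’s own choice, not necessarily Shorewall’s.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: decompose an IPv4 range written as
# address1-address2 into the minimal list of CIDR blocks, as "shorewall
# iprange" does. Each block is the largest power-of-two block that starts at
# the current low address and does not extend past the high address.

ip2int() {
    # dotted quad -> unsigned 32-bit integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {
    # unsigned 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

iprange() {
    # usage: iprange address1-address2 ; prints one CIDR block per line
    lo=$(ip2int "${1%-*}")
    hi=$(ip2int "${1#*-}")
    if [ "$lo" -gt "$hi" ]; then
        echo "iprange: invalid range $1" >&2
        return 1
    fi
    while [ "$lo" -le "$hi" ]; do
        bits=32
        # Widen the block while its start stays aligned on lo and its last
        # address does not pass hi; the next larger block has 2^(33-bits) hosts.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            if [ $(( lo % size )) -ne 0 ] || [ $(( lo + size - 1 )) -gt "$hi" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        echo "$(int2ip "$lo")/$bits"
        lo=$(( lo + (1 << (32 - bits)) ))
    done
}

# Constructed sample range used when no argument is given.
iprange "${1:-10.0.0.1-10.0.0.6}"
```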




FILES
       /etc/shorewall
              The default configuration directory. Common default
              configurations provided by the author are installed under
       shorewall.conf
              Shorewall’s main configuration file.

       params Set shell variables that can  be  used  in  some  of  the  other
              configuration files.

       zones  Define the network zones.

       interfaces
              Tells the firewall which of your firewall’s network interfaces
              are connected to which zone.

       hosts  Defines  zones  in  terms  of  subnets  and/or   individual   IP

       policy Describes the firewall policies that control the traffic between

       rules  Defines exceptions to the policies.

       masq   Defines classical IP Masquerading  and  Source  Network  Address
              Translation (SNAT).

       proxyarp
              Defines Proxy ARP.

       nat    Defines static NAT rules.

       tunnels
              Defines IPSec, GRE, IPIP and PPTP tunnels with end-points on the

       tcrules
              Defines marks to classify packets for traffic shaping.

       modules
              Contains commands for loading the kernel modules required by
              Shorewall-defined firewall rules.

       tos    Defines  Type of Service field in packet headers based on packet
              source,  packet   destination,   protocol,   source   port   and
              destination port.

       blacklist
              Defines static blacklists.

       rfc1918
              Defines the treatment of packets under the norfc1918 interface
              option (it is installed under /usr/share/shorewall).

       bogons Defines the treatment of packets under the nobogons interface
              option (it is installed under /usr/share/shorewall).

       routestopped
              Defines the hosts that are accessible from the firewall when the
              firewall is stopped.

       maclist
              Associates MAC addresses with interfaces and optionally
              associates IP addresses with MAC addresses.


       init   Contains  a  list  of  commands  that  will  be  executed at the
              beginning of a "shorewall start" or "shorewall restart" command.

       initdone
              Contains a list of commands that will be executed early in the
              process of Shorewall configuration, after the old configuration
              has been cleared.

       start  Contains  a  list  of  commands  that  will  be  executed  after
              Shorewall has been started or restarted.

       stop   Contains a list  of  commands  that  will  be  executed  at  the
              beginning of a "shorewall stop" command.

       stopped
              Contains a list of commands that will be executed at the
              completion of a "shorewall stop" command.

       ecn    Lists the destinations for which you want to disable ECN.

       users  Associates local users and/or groups to Shorewall "User Sets".

       usersets
              Controls access by individual users to other network hosts from
              the firewall system.

       accounting
              Contains rules for traffic accounting.

       actions and action.template
              Files  in  /etc/shorewall  and /usr/share/shorewall respectively
              that  allow  you  to  define  your  own  actions  for  rules  in

       actions.std and action.*
              Files  in  /usr/share/shorewall that define the actions included
              as a standard part of Shorewall.

       macro.*
              Macro definitions (introduced in Shorewall 3.0.0).


AUTHOR
       Tom Eastep <>

                                 November 2005                    SHOREWALL(8)