Provided by: shorewall_3.4.4-1_all
 

NAME

        shorewall - Administration tool for Shoreline Firewall (Shorewall)
 

SYNOPSIS

        shorewall [-options] add interface[:host-list] ... zone
 
        shorewall [-options] allow address
 
        shorewall [-options] check [-e] [directory]
 
        shorewall [-options] clear
 
        shorewall [-options] compile [-e] [directory] pathname
 
        shorewall [-options] delete interface[:host-list] ... zone
 
        shorewall [-options] drop address
 
        shorewall [-options] dump [-x] [-m]
 
        shorewall [-options] export [directory1] [user@]system[:directory2]
 
        shorewall [-options] forget [filename]
 
        shorewall [-options] help
 
        shorewall [-options] hits
 
        shorewall [-options] ipcalc {address mask | address/vlsm}
 
        shorewall [-options] iprange address1-address2
 
        shorewall [-options] load [-s] [-c] [-r root-user-name] [directory]
                  system
 
        shorewall [-options] logdrop address
 
        shorewall [-options] logwatch [-m] [refresh-interval]
 
        shorewall [-options] logreject address
 
        shorewall [-options] refresh
 
        shorewall [-options] reject address
 
        shorewall [-options] reload [-s] [-c] [-r root-user-name] [directory]
                  system
 
        shorewall [-options] restart [directory]
 
        shorewall [-options] restore [filename]
 
        shorewall [-options] safe-restart [directory]
 
        shorewall [-options] safe-start [directory]
 
        shorewall [-options] save [filename]
 
        shorewall [-options] show [-x] [-t {filter|mangle|nat|raw}]
                  [chain]...
 
        shorewall [-options] show [-f] capabilities
 
        shorewall [-options] show {actions|classifiers|connections|config|
                  macros|zones}
 
        shorewall [-options] show [-x] {mangle|nat}
 
        shorewall [-options] show tc
 
        shorewall [-options] show [-m] log
 
        shorewall [-options] start [-f] [directory]
 
        shorewall [-options] stop
 
        shorewall [-options] status
 
        shorewall [-options] try directory [timeout]
 
        shorewall [-options] version
 

DESCRIPTION

        The shorewall utility is used to control the Shoreline Firewall
        (Shorewall).
 

OPTIONS

        The options control the amount of output that the command produces.
        They consist of a sequence of the letters v and q. If the options are
        omitted, the amount of output is determined by the setting of the
        VERBOSITY parameter in shorewall.conf(5). Each v adds one to the
        effective verbosity and each q subtracts one from the effective
        VERBOSITY.
 
        The options may also include the letter t  which  causes  all  progress
        messages to be timestamped.
 

COMMANDS

        The available commands are listed below.
 
        add    Adds a list of hosts or subnets to a dynamic zone, usually used
               with VPNs.
 
               The interface argument names an interface defined in the
               shorewall-interfaces(5) file. A host-list is a comma-separated
               list whose elements are:
 
                       A host or network address
                       The name of a bridge port
                       The name of a bridge port followed by a colon (:) and a host or network address
 
        allow  Re-enables receipt of packets from hosts previously  blacklisted
               by a drop, logdrop, reject, or logreject command.
 
        check  Compiles the configuration in the specified directory and
               discards the compiled output script. If no directory is given,
               then /etc/shorewall is assumed.
 
               The -e option causes the compiler to look for a file named
               capabilities. This file is produced using the command
               shorewall-lite show -f capabilities > capabilities on a system
               with Shorewall Lite installed.
 
        clear  Clear will remove all rules and chains installed  by  Shorewall.
               The firewall is then wide open and unprotected. Existing connec‐
               tions are untouched. Clear is often used to see if the  firewall
               is causing connection problems.
 
        compile
               Compiles  the  current  configuration  into  the executable file
               pathname. If a directory is supplied,  Shorewall  will  look  in
               that directory first for configuration files.
 
               When -e is specified, the compilation is being performed on a
               system other than where the compiled script will run. This
               option disables certain configuration options that require the
               script to be compiled where it is to be run. The use of -e
               requires the presence of a configuration file named
               capabilities, which may be produced using the command
               shorewall-lite show -f capabilities > capabilities on a system
               with Shorewall Lite installed.
 
        delete The delete command reverses the effect of an earlier add
               command.
 
               The interface argument names an interface defined in the
               shorewall-interfaces(5) file. A host-list is a comma-separated
               list whose elements are:
 
                       A host or network address
                       The name of a bridge port
                       The name of a bridge port followed by a colon (:) and a host or network address
 
        drop   Causes traffic from the listed addresses to be silently dropped.
 
        dump   Produces a verbose report about the firewall  configuration  for
               the purpose of problem analysis.
 
               The -x option causes actual packet and byte counts to be
               displayed. Without that option, these counts are abbreviated.
               The -m option causes any MAC addresses included in Shorewall log
               messages to be displayed.
 
        export If directory1 is  omitted,  the  current  working  directory  is
               assumed.
 
               Allows  a  non-root user to compile a shorewall script and stage
               it on a system (provided that the user has access to the  system
               via ssh). The command is equivalent to:
 
                   /sbin/shorewall compile -e directory1 directory1/firewall &&\
                   scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]
 
               In other words, the configuration in the specified (or
               defaulted) directory is compiled to a file called firewall in
               that directory. If compilation succeeds, then firewall and
               firewall.conf are copied to system using scp.
 
        forget Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save.
               If  no  filename is given then the file specified by RESTOREFILE
               in shorewall.conf(5) is assumed.
 
        help   Displays a syntax summary.
 
        hits   Generates several reports from Shorewall  log  messages  in  the
               current log file.
 
        ipcalc Ipcalc  displays the network address, broadcast address, network
               in CIDR notation and netmask corresponding to the input[s].
 
        iprange
               Iprange decomposes the specified range of IP addresses into  the
               equivalent list of network/host addresses.
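The two calculations described above, as an added Python example that is not part of Shorewall's own code: ipcalc() accepts either address/vlsm or an address plus a dotted mask, and iprange() performs the greedy aligned-block decomposition that yields the minimal list of networks and hosts for a range (IPv4 only; the function names are mine, and matches_stdlib() cross-checks the result against the standard library).

```python
# Added example, not Shorewall's own code: reimplements in plain Python what
# the man page describes for "shorewall ipcalc" and "shorewall iprange" (IPv4).
import ipaddress


def ipcalc(address, mask=None):
    """ipcalc: takes "address/vlsm", or an address plus a dotted mask, and
    returns the network address, broadcast address, CIDR form and netmask."""
    spec = address if mask is None else f"{address}/{mask}"
    net = ipaddress.ip_network(spec, strict=False)  # host bits are tolerated
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "cidr": str(net),
        "netmask": str(net.netmask),
    }


def iprange(first, last):
    """iprange: decompose the inclusive range first-last into the minimal
    list of network/host addresses.  Greedy: at each step emit the largest
    block that is aligned to its own size and does not run past 'last'."""
    cur = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    blocks = []
    while cur <= end:
        size = 1
        while cur % (size * 2) == 0 and cur + size * 2 - 1 <= end:
            size *= 2
        if size == 1:
            blocks.append(str(ipaddress.ip_address(cur)))  # a single host
        else:
            prefix = 32 - (size.bit_length() - 1)
            blocks.append(f"{ipaddress.ip_address(cur)}/{prefix}")
        cur += size
    return blocks


def matches_stdlib(first, last):
    """Cross-check against ipaddress.summarize_address_range, which produces
    the same minimal decomposition but always writes hosts as /32."""
    ours = [b if "/" in b else b + "/32" for b in iprange(first, last)]
    ref = [str(n) for n in ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))]
    return ours == ref


if __name__ == "__main__":
    print(ipcalc("192.168.1.77/26"))
    print(iprange("192.168.1.4", "192.168.1.13"))
```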
 
        load   If  directory  is  omitted,  the  current  working  directory is
               assumed. Allows a non-root user to compile  a  shorewall  script
               and  install  it  on  a  system (provided that the user has root
               access to the system via ssh). The command is equivalent to:
 
                   /sbin/shorewall compile -e directory directory/firewall &&\
                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
                   ssh root@system      /sbin/shorewall-lite start     
 
               In  other  words,  the  configuration  in  the   specified   (or
               defaulted)  directory  is  compiled to a file called firewall in
               that directory. If compilation succeeds, then firewall is copied
               to  system  using  scp.  If the copy succeeds, Shorewall Lite on
               system is started via ssh.
 
               If -s is specified and the start command succeeds, then the
               remote Shorewall-lite configuration is saved by executing
               shorewall-lite save via ssh.
 
               If -c is included, the command shorewall-lite show capabilities
               -f > /var/lib/shorewall-lite/capabilities is executed via ssh,
               then the generated file is copied to directory using scp. This
               step is performed before the configuration is compiled.
 
               If  -r is included, it specifies that the root user on system is
               named root-user-name rather than "root".
 
        logdrop
               Causes traffic from the listed addresses to be logged then  dis‐
               carded.
 
        logwatch
               Monitors  the log file specified by the LOGFILE option in shore‐
               wall.conf(5) and produces an audible alarm  when  new  Shorewall
               messages  are  logged.   The -m option causes the MAC address of
               each packet source to be displayed if that information is avail‐
               able.
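The log messages that hits, logwatch -m and show log -m consume, handled in an added Python example (not Shorewall's own code): it parses the default Shorewall:chain:disposition: prefix and the netfilter key=value fields from constructed sample lines, tallies them the way a hits report would, and extracts the source MAC (octets 7..12 of the MAC= field) that -m displays. The sample lines and function names are mine.

```python
# Added example, not Shorewall's own code: a minimal parser and tally for
# Shorewall log messages, in the spirit of "shorewall hits" and "show log -m".
import re
from collections import Counter

# Constructed sample lines (trimmed netfilter fields).  Shorewall's default
# LOGFORMAT writes "Shorewall:<chain>:<disposition>:" before the kernel fields;
# the last line is an unrelated syslog entry that must be ignored.
SAMPLE_LOG = """\
Jun 17 10:15:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TTL=51 PROTO=TCP SPT=44321 DPT=22 SYN
Jun 17 10:15:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TTL=51 PROTO=TCP SPT=44322 DPT=23 SYN
Jun 17 10:15:05 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:16:3e:aa:bb:cc:00:50:56:c0:00:08:08:00 SRC=198.51.100.7 DST=192.0.2.1 LEN=40 TTL=64 PROTO=UDP SPT=53 DPT=1900
Jun 17 10:15:06 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.50 LEN=52 TTL=63 PROTO=TCP SPT=50000 DPT=443
Jun 17 10:15:07 fw sshd[123]: Accepted publickey for admin from 10.0.0.5 port 50001
"""

PREFIX = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)")
FIELD = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict for a Shorewall message, or None for unrelated lines."""
    m = PREFIX.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disp")}
    rec.update(FIELD.findall(m.group("rest")))
    # The netfilter MAC field is dst(6):src(6):ethertype(2); the packet
    # source's MAC, which the -m option reports, is octets 7..12.
    octets = rec.get("MAC", "").split(":")
    rec["SRCMAC"] = ":".join(octets[6:12]) if len(octets) >= 14 else ""
    return rec


def hits(log_text, show_mac=False):
    """Tally records as a hits report would: by source address, by
    destination proto/port, and by chain:disposition.  With show_mac the
    source key also carries the source MAC, so a spoofed address on a local
    segment is still attributable to a physical station."""
    by_src, by_dport, by_disp = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("SRC", "?")
        if show_mac and rec["SRCMAC"]:
            src = f"{src} [{rec['SRCMAC']}]"
        by_src[src] += 1
        by_dport[f"{rec.get('PROTO', '?')}/{rec.get('DPT', '-')}"] += 1
        by_disp[f"{rec['chain']}:{rec['disposition']}"] += 1
    return by_src, by_dport, by_disp


if __name__ == "__main__":
    for table in hits(SAMPLE_LOG, show_mac=True):
        print(table.most_common())
```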
 
        logreject
               Causes  traffic  from  the  listed  addresses  to be logged then
               rejected.
 
        refresh
               The rules involving the black list, ECN control rules, and
               traffic shaping are recreated to reflect any changes made to
               your configuration files. Existing connections are untouched.
 
        reload If directory  is  omitted,  the  current  working  directory  is
               assumed.  Allows  a  non-root user to compile a shorewall script
               and install it on a system (provided  that  the  user  has  root
               access to the system via ssh). The command is equivalent to:
 
                   /sbin/shorewall compile -e directory directory/firewall &&\
                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
                   ssh root@system      /sbin/shorewall-lite restart     
 
               In   other   words,  the  configuration  in  the  specified  (or
               defaulted) directory is compiled to a file  called  firewall  in
               that directory. If compilation succeeds, then firewall is copied
               to system using scp. If the copy  succeeds,  Shorewall  Lite  on
               system is restarted via ssh.
 
               If -s is specified and the restart command succeeds, then the
               remote Shorewall-lite configuration is saved by executing
               shorewall-lite save via ssh.
 
               If -c is included, the command shorewall-lite show capabilities
               -f > /var/lib/shorewall-lite/capabilities is executed via ssh,
               then the generated file is copied to directory using scp. This
               step is performed before the configuration is compiled.
 
               If -r is included, it specifies that the root user on system  is
               named root-user-name rather than "root".
 
        reset  All the packet and byte counters in the firewall are reset.
 
        restart
               Restart  is  similar  to  shorewall  stop  followed by shorewall
               start. Existing connections are maintained. If  a  directory  is
               included  in  the command, Shorewall will look in that directory
               first for configuration files.
 
        restore
               Restore Shorewall to a state saved using the shorewall save
               command. Existing connections are maintained. The filename
               names a restore file in /var/lib/shorewall created using
               shorewall save; if no filename is given then Shorewall will be
               restored from the file specified by the RESTOREFILE option in
               shorewall.conf(5).
 
        safe-restart
               Only allowed if Shorewall is running. The current configuration
               is saved in /var/lib/shorewall/safe-restart (see the save
               command below), then a shorewall restart is done. You will then
               be prompted asking if you want to accept the new configuration
               or not. If you answer "n" or if you fail to answer within 60
               seconds (such as when your new configuration has disabled
               communication with your terminal), the configuration is
               restored from the saved configuration. If a directory is given,
               then Shorewall will look in that directory first when opening
               configuration files.
 
        safe-start
               Shorewall is started normally. You will then be prompted asking
               if everything went all right. If you answer "n" or if you fail
               to answer within 60 seconds (such as when your new configuration
               has disabled communication with your terminal), a shorewall
               clear is performed for you. If a directory is given, then
               Shorewall will look in that directory first when opening
               configuration files.
 
        save   The dynamic blacklist is stored in /var/lib/shorewall/save. The
               state of the firewall is stored in /var/lib/shorewall/filename
               for use by the shorewall restore and shorewall -f start
               commands. If filename is not given then the state is saved in
               the file specified by the RESTOREFILE option in
               shorewall.conf(5).
 
        show   The show command can have a number of different arguments:
 
               [ chain ] ...
                       The rules in each chain are displayed using the iptables
                       -L chain -n -v command. If no chain is given, all of the
                       chains in the filter table are displayed. The -x option
                       is passed directly through to iptables and causes actual
                       packet and byte counts to be displayed. Without this
                       option, those counts are abbreviated. The -t option
                       specifies the Netfilter table to display. The default is
                       filter.
 
               actions
                      Produces a report about the available actions  (built-in,
                      standard and user-defined).
 
               capabilities
                      Displays your kernel/iptables capabilities. The -f option
                      causes the display to be formatted as a capabilities file
                      for use with compile -e.
 
               classifiers
                      Displays information about the packet classifiers defined
                      on the system as a result of traffic  shaping  configura‐
                      tion.
 
               config Displays distribution-specific defaults.
 
               connections
                      Displays  the  IP  connections currently being tracked by
                      the firewall.
 
               log    Displays the last 20 Shorewall messages from the log file
                      specified by the LOGFILE option in shorewall.conf(5). The
                      -m option causes the MAC address of each packet source to
                      be displayed if that information is available.
 
               macros Displays  information  about  each  macro  defined on the
                      firewall system.
 
               mangle Displays the Netfilter mangle table using the command
                      iptables -t mangle -L -n -v. The -x option is passed
                      directly through to iptables and causes actual packet and
                      byte counts to be displayed. Without this option, those
                      counts are abbreviated.
 
               nat    Displays the Netfilter nat table using the command
                      iptables -t nat -L -n -v. The -x option is passed
                      directly through to iptables and causes actual packet and
                      byte counts to be displayed. Without this option, those
                      counts are abbreviated.
 
               tc     Displays information about queuing  disciplines,  classes
                      and filters.
 
               zones  Displays  the  current composition of the Shorewall zones
                      on the system.
 
        start  Start shorewall. Existing connections through shorewall managed
               interfaces are untouched. New connections will be allowed only
               if they are allowed by the firewall rules or policies. If a
               directory is included in the command, Shorewall will look in
               that directory first for configuration files. If -f is
               specified, the saved configuration specified by the RESTOREFILE
               option in shorewall.conf(5) will be restored if that saved
               configuration exists and has been modified more recently than
               the files in /etc/shorewall. When -f is given, a directory may
               not be specified.
 
        stop   Stops the firewall. All existing connections, except those
               listed in shorewall-routestopped(5) or permitted by the
               ADMINISABSENTMINDED option in shorewall.conf(5), are taken
               down. The only new traffic permitted through the firewall is
               from systems listed in shorewall-routestopped(5) or by
               ADMINISABSENTMINDED.
 
        status Produces a short report about the state of the
               Shorewall-configured firewall.
 
        try    If Shorewall is started then the firewall state is saved to a
               temporary saved configuration (/var/lib/shorewall/.try). Next,
               if Shorewall is currently started then a restart command is
               issued; otherwise, a start command is performed. If an error
               occurs during the compilation phase of the restart or start,
               the command terminates without changing the Shorewall state. If
               an error occurs during the restart phase, then a shorewall
               restore is performed using the saved configuration. If an error
               occurs during the start phase, then Shorewall is cleared. If
               the start/restart succeeds and a timeout is specified then a
               clear or restore is performed after timeout seconds.
 
        version
               Displays Shorewall’s version.
 

FILES

        /etc/shorewall/

SEE ALSO

        http://www.shorewall.net/starting_and_stopping_shorewall.htm
 
        shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5),
        shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
        shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
        shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
        shorewall-providers(5), shorewall-proxyarp(5),
        shorewall-route_rules(5), shorewall-routestopped(5),
        shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
        shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
        shorewall-tunnels(5), shorewall-zones(5)
 
                                  17 June 2007                     shorewall(8)