Provided by: shorewall-common_4.0.6-1_all

NAME

       shorewall - Administration tool for Shoreline Firewall (Shorewall)

SYNOPSIS

       shorewall [trace|debug] [-options] add interface[:host-list] ... zone
       shorewall [trace|debug] [-options] allow address
       shorewall [trace|debug] [-options] check [-e] [-C {shell|perl}] [-d]
                 [-p] [directory]
       shorewall [trace|debug] [-options] clear [-f]
       shorewall [trace|debug] [-options] compile [-e] [-C {shell|perl}] [-d]
                 [-p] [directory] pathname
       shorewall [trace|debug] [-options] delete interface[:host-list] ...
                 zone
       shorewall [trace|debug] [-options] drop address
       shorewall [trace|debug] [-options] dump [-x] [-m]
       shorewall [trace|debug] [-options] export [-C {shell|perl}]
                 [directory1] [user@]system[:directory2]
       shorewall [trace|debug] [-options] forget [filename]
       shorewall [trace|debug] [-options] help
       shorewall [trace|debug] [-options] hits [-t]
       shorewall [trace|debug] [-options] ipcalc {address mask | address/vlsm}
       shorewall [trace|debug] [-options] iprange address1-address2
       shorewall [trace|debug] [-options] load [-s] [-c] [-r root-user-name]
                 [-C {shell|perl}] [directory] system
       shorewall [trace|debug] [-options] logdrop address
       shorewall [trace|debug] [-options] logwatch [-m] [refresh-interval]
       shorewall [trace|debug] [-options] logreject address
       shorewall [trace|debug] [-options] refresh [chain]...
       shorewall [trace|debug] [-options] reject address
       shorewall [trace|debug] [-options] reload [-s] [-c] [-r root-user-name]
                 [-C {shell|perl}] [directory] system
       shorewall [trace|debug] [-options] reset
       shorewall [trace|debug] [-options] restart [-C {shell|perl}]
                 [directory]
       shorewall [trace|debug] [-options] restore [filename]
       shorewall [trace|debug] [-options] safe-restart [-C {shell|perl}] [-d]
                 [-p] [directory]
       shorewall [trace|debug] [-options] safe-start [-C {shell|perl}] [-d]
                 [-p] [directory]
       shorewall [trace|debug] [-options] save [filename]
       shorewall [trace|debug] [-options] show [-x] [-t {filter|mangle|nat|raw}]
                 [[chain] chain ...]
       shorewall [trace|debug] [-options] show [-f] capabilities
       shorewall [trace|debug] [-options] show
                 {actions|classifiers|connections|config|macros|zones}
       shorewall [trace|debug] [-options] show [-x] {mangle|nat}
       shorewall [trace|debug] [-options] show tc
       shorewall [trace|debug] [-options] show [-m] log
       shorewall [trace|debug] [-options] start [-C {shell|perl}] [-f]
                 [directory]
       shorewall [trace|debug] [-options] stop [-f]
       shorewall [trace|debug] [-options] status
       shorewall [trace|debug] [-options] try [-C {shell|perl}] directory
                 [timeout]
       shorewall [trace|debug] [-options] version [-a]

DESCRIPTION

       The shorewall  utility  is  used  to  control  the  Shoreline  Firewall
       (Shorewall).

OPTIONS

       The   trace   and   debug   options   are   used   for  debugging.  See
       〈http://www.shorewall.net/starting_and_stopping.htm#Trace〉.

       The -options control the amount of output that the command produces.
       They consist of a sequence of the letters v and q. If the options are
       omitted, the amount of output is determined by the setting of the
       VERBOSITY parameter in shorewall.conf(5). Each v adds one to the
       effective verbosity and each q subtracts one from it.

       The  options  may  also  include the letter t which causes all progress
       messages to be timestamped.

COMMANDS

       The available commands are listed below.

       add    Adds a list of hosts or subnets to a dynamic zone, usually used
              with VPNs.

              The interface argument names an interface defined in the
              shorewall-interfaces(5) file. A host-list is a comma-separated
              list whose elements are host or network addresses.

              Caution: the add command is not very robust. If there are errors
              in the host-list, you may see a large number of error messages,
              yet a subsequent shorewall show zones command will indicate that
              all hosts were added. If this happens, replace add by delete and
              run the same command again, then enter the correct command.

       allow  Re-enables receipt of packets from hosts previously  blacklisted
              by a drop, logdrop, reject, or logreject command.

       check  Compiles the configuration in the specified directory and
              discards the compiled output script. If no directory is given,
              then /etc/shorewall is assumed.

              The -e option causes the compiler to look for a file named
              capabilities. This file is produced using the command
              shorewall-lite show -f capabilities > capabilities on a system
              with Shorewall Lite installed.

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

              The -d option only works when the compiler is Shorewall-perl. It
              causes the  compiler  to  be  run  under  control  of  the  Perl
              debugger.

              The -p option only works when the compiler is Shorewall-perl. It
              causes the compiler  to  be  profiled  via  the  Perl  -wd:DProf
              command-line option.

       clear  Clear  will  remove all rules and chains installed by Shorewall.
              The  firewall  is  then  wide  open  and  unprotected.  Existing
              connections  are  untouched.  Clear  is often used to see if the
              firewall is causing connection problems.

              The -f option was added in Shorewall 4.0.3.  If -f is given, the
              command  will  be processed by the compiled script that executed
              the last successful start, restart or refresh  command  if  that
              script exists.

       compile
              Compiles  the  current  configuration  into  the executable file
              pathname. If a directory is supplied,  Shorewall  will  look  in
              that directory first for configuration files.

              When -e is specified, the compilation is being performed on a
              system other than where the compiled script will run. This
              option disables certain configuration options that require the
              script to be compiled where it is to be run. The use of -e
              requires the presence of a configuration file named
              capabilities, which may be produced using the command
              shorewall-lite show -f capabilities > capabilities on a system
              with Shorewall Lite installed.

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

              The -d option only works when the compiler is Shorewall-perl. It
              causes the  compiler  to  be  run  under  control  of  the  Perl
              debugger.

              The -p option only works when the compiler is Shorewall-perl. It
              causes the compiler  to  be  profiled  via  the  Perl  -wd:DProf
              command-line option.

       delete The delete command reverses the effect of an earlier add
              command.

              The interface argument names an interface defined in the
              shorewall-interfaces(5) file. A host-list is a comma-separated
              list whose elements are host or network addresses.

       drop   Causes traffic from the listed addresses to be silently dropped.

       dump   Produces a verbose report about the firewall  configuration  for
              the purpose of problem analysis.

              The  -x  option  causes  actual  packet  and  byte  counts to be
              displayed. Without that option, these  counts  are  abbreviated.
              The -m option causes any MAC addresses included in Shorewall log
              messages to be displayed.

       export Allows a non-root user to compile a shorewall script and stage
              it on a system (provided that the user has access to the system
              via ssh). If directory1 is omitted, the current working
              directory is assumed. The command is equivalent to:

                  /sbin/shorewall compile -e directory1 directory1/firewall &&\
                  scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]

              In other words, the configuration in the specified (or
              defaulted) directory is compiled to a file called firewall in
              that directory. If compilation succeeds, then firewall and
              firewall.conf are copied to system using scp.

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

       forget Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save.
              If no filename is given then the file specified by RESTOREFILE
              in shorewall.conf(5) is assumed.

       help   Displays a syntax summary.

       hits   Generates  several  reports  from  Shorewall log messages in the
              current log file. If the -t option is included, the reports  are
              restricted to log messages generated today.
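
              The following is an added example, not part of this man page or
              of Shorewall itself: a small hits-style summary built with awk,
              sort and uniq from Shorewall log messages, to show what the
              hits command is condensing. It assumes only the default log
              prefix Shorewall:chain:disposition: followed by the kernel's
              netfilter fields (SRC=, DST=, PROTO=, DPT=). The log lines it
              runs on are constructed for the demo, not captured, and the
              helper names are this example's own.

```sh
#!/bin/sh
# Added example, not Shorewall code: a hits-style summary of Shorewall log
# messages using awk/sort/uniq. Assumes the default log prefix
# "Shorewall:<chain>:<disposition>:" followed by the kernel's netfilter
# fields. The sample log below is constructed for the demo.

SAMPLE_LOG="${TMPDIR:-/tmp}/shorewall-hits-sample.$$"
cat > "$SAMPLE_LOG" <<'EOF'
Feb  3 10:15:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 10:15:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  3 10:15:09 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=44323 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Feb  4 02:41:17 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=44 ID=3921 PROTO=UDP SPT=50123 DPT=161 LEN=58
Feb  4 02:41:20 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:50:56:01:02:03:08:00 SRC=192.0.2.9 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=44 ID=3922 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=7
Feb  4 08:00:02 fw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.40 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7 DF PROTO=TCP SPT=51000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Feb  4 08:00:03 fw kernel: eth0: link is up, 1000 Mbps full duplex
EOF

# stdin: syslog lines; stdout: "chain disposition src dst proto dpt" for each
# Shorewall message (other lines are skipped; a missing field prints as "-")
parse_shorewall_log() {
    awk '
    match($0, /Shorewall:[^:]+:[^:]+:/) {
        tag = substr($0, RSTART + 10, RLENGTH - 11)    # e.g. "net2fw:DROP"
        split(tag, t, ":")
        src = dst = proto = dpt = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        print t[1], t[2], src, dst, proto, dpt
    }'
}

# stdin: one key per line; stdout: "count key", most frequent first
count_sorted() { sort | uniq -c | sort -rn | awk '{ $1 = $1; print }'; }

hits_by_source()      { parse_shorewall_log | awk '{ print $3 }' | count_sorted; }
hits_by_port()        { parse_shorewall_log | awk '$6 != "-" { print $5 "/" $6 }' | count_sorted; }
hits_by_disposition() { parse_shorewall_log | awk '{ print $1 ":" $2 }' | count_sorted; }

# Restrict to one syslog day, e.g. "Feb  3". The -t option of hits amounts to
# passing today's date, $(date '+%b %e'), which matches only while syslog and
# date agree on the C-locale month abbreviation.
only_day() { grep "^$1 "; }

echo "== hits by source =="
hits_by_source < "$SAMPLE_LOG"
echo "== hits by protocol/port =="
hits_by_port < "$SAMPLE_LOG"
echo "== hits by chain:disposition =="
hits_by_disposition < "$SAMPLE_LOG"
echo "== Feb 3 only, by source =="
only_day 'Feb  3' < "$SAMPLE_LOG" | hits_by_source
```

              Run it against the real file named by LOGFILE in
              shorewall.conf(5) by replacing $SAMPLE_LOG; the ICMP line in the
              sample shows why the port report must skip messages that carry
              no DPT= field.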

       ipcalc Ipcalc  displays the network address, broadcast address, network
              in CIDR notation and netmask corresponding to the input[s].

       iprange
              Iprange decomposes the specified range of IP addresses into  the
              equivalent list of network/host addresses.
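
              The following is an added example, not part of this man page or
              of Shorewall: the arithmetic behind ipcalc and iprange written
              out in POSIX shell, so the network/broadcast computation and
              the greedy range-to-CIDR decomposition are visible. It takes
              the two ends of a range as separate arguments, prints single
              hosts without a /32 suffix, and uses its own output layout;
              none of that is a claim about Shorewall's exact formatting. It
              needs 64-bit shell arithmetic, which bash and dash provide on
              64-bit systems.

```sh
#!/bin/sh
# Added example, not Shorewall code: the arithmetic behind "ipcalc" and
# "iprange" in POSIX shell. Needs 64-bit $(( )) arithmetic. Output layout is
# this example's own.

# Dotted quad -> unsigned 32-bit integer
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "ip_to_int: expected a.b.c.d" >&2; return 1; }
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# /vlsm (0..32) -> netmask as an integer
vlsm_to_maskint() {
    [ "$1" -ge 0 ] && [ "$1" -le 32 ] || { echo "bad vlsm: $1" >&2; return 1; }
    echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# Dotted netmask -> vlsm; rejects non-contiguous masks such as 255.0.255.0
mask_to_vlsm() {
    m=$(ip_to_int "$1") || return 1
    n=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do      # shift out leading 1 bits
        n=$(( n + 1 ))
        m=$(( (m << 1) & 4294967295 ))
    done
    [ "$m" -eq 0 ] || { echo "mask_to_vlsm: non-contiguous netmask $1" >&2; return 1; }
    echo "$n"
}

# ipcalc {address mask | address/vlsm}
ipcalc() {
    case $1 in
        */*) addr=${1%/*}; vlsm=${1#*/} ;;
        *)   addr=$1; vlsm=$(mask_to_vlsm "$2") || return 1 ;;
    esac
    ai=$(ip_to_int "$addr") || return 1
    mi=$(vlsm_to_maskint "$vlsm") || return 1
    net=$(( ai & mi ))
    bcast=$(( net | (4294967295 - mi) ))           # all host bits set
    printf '   CIDR=%s/%s\n   NETMASK=%s\n   NETWORK=%s\n   BROADCAST=%s\n' \
        "$(int_to_ip "$net")" "$vlsm" "$(int_to_ip "$mi")" \
        "$(int_to_ip "$net")" "$(int_to_ip "$bcast")"
}

# iprange address1 address2: greedy decomposition into aligned CIDR blocks.
# Each step emits the largest power-of-two block that is aligned on the
# current address and does not run past address2.
iprange() {
    s=$(ip_to_int "$1") || return 1
    e=$(ip_to_int "$2") || return 1
    [ "$s" -le "$e" ] || { echo "iprange: $1 is above $2" >&2; return 1; }
    while [ "$s" -le "$e" ]; do
        bits=0
        while [ "$bits" -lt 32 ]; do
            size=$(( 1 << (bits + 1) ))
            if [ $(( s % size )) -ne 0 ] || [ $(( s + size - 1 )) -gt "$e" ]; then
                break
            fi
            bits=$(( bits + 1 ))
        done
        if [ "$bits" -eq 0 ]; then
            int_to_ip "$s"                          # single host
        else
            echo "$(int_to_ip "$s")/$(( 32 - bits ))"
        fi
        s=$(( s + (1 << bits) ))
    done
}

# Demo on constructed input
ipcalc 10.1.2.37/27
ipcalc 10.1.2.37 255.255.255.224
iprange 192.168.1.4 192.168.1.9
```

              The range 192.168.1.4 to 192.168.1.9 comes out as
              192.168.1.4/30 followed by 192.168.1.8/31: a block can only
              grow while its start stays aligned on the block size, which is
              why a range that begins on an odd address always starts with a
              single host.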

       load   Allows a non-root user to compile a shorewall script and
              install it on a system (provided that the user has root access
              to the system via ssh). If directory is omitted, the current
              working directory is assumed. The command is equivalent to:

                  /sbin/shorewall compile -e directory directory/firewall &&\
                  scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
                  ssh root@system '/sbin/shorewall-lite start'

              In other words, the configuration in the specified (or
              defaulted) directory is compiled to a file called firewall in
              that directory. If compilation succeeds, then firewall and
              firewall.conf are copied to system using scp. If the copy
              succeeds, Shorewall Lite on system is started via ssh.

              If -s is specified and the start command succeeds, then the
              remote Shorewall-lite configuration is saved by executing
              shorewall-lite save via ssh.

              If -c is included, the command shorewall-lite show -f
              capabilities > /var/lib/shorewall-lite/capabilities is executed
              via ssh, then the generated file is copied to directory using
              scp. This step is performed before the configuration is
              compiled, so that the script is compiled against the
              capabilities of the target system rather than those of the
              local one.

              If -r is included, it specifies that the root user on system is
              named root-user-name rather than "root".

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

       logdrop
              Causes  traffic  from  the  listed  addresses  to be logged then
              discarded.

       logwatch
              Monitors the log file specified by the LOGFILE option in
              shorewall.conf(5) and produces an audible alarm when new
              Shorewall messages are logged. The -m option causes the MAC
              address of each packet source to be displayed if that
              information is available.

       logreject
              Causes traffic from the  listed  addresses  to  be  logged  then
              rejected.

       refresh
              Shorewall-shell: The rules involving the blacklist, ECN control
              rules, and traffic shaping are recreated to reflect any changes
              made to your configuration files. Existing connections are
              untouched.

              Shorewall-perl: All steps performed by restart are performed by
              refresh, with the exception that refresh only recreates the
              chains specified in the command while restart recreates the
              entire Netfilter ruleset. If no chain is given, the static
              blacklisting chain blacklst is assumed.

              Note: Specifying chains in the command requires Shorewall-perl
              4.0.3 or later. Earlier versions only refresh the blacklst
              chain.

              The listed chains are assumed to be in the filter table. You can
              refresh chains in other tables by prefixing the chain name with
              the table name followed by ":" (e.g., nat:net_dnat). Chain names
              which follow are assumed to be in that table until the end of
              the list or until an entry in the list names another table.
              Built-in chains such as FORWARD may not be refreshed.

              Example:

              shorewall refresh net2fw nat:net_dnat

              refreshes the net2fw chain in the filter table and the net_dnat
              chain in the nat table.
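
              The following is an added example, not part of this man page or
              of Shorewall: a shell function that resolves a refresh argument
              list into (table, chain) pairs under the rule just described,
              so the sticky table prefix and the rejection of built-in chains
              can be checked on sample lists. The function name is this
              example's own; the accepted table names are those the show -t
              option lists.

```sh
#!/bin/sh
# Added example, not Shorewall code: resolve "refresh" arguments into
# (table, chain) pairs. A "table:" prefix applies to that chain and to every
# following chain until another prefix appears; no arguments means the
# filter-table blacklst chain; built-in chains and empty names are rejected.
refresh_chain_list() {
    table=filter
    [ $# -gt 0 ] || set -- blacklst
    for arg in "$@"; do
        case $arg in
            *:*) table=${arg%%:*}; chain=${arg#*:} ;;   # prefix sticks
            *)   chain=$arg ;;
        esac
        case $table in
            filter|nat|mangle|raw) ;;
            *) echo "refresh: unknown table '$table'" >&2; return 1 ;;
        esac
        case $chain in
            ''|INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)
                echo "refresh: chain '$chain' may not be refreshed" >&2
                return 1 ;;
        esac
        printf '%s %s\n' "$table" "$chain"
    done
}

# Demo: the second chain after nat: inherits the nat table
refresh_chain_list net2fw nat:net_dnat loc_dnat filter:loc2fw
```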

       reload Allows a non-root user to compile a shorewall script and
              install it on a system (provided that the user has root access
              to the system via ssh). If directory is omitted, the current
              working directory is assumed. The command is equivalent to:

                  /sbin/shorewall compile -e directory directory/firewall &&\
                  scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
                  ssh root@system '/sbin/shorewall-lite restart'

              In other words, the configuration in the specified (or
              defaulted) directory is compiled to a file called firewall in
              that directory. If compilation succeeds, then firewall and
              firewall.conf are copied to system using scp. If the copy
              succeeds, Shorewall Lite on system is restarted via ssh.

              If -s is specified and the restart command succeeds, then the
              remote Shorewall-lite configuration is saved by executing
              shorewall-lite save via ssh.

              If -c is included, the command shorewall-lite show -f
              capabilities > /var/lib/shorewall-lite/capabilities is executed
              via ssh, then the generated file is copied to directory using
              scp. This step is performed before the configuration is
              compiled.

              If -r is included, it specifies that the root user on system is
              named root-user-name rather than "root".

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.
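
              The load and reload sequences above, as an added example that is
              not Shorewall's own code: one shell function implementing the
              documented pipeline and option semantics (-c fetches the remote
              capabilities file before compiling, -s saves on the remote
              after a successful start or restart, -r selects the remote
              administrative account). DRY_RUN, the function names, and the
              host and directory names in the demo are this example's own;
              with DRY_RUN unset it really invokes /sbin/shorewall, scp and
              ssh exactly as the equivalent commands show.

```sh
#!/bin/sh
# Added example, not Shorewall code: the load / reload pipelines from the
# shorewall(8) page as one function, with the documented option semantics.
#   -c  fetch the remote capabilities file before compiling with -e
#   -s  run "shorewall-lite save" on the remote after a successful start/restart
#   -r  remote administrative user (default root)
# DRY_RUN=1 prints each command instead of running it (this example's own
# device, not a Shorewall option). Hosts and directories in the demo are made up.

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# shorewall_push ACTION [-s] [-c] [-r user] [directory] system
#   ACTION is "start" (load) or "restart" (reload)
shorewall_push() {
    action=$1; shift
    save=; caps=; ruser=root
    while [ $# -gt 0 ]; do
        case $1 in
            -s) save=1 ;;
            -c) caps=1 ;;
            -r) [ $# -ge 2 ] || { echo "shorewall_push: -r needs a user name" >&2; return 2; }
                shift; ruser=$1 ;;
            -*) echo "shorewall_push: unknown option $1" >&2; return 2 ;;
            *)  break ;;
        esac
        shift
    done
    case $# in
        1) dir=.;  system=$1 ;;
        2) dir=$1; system=$2 ;;
        *) echo "usage: shorewall_push ACTION [-s] [-c] [-r user] [directory] system" >&2
           return 2 ;;
    esac
    remote="$ruser@$system"
    dest=/var/lib/shorewall-lite/

    # -c: the capabilities file must describe the target kernel/iptables, so it
    # is generated there and copied back before the -e compile reads it.
    if [ -n "$caps" ]; then
        run ssh "$remote" "/sbin/shorewall-lite show -f capabilities > ${dest}capabilities" &&
        run scp "$remote:${dest}capabilities" "$dir/" || return
    fi

    # Each step runs only if the previous one succeeded, as in the && chain.
    run /sbin/shorewall compile -e "$dir" "$dir/firewall" || return
    run scp "$dir/firewall" "$dir/firewall.conf" "$remote:$dest" || return
    run ssh "$remote" "/sbin/shorewall-lite $action" || return
    [ -z "$save" ] || run ssh "$remote" "/sbin/shorewall-lite save"
}

shorewall_load()   { shorewall_push start   "$@"; }
shorewall_reload() { shorewall_push restart "$@"; }

# Demo (dry run: nothing is executed and no host is contacted)
DRY_RUN=1
shorewall_load -s -c -r fwadmin ./fw1-config fw1.example.net
```

              The account named with -r has to be able to write
              /var/lib/shorewall-lite and run shorewall-lite on the target,
              which is why the page describes it as the root user; give that
              account a key-based ssh login rather than a password so the
              pipeline can run unattended.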

       reset  All the packet and byte counters in the firewall are reset.

       restart
              Restart  is  similar  to  shorewall  stop  followed by shorewall
              start. Existing connections are maintained. If  a  directory  is
              included  in  the command, Shorewall will look in that directory
              first for configuration files.

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

       restore
              Restore Shorewall to a state saved using the shorewall save
              command. Existing connections are maintained. The filename names
              a restore file in /var/lib/shorewall created using shorewall
              save; if no filename is given then Shorewall will be restored
              from the file specified by the RESTOREFILE option in
              shorewall.conf(5).

       safe-restart
              Only allowed if Shorewall is running. The current  configuration
              is   saved  in  /var/lib/shorewall/safe-restart  (see  the  save
              command below) then a shorewall restart is done. You  will  then
              be  prompted  asking if you want to accept the new configuration
              or not. If you answer "n" or if you fail  to  answer  within  60
              seconds  (such  as  when  your  new  configuration  has disabled
              communication with your terminal), the configuration is restored
              from  the  saved  configuration.  If  a directory is given, then
              Shorewall  will  look  in  that  directory  first  when  opening
              configuration files.

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

       safe-start
              Shorewall is started normally. You will then be prompted  asking
              if  everything  went all right. If you answer "n" or if you fail
              to answer within 60 seconds (such as when your new configuration
              has  disabled  communication  with  your  terminal), a shorewall
              clear is performed for  you.  If  a  directory  is  given,  then
              Shorewall  will  look  in  that  directory  first  when  opening
              configuration files.

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

       save   The dynamic blacklist is stored in /var/lib/shorewall/save. The
              state of the firewall is stored in /var/lib/shorewall/filename
              for use by the shorewall restore and shorewall start -f
              commands. If filename is not given then the state is saved in
              the file specified by the RESTOREFILE option in
              shorewall.conf(5).

       show   The show command can have a number of different arguments:

              actions
                     Produces a report about the available actions  (built-in,
                     standard and user-defined).

              capabilities
                     Displays your kernel/iptables capabilities. The -f option
                     causes the display to be formatted as a capabilities file
                     for use with compile -e.

              [ [ chain ] chain... ]
                     The  rules in each chain are displayed using the iptables
                     -L chain -n -v command. If no chain is given, all of  the
                     chains  in  the filter table are displayed. The -x option
                     is passed directly through to iptables and causes  actual
                     packet  and  byte  counts  to  be displayed. Without this
                     option, those counts  are  abbreviated.   The  -t  option
                     specifies  the Netfilter table to display. The default is
                     filter.

                     If the -t option and the chain keyword are both omitted
                     and any of the listed chains do not exist, a usage
                     message is displayed.

              classifiers
                     Displays information about the packet classifiers defined
                     on   the   system   as   a   result  of  traffic  shaping
                     configuration.

              config Displays distribution-specific defaults.

              connections
                     Displays the IP connections currently  being  tracked  by
                     the firewall.

              log    Displays the last 20 Shorewall messages from the log file
                     specified by the LOGFILE option in shorewall.conf(5).
                     The -m option causes the MAC address of each packet
                     source to be displayed if that information is available.

              macros Displays  information  about  each  macro  defined on the
                     firewall system.

              mangle Displays the Netfilter mangle table using the command
                     iptables -t mangle -L -n -v. The -x option is passed
                     directly through to iptables and causes actual packet and
                     byte counts to be displayed. Without this option, those
                     counts are abbreviated.

              nat    Displays the Netfilter nat table using the command
                     iptables -t nat -L -n -v. The -x option is passed directly
                     through to iptables and causes actual packet and byte
                     counts to be displayed. Without this option, those counts
                     are abbreviated.

              tc     Displays information about queuing  disciplines,  classes
                     and filters.

              zones  Displays  the  current composition of the Shorewall zones
                     on the system.

       start  Start shorewall. Existing connections through shorewall-managed
              interfaces are untouched. New connections will be allowed only
              if they are allowed by the firewall rules or policies. If a
              directory is included in the command, Shorewall will look in
              that directory first for configuration files. If -f is
              specified, the saved configuration specified by the RESTOREFILE
              option in shorewall.conf(5) will be restored if that saved
              configuration exists and has been modified more recently than
              the files in /etc/shorewall. When -f is given, a directory may
              not be specified.

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

       stop   Stops the firewall. All existing connections, except those
              listed in shorewall-routestopped(5) or permitted by the
              ADMINISABSENTMINDED option in shorewall.conf(5), are taken
              down. The only new traffic permitted through the firewall is
              from systems listed in shorewall-routestopped(5) or by
              ADMINISABSENTMINDED.

              The -f option was added in Shorewall 4.0.3.  If -f is given, the
              command  will  be processed by the compiled script that executed
              the last successful start, restart or refresh  command  if  that
              script exists.

       status Produces  a  short  report  about  the  state  of the Shorewall-
              configured firewall.

       try    If Shorewall is currently started, the firewall state is first
              saved to a temporary saved configuration
              (/var/lib/shorewall/.try). Next, if Shorewall is currently
              started then a restart command is issued; otherwise, a start
              command is performed. If an error occurs during the compilation
              phase of the restart or start, the command terminates without
              changing the Shorewall state. If an error occurs during the
              restart phase, then a shorewall restore is performed using the
              saved configuration. If an error occurs during the start phase,
              then Shorewall is cleared. If the start/restart succeeds and a
              timeout is specified, then a clear or restore is performed
              after timeout seconds.

              The -C option determines the compiler to use (Shorewall-shell or
              Shorewall-perl). If not specified, the SHOREWALL_COMPILER
              setting in shorewall.conf(5) determines the compiler to use.

       version
              Displays  Shorewall’s version. If the -a option is included, the
              versions of Shorewall-shell and/or Shorewall-perl will  also  be
              displayed.

FILES

       /etc/shorewall/

SEE ALSO

       http://www.shorewall.net/starting_and_stopping_shorewall.htm

       shorewall-accounting(5),  shorewall-actions(5), shorewall-blacklist(5),
       shorewall-hosts(5),    shorewall-interfaces(5),     shorewall-ipsec(5),
       shorewall-maclist(5),  shorewall-masq(5),  shorewall-nat(5), shorewall-
       netmap(5),   shorewall-params(5),    shorewall-policy(5),    shorewall-
       providers(5),      shorewall-proxyarp(5),     shorewall-route_rules(5),
       shorewall-routestopped(5),    shorewall-rules(5),    shorewall.conf(5),
       shorewall-tcclasses(5),  shorewall-tcdevices(5),  shorewall-tcrules(5),
       shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

                               23 November 2007                   shorewall(8)