Provided by: sanewall_1.0.2+ds-2_all

NAME

       sanewall - an easy to use but powerful iptables stateful firewall

SYNOPSIS


       sanewall

       sudo -E sanewall panic [IP]

       sanewall command [-- conf-arg...]

       sanewall CONFIGFILE [start | debug | try] [-- conf-arg...]

DESCRIPTION

       Running sanewall invokes iptables(8) to manipulate your firewall.

       Run without any arguments, sanewall will present some help on usage.

       When given CONFIGFILE, sanewall will use the named file instead of /etc/sanewall/sanewall.conf as its
       configuration. If no command is given, sanewall assumes try.

       Arguments can be passed to the configuration file by separating them from the rest of the command
       line with --. The arguments are accessible in the configuration using standard bash(1) syntax, e.g.
       $1, $2, etc.

       Sanewall is a fork of FireHOL[1]. Existing FireHOL configurations should be compatible with Sanewall, but
       please see the section called “COMPATIBILITY” for any differences in behaviour.

PANIC

       To block all communication, invoke sanewall with the panic command.

       Sanewall removes all rules from the running firewall and then DROPs all traffic on all iptables tables
       (mangle, nat, filter) and pre-defined chains (PREROUTING, INPUT, FORWARD, OUTPUT, POSTROUTING).

       DROPing is not done by changing the default policy to DROP, but by adding one rule per table/chain to
       drop all traffic. This allows systems whose startup scripts do not reset all chain policies to ACCEPT to
       continue to function correctly.

       When activating panic mode, Sanewall checks for the existence of the SSH_CLIENT shell environment
       variable, which is set by ssh. If it finds this, then panic mode will allow the established SSH
       connection specified in this variable to operate.

           Note

           In order for Sanewall to see the environment variable you must ensure that it is preserved. For sudo
           use the -E option and for su omit the - (minus sign).

       If SSH_CLIENT is not set, an IP address may be given after the panic argument; all established
       connections between that address and the host in panic will be allowed to continue.
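       The following POSIX shell script is an added illustration of the rule set described above; it is not
       sanewall's own code. It derives the peer address the same way sanewall does (SSH_CLIENT first, the
       explicit IP otherwise) and prints the iptables commands instead of executing them, so it can be run as
       any user to preview the effect. The per-table chain sets, the -m conntrack match and the decision to
       skip FORWARD are assumptions of this example; the SSH_CLIENT format ("client_ip client_port
       server_port") is what sshd sets for an interactive session. The sample addresses are constructed.

```shell
#!/bin/sh
# Added illustration of the PANIC rule set; not sanewall's own implementation.
# Prints the iptables commands instead of running them.

# Peer whose established connections survive panic mode.
#   $1: IP given on the command line (may be empty)
#   $2: SSH_CLIENT value to use; defaults to the environment variable, which sshd
#       sets to "client_ip client_port server_port" for an interactive session.
# SSH_CLIENT takes precedence over the explicit IP, as described above, so the
# variable must survive sudo (-E) or su (no "-") for the exception to apply.
panic_peer() {
    ip="$1"
    sc="${2-${SSH_CLIENT-}}"
    if [ -n "$sc" ]; then
        ip="${sc%% *}"          # first field is the client address
    fi
    printf '%s\n' "$ip"
}

# Emit the rules. Assumed chain sets per table follow iptables(8): nat has no
# FORWARD chain and filter has no PREROUTING/POSTROUTING.
panic_rules() {
    peer="$1"
    # Remove all rules and user-defined chains first.
    for table in mangle nat filter; do
        echo "iptables -t $table -F"
        echo "iptables -t $table -X"
    done
    for tc in mangle:PREROUTING mangle:INPUT mangle:FORWARD mangle:OUTPUT mangle:POSTROUTING \
              nat:PREROUTING nat:INPUT nat:OUTPUT nat:POSTROUTING \
              filter:INPUT filter:FORWARD filter:OUTPUT; do
        table="${tc%%:*}"
        chain="${tc#*:}"
        # The exception must precede the DROP in every chain the host's own traffic
        # crosses, including mangle PREROUTING; a DROP there alone would kill the
        # SSH session before filter INPUT is reached. FORWARD is skipped because only
        # connections terminating on this host are kept. In the nat table only the
        # first packet of a connection is seen, so the ESTABLISHED rule is moot but
        # harmless there.
        if [ -n "$peer" ] && [ "$chain" != FORWARD ]; then
            case "$chain" in
                PREROUTING|INPUT) dir="-s" ;;   # inbound: peer is the source
                *)                dir="-d" ;;   # outbound: peer is the destination
            esac
            echo "iptables -t $table -A $chain $dir $peer -m conntrack --ctstate ESTABLISHED -j ACCEPT"
        fi
        # One explicit DROP rule per table/chain; default policies are left untouched.
        echo "iptables -t $table -A $chain -j DROP"
    done
}

# Stand-alone use: sh panic_preview.sh [IP]   (under "sudo -E" to keep SSH_CLIENT)
panic_rules "$(panic_peer "${1-}")"
```

       Pipe the output into sh only after checking that the ACCEPT line for your own session address is
       present; if it is missing, SSH_CLIENT was not preserved and the panic rules would cut the session.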

COMMANDS

       start, restart
           Activates the firewall configuration from /etc/sanewall/sanewall.conf.

           Use of the term restart is allowed for compatibility with common init implementations.

       try
           Activates the firewall, waiting for the user to type the word commit. If this word is not typed
           within 30 seconds, the previous firewall is restored.

       stop
           Stops a running iptables firewall by clearing all of the tables and chains and setting the default
           policies to ACCEPT. This will allow all traffic to pass unchecked.

       condrestart
           Starts the Sanewall firewall only if it is not already active. It does not detect a modified
           configuration file, only verifies that Sanewall has been started in the past and not stopped yet.

       status
           Shows the running firewall, using /sbin/iptables -nxvL | less.

       save
           Start the firewall and then save it using /sbin/iptables-save to /etc/sysconfig/iptables.

           The required kernel modules are saved to an executable shell script
           /var/spool/sanewall/last_save_modules.sh, which can be called during boot if a firewall is to be
           restored.

               Note
               A firewall restored from the saved file after a reboot may not work as intended in cases where
               starting the firewall with Sanewall would, because the environment has changed in the meantime.

               This is because as part of starting a firewall, Sanewall checks some changeable values. For
               instance the current kernel configuration is checked (for client port ranges), and RPC servers
               are queried (to allow correct functioning of the NFS service).

       debug
           Parses the configuration file but instead of activating it, Sanewall shows the generated iptables
           statements.

       explain
           Enters an interactive mode where Sanewall accepts normal configuration commands and presents the
           generated iptables commands for each of them, together with some reasoning for its purpose.

           Additionally, Sanewall automatically generates a configuration script based on the successful
           commands given.

           Some extra commands are available in explain mode.

           help
               Present some help

           show
               Present the generated configuration

           quit
               Exit interactive mode and quit

       helpme, wizard
           Tries to guess the Sanewall configuration needed for the current machine.

           Sanewall will not stop or alter the running firewall. The configuration file is written to the
           standard output of sanewall, so sanewall helpme > /tmp/sanewall.conf will produce the output in
           /tmp/sanewall.conf.

           The generated Sanewall configuration must be edited before use on your systems. You are required to
           take a number of decisions; the comments in the generated file will instruct you in the choices you
           must make.

COMPATIBILITY

       Sanewall should be largely compatible with all existing FireHOL configurations.

       If you are using any variable starting "FIREHOL_" in your configuration, you will need to rename it to
       "SANEWALL_". See control variables: sanewall-variables(5) for a list of all variables used to control
       Sanewall.

       In addition the default values of SANEWALL_*_ACTIVATION_POLICY, for each of INPUT, OUTPUT and FORWARD
       have been changed to DROP. See the entries under control variables: sanewall-variables(5) for details and
       how to obtain the original behaviour.

FILES

           /etc/sanewall/sanewall.conf

SEE ALSO

           Sanewall configuration: sanewall.conf(5)
           control variables: sanewall-variables(5)
           Sanewall Manual: sanewall-manual.pdf
           Sanewall Online Documentation[2]

AUTHORS

       Sanewall Team

       Sanewall is heavily based on FireHOL by Costa Tsaousis
       Original man page by Marc Brockschmidt

COPYRIGHT

NOTES

        1. FireHOL
           http://firehol.sourceforge.net/

        2. Sanewall Online Documentation
           http://www.sanewall.org/

Sanewall 1.0.2                                  Built 01 Jun 2013                        SANEWALL PROGRAM: SA(1)