Provided by: sanewall_1.0.2+ds-2_all

NAME

       sanewall - an easy to use but powerful iptables stateful firewall

SYNOPSIS

       sanewall

       sudo -E sanewall panic [IP]

       sanewall command [-- conf-arg...]

       sanewall CONFIGFILE [start | debug | try] [-- conf-arg...]

DESCRIPTION

       Running sanewall invokes iptables(8) to manipulate your firewall.

       Run without any arguments, sanewall will present some help on usage.

       When given CONFIGFILE, sanewall will use the named file instead of
       /etc/sanewall/sanewall.conf as its configuration. If no command is given, sanewall assumes
       try.

       It is possible to pass arguments for use by the configuration file separating any conf-arg
       values from the rest of the arguments with --. The arguments are accessible in the
       configuration using standard bash(1) syntax e.g. $1, $2, etc.

       Sanewall is a fork of FireHOL[1]. Existing FireHOL configurations should be compatible
       with Sanewall, but please see the section called “COMPATIBILITY” for any differences in
       behaviour.

PANIC

       To block all communication, invoke sanewall with the panic command.

       Sanewall removes all rules from the running firewall and then DROPs all traffic on all
       iptables tables (mangle, nat, filter) and pre-defined chains (PREROUTING, INPUT, FORWARD,
       OUTPUT, POSTROUTING).

       DROPing is not done by changing the default policy to DROP, but by adding one rule per
       table/chain that drops all traffic. This allows systems which do not reset all the chains
       to ACCEPT when starting to still function correctly.

       When activating panic mode, Sanewall checks for the existence of the SSH_CLIENT shell
       environment variable, which is set by ssh. If it finds this, then panic mode will allow
       the established SSH connection specified in this variable to operate.

           Note
           In order for Sanewall to see the environment variable you must ensure that it is
           preserved. For sudo use the -E and for su omit the - (minus sign).

       If SSH_CLIENT is not set, the optional IP after the panic argument lets you give an IP
       address for which all established connections between that address and the host in panic
       will be allowed to continue.
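       The sequence described above, written out as an added dry-run example (not sanewall's own
       code): the function prints the iptables commands panic mode would issue instead of running
       them, so the result can be reviewed before the real command is used. The per-table chain
       lists, the conntrack ESTABLISHED match, and placing the ACCEPT for the kept host in every
       chain its packets traverse are this example's assumptions, not sanewall's exact rules.

```shell
#!/bin/sh
# Dry-run model of what "sanewall panic [IP]" installs: print the iptables
# commands instead of executing them so the result can be reviewed first.
# Example code, not sanewall's own implementation.

# Built-in chains of each table (assumed standard iptables layout).
chains_for() {
    case "$1" in
        mangle) echo "PREROUTING INPUT FORWARD OUTPUT POSTROUTING" ;;
        nat)    echo "PREROUTING INPUT OUTPUT POSTROUTING" ;;
        filter) echo "INPUT FORWARD OUTPUT" ;;
    esac
}

# $1: value of SSH_CLIENT ("client_ip client_port server_port"), may be empty
# $2: IP given after "panic" on the command line, used only if $1 is empty
panic_rules() {
    keep=""
    if [ -n "$1" ]; then
        keep="${1%% *}"            # first field of SSH_CLIENT is the client IP
    elif [ -n "$2" ]; then
        keep="$2"
    else
        echo "warning: no SSH_CLIENT and no IP given; every session will be cut" >&2
    fi

    # 1. Remove all existing rules and user-defined chains; policies are left alone.
    for t in mangle nat filter; do
        echo "iptables -t $t -F"
        echo "iptables -t $t -X"
    done

    # 2. Per table/chain: first let the kept host's ESTABLISHED traffic through
    #    (it must precede the DROP in every chain the packet traverses), then add
    #    the explicit DROP rule that blocks everything else.
    for t in mangle nat filter; do
        for c in $(chains_for "$t"); do
            if [ -n "$keep" ]; then
                case "$c" in
                    PREROUTING|INPUT)
                        echo "iptables -t $t -A $c -s $keep -m conntrack --ctstate ESTABLISHED -j ACCEPT" ;;
                    OUTPUT|POSTROUTING)
                        echo "iptables -t $t -A $c -d $keep -m conntrack --ctstate ESTABLISHED -j ACCEPT" ;;
                esac
            fi
            echo "iptables -t $t -A $c -j DROP"
        done
    done
}

# Review what panic mode would do for an SSH session (constructed SSH_CLIENT
# value; on a real host pass "${SSH_CLIENT}" instead).
panic_rules "192.0.2.10 51234 22" ""
```

       Running it with an empty first argument and no IP prints only flush and DROP commands, which
       is exactly the case the Note above warns about when sudo or su discards SSH_CLIENT.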

COMMANDS

       start, restart
           Activates the firewall configuration from /etc/sanewall/sanewall.conf.

           Use of the term restart is allowed for compatibility with common init implementations.

       try
           Activates the firewall, waiting for the user to type the word commit. If this word is
           not typed within 30 seconds, the previous firewall is restored.

       stop
           Stops a running iptables firewall by clearing all of the tables and chains and setting
           the default policies to ACCEPT. This will allow all traffic to pass unchecked.

       condrestart
           Starts the Sanewall firewall only if it is not already active. It does not detect a
           modified configuration file, only verifies that Sanewall has been started in the past
           and not stopped yet.

       status
           Shows the running firewall, using /sbin/iptables -nxvL | less.

       save
           Starts the firewall and then saves it using /sbin/iptables-save to
           /etc/sysconfig/iptables.

           The required kernel modules are saved to an executable shell script
           /var/spool/sanewall/last_save_modules.sh, which can be called during boot if a
           firewall is to be restored.

               Note
               External changes may cause a firewall restored after a reboot to not work as
               intended, even though starting the firewall with Sanewall would work.

               This is because as part of starting a firewall, Sanewall checks some changeable
               values. For instance the current kernel configuration is checked (for client port
               ranges), and RPC servers are queried (to allow correct functioning of the NFS
               service).

       debug
           Parses the configuration file but instead of activating it, Sanewall shows the
           generated iptables statements.

       explain
           Enters an interactive mode where Sanewall accepts normal configuration commands and
           presents the generated iptables commands for each of them, together with some
           reasoning for its purpose.

           Additionally, Sanewall automatically generates a configuration script based on the
           successful commands given.

           Some extra commands are available in explain mode.

           help
               Present some help

           show
               Present the generated configuration

           quit
               Exit interactive mode and quit

       helpme, wizard
           Tries to guess the Sanewall configuration needed for the current machine.

           Sanewall will not stop or alter the running firewall. The configuration file is written
           to the standard output of Sanewall, so sanewall helpme > /tmp/sanewall.conf will
           produce the output in /tmp/sanewall.conf.

           The generated Sanewall configuration must be edited before use on your systems. You
           are required to take a number of decisions; the comments in the generated file will
           instruct you in the choices you must make.

COMPATIBILITY

       Sanewall should be largely compatible with all existing FireHOL configurations.

       If you are using any variable starting "FIREHOL_" in your configuration, you will need to
       rename it to "SANEWALL_". See control variables: sanewall-variables(5) for a list of all
       variables used to control Sanewall.

       In addition, the default values of SANEWALL_*_ACTIVATION_POLICY for each of INPUT, OUTPUT
       and FORWARD have been changed to DROP. See the entries under control variables:
       sanewall-variables(5) for details and how to obtain the original behaviour.

FILES

           /etc/sanewall/sanewall.conf

SEE ALSO

           Sanewall configuration: sanewall.conf(5)
           control variables: sanewall-variables(5)
           Sanewall Manual: sanewall-manual.pdf
           Sanewall Online Documentation[2]

AUTHORS

       Sanewall Team

       Sanewall is heavily based on FireHOL by Costa Tsaousis.
       Original man page by Marc Brockschmidt

COPYRIGHT

NOTES

        1. FireHOL
           http://firehol.sourceforge.net/

        2. Sanewall Online Documentation
           http://www.sanewall.org/