SHOREWALL(8)                    [FIXME: manual]                    SHOREWALL(8)

NAME
    shorewall - Administration tool for Shoreline Firewall (Shorewall)

SYNOPSIS
    shorewall [trace|debug [nolock]] [-options] add
              interface[:host-list]... zone

    shorewall [trace|debug [nolock]] [-options] allow address

    shorewall [trace|debug] [-options] check [-e] [-d] [-p] [-r] [-T]
              [directory]

    shorewall [trace|debug [nolock]] [-options] clear [-f]

    shorewall [trace|debug] [-options] compile [-e] [-d] [-p] [-T]
              [directory] [pathname]

    shorewall [trace|debug [nolock]] [-options] delete
              interface[:host-list]... zone

    shorewall [trace|debug [nolock]] [-options] drop address

    shorewall [trace|debug] [-options] dump [-x] [-l] [-m]

    shorewall [trace|debug [nolock]] [-options] export [directory1]
              [user@]system[:directory2]

    shorewall [trace|debug [nolock]] [-options] forget [filename]

    shorewall [trace|debug] [-options] help

    shorewall [trace|debug] [-options] hits [-t]

    shorewall [trace|debug] [-options] ipcalc {address mask | address/vlsm}

    shorewall [trace|debug] [-options] iprange address1-address2

    shorewall [trace|debug] [-options] iptrace iptables match expression

    shorewall [trace|debug] [-options] load [-s] [-c] [-r root-user-name]
              [directory] system

    shorewall [trace|debug [nolock]] [-options] logdrop address

    shorewall [trace|debug] [-options] logwatch [-m] [refresh-interval]

    shorewall [trace|debug [nolock]] [-options] logreject address

    shorewall [trace|debug] [-options] noiptrace iptables match expression

    shorewall [trace|debug [nolock]] [-options] refresh [chain...]

    shorewall [trace|debug [nolock]] [-options] reject address

    shorewall [trace|debug] [-options] reload [-s] [-c] [-r root-user-name]
              [directory] system

    shorewall [trace|debug [nolock]] [-options] reset

    shorewall [trace|debug [nolock]] [-options] restart [-n] [-p [-d]] [-f]
              [-c] [directory]

    shorewall [trace|debug [nolock]] [-options] restore [filename]

    shorewall [trace|debug [nolock]] [-options] safe-restart [-d] [-p]
              [directory]

    shorewall [trace|debug] [-options] safe-start [-d] [-p] [directory]

    shorewall [trace|debug [nolock]] [-options] save [filename]

    shorewall [trace|debug] [-options] show [-x] [-l]
              [-t {filter|mangle|nat|raw|rawpost}] [[chain] chain...]

    shorewall [trace|debug] [-options] show [-f] capabilities

    shorewall [trace|debug] [-options] show
              {actions|classifiers|connections|config|filters|ip|ipa|macros|zones}

    shorewall [trace|debug] [-options] show macro macro

    shorewall [trace|debug] [-options] show [-x]
              {mangle|nat|routing|raw|rawpost}

    shorewall [trace|debug] [-options] show policies

    shorewall [trace|debug] [-options] show tc

    shorewall [trace|debug] [-options] show [-m] log

    shorewall [trace|debug [nolock]] [-options] start [-n] [-f] [-p] [-c]
              [directory]

    shorewall [trace|debug [nolock]] [-options] stop [-f]

    shorewall [trace|debug] [-options] status

    shorewall [trace|debug [nolock]] [-options] try directory [timeout]

    shorewall [trace|debug] [-options] update [-e] [-d] [-p] [-r] [-T] [-a]
              [directory]

    shorewall [trace|debug] [-options] version [-a]

DESCRIPTION
    The shorewall utility is used to control the Shoreline Firewall
    (Shorewall).

OPTIONS
    The trace and debug options are used for debugging. See
    http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace.

    The nolock option prevents the command from attempting to acquire the
    Shorewall lockfile. It is useful if you need to include shorewall
    commands in /etc/shorewall/started.

    The options control the amount of output that the command produces.
    They consist of a sequence of the letters v and q. If the options are
    omitted, the amount of output is determined by the setting of the
    VERBOSITY parameter in shorewall.conf[1](5). Each v adds one to the
    effective VERBOSITY and each q subtracts one from the effective
    VERBOSITY. Alternately, v may be followed immediately by one of
    -1, 0, 1 or 2 to specify a specific VERBOSITY. There may be no white
    space between v and the VERBOSITY.

    The options may also include the letter t, which causes all progress
    messages to be timestamped.

COMMANDS
    The available commands are listed below.

    add
        Adds a list of hosts or subnets to a dynamic zone, usually used
        with VPNs.

        The interface argument names an interface defined in the
        shorewall-interfaces[2](5) file. A host-list is a comma-separated
        list whose elements are host or network addresses.

        Caution
            The add command is not very robust. If there are errors in
            the host-list, you may see a large number of error messages,
            yet a subsequent shorewall show zones command will indicate
            that all hosts were added. If this happens, replace add by
            delete and run the same command again. Then enter the
            correct command.

    allow
        Re-enables receipt of packets from hosts previously blacklisted by
        a drop, logdrop, reject, or logreject command.

    check
        Compiles the configuration in the specified directory and discards
        the compiled output script. If no directory is given, then
        /etc/shorewall is assumed.

        The -e option causes the compiler to look for a file named
        capabilities. This file is produced using the command
        shorewall-lite show -f capabilities > capabilities on a system with
        Shorewall Lite installed.

        The -d option causes the compiler to be run under control of the
        Perl debugger.

        The -p option causes the compiler to be profiled via the Perl
        -wd:DProf command-line option.

        The -r option was added in Shorewall 4.5.2 and causes the compiler
        to print the generated ruleset to standard out.

        The -T option was added in Shorewall 4.4.20 and causes a Perl stack
        trace to be included with each compiler-generated error and warning
        message.

    clear
        Clear will remove all rules and chains installed by Shorewall. The
        firewall is then wide open and unprotected. Existing connections
        are untouched. Clear is often used to see if the firewall is
        causing connection problems.

        If -f is given, the command will be processed by the compiled
        script that executed the last successful start, restart or refresh
        command if that script exists.

    compile
        Compiles the current configuration into the executable file
        pathname. If a directory is supplied, Shorewall will look in that
        directory first for configuration files. If the pathname is
        omitted, the file firewall in the VARDIR (normally
        /var/lib/shorewall/) is assumed. A pathname of '-' causes the
        compiler to send the generated script to its standard output file.
        Note that '-v-1' is usually specified in this case (e.g., shorewall
        -v-1 compile -- -) to suppress the 'Compiling...' message normally
        generated by /sbin/shorewall.

        When -e is specified, the compilation is being performed on a
        system other than where the compiled script will run. This option
        disables certain configuration options that require the script to
        be compiled where it is to be run. The use of -e requires the
        presence of a configuration file named capabilities which may be
        produced using the command shorewall-lite show -f capabilities >
        capabilities on a system with Shorewall Lite installed.

        The -d option causes the compiler to be run under control of the
        Perl debugger.

        The -p option causes the compiler to be profiled via the Perl
        -wd:DProf command-line option.

        The -T option was added in Shorewall 4.4.20 and causes a Perl stack
        trace to be included with each compiler-generated error and warning
        message.

    delete
        The delete command reverses the effect of an earlier add command.

        The interface argument names an interface defined in the
        shorewall-interfaces[2](5) file. A host-list is a comma-separated
        list whose elements are host or network addresses.

    drop
        Causes traffic from the listed addresses to be silently dropped.

    dump
        Produces a verbose report about the firewall configuration for the
        purpose of problem analysis.

        The -x option causes actual packet and byte counts to be displayed.
        Without that option, these counts are abbreviated. The -m option
        causes any MAC addresses included in Shorewall log messages to be
        displayed.

        The -l option causes the rule number for each Netfilter rule to be
        displayed.

    export
        If directory1 is omitted, the current working directory is assumed.

        Allows a non-root user to compile a shorewall script and stage it
        on a system (provided that the user has access to the system via
        ssh). The command is equivalent to:

            /sbin/shorewall compile -e directory1 directory1/firewall &&\
            scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]

        In other words, the configuration in the specified (or defaulted)
        directory is compiled to a file called firewall in that directory.
        If compilation succeeds, then firewall and firewall.conf are copied
        to system using scp.

    forget
        Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If
        no filename is given then the file specified by RESTOREFILE in
        shorewall.conf[1](5) is assumed.

    help
        Displays a syntax summary.

    hits
        Generates several reports from Shorewall log messages in the
        current log file. If the -t option is included, the reports are
        restricted to log messages generated today.

    ipcalc
        Ipcalc displays the network address, broadcast address, network in
        CIDR notation and netmask corresponding to the input[s].

    iprange
        Iprange decomposes the specified range of IP addresses into the
        equivalent list of network/host addresses.

    iptrace
        This is a low-level debugging command that causes iptables TRACE
        log records to be created. See iptables(8) for details.

        The iptables match expression must be one or more matches that may
        appear in both the raw table OUTPUT and raw table PREROUTING
        chains.

        The trace records are written to the kernel's log buffer with
        facility = kernel and priority = warning, and they are routed from
        there by your logging daemon (syslogd, rsyslog, syslog-ng, ...) --
        Shorewall has no control over where the messages go; consult your
        logging daemon's documentation.

    load
        If directory is omitted, the current working directory is assumed.
        Allows a non-root user to compile a shorewall script and install it
        on a system (provided that the user has root access to the system
        via ssh). The command is equivalent to:

            /sbin/shorewall compile -e directory directory/firewall &&\
            scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
            ssh root@system '/sbin/shorewall-lite start'

        In other words, the configuration in the specified (or defaulted)
        directory is compiled to a file called firewall in that directory.
        If compilation succeeds, then firewall is copied to system using
        scp. If the copy succeeds, Shorewall Lite on system is started via
        ssh.

        If -s is specified and the start command succeeds, then the remote
        Shorewall-lite configuration is saved by executing shorewall-lite
        save via ssh.

        If -c is included, the command shorewall-lite show capabilities -f
        > /var/lib/shorewall-lite/capabilities is executed via ssh, then the
        generated file is copied to directory using scp. This step is
        performed before the configuration is compiled.

        If -r is included, it specifies that the root user on system is
        named root-user-name rather than "root".

    logdrop
        Causes traffic from the listed addresses to be logged then
        discarded. Logging occurs at the log level specified by the
        BLACKLIST_LOGLEVEL setting in shorewall.conf[1](5).

    logwatch
        Monitors the log file specified by the LOGFILE option in
        shorewall.conf[1](5) and produces an audible alarm when new
        Shorewall messages are logged. The -m option causes the MAC address
        of each packet source to be displayed if that information is
        available. The refresh-interval specifies the time in seconds
        between screen refreshes. You can enter a negative number by
        preceding the number with "--" (e.g., shorewall logwatch -- -30).
        In this case, when a packet count changes, you will be prompted to
        hit any key to resume screen refreshes.

    logreject
        Causes traffic from the listed addresses to be logged then
        rejected. Logging occurs at the log level specified by the
        BLACKLIST_LOGLEVEL setting in shorewall.conf[1](5).

    noiptrace
        This is a low-level debugging command that cancels a trace started
        by a preceding iptrace command.

        The iptables match expression must be the one given in the iptrace
        command being cancelled.

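    Because noiptrace must be given exactly the match expression that was
    passed to iptrace, and a forgotten TRACE rule keeps writing a kernel
    log record for every matching packet, the following added example
    (not part of this man page or of the Shorewall project) wraps the two
    commands so that the trace is always removed, even on Ctrl-C. The
    SHOREWALL path, the function names trace_for and stop_trace, and the
    sample match expression in the comments are assumptions.

```sh
#!/bin/sh
# Added example, not from the shorewall man page or project: run an
# iptables TRACE for a bounded time and guarantee that the matching
# "shorewall noiptrace" is issued afterwards, even if the operator
# interrupts the wait. The man page requires that noiptrace receive
# the expression given to iptrace, so it is kept in one variable and
# reused verbatim by both commands.

SHOREWALL=${SHOREWALL:-/sbin/shorewall}   # assumed path; stubbed in tests
TRACE_EXPR=                               # expression of the active trace

# stop_trace: remove the active trace, if any. Idempotent, so it is
# safe to call both explicitly and from the EXIT trap.
stop_trace() {
    if [ -n "$TRACE_EXPR" ]; then
        # word splitting of TRACE_EXPR back into arguments is intended
        "$SHOREWALL" noiptrace $TRACE_EXPR
        TRACE_EXPR=
    fi
}

# trace_for SECONDS MATCH...
#   e.g. trace_for 30 -p tcp --dport 22 -s 192.0.2.7   (constructed)
# Installs the trace with "shorewall iptrace", waits SECONDS, then
# removes it. The traps cover Ctrl-C/TERM and any early exit. The TRACE
# records land in the kernel log buffer; where your logging daemon
# puts them is outside Shorewall's control (dmesg is a common place).
trace_for() {
    secs=$1
    shift
    if [ $# -eq 0 ]; then
        echo "trace_for: missing iptables match expression" >&2
        return 2
    fi
    TRACE_EXPR=$*
    "$SHOREWALL" iptrace $TRACE_EXPR || { TRACE_EXPR=; return 1; }
    trap stop_trace EXIT
    trap 'stop_trace; exit 130' INT TERM
    sleep "$secs"
    stop_trace
    trap - EXIT INT TERM
    return 0
}

# Stand-alone use: ./trace_for.sh SECONDS MATCH...
if [ $# -gt 0 ]; then
    trace_for "$@"
fi
```
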
    refresh
        All steps performed by restart are performed by refresh with the
        exception that refresh only recreates the chains specified in the
        command while restart recreates the entire Netfilter ruleset. If no
        chain is given, the static blacklisting chain blacklst is assumed.

        The listed chains are assumed to be in the filter table. You can
        refresh chains in other tables by prefixing the chain name with the
        table name followed by ":" (e.g., nat:net_dnat). Chain names which
        follow are assumed to be in that table until the end of the list or
        until an entry in the list names another table. Built-in chains
        such as FORWARD may not be refreshed.

        Example:

            shorewall refresh net2fw nat:net_dnat
                # Refresh the 'net2fw' chain in the filter table and the
                # 'net_dnat' chain in the nat table

        The refresh command has slightly different behavior when no chain
        name is given: the mangle table is refreshed along with the
        blacklist chain (if any). This allows you to modify
        /etc/shorewall/tcrules and install the changes using refresh.

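    As an added example (not part of this man page or of the Shorewall
    project), the following shell functions apply the table-prefix rules
    just described to a refresh argument list, so that a script can
    validate the list before handing it to shorewall refresh. The table
    names are the ones this page lists for show -t; the built-in chain
    list is the standard Netfilter set and, like the SHOREWALL path and
    the function names, is an assumption.

```sh
#!/bin/sh
# Added example, not from the shorewall man page or project: resolve
# the chain list accepted by "shorewall refresh" into explicit
# "table chain" pairs, applying the rules stated in the man page:
#   - a bare chain name is in the filter table;
#   - "table:chain" switches the table for that chain and for every
#     chain that follows it, until another "table:" prefix appears;
#   - built-in chains may not be refreshed.
# VALID_TABLES are the tables this page names for "show -t"; the
# built-in chain list is the standard Netfilter set (an assumption).

SHOREWALL=${SHOREWALL:-/sbin/shorewall}   # assumed path; stubbed in tests
VALID_TABLES="filter mangle nat raw rawpost"
BUILTIN_CHAINS="INPUT OUTPUT FORWARD PREROUTING POSTROUTING"

# in_list NEEDLE WORD...  -> returns 0 if NEEDLE equals one of WORD...
in_list() {
    needle=$1
    shift
    for word in "$@"; do
        [ "$word" = "$needle" ] && return 0
    done
    return 1
}

# resolve_refresh_chains ENTRY...  -> prints "table chain" per entry and
# returns 1 at the first invalid entry (nothing is printed for it).
resolve_refresh_chains() {
    table=filter
    for entry in "$@"; do
        case $entry in
            *:*) table=${entry%%:*}
                 chain=${entry#*:} ;;
            *)   chain=$entry ;;
        esac
        # word splitting of the list variables is intended
        if ! in_list "$table" $VALID_TABLES; then
            echo "refresh: unknown table '$table' in '$entry'" >&2
            return 1
        fi
        if [ -z "$chain" ]; then
            echo "refresh: missing chain name in '$entry'" >&2
            return 1
        fi
        if in_list "$chain" $BUILTIN_CHAINS; then
            echo "refresh: built-in chain '$chain' may not be refreshed" >&2
            return 1
        fi
        printf '%s %s\n' "$table" "$chain"
    done
}

# refresh_checked ENTRY...  -> validates the list, then runs the real
# command with the arguments untouched.
refresh_checked() {
    resolve_refresh_chains "$@" >/dev/null || return 1
    "$SHOREWALL" refresh "$@"
}

# Stand-alone use: ./refresh_checked.sh net2fw nat:net_dnat
if [ $# -gt 0 ]; then
    refresh_checked "$@"
fi
```
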
    reload
        If directory is omitted, the current working directory is assumed.
        Allows a non-root user to compile a shorewall script and install it
        on a system (provided that the user has root access to the system
        via ssh). The command is equivalent to:

            /sbin/shorewall compile -e directory directory/firewall &&\
            scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
            ssh root@system '/sbin/shorewall-lite restart'

        In other words, the configuration in the specified (or defaulted)
        directory is compiled to a file called firewall in that directory.
        If compilation succeeds, then firewall is copied to system using
        scp. If the copy succeeds, Shorewall Lite on system is restarted
        via ssh.

        If -s is specified and the restart command succeeds, then the
        remote Shorewall-lite configuration is saved by executing
        shorewall-lite save via ssh.

        If -c is included, the command shorewall-lite show capabilities -f
        > /var/lib/shorewall-lite/capabilities is executed via ssh, then the
        generated file is copied to directory using scp. This step is
        performed before the configuration is compiled.

        If -r is included, it specifies that the root user on system is
        named root-user-name rather than "root".

    reset
        All the packet and byte counters in the firewall are reset.

    restart
        Restart is similar to shorewall start except that it assumes that
        the firewall is already started. Existing connections are
        maintained. If a directory is included in the command, Shorewall
        will look in that directory first for configuration files.

        The -n option causes Shorewall to avoid updating the routing
        table(s).

        The -p option causes the connection tracking table to be flushed;
        the conntrack utility must be installed to use this option.

        The -d option causes the compiler to run under the Perl debugger.

        The -f option suppresses the compilation step and simply reuses the
        compiled script which last started/restarted Shorewall, provided
        that /etc/shorewall and its contents have not been modified since
        the last start/restart.

        The -c option was added in Shorewall 4.4.20 and performs the
        compilation step unconditionally, overriding the AUTOMAKE setting
        in shorewall.conf[1](5). When both -f and -c are present, the result
        is determined by the option that appears last.

    restore
        Restore Shorewall to a state saved using the shorewall save
        command. Existing connections are maintained. The filename names a
        restore file in /var/lib/shorewall created using shorewall save; if
        no filename is given then Shorewall will be restored from the file
        specified by the RESTOREFILE option in shorewall.conf[1](5).

    safe-restart
        Only allowed if Shorewall is running. The current configuration is
        saved in /var/lib/shorewall/safe-restart (see the save command
        below) then a shorewall restart is done. You will then be prompted
        asking if you want to accept the new configuration or not. If you
        answer "n" or if you fail to answer within 60 seconds (such as when
        your new configuration has disabled communication with your
        terminal), the configuration is restored from the saved
        configuration. If a directory is given, then Shorewall will look in
        that directory first when opening configuration files.

    safe-start
        Shorewall is started normally. You will then be prompted asking if
        everything went all right. If you answer "n" or if you fail to
        answer within 60 seconds (such as when your new configuration has
        disabled communication with your terminal), a shorewall clear is
        performed for you. If a directory is given, then Shorewall will
        look in that directory first when opening configuration files.

    save
        The dynamic blacklist is stored in /var/lib/shorewall/save. The
        state of the firewall is stored in /var/lib/shorewall/filename for
        use by the shorewall restore and shorewall -f start commands. If
        filename is not given then the state is saved in the file specified
        by the RESTOREFILE option in shorewall.conf[1](5).

    show
        The show command can have a number of different arguments:

        actions
            Produces a report about the available actions (built-in,
            standard and user-defined).

        capabilities
            Displays your kernel/iptables capabilities. The -f option
            causes the display to be formatted as a capabilities file for
            use with compile -e.

        [ [ chain ] chain... ]
            The rules in each chain are displayed using the iptables -L
            chain -n -v command. If no chain is given, all of the chains in
            the filter table are displayed. The -x option is passed
            directly through to iptables and causes actual packet and byte
            counts to be displayed. Without this option, those counts are
            abbreviated. The -t option specifies the Netfilter table to
            display. The default is filter.

            The -l option causes the rule number for each Netfilter rule to
            be displayed.

            If the -t option and the chain keyword are both omitted and any
            of the listed chains do not exist, a usage message is
            displayed.

        classifiers|filters
            Displays information about the packet classifiers defined on
            the system as a result of traffic shaping configuration.

        config
            Displays distribution-specific defaults.

        connections
            Displays the IP connections currently being tracked by the
            firewall.

        ip
            Displays the system's IPv4 configuration.

        ipa
            Added in Shorewall 4.4.17. Displays the per-IP accounting
            counters (shorewall-accounting[3](5)).

        log
            Displays the last 20 Shorewall messages from the log file
            specified by the LOGFILE option in shorewall.conf[1](5). The -m
            option causes the MAC address of each packet source to be
            displayed if that information is available.

        macros
            Displays information about each macro defined on the firewall
            system.

        macro
            Added in Shorewall 4.4.6. Displays the file that implements the
            specified macro (usually /usr/share/shorewall/macro.macro).

        mangle
            Displays the Netfilter mangle table using the command iptables
            -t mangle -L -n -v. The -x option is passed directly through to
            iptables and causes actual packet and byte counts to be
            displayed. Without this option, those counts are abbreviated.

        nat
            Displays the Netfilter nat table using the command iptables -t
            nat -L -n -v. The -x option is passed directly through to
            iptables and causes actual packet and byte counts to be
            displayed. Without this option, those counts are abbreviated.

        policies
            Added in Shorewall 4.4.4. Displays the applicable policy
            between each pair of zones. Note that implicit intrazone ACCEPT
            policies are not displayed for zones associated with a single
            network where that network doesn't specify routeback.

        routing
            Displays the system's IPv4 routing configuration.

        raw
            Displays the Netfilter raw table using the command iptables -t
            raw -L -n -v. The -x option is passed directly through to
            iptables and causes actual packet and byte counts to be
            displayed. Without this option, those counts are abbreviated.

        tc
            Displays information about queuing disciplines, classes and
            filters.

        zones
            Displays the current composition of the Shorewall zones on the
            system.

    start
        Start shorewall. Existing connections through shorewall-managed
        interfaces are untouched. New connections will be allowed only if
        they are allowed by the firewall rules or policies. If a directory
        is included in the command, Shorewall will look in that directory
        first for configuration files. If -f is specified, the saved
        configuration specified by the RESTOREFILE option in
        shorewall.conf[1](5) will be restored if that saved configuration
        exists and has been modified more recently than the files in
        /etc/shorewall. When -f is given, a directory may not be specified.

        Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
        added to shorewall.conf[1](5). When LEGACY_FASTSTART=No, the
        modification times of files in /etc/shorewall are compared with
        that of /var/lib/shorewall/firewall (the compiled script that last
        started/restarted the firewall).

        The -n option causes Shorewall to avoid updating the routing
        table(s).

        The -p option causes the connection tracking table to be flushed;
        the conntrack utility must be installed to use this option.

        The -c option was added in Shorewall 4.4.20 and performs the
        compilation step unconditionally, overriding the AUTOMAKE setting
        in shorewall.conf[1](5). When both -f and -c are present, the result
        is determined by the option that appears last.

    stop
        Stops the firewall. All existing connections, except those listed
        in shorewall-routestopped[4](5) or permitted by the
        ADMINISABSENTMINDED option in shorewall.conf[1](5), are taken down.
        The only new traffic permitted through the firewall is from systems
        listed in shorewall-routestopped[4](5) or by ADMINISABSENTMINDED.

        If -f is given, the command will be processed by the compiled
        script that executed the last successful start, restart or refresh
        command if that script exists.

    status
        Produces a short report about the state of the Shorewall-configured
        firewall.

    try
        If Shorewall is started then the firewall state is saved to a
        temporary saved configuration (/var/lib/shorewall/.try). Next, if
        Shorewall is currently started then a restart command is issued;
        otherwise, a start command is performed. If an error occurs during
        the compilation phase of the restart or start, the command
        terminates without changing the Shorewall state. If an error occurs
        during the restart phase, then a shorewall restore is performed
        using the saved configuration. If an error occurs during the start
        phase, then Shorewall is cleared. If the start/restart succeeds and
        a timeout is specified then a clear or restore is performed after
        timeout seconds.

    update
        Added in Shorewall 4.4.21 and causes the compiler to update
        /etc/shorewall/shorewall.conf then validate the configuration. The
        update will add options not present in the old file with their
        default values, and will move deprecated options with non-defaults
        to a deprecated options section at the bottom of the file. Your
        existing shorewall.conf file is renamed shorewall.conf.bak.

        The -a option causes the updated shorewall.conf file to be
        annotated with documentation.

        For a description of the other options, see the check command
        above.

    version
        Displays Shorewall's version. The -a option is included for
        compatibility with earlier Shorewall releases and is ignored.

FILES
    /etc/shorewall/

SEE ALSO
    http://www.shorewall.net/starting_and_stopping_shorewall.htm

    shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsets(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5),
    shorewall-rules(5), shorewall.conf(5), shorewall-secmarks(5),
    shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5),
    shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)

NOTES
     1. shorewall.conf
        http://www.shorewall.net/manpages/shorewall.conf.html

     2. shorewall-interfaces
        http://www.shorewall.net/manpages/shorewall-interfaces.html

     3. shorewall-accounting
        http://www.shorewall.net/manpages/manpages/shorewall-accounting.html

     4. shorewall-routestopped
        http://www.shorewall.net/manpages/shorewall-routestopped.html



[FIXME: source]                    09/16/2011                      SHOREWALL(8)