1SHOREWALL(8)                Administrative Commands               SHOREWALL(8)
2
3
4

NAME

6       shorewall - Administration tool for Shoreline Firewall (Shorewall)
7

SYNOPSIS

9       shorewall[6][-lite] [trace|debug [nolock]] [options] add {
10                           interface[:host-list]... zone | zone host-list }
11
12       shorewall[6][-lite] [trace|debug [nolock]] [options] allow address
13
14       shorewall[6][-lite] [trace|debug [nolock]] [options] blacklist
15                           address [option ...]
16
17       shorewall[6][-lite] [trace|debug [nolock]] [options] call
18                           function [parameter ...]
19
20       shorewall[6] [trace|debug] [options] [check | ck ]  [-e] [-d] [-p] [-r]
21                    [-T] [-i] [directory]
22
23       shorewall[6][-lite] [trace|debug [nolock]] [options] clear [-f]
24
25       shorewall[6][-lite] [trace|debug [nolock]] [options]
26                           close { open-number | sourcedest [protocol [ port ]]}
27
28       shorewall[6] [trace|debug] [options] [compile | co ]  [-e] [-c] [-d]
29                    [-p] [-T] [-i] [directory] [pathname]
30
31       shorewall[6][-lite] [trace|debug [nolock]] [options] delete {
32                           interface[:host-list]... zone | zone host-list }
33
34       shorewall[6][-lite] [trace|debug [nolock]] [options] disable
35                           { interface | provider }
36
37       shorewall[6][-lite] [trace|debug [nolock]] [options] drop address
38
39       shorewall[6][-lite] [trace|debug] [options] dump [-x] [-l] [-m] [-c]
40
41       shorewall[6][-lite] [trace|debug [nolock]] [options] enable
42                           { interface | provider }
43
44       shorewall[6] [trace|debug [nolock]] [options] export [directory1]
45                    [user@]system[:directory2]
46
47       shorewall[6][-lite] [trace|debug [nolock]] [options] forget [filename]
48
49       shorewall[6][-lite] [trace|debug] [options] help
50
51       shorewall[-lite] [trace|debug] [options] hits [-t]
52
53       shorewall[-lite] [trace|debug] [options] ipcalc {address mask |
54                        address/vlsm}
55
56       shorewall[-lite] [trace|debug] [options] iprange address1-address2
57
58       shorewall[6][-lite] [trace|debug] [options] iptrace
59                           iptables match expression
60
61       shorewall[6][-lite] [trace|debug [nolock]] [options] logdrop address
62
63       shorewall[6][-lite] [trace|debug] [options] logwatch [-m]
64                           [refresh-interval]
65
66       shorewall[6][-lite] [trace|debug [nolock]] [options] logreject address
67
68       shorewall[6][-lite] [trace|debug] [options] noiptrace
69                           iptables match expression
70
71       shorewall[6][-lite] [options] open source dest [ protocol [ port ] ]
72
73       shorewall[6][-lite] [trace|debug [nolock]] [options] reenable
74                           { interface | provider }
75
76       shorewall[6][-lite] [trace|debug [nolock]] [options] reject address
77
78       shorewall[6][-lite] [trace|debug [nolock]] [options] reload [-n]
79                           [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
80
81       shorewall[6] [trace|debug] [options] remote-getcaps [-s] [-R]
82                    [-r root-user-name] [-T] [-i] [[-D]directory] [system]
83
84       shorewall[6] [trace|debug] [options] remote-getrc [-s] [-c]
85                    [-r root-user-name] [-T] [-i] [[-D]directory] [system]
86
87       shorewall[6] [trace|debug] [options] remote-start [-s] [-c]
88                    [-r root-user-name] [-T] [-i] [[-D]directory] [system]
89
90       shorewall[6] [trace|debug] [options] remote-reload [-s] [-c]
91                    [-r root-user-name] [-T] [-i] [[-D]directory] [system]
92
93       shorewall[6] [trace|debug] [options] remote-restart [-s] [-c]
94                    [-r root-user-name] [-T] [-i] [[-D]directory] [system]
95
96       shorewall[6][-lite] [trace|debug [nolock]] [options] reset [chain ...]
97
98       shorewall[6][-lite] [trace|debug [nolock]] [options] restart [-n]
99                           [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
100
101       shorewall[6][-lite] [trace|debug [nolock]] [options]
102                           restore [-n] [-p] [-C]  [filename]
103
104       shorewall[6][-lite] [trace|debug [nolock]] [options] run command
105                           [parameter ...]
106
107       shorewall[6] [trace|debug [nolock]] [options] safe-restart [-d] [-p]
108                    [-t timeout] [directory]
109
110       shorewall[6] [trace|debug] [options] safe-start [-d] [-p] [-t timeout]
111                    [directory]
112
113       shorewall[6][-lite] [trace|debug [nolock]] [options] save [-C]
114                           [filename]
115
116       shorewall[6][-lite] [trace|debug [nolock]] [options] savesets
117
118       shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x]
119                           {bl|blacklists}
120
121       shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-b]
122                           [-x] [-l] [-t {filter|mangle|nat|raw}] [chain...]
123
124       shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-f]
125                           capabilities
126
127       shorewall[6] [options] {show | list | ls } [-f] {actions|macros}
128
129       shorewall[6] [trace|debug] [options] {show | list | ls } action action
130
131       shorewall[6][-lite] [trace|debug] [options] {show | list | ls }
132                           {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}
133
134       shorewall[6][-lite] [trace|debug] [options] {show | list | ls }
135                           event event
136
137       shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-c]
138                           routing
139
140       shorewall[6] [trace|debug] [options] {show | list | ls } macro macro
141
142       shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x]
143                           {mangle|nat|raw}
144
145       shorewall[6][-lite] [trace|debug] [options] {show | list | ls } saves
146
147       shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-m]
148                           log
149
150       shorewall[6][-lite] [trace|debug [nolock]] [options] start [-n] [-f]
151                           [-p] [-c] [-T [-i]] [-C] [directory]
152
153       shorewall[6][-lite] [trace|debug [nolock]] [options] stop [-f]
154
155       shorewall[6][-lite] [trace|debug] [options] status [-i]
156
157       shorewall[6] [trace|debug [nolock]] [options] try directory [timeout]
158
159       shorewall[6] [trace|debug] [options] update [-b] [-d] [-r] [-T] [-a]
160                    [-i] [-A] [directory]
161
162       shorewall[6][-lite] [trace|debug] [options] version [-a]
163

DESCRIPTION

165       Beginning with Shorewall 5.1.0, the shorewall utility is used to
166       control the Shoreline Firewall (Shorewall), Shorewall Firewall 6
167       (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall
168       Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under
169       four different names:
170
171       shorewall
172           Controls the Shorewall configuration when Shorewall is installed.
173           If Shorewall is not installed, the shorewall command controls
174           Shorewall-lite if it is installed. If neither Shorewall nor
175           Shorewall-lite is installed, the shorewall command controls
176           Shorewall6-lite if it is installed.
177
178       shorewall6
179           The shorewall6 command controls Shorewall6 when Shorewall6 is
180           installed.
181
182       shorewall-lite
183           The shorewall-lite command controls Shorewall-lite when
184           Shorewall-lite is installed.
185
186       shorewall6-lite
187           The shorewall6-lite command controls Shorewall6-lite when
188           Shorewall6-lite is installed.
189
190       Prior to Shorewall 5.1.0, these four commands were implemented as four
191       separate program, each of which controlled only a single firewall
192       package. This manpage serves to document both the Shorewall 5.1 and
193       Shorewall 5.0 CLI.
194

OPTIONS

196       The trace and debug options are used for debugging. See
197       http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace[1].
198
199       The nolock option prevents the command from attempting to acquire the
200       Shorewall lockfile. It is useful if you need to include shorewall
201       commands in /etc/shorewall/started.
202
203       Other options are:
204
205       -4
206           Added in Shorewall 5.1.0. Causes the command to operate on the
207           Shorewall configuration or the Shorewall-lite configuration. It is
208           the default when either of those products is installed and when the
209           command is shorewall or shorewall-lite.
210
211       -6
212           Added in Shorewall 5.1.0. Causes the command to operate on the
213           Shorewall6 or Shorewall6-lite configuration. It is the default when
214           only Shorewall6-lite is installed and when the command is
215           shorewall6 or shorewall6-lite.
216
217       -l
218           Added in Shorewall 5.1.0. Causes the command to operate on either
219           Shorewall-lite or Shorewall-6 lite and is the default when
220           Shorewall is not installed or when the command is shorewall-lite or
221           shorewall6-lite.
222
223           With all four firewall products (Shorewall, Shorewall6,
224           Shorewall-lite and Shorewall6-lite) installed, the following table
225           shows the correspondence between the name used to invoke the
226           command and the shorewall command with the above three options.
227
228           Table 1. All four products installed
229           The next table shows the correspondence when only Shorewall-lite
230           and Shorewall6-lite are installed.
231
232           Table 2. Only Shorewall-lite and Shorewall6-lite installed
233       -v[verbosity]
234           Alters the amount of output produced by the command. If neither the
235           -v nor -q option are specified, the amount of output is determined
236           by the VERBOSITY setting in shorewall.conf[2](5)
237           (shorewall6.conf[3](5)).
238
239           When no verbosity is specified, each instance of this option causes
240           1 to be added to the effective verbosity. When verbosity (-1,0,1 or
241           2) is given, the command is executed at the specified VERBOSITY.
242           There may be no white-space between -v and the verbosity.
243
244       -q
245           Alters the amount of output produced by the command. If neither the
246           -v nor -q option are specified, the amount of output is determined
247           by the VERBOSITY setting in shorewall.conf[2](5)
248           (shorewall6.conf[3](5)).
249
250           Each instance of this option causes 1 to be subtracted from the
251           effective verbosity.
252
253       -t
254           Causes all progress messages to be timestamped.
255

COMMANDS

257       The available commands are listed below.
258
259       add { interface[:host-list]... zone | zone host-list }
260           Adds a list of hosts or subnets to a dynamic zone usually used with
261           VPN's.
262
263           The interface argument names an interface defined in the
264           shorewall-interfaces[4](5) (shorewall6-interfaces[5](5))file. A
265           host-list is comma-separated list whose elements are host or
266           network addresses..if n .sp
267               Caution
268               The add command is not very robust. If there are errors in the
269               host-list, you may see a large number of error messages yet a
270               subsequent shorewall show zones command will indicate that all
271               hosts were added. If this happens, replace add by delete and
272               run the same command again. Then enter the correct command.
273
274           Beginning with Shorewall 4.5.9, the dynamic_shared zone option
275           (shorewall-zones[6](5),shorewall6-zones[7](5)) allows a single
276           ipset to handle entries for multiple interfaces. When that option
277           is specified for a zone, the add command has the alternative syntax
278           in which the zone name precedes the host-list.
279
280       allow address
281           Re-enables receipt of packets from hosts previously blacklisted by
282           a blacklist, drop, logdrop, reject, or logreject command.
283
284       blacklist address [ option ... ]
285           Added in Shorewall 5.0.8 and requires DYNAMIC_BLACKLIST=ipset.. in
286           shorewall.conf[2](5). Causes packets from the given host or network
287           address to be dropped, based on the setting of BLACKLIST in
288           shorewall.conf[2](5). The address along with any options are passed
289           to the ipset add command.
290
291           If the disconnect option is specified in the DYNAMIC_BLACKLISTING
292           setting, then the effective VERBOSITY determines the amount of
293           information displayed:
294
295           ·   If the effective verbosity is > 0, then a message giving the
296               number of conntrack flows deleted by the command is displayed.
297
298           ·   If the effective verbosity is > 1, then the conntrack table
299               entries deleted by the command are also displayed.
300
301       call function [ parameter ... ]
302           Added in Shorewall 4.6.10. Allows you to call a function in one of
303           the Shorewall libraries or in your compiled script. function must
304           name the shell function to be called. The listed parameters are
305           passed to the function.
306
307           The function is first searched for in lib.base, lib.common, lib.cli
308           and lib.cli-std. If it is not found, the call command is passed to
309           the generated script to be executed.
310
311       check [-e] [-d] [-p] [-r] [-T] [-i] [directory]
312           Not available with Shorewall[6]-lite.
313
314           Compiles the configuration in the specified directory and discards
315           the compiled output script. If no directory is given, then
316           /etc/shorewall is assumed.
317
318           The -e option causes the compiler to look for a file named
319           capabilities. This file is produced using the command
320           shorewall-lite show -f capabilities > capabilities on a system with
321           Shorewall Lite installed.
322
323           The -d option causes the compiler to be run under control of the
324           Perl debugger.
325
326           The -p option causes the compiler to be profiled via the Perl
327           -wd:DProf command-line option.
328
329           The -r option was added in Shorewall 4.5.2 and causes the compiler
330           to print the generated ruleset to standard out.
331
332           The -T option was added in Shorewall 4.4.20 and causes a Perl stack
333           trace to be included with each compiler-generated error and warning
334           message.
335
336           The -i option was added in Shorewall 4.6.0 and causes a warning
337           message to be issued if the current line contains alternative input
338           specifications following a semicolon (";"). Such lines will be
339           handled incorrectly if INLINE_MATCHES is set to Yes in
340           shorewall.conf[2](5) (shorewall6.conf[3](5)).
341
342       clear [-f]
343           Clear will remove all rules and chains installed by Shorewall. The
344           firewall is then wide open and unprotected. Existing connections
345           are untouched. Clear is often used to see if the firewall is
346           causing connection problems.
347
348           If -f is given, the command will be processed by the compiled
349           script that executed the last successful start, restart or reload
350           command if that script exists.
351
352       close { open-number | source dest [ protocol [ port ] ] }
353           Added in Shorewall 4.5.8. This command closes a temporary open
354           created by the open command. In the first form, an open-number
355           specifies the open to be closed. Open numbers are displayed in the
356           num column of the output of the shorewall show opens command.
357
358           When the second form of the command is used, the parameters must
359           match those given in the earlier open command.
360
361           This command requires that the firewall be in the started state and
362           that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
363
364       compile [-e] [-c] [-d] [-p] [-T] [-i] [ directory ] [ pathname ]
365           Not available with shorewall[6]-lite.
366
367           Compiles the current configuration into the executable file
368           pathname. If a directory is supplied, Shorewall will look in that
369           directory first for configuration files. If the pathname is
370           omitted, the file firewall in the VARDIR (normally
371           /var/lib/shorewall/) is assumed. A pathname of '-' causes the
372           compiler to send the generated script to it's standard output file.
373           Note that '-v-1' is usually specified in this case (e.g., shorewall
374           -v-1 compile -- -) to suppress the 'Compiling...' message normally
375           generated by /sbin/shorewall.
376
377           When -e is specified, the compilation is being performed on a
378           system other than where the compiled script will run. This option
379           disables certain configuration options that require the script to
380           be compiled where it is to be run. The use of -e requires the
381           presence of a configuration file named capabilities which may be
382           produced using the command shorewall-lite show -f capabilities >
383           capabilities on a system with Shorewall Lite installed
384
385           The -c option was added in Shorewall 4.5.17 and causes conditional
386           compilation of a script. The script specified by pathname (or
387           implied if pathname is omitted) is compiled if it doesn't exist or
388           if there is any file in the directory or in a directory on the
389           CONFIG_PATH that has a modification time later than the file to be
390           compiled. When no compilation is needed, a message is issued and an
391           exit status of zero is returned.
392
393           The -d option causes the compiler to be run under control of the
394           Perl debugger.
395
396           The -p option causes the compiler to be profiled via the Perl
397           -wd:DProf command-line option.
398
399           The -T option was added in Shorewall 4.4.20 and causes a Perl stack
400           trace to be included with each compiler-generated error and warning
401           message.
402
403           The -i option was added in Shorewall 4.6.0 and causes a warning
404           message to be issued if the current line contains alternative input
405           specifications following a semicolon (";"). Such lines will be
406           handled incorrectly if INLINE_MATCHES is set to Yes in
407           shorewall.conf[2](5) (shorewall6.conf[3](5)).
408
409       delete { interface[:host-list]... zone | zone host-list }
410           The delete command reverses the effect of an earlier add command.
411
412           The interface argument names an interface defined in the
413           shorewall-interfaces[4](5) (shorewall6-interfaces[5](5) file. A
414           host-list is comma-separated list whose elements are a host or
415           network address.
416
417           Beginning with Shorewall 4.5.9, the dynamic_shared zone option
418           (shorewall-zones[6](5), shorewall6-zones[8](5)) allows a single
419           ipset to handle entries for multiple interfaces. When that option
420           is specified for a zone, the delete command has the alternative
421           syntax in which the zone name precedes the host-list.
422
423       disable { interface | provider }
424           Added in Shorewall 4.4.26. Disables the optional provider
425           associated with the specified interface or provider. Where more
426           than one provider share a single network interface, a provider name
427           must be given.
428
429           Beginning with Shorewall 4.5.10, this command may be used with any
430           optional network interface.  interface may be either the logical or
431           physical name of the interface. The command removes any routes
432           added from shorewall-routes[9](5) (shorewall6-routes[10](5))and any
433           traffic shaping configuration for the interface.
434
435       drop address
436           Causes traffic from the listed addresses to be silently dropped.
437           This command requires that the firewall be in the started state and
438           that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
439
440       dump  [-x] [-l] [-m] [-c]
441           Produces a verbose report about the firewall configuration for the
442           purpose of problem analysis.
443
444           The -x option causes actual packet and byte counts to be displayed.
445           Without that option, these counts are abbreviated.
446
447           The -m option causes any MAC addresses included in Shorewall log
448           messages to be displayed.
449
450           The -l option causes the rule number for each Netfilter rule to be
451           displayed.
452
453           The -c option causes the route cache to be dumped in addition to
454           the other routing information.
455
456       enable { interface | provider }
457           Added in Shorewall 4.4.26. Enables the optional provider associated
458           with the specified interface or provider. Where more than one
459           provider share a single network interface, a provider name must be
460           given.
461
462           Beginning with Shorewall 4.5.10, this command may be used with any
463           optional network interface.  interface may be either the logical or
464           physical name of the interface. The command sets /proc entries for
465           the interface, adds any route specified in shorewall-routes[9](5)
466           (shorewall6-routes[10](5)) and installs the interface's traffic
467           shaping configuration, if any.
468
469       export [ directory1 ] [ user@]system[:directory2 ]
470           Not available with Shorewall[6]-lite.
471
472           If directory1 is omitted, the current working directory is assumed.
473
474           Allows a non-root user to compile a shorewall script and stage it
475           on a system (provided that the user has access to the system via
476           ssh). The command is equivalent to:
477
478                   /sbin/shorewall compile -e directory1 directory1/firewall &&\
479                   scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]
480
481           In other words, the configuration in the specified (or defaulted)
482           directory is compiled to a file called firewall in that directory.
483           If compilation succeeds, then firewall and firewall.conf are copied
484           to system using scp.
485
486       forget [ filename ]
487           Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If
488           no filename is given then the file specified by RESTOREFILE in
489           shorewall.conf[2](5) (shorewall6.conf[3](5)) is assumed.
490
491       help
492           Displays a syntax summary.
493
494       hits [-t]
495           Generates several reports from Shorewall log messages in the
496           current log file. If the -t option is included, the reports are
497           restricted to log messages generated today. Not available with
498           Shorewall6[-lite].
499
500       ipcalc { address mask | address/vlsm }
501           Ipcalc displays the network address, broadcast address, network in
502           CIDR notation and netmask corresponding to the input[s]. Not
503           available with Shorewall6[-lite].
504
505       iprange address1-address2
506           Iprange decomposes the specified range of IP addresses into the
507           equivalent list of network/host addresses. Not available with
508           Shorewall6[-lite].
509
510       iptrace iptables match expression
511           This is a low-level debugging command that causes iptables TRACE
512           log records to be created. See iptables(8) for details.
513
514           The iptables match expression must be one or more matches that may
515           appear in both the raw table OUTPUT and raw table PREROUTING
516           chains.
517
518           The log message destination is determined by the currently-selected
519           IPv4 or IPv6 logging backend[11].
520
521       list
522           list is a synonym for show -- please see below.
523
524       logdrop address
525           Causes traffic from the listed addresses to be logged then
526           discarded. Logging occurs at the log level specified by the
527           BLACKLIST_LOGLEVEL setting in shorewall.conf[2] (5)
528           (shorewall6.conf[3](5)). This command requires that the firewall be
529           in the started state and that DYNAMIC_BLACKLIST=Yes in
530           shorewall.conf (5)[2].
531
532       logwatch [-m] [ refresh-interval ]
533           Monitors the log file specified by the LOGFILE option in
534           shorewall.conf[2](5) (shorewall6.conf[3](5)) and produces an
535           audible alarm when new Shorewall messages are logged. The -m option
536           causes the MAC address of each packet source to be displayed if
537           that information is available. The refresh-interval specifies the
538           time in seconds between screen refreshes. You can enter a negative
539           number by preceding the number with "--" (e.g., shorewall logwatch
540           -- -30). In this case, when a packet count changes, you will be
541           prompted to hit any key to resume screen refreshes.
542
543       logreject address
544           Causes traffic from the listed addresses to be logged then
545           rejected. Logging occurs at the log level specified by the
546           BLACKLIST_LOGLEVEL setting in shorewall.conf[2] (5),
547           (shorewall6.conf[3](5)). This command requires that the firewall be
548           in the started state and that DYNAMIC_BLACKLIST=Yes in
549           shorewall.conf (5)[2].
550
551       ls
552           ls is a synonym for show -- please see below.
553
554       noiptrace iptables match expression
555           This is a low-level debugging command that cancels a trace started
556           by a preceding iptrace command.
557
558           The iptables match expression must be one given in the iptrace
559           command being canceled.
560
561       open source dest [ protocol [ port ] ]
562           Added in Shorewall 4.6.8. This command requires that the firewall
563           be in the started state and that DYNAMIC_BLACKLIST=Yes in
564           shorewall.conf (5)[2]. The effect of the command is to temporarily
565           open the firewall for connections matching the parameters.
566
567           The source and dest parameters may each be specified as all if you
568           don't wish to restrict the connection source or destination
569           respectively. Otherwise, each must contain a host or network
570           address or a valid DNS name.
571
572           The protocol may be specified either as a number or as a name
573           listed in /etc/protocols. The port may be specified numerically or
574           as a name listed in /etc/services.
575
576           To reverse the effect of a successful open command, use the close
577           command with the same parameters or simply restart the firewall.
578
579           Example: To open the firewall for SSH connections to address
580           192.168.1.1, the command would be:
581
582                   shorewall open all 192.168.1.1 tcp 22
583
584           To reverse that command, use:
585
586                   shorewall close all 192.168.1.1 tcp 22
587
588       reenable{ interface | provider }
589           Added in Shorewall 4.6.9. This is equivalent to a disable command
590           followed by an enable command on the specified interface or
591           provider.
592
593       reject address
594           Causes traffic from the listed addresses to be silently rejected.
595           This command requires that the firewall be in the started state and
596           that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
597
598       reload [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
599           This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0
600           reload command is now called remote-restart (see below).
601
602           Shorewall and Shorewall6
603               Reload is similar to shorewall start except that it assumes
604               that the firewall is already started. Existing connections are
605               maintained. If a directory is included in the command,
606               Shorewall will look in that directory first for configuration
607               files.
608
609               The -n option causes Shorewall to avoid updating the routing
610               table(s).
611
612               The -p option causes the connection tracking table to be
613               flushed; the conntrack utility must be installed to use this
614               option.
615
616               The -d option causes the compiler to run under the Perl
617               debugger.
618
619               The -f option suppresses the compilation step and simply reused
620               the compiled script which last started/restarted Shorewall,
621               provided that /etc/shorewall and its contents have not been
622               modified since the last start/restart.
623
624               The -c option was added in Shorewall 4.4.20 and performs the
625               compilation step unconditionally, overriding the AUTOMAKE
626               setting in shorewall.conf[2](5) (Shorewall and Shorewall6
627               only). When both -f and -c are present, the result is
628               determined by the option that appears last.
629
630               The -T option was added in Shorewall 4.5.3 and causes a Perl
631               stack trace to be included with each compiler-generated error
632               and warning message.
633
634               The -i option was added in Shorewall 4.6.0 and causes a warning
635               message to be issued if the current line contains alternative
636               input specifications following a semicolon (";"). Such lines
637               will be handled incorrectly if INLINE_MATCHES is set to Yes in
638               shorewall.conf[2](5) (shorewall6.conf[3](5))..
639
640               The -C option was added in Shorewall 4.6.5 and is only
641               meaningful when AUTOMAKE=Yes in shorewall.conf[2](5)
642               (shorewall6.conf[3](5)). If an existing firewall script is used
643               and if that script was the one that generated the current
644               running configuration, then the running netfilter configuration
645               will be reloaded as is so as to preserve the iptables packet
646               and byte counters.
647
648           Shorewall-lite and Shorewall6-lite
649               Reload is similar to shorewall start except that it assumes
650               that the firewall is already started. Existing connections are
651               maintained.
652
653               The -n option causes Shorewall to avoid updating the routing
654               table(s).
655
656               The -p option causes the connection tracking table to be
657               flushed; the conntrack utility must be installed to use this
658               option.
659
660               The -C option was added in Shorewall 4.6.5 If the existing
661               firewall script is the one that generated the current running
662               configuration, then the running netfilter configuration will be
663               reloaded as is so as to preserve the iptables packet and byte
664               counters.
665
666       remote-getcaps [-R] [-r root-user-name] [ [ -D ] directory ] [ system ]
667           Added in Shoreall 5.2.0, this command executes shorewall[6]-lite
668           show capabilities -f > /var/lib/shorewall[6]-lite/capabilities on
669           the remote system via ssh then the generated file is copied to
670           directory on the local system. If no directory is given, the
671           current working directory is assumed.
672
673           if -R is included, the remote shorewallrc file is also copied to
674           directory.
675
676           If -r is included, it specifies that the root user on system is
677           named root-user-name rather than "root".
678
679       remote-getrc [-c] [-r root-user-name] [ [ -D ] directory ] [ system ]
680           Added in Shoreall 5.2.0, this command copies the shorewallrc file
681           from the remote system to directory on the local system. If no
682           directory is given, the current working directory is assumed.
683
684           if -c is included, the remote capabilities are also copied to
685           directory, as is done by the remote-getcaps command.
686
687           If -r is included, it specifies that the root user on system is
688           named root-user-name rather than "root".
689
690       remote-start [-n] [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
691       directory ] [ system ]
692           This command was renamed from load in Shorewall 5.0.0 and is only
693           available in Shorewall and Shoreawall6.
694
695           If directory is omitted, the current working directory is assumed.
696           Allows a non-root user to compile a shorewall script and install it
697           on a system (provided that the user has root access to the system
698           via ssh). The command is equivalent to:
699
700                   /sbin/shorewall compile -e directory directory/firewall &&\
701                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
702                   ssh root@system '/sbin/shorewall-lite start'
703
704           In other words, the configuration in the specified (or defaulted)
705           directory is compiled to a file called firewall in that directory.
706           If compilation succeeds, then firewall is copied to system using
707           scp. If the copy succeeds, Shorewall Lite on system is started via
708           ssh. Beginning with Shorewall 5.0.13, if system is omitted, then
709           the FIREWALL option setting in shorewall.conf[12](5)
710           (shorewall6.conf(5)[3]) is assumed. In that case, if you want to
711           specify a directory, then the -D option must be given.
712
713           The -n option causes Shorewall to avoid updating the routing
714           table(s).
715
716           If -s is specified and the start command succeeds, then the remote
717           Shorewall-lite configuration is saved by executing shorewall-lite
718           save via ssh.
719
720           if -c is included, the command shorewall[6]-lite show capabilities
721           -f > /var/lib/shorewall[6]-lite/capabilities is executed via ssh
722           then the generated file is copied to directory using scp. This step
723           is performed before the configuration is compiled.
724
725           If -r is included, it specifies that the root user on system is
726           named root-user-name rather than "root".
727
728           The -T option was added in Shorewall 4.5.3 and causes a Perl stack
729           trace to be included with each compiler-generated error and warning
730           message.
731
732       remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
733       directory ] [ system ]
734           This command was added in Shorewall 5.0.0 and is only available in
735           Shorewall and Shorewall6.
736
737           If directory is omitted, the current working directory is assumed.
738           Allows a non-root user to compile a shorewall script and install it
739           on a system (provided that the user has root access to the system
740           via ssh). The command is equivalent to:
741
742                   /sbin/shorewall compile -e directory directory/firewall &&\
743                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
744                   ssh root@system '/sbin/shorewall-lite reload'
745
746           In other words, the configuration in the specified (or defaulted)
747           directory is compiled to a file called firewall in that directory.
748           If compilation succeeds, then firewall is copied to system using
749           scp. If the copy succeeds, Shorewall Lite on system is restarted
750           via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
751           then the FIREWALL option setting in shorewall6.conf(5)[13]
752           (shorewall6.conf[3](5)) is assumed. In that case, if you want to
753           specify a directory, then the -D option must be given.
754
755           If -s is specified and the restart command succeeds, then the
756           remote Shorewall-lite configuration is saved by executing
757           shorewall-lite save via ssh.
758
759           if -c is included, the command shorewall-lite show capabilities -f
760           > /var/lib/shorewall-lite/capabilities is executed via ssh then the
761           generated file is copied to directory using scp. This step is
762           performed before the configuration is compiled.
763
764           If -r is included, it specifies that the root user on system is
765           named root-user-name rather than "root".
766
767           The -T option was added in Shorewall 4.5.3 and causes a Perl stack
768           trace to be included with each compiler-generated error and warning
769           message.
770
771           The -i option was added in Shorewall 4.6.0 and causes a warning
772           message to be issued if the current line contains alternative input
773           specifications following a semicolon (";"). Such lines will be
774           handled incorrectly if INLINE_MATCHES is set to Yes in
775           shorewall.conf[2](5) (shorewall6.conf[3](5)).
776
777       remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
778       directory ] [ system ]
779           This command was renamed from reload in Shorewall 5.0.0 and is
780           available in Shorewall and Shorewall6 only.
781
782           If directory is omitted, the current working directory is assumed.
783           Allows a non-root user to compile a shorewall script and install it
784           on a system (provided that the user has root access to the system
785           via ssh). The command is equivalent to:
786
787                   /sbin/shorewall compile -e directory directory/firewall &&\
788                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
789                   ssh root@system '/sbin/shorewall-lite restart'
790
791           In other words, the configuration in the specified (or defaulted)
792           directory is compiled to a file called firewall in that directory.
793           If compilation succeeds, then firewall is copied to system using
794           scp. If the copy succeeds, Shorewall Lite on system is restarted
795           via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
796           then the FIREWALL option setting in shorewall6.conf(5)[13]
797           (shorewall6.conf[3](5)) is assumed. In that case, if you want to
798           specify a directory, then the -D option must be given.
799
800           If -s is specified and the restart command succeeds, then the
801           remote Shorewall-lite configuration is saved by executing
802           shorewall-lite save via ssh.
803
804           if -c is included, the command shorewall-lite show capabilities -f
805           > /var/lib/shorewall-lite/capabilities is executed via ssh then the
806           generated file is copied to directory using scp. This step is
807           performed before the configuration is compiled.
808
809           If -r is included, it specifies that the root user on system is
810           named root-user-name rather than "root".
811
812           The -T option was added in Shorewall 4.5.3 and causes a Perl stack
813           trace to be included with each compiler-generated error and warning
814           message.
815
816           The -i option was added in Shorewall 4.6.0 and causes a warning
817           message to be issued if the current line contains alternative input
818           specifications following a semicolon (";"). Such lines will be
819           handled incorrectly if INLINE_MATCHES is set to Yes in
820           shorewall.conf[2](5) (shorewall6.conf[3](5).
821
822       reset [chain, ...]
823           Resets the packet and byte counters in the specified chain(s). If
824           no chain is specified, all the packet and byte counters in the
825           firewall are reset.
826
827           Beginning with Shorewall 5.0.0, chain may be composed of both a
828           table name and a chain name separated by a colon (e.g.,
829           mangle:PREROUTING). Chain names following that don't include a
830           table name are assumed to be in that same table. If no table name
831           is given in the command, the filter table is assumed.
832
833       restart [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
834           Beginning with Shorewall 5.0.0, this command performs a true
835           restart. The firewall is completely stopped as if a stop command
836           had been issued then it is started again.
837
838           Shorewall and Shorewall6
839               If a directory is included in the command, Shorewall will look
840               in that directory first for configuration files.
841
842               The -n option causes Shorewall to avoid updating the routing
843               table(s).
844
845               The -p option causes the connection tracking table to be
846               flushed; the conntrack utility must be installed to use this
847               option.
848
849               The -d option causes the compiler to run under the Perl
850               debugger.
851
852               The -f option suppresses the compilation step and simply reused
853               the compiled script which last started/restarted Shorewall,
854               provided that /etc/shorewall and its contents have not been
855               modified since the last start/restart.
856
857               The -c option was added in Shorewall 4.4.20 and performs the
858               compilation step unconditionally, overriding the AUTOMAKE
859               setting in shorewall.conf[2](5). When both -f and -c are
860               present, the result is determined by the option that appears
861               last.
862
863               The -T option was added in Shorewall 4.5.3 and causes a Perl
864               stack trace to be included with each compiler-generated error
865               and warning message.
866
867               The -i option was added in Shorewall 4.6.0 and causes a warning
868               message to be issued if the current line contains alternative
869               input specifications following a semicolon (";"). Such lines
870               will be handled incorrectly if INLINE_MATCHES is set to Yes in
871               shorewall.conf[2](5).
872
873               The -C option was added in Shorewall 4.6.5 and is only
874               meaningful when AUTOMAKE=Yes in shorewall.conf[2](5). If an
875               existing firewall script is used and if that script was the one
876               that generated the current running configuration, then the
877               running netfilter configuration will be reloaded as is so as to
878               preserve the iptables packet and byte counters.
879
880           Shorewall-lite and Shorewall6-lite
881               The -n option causes Shorewall to avoid updating the routing
882               table(s).
883
884               The -p option causes the connection tracking table to be
885               flushed; the conntrack utility must be installed to use this
886               option.
887
888               The -C option was added in Shorewall 4.6.5 If the existing
889               firewall script is the one that generated the current running
890               configuration, then the running netfilter configuration will be
891               reloaded as is so as to preserve the iptables packet and byte
892               counters.
893
894       restore  [-n] [-p] [-C] [ filename ]
895           Restore Shorewall to a state saved using the shorewall save
896           command. Existing connections are maintained. The filename names a
897           restore file in /var/lib/shorewall created using shorewall save; if
898           no filename is given then Shorewall will be restored from the file
899           specified by the RESTOREFILE option in shorewall.conf[2](5)
900           (shorewall6.conf[3](5)).
901
902               Caution
903               If your iptables ruleset depends on variables that are detected
904               at run-time, either in your params file or by
905               Shorewall-generated code, restore will use the values that were
906               current when the ruleset was saved, which may be different from
907               the current values.
908           The -n option causes Shorewall to avoid updating the routing
909           table(s).
910
911           The -p option, added in Shorewall 4.6.5, causes the connection
912           tracking table to be flushed; the conntrack utility must be
913           installed to use this option.
914
915           The -C option was added in Shorewall 4.6.5. If the -C option was
916           specified during shorewall save, then the counters saved by that
917           operation will be restored.
918
919       run command [ parameter ... ]
920           Added in Shorewall 4.6.3. Executes command in the context of the
921           generated script passing the supplied parameters. Normally, the
922           command will be a function declared in lib.private.
923
924           Before executing the command, the script will detect the
925           configuration, setting all SW_* variables and will run your init
926           extension script with $COMMAND = 'run'.
927
928           If there are files in the CONFIG_PATH that were modified after the
929           current firewall script was generated, the following warning
930           message is issued:
931               WARNING: /var/lib/shorewall/firewall is not up to
932                           date
933
934       safe-reload [-d] [-p] [-t timeout ] [ directory ]
935           Added in Shorewall 5.0.0, this command performs the same function
936           as did safe_restart in earlier releases. The command is available
937           in Shorewall and Shorewall6 only.
938
939           Only allowed if Shorewall is running. The current configuration is
940           saved in /var/lib/shorewall/safe-reload (see the save command
941           below) then a shorewall reload is done. You will then be prompted
942           asking if you want to accept the new configuration or not. If you
943           answer "n" or if you fail to answer within 60 seconds (such as when
944           your new configuration has disabled communication with your
945           terminal), the configuration is restored from the saved
946           configuration. If a directory is given, then Shorewall will look in
947           that directory first when opening configuration files.
948
949           Beginning with Shorewall 4.5.0, you may specify a different timeout
950           value using the -t option. The numeric timeout may optionally be
951           followed by an s, m or h suffix (e.g., 5m) to specify seconds,
952           minutes or hours respectively. If the suffix is omitted, seconds is
953           assumed.
954
955       safe-restart [-d] [-p] [-t timeout ] [ directory ]
956           Only allowed if Shorewall[6] is running and is not available in
957           Shorewall-lite and Shorewall6-lite. The current configuration is
958           saved in /var/lib/shorewall/safe-restart (see the save command
959           below) then a shorewall restart is done. You will then be prompted
960           asking if you want to accept the new configuration or not. If you
961           answer "n" or if you fail to answer within 60 seconds (such as when
962           your new configuration has disabled communication with your
963           terminal), the configuration is restored from the saved
964           configuration. If a directory is given, then Shorewall will look in
965           that directory first when opening configuration files.
966
967           Beginning with Shorewall 4.5.0, you may specify a different timeout
968           value using the -t option. The numeric timeout may optionally be
969           followed by an s, m or h suffix (e.g., 5m) to specify seconds,
970           minutes or hours respectively. If the suffix is omitted, seconds is
971           assumed.
972
973       safe-start [-d] [-p] [-ttimeout ] [ directory ]
974           Shorewall is started normally. You will then be prompted asking if
975           everything went all right. If you answer "n" or if you fail to
976           answer within 60 seconds (such as when your new configuration has
977           disabled communication with your terminal), a shorewall clear is
978           performed for you. If a directory is given, then Shorewall will
979           look in that directory first when opening configuration files.
980
981           Beginning with Shorewall 4.5.0, you may specify a different timeout
982           value using the -t option. The numeric timeout may optionally be
983           followed by an s, m or h suffix (e.g., 5m) to specify seconds,
984           minutes or hours respectively. If the suffix is omitted, seconds is
985           assumed.
986
987           This command is available in Shorewall and Shorewall6 only.
988
989       save  [-C] [ filename ]
990           Creates a snapshot of the currently running firewall. The dynamic
991           blacklist is stored in /var/lib/shorewall/save. The state of the
992           firewall is stored in /var/lib/shorewall/filename for use by the
993           shorewall restore command. If filename is not given then the state
994           is saved in the file specified by the RESTOREFILE option in
995           shorewall.conf[2](5) (shorewall6.conf[3](5)).
996
997           The -C option, added in Shorewall 4.6.5, causes the iptables packet
998           and byte counters to be saved along with the chains and rules.
999
1000       savesets
1001           Added in shorewall 4.6.8. Performs the same action as the stop
1002           command with respect to saving ipsets (see the SAVE_IPSETS option
1003           in shorewall.conf[2] (5) (shorewall6.conf[3](5)). This command may
1004           be used to proactively save your ipset contents in the event that a
1005           system failure occurs prior to issuing a stop command.
1006
1007       show
1008           The show command can have a number of different arguments:
1009
1010           action action
1011               Lists the named action file. Available on Shorewall and
1012               Shorewall6 only.
1013
1014           actions
1015               Produces a report about the available actions (built-in,
1016               standard and user-defined). Available on Shorewall and
1017               Shorewall6 only.
1018
1019           bl|blacklists [-x]
1020               Added in Shorewall 4.6.2. Displays the dynamic chain along with
1021               any chains produced by entries in shorewall-blrules(5). The -x
1022               option is passed directly through to iptables and causes actual
1023               packet and byte counts to be displayed. Without this option,
1024               those counts are abbreviated.
1025
1026           [-f] capabilities
1027               Displays your kernel/iptables capabilities. The -f option
1028               causes the display to be formatted as a capabilities file for
1029               use with compile -e.
1030
1031           [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [ chain... ]
1032               The rules in each chain are displayed using the iptables -L
1033               chain -n -v command. If no chain is given, all of the chains in
1034               the filter table are displayed. The -x option is passed
1035               directly through to iptables and causes actual packet and byte
1036               counts to be displayed. Without this option, those counts are
1037               abbreviated. The -t option specifies the Netfilter table to
1038               display. The default is filter.
1039
1040               The -b ('brief') option causes rules which have not been used
1041               (i.e. which have zero packet and byte counts) to be omitted
1042               from the output. Chains with no rules displayed are also
1043               omitted from the output.
1044
1045               The -l option causes the rule number for each Netfilter rule to
1046               be displayed.
1047
1048               If the -t option and the chain keyword are both omitted and any
1049               of the listed chains do not exist, a usage message is
1050               displayed.
1051
1052           classifiers|filters
1053               Displays information about the packet classifiers defined on
1054               the system as a result of traffic shaping configuration.
1055
1056           config
1057               Displays distribution-specific defaults.
1058
1059           connections [filter_parameter ...]
1060               Displays the IP connections currently being tracked by the
1061               firewall.
1062
1063               If the conntrack utility is installed, beginning with Shorewall
1064               4.6.11 the set of connections displayed can be limited by
1065               including conntrack filter parameters (-p , -s, --dport, etc).
1066               See conntrack(8) for details.
1067
1068           event event
1069               Added in Shorewall 4.5.19. Displays the named event.
1070
1071           events
1072               Added in Shorewall 4.5.19. Displays all events.
1073
1074           ip
1075               Displays the system's IPv4 configuration.
1076
1077           ipa
1078               Added in Shorewall 4.4.17. Displays the per-IP accounting
1079               counters (shorewall-accounting[14] (5),
1080               shorewall6-accounting[15](5)).
1081
1082           ipsec
1083               Added in Shorewall 5.1.0. Displays the contents of the IPSEC
1084               Security Policy Database (SPD) and Security Association
1085               Database (SAD). SAD keys are not displayed.
1086
1087           [-m] log
1088               Displays the last 20 Shorewall messages from the log file
1089               specified by the LOGFILE option in shorewall.conf[2](5)
1090               (shorewall6.conf[3](5)). The -m option causes the MAC address
1091               of each packet source to be displayed if that information is
1092               available.
1093
1094           macros
1095               Displays information about each macro defined on the firewall
1096               system (Shorewall and Shorewall6 only)
1097
1098           macro macro
1099               Added in Shorewall 4.4.6. Displays the file that implements the
1100               specified macro (usually /usr/share/shorewall/macro.macro).
1101               Available only in Shorewall and Shorewall6.
1102
1103           [-x] mangle
1104               Displays the Netfilter mangle table using the command iptables
1105               -t mangle -L -n -v. The -x option is passed directly through to
1106               iptables and causes actual packet and byte counts to be
1107               displayed. Without this option, those counts are abbreviated.
1108
1109           marks
1110               Added in Shorewall 4.4.26. Displays the various fields in
1111               packet marks giving the min and max value (in both decimal and
1112               hex) and the applicable mask (in hex).
1113
1114           [-x] nat
1115               Displays the Netfilter nat table using the command iptables -t
1116               nat -L -n -v. The -x option is passed directly through to
1117               iptables and causes actual packet and byte counts to be
1118               displayed. Without this option, those counts are abbreviated.
1119
1120           opens
1121               Added in Shorewall 4.5.8. Displays the iptables rules in the
1122               'dynamic' chain created through use of the open command..
1123
1124           policies
1125               Added in Shorewall 4.4.4. Displays the applicable policy
1126               between each pair of zones. Note that implicit intrazone ACCEPT
1127               policies are not displayed for zones associated with a single
1128               network where that network doesn't specify routeback.
1129
1130           rc
1131               Added in Shorewall 5.2.0. Displays the contents of
1132               $SHAREDIR/shorewall/shorewallrc.
1133
1134           [-c] routing
1135               Displays the system's IPv4 routing configuration. The -c option
1136               causes the route cache to be displayed along with the other
1137               routing information.
1138
1139           [-x] raw
1140               Displays the Netfilter raw table using the command iptables -t
1141               raw -L -n -v. The -x option is passed directly through to
1142               iptables and causes actual packet and byte counts to be
1143               displayed. Without this option, those counts are abbreviated.
1144
1145           saves
1146               Added in Shorewall 5.2.0. Lists snapshots created by the save
1147               command. Each snapshot is listed with the date and time when it
1148               was taken. If there is a snapshot with the name specified in
1149               the RESTOREFILE option in shorewall.conf(5[12]), that snapshot
1150               is listed as the default snapshot for the restore command.
1151
1152           tc
1153               Displays information about queuing disciplines, classes and
1154               filters.
1155
1156           zones
1157               Displays the current composition of the Shorewall zones on the
1158               system.
1159
1160       start  [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
1161
1162           Shorewall and Shorewall6
1163               Start shorewall[6]. Existing connections through shorewall
1164               managed interfaces are untouched. New connections will be
1165               allowed only if they are allowed by the firewall rules or
1166               policies. If a directory is included in the command, Shorewall
1167               will look in that directory first for configuration files. If
1168               -f is specified, the saved configuration specified by the
1169               RESTOREFILE option in shorewall.conf[2](5)
1170               (shorewall6.conf[3](5)) will be restored if that saved
1171               configuration exists and has been modified more recently than
1172               the files in /etc/shorewall. When -f is given, a directory may
1173               not be specified.
1174
1175               Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
1176               added to shorewall.conf[2](5) (shorewall6.conf[3](5)). When
1177               LEGACY_FASTSTART=No, the modification times of files in
1178               /etc/shorewall are compared with that of
1179               /var/lib/shorewall/firewall (the compiled script that last
1180               started/restarted the firewall).
1181
1182               The -n option causes Shorewall to avoid updating the routing
1183               table(s).
1184
1185               The -p option causes the connection tracking table to be
1186               flushed; the conntrack utility must be installed to use this
1187               option.
1188
1189               The -c option was added in Shorewall 4.4.20 and performs the
1190               compilation step unconditionally, overriding the AUTOMAKE
1191               setting in shorewall.conf[2](5) (shorewall6.conf[3](5)). When
1192               both -f and -care present, the result is determined by the
1193               option that appears last.
1194
1195               The -T option was added in Shorewall 4.5.3 and causes a Perl
1196               stack trace to be included with each compiler-generated error
1197               and warning message.
1198
1199               The -i option was added in Shorewall 4.6.0 and causes a warning
1200               message to be issued if the current line contains alternative
1201               input specifications following a semicolon (";"). Such lines
1202               will be handled incorrectly if INLINE_MATCHES is set to Yes in
1203               shorewall.conf(5)[2] (shorewall6.conf[3](5)).
1204
1205               The -C option was added in Shorewall 4.6.5 and is only
1206               meaningful when the -f option is also specified. If the
1207               previously-saved configuration is restored, and if the -C
1208               option was also specified in the save command, then the packet
1209               and byte counters will be restored.
1210
1211           Shorewall-lite and Shorewall6-lite
1212               Start Shorewall[6] Lite. Existing connections through
1213               shorewall[6]-lite managed interfaces are untouched. New
1214               connections will be allowed only if they are allowed by the
1215               firewall rules or policies.
1216
1217               The -p option causes the connection tracking table to be
1218               flushed; the conntrack utility must be installed to use this
1219               option.
1220
1221               The -n option prevents the firewall script from modifying the
1222               current routing configuration.
1223
1224               The -f option was added in Shorewall 4.6.5. If the RESTOREFILE
1225               named in shorewall.conf[12](5) exists, is executable and is not
1226               older than the current filewall script, then that saved
1227               configuration is restored.
1228
1229               The -C option was added in Shorewall 4.6.5 and is only
1230               meaningful when the -f option is also specified. If the
1231               previously-saved configuration is restored, and if the -C
1232               option was also specified in the save command, then the packet
1233               and byte counters will be restored.
1234
1235       stop [-f]
1236           Stops the firewall. All existing connections, except those listed
1237           in shorewall-routestopped[16](5) or permitted by the
1238           ADMINISABSENTMINDED option in shorewall.conf[2](5), are taken down.
1239           The only new traffic permitted through the firewall is from systems
1240           listed in shorewall-routestopped[16](5) or by ADMINISABSENTMINDED.
1241
1242           If -f is given, the command will be processed by the compiled
1243           script that executed the last successful start, restart or reload
1244           command if that script exists.
1245
1246       status [-i]
1247           Produces a short report about the state of the Shorewall-configured
1248           firewall.
1249
1250           The -i option was added in Shorewall 4.6.2 and causes the status of
1251           each optional or provider interface to be displayed.
1252
1253       try directory [ timeout ]
1254           This command is available in Shorewall and Shorewall6 only.
1255
1256           If Shorewall[6] is started then the firewall state is saved to a
1257           temporary saved configuration (/var/lib/shorewall/.try). Next, if
1258           Shorewall[6] is currently started then a restart command is issued
1259           using the specified configuration directory; otherwise, a start
1260           command is performed using the specified configuration directory.
1261           if an error occurs during the compilation phase of the restart or
1262           start, the command terminates without changing the Shorewall[6]
1263           state. If an error occurs during the restart phase, then a
1264           shorewall restore is performed using the saved configuration. If an
1265           error occurs during the start phase, then Shorewall is cleared. If
1266           the start/restart succeeds and a timeout is specified then a clear
1267           or restore is performed after timeout seconds.
1268
1269           Beginning with Shorewall 4.5.0, the numeric timeout may optionally
1270           be followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1271           minutes or hours respectively. If the suffix is omitted, seconds is
1272           assumed.
1273
1274       update  [-d] [-r] [-T] [-a] [-i] [-A] [ directory ]
1275           This command is available only in Shorewall and Shorewall6.
1276
1277           Added in Shorewall 4.4.21 and causes the compiler to update
1278           /etc/shorewall/shorewall.conf then validate the configuration. The
1279           update will add options not present in the old file with their
1280           default values, and will move deprecated options with non-defaults
1281           to a deprecated options section at the bottom of the file. Your
1282           existing shorewall.conf file is renamed shorewall.conf.bak.
1283
1284           The command was extended over the years with a set of options that
1285           caused additional configuration updates.
1286
1287           ·   Convert an existing blacklist file into an equivalent blrules
1288               file.
1289
1290           ·   Convert an existing routestopped file into an equivalent
1291               stoppedrules file.
1292
1293           ·   Convert existing tcrules and tos files into an equivalent
1294               mangle file.
1295
1296           ·   Convert an existing notrack file into an equivalent conntrack
1297               file.
1298
1299           ·   Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
1300               ?SECTION and ?COMMENT directives.
1301
1302           In each case, the old file is renamed with a .bak suffix.
1303
1304           In Shorewall 5.0.0, the options were eliminated and the update
1305           command performs all of the updates described above.
1306
1307               Important
1308               There are some notable restrictions with the update command:
1309
1310                1. Converted rules will be appended to the existing file; if
1311                   there is no existing file in the CONFIG_PATH, one will be
1312                   created in the directory specified in the command or in the
1313                   first entry in the CONFIG_PATH (normally /etc/shorewall)
1314                   otherwise.
1315
1316                2. Existing comments in the file being converted will not be
1317                   transferred to the output file.
1318
1319                3. With the exception of the notrack->conntrack conversion,
1320                   INCLUDEd files will be expanded inline in the output file.
1321
1322                4. Columns in the output file will be separated by a single
1323                   tab character; there is no attempt made to otherwise align
1324                   the columns.
1325
1326                5. Prior to Shorewall 5.0.15, shell variables will be expanded
1327                   in the output file.
1328
1329                6. Prior to Shorewall 5.0.15, lines omitted by compiler
1330                   directives (?if ...., etc.) will not appear in the output
1331                   file.
1332
1333                       Important
1334                       Because the translation of the 'blacklist' and
1335                       'routestopped' files is not 1:1, omitted lines and
1336                       compiler directives are not transferred to the
1337                       converted files. If either are present, the compiler
1338                       issues a warning:
1339
1340                            WARNING: "Omitted rules and compiler directives were not translated
1341           The -a option causes the updated shorewall.conf file to be
1342           annotated with documentation.
1343
1344           The -i option was added in Shorewall 4.6.0 and causes a warning
1345           message to be issued if the current line contains alternative input
1346           specifications following a semicolon (";"). Such lines will be
1347           handled incorrectly if INLINE_MATCHES is set to Yes in
1348           shorewall.conf[2](5).
1349
1350           The -A option is included for compatibility with Shorewall 4.6 and
1351           is equivalent to specifying the -i option.
1352
1353           For a description of the other options, see the check command
1354           above.
1355
1356       version [-a]
1357           Displays Shorewall's version. The -a option is included for
1358           compatibility with earlier Shorewall releases and is ignored.
1359

EXIT STATUS

1361       In general, when a command succeeds, status 0 is returned; when the
1362       command fails, a non-zero status is returned.
1363
1364       The status command returns exit status as follows:
1365
1366       0 - Firewall is started.
1367
1368       3 - Firewall is stopped or cleared
1369
1370       4 - Unknown state; usually means that the firewall has never been
1371       started.
1372

ENVIRONMENT

1374       Two environmental variables are recognized by Shorewall:
1375
1376       SHOREWALL_INIT_SCRIPT
1377           When set to 1, causes Std out to be redirected to the file
1378           specified in the STARTUP_LOG option in shorewall.conf(5)[12].
1379
1380       SW_LOGGERTAG
1381           Added in Shorewall 5.0.8. When set to a non-empty value, that value
1382           is passed to the logger utility in its -t (--tag) option.
1383

FILES

1385       /etc/shorewall/
1386
1387       /etc/shorewall6/
1388

SEE ALSO

1390       http://www.shorewall.net/starting_and_stopping_shorewall.htm[17]
1391
1392       shorewall-accounting(5), shorewall-actions(5), shorewall-arprules(5),
1393       shorewall-blrules(5), shorewall.conf(5), shorewall-conntrack(5),
1394       shorewall-ecn(5), shorewall-exclusion(5), shorewall-hosts(5),
1395       shorewall-init(5), shorewall_interfaces(5), shorewall-ipsets(5),
1396       shorewall-logging(), shorewall-maclist(5), shorewall-mangle(5),
1397       shorewall-masq(5), shorewall-modules(5), shorewall-nat(5),
1398       shorewall-nesting(5), shorewall-netmap(5), shorewall-params(5),
1399       shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
1400       shorewall6-proxyndp(5), shorewall-routes(5), shorewall-rtrules(5),
1401       shorewall-rtrules(5), shorewall-rules(5), shorewall-secmarks(5),
1402       shorewall-snat(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
1403       shorewall-tcfilters(5), shorewall-tcinterfaces(5), shorewall-tcpri(5),
1404       shorewall-tunnels(5), shorewall-vardir(5), shorewall-zones(5)
1405

NOTES

1407        1. http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace
1408           http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace
1409
1410        2. shorewall.conf
1411           http://www.shorewall.net/manpages/shorewall.conf.html
1412
1413        3. shorewall6.conf
1414           http://www.shorewall.net/manpages6/shorewall6.conf.html
1415
1416        4. shorewall-interfaces
1417           http://www.shorewall.net/manpages/shorewall-interfaces.html
1418
1419        5. shorewall6-interfaces
1420           http://www.shorewall.net/manpages6/shorewall6-interfaces.html
1421
1422        6. shorewall-zones
1423           http://www.shorewall.net/manpages/shorewall-zones.html
1424
1425        7. shorewall6-zones
1426           http://www.shorewall.net???
1427
1428        8. shorewall6-zones
1429           http://www.shorewall.net/manpages6/shorewall6-zones.html
1430
1431        9. shorewall-routes
1432           http://www.shorewall.net/manpages/shorewall-routes.html
1433
1434       10. shorewall6-routes
1435           http://www.shorewall.net/manpages/shorewall6-routes.html
1436
1437       11. logging backend
1438           http://www.shorewall.net/shorewall_logging.html#Backends
1439
1440       12. shorewall.conf
1441           http://www.shorewall.netshorewall.conf.html
1442
1443       13. shorewall6.conf(5)
1444           http://www.shorewall.netshorewall6.conf.html
1445
1446       14. shorewall-accounting
1447           http://www.shorewall.net/manpages/shorewall-accounting.html
1448
1449       15. shorewall6-accounting
1450           http://www.shorewall.net/manpages6/shorewall6-accounting.html
1451
1452       16. shorewall-routestopped
1453           http://www.shorewall.net/manpages/shorewall-routestopped.html
1454
1455       17. http://www.shorewall.net/starting_and_stopping_shorewall.htm
1456           http://www.shorewall.net/starting_and_stopping_shorewall.htm
1457
1458
1459
1460Administrative Commands           08/05/2018                      SHOREWALL(8)
Impressum