SHOREWALL(8)                Administrative Commands               SHOREWALL(8)

NAME
       shorewall - Administration tool for Shoreline Firewall (Shorewall)

SYNOPSIS
       shorewall[6][-lite] [options] add { interface[:host-list]... zone |
           zone host-list }

       shorewall[6][-lite] [options] allow address

       shorewall[6][-lite] [options] blacklist[!] address [option ...]

       shorewall[6][-lite] [options] call function [parameter ...]

       shorewall[6] [trace|debug] [options] {check | ck} [-e] [-d] [-p] [-r]
           [-T] [-i] [directory]

       shorewall[6][-lite] [options] clear [-f]

       shorewall[6][-lite] [options] close { open-number | source dest
           [protocol [port]] }

       shorewall[6] [trace|debug] [options] {compile | co} [-e] [-c] [-d]
           [-p] [-T] [-i] [directory] [pathname]

       shorewall[6][-lite] [options] delete { interface[:host-list]... zone |
           zone host-list }

       shorewall[6][-lite] [options] disable { interface | provider }

       shorewall[6][-lite] [options] drop address

       shorewall[6][-lite] [options] dump [-x] [-l] [-m] [-c]

       shorewall[6][-lite] [options] enable { interface | provider }

       shorewall[6] [options] export [directory1] [user@]system[:directory2]

       shorewall[6][-lite] [options] forget [filename]

       shorewall[6][-lite] [options] help

       shorewall[-lite] [options] hits [-t]

       shorewall[-lite] [options] ipcalc { address mask | address/vlsm }

       shorewall[-lite] [options] iprange address1-address2

       shorewall[6][-lite] [options] iptrace iptables match expression

       shorewall[6][-lite] [options] logdrop address

       shorewall[6][-lite] [options] logwatch [-m] [refresh-interval]

       shorewall[6][-lite] [options] logreject address

       shorewall[6][-lite] [options] noiptrace iptables match expression

       shorewall[6][-lite] [options] open source dest [protocol [port]]

       shorewall[6][-lite] [options] reenable { interface | provider }

       shorewall[6][-lite] [options] reject address

       shorewall[6][-lite] [options] reload [-n] [-p [-d]] [-f] [-c] [-T] [-i]
           [-C] [directory]

       shorewall[6] [options] remote-getcaps [-s] [-R] [-r root-user-name]
           [-T] [-i] [[-D] directory] [system]

       shorewall[6] [options] remote-getrc [-s] [-c] [-r root-user-name] [-T]
           [-i] [[-D] directory] [system]

       shorewall[6] [options] remote-start [-s] [-c] [-r root-user-name] [-T]
           [-i] [[-D] directory] [system]

       shorewall[6] [options] remote-reload [-s] [-c] [-r root-user-name] [-T]
           [-i] [[-D] directory] [system]

       shorewall[6] [options] remote-restart [-s] [-c] [-r root-user-name]
           [-T] [-i] [[-D] directory] [system]

       shorewall[6][-lite] [options] reset [chain ...]

       shorewall[6][-lite] [options] restart [-n] [-p [-d]] [-f] [-c] [-T]
           [-i] [-C] [directory]

       shorewall[6][-lite] [options] restore [-n] [-p] [-C] [filename]

       shorewall[6][-lite] [options] run command [parameter ...]

       shorewall[6] [options] safe-restart [-d] [-p] [-t timeout] [directory]

       shorewall[6] [options] safe-start [-d] [-p] [-t timeout] [directory]

       shorewall[6][-lite] [options] save [-C] [filename]

       shorewall[6][-lite] [options] savesets

       shorewall[6][-lite] [options] {show | list | ls} [-x] {bl|blacklists}

       shorewall[6][-lite] [options] {show | list | ls} [-b] [-x] [-l]
           [-t {filter|mangle|nat|raw}] [chain...]

       shorewall[6][-lite] [options] {show | list | ls} [-f] capabilities

       shorewall[6] [options] {show | list | ls} [-f] {actions|macros}

       shorewall[6] [options] {show | list | ls} action action

       shorewall[6][-lite] [options] {show | list | ls}
           {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}

       shorewall[6][-lite] [options] {show | list | ls} event event

       shorewall[6][-lite] [options] {show | list | ls} [-c] routing

       shorewall[6] [options] {show | list | ls} macro macro

       shorewall[6][-lite] [options] {show | list | ls} [-x] {mangle|nat|raw}

       shorewall[6][-lite] [options] {show | list | ls} saves

       shorewall[6][-lite] [options] {show | list | ls} [-m] log

       shorewall[6][-lite] [trace|debug] [options] start [-n] [-f] [-p] [-c]
           [-T] [-i] [-C] [directory]

       shorewall[6][-lite] [options] stop [-f]

       shorewall[6][-lite] [options] status [-i]

       shorewall[6] [options] try directory [timeout]

       shorewall[6] [options] update [-b] [-d] [-r] [-T] [-a] [-i] [-A]
           [directory]

       shorewall[6][-lite] [options] version [-a]

DESCRIPTION
       Beginning with Shorewall 5.1.0, the shorewall utility is used to
       control the Shoreline Firewall (Shorewall), Shorewall Firewall 6
       (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall
       Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under
       four different names:

       shorewall
           Controls the Shorewall configuration when Shorewall is installed.
           If Shorewall is not installed, the shorewall command controls
           Shorewall-lite if it is installed. If neither Shorewall nor
           Shorewall-lite is installed, the shorewall command controls
           Shorewall6-lite if it is installed.

       shorewall6
           The shorewall6 command controls Shorewall6 when Shorewall6 is
           installed.

       shorewall-lite
           The shorewall-lite command controls Shorewall-lite when
           Shorewall-lite is installed.

       shorewall6-lite
           The shorewall6-lite command controls Shorewall6-lite when
           Shorewall6-lite is installed.

       Prior to Shorewall 5.1.0, these four commands were implemented as four
       separate programs, each of which controlled only a single firewall
       package. This manpage serves to document both the Shorewall 5.1 and
       Shorewall 5.0 CLI.

OPTIONS
       The options are:

       -4
           Added in Shorewall 5.1.0. Causes the command to operate on the
           Shorewall configuration or the Shorewall-lite configuration. It is
           the default when either of those products is installed and when
           the command is shorewall or shorewall-lite.

       -6
           Added in Shorewall 5.1.0. Causes the command to operate on the
           Shorewall6 or Shorewall6-lite configuration. It is the default
           when only Shorewall6-lite is installed and when the command is
           shorewall6 or shorewall6-lite.

       -l
           Added in Shorewall 5.1.0. Causes the command to operate on either
           Shorewall-lite or Shorewall6-lite and is the default when
           Shorewall is not installed or when the command is shorewall-lite
           or shorewall6-lite.

           With all four firewall products (Shorewall, Shorewall6,
           Shorewall-lite and Shorewall6-lite) installed, the following table
           shows the correspondence between the name used to invoke the
           command and the shorewall command with the above three options.

           Table 1. All four products installed

           The next table shows the correspondence when only Shorewall-lite
           and Shorewall6-lite are installed.

           Table 2. Only Shorewall-lite and Shorewall6-lite installed

       -v[verbosity]
           Alters the amount of output produced by the command. If neither
           the -v nor the -q option is specified, the amount of output is
           determined by the VERBOSITY setting in shorewall.conf[1](5)
           (shorewall6.conf[1](5)).

           When no verbosity is specified, each instance of this option
           causes 1 to be added to the effective verbosity. When a verbosity
           (-1, 0, 1 or 2) is given, the command is executed at the specified
           VERBOSITY. There may be no white-space between -v and the
           verbosity.

       -q
           Alters the amount of output produced by the command. If neither
           the -v nor the -q option is specified, the amount of output is
           determined by the VERBOSITY setting in shorewall.conf[1](5)
           (shorewall6.conf[1](5)).

           Each instance of this option causes 1 to be subtracted from the
           effective verbosity.

       -t
           Causes all progress messages to be timestamped.

       -T
           Added in Shorewall 5.2.4 to replace the earlier trace keyword. If
           the command invokes the generated firewall script, the script's
           execution will be traced to standard error.

       -D
           Added in Shorewall 5.2.4 to replace the earlier debug keyword. If
           the command invokes the generated firewall script, individual
           invocations of the ip[6]tables utility will be used to configure
           the ruleset rather than ip[6]tables-restore. This is useful for
           diagnosing ip[6]tables-restore failures on a COMMIT command.

       Note
           Prior to Shorewall 5.2.4, the general syntax for a CLI command
           was:

               [trace|debug] [nolock] [options] command [command-options]
               [command-arguments]

           Examples:

               shorewall debug -tv2 reload
               shorewall trace check
               shorewall nolock enable eth0

           In Shorewall 5.2.4 and later, those commands would be:

               shorewall -Dtv2 reload
               shorewall check -D
               shorewall -N enable eth0

           While not shown in the command synopses at the top of this page,
           the nolock keyword is still supported in Shorewall 5.2.4 and
           later, but is deprecated in favor of the -N option.

COMMANDS
       The available commands are listed below.

       add { interface[:host-list]... zone | zone host-list }
           Adds a list of hosts or subnets to a dynamic zone, usually used
           with VPNs.

           The interface argument names an interface defined in the
           shorewall-interfaces[2](5) (shorewall6-interfaces[2](5)) file. A
           host-list is a comma-separated list whose elements are host or
           network addresses.

           Caution
               The add command is not very robust. If there are errors in
               the host-list, you may see a large number of error messages,
               yet a subsequent shorewall show zones command will indicate
               that all hosts were added. If this happens, replace add by
               delete and run the same command again. Then enter the correct
               command.

           Beginning with Shorewall 4.5.9, the dynamic_shared zone option
           (shorewall-zones[3](5), shorewall6-zones[3](5)) allows a single
           ipset to handle entries for multiple interfaces. When that option
           is specified for a zone, the add command has the alternative
           syntax in which the zone name precedes the host-list.

       allow address
           Re-enables receipt of packets from hosts previously blacklisted by
           a blacklist, drop, logdrop, reject, or logreject command.

       blacklist[!] address [ option ... ]
           Added in Shorewall 5.0.8 and requires a DYNAMIC_BLACKLIST setting
           that begins with ipset in shorewall.conf[1](5). Causes packets
           from the given host or network address to be discarded; whether
           they are dropped or rejected is determined by the BLACKLIST
           setting in shorewall.conf[1](5). The address along with any
           options are passed to the ipset add command. Probably the most
           useful option is the timeout option. For example, to permanently
           blacklist 192.0.2.22, the command would be:

               shorewall blacklist 192.0.2.22 timeout 0

           Beginning with Shorewall 5.2.5, the above command can be shortened
           to:

               shorewall blacklist! 192.0.2.22

           If the disconnect option is specified in the DYNAMIC_BLACKLIST
           setting, then the effective VERBOSITY determines the amount of
           information displayed:

           ·   If the effective verbosity is > 0, then a message giving the
               number of conntrack flows deleted by the command is displayed.

           ·   If the effective verbosity is > 1, then the conntrack table
               entries deleted by the command are also displayed.

       call function [ parameter ... ]
           Added in Shorewall 4.6.10. Allows you to call a function in one of
           the Shorewall libraries or in your compiled script. function must
           name the shell function to be called. The listed parameters are
           passed to the function.

           The function is first searched for in lib.base, lib.common,
           lib.cli and lib.cli-std. If it is not found, the call command is
           passed to the generated script to be executed.

       check [-e] [-d] [-p] [-r] [-T] [-i] [-D] [ directory ]
           Not available with Shorewall[6]-lite.

           Compiles the configuration in the specified directory and discards
           the compiled output script. If no directory is given, then
           /etc/shorewall is assumed.

           The -e option causes the compiler to look for a file named
           capabilities. This file is produced using the command
           shorewall-lite show -f capabilities > capabilities on a system
           with Shorewall Lite installed.

           The -d option causes the compiler to be run under control of the
           Perl debugger.

           The -p option causes the compiler to be profiled via the Perl
           -wd:DProf command-line option.

           The -r option was added in Shorewall 4.5.2 and causes the compiler
           to print the generated ruleset to standard out.

           The -T option was added in Shorewall 4.4.20 and causes a Perl
           stack trace to be included with each compiler-generated error and
           warning message.

           The -i option was added in Shorewall 4.6.0 and causes a warning
           message to be issued if the current line contains alternative
           input specifications following a semicolon (";"). Such lines will
           be handled incorrectly if INLINE_MATCHES is set to Yes in
           shorewall.conf[1](5) (shorewall6.conf[1](5)).

           The -D option was added in Shorewall 5.2.4 and causes the compiler
           to write a large amount of debugging information to standard
           output.

       clear [-f]
           Clear will remove all rules and chains installed by Shorewall. The
           firewall is then wide open and unprotected. Existing connections
           are untouched. Clear is often used to see if the firewall is
           causing connection problems.

           If -f is given, the command will be processed by the compiled
           script that executed the last successful start, restart or reload
           command, if that script exists.

       close { open-number | source dest [ protocol [ port ] ] }
           Added in Shorewall 4.5.8. This command closes a temporary open
           created by the open command. In the first form, an open-number
           specifies the open to be closed. Open numbers are displayed in the
           num column of the output of the shorewall show opens command.

           When the second form of the command is used, the parameters must
           match those given in the earlier open command.

           This command requires that the firewall be in the started state
           and that DYNAMIC_BLACKLIST=Yes in shorewall.conf[1](5).

       compile [-e] [-c] [-d] [-p] [-T] [-i] [-D] [ directory ] [ pathname ]
           Not available with Shorewall[6]-lite.

           Compiles the current configuration into the executable file
           pathname. If a directory is supplied, Shorewall will look in that
           directory first for configuration files. If the pathname is
           omitted, the file firewall in the VARDIR (normally
           /var/lib/shorewall/) is assumed. A pathname of '-' causes the
           compiler to send the generated script to its standard output.
           Note that '-v-1' is usually specified in this case (e.g.,
           shorewall -v-1 compile -- -) to suppress the 'Compiling...'
           message normally generated by /sbin/shorewall.

           When -e is specified, the compilation is being performed on a
           system other than where the compiled script will run. This option
           disables certain configuration options that require the script to
           be compiled where it is to be run. The use of -e requires the
           presence of a configuration file named capabilities, which may be
           produced using the command shorewall-lite show -f capabilities >
           capabilities on a system with Shorewall Lite installed.

           The -c option was added in Shorewall 4.5.17 and causes conditional
           compilation of a script. The script specified by pathname (or
           implied if pathname is omitted) is compiled if it doesn't exist or
           if there is any file in the directory or in a directory on the
           CONFIG_PATH that has a modification time later than the file to be
           compiled. When no compilation is needed, a message is issued and
           an exit status of zero is returned.

           The -d option causes the compiler to be run under control of the
           Perl debugger.

           The -p option causes the compiler to be profiled via the Perl
           -wd:DProf command-line option.

           The -T option was added in Shorewall 4.4.20 and causes a Perl
           stack trace to be included with each compiler-generated error and
           warning message.

           The -i option was added in Shorewall 4.6.0 and causes a warning
           message to be issued if the current line contains alternative
           input specifications following a semicolon (";"). Such lines will
           be handled incorrectly if INLINE_MATCHES is set to Yes in
           shorewall.conf[1](5) (shorewall6.conf[1](5)).

           The -D option was added in Shorewall 5.2.4 and causes the compiler
           to write a large amount of debugging information to standard
           output.

       delete { interface[:host-list]... zone | zone host-list }
           The delete command reverses the effect of an earlier add command.

           The interface argument names an interface defined in the
           shorewall-interfaces[2](5) (shorewall6-interfaces[2](5)) file. A
           host-list is a comma-separated list whose elements are host or
           network addresses.

           Beginning with Shorewall 4.5.9, the dynamic_shared zone option
           (shorewall-zones[3](5), shorewall6-zones[3](5)) allows a single
           ipset to handle entries for multiple interfaces. When that option
           is specified for a zone, the delete command has the alternative
           syntax in which the zone name precedes the host-list.

       disable { interface | provider }
           Added in Shorewall 4.4.26. Disables the optional provider
           associated with the specified interface or provider. Where more
           than one provider shares a single network interface, a provider
           name must be given.

           Beginning with Shorewall 4.5.10, this command may be used with any
           optional network interface. interface may be either the logical or
           physical name of the interface. The command removes any routes
           added from shorewall-routes[4](5) (shorewall6-routes[4](5)) and
           any traffic shaping configuration for the interface.

       drop address
           Causes traffic from the listed addresses to be silently dropped.
           This command requires that the firewall be in the started state
           and that DYNAMIC_BLACKLIST=Yes in shorewall.conf[1](5).

       dump [-x] [-l] [-m] [-c]
           Produces a verbose report about the firewall configuration for the
           purpose of problem analysis.

           The -x option causes actual packet and byte counts to be
           displayed. Without that option, these counts are abbreviated.

           The -m option causes any MAC addresses included in Shorewall log
           messages to be displayed.

           The -l option causes the rule number for each Netfilter rule to be
           displayed.

           The -c option causes the route cache to be dumped in addition to
           the other routing information.

       enable { interface | provider }
           Added in Shorewall 4.4.26. Enables the optional provider
           associated with the specified interface or provider. Where more
           than one provider shares a single network interface, a provider
           name must be given.

           Beginning with Shorewall 4.5.10, this command may be used with any
           optional network interface. interface may be either the logical or
           physical name of the interface. The command sets /proc entries for
           the interface, adds any route specified in shorewall-routes[4](5)
           (shorewall6-routes[4](5)) and installs the interface's traffic
           shaping configuration, if any.

       export [ directory1 ] [ user@]system[:directory2 ]
           Not available with Shorewall[6]-lite.

           If directory1 is omitted, the current working directory is
           assumed.

           Allows a non-root user to compile a shorewall script and stage it
           on a system (provided that the user has access to the system via
           ssh). The command is equivalent to:

               /sbin/shorewall compile -e directory1 directory1/firewall &&\
               scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]

           In other words, the configuration in the specified (or defaulted)
           directory is compiled to a file called firewall in that directory.
           If compilation succeeds, then firewall and firewall.conf are
           copied to system using scp.

       forget [ filename ]
           Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save.
           If no filename is given then the file specified by RESTOREFILE in
           shorewall.conf[1](5) (shorewall6.conf[1](5)) is assumed.

       help
           Displays a syntax summary.

       hits [-t]
           Generates several reports from Shorewall log messages in the
           current log file. If the -t option is included, the reports are
           restricted to log messages generated today. Not available with
           Shorewall6[-lite].
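
           The blacklist and hits commands above are the two halves of a
           common reactive-blocking loop: hits summarises Shorewall log
           messages per source, and blacklist adds a source to the dynamic
           blacklist ipset with an optional timeout. The script below is an
           added example written for this page, not code from Shorewall or
           from this manpage. It extracts the SRC= field from DROP and REJECT
           log lines, blacklists every source seen at least THRESHOLD times,
           and refuses to block an operator-defined list of management hosts
           so that a noisy monitoring probe cannot lock you out. The log
           lines are constructed for the example, the NEVER_BLOCK list and
           the threshold and timeout values are assumptions, and it needs a
           DYNAMIC_BLACKLIST setting that begins with ipset, exactly as the
           blacklist command itself does.

```shell
#!/bin/sh
# Added example: reactive blacklisting driven by Shorewall log messages.
# Not Shorewall's own code. Requires a DYNAMIC_BLACKLIST=ipset... setting.

# Constructed sample log lines (not captured from a real system). Shorewall
# logs with the prefix Shorewall:<chain>:<disposition>: followed by the
# kernel's netfilter fields; SRC= is the field we key on.
LOG_SAMPLE='Jun  3 10:01:12 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=55123 DPT=22 SYN
Jun  3 10:01:13 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=55124 DPT=23 SYN
Jun  3 10:01:14 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=UDP SPT=4444 DPT=161
Jun  3 10:01:15 fw kernel: Shorewall:net-fw:REJECT:IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=40000 DPT=445 SYN
Jun  3 10:01:16 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=55125 DPT=3389 SYN
Jun  3 10:01:17 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.99 DST=203.0.113.10 PROTO=TCP SPT=40001 DPT=445 SYN
Jun  3 10:01:18 fw kernel: Shorewall:net-fw:ACCEPT:IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.10 PROTO=TCP SPT=50000 DPT=22 SYN
Jun  3 10:01:19 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.10 PROTO=UDP SPT=5000 DPT=161
Jun  3 10:01:20 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= SRC=203.0.113.1 DST=203.0.113.10 PROTO=UDP SPT=5001 DPT=161'

# Management hosts that must never be blocked (assumed values).
NEVER_BLOCK="203.0.113.1 192.0.2.100"

# offenders THRESHOLD: read log lines on stdin and print, one per line and
# sorted, every source address that was dropped or rejected at least
# THRESHOLD times. ACCEPT lines are ignored. Only a strictly dotted-decimal
# SRC= value is accepted, because the address is later placed on a command
# line and must not carry anything else from the log.
offenders() {
    awk -v t="$1" '
        /Shorewall:[^:]*:(DROP|REJECT):/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=[0-9.]+$/) { n[substr($i, 5)]++; break }
        }
        END { for (ip in n) if (n[ip] >= t) print ip }
    ' | LC_ALL=C sort
}

# is_exempt ADDRESS: true when ADDRESS is in NEVER_BLOCK.
is_exempt() {
    for e in $NEVER_BLOCK; do
        [ "$1" = "$e" ] && return 0
    done
    return 1
}

# blacklist_cmds THRESHOLD TIMEOUT: dry run; print the shorewall blacklist
# command for each offender. The timeout is passed through to ipset add,
# so 0 makes the entry permanent.
blacklist_cmds() {
    offenders "$1" | while read -r ip; do
        if is_exempt "$ip"; then
            printf '# skipping exempt host %s\n' "$ip"
        else
            printf 'shorewall blacklist %s timeout %s\n' "$ip" "$2"
        fi
    done
}

# apply_blacklist THRESHOLD TIMEOUT: same selection, but actually run the
# blacklist command on this firewall. Must run as root with Shorewall started.
apply_blacklist() {
    offenders "$1" | while read -r ip; do
        is_exempt "$ip" && continue
        shorewall blacklist "$ip" timeout "$2"
    done
}

# Dry run over the constructed sample: threshold 2, one-hour timeout.
printf '%s\n' "$LOG_SAMPLE" | blacklist_cmds 2 3600
```

           In production the input would be the file named by LOGFILE in
           shorewall.conf(5) rather than LOG_SAMPLE. After applying, confirm
           the entries with shorewall show bl, and reverse a mistaken block
           with shorewall allow address, both documented on this page.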

       ipcalc { address mask | address/vlsm }
           Ipcalc displays the network address, broadcast address, network in
           CIDR notation and netmask corresponding to the input[s]. Not
           available with Shorewall6[-lite].

       iprange address1-address2
           Iprange decomposes the specified range of IP addresses into the
           equivalent list of network/host addresses. Not available with
           Shorewall6[-lite].
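
           Both commands are bit arithmetic on the 32-bit address, and it
           helps to see that arithmetic written out. The script below is an
           added example written for this page, not Shorewall's own
           implementation: it reimplements ipcalc (either address/vlsm or
           address mask) and iprange in POSIX sh, validating the dotted-quad
           input and rejecting non-contiguous netmasks. The output labels and
           the choice to print single hosts without a /32 suffix are this
           example's own and may not match Shorewall's output byte for byte.
           It relies on the 64-bit arithmetic that dash and bash provide.

```shell
#!/bin/sh
# Added example: the arithmetic behind ipcalc and iprange, in POSIX sh.
# Not Shorewall's own code; output layout is this example's choice.

# ip2int A.B.C.D -> unsigned 32-bit integer; fails on a malformed address.
# Runs in a subshell so the IFS change does not leak to the caller.
ip2int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in *[!0-9]*|''|0?*) exit 1 ;; esac   # digits only, no leading 0
        [ "$o" -le 255 ] || exit 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# int2ip N -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# mask2vlsm 255.255.255.0 -> 24; rejects non-contiguous masks such as 255.0.255.0
mask2vlsm() {
    m=$(ip2int "$1") || return 1
    bits=0
    while [ "$bits" -lt 32 ] && [ $(( (m >> (31 - bits)) & 1 )) -eq 1 ]; do
        bits=$(( bits + 1 ))
    done
    [ "$m" -eq $(( (4294967295 << (32 - bits)) & 4294967295 )) ] || return 1
    echo "$bits"
}

# ipcalc ADDRESS/VLSM  or  ipcalc ADDRESS MASK
# Prints CIDR, NETMASK, NETWORK and BROADCAST, one per line.
ipcalc() {
    case $1 in
        */*) addr=${1%/*}; vlsm=${1#*/} ;;
        *)   addr=$1
             vlsm=$(mask2vlsm "$2") || { echo "bad mask: $2" >&2; return 1; } ;;
    esac
    a=$(ip2int "$addr") || { echo "bad address: $addr" >&2; return 1; }
    case $vlsm in *[!0-9]*|'') echo "bad prefix: $vlsm" >&2; return 1 ;; esac
    [ "$vlsm" -le 32 ] || { echo "bad prefix: $vlsm" >&2; return 1; }
    mask=$(( (4294967295 << (32 - vlsm)) & 4294967295 ))
    net=$(( a & mask ))
    bcast=$(( net | (~mask & 4294967295) ))
    printf 'CIDR=%s/%s\nNETMASK=%s\nNETWORK=%s\nBROADCAST=%s\n' \
        "$(int2ip "$net")" "$vlsm" "$(int2ip "$mask")" \
        "$(int2ip "$net")" "$(int2ip "$bcast")"
}

# iprange A-B -> the minimal list of CIDR blocks covering the range,
# single hosts printed without a /32 suffix.
iprange() {
    start=$(ip2int "${1%-*}") || { echo "bad range: $1" >&2; return 1; }
    end=$(ip2int "${1#*-}")   || { echo "bad range: $1" >&2; return 1; }
    [ "$start" -le "$end" ]   || { echo "bad range: $1" >&2; return 1; }
    while [ "$start" -le "$end" ]; do
        bits=32
        # Widen the block while it stays aligned at start and does not pass end.
        while [ "$bits" -gt 0 ]; do
            size=$(( 1 << (33 - bits) ))
            if [ $(( start & (size - 1) )) -ne 0 ] || [ $(( start + size - 1 )) -gt "$end" ]; then
                break
            fi
            bits=$(( bits - 1 ))
        done
        if [ "$bits" -eq 32 ]; then int2ip "$start"; else echo "$(int2ip "$start")/$bits"; fi
        start=$(( start + (1 << (32 - bits)) ))
    done
}

# Usage:
ipcalc 192.168.1.77/26
iprange 192.168.1.5-192.168.1.20
```

           The alignment test in iprange is the whole algorithm: a block of
           2^k addresses can start at start only if the low k bits of start
           are zero, and it is usable only if its last address is still
           inside the range. The largest k that passes both tests is the
           block to emit, after which start advances past it.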
532
533 iptrace iptables match expression
534 This is a low-level debugging command that causes iptables TRACE
535 log records to be created. See iptables(8) for details.
536
537 The iptables match expression must be one or more matches that may
538 appear in both the raw table OUTPUT and raw table PREROUTING
539 chains.
540
541 The log message destination is determined by the currently-selected
542 IPv4 or IPv6 logging backend[5].
543
544 list
545 list is a synonym for show -- please see below.
546
547 logdrop address
548 Causes traffic from the listed addresses to be logged then
549 discarded. Logging occurs at the log level specified by the
550 BLACKLIST_LOGLEVEL setting in shorewall.conf[1] (5)
551 (shorewall6.conf[1](5)). This command requires that the firewall be
552 in the started state and that DYNAMIC_BLACKLIST=Yes in
553 shorewall.conf (5)[1].
554
555 logwatch [-m] [ refresh-interval ]
556 Monitors the log file specified by the LOGFILE option in
557 shorewall.conf[1](5) (shorewall6.conf[1](5)) and produces an
558 audible alarm when new Shorewall messages are logged. The -m option
559 causes the MAC address of each packet source to be displayed if
560 that information is available. The refresh-interval specifies the
561 time in seconds between screen refreshes. You can enter a negative
562 number by preceding the number with "--" (e.g., shorewall logwatch
563 -- -30). In this case, when a packet count changes, you will be
564 prompted to hit any key to resume screen refreshes.
565
566 logreject address
567 Causes traffic from the listed addresses to be logged then
568 rejected. Logging occurs at the log level specified by the
569 BLACKLIST_LOGLEVEL setting in shorewall.conf[1] (5),
570 (shorewall6.conf[1](5)). This command requires that the firewall be
571 in the started state and that DYNAMIC_BLACKLIST=Yes in
572 shorewall.conf (5)[1].
573
574 ls
575 ls is a synonym for show -- please see below.
576
577 noiptrace iptables match expression
578 This is a low-level debugging command that cancels a trace started
579 by a preceding iptrace command.
580
581 The iptables match expression must be one given in the iptrace
582 command being canceled.
583
584 open source dest [ protocol [ port ] ]
585 Added in Shorewall 4.6.8. This command requires that the firewall
586 be in the started state and that DYNAMIC_BLACKLIST=Yes in
587 shorewall.conf (5)[1]. The effect of the command is to temporarily
588 open the firewall for connections matching the parameters.
589
590 The source and dest parameters may each be specified as all if you
591 don't wish to restrict the connection source or destination
592 respectively. Otherwise, each must contain a host or network
593 address or a valid DNS name.
594
595 The protocol may be specified either as a number or as a name
596 listed in /etc/protocols. The port may be specified numerically or
597 as a name listed in /etc/services.
598
599 To reverse the effect of a successful open command, use the close
600 command with the same parameters or simply restart the firewall.
601
602 Example: To open the firewall for SSH connections to address
603 192.168.1.1, the command would be:
604
605 shorewall open all 192.168.1.1 tcp 22
606
607 To reverse that command, use:
608
609 shorewall close all 192.168.1.1 tcp 22
610
611 reenable{ interface | provider }
612 Added in Shorewall 4.6.9. This is equivalent to a disable command
613 followed by an enable command on the specified interface or
614 provider.
615
616 reject address
617 Causes traffic from the listed addresses to be silently rejected.
618 This command requires that the firewall be in the started state and
619 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[1].
620
621 reload [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
622 This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0
623 reload command is now called remote-restart (see below).
624
625 Shorewall and Shorewall6
626 Reload is similar to shorewall start except that it assumes
627 that the firewall is already started. Existing connections are
628 maintained. If a directory is included in the command,
629 Shorewall will look in that directory first for configuration
630 files.
631
632 The -n option causes Shorewall to avoid updating the routing
633 table(s).
634
635 The -p option causes the connection tracking table to be
636 flushed; the conntrack utility must be installed to use this
637 option.
638
639 The -d option causes the compiler to run under the Perl
640 debugger.
641
642 The -f option suppresses the compilation step and simply reused
643 the compiled script which last started/restarted Shorewall,
644 provided that /etc/shorewall and its contents have not been
645 modified since the last start/restart.
646
647 The -c option was added in Shorewall 4.4.20 and performs the
648 compilation step unconditionally, overriding the AUTOMAKE
649 setting in shorewall.conf[1](5) (Shorewall and Shorewall6
650 only). When both -f and -c are present, the result is
651 determined by the option that appears last.
652
653 The -T option was added in Shorewall 4.5.3 and causes a Perl
654 stack trace to be included with each compiler-generated error
655 and warning message.
656
657 The -i option was added in Shorewall 4.6.0 and causes a warning
658 message to be issued if the current line contains alternative
659 input specifications following a semicolon (";"). Such lines
660 will be handled incorrectly if INLINE_MATCHES is set to Yes in
661 shorewall.conf[1](5) (shorewall6.conf[1](5))..
662
663 The -C option was added in Shorewall 4.6.5 and is only
664 meaningful when AUTOMAKE=Yes in shorewall.conf[1](5)
665 (shorewall6.conf[1](5)). If an existing firewall script is used
666 and if that script was the one that generated the current
667 running configuration, then the running netfilter configuration
668 will be reloaded as is so as to preserve the iptables packet
669 and byte counters.
670
671 The -D option was added in Shoewall 5.2.4 and causes the
672 compiler to write a large amount of debugging information to
673 standard output.
674
675 Shorewall-lite and Shorewall6-lite
676 Reload is similar to shorewall start except that it assumes
677 that the firewall is already started. Existing connections are
678 maintained.
679
680 The -n option causes Shorewall to avoid updating the routing
681 table(s).
682
683 The -p option causes the connection tracking table to be
684 flushed; the conntrack utility must be installed to use this
685 option.
686
687 The -C option was added in Shorewall 4.6.5 If the existing
688 firewall script is the one that generated the current running
689 configuration, then the running netfilter configuration will be
690 reloaded as is so as to preserve the iptables packet and byte
691 counters.
692
693 remote-getcaps [-R] [-r root-user-name] [ [ -D ] directory ] [ system ]
694 Added in Shoreall 5.2.0, this command executes shorewall[6]-lite
695 show capabilities -f > /var/lib/shorewall[6]-lite/capabilities on
696 the remote system via ssh then the generated file is copied to
697 directory on the local system. If no directory is given, the
698 current working directory is assumed.
699
700 if -R is included, the remote shorewallrc file is also copied to
701 directory.
702
703 If -r is included, it specifies that the root user on system is
704 named root-user-name rather than "root".
705
706 remote-getrc [-c] [-r root-user-name] [ [ -D ] directory ] [ system ]
707 Added in Shoreall 5.2.0, this command copies the shorewallrc file
708 from the remote system to directory on the local system. If no
709 directory is given, the current working directory is assumed.
710
711 if -c is included, the remote capabilities are also copied to
712 directory, as is done by the remote-getcaps command.
713
714 If -r is included, it specifies that the root user on system is
715 named root-user-name rather than "root".
716
717 remote-start [-n] [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
718 directory ] [ system ]
719 This command was renamed from load in Shorewall 5.0.0 and is only
720 available in Shorewall and Shoreawall6.
721
722 If directory is omitted, the current working directory is assumed.
723 Allows a non-root user to compile a shorewall script and install it
724 on a system (provided that the user has root access to the system
725 via ssh). The command is equivalent to:
726
727 /sbin/shorewall compile -e directory directory/firewall &&\
728 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
729 ssh root@system '/sbin/shorewall-lite start'
730
731 In other words, the configuration in the specified (or defaulted)
732 directory is compiled to a file called firewall in that directory.
733 If compilation succeeds, then firewall is copied to system using
734 scp. If the copy succeeds, Shorewall Lite on system is started via
735 ssh. Beginning with Shorewall 5.0.13, if system is omitted, then
736 the FIREWALL option setting in shorewall.conf[6](5)
737 (shorewall6.conf(5)[1]) is assumed. In that case, if you want to
738 specify a directory, then the -D option must be given.
739
740 The -n option causes Shorewall to avoid updating the routing
741 table(s).
742
743 If -s is specified and the start command succeeds, then the remote
744 Shorewall-lite configuration is saved by executing shorewall-lite
745 save via ssh.
746
747 if -c is included, the command shorewall[6]-lite show capabilities
748 -f > /var/lib/shorewall[6]-lite/capabilities is executed via ssh
749 then the generated file is copied to directory using scp. This step
750 is performed before the configuration is compiled.
751
752 If -r is included, it specifies that the root user on system is
753 named root-user-name rather than "root".
754
755 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
756 trace to be included with each compiler-generated error and warning
757 message.
758
759 remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
760 directory ] [ system ]
761 This command was added in Shorewall 5.0.0 and is only available in
762 Shorewall and Shorewall6.
763
764 If directory is omitted, the current working directory is assumed.
765 Allows a non-root user to compile a shorewall script and install it
766 on a system (provided that the user has root access to the system
767 via ssh). The command is equivalent to:
768
769 /sbin/shorewall compile -e directory directory/firewall &&\
770 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
771 ssh root@system '/sbin/shorewall-lite reload'
772
773 In other words, the configuration in the specified (or defaulted)
774 directory is compiled to a file called firewall in that directory.
775 If compilation succeeds, then firewall is copied to system using
776 scp. If the copy succeeds, Shorewall Lite on system is restarted
777 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
778 then the FIREWALL option setting in shorewall.conf[1](5)
779 (shorewall6.conf[1](5)) is assumed. In that case, if you want to
780 specify a directory, then the -D option must be given.
781
782 If -s is specified and the restart command succeeds, then the
783 remote Shorewall-lite configuration is saved by executing
784 shorewall-lite save via ssh.
785
786 If -c is included, the command shorewall-lite show capabilities -f
787 > /var/lib/shorewall-lite/capabilities is executed via ssh, then the
788 generated file is copied to directory using scp. This step is
789 performed before the configuration is compiled.
790
791 If -r is included, it specifies that the root user on system is
792 named root-user-name rather than "root".
793
794 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
795 trace to be included with each compiler-generated error and warning
796 message.
797
798 The -i option was added in Shorewall 4.6.0 and causes a warning
799 message to be issued if the current line contains alternative input
800 specifications following a semicolon (";"). Such lines will be
801 handled incorrectly if INLINE_MATCHES is set to Yes in
802 shorewall.conf[1](5) (shorewall6.conf[1](5)).
803
804 remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
805 directory ] [ system ]
806 This command was renamed from reload in Shorewall 5.0.0 and is
807 available in Shorewall and Shorewall6 only.
808
809 If directory is omitted, the current working directory is assumed.
810 Allows a non-root user to compile a shorewall script and install it
811 on a system (provided that the user has root access to the system
812 via ssh). The command is equivalent to:
813
814 /sbin/shorewall compile -e directory directory/firewall &&\
815 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
816 ssh root@system '/sbin/shorewall-lite restart'
817
818 In other words, the configuration in the specified (or defaulted)
819 directory is compiled to a file called firewall in that directory.
820 If compilation succeeds, then firewall is copied to system using
821 scp. If the copy succeeds, Shorewall Lite on system is restarted
822 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
823 then the FIREWALL option setting in shorewall.conf[1](5)
824 (shorewall6.conf[1](5)) is assumed. In that case, if you want to
825 specify a directory, then the -D option must be given.
826
827 If -s is specified and the restart command succeeds, then the
828 remote Shorewall-lite configuration is saved by executing
829 shorewall-lite save via ssh.
830
831 If -c is included, the command shorewall-lite show capabilities -f
832 > /var/lib/shorewall-lite/capabilities is executed via ssh, then the
833 generated file is copied to directory using scp. This step is
834 performed before the configuration is compiled.
835
836 If -r is included, it specifies that the root user on system is
837 named root-user-name rather than "root".
838
839 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
840 trace to be included with each compiler-generated error and warning
841 message.
842
843 The -i option was added in Shorewall 4.6.0 and causes a warning
844 message to be issued if the current line contains alternative input
845 specifications following a semicolon (";"). Such lines will be
846 handled incorrectly if INLINE_MATCHES is set to Yes in
847 shorewall.conf[1](5) (shorewall6.conf[1](5)).
848
849 reset [chain, ...]
850 Resets the packet and byte counters in the specified chain(s). If
851 no chain is specified, all the packet and byte counters in the
852 firewall are reset.
853
854 Beginning with Shorewall 5.0.0, chain may be composed of both a
855 table name and a chain name separated by a colon (e.g.,
856 mangle:PREROUTING). Chain names following that don't include a
857 table name are assumed to be in that same table. If no table name
858 is given in the command, the filter table is assumed.
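
The following POSIX shell function is an added example, not part of this man
page or of the Shorewall code. It applies the chain-list rules above (a
table:chain argument sets the table for the bare chain names that follow it,
filter is assumed until a table is named, and no arguments means every
counter) and prints the equivalent iptables -Z commands instead of running
them, so the expansion can be reviewed before counters are touched.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): expands the chain arguments of
# "shorewall reset" (Shorewall 5.0.0 and later) into one
# "iptables -t TABLE -Z CHAIN" command per chain, using the rules the page
# gives: "table:chain" names a table that also applies to the bare chain
# names that follow it, and the filter table is assumed until a table is
# named. With no arguments the counters of every table are zeroed. The
# commands are printed rather than executed so the expansion can be checked.

expand_reset() {
    if [ $# -eq 0 ]; then
        for table in filter mangle nat raw; do
            printf 'iptables -t %s -Z\n' "$table"
        done
        return 0
    fi
    table=filter
    for spec in "$@"; do
        case "$spec" in
            *:*) table=${spec%%:*}; chain=${spec#*:} ;;   # sets the table
            *)   chain=$spec ;;                            # inherits it
        esac
        case "$table" in
            filter|mangle|nat|raw) ;;
            *) echo "unknown table '$table' in '$spec'" >&2; return 1 ;;
        esac
        [ -n "$chain" ] || { echo "missing chain name in '$spec'" >&2; return 1; }
        printf 'iptables -t %s -Z %s\n' "$table" "$chain"
    done
}

# Example: expand_reset mangle:PREROUTING INPUT filter:FORWARD OUTPUT
```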
859
860 restart [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
861 Beginning with Shorewall 5.0.0, this command performs a true
862 restart. The firewall is completely stopped as if a stop command
863 had been issued then it is started again.
864
865 Shorewall and Shorewall6
866 If a directory is included in the command, Shorewall will look
867 in that directory first for configuration files.
868
869 The -n option causes Shorewall to avoid updating the routing
870 table(s).
871
872 The -p option causes the connection tracking table to be
873 flushed; the conntrack utility must be installed to use this
874 option.
875
876 The -d option causes the compiler to run under the Perl
877 debugger.
878
879 The -f option suppresses the compilation step and simply reuses
880 the compiled script which last started/restarted Shorewall,
881 provided that /etc/shorewall and its contents have not been
882 modified since the last start/restart.
883
884 The -c option was added in Shorewall 4.4.20 and performs the
885 compilation step unconditionally, overriding the AUTOMAKE
886 setting in shorewall.conf[1](5). When both -f and -c are
887 present, the result is determined by the option that appears
888 last.
889
890 The -T option was added in Shorewall 4.5.3 and causes a Perl
891 stack trace to be included with each compiler-generated error
892 and warning message.
893
894 The -i option was added in Shorewall 4.6.0 and causes a warning
895 message to be issued if the current line contains alternative
896 input specifications following a semicolon (";"). Such lines
897 will be handled incorrectly if INLINE_MATCHES is set to Yes in
898 shorewall.conf[1](5).
899
900 The -C option was added in Shorewall 4.6.5 and is only
901 meaningful when AUTOMAKE=Yes in shorewall.conf[1](5). If an
902 existing firewall script is used and if that script was the one
903 that generated the current running configuration, then the
904 running netfilter configuration will be reloaded as is so as to
905 preserve the iptables packet and byte counters.
906
907 The -D option was added in Shorewall 5.2.4 and causes the
908 compiler to write a large amount of debugging information to
909 standard output.
910
911 Shorewall-lite and Shorewall6-lite
912 The -n option causes Shorewall to avoid updating the routing
913 table(s).
914
915 The -p option causes the connection tracking table to be
916 flushed; the conntrack utility must be installed to use this
917 option.
918
919 The -C option was added in Shorewall 4.6.5. If the existing
920 firewall script is the one that generated the current running
921 configuration, then the running netfilter configuration will be
922 reloaded as is so as to preserve the iptables packet and byte
923 counters.
924
925 restore [-n] [-p] [-C] [ filename ]
926 Restore Shorewall to a state saved using the shorewall save
927 command. Existing connections are maintained. The filename names a
928 restore file in /var/lib/shorewall created using shorewall save; if
929 no filename is given then Shorewall will be restored from the file
930 specified by the RESTOREFILE option in shorewall.conf[1](5)
931 (shorewall6.conf[1](5)).
932
933 Caution
934 If your iptables ruleset depends on variables that are detected
935 at run-time, either in your params file or by
936 Shorewall-generated code, restore will use the values that were
937 current when the ruleset was saved, which may be different from
938 the current values.

939 The -n option causes Shorewall to avoid updating the routing
940 table(s).
941
942 The -p option, added in Shorewall 4.6.5, causes the connection
943 tracking table to be flushed; the conntrack utility must be
944 installed to use this option.
945
946 The -C option was added in Shorewall 4.6.5. If the -C option was
947 specified during shorewall save, then the counters saved by that
948 operation will be restored.
949
950 run command [ parameter ... ]
951 Added in Shorewall 4.6.3. Executes command in the context of the
952 generated script passing the supplied parameters. Normally, the
953 command will be a function declared in lib.private.
954
955 Before executing the command, the script will detect the
956 configuration, setting all SW_* variables and will run your init
957 extension script with $COMMAND = 'run'.
958
959 If there are files in the CONFIG_PATH that were modified after the
960 current firewall script was generated, the following warning
961 message is issued:
962 WARNING: /var/lib/shorewall/firewall is not up to date
964
965 safe-reload [-d] [-p] [-t timeout ] [ directory ]
966 Added in Shorewall 5.0.0, this command performs the same function
967 as did safe_restart in earlier releases. The command is available
968 in Shorewall and Shorewall6 only.
969
970 Only allowed if Shorewall is running. The current configuration is
971 saved in /var/lib/shorewall/safe-reload (see the save command
972 below) then a shorewall reload is done. You will then be prompted
973 asking if you want to accept the new configuration or not. If you
974 answer "n" or if you fail to answer within 60 seconds (such as when
975 your new configuration has disabled communication with your
976 terminal), the configuration is restored from the saved
977 configuration. If a directory is given, then Shorewall will look in
978 that directory first when opening configuration files.
979
980 Beginning with Shorewall 4.5.0, you may specify a different timeout
981 value using the -t option. The numeric timeout may optionally be
982 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
983 minutes or hours respectively. If the suffix is omitted, seconds is
984 assumed.
985
986 safe-restart [-d] [-p] [-t timeout ] [ directory ]
987 Only allowed if Shorewall[6] is running and is not available in
988 Shorewall-lite and Shorewall6-lite. The current configuration is
989 saved in /var/lib/shorewall/safe-restart (see the save command
990 below) then a shorewall restart is done. You will then be prompted
991 asking if you want to accept the new configuration or not. If you
992 answer "n" or if you fail to answer within 60 seconds (such as when
993 your new configuration has disabled communication with your
994 terminal), the configuration is restored from the saved
995 configuration. If a directory is given, then Shorewall will look in
996 that directory first when opening configuration files.
997
998 Beginning with Shorewall 4.5.0, you may specify a different timeout
999 value using the -t option. The numeric timeout may optionally be
1000 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1001 minutes or hours respectively. If the suffix is omitted, seconds is
1002 assumed.
1003
1004 safe-start [-d] [-p] [-t timeout ] [ directory ]
1005 Shorewall is started normally. You will then be prompted asking if
1006 everything went all right. If you answer "n" or if you fail to
1007 answer within 60 seconds (such as when your new configuration has
1008 disabled communication with your terminal), a shorewall clear is
1009 performed for you. If a directory is given, then Shorewall will
1010 look in that directory first when opening configuration files.
1011
1012 Beginning with Shorewall 4.5.0, you may specify a different timeout
1013 value using the -t option. The numeric timeout may optionally be
1014 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1015 minutes or hours respectively. If the suffix is omitted, seconds is
1016 assumed.
1017
1018 This command is available in Shorewall and Shorewall6 only.
1019
1020 save [-C] [ filename ]
1021 Creates a snapshot of the currently running firewall. The dynamic
1022 blacklist is stored in /var/lib/shorewall/save. The state of the
1023 firewall is stored in /var/lib/shorewall/filename for use by the
1024 shorewall restore command. If filename is not given then the state
1025 is saved in the file specified by the RESTOREFILE option in
1026 shorewall.conf[1](5) (shorewall6.conf[1](5)).
1027
1028 The -C option, added in Shorewall 4.6.5, causes the iptables packet
1029 and byte counters to be saved along with the chains and rules.
1030
1031 savesets
1032 Added in Shorewall 4.6.8. Performs the same action as the stop
1033 command with respect to saving ipsets (see the SAVE_IPSETS option
1034 in shorewall.conf[1](5) (shorewall6.conf[1](5)). This command may
1035 be used to proactively save your ipset contents in the event that a
1036 system failure occurs prior to issuing a stop command.
1037
1038 show
1039 The show command can have a number of different arguments:
1040
1041 action action
1042 Lists the named action file. Available on Shorewall and
1043 Shorewall6 only.
1044
1045 actions
1046 Produces a report about the available actions (built-in,
1047 standard and user-defined). Available on Shorewall and
1048 Shorewall6 only.
1049
1050 bl|blacklists [-x]
1051 Added in Shorewall 4.6.2. Displays the dynamic chain along with
1052 any chains produced by entries in shorewall-blrules(5). The -x
1053 option is passed directly through to iptables and causes actual
1054 packet and byte counts to be displayed. Without this option,
1055 those counts are abbreviated.
1056
1057 [-f] capabilities
1058 Displays your kernel/iptables capabilities. The -f option
1059 causes the display to be formatted as a capabilities file for
1060 use with compile -e.
1061
1062 [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [ chain... ]
1063 The rules in each chain are displayed using the iptables -L
1064 chain -n -v command. If no chain is given, all of the chains in
1065 the filter table are displayed. The -x option is passed
1066 directly through to iptables and causes actual packet and byte
1067 counts to be displayed. Without this option, those counts are
1068 abbreviated. The -t option specifies the Netfilter table to
1069 display. The default is filter.
1070
1071 The -b ('brief') option causes rules which have not been used
1072 (i.e. which have zero packet and byte counts) to be omitted
1073 from the output. Chains with no rules displayed are also
1074 omitted from the output.
1075
1076 The -l option causes the rule number for each Netfilter rule to
1077 be displayed.
1078
1079 If the -t option and the chain keyword are both omitted and any
1080 of the listed chains do not exist, a usage message is
1081 displayed.
1082
1083 classifiers|filters
1084 Displays information about the packet classifiers defined on
1085 the system as a result of traffic shaping configuration.
1086
1087 config
1088 Displays distribution-specific defaults.
1089
1090 connections [filter_parameter ...]
1091 Displays the IP connections currently being tracked by the
1092 firewall.
1093
1094 If the conntrack utility is installed, beginning with Shorewall
1095 4.6.11 the set of connections displayed can be limited by
1096 including conntrack filter parameters (-p, -s, --dport, etc.).
1097 See conntrack(8) for details.
1098
1099 event event
1100 Added in Shorewall 4.5.19. Displays the named event.
1101
1102 events
1103 Added in Shorewall 4.5.19. Displays all events.
1104
1105 ip
1106 Displays the system's IPv4 configuration.
1107
1108 ipa
1109 Added in Shorewall 4.4.17. Displays the per-IP accounting
1110 counters (shorewall-accounting[7](5),
1111 shorewall6-accounting[7](5)).
1112
1113 ipsec
1114 Added in Shorewall 5.1.0. Displays the contents of the IPSEC
1115 Security Policy Database (SPD) and Security Association
1116 Database (SAD). SAD keys are not displayed.
1117
1118 [-m] log
1119 Displays the last 20 Shorewall messages from the log file
1120 specified by the LOGFILE option in shorewall.conf[1](5)
1121 (shorewall6.conf[1](5)). The -m option causes the MAC address
1122 of each packet source to be displayed if that information is
1123 available.
1124
1125 macros
1126 Displays information about each macro defined on the firewall
1127 system (Shorewall and Shorewall6 only).
1128
1129 macro macro
1130 Added in Shorewall 4.4.6. Displays the file that implements the
1131 specified macro (usually /usr/share/shorewall/macro.macro).
1132 Available only in Shorewall and Shorewall6.
1133
1134 [-x] mangle
1135 Displays the Netfilter mangle table using the command iptables
1136 -t mangle -L -n -v. The -x option is passed directly through to
1137 iptables and causes actual packet and byte counts to be
1138 displayed. Without this option, those counts are abbreviated.
1139
1140 marks
1141 Added in Shorewall 4.4.26. Displays the various fields in
1142 packet marks giving the min and max value (in both decimal and
1143 hex) and the applicable mask (in hex).
1144
1145 [-x] nat
1146 Displays the Netfilter nat table using the command iptables -t
1147 nat -L -n -v. The -x option is passed directly through to
1148 iptables and causes actual packet and byte counts to be
1149 displayed. Without this option, those counts are abbreviated.
1150
1151 opens
1152 Added in Shorewall 4.5.8. Displays the iptables rules in the
1153 'dynamic' chain created through use of the open command.
1154
1155 policies
1156 Added in Shorewall 4.4.4. Displays the applicable policy
1157 between each pair of zones. Note that implicit intrazone ACCEPT
1158 policies are not displayed for zones associated with a single
1159 network where that network doesn't specify routeback.
1160
1161 rc
1162 Added in Shorewall 5.2.0. Displays the contents of
1163 $SHAREDIR/shorewall/shorewallrc.
1164
1165 [-c] routing
1166 Displays the system's IPv4 routing configuration. The -c option
1167 causes the route cache to be displayed along with the other
1168 routing information.
1169
1170 [-x] raw
1171 Displays the Netfilter raw table using the command iptables -t
1172 raw -L -n -v. The -x option is passed directly through to
1173 iptables and causes actual packet and byte counts to be
1174 displayed. Without this option, those counts are abbreviated.
1175
1176 saves
1177 Added in Shorewall 5.2.0. Lists snapshots created by the save
1178 command. Each snapshot is listed with the date and time when it
1179 was taken. If there is a snapshot with the name specified in
1180 the RESTOREFILE option in shorewall.conf[6](5), that snapshot
1181 is listed as the default snapshot for the restore command.
1182
1183 tc
1184 Displays information about queuing disciplines, classes and
1185 filters.
1186
1187 zones
1188 Displays the current composition of the Shorewall zones on the
1189 system.
1190
1191 start [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
1192
1193 Shorewall and Shorewall6
1194 Start shorewall[6]. Existing connections through shorewall
1195 managed interfaces are untouched. New connections will be
1196 allowed only if they are allowed by the firewall rules or
1197 policies. If a directory is included in the command, Shorewall
1198 will look in that directory first for configuration files. If
1199 -f is specified, the saved configuration specified by the
1200 RESTOREFILE option in shorewall.conf[1](5)
1201 (shorewall6.conf[1](5)) will be restored if that saved
1202 configuration exists and has been modified more recently than
1203 the files in /etc/shorewall. When -f is given, a directory may
1204 not be specified.
1205
1206 Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
1207 added to shorewall.conf[1](5) (shorewall6.conf[1](5)). When
1208 LEGACY_FASTSTART=No, the modification times of files in
1209 /etc/shorewall are compared with that of
1210 /var/lib/shorewall/firewall (the compiled script that last
1211 started/restarted the firewall).
1212
1213 The -n option causes Shorewall to avoid updating the routing
1214 table(s).
1215
1216 The -p option causes the connection tracking table to be
1217 flushed; the conntrack utility must be installed to use this
1218 option.
1219
1220 The -c option was added in Shorewall 4.4.20 and performs the
1221 compilation step unconditionally, overriding the AUTOMAKE
1222 setting in shorewall.conf[1](5) (shorewall6.conf[1](5)). When
1223 both -f and -c are present, the result is determined by the
1224 option that appears last.
1225
1226 The -T option was added in Shorewall 4.5.3 and causes a Perl
1227 stack trace to be included with each compiler-generated error
1228 and warning message.
1229
1230 The -i option was added in Shorewall 4.6.0 and causes a warning
1231 message to be issued if the current line contains alternative
1232 input specifications following a semicolon (";"). Such lines
1233 will be handled incorrectly if INLINE_MATCHES is set to Yes in
1234 shorewall.conf(5)[1] (shorewall6.conf[1](5)).
1235
1236 The -C option was added in Shorewall 4.6.5 and is only
1237 meaningful when the -f option is also specified. If the
1238 previously-saved configuration is restored, and if the -C
1239 option was also specified in the save command, then the packet
1240 and byte counters will be restored.
1241
1242 The -D option was added in Shorewall 5.2.4 and causes the
1243 compiler to write a large amount of debugging information to
1244 standard output.
1245
1246 Shorewall-lite and Shorewall6-lite
1247 Start Shorewall[6] Lite. Existing connections through
1248 shorewall[6]-lite managed interfaces are untouched. New
1249 connections will be allowed only if they are allowed by the
1250 firewall rules or policies.
1251
1252 The -p option causes the connection tracking table to be
1253 flushed; the conntrack utility must be installed to use this
1254 option.
1255
1256 The -n option prevents the firewall script from modifying the
1257 current routing configuration.
1258
1259 The -f option was added in Shorewall 4.6.5. If the RESTOREFILE
1260 named in shorewall.conf[6](5) exists, is executable and is not
1261 older than the current firewall script, then that saved
1262 configuration is restored.
1263
1264 The -C option was added in Shorewall 4.6.5 and is only
1265 meaningful when the -f option is also specified. If the
1266 previously-saved configuration is restored, and if the -C
1267 option was also specified in the save command, then the packet
1268 and byte counters will be restored.
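
The staleness test behind start -f, as an added POSIX shell example that is
not part of this man page or of the Shorewall code: it checks that the saved
configuration exists and is executable, and that no file in the
configuration directory is newer than the reference file, which is the
snapshot itself under LEGACY_FASTSTART=Yes and the compiled script under
LEGACY_FASTSTART=No. The path arguments and the function name are
assumptions made for the example; in practice they would be the
RESTOREFILE, /etc/shorewall and /var/lib/shorewall/firewall.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): the staleness test that decides
# whether "start -f" may restore the saved configuration instead of
# compiling, following the rules the page gives. All paths are parameters so
# the check can be run against scratch directories.
#
# fast_start_ok RESTOREFILE CONFDIR COMPILED_SCRIPT [LEGACY_FASTSTART]
#   RESTOREFILE      the snapshot written by "shorewall save"
#   CONFDIR          the configuration directory (/etc/shorewall)
#   COMPILED_SCRIPT  the script that last started the firewall
#                    (/var/lib/shorewall/firewall)
#   LEGACY_FASTSTART Yes (default): CONFDIR files are compared with
#                    RESTOREFILE; No: they are compared with COMPILED_SCRIPT.
# Returns 0 if the snapshot may be restored, 1 (with a reason on stderr)
# if a compile is required.
fast_start_ok() {
    saved=$1; confdir=$2; script=$3; legacy=${4:-Yes}

    [ -f "$saved" ] || { echo "refused: $saved does not exist" >&2; return 1; }
    # Shorewall-lite also insists that the snapshot is executable.
    [ -x "$saved" ] || { echo "refused: $saved is not executable" >&2; return 1; }

    case "$legacy" in
        [Nn]*) ref=$script ;;   # LEGACY_FASTSTART=No
        *)     ref=$saved ;;    # LEGACY_FASTSTART=Yes
    esac
    [ -f "$ref" ] || { echo "refused: $ref does not exist" >&2; return 1; }

    # Any configuration file modified after the reference file makes the
    # snapshot stale; one hit is enough to decide.
    stale=$(find "$confdir" -type f -newer "$ref" -print | head -n 1)
    if [ -n "$stale" ]; then
        echo "refused: $stale was modified after $ref" >&2
        return 1
    fi
    return 0
}

# Example: fast_start_ok /var/lib/shorewall/restore-default /etc/shorewall \
#              /var/lib/shorewall/firewall No && echo "restore is safe"
```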
1269
1270 stop
1271 Stops the firewall. All existing connections, except those listed
1272 in shorewall-stoppedrules[8](5) or permitted by the
1273 ADMINISABSENTMINDED option in shorewall.conf[1](5), are taken down.
1274 The only new traffic permitted through the firewall is from systems
1275 listed in shorewall-stoppedrules[8](5) or by ADMINISABSENTMINDED.
1276
1277 status [-i]
1278 Produces a short report about the state of the Shorewall-configured
1279 firewall.
1280
1281 The -i option was added in Shorewall 4.6.2 and causes the status of
1282 each optional or provider interface to be displayed.
1283
1284 try directory [ timeout ]
1285 This command is available in Shorewall and Shorewall6 only.
1286
1287 If Shorewall[6] is started then the firewall state is saved to a
1288 temporary saved configuration (/var/lib/shorewall/.try). Next, if
1289 Shorewall[6] is currently started then a restart command is issued
1290 using the specified configuration directory; otherwise, a start
1291 command is performed using the specified configuration directory.
1292 If an error occurs during the compilation phase of the restart or
1293 start, the command terminates without changing the Shorewall[6]
1294 state. If an error occurs during the restart phase, then a
1295 shorewall restore is performed using the saved configuration. If an
1296 error occurs during the start phase, then Shorewall is cleared. If
1297 the start/restart succeeds and a timeout is specified then a clear
1298 or restore is performed after timeout seconds.
1299
1300 Beginning with Shorewall 4.5.0, the numeric timeout may optionally
1301 be followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1302 minutes or hours respectively. If the suffix is omitted, seconds is
1303 assumed.
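
The snapshot, apply, confirm and roll-back sequence shared by safe-reload,
safe-restart, safe-start and try, as an added shell example that is not part
of this man page or of the Shorewall code. The save, apply and restore steps
are passed in as shell function names (in real use they would wrap shorewall
save, shorewall reload or restart, and shorewall restore); parse_timeout
implements the s, m and h suffixes described above, and any answer other
than an explicit yes within the timeout, including silence because the new
rules cut off the terminal, rolls back.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): the snapshot / apply / confirm /
# roll-back pattern that safe-reload, safe-restart, safe-start and try
# implement, written so it can be exercised without a live firewall.
# SAVE, APPLY and RESTORE are names of shell functions supplied by the
# caller (in real use they would wrap "shorewall save", "shorewall reload"
# and "shorewall restore"); ASK is the prompt function and defaults to
# ask_operator below.

# Convert a timeout in Shorewall's syntax ("30", "10s", "5m", "2h") to
# seconds. Prints the value; returns 1 for anything else.
parse_timeout() {
    t=$1
    num=${t%[smh]}                 # strip one trailing s, m or h
    case "$num" in
        ''|*[!0-9]*) return 1 ;;   # what is left must be digits only
    esac
    case "$t" in
        *m) echo $((num * 60)) ;;
        *h) echo $((num * 3600)) ;;
        *)  echo "$num" ;;         # bare number or explicit "s": seconds
    esac
}

# Prompt for a decision and print the answer. Silence (the terminal was cut
# off by the new rules, or the shell lacks read -t) prints nothing, which
# the caller treats as "roll back".
ask_operator() {
    printf 'Accept the new firewall configuration? [y/n] ' >&2
    answer=''
    read -r -t "$1" answer 2>/dev/null
    printf '%s' "$answer"
}

# safe_apply SAVE APPLY RESTORE [TIMEOUT] [ASK]
# Returns 0 when the new configuration was accepted, 1 when it was rolled
# back, 2 when the snapshot could not be taken or TIMEOUT is malformed.
safe_apply() {
    save=$1; apply=$2; restore=$3; ask=${5:-ask_operator}
    secs=$(parse_timeout "${4:-60}") || return 2   # 60 s is the page default
    "$save" || return 2               # no snapshot: refuse to touch anything
    if ! "$apply"; then               # apply failed: restore the snapshot
        "$restore"
        return 1
    fi
    case $("$ask" "$secs") in
        y|Y|yes|YES) return 0 ;;      # explicit acceptance within the timeout
        *) "$restore"; return 1 ;;    # "n", anything else, or no answer
    esac
}

# Example with real commands (hypothetical wrappers around shorewall):
#   do_save()    { shorewall save safe-reload; }
#   do_apply()   { shorewall reload; }
#   do_restore() { shorewall restore safe-reload; }
#   safe_apply do_save do_apply do_restore 5m
```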
1304
1305 update [-d] [-r] [-T] [-a] [-i] [-A] [ directory ]
1306 This command is available only in Shorewall and Shorewall6.
1307
1308 This command was added in Shorewall 4.4.21. It causes the compiler to update
1309 /etc/shorewall/shorewall.conf then validate the configuration. The
1310 update will add options not present in the old file with their
1311 default values, and will move deprecated options with non-defaults
1312 to a deprecated options section at the bottom of the file. Your
1313 existing shorewall.conf file is renamed shorewall.conf.bak.
1314
1315 The command was extended over the years with a set of options that
1316 caused additional configuration updates.
1317
1318 · Convert an existing blacklist file into an equivalent blrules
1319 file.
1320
1321 · Convert an existing routestopped file into an equivalent
1322 stoppedrules file.
1323
1324 · Convert existing tcrules and tos files into an equivalent
1325 mangle file.
1326
1327 · Convert an existing notrack file into an equivalent conntrack
1328 file.
1329
1330 · Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
1331 ?SECTION and ?COMMENT directives.
1332
1333 In each case, the old file is renamed with a .bak suffix.
1334
1335 In Shorewall 5.0.0, the options were eliminated and the update
1336 command performs all of the updates described above.
1337
1338 Important
1339 There are some notable restrictions with the update command:
1340
1341 1. Converted rules will be appended to the existing file; if
1342 there is no existing file in the CONFIG_PATH, one will be
1343 created in the directory specified in the command or,
1344 otherwise, in the first entry of the CONFIG_PATH (normally
1345 /etc/shorewall).
1346
1347 2. Existing comments in the file being converted will not be
1348 transferred to the output file.
1349
1350 3. With the exception of the notrack->conntrack conversion,
1351 INCLUDEd files will be expanded inline in the output file.
1352
1353 4. Columns in the output file will be separated by a single
1354 tab character; there is no attempt made to otherwise align
1355 the columns.
1356
1357 5. Prior to Shorewall 5.0.15, shell variables will be expanded
1358 in the output file.
1359
1360 6. Prior to Shorewall 5.0.15, lines omitted by compiler
1361 directives (?if ...., etc.) will not appear in the output
1362 file.
1363
1364 Important
1365 Because the translation of the 'blacklist' and
1366 'routestopped' files is not 1:1, omitted lines and
1367 compiler directives are not transferred to the
1368 converted files. If either are present, the compiler
1369 issues a warning:
1370
1371 WARNING: "Omitted rules and compiler directives were not translated

1372 The -a option causes the updated shorewall.conf file to be
1373 annotated with documentation.
1374
1375 The -i option was added in Shorewall 4.6.0 and causes a warning
1376 message to be issued if the current line contains alternative input
1377 specifications following a semicolon (";"). Such lines will be
1378 handled incorrectly if INLINE_MATCHES is set to Yes in
1379 shorewall.conf[1](5).
1380
1381 The -A option is included for compatibility with Shorewall 4.6 and
1382 is equivalent to specifying the -i option.
1383
1384 For a description of the other options, see the check command
1385 above.
1386
1387 version [-a]
1388 Displays Shorewall's version. The -a option is included for
1389 compatibility with earlier Shorewall releases and is ignored.
1390
1391 EXIT STATUS
1392 In general, when a command succeeds, status 0 is returned; when the
1393 command fails, a non-zero status is returned.
1394
1395 The status command returns exit status as follows:
1396
1397 0 - Firewall is started.
1398
1399 3 - Firewall is stopped or cleared
1400
1401 4 - Unknown state; usually means that the firewall has never been
1402 started.
1403
1404 ENVIRONMENT
1405 Two environmental variables are recognized by Shorewall:
1406
1407 SHOREWALL_INIT_SCRIPT
1408 When set to 1, causes standard output to be redirected to the file
1409 specified in the STARTUP_LOG option in shorewall.conf[6](5).
1410
1411 SW_LOGGERTAG
1412 Added in Shorewall 5.0.8. When set to a non-empty value, that value
1413 is passed to the logger utility in its -t (--tag) option.
1414
1415 FILES
1416 /etc/shorewall/*
1417
1418 /etc/shorewall6/*
1419
1420 SEE ALSO
1421 https://shorewall.org/starting_and_stopping_shorewall.htm[9]
1422 - Describes operational aspects of Shorewall.
1423 shorewall-files(5)[10] - Describes the various configuration files
1424 along with features and conventions common to those files.
1427 shorewall-names(5)[11] - Describes naming of objects within a
1428 Shorewall configuration.
1429 shorewall-addresses(5)[12] - Describes how to specify addresses
1430 within a Shorewall configuration.
1432 shorewall-exclusion(5)[13] - Describes how to exclude certain hosts
1433 and/or networks from matching a rule.
1436 shorewall-nesting(5)[14] - Describes how to nest one Shorewall zone
1437 inside another.
1438
1439 NOTES
1440 1. shorewall.conf
1441 https://shorewall.org/manpages//manpages/shorewall.conf.html
1442
1443 2. shorewall-interfaces
1444 https://shorewall.org/manpages//manpages/shorewall-interfaces.html
1445
1446 3. shorewall-zones
1447 https://shorewall.org/manpages//manpages/shorewall-zones.html
1448
1449 4. shorewall-routes
1450 https://shorewall.org/manpages//manpages/shorewall-routes.html
1451
1452 5. logging backend
1453 https://shorewall.org/manpages//shorewall_logging.html#Backends
1454
1455 6. shorewall.conf
1456 https://shorewall.org/manpages/shorewall.conf.html
1457
1458 7. shorewall-accounting
1459 https://shorewall.org/manpages//manpages/shorewall-accounting.html
1460
1461 8. shorewall-stoppedrules
1462 https://shorewall.org/manpages//manpages/shorewall-stoppedrules.html
1463
1464 9. https://shorewall.org/starting_and_stopping_shorewall.htm
1465 https://shorewall.org/manpages//starting_and_stopping_shorewall.htm
1466
1467 10. shorewall-files(5)
1468 https://shorewall.org/manpages/shorewall-files.html
1469
1470 11. shorewall-names(5)
1471 https://shorewall.org/manpages/shorewall-names.html
1472
1473 12. shorewall-addresses(5)
1474 https://shorewall.org/manpages/shorewall-addresses.html
1475
1476 13. shorewall-exclusion(5)
1477 https://shorewall.org/manpages/shorewall-exclusion.html
1478
1479 14. shorewall-nesting(5)
1480 https://shorewall.org/manpages/shorewall-nesting.html
1481
1482
1483
1484Administrative Commands 07/29/2020 SHOREWALL(8)