shorewall(8)                                                      shorewall(8)

NAME
       shorewall - Administration tool for Shoreline Firewall (Shorewall)

SYNOPSIS
       shorewall [trace|debug [nolock]] [-options] add interface[:host-list] ... zone
       shorewall [trace|debug [nolock]] [-options] allow address
       shorewall [trace|debug] [-options] check [-e] [-C {shell|perl}] [-d] [-p]
                 [directory]
       shorewall [trace|debug [nolock]] [-options] clear [-f]
       shorewall [trace|debug] [-options] compile [-e] [-C {shell|perl}] [-d] [-p]
                 [directory] pathname
       shorewall [trace|debug [nolock]] [-options] delete interface[:host-list] ...
                 zone
       shorewall [trace|debug [nolock]] [-options] drop address
       shorewall [trace|debug] [-options] dump [-x] [-m]
       shorewall [trace|debug] [-options] export [-C {shell|perl}] [directory1]
                 [user@]system[:directory2]
       shorewall [trace|debug [nolock]] [-options] forget [filename]
       shorewall [trace|debug] [-options] help
       shorewall [trace|debug] [-options] hits [-t]
       shorewall [trace|debug] [-options] ipcalc {address mask | address/vlsm}
       shorewall [trace|debug] [-options] iprange address1-address2
       shorewall [trace|debug] [-options] load [-s] [-c] [-r root-user-name]
                 [-C {shell|perl}] [directory] system
       shorewall [trace|debug [nolock]] [-options] logdrop address
       shorewall [trace|debug] [-options] logwatch [-m] [refresh-interval]
       shorewall [trace|debug [nolock]] [-options] logreject address
       shorewall [trace|debug [nolock]] [-options] refresh [chain ...]
       shorewall [trace|debug [nolock]] [-options] reject address
       shorewall [trace|debug] [-options] reload [-s] [-c] [-r root-user-name]
                 [-C {shell|perl}] [directory] system
       shorewall [trace|debug [nolock]] [-options] reset
       shorewall [trace|debug [nolock]] [-options] restart [-n] [-C {shell|perl}]
                 [directory]
       shorewall [trace|debug [nolock]] [-options] restore [filename]
       shorewall [trace|debug [nolock]] [-options] safe-restart [-C {shell|perl}]
                 [-d] [-p] [directory]
       shorewall [trace|debug [nolock]] [-options] safe-start [-C {shell|perl}]
                 [-d] [-p] [directory]
       shorewall [trace|debug [nolock]] [-options] save [filename]
       shorewall [trace|debug] [-options] show [-x] [-t {filter|mangle|nat|raw}]
                 [[chain] chain ...]
       shorewall [trace|debug] [-options] show [-f] capabilities
       shorewall [trace|debug] [-options] show
                 {actions|classifiers|connections|config|macros|zones}
       shorewall [trace|debug] [-options] show [-x] {mangle|nat}
       shorewall [trace|debug] [-options] show tc
       shorewall [trace|debug] [-options] show [-m] log
       shorewall [trace|debug [nolock]] [-options] start [-n] [-C {shell|perl}] [-f]
                 [directory]
       shorewall [trace|debug [nolock]] [-options] stop [-f]
       shorewall [trace|debug] [-options] status
       shorewall [trace|debug [nolock]] [-options] try [-C {shell|perl}] directory
                 [timeout]
       shorewall [trace|debug] [-options] version [-a]

DESCRIPTION
       The shorewall utility is used to control the Shoreline Firewall
       (Shorewall).

OPTIONS
       The trace and debug options are used for debugging. See
       ⟨http://www.shorewall.net/starting_and_stopping.htm#Trace⟩.

       The nolock option prevents the command from attempting to acquire the
       Shorewall lockfile. It is useful if you need to include shorewall
       commands in /etc/shorewall/started.

       The options control the amount of output that the command produces.
       They consist of a sequence of the letters v and q. If the options are
       omitted, the amount of output is determined by the setting of the
       VERBOSITY parameter in shorewall.conf ⟨shorewall.conf.html⟩ (5). Each v
       adds one to the effective VERBOSITY and each q subtracts one from it.
       Alternately, v may be followed immediately by one of -1, 0, 1 or 2 to
       specify a specific VERBOSITY. There may be no white space between v and
       the VERBOSITY.

       The options may also include the letter t, which causes all progress
       messages to be timestamped.
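
       As an added illustration (not part of this man page and not Shorewall's
       own code), the following POSIX shell function applies the rules above
       to compute the effective VERBOSITY from the shorewall.conf baseline and
       an -options string. The function name is an assumption made here, and
       the real shorewall script may validate or clamp the result differently.

```sh
# Added example, not Shorewall's own code: resolve the effective VERBOSITY
# from the shorewall.conf baseline and an -options string. Each v adds one,
# each q subtracts one, and v immediately followed by -1, 0, 1 or 2 sets the
# verbosity outright. A t only requests timestamps and leaves the level alone.
#
# Usage: effective_verbosity BASE OPTIONS    e.g. effective_verbosity 1 -qv
effective_verbosity() {
    base=$1
    opts=${2#-}                 # strip the leading dash: "-qv1" -> "qv1"
    level=$base
    while [ -n "$opts" ]; do
        c=${opts%"${opts#?}"}   # first remaining option letter
        opts=${opts#?}          # everything after it
        case $c in
            v)
                # an explicit level must follow v with no white space
                case $opts in
                    -1*) level=-1; opts=${opts#-1} ;;
                    0*)  level=0;  opts=${opts#0} ;;
                    1*)  level=1;  opts=${opts#1} ;;
                    2*)  level=2;  opts=${opts#2} ;;
                    *)   level=$((level + 1)) ;;
                esac
                ;;
            q) level=$((level - 1)) ;;
            t) ;;                # timestamp progress messages; no level change
            *) echo "effective_verbosity: unknown option letter '$c'" >&2
               return 1 ;;
        esac
    done
    echo "$level"
}

# Demonstration with constructed inputs (baseline VERBOSITY=1):
effective_verbosity 1 -vv      # -> 3
effective_verbosity 1 -qv2     # -> 2 (the explicit v2 wins over the q)
```

       The loop consumes one letter at a time so that an explicit level such
       as v-1 can be recognised only directly after a v, which is what "no
       white space between v and the VERBOSITY" amounts to in practice.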

COMMANDS
       The available commands are listed below.

       add     Adds a list of hosts or subnets to a dynamic zone, usually
               used with VPNs.

               The interface argument names an interface defined in the
               shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5) file. A
               host-list is a comma-separated list whose elements are host or
               network addresses.

               Caution
               The add command is not very robust. If there are errors in the
               host-list, you may see a large number of error messages, yet a
               subsequent shorewall show zones command will indicate that all
               hosts were added. If this happens, replace add by delete and
               run the same command again. Then enter the correct command.

       allow   Re-enables receipt of packets from hosts previously blacklisted
               by a drop, logdrop, reject, or logreject command.

       check   Compiles the configuration in the specified directory and
               discards the compiled output script. If no directory is given,
               then /etc/shorewall is assumed.

               The -e option causes the compiler to look for a file named
               capabilities. This file is produced using the command
               shorewall-lite show -f capabilities > capabilities on a system
               with Shorewall Lite installed.

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

               The -d option only works when the compiler is Shorewall-perl.
               It causes the compiler to be run under control of the Perl
               debugger.

               The -p option only works when the compiler is Shorewall-perl.
               It causes the compiler to be profiled via the Perl -wd:DProf
               command-line option.

       clear   Clear will remove all rules and chains installed by Shorewall.
               The firewall is then wide open and unprotected. Existing
               connections are untouched. Clear is often used to see if the
               firewall is causing connection problems.

               The -f option was added in Shorewall 4.0.3. If -f is given, the
               command will be processed by the compiled script that executed
               the last successful start, restart or refresh command, if that
               script exists.

       compile
               Compiles the current configuration into the executable file
               pathname. If a directory is supplied, Shorewall will look in
               that directory first for configuration files.

               When -e is specified, the compilation is being performed on a
               system other than the one where the compiled script will run.
               This option disables certain configuration options that
               require the script to be compiled where it is to be run. The
               use of -e requires the presence of a configuration file named
               capabilities, which may be produced using the command
               shorewall-lite show -f capabilities > capabilities on a system
               with Shorewall Lite installed.

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

               The -d option only works when the compiler is Shorewall-perl.
               It causes the compiler to be run under control of the Perl
               debugger.

               The -p option only works when the compiler is Shorewall-perl.
               It causes the compiler to be profiled via the Perl -wd:DProf
               command-line option.

       delete  The delete command reverses the effect of an earlier add
               command.

               The interface argument names an interface defined in the
               shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5) file. A
               host-list is a comma-separated list whose elements are host or
               network addresses.

       drop    Causes traffic from the listed addresses to be silently
               dropped.

       dump    Produces a verbose report about the firewall configuration for
               the purpose of problem analysis.

               The -x option causes actual packet and byte counts to be
               displayed. Without that option, these counts are abbreviated.
               The -m option causes any MAC addresses included in Shorewall
               log messages to be displayed.

       export  If directory1 is omitted, the current working directory is
               assumed.

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

               Allows a non-root user to compile a shorewall script and stage
               it on a system (provided that the user has access to the
               system via ssh). The command is equivalent to:

               /sbin/shorewall compile -e directory1 directory1/firewall &&\
               scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]

               In other words, the configuration in the specified (or
               defaulted) directory is compiled to a file called firewall in
               that directory. If compilation succeeds, then firewall and
               firewall.conf are copied to system using scp.

       forget  Deletes /var/lib/shorewall/filename and
               /var/lib/shorewall/save. If no filename is given then the file
               specified by RESTOREFILE in shorewall.conf
               ⟨shorewall.conf.html⟩ (5) is assumed.

       help    Displays a syntax summary.

       hits    Generates several reports from Shorewall log messages in the
               current log file. If the -t option is included, the reports
               are restricted to log messages generated today.

       ipcalc  Ipcalc displays the network address, broadcast address,
               network in CIDR notation and netmask corresponding to the
               input[s].

       iprange
               Iprange decomposes the specified range of IP addresses into
               the equivalent list of network/host addresses.
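
       The arithmetic behind ipcalc and iprange, reimplemented here as an
       added POSIX shell example. This is not Shorewall's own code: the
       function names, the one-line KEY=value output format and the
       restriction to IPv4 are assumptions made for the illustration.
       ipcalc_calc accepts either address/vlsm or address mask and rejects a
       non-contiguous netmask; iprange_calc decomposes address1 address2 into
       the minimal list of CIDR blocks, which is what "the equivalent list of
       network/host addresses" means in practice.

```sh
# Added example, not Shorewall's own code: IPv4 arithmetic behind the ipcalc
# and iprange commands in POSIX sh. Function names and output format are
# assumptions made here.

# Dotted quad -> 32-bit integer; rejects anything that is not four octets 0-255.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || { echo "bad IPv4 address" >&2; return 1; }
    for o in "$@"; do
        case $o in ''|*[!0-9]*) echo "bad IPv4 address" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "bad IPv4 address" >&2; return 1; }
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Prefix length -> netmask as an integer (0 for /0, 0xffffffff for /32).
vlsm2mask() {
    echo $(( ((1 << 32) - 1) & ~((1 << (32 - $1)) - 1) ))
}

# Dotted netmask -> prefix length; a mask with a hole in it is an error.
mask2vlsm() {
    m=$(ip2int "$1") || return 1
    n=0
    while [ $n -lt 32 ] && [ $(( (m >> (31 - n)) & 1 )) -eq 1 ]; do
        n=$((n + 1))
    done
    [ $(( m & ((1 << (32 - n)) - 1) )) -eq 0 ] ||
        { echo "ipcalc: non-contiguous netmask $1" >&2; return 1; }
    echo $n
}

# ipcalc_calc 192.168.1.37/27    or    ipcalc_calc 192.168.1.37 255.255.255.224
ipcalc_calc() {
    case $1 in
        */*) addr=${1%/*}; vlsm=${1#*/} ;;
        *)   addr=$1; vlsm=$(mask2vlsm "$2") || return 1 ;;
    esac
    case $vlsm in ''|*[!0-9]*) echo "ipcalc: bad prefix length '$vlsm'" >&2; return 1 ;; esac
    [ "$vlsm" -le 32 ] || { echo "ipcalc: bad prefix length $vlsm" >&2; return 1; }
    a=$(ip2int "$addr") || return 1
    mask=$(vlsm2mask "$vlsm")
    net=$(( a & mask ))
    bcast=$(( net | (((1 << 32) - 1) & ~mask) ))
    echo "CIDR=$(int2ip $net)/$vlsm NETMASK=$(int2ip $mask) NETWORK=$(int2ip $net) BROADCAST=$(int2ip $bcast)"
}

# iprange_calc 192.168.1.5 192.168.1.20 -> minimal CIDR blocks covering the range
iprange_calc() {
    lo=$(ip2int "$1") || return 1
    hi=$(ip2int "$2") || return 1
    [ $lo -le $hi ] || { echo "iprange: $1 is above $2" >&2; return 1; }
    out=""
    while [ $lo -le $hi ]; do
        # Widen the block while it stays aligned on lo and does not pass hi.
        v=32
        while [ $v -gt 0 ]; do
            size=$(( 1 << (33 - v) ))      # size of the block for prefix v-1
            if [ $(( lo % size )) -ne 0 ] || [ $(( lo + size - 1 )) -gt $hi ]; then
                break
            fi
            v=$((v - 1))
        done
        out="$out $(int2ip $lo)/$v"
        lo=$(( lo + (1 << (32 - v)) ))
    done
    echo "${out# }"
}

# Demonstration with constructed inputs:
ipcalc_calc 192.168.1.37/27
iprange_calc 192.168.1.5 192.168.1.20
```

       Both functions work on the integer form of the address, so the
       alignment test in iprange_calc is a single modulo and the broadcast
       address in ipcalc_calc is the network OR the inverted mask; the mask
       contiguity check is what stops a typo such as 255.0.255.0 from
       silently producing a meaningless network.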
221
222 load If directory is omitted, the current working directory is as‐
223 sumed. Allows a non-root user to compile a shorewall script and
224 install it on a system (provided that the user has root access
225 to the system via ssh). The command is equivalent to:
226
227 /sbin/shorewall compile -e directory directory/firewall &&\
228 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
229 ssh root@system '/sbin/shorewall-lite start'
230
231 In other words, the configuration in the specified (or default‐
232 ed) directory is compiled to a file called firewall in that di‐
233 rectory. If compilation succeeds, then firewall is copied to
234 system using scp. If the copy succeeds, Shorewall Lite on system
235 is started via ssh.
236
237 If -s is specified and the start command succeeds, then the re‐
238 mote Shorewall-lite configuration is saved by executing shore‐
239 wall-lite save via ssh.
240
241 if -c is included, the command shorewall-lite show capabilities
242 -f > /var/lib/shorewall-lite/capabilities is executed via ssh
243 then the generated file is copied to directory using scp. This
244 step is performed before the configuration is compiled.
245
246 If -r is included, it specifies that the root user on system is
247 named root-user-name rather than "root".
248
249 The -C option determines the compiler to use (Shorewall-shell or
250 Shorewall-perl). If not specified, the SHOREWALL_COMPILER set‐
251 ting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines the
252 compiler to use.
253
254 logdrop
255 Causes traffic from the listed addresses to be logged then dis‐
256 carded.
257
258 logwatch
259 Monitors the log file specified by the LOGFILE option in shore‐
260 wall.conf ⟨shorewall.conf.html⟩ (5) and produces an audible
261 alarm when new Shorewall messages are logged. The -m option
262 causes the MAC address of each packet source to be displayed if
263 that information is available. The refresh-interval specifies
264 the time in seconds between screen refreshes. You can enter a
265 negative number by preceding the number with "--" (e.g., shore‐
266 wall logwatch -- -30). In this case, when a packet count
267 changes, you will be prompted to hit any key to resume screen
268 refreshes.
269
270 logreject
271 Causes traffic from the listed addresses to be logged then re‐
272 jected.
273
274 refresh
275 Shorewall-shell: The rules involving the the black list, ECN
276 control rules, and traffic shaping are recreated to reflect any
277 changes made to your configuration files. Existing connections
278 are untouched.
279
280 Shorewall-perl: All steps performed by restart are performed by
281 refresh with the exception that refresh only recreates the
282 chains specified in the command while restart recreates the en‐
283 tire Netfilter ruleset. If no chain is given, the static black‐
284 listing chain blacklst is assumed.
285
286 Note: Specifying chains in the command requires Shorewall-perl
287 4.0.3 or later. Earlier versions only refresh the blacklst chain
288
289 The listed chains are assumed to be in the filter table. You can
290 refresh chains in other tables by prefixing the chain name with
291 the table name followed by ":" (e.g., nat:net_dnat). Chain names
292 which follow are assumed to be in that table until the end of
293 the list or until an entry in the list names another table.
294 Built-in chains such as FORWARD may not be refreshed.
295
296 Example:
297
298 shorewall refresh net2fw nat:net_dnat #Refresh the 'net2loc' chain in the filter table and the 'net_dnat' chain in the nat table
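
       To make the table-prefix rule concrete, here is an added POSIX shell
       example (not Shorewall's own code) that normalizes a refresh chain
       list the way the paragraph above describes: every chain is tagged with
       the table in effect, which is filter until a table:chain entry
       switches it; an empty list means blacklst; only the filter, mangle,
       nat and raw tables are accepted; and the Netfilter built-in chains are
       rejected. The function name and its messages are assumptions made
       here.

```sh
# Added example, not Shorewall's own code: expand the argument list of
# "shorewall refresh" into explicit table:chain pairs following the rules in
# the man page. Function name and messages are assumptions.
refresh_chain_list() {
    [ $# -gt 0 ] || set -- blacklst        # no chain given: the static blacklist chain
    table=filter                           # chains live in filter until told otherwise
    out=""
    for arg in "$@"; do
        case $arg in
            *:*)
                table=${arg%%:*}           # "nat:net_dnat" switches the table in effect
                chain=${arg#*:}            # ...for this and every following bare chain
                case $table in
                    filter|mangle|nat|raw) ;;
                    *) echo "refresh: unknown table '$table'" >&2; return 1 ;;
                esac
                ;;
            *)  chain=$arg ;;
        esac
        case $chain in
            '') echo "refresh: missing chain name in '$arg'" >&2; return 1 ;;
            INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING)
                echo "refresh: built-in chain $chain may not be refreshed" >&2
                return 1 ;;
        esac
        out="$out $table:$chain"
    done
    echo "${out# }"
}

# Demonstration with the man page's own example:
refresh_chain_list net2fw nat:net_dnat      # -> filter:net2fw nat:net_dnat
```

       Note that a bare chain name after nat:net_dnat is placed in the nat
       table, not in filter, so the order of the arguments matters: list the
       filter chains first, or prefix them explicitly with filter:.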

       reject  Causes traffic from the listed addresses to be silently
               rejected.

       reload  If directory is omitted, the current working directory is
               assumed. Allows a non-root user to compile a shorewall script
               and install it on a system (provided that the user has root
               access to the system via ssh). The command is equivalent to:

               /sbin/shorewall compile -e directory directory/firewall &&\
               scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
               ssh root@system '/sbin/shorewall-lite restart'

               In other words, the configuration in the specified (or
               defaulted) directory is compiled to a file called firewall in
               that directory. If compilation succeeds, then firewall is
               copied to system using scp. If the copy succeeds, Shorewall
               Lite on system is restarted via ssh.

               If -s is specified and the restart command succeeds, then the
               remote Shorewall-lite configuration is saved by executing
               shorewall-lite save via ssh.

               If -c is included, the command shorewall-lite show capabilities
               -f > /var/lib/shorewall-lite/capabilities is executed via ssh,
               then the generated file is copied to directory using scp. This
               step is performed before the configuration is compiled.

               If -r is included, it specifies that the root user on system is
               named root-user-name rather than "root".

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

       reset   All the packet and byte counters in the firewall are reset.

       restart
               Restart is similar to shorewall stop followed by shorewall
               start. Existing connections are maintained. If a directory is
               included in the command, Shorewall will look in that directory
               first for configuration files.

               The -n option causes Shorewall to avoid updating the routing
               table(s).

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

       restore
               Restore Shorewall to a state saved using the shorewall save
               command. Existing connections are maintained. The filename
               names a restore file in /var/lib/shorewall created using
               shorewall save; if no filename is given then Shorewall will be
               restored from the file specified by the RESTOREFILE option in
               shorewall.conf ⟨shorewall.conf.html⟩ (5).

       safe-restart
               Only allowed if Shorewall is running. The current configuration
               is saved in /var/lib/shorewall/safe-restart (see the save
               command below), then a shorewall restart is done. You will
               then be prompted asking if you want to accept the new
               configuration or not. If you answer "n" or if you fail to
               answer within 60 seconds (such as when your new configuration
               has disabled communication with your terminal), the
               configuration is restored from the saved configuration. If a
               directory is given, then Shorewall will look in that directory
               first when opening configuration files.

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

       safe-start
               Shorewall is started normally. You will then be prompted
               asking if everything went all right. If you answer "n" or if
               you fail to answer within 60 seconds (such as when your new
               configuration has disabled communication with your terminal),
               a shorewall clear is performed for you. If a directory is
               given, then Shorewall will look in that directory first when
               opening configuration files.

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

       save    The dynamic blacklist is stored in /var/lib/shorewall/save.
               The state of the firewall is stored in
               /var/lib/shorewall/filename for use by the shorewall restore
               and shorewall -f start commands. If filename is not given then
               the state is saved in the file specified by the RESTOREFILE
               option in shorewall.conf ⟨shorewall.conf.html⟩ (5).

       show    The show command can have a number of different arguments:

               actions
                       Produces a report about the available actions
                       (built-in, standard and user-defined).

               capabilities
                       Displays your kernel/iptables capabilities. The -f
                       option causes the display to be formatted as a
                       capabilities file for use with compile -e.

               [[chain] chain ...]
                       The rules in each chain are displayed using the
                       iptables -L chain -n -v command. If no chain is given,
                       all of the chains in the filter table are displayed.
                       The -x option is passed directly through to iptables
                       and causes actual packet and byte counts to be
                       displayed. Without this option, those counts are
                       abbreviated. The -t option specifies the Netfilter
                       table to display. The default is filter.

                       If the -t option and the chain keyword are both omitted
                       and any of the listed chains do not exist, a usage
                       message is displayed.

               classifiers
                       Displays information about the packet classifiers
                       defined on the system as a result of traffic shaping
                       configuration.

               config  Displays distribution-specific defaults.

               connections
                       Displays the IP connections currently being tracked by
                       the firewall.

               log     Displays the last 20 Shorewall messages from the log
                       file specified by the LOGFILE option in shorewall.conf
                       ⟨shorewall.conf.html⟩ (5). The -m option causes the MAC
                       address of each packet source to be displayed if that
                       information is available.

               macros  Displays information about each macro defined on the
                       firewall system.

               mangle  Displays the Netfilter mangle table using the command
                       iptables -t mangle -L -n -v. The -x option is passed
                       directly through to iptables and causes actual packet
                       and byte counts to be displayed. Without this option,
                       those counts are abbreviated.

               nat     Displays the Netfilter nat table using the command
                       iptables -t nat -L -n -v. The -x option is passed
                       directly through to iptables and causes actual packet
                       and byte counts to be displayed. Without this option,
                       those counts are abbreviated.

               tc      Displays information about queuing disciplines,
                       classes and filters.

               zones   Displays the current composition of the Shorewall
                       zones on the system.

       start   Start shorewall. Existing connections through shorewall
               managed interfaces are untouched. New connections will be
               allowed only if they are allowed by the firewall rules or
               policies. If a directory is included in the command, Shorewall
               will look in that directory first for configuration files. If
               -f is specified, the saved configuration specified by the
               RESTOREFILE option in shorewall.conf ⟨shorewall.conf.html⟩ (5)
               will be restored if that saved configuration exists and has
               been modified more recently than the files in /etc/shorewall.
               When -f is given, a directory may not be specified.

               The -n option causes Shorewall to avoid updating the routing
               table(s).

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

       stop    Stops the firewall. All existing connections, except those
               listed in shorewall-routestopped ⟨shorewall-routestopped.html⟩
               (5) or permitted by the ADMINISABSENTMINDED option in
               shorewall.conf ⟨shorewall.conf.html⟩ (5), are taken down. The
               only new traffic permitted through the firewall is from
               systems listed in shorewall-routestopped
               ⟨shorewall-routestopped.html⟩ (5) or by ADMINISABSENTMINDED.

               The -f option was added in Shorewall 4.0.3. If -f is given, the
               command will be processed by the compiled script that executed
               the last successful start, restart or refresh command, if that
               script exists.

       status  Produces a short report about the state of the
               Shorewall-configured firewall.

       try     If Shorewall is started then the firewall state is saved to a
               temporary saved configuration (/var/lib/shorewall/.try). Next,
               if Shorewall is currently started then a restart command is
               issued; otherwise, a start command is performed. If an error
               occurs during the compilation phase of the restart or start,
               the command terminates without changing the Shorewall state.
               If an error occurs during the restart phase, then a shorewall
               restore is performed using the saved configuration. If an
               error occurs during the start phase, then Shorewall is
               cleared. If the start/restart succeeds and a timeout is
               specified then a clear or restore is performed after timeout
               seconds.

               The -C option determines the compiler to use (Shorewall-shell
               or Shorewall-perl). If not specified, the SHOREWALL_COMPILER
               setting in shorewall.conf ⟨shorewall.conf.html⟩ (5) determines
               the compiler to use.

       version
               Displays Shorewall's version. If the -a option is included,
               the versions of Shorewall-shell and/or Shorewall-perl will
               also be displayed.

FILES
       /etc/shorewall/

SEE ALSO
       ⟨http://www.shorewall.net/starting_and_stopping_shorewall.htm⟩

       shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5),
       shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)



                                  19 May 2008                      shorewall(8)