SHOREWALL-LITE(8)                                            SHOREWALL-LITE(8)

NAME
    shorewall-lite - Administration tool for Shoreline Firewall Lite
    (Shorewall-lite)

SYNOPSIS
    shorewall-lite [trace|debug [nolock]] [-options] allow address

    shorewall-lite [trace|debug [nolock]] [-options] clear

    shorewall-lite [trace|debug [nolock]] [-options] drop address

    shorewall-lite [trace|debug] [-options] dump [-x] [-m]

    shorewall-lite [trace|debug] [-options] forget [filename]

    shorewall-lite [trace|debug] [-options] help

    shorewall-lite [trace|debug] [-options] hits

    shorewall-lite [trace|debug] [-options] ipcalc {address mask | address/vlsm}

    shorewall-lite [trace|debug] [-options] iprange address1-address2

    shorewall-lite [trace|debug [nolock]] [-options] logdrop address

    shorewall-lite [trace|debug] [-options] logwatch [-m] [refresh-interval]

    shorewall-lite [trace|debug [nolock]] [-options] logreject address

    shorewall-lite [trace|debug [nolock]] [-options] reject address

    shorewall-lite [trace|debug [nolock]] [-options] restart [-n] [-p]

    shorewall-lite [trace|debug [nolock]] [-options] restore [filename]

    shorewall-lite [trace|debug [nolock]] [-options] save [filename]

    shorewall-lite [trace|debug] [-options] show [-x] [-t {filter|mangle|nat|raw}] [[chain] chain...]

    shorewall-lite [trace|debug] [-options] show [-f] capabilities

    shorewall-lite [trace|debug] [-options] show {actions|classifiers|connections|config|zones}

    shorewall-lite [trace|debug] [-options] show [-x] {mangle|nat}

    shorewall-lite [trace|debug] [-options] show tc

    shorewall-lite [trace|debug] [-options] show [-m] log

    shorewall-lite [trace|debug [nolock]] [-options] start [-n] [-f [-p]]

    shorewall-lite [trace|debug [nolock]] [-options] stop

    shorewall-lite [trace|debug] [-options] status

    shorewall-lite [trace|debug] [-options] version

DESCRIPTION
    The shorewall-lite utility is used to control the Shoreline Firewall
    (Shorewall) Lite.

OPTIONS
    The trace and debug options are used for debugging. See
    http://www.shorewall.net/starting_and_stopping.htm#Trace.

    The nolock option prevents the command from attempting to acquire the
    Shorewall Lite lockfile. It is useful if you need to include
    shorewall-lite commands in the started extension script.

    The options control the amount of output that the command produces.
    They consist of a sequence of the letters v and q. If the options are
    omitted, the amount of output is determined by the setting of the
    VERBOSITY parameter in shorewall.conf[1](5). Each v adds one to the
    effective verbosity and each q subtracts one from the effective
    VERBOSITY. Alternately, v may be followed immediately by one of
    -1,0,1,2 to specify a specific VERBOSITY. There may be no white space
    between v and the VERBOSITY.

    The options may also include the letter t, which causes all progress
    messages to be timestamped.

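    As an added example (not part of this man page or of the Shorewall
    project), the option syntax above can be worked through as a small
    parser: it applies the v and q letters to the VERBOSITY value from
    shorewall.conf, honours the v-1/v0/v1/v2 absolute form, records the t
    letter, and peels off an optional leading trace|debug [nolock]. The
    function names and the error handling are assumptions; only the letter
    semantics come from the page.

```python
# Added example, not part of the shorewall-lite man page or the Shorewall
# project. Only the v/q/t letters, the -1,0,1,2 absolute form and the
# trace|debug [nolock] prefix come from the man page; function names and
# error handling are assumptions.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "v" followed immediately (no whitespace) by -1, 0, 1 or 2 sets VERBOSITY
# outright instead of adding one to it.
_ABSOLUTE_V = re.compile(r"v(-1|0|1|2)")


@dataclass
class Options:
    verbosity: int      # effective VERBOSITY after applying the v/q letters
    timestamp: bool     # True when the t letter was present


def parse_options(words: List[str], base_verbosity: int) -> Tuple[Options, List[str]]:
    """Consume the leading -options words (e.g. ["-vv", "-t"]) and return the
    resulting Options plus the remaining words (the command and its arguments).
    base_verbosity is the VERBOSITY setting from shorewall.conf."""
    verbosity = base_verbosity
    timestamp = False
    rest = list(words)
    while rest and rest[0].startswith("-") and len(rest[0]) > 1:
        letters = rest.pop(0)[1:]
        i = 0
        while i < len(letters):
            m = _ABSOLUTE_V.match(letters, i)
            if m:                               # v-1, v0, v1 or v2
                verbosity = int(m.group(1))
                i = m.end()
                continue
            c = letters[i]
            if c == "v":
                verbosity += 1
            elif c == "q":
                verbosity -= 1
            elif c == "t":
                timestamp = True
            else:
                raise ValueError(f"unknown option letter {c!r} in -{letters}")
            i += 1
    return Options(verbosity, timestamp), rest


def parse_command_line(argv: List[str], base_verbosity: int):
    """Split a full shorewall-lite argument list into
    (trace/debug mode or None, nolock flag, Options, command words)."""
    words = list(argv)
    mode: Optional[str] = None
    nolock = False
    if words and words[0] in ("trace", "debug"):
        mode = words.pop(0)
        if words and words[0] == "nolock":
            nolock = True
            words.pop(0)
    opts, command = parse_options(words, base_verbosity)
    return mode, nolock, opts, command


if __name__ == "__main__":
    # Constructed sample: VERBOSITY=1 in shorewall.conf, then
    # "debug nolock -tv-1 restart -p". The -p belongs to restart, not to -options.
    print(parse_command_line(["debug", "nolock", "-tv-1", "restart", "-p"], 1))
```

    Note that the parser stops at the first word that does not begin with
    "-", so command-specific flags such as the -p of restart are left for the
    command to interpret.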
COMMANDS
    The available commands are listed below.

    add
        Adds a list of hosts or subnets to a dynamic zone, usually used with
        VPNs.

        The interface argument names an interface defined in the
        shorewall-interfaces[2](5) file. A host-list is a comma-separated
        list whose elements are a host or network address.

        Caution
            The add command is not very robust. If there are errors in the
            host-list, you may see a large number of error messages, yet a
            subsequent shorewall show zones command will indicate that all
            hosts were added. If this happens, replace add by delete and
            run the same command again. Then enter the correct command.

    allow
        Re-enables receipt of packets from hosts previously blacklisted by
        a drop, logdrop, reject, or logreject command.

    clear
        Clear will remove all rules and chains installed by Shorewall Lite.
        The firewall is then wide open and unprotected. Existing
        connections are untouched. Clear is often used to see if the
        firewall is causing connection problems.

    delete
        The delete command reverses the effect of an earlier add command.

        The interface argument names an interface defined in the
        shorewall-interfaces[2](5) file. A host-list is a comma-separated
        list whose elements are a host or network address.

    drop
        Causes traffic from the listed addresses to be silently dropped.

    dump
        Produces a verbose report about the firewall configuration for the
        purpose of problem analysis.

        The -x option causes actual packet and byte counts to be displayed.
        Without that option, these counts are abbreviated. The -m option
        causes any MAC addresses included in Shorewall Lite log messages to
        be displayed.

    forget
        Deletes /var/lib/shorewall-lite/filename and
        /var/lib/shorewall-lite/save. If no filename is given, then the file
        specified by RESTOREFILE in shorewall-lite.conf[3](5) is assumed.

    help
        Displays a syntax summary.

    hits
        Generates several reports from Shorewall Lite log messages in the
        current log file.

    ipcalc
        Ipcalc displays the network address, broadcast address, network in
        CIDR notation and netmask corresponding to the input[s].

    iprange
        Iprange decomposes the specified range of IP addresses into the
        equivalent list of network/host addresses.

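    As an added example (not part of this man page or of the Shorewall
    project), the calculations behind ipcalc and iprange can be reproduced
    with Python's ipaddress module, which is a convenient way to check what
    a given address/vlsm or address1-address2 argument expands to before
    using it in a rule. The function names and the output layout are
    assumptions; the page only states what each command computes.

```python
# Added example, not part of the shorewall-lite man page or the Shorewall
# project. Function names and output layout are assumptions.
import ipaddress
from typing import List, Optional, Tuple


def ipcalc(address: str, mask: Optional[str] = None) -> Tuple[str, str, str, str]:
    """Accept either "address/vlsm" or a separate address and dotted netmask
    (the two input forms shown in the SYNOPSIS) and return the network
    address, broadcast address, network in CIDR notation and netmask.
    strict=False masks off the host bits so a host address is accepted."""
    spec = address if mask is None else f"{address}/{mask}"
    net = ipaddress.ip_network(spec, strict=False)
    return (str(net.network_address), str(net.broadcast_address),
            str(net), str(net.netmask))


def iprange(spec: str) -> List[str]:
    """Decompose "address1-address2" into the shortest equivalent list of
    network (CIDR) and host addresses, as iprange does. Assumption: a block
    that covers a single address is shown as a bare host address."""
    first, sep, last = spec.partition("-")
    if not sep:
        raise ValueError("expected address1-address2")
    lo = ipaddress.ip_address(first.strip())
    hi = ipaddress.ip_address(last.strip())
    if hi < lo:
        raise ValueError("range end precedes range start")
    out: List[str] = []
    for net in ipaddress.summarize_address_range(lo, hi):
        if net.prefixlen == net.max_prefixlen:   # single host
            out.append(str(net.network_address))
        else:
            out.append(str(net))
    return out


if __name__ == "__main__":
    # Constructed sample inputs.
    print(ipcalc("192.168.1.10", "255.255.255.0"))
    print(ipcalc("10.0.0.130/25"))
    print(iprange("192.168.1.4-192.168.1.20"))
```

    Because a range such as 192.168.1.4-192.168.1.20 does not fall on a
    single CIDR boundary, iprange yields several blocks (a /30, a /29,
    another /30 and one host); the decomposition is what the firewall rules
    end up matching.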
    logdrop
        Causes traffic from the listed addresses to be logged, then
        discarded.

    logwatch
        Monitors the log file specified by the LOGFILE option in
        shorewall-lite.conf[3](5) and produces an audible alarm when new
        Shorewall Lite messages are logged. The -m option causes the MAC
        address of each packet source to be displayed if that information
        is available. The refresh-interval specifies the time in seconds
        between screen refreshes. You can enter a negative number by
        preceding the number with "--" (e.g., shorewall-lite logwatch --
        -30). In this case, when a packet count changes, you will be
        prompted to hit any key to resume screen refreshes.

    logreject
        Causes traffic from the listed addresses to be logged, then
        rejected.

    reset
        All the packet and byte counters in the firewall are reset.

    restart
        Restart is similar to shorewall-lite start but assumes that the
        firewall is already started. Existing connections are maintained.

        The -n option causes Shorewall to avoid updating the routing
        table(s).

        The -p option causes the connection tracking table to be flushed;
        the conntrack utility must be installed to use this option.

    restore
        Restore Shorewall Lite to a state saved using the shorewall-lite
        save command. Existing connections are maintained. The filename
        names a restore file in /var/lib/shorewall-lite created using
        shorewall-lite save; if no filename is given, then Shorewall Lite
        will be restored from the file specified by the RESTOREFILE option
        in shorewall-lite.conf[3](5).

    save
        The dynamic blacklist is stored in /var/lib/shorewall-lite/save.
        The state of the firewall is stored in
        /var/lib/shorewall-lite/filename for use by the shorewall-lite
        restore and shorewall-lite start -f commands. If filename is not
        given, then the state is saved in the file specified by the
        RESTOREFILE option in shorewall-lite.conf[3](5).

    show
        The show command can have a number of different arguments:

        actions
            Produces a report about the available actions (built-in,
            standard and user-defined).

        capabilities
            Displays your kernel/iptables capabilities. The -f option
            causes the display to be formatted as a capabilities file for
            use with compile -e.

        [ [ chain ] chain ... ]
            The rules in each chain are displayed using the iptables -L
            chain -n -v command. If no chain is given, all of the chains in
            the filter table are displayed. The -x option is passed
            directly through to iptables and causes actual packet and byte
            counts to be displayed. Without this option, those counts are
            abbreviated. The -t option specifies the Netfilter table to
            display. The default is filter.

            If the -t option and the chain keyword are both omitted and any
            of the listed chains do not exist, a usage message will be
            displayed.

        classifiers
            Displays information about the packet classifiers defined on
            the system as a result of traffic shaping configuration.

        config
            Displays distribution-specific defaults.

        connections
            Displays the IP connections currently being tracked by the
            firewall.

        mangle
            Displays the Netfilter mangle table using the command iptables
            -t mangle -L -n -v. The -x option is passed directly through to
            iptables and causes actual packet and byte counts to be
            displayed. Without this option, those counts are abbreviated.

        nat
            Displays the Netfilter nat table using the command iptables -t
            nat -L -n -v. The -x option is passed directly through to
            iptables and causes actual packet and byte counts to be
            displayed. Without this option, those counts are abbreviated.

        tc
            Displays information about queuing disciplines, classes and
            filters.

        zones
            Displays the current composition of the Shorewall Lite zones on
            the system.

    start
        Starts Shorewall Lite. Existing connections through shorewall-lite
        managed interfaces are untouched. New connections will be allowed
        only if they are allowed by the firewall rules or policies. If -f
        is specified, the saved configuration specified by the RESTOREFILE
        option in shorewall-lite.conf[3](5) will be restored if that saved
        configuration exists and has been modified more recently than the
        files in /etc/shorewall.

        The -n option causes Shorewall to avoid updating the routing
        table(s).

        The -p option causes the connection tracking table to be flushed;
        the conntrack utility must be installed to use this option.

    stop
        Stops the firewall. All existing connections, except those listed
        in shorewall-routestopped[4](5) or permitted by the
        ADMINISABSENTMINDED option in shorewall.conf(5), are taken down.
        The only new traffic permitted through the firewall is from systems
        listed in shorewall-routestopped[4](5) or by ADMINISABSENTMINDED.

    status
        Produces a short report about the state of the Shorewall-configured
        firewall.

    version
        Displays Shorewall-lite's version.

FILES
    /etc/shorewall-lite/

SEE ALSO
    http://www.shorewall.net/starting_and_stopping_shorewall.htm

    shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5),
    shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
    shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
    shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
    shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5),
    shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
    shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
    shorewall-tunnels(5), shorewall-zones(5)

NOTES
    1. shorewall.conf
       http://www.shorewall.net/manpages/shorewall.conf.html

    2. shorewall-interfaces
       http://www.shorewall.net/manpages/shorewall-interfaces.html

    3. shorewall-lite.conf
       http://www.shorewall.net/manpages/shorewall-lite.conf.html

    4. shorewall-routestopped
       http://www.shorewall.net/manpages/shorewall-routestopped.html

                                  09/16/2011                 SHOREWALL-LITE(8)