SHOREWALL6(8)                  [FIXME: manual]                  SHOREWALL6(8)



NAME
       shorewall6 - Administration tool for Shoreline Firewall 6 (Shorewall6)

SYNOPSIS
       shorewall6 [trace|debug [nolock]] [-options] add interface[:host-list]... zone

       shorewall6 [trace|debug [nolock]] [-options] allow address

       shorewall6 [trace|debug] [-options] check [-e] [-d] [-p] [-r] [-T] [directory]

       shorewall6 [trace|debug [nolock]] [-options] clear

       shorewall6 [trace|debug] [-options] compile [-e] [-d] [-p] [-T] [directory] [pathname]

       shorewall6 [trace|debug [nolock]] [-options] delete interface[:host-list]... zone

       shorewall6 [trace|debug [nolock]] [-options] drop address

       shorewall6 [trace|debug] [-options] dump [-x] [-l] [-m]

       shorewall6 [trace|debug [nolock]] [-options] export [directory1] [user@]system[:directory2]

       shorewall6 [trace|debug [nolock]] [-options] forget [filename]

       shorewall6 [trace|debug] [-options] help

       shorewall6 [trace|debug] [-options] iptrace ip6tables match expression

       shorewall6 [trace|debug] [-options] load [-s] [-c] [-r root-user-name] [directory] system

       shorewall6 [trace|debug [nolock]] [-options] logdrop address

       shorewall6 [trace|debug] [-options] logwatch [-m] [refresh-interval]

       shorewall6 [trace|debug [nolock]] [-options] logreject address

       shorewall6 [trace|debug] [-options] noiptrace ip6tables match expression

       shorewall6 [trace|debug [nolock]] [-options] refresh [chain...]

       shorewall6 [trace|debug [nolock]] [-options] reject address

       shorewall6 [trace|debug] [-options] reload [-s] [-c] [-r root-user-name] [directory] system

       shorewall6 [trace|debug [nolock]] [-options] reset [chain...]

       shorewall6 [trace|debug [nolock]] [-options] restart [-n] [-p] [-d] [-f] [-c] [directory]

       shorewall6 [trace|debug [nolock]] [-options] restore [filename]

       shorewall6 [trace|debug [nolock]] [-options] safe-restart [-d] [directory]

       shorewall6 [trace|debug] [-options] safe-start [-d] [directory]

       shorewall6 [trace|debug [nolock]] [-options] save [filename]

       shorewall6 [trace|debug] [-options] show [-x] [-l] [-t {filter|mangle|raw}] [[chain] chain...]

       shorewall6 [trace|debug] [-options] show [-f] capabilities

       shorewall6 [trace|debug] [-options] show {actions|classifiers|connections|config|filters|ip|macros|mangle|routing|zones}

       shorewall6 [trace|debug] [-options] show policies

       shorewall6 [trace|debug] [-options] show tc

       shorewall6 [trace|debug] [-options] show [-m] log

       shorewall6 [trace|debug [nolock]] [-options] start [-n] [-f [-c]] [directory]

       shorewall6 [trace|debug [nolock]] [-options] stop

       shorewall6 [trace|debug] [-options] status

       shorewall6 [trace|debug [nolock]] [-options] try directory [timeout]

       shorewall6 [trace|debug] [-options] update [-e] [-d] [-p] [-r] [-T] [-a] [directory]

       shorewall6 [trace|debug] [-options] version [-a]

DESCRIPTION
       The shorewall6 utility is used to control the Shoreline Firewall 6
       (Shorewall6).

       The trace and debug options are used for debugging. See
       http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace.

       The nolock option prevents the command from attempting to acquire the
       Shorewall6 lockfile. It is useful if you need to include shorewall6
       commands in /etc/shorewall6/started.

       The options control the amount of output that the command produces.
       They consist of a sequence of the letters v and q. If the options are
       omitted, the amount of output is determined by the setting of the
       VERBOSITY parameter in shorewall6.conf[1](5). Each v adds one to the
       effective verbosity and each q subtracts one from the effective
       VERBOSITY. Alternately, v may be followed immediately by one of -1, 0,
       1 or 2 to specify a VERBOSITY directly. There may be no white space
       between v and the VERBOSITY.

       The options may also include the letter t, which causes all progress
       messages to be timestamped.

COMMANDS
       The available commands are listed below.

       add
           Added in Shorewall 4.4.21. Adds a list of hosts or subnets to a
           dynamic zone, usually used with VPNs.

           The interface argument names an interface defined in the
           shorewall6-interfaces[2](5) file. A host-list is a comma-separated
           list whose elements are host or network addresses.

           Caution
               The add command is not very robust. If there are errors in the
               host-list, you may see a large number of error messages, yet a
               subsequent shorewall6 show zones command will indicate that all
               hosts were added. If this happens, replace add by delete and
               run the same command again. Then enter the correct command.

       allow
           Re-enables receipt of packets from hosts previously blacklisted by
           a drop, logdrop, reject, or logreject command.

       check
           Compiles the configuration in the specified directory and discards
           the compiled output script. If no directory is given, then
           /etc/shorewall6 is assumed.

           The -e option causes the compiler to look for a file named
           capabilities. This file is produced using the command
           shorewall6-lite show -f capabilities > capabilities on a system
           with Shorewall6 Lite installed.

           The -d option causes the compiler to be run under control of the
           Perl debugger.

           The -p option causes the compiler to be profiled via the Perl
           -wd:DProf command-line option.

           The -r option was added in Shorewall 4.5.2 and causes the compiler
           to print the generated ruleset to standard output.

           The -T option was added in Shorewall 4.4.20 and causes a Perl stack
           trace to be included with each compiler-generated error and warning
           message.

       clear
           Clear will remove all rules and chains installed by Shorewall6. The
           firewall is then wide open and unprotected. Existing connections
           are untouched. Clear is often used to see if the firewall is
           causing connection problems.

       compile
           Compiles the current configuration into the executable file
           pathname. If a directory is supplied, Shorewall6 will look in that
           directory first for configuration files. If the pathname is
           omitted, the file firewall in the VARDIR (normally
           /var/lib/shorewall6/) is assumed. A pathname of '-' causes the
           compiler to send the generated script to its standard output.
           Note that '-v-1' is usually specified in this case (e.g.,
           shorewall6 -v-1 compile -- -) to suppress the 'Compiling...'
           message normally generated by /sbin/shorewall6.

           When -e is specified, the compilation is being performed on a
           system other than where the compiled script will run. This option
           disables certain configuration options that require the script to
           be compiled where it is to be run. The use of -e requires the
           presence of a configuration file named capabilities, which may be
           produced using the command shorewall6-lite show -f capabilities >
           capabilities on a system with Shorewall6 Lite installed.

           The -d option causes the compiler to be run under control of the
           Perl debugger.

           The -p option causes the compiler to be profiled via the Perl
           -wd:DProf command-line option.

           The -T option was added in Shorewall 4.4.20 and causes a Perl stack
           trace to be included with each compiler-generated error and warning
           message.

       delete
           Added in Shorewall 4.4.21. The delete command reverses the effect
           of an earlier add command.

           The interface argument names an interface defined in the
           shorewall6-interfaces[2](5) file. A host-list is a comma-separated
           list whose elements are host or network addresses.

       drop
           Causes traffic from the listed addresses to be silently dropped.

       dump
           Produces a verbose report about the firewall configuration for the
           purpose of problem analysis.

           The -x option causes actual packet and byte counts to be displayed.
           Without that option, these counts are abbreviated. The -m option
           causes any MAC addresses included in Shorewall6 log messages to be
           displayed.

           The -l option causes the rule number for each Netfilter rule to be
           displayed.

       export
           If directory1 is omitted, the current working directory is assumed.

           Allows a non-root user to compile a shorewall6 script and stage it
           on a system (provided that the user has access to the system via
           ssh). The command is equivalent to:

               /sbin/shorewall6 compile -e directory1 directory1/firewall &&\
               scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]

           In other words, the configuration in the specified (or defaulted)
           directory is compiled to a file called firewall in that directory.
           If compilation succeeds, then firewall and firewall.conf are copied
           to system using scp.

       forget
           Deletes /var/lib/shorewall6/filename and /var/lib/shorewall6/save.
           If no filename is given then the file specified by RESTOREFILE in
           shorewall6.conf[1](5) is assumed.

       help
           Displays a syntax summary.

       iptrace
           This is a low-level debugging command that causes ip6tables TRACE
           log records to be created. See ip6tables(8) for details.

           The ip6tables match expression must be one or more matches that may
           appear in both the raw table OUTPUT and raw table PREROUTING
           chains.

           The trace records are written to the kernel's log buffer with
           facility = kernel and priority = warning, and they are routed from
           there by your logging daemon (syslogd, rsyslog, syslog-ng, ...).
           Shorewall has no control over where the messages go; consult your
           logging daemon's documentation.

       load
           If directory is omitted, the current working directory is assumed.
           Allows a non-root user to compile a shorewall6 script and install
           it on a system (provided that the user has root access to the
           system via ssh). The command is equivalent to:

               /sbin/shorewall6 compile -e directory directory/firewall &&\
               scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall6-lite/ &&\
               ssh root@system '/sbin/shorewall6-lite start'

           In other words, the configuration in the specified (or defaulted)
           directory is compiled to a file called firewall in that directory.
           If compilation succeeds, then firewall and firewall.conf are copied
           to system using scp. If the copy succeeds, Shorewall6 Lite on
           system is started via ssh.

           If -s is specified and the start command succeeds, then the remote
           Shorewall6 Lite configuration is saved by executing shorewall6-lite
           save via ssh.

           If -c is included, the command shorewall6-lite show capabilities -f
           > /var/lib/shorewall6-lite/capabilities is executed via ssh, then
           the generated file is copied to directory using scp. This step is
           performed before the configuration is compiled.

           If -r is included, it specifies that the root user on system is
           named root-user-name rather than "root".

       logdrop
           Causes traffic from the listed addresses to be logged, then
           discarded. Logging occurs at the log level specified by the
           BLACKLIST_LOGLEVEL setting in shorewall6.conf[1](5).

       logwatch
           Monitors the log file specified by the LOGFILE option in
           shorewall6.conf[1](5) and produces an audible alarm when new
           Shorewall6 messages are logged. The -m option causes the MAC
           address of each packet source to be displayed if that information
           is available. The refresh-interval specifies the time in seconds
           between screen refreshes. You can enter a negative number by
           preceding the number with "--" (e.g., shorewall6 logwatch -- -30).
           In this case, when a packet count changes, you will be prompted to
           hit any key to resume screen refreshes.

       logreject
           Causes traffic from the listed addresses to be logged, then
           rejected. Logging occurs at the log level specified by the
           BLACKLIST_LOGLEVEL setting in shorewall6.conf[1](5).

       noiptrace
           This is a low-level debugging command that cancels a trace started
           by a preceding iptrace command.

           The ip6tables match expression must be the one given in the iptrace
           command being cancelled.

       refresh
           All steps performed by restart are performed by refresh, with the
           exception that refresh only recreates the chains specified in the
           command while restart recreates the entire Netfilter ruleset. When
           no chain name is given to the refresh command, the mangle table is
           refreshed along with the blacklist chain (if any). This allows you
           to modify /etc/shorewall6/tcrules and install the changes using
           refresh.

           The listed chains are assumed to be in the filter table. You can
           refresh chains in other tables by prefixing the chain name with the
           table name followed by ":" (e.g., nat:net_dnat). Chain names which
           follow are assumed to be in that table until the end of the list or
           until an entry in the list names another table. Built-in chains
           such as FORWARD may not be refreshed.

           Example:

               shorewall6 refresh net2fw nat:net_dnat  #Refresh the 'net2fw' chain in the filter table and the 'net_dnat' chain in the nat table

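           The table-prefix rule for refresh is easy to misread: a "table:"
           prefix is sticky and applies to every bare chain name that follows
           it, not just to the name it is attached to. The following added
           example (not Shorewall's own code) implements that rule so a
           refresh argument list can be checked before it is run. It assumes
           the table names filter, mangle, raw and nat (which of them exist
           depends on the kernel) and the five built-in Netfilter chains
           named in the code; anything else is the manual's rule as stated
           above.

```python
"""Resolve the chain list accepted by `shorewall6 refresh` into (table, chain)
pairs, following the rule in the manual: a bare name is in the filter table, a
"table:chain" entry selects that table for itself and for every following bare
name until another "table:" prefix appears, and built-in chains may not be
refreshed.

Added example, not Shorewall's own code. Assumptions: the table names accepted
are filter, mangle, raw and nat (which of them exist depends on the kernel), and
the built-in chains are the five Netfilter ones named below.
"""

TABLES = {"filter", "mangle", "raw", "nat"}
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}


def resolve_refresh_chains(args):
    """Return [(table, chain), ...] for the argument list of a refresh command.

    Raises ValueError for an unknown table, an empty chain name, or a
    built-in chain, which the manual says may not be refreshed.
    """
    table = "filter"          # default until a "table:" prefix switches it
    resolved = []
    for arg in args:
        if ":" in arg:
            table, chain = arg.split(":", 1)   # switches the table for later args too
            if table not in TABLES:
                raise ValueError(f"unknown table {table!r} in {arg!r}")
        else:
            chain = arg
        if not chain:
            raise ValueError(f"empty chain name in {arg!r}")
        if chain in BUILTIN_CHAINS:
            raise ValueError(f"built-in chain {chain} may not be refreshed")
        resolved.append((table, chain))
    return resolved


def refresh_error(args):
    """Return the error message refresh would report for args, or None if valid."""
    try:
        resolve_refresh_chains(args)
    except ValueError as exc:
        return str(exc)
    return None


def show_commands(args):
    """The ip6tables -L commands (the form `shorewall6 show` uses) that display
    each chain a refresh of args would rebuild, for checking the result."""
    return [f"ip6tables -t {table} -L {chain} -n -v"
            for table, chain in resolve_refresh_chains(args)]


if __name__ == "__main__":
    for cmd in show_commands(["net2fw", "nat:net_dnat", "loc_dnat", "filter:fw2net"]):
        print(cmd)
```

           Run stand-alone, the script lists the four chains the sample
           argument list would rebuild; note that loc_dnat lands in the nat
           table because of the preceding nat: prefix, and that the list
           only returns to filter when filter: is named explicitly.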
       reject
           Causes traffic from the listed addresses to be rejected.

       reload
           If directory is omitted, the current working directory is assumed.
           Allows a non-root user to compile a shorewall6 script and install
           it on a system (provided that the user has root access to the
           system via ssh). The command is equivalent to:

               /sbin/shorewall6 compile -e directory directory/firewall &&\
               scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall6-lite/ &&\
               ssh root@system '/sbin/shorewall6-lite restart'

           In other words, the configuration in the specified (or defaulted)
           directory is compiled to a file called firewall in that directory.
           If compilation succeeds, then firewall and firewall.conf are copied
           to system using scp. If the copy succeeds, Shorewall6 Lite on
           system is restarted via ssh.

           If -s is specified and the restart command succeeds, then the
           remote Shorewall6 Lite configuration is saved by executing
           shorewall6-lite save via ssh.

           If -c is included, the command shorewall6-lite show capabilities -f
           > /var/lib/shorewall6-lite/capabilities is executed via ssh, then
           the generated file is copied to directory using scp. This step is
           performed before the configuration is compiled.

           If -r is included, it specifies that the root user on system is
           named root-user-name rather than "root".

       reset [chain...]
           Resets the packet and byte counters in the specified chain(s). If
           no chain is specified, all the packet and byte counters in the
           firewall are reset.

       restart
           Restart is similar to shorewall6 start except that it assumes that
           the firewall is already started. Existing connections are
           maintained. If a directory is included in the command, Shorewall6
           will look in that directory first for configuration files.

           The -n option causes Shorewall6 to avoid updating the routing
           table(s).

           The -p option causes the connection tracking table to be flushed;
           the conntrack utility must be installed to use this option.

           The -d option causes the compiler to run under the Perl debugger.

           The -f option suppresses the compilation step and simply reuses the
           compiled script which last started/restarted Shorewall6, provided
           that /etc/shorewall6 and its contents have not been modified since
           the last start/restart.

           The -c option was added in Shorewall 4.4.20 and performs the
           compilation step unconditionally, overriding the AUTOMAKE setting
           in shorewall6.conf[1](5). When both -f and -c are present, the
           result is determined by the option that appears last.

       restore
           Restore Shorewall6 to a state saved using the shorewall6 save
           command. Existing connections are maintained. The filename names a
           restore file in /var/lib/shorewall6 created using shorewall6 save;
           if no filename is given then Shorewall6 will be restored from the
           file specified by the RESTOREFILE option in shorewall6.conf[1](5).

       safe-restart
           Only allowed if Shorewall6 is running. The current configuration is
           saved in /var/lib/shorewall6/safe-restart (see the save command
           below), then a shorewall6 restart is done. You will then be
           prompted asking whether you want to accept the new configuration.
           If you answer "n", or if you fail to answer within 60 seconds (such
           as when your new configuration has disabled communication with
           your terminal), the configuration is restored from the saved
           configuration. If a directory is given, then Shorewall6 will look
           in that directory first when opening configuration files.

       safe-start
           Shorewall6 is started normally. You will then be prompted asking if
           everything went all right. If you answer "n", or if you fail to
           answer within 60 seconds (such as when your new configuration has
           disabled communication with your terminal), a shorewall6 clear is
           performed for you. If a directory is given, then Shorewall6 will
           look in that directory first when opening configuration files.

       save
           The dynamic blacklist is stored in /var/lib/shorewall6/save. The
           state of the firewall is stored in /var/lib/shorewall6/filename for
           use by the shorewall6 restore and shorewall6 -f start commands. If
           filename is not given then the state is saved in the file specified
           by the RESTOREFILE option in shorewall6.conf[1](5).

       show
           The show command can have a number of different arguments:

           actions
               Produces a report about the available actions (built-in,
               standard and user-defined).

           capabilities
               Displays your kernel/ip6tables capabilities. The -f option
               causes the display to be formatted as a capabilities file for
               use with compile -e.

           [ [ chain ] chain... ]
               The rules in each chain are displayed using the ip6tables -L
               chain -n -v command. If no chain is given, all of the chains in
               the filter table are displayed. The -x option is passed
               directly through to ip6tables and causes actual packet and byte
               counts to be displayed. Without this option, those counts are
               abbreviated. The -t option specifies the Netfilter table to
               display. The default is filter.

               The -l option causes the rule number for each Netfilter rule to
               be displayed.

               If the -t option and the chain keyword are both omitted and any
               of the listed chains do not exist, a usage message is
               displayed.

           classifiers|filters
               Displays information about the packet classifiers defined on
               the system as a result of traffic shaping configuration.

           config
               Displays distribution-specific defaults.

           connections
               Displays the IP connections currently being tracked by the
               firewall.

           ip
               Displays the system's IPv6 configuration.

           log
               Displays the last 20 Shorewall6 messages from the log file
               specified by the LOGFILE option in shorewall6.conf[1](5). The
               -m option causes the MAC address of each packet source to be
               displayed if that information is available.

           macros
               Displays information about each macro defined on the firewall
               system.

           mangle
               Displays the Netfilter mangle table using the command ip6tables
               -t mangle -L -n -v. The -x option is passed directly through to
               ip6tables and causes actual packet and byte counts to be
               displayed. Without this option, those counts are abbreviated.

           policies
               Added in Shorewall 4.4.4. Displays the applicable policy
               between each pair of zones. Note that implicit intrazone ACCEPT
               policies are not displayed for zones associated with a single
               network where that network doesn't specify routeback.

           routing
               Displays the system's IPv6 routing configuration.

           tc
               Displays information about queuing disciplines, classes and
               filters.

           zones
               Displays the current composition of the Shorewall6 zones on the
               system.

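           The logwatch command, show [-m] log and iptrace above all work on
           the same raw material: Netfilter log lines carrying either the
           "Shorewall:<chain>:<disposition>:" prefix that Shorewall6 puts on
           its own messages, or the kernel's "TRACE: <table>:<chain>:..."
           prefix, followed by the kernel's KEY=VALUE packet description. When
           those lines have been shipped off-box by the logging daemon,
           neither command is available, so the following added example (not
           Shorewall's own code) parses both forms, compresses the IPv6
           addresses, cuts the source MAC out of Netfilter's 14-octet MAC
           field (the information -m displays) and summarises drops and
           rejects per source and per destination port, plus the rule path a
           traced packet took. The prefix formats are as described on this
           page and in ip6tables(8); the log lines in SAMPLE_LOG are
           constructed for the example.

```python
"""Parse the Netfilter log lines that Shorewall6's logwatch, show log and
iptrace commands produce or display, and summarise them.

Added example, not Shorewall's own code. It assumes two prefixes: the one
Shorewall6 puts on its own messages with the default LOGFORMAT,
"Shorewall:<chain>:<disposition>:", and the kernel's TRACE prefix,
"TRACE: <table>:<chain>:<rule|policy|return>:<rulenum>". Both are followed by
the kernel's KEY=VALUE packet description (IN=, OUT=, MAC=, SRC=, DST=,
PROTO=, SPT=, DPT=, ...). The sample lines in SAMPLE_LOG are constructed.
"""
import ipaddress
import re
from collections import Counter

_SHOREWALL_RE = re.compile(
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<rest>.*)$")
_TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[^:\s]+):(?P<kind>rule|policy|return)"
    r":(?P<rulenum>\d+) (?P<rest>.*)$")

SAMPLE_LOG = """\
Sep 16 10:15:22 fw kernel: [ 1234.567890] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:00fe LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 16 10:15:23 fw kernel: [ 1235.001000] Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:00fe LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 16 10:15:24 fw kernel: [ 1236.002000] Shorewall:net2loc:REJECT:IN=eth0 OUT=eth1 MAC=00:16:3e:00:00:01:00:16:3e:00:00:03:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0002 DST=2001:0db8:0000:0001:0000:0000:0000:0010 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=1
Sep 16 10:15:25 fw sshd[2001]: Accepted publickey for admin from 2001:db8::5 port 40000 ssh2
Sep 16 10:16:01 fw kernel: [ 1300.000000] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:00fe LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 16 10:16:01 fw kernel: [ 1300.000100] TRACE: filter:net2fw:rule:5 IN=eth0 OUT= MAC=00:16:3e:00:00:01:00:16:3e:00:00:02:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0001 DST=2001:0db8:0000:0000:0000:0000:0000:00fe LEN=80 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=TCP SPT=51236 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""


def _add_packet_fields(rest, rec):
    """Add the kernel's KEY=VALUE fields to rec; bare tokens such as SYN or DF
    are collected under "flags". IPv6 addresses are compressed, and the source
    MAC is cut out of Netfilter's 14-octet MAC field (dst, src, ethertype)."""
    rec["flags"] = []
    for token in rest.split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
        else:
            rec["flags"].append(token)
    for key in ("SRC", "DST"):
        try:
            rec[key] = ipaddress.ip_address(rec[key]).compressed
        except (KeyError, ValueError):
            pass                       # absent or not an address: leave as logged
    octets = rec.get("MAC", "").split(":")
    rec["src_mac"] = ":".join(octets[6:12]) if len(octets) == 14 else None
    return rec


def parse_log_line(line):
    """Return a dict for a Shorewall6 or TRACE log line, or None for any other line."""
    m = _SHOREWALL_RE.search(line)
    if m:
        rec = {"type": "shorewall", "chain": m["chain"], "disposition": m["disposition"]}
        return _add_packet_fields(m["rest"], rec)
    m = _TRACE_RE.search(line)
    if m:
        rec = {"type": "trace", "table": m["table"], "chain": m["chain"],
               "kind": m["kind"], "rulenum": int(m["rulenum"])}
        return _add_packet_fields(m["rest"], rec)
    return None


def summarize(text):
    """Count Shorewall6 log messages per (disposition, source) and per
    destination port, and list the rule path traced packets took."""
    records = [r for r in map(parse_log_line, text.splitlines()) if r]
    logged = [r for r in records if r["type"] == "shorewall"]
    traced = [r for r in records if r["type"] == "trace"]
    return {
        "logged": len(logged),
        "by_source": Counter((r["disposition"], r.get("SRC")) for r in logged),
        "by_port": Counter((r.get("PROTO"), r["DPT"]) for r in logged if "DPT" in r),
        "trace_path": [f"{r['table']}:{r['chain']}:{r['kind']}:{r['rulenum']}" for r in traced],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (disposition, src), n in summary["by_source"].most_common():
        print(f"{n:4d} {disposition:7s} {src}")
    print("trace path:", " -> ".join(summary["trace_path"]))
```

           The two regular expressions anchor on the prefix rather than on
           the syslog header, so the same parser works on lines from
           /var/log/messages, from journalctl -k, or from a central log
           store, whichever the logging daemon wrote them to. A line that
           carries neither prefix (the sshd line in the sample) is ignored
           rather than misparsed, and a MAC field that is not the 14-octet
           Ethernet form yields src_mac None instead of a garbled address.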
       start
           Start Shorewall6. Existing connections through Shorewall6-managed
           interfaces are untouched. New connections will be allowed only if
           they are allowed by the firewall rules or policies. If a directory
           is included in the command, Shorewall6 will look in that directory
           first for configuration files. If -f is specified, the saved
           configuration specified by the RESTOREFILE option in
           shorewall6.conf[1](5) will be restored if that saved configuration
           exists and has been modified more recently than the files in
           /etc/shorewall6. When -f is given, a directory may not be
           specified.

           Update: In Shorewall6 4.4.20, a new LEGACY_FASTSTART option was
           added to shorewall6.conf[1](5). When LEGACY_FASTSTART=No, the
           modification times of files in /etc/shorewall6 are compared with
           that of /var/lib/shorewall6/firewall (the compiled script that last
           started/restarted the firewall).

           The -n option causes Shorewall6 to avoid updating the routing
           table(s).

           The -c option was added in Shorewall 4.4.20 and performs the
           compilation step unconditionally, overriding the AUTOMAKE setting
           in shorewall6.conf[1](5). When both -f and -c are present, the
           result is determined by the option that appears last.

       stop
           Stops the firewall. All existing connections, except those listed
           in shorewall6-routestopped[3](5) or permitted by the
           ADMINISABSENTMINDED option in shorewall6.conf[1](5), are taken
           down. The only new traffic permitted through the firewall is from
           systems listed in shorewall6-routestopped[3](5) or by
           ADMINISABSENTMINDED.

       status
           Produces a short report about the state of the
           Shorewall6-configured firewall.

       try
           If Shorewall6 is started then the firewall state is saved to a
           temporary saved configuration (/var/lib/shorewall6/.try). Next, if
           Shorewall6 is currently started then a restart command is issued;
           otherwise, a start command is performed. If an error occurs during
           the compilation phase of the restart or start, the command
           terminates without changing the Shorewall6 state. If an error
           occurs during the restart phase, then a shorewall6 restore is
           performed using the saved configuration. If an error occurs during
           the start phase, then Shorewall6 is cleared. If the start/restart
           succeeds and a timeout is specified then a clear or restore is
           performed after timeout seconds.

       update
           Added in Shorewall 4.4.21. Causes the compiler to update
           /etc/shorewall6/shorewall6.conf, then validate the configuration.
           The update will add options not present in the existing file with
           their default values, and will move deprecated options with
           non-default values to a deprecated options section at the bottom
           of the file. Your existing shorewall6.conf file is renamed
           shorewall6.conf.bak.

           The -a option causes the updated shorewall6.conf file to be
           annotated with documentation.

           For a description of the other options, see the check command
           above.

       version
           Displays Shorewall6's version. If the -a option is included, the
           version of Shorewall will also be displayed.

FILES
       /etc/shorewall6/

SEE ALSO
       http://www.shorewall.net/starting_and_stopping_shorewall.htm

       shorewall6-accounting(5), shorewall6-actions(5),
       shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
       shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
       shorewall6-providers(5), shorewall6-route_rules(5),
       shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
       shorewall6-secmarks(5), shorewall6-tcclasses(5),
       shorewall6-tcdevices(5), shorewall6-tcrules(5), shorewall6-tos(5),
       shorewall6-tunnels(5), shorewall6-zones(5)

NOTES
        1. shorewall6.conf
           http://www.shorewall.net/manpages6/shorewall6.conf.html

        2. shorewall6-interfaces
           http://www.shorewall.net/manpages6/shorewall6-interfaces.html

        3. shorewall6-routestopped
           http://www.shorewall.net/manpages6/shorewall6-routestopped.html



[FIXME: source]                   09/16/2011                     SHOREWALL6(8)