SHOREWALL6-LITE(8)

shorewall6-lite - Administration tool for Shoreline Firewall 6 Lite
(Shorewall6-lite)

shorewall6-lite [trace|debug [nolock]] [-options] allow address

shorewall6-lite [trace|debug [nolock]] [-options] clear

shorewall6-lite [trace|debug [nolock]] [-options] drop address

shorewall6-lite [trace|debug] [-options] dump [-x] [-m]

shorewall6-lite [trace|debug] [-options] forget [filename]

shorewall6-lite [trace|debug] [-options] help

shorewall6-lite [trace|debug] [-options] hits

shorewall6-lite [trace|debug [nolock]] [-options] logdrop address

shorewall6-lite [trace|debug] [-options] logwatch [-m] [refresh-interval]

shorewall6-lite [trace|debug [nolock]] [-options] logreject address

shorewall6-lite [trace|debug [nolock]] [-options] reject address

shorewall6-lite [trace|debug [nolock]] [-options] restart [-n] [-p]

shorewall6-lite [trace|debug [nolock]] [-options] restore [filename]

shorewall6-lite [trace|debug [nolock]] [-options] save [filename]

shorewall6-lite [trace|debug] [-options] show [-x] [-t {filter|mangle|raw}] [[chain] chain...]

shorewall6-lite [trace|debug] [-options] show [-f] capabilities

shorewall6-lite [trace|debug] [-options] show {actions|classifiers|connections|config|zones}

shorewall6-lite [trace|debug] [-options] show [-x] mangle

shorewall6-lite [trace|debug] [-options] show tc

shorewall6-lite [trace|debug] [-options] show [-m] log

shorewall6-lite [trace|debug [nolock]] [-options] start [-n] [-p] [-f]

shorewall6-lite [trace|debug [nolock]] [-options] stop

shorewall6-lite [trace|debug] [-options] status

shorewall6-lite [trace|debug] [-options] version

The shorewall6-lite utility is used to control the Shoreline Firewall 6
(Shorewall6) Lite.

The trace and debug options are used for debugging. See
http://www.shorewall.net/starting_and_stopping.htm#Trace.

The nolock option prevents the command from attempting to acquire the
Shorewall6 Lite lockfile. It is useful if you need to include
shorewall6-lite commands in the started extension script.

The options control the amount of output that the command produces.
They consist of a sequence of the letters v and q. If the options are
omitted, the amount of output is determined by the setting of the
VERBOSITY parameter in shorewall6.conf[1](5). Each v adds one to the
effective verbosity and each q subtracts one from the effective
VERBOSITY. Alternately, v may be followed immediately with one of
-1,0,1,2 to specify a specific VERBOSITY. There may be no white space
between v and the VERBOSITY.

The options may also include the letter t which causes all progress
messages to be timestamped.

The available commands are listed below.

allow
    Re-enables receipt of packets from hosts previously blacklisted by
    a drop, logdrop, reject, or logreject command.

clear
    Clear will remove all rules and chains installed by Shorewall6
    Lite. The firewall is then wide open and unprotected. Existing
    connections are untouched. Clear is often used to see if the
    firewall is causing connection problems.

drop
    Causes traffic from the listed addresses to be silently dropped.

dump
    Produces a verbose report about the firewall configuration for the
    purpose of problem analysis.

    The -x option causes actual packet and byte counts to be displayed.
    Without that option, these counts are abbreviated. The -m option
    causes any MAC addresses included in Shorewall6 Lite log messages
    to be displayed.

forget
    Deletes /var/lib/shorewall6-lite/filename and
    /var/lib/shorewall6-lite/save. If no filename is given then the
    file specified by RESTOREFILE in shorewall6-lite.conf[2](5) is
    assumed.

help
    Displays a syntax summary.

hits
    Generates several reports from Shorewall6 Lite log messages in the
    current log file.

logdrop
    Causes traffic from the listed addresses to be logged then
    discarded.

logwatch
    Monitors the log file specified by the LOGFILE option in
    shorewall6-lite.conf[2](5) and produces an audible alarm when new
    Shorewall6 Lite messages are logged. The -m option causes the MAC
    address of each packet source to be displayed if that information
    is available. The refresh-interval specifies the time in seconds
    between screen refreshes. You can enter a negative number by
    preceding the number with "--" (e.g., shorewall6-lite logwatch --
    -30). In this case, when a packet count changes, you will be
    prompted to hit any key to resume screen refreshes.

logreject
    Causes traffic from the listed addresses to be logged then
    rejected.

reset
    All the packet and byte counters in the firewall are reset.

restart
    Restart is similar to shorewall6-lite stop followed by
    shorewall6-lite start. Existing connections are maintained.

    The -n option causes Shorewall6 to avoid updating the routing
    table(s).

    The -p option causes the connection tracking table to be flushed;
    the conntrack utility must be installed to use this option.

restore
    Restore Shorewall6 Lite to a state saved using the shorewall6-lite
    save command. Existing connections are maintained. The filename
    names a restore file in /var/lib/shorewall6-lite created using
    shorewall6-lite save; if no filename is given then Shorewall6 Lite
    will be restored from the file specified by the RESTOREFILE option
    in shorewall6-lite.conf[2](5).

save
    The dynamic blacklist is stored in /var/lib/shorewall6-lite/save.
    The state of the firewall is stored in
    /var/lib/shorewall6-lite/filename for use by the shorewall6-lite
    restore and shorewall6-lite -f start commands. If filename is not
    given then the state is saved in the file specified by the
    RESTOREFILE option in shorewall6-lite.conf[2](5).

show
    The show command can have a number of different arguments:

    actions
        Produces a report about the available actions (built-in,
        standard and user-defined).

    capabilities
        Displays your kernel/iptables capabilities. The -f option
        causes the display to be formatted as a capabilities file for
        use with compile -e.

    [ [ chain ] chain ... ]
        The rules in each chain are displayed using the ip6tables -L
        chain -n -v command. If no chain is given, all of the chains in
        the filter table are displayed. The -x option is passed
        directly through to iptables and causes actual packet and byte
        counts to be displayed. Without this option, those counts are
        abbreviated. The -t option specifies the Netfilter table to
        display. The default is filter.

        If the -t option and the chain keyword are both omitted and any
        of the listed chains do not exist, a usage message will be
        displayed.

    classifiers
        Displays information about the packet classifiers defined on
        the system as a result of traffic shaping configuration.

    config
        Displays distribution-specific defaults.

    connections
        Displays the IPv6 connections currently being tracked by the
        firewall.

    mangle
        Displays the Netfilter mangle table using the command ip6tables
        -t mangle -L -n -v. The -x option is passed directly through to
        iptables and causes actual packet and byte counts to be
        displayed. Without this option, those counts are abbreviated.

    tc
        Displays information about queuing disciplines, classes and
        filters.

    zones
        Displays the current composition of the Shorewall6 Lite zones
        on the system.

start
    Start Shorewall6 Lite. Existing connections through shorewall6-lite
    managed interfaces are untouched. New connections will be allowed
    only if they are allowed by the firewall rules or policies. If -f
    is specified, the saved configuration specified by the RESTOREFILE
    option in shorewall6-lite.conf[2](5) will be restored if that saved
    configuration exists and has been modified more recently than the
    files in /etc/shorewall6.

    The -n option causes Shorewall6 to avoid updating the routing
    table(s).

    The -p option causes the connection tracking table to be flushed;
    the conntrack utility must be installed to use this option.

stop
    Stops the firewall. All existing connections, except those listed
    in shorewall6-routestopped[3](5) or permitted by the
    ADMINISABSENTMINDED option in shorewall6.conf(5), are taken down.
    The only new traffic permitted through the firewall is from systems
    listed in shorewall6-routestopped[3](5) or by ADMINISABSENTMINDED.

status
    Produces a short report about the state of the
    Shorewall6-configured firewall.

version
    Displays Shorewall6-lite's version.

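One way to script the drop, logdrop, reject, logreject, allow and save commands described above when the address comes from untrusted input such as a parsed log line. This is an added example, not part of the Shorewall6 Lite distribution; the names SW6, is_ipv6_literal and blacklist are hypothetical, and the address check is a character allow-list rather than a full IPv6 parser.

```sh
#!/bin/sh
# Added example, not part of the Shorewall6 Lite distribution.
# SW6 is a hypothetical override so the helper can be dry-run without a firewall.
SW6=${SW6:-shorewall6-lite}

# Succeeds only if $1 is built from hex digits and colons (at least two colons),
# with an optional /0-128 prefix length. Anything else, including a leading "-"
# that could be read as an option, is refused. This is a character allow-list,
# not a full IPv6 parser; zone IDs and dotted IPv4 suffixes are also refused.
is_ipv6_literal() {
    case $1 in
        ''|*[!0-9A-Fa-f:/]*|*/*/*|*:::*) return 1 ;;
        *:*:*) ;;
        *) return 1 ;;
    esac
    case $1 in
        */*)
            plen=${1#*/}
            case $plen in ''|*[!0-9]*|????*) return 1 ;; esac
            [ "$plen" -le 128 ] || return 1
            ;;
    esac
    return 0
}

# blacklist ACTION ADDRESS
# ACTION is one of the dynamic blacklist commands documented above. After the
# change, "save" is run, which stores the dynamic blacklist in
# /var/lib/shorewall6-lite/save.
blacklist() {
    action=$1
    addr=$2
    case $action in
        drop|logdrop|reject|logreject|allow) ;;
        *) echo "unsupported action: $action" >&2; return 2 ;;
    esac
    is_ipv6_literal "$addr" || { echo "refusing address: $addr" >&2; return 2; }
    $SW6 "$action" "$addr" && $SW6 save
}

# Script usage with a constructed address from the 2001:db8::/32 documentation
# prefix:  sh blacklist.sh logdrop 2001:db8::bad
if [ $# -eq 2 ]; then
    blacklist "$@"
fi
```

Because save is called without a filename, it also rewrites the firewall state file named by RESTOREFILE, as described under save.
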
/etc/shorewall6-lite/

http://www.shorewall.net/starting_and_stopping_shorewall.htm[4]

shorewall6-accounting(5), shorewall6-actions(5),
shorewall6-blacklist(5), shorewall6-hosts(5), shorewall6-interfaces(5),
shorewall6-maclist(5), shorewall6-params(5), shorewall6-policy(5),
shorewall6-providers(5), shorewall6-route_rules(5),
shorewall6-routestopped(5), shorewall6-rules(5), shorewall6.conf(5),
shorewall6-tcclasses(5), shorewall6-tcdevices(5),
shorewall6-tcrules(5), shorewall6-tos(5), shorewall6-tunnels(5),
shorewall6-zones(5)

1. shorewall6.conf
   http://www.shorewall.net/manpages6/shorewall6.conf.html

2. shorewall6-lite.conf
   http://www.shorewall.net/manpages6/shorewall6-lite.conf.html

3. shorewall6-routestopped
   http://www.shorewall.net/manpages6/shorewall6-routestopped.html

4. http://www.shorewall.net/starting_and_stopping_shorewall.htm
   http://www.shorewall.net/starting_and_stopping_shorewall6.htm

09/16/2011 SHOREWALL6-LITE(8)