1SHOREWALL(8) Administrative Commands SHOREWALL(8)
2
6 shorewall - Administration tool for Shoreline Firewall (Shorewall)
7
9 shorewall[6][-lite] [trace|debug [nolock]] [options] add {
10 interface[:host-list]... zone | zone host-list }
11 shorewall[6][-lite] [trace|debug [nolock]] [options] allow address
13 shorewall[6][-lite] [trace|debug [nolock]] [options] blacklist
15 address [option ...]
16 shorewall[6][-lite] [trace|debug [nolock]] [options] call
18 function [parameter ...]
19 shorewall[6] [trace|debug] [options] [check | ck ] [-e] [-d] [-p] [-r]
21 [-T] [-i] [directory]
22 shorewall[6][-lite] [trace|debug [nolock]] [options] clear [-f]
24 shorewall[6][-lite] [trace|debug [nolock]] [options]
26 close { open-number | sourcedest [protocol [ port ]]}
27 shorewall[6] [trace|debug] [options] [compile | co ] [-e] [-c] [-d]
29 [-p] [-T] [-i] [directory] [pathname]
30 shorewall[6][-lite] [trace|debug [nolock]] [options] delete {
32 interface[:host-list]... zone | zone host-list }
33 shorewall[6][-lite] [trace|debug [nolock]] [options] disable
35 { interface | provider }
36 shorewall[6][-lite] [trace|debug [nolock]] [options] drop address
38 shorewall[6][-lite] [trace|debug] [options] dump [-x] [-l] [-m] [-c]
40 shorewall[6][-lite] [trace|debug [nolock]] [options] enable
42 { interface | provider }
43 shorewall[6] [trace|debug [nolock]] [options] export [directory1]
45 [user@]system[:directory2]
46 shorewall[6][-lite] [trace|debug [nolock]] [options] forget [filename]
48 shorewall[6][-lite] [trace|debug] [options] help
50 shorewall[-lite] [trace|debug] [options] hits [-t]
52 shorewall[-lite] [trace|debug] [options] ipcalc {address mask |
54 address/vlsm}
55 shorewall[-lite] [trace|debug] [options] iprange address1-address2
57 shorewall[6][-lite] [trace|debug] [options] iptrace
59 iptables match expression
60 shorewall[6][-lite] [trace|debug [nolock]] [options] logdrop address
62 shorewall[6][-lite] [trace|debug] [options] logwatch [-m]
64 [refresh-interval]
65 shorewall[6][-lite] [trace|debug [nolock]] [options] logreject address
67 shorewall[6][-lite] [trace|debug] [options] noiptrace
69 iptables match expression
70 shorewall[6][-lite] [options] open source dest [ protocol [ port ] ]
72 shorewall[6][-lite] [trace|debug [nolock]] [options] reenable
74 { interface | provider }
75 shorewall[6][-lite] [trace|debug [nolock]] [options] reject address
77 shorewall[6][-lite] [trace|debug [nolock]] [options] reload [-n]
79 [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
80 shorewall[6] [trace|debug] [options] remote-getcaps [-s] [-R]
82 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
83 shorewall[6] [trace|debug] [options] remote-getrc [-s] [-c]
85 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
86 shorewall[6] [trace|debug] [options] remote-start [-s] [-c]
88 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
89 shorewall[6] [trace|debug] [options] remote-reload [-s] [-c]
91 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
92 shorewall[6] [trace|debug] [options] remote-restart [-s] [-c]
94 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
95 shorewall[6][-lite] [trace|debug [nolock]] [options] reset [chain ...]
97 shorewall[6][-lite] [trace|debug [nolock]] [options] restart [-n]
99 [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
100 shorewall[6][-lite] [trace|debug [nolock]] [options]
102 restore [-n] [-p] [-C] [filename]
103 shorewall[6][-lite] [trace|debug [nolock]] [options] run command
105 [parameter ...]
106 shorewall[6] [trace|debug [nolock]] [options] safe-restart [-d] [-p]
108 [-t timeout] [directory]
109 shorewall[6] [trace|debug] [options] safe-start [-d] [-p] [-t timeout]
111 [directory]
112 shorewall[6][-lite] [trace|debug [nolock]] [options] save [-C]
114 [filename]
115 shorewall[6][-lite] [trace|debug [nolock]] [options] savesets
117 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x]
119 {bl|blacklists}
120 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-b]
122 [-x] [-l] [-t {filter|mangle|nat|raw}] [chain...]
123 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-f]
125 capabilities
126 shorewall[6] [options] {show | list | ls } [-f] {actions|macros}
128 shorewall[6] [trace|debug] [options] {show | list | ls } action action
130 shorewall[6][-lite] [trace|debug] [options] {show | list | ls }
132 {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}
133 shorewall[6][-lite] [trace|debug] [options] {show | list | ls }
135 event event
136 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-c]
138 routing
139 shorewall[6] [trace|debug] [options] {show | list | ls } macro macro
141 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x]
143 {mangle|nat|raw}
144 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } saves
146 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-m]
148 log
149 shorewall[6][-lite] [trace|debug [nolock]] [options] start [-n] [-f]
151 [-p] [-c] [-T [-i]] [-C] [directory]
152 shorewall[6][-lite] [trace|debug [nolock]] [options] stop [-f]
154 shorewall[6][-lite] [trace|debug] [options] status [-i]
156 shorewall[6] [trace|debug [nolock]] [options] try directory [timeout]
158 shorewall[6] [trace|debug] [options] update [-b] [-d] [-r] [-T] [-a]
160 [-i] [-A] [directory]
161 shorewall[6][-lite] [trace|debug] [options] version [-a]
163
165 Beginning with Shorewall 5.1.0, the shorewall utility is used to
166 control the Shoreline Firewall (Shorewall), Shorewall Firewall 6
167 (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall
168 Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under
169 four different names:
170 shorewall
172 Controls the Shorewall configuration when Shorewall is installed.
173 If Shorewall is not installed, the shorewall command controls
174 Shorewall-lite if it is installed. If neither Shorewall nor
175 Shorewall-lite is installed, the shorewall command controls
176 Shorewall6-lite if it is installed.
177 shorewall6
179 The shorewall6 command controls Shorewall6 when Shorewall6 is
180 installed.
181 shorewall-lite
183 The shorewall-lite command controls Shorewall-lite when
184 Shorewall-lite is installed.
185 shorewall6-lite
187 The shorewall6-lite command controls Shorewall6-lite when
188 Shorewall6-lite is installed.
189 Prior to Shorewall 5.1.0, these four commands were implemented as four
191 separate program, each of which controlled only a single firewall
192 package. This manpage serves to document both the Shorewall 5.1 and
193 Shorewall 5.0 CLI.
194
196 The trace and debug options are used for debugging. See
197 http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace[1].
198 The nolock option prevents the command from attempting to acquire the
200 Shorewall lockfile. It is useful if you need to include shorewall
201 commands in /etc/shorewall/started.
202 Other options are:
204 -4
206 Added in Shorewall 5.1.0. Causes the command to operate on the
207 Shorewall configuration or the Shorewall-lite configuration. It is
208 the default when either of those products is installed and when the
209 command is shorewall or shorewall-lite.
210 -6
212 Added in Shorewall 5.1.0. Causes the command to operate on the
213 Shorewall6 or Shorewall6-lite configuration. It is the default when
214 only Shorewall6-lite is installed and when the command is
215 shorewall6 or shorewall6-lite.
216 -l
218 Added in Shorewall 5.1.0. Causes the command to operate on either
219 Shorewall-lite or Shorewall-6 lite and is the default when
220 Shorewall is not installed or when the command is shorewall-lite or
221 shorewall6-lite.
222 With all four firewall products (Shorewall, Shorewall6,
224 Shorewall-lite and Shorewall6-lite) installed, the following table
225 shows the correspondence between the name used to invoke the
226 command and the shorewall command with the above three options.
227 Table 1. All four products installed
229 The next table shows the correspondence when only Shorewall-lite
230 and Shorewall6-lite are installed.
231 Table 2. Only Shorewall-lite and Shorewall6-lite installed
233 -v[verbosity]
234 Alters the amount of output produced by the command. If neither the
235 -v nor -q option are specified, the amount of output is determined
236 by the VERBOSITY setting in shorewall.conf[2](5)
237 (shorewall6.conf[3](5)).
238 When no verbosity is specified, each instance of this option causes
240 1 to be added to the effective verbosity. When verbosity (-1,0,1 or
241 2) is given, the command is executed at the specified VERBOSITY.
242 There may be no white-space between -v and the verbosity.
243 -q
245 Alters the amount of output produced by the command. If neither the
246 -v nor -q option are specified, the amount of output is determined
247 by the VERBOSITY setting in shorewall.conf[2](5)
248 (shorewall6.conf[3](5)).
249 Each instance of this option causes 1 to be subtracted from the
251 effective verbosity.
252 -t
254 Causes all progress messages to be timestamped.
255
257 The available commands are listed below.
258 add { interface[:host-list]... zone | zone host-list }
260 Adds a list of hosts or subnets to a dynamic zone usually used with
261 VPN's.
262 The interface argument names an interface defined in the
264 shorewall-interfaces[4](5) (shorewall6-interfaces[5](5))file. A
265 host-list is comma-separated list whose elements are host or
266 network addresses..if n .sp
267 Caution
268 The add command is not very robust. If there are errors in the
269 host-list, you may see a large number of error messages yet a
270 subsequent shorewall show zones command will indicate that all
271 hosts were added. If this happens, replace add by delete and
272 run the same command again. Then enter the correct command.
273 Beginning with Shorewall 4.5.9, the dynamic_shared zone option
275 (shorewall-zones[6](5),shorewall6-zones[7](5)) allows a single
276 ipset to handle entries for multiple interfaces. When that option
277 is specified for a zone, the add command has the alternative syntax
278 in which the zone name precedes the host-list.
279 allow address
281 Re-enables receipt of packets from hosts previously blacklisted by
282 a blacklist, drop, logdrop, reject, or logreject command.
283 blacklist address [ option ... ]
285 Added in Shorewall 5.0.8 and requires DYNAMIC_BLACKLIST=ipset.. in
286 shorewall.conf[2](5). Causes packets from the given host or network
287 address to be dropped, based on the setting of BLACKLIST in
288 shorewall.conf[2](5). The address along with any options are passed
289 to the ipset add command.
290 If the disconnect option is specified in the DYNAMIC_BLACKLISTING
292 setting, then the effective VERBOSITY determines the amount of
293 information displayed:
294 · If the effective verbosity is > 0, then a message giving the
296 number of conntrack flows deleted by the command is displayed.
297 · If the effective verbosity is > 1, then the conntrack table
299 entries deleted by the command are also displayed.
300 call function [ parameter ... ]
302 Added in Shorewall 4.6.10. Allows you to call a function in one of
303 the Shorewall libraries or in your compiled script. function must
304 name the shell function to be called. The listed parameters are
305 passed to the function.
306 The function is first searched for in lib.base, lib.common, lib.cli
308 and lib.cli-std. If it is not found, the call command is passed to
309 the generated script to be executed.
310 check [-e] [-d] [-p] [-r] [-T] [-i] [directory]
312 Not available with Shorewall[6]-lite.
313 Compiles the configuration in the specified directory and discards
315 the compiled output script. If no directory is given, then
316 /etc/shorewall is assumed.
317 The -e option causes the compiler to look for a file named
319 capabilities. This file is produced using the command
320 shorewall-lite show -f capabilities > capabilities on a system with
321 Shorewall Lite installed.
322 The -d option causes the compiler to be run under control of the
324 Perl debugger.
325 The -p option causes the compiler to be profiled via the Perl
327 -wd:DProf command-line option.
328 The -r option was added in Shorewall 4.5.2 and causes the compiler
330 to print the generated ruleset to standard out.
331 The -T option was added in Shorewall 4.4.20 and causes a Perl stack
333 trace to be included with each compiler-generated error and warning
334 message.
335 The -i option was added in Shorewall 4.6.0 and causes a warning
337 message to be issued if the current line contains alternative input
338 specifications following a semicolon (";"). Such lines will be
339 handled incorrectly if INLINE_MATCHES is set to Yes in
340 shorewall.conf[2](5) (shorewall6.conf[3](5)).
341 clear [-f]
343 Clear will remove all rules and chains installed by Shorewall. The
344 firewall is then wide open and unprotected. Existing connections
345 are untouched. Clear is often used to see if the firewall is
346 causing connection problems.
347 If -f is given, the command will be processed by the compiled
349 script that executed the last successful start, restart or reload
350 command if that script exists.
351 close { open-number | source dest [ protocol [ port ] ] }
353 Added in Shorewall 4.5.8. This command closes a temporary open
354 created by the open command. In the first form, an open-number
355 specifies the open to be closed. Open numbers are displayed in the
356 num column of the output of the shorewall show opens command.
357 When the second form of the command is used, the parameters must
359 match those given in the earlier open command.
360 This command requires that the firewall be in the started state and
362 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
363 compile [-e] [-c] [-d] [-p] [-T] [-i] [ directory ] [ pathname ]
365 Not available with shorewall[6]-lite.
366 Compiles the current configuration into the executable file
368 pathname. If a directory is supplied, Shorewall will look in that
369 directory first for configuration files. If the pathname is
370 omitted, the file firewall in the VARDIR (normally
371 /var/lib/shorewall/) is assumed. A pathname of '-' causes the
372 compiler to send the generated script to it's standard output file.
373 Note that '-v-1' is usually specified in this case (e.g., shorewall
374 -v-1 compile -- -) to suppress the 'Compiling...' message normally
375 generated by /sbin/shorewall.
376 When -e is specified, the compilation is being performed on a
378 system other than where the compiled script will run. This option
379 disables certain configuration options that require the script to
380 be compiled where it is to be run. The use of -e requires the
381 presence of a configuration file named capabilities which may be
382 produced using the command shorewall-lite show -f capabilities >
383 capabilities on a system with Shorewall Lite installed
384 The -c option was added in Shorewall 4.5.17 and causes conditional
386 compilation of a script. The script specified by pathname (or
387 implied if pathname is omitted) is compiled if it doesn't exist or
388 if there is any file in the directory or in a directory on the
389 CONFIG_PATH that has a modification time later than the file to be
390 compiled. When no compilation is needed, a message is issued and an
391 exit status of zero is returned.
392 The -d option causes the compiler to be run under control of the
394 Perl debugger.
395 The -p option causes the compiler to be profiled via the Perl
397 -wd:DProf command-line option.
398 The -T option was added in Shorewall 4.4.20 and causes a Perl stack
400 trace to be included with each compiler-generated error and warning
401 message.
402 The -i option was added in Shorewall 4.6.0 and causes a warning
404 message to be issued if the current line contains alternative input
405 specifications following a semicolon (";"). Such lines will be
406 handled incorrectly if INLINE_MATCHES is set to Yes in
407 shorewall.conf[2](5) (shorewall6.conf[3](5)).
408 delete { interface[:host-list]... zone | zone host-list }
410 The delete command reverses the effect of an earlier add command.
411 The interface argument names an interface defined in the
413 shorewall-interfaces[4](5) (shorewall6-interfaces[5](5) file. A
414 host-list is comma-separated list whose elements are a host or
415 network address.
416 Beginning with Shorewall 4.5.9, the dynamic_shared zone option
418 (shorewall-zones[6](5), shorewall6-zones[8](5)) allows a single
419 ipset to handle entries for multiple interfaces. When that option
420 is specified for a zone, the delete command has the alternative
421 syntax in which the zone name precedes the host-list.
422 disable { interface | provider }
424 Added in Shorewall 4.4.26. Disables the optional provider
425 associated with the specified interface or provider. Where more
426 than one provider share a single network interface, a provider name
427 must be given.
428 Beginning with Shorewall 4.5.10, this command may be used with any
430 optional network interface. interface may be either the logical or
431 physical name of the interface. The command removes any routes
432 added from shorewall-routes[9](5) (shorewall6-routes[10](5))and any
433 traffic shaping configuration for the interface.
434 drop address
436 Causes traffic from the listed addresses to be silently dropped.
437 This command requires that the firewall be in the started state and
438 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
439 dump [-x] [-l] [-m] [-c]
441 Produces a verbose report about the firewall configuration for the
442 purpose of problem analysis.
443 The -x option causes actual packet and byte counts to be displayed.
445 Without that option, these counts are abbreviated.
446 The -m option causes any MAC addresses included in Shorewall log
448 messages to be displayed.
449 The -l option causes the rule number for each Netfilter rule to be
451 displayed.
452 The -c option causes the route cache to be dumped in addition to
454 the other routing information.
455 enable { interface | provider }
457 Added in Shorewall 4.4.26. Enables the optional provider associated
458 with the specified interface or provider. Where more than one
459 provider share a single network interface, a provider name must be
460 given.
461 Beginning with Shorewall 4.5.10, this command may be used with any
463 optional network interface. interface may be either the logical or
464 physical name of the interface. The command sets /proc entries for
465 the interface, adds any route specified in shorewall-routes[9](5)
466 (shorewall6-routes[10](5)) and installs the interface's traffic
467 shaping configuration, if any.
468 export [ directory1 ] [ user@]system[:directory2 ]
470 Not available with Shorewall[6]-lite.
471 If directory1 is omitted, the current working directory is assumed.
473 Allows a non-root user to compile a shorewall script and stage it
475 on a system (provided that the user has access to the system via
476 ssh). The command is equivalent to:
477 /sbin/shorewall compile -e directory1 directory1/firewall &&\
479 scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]
480 In other words, the configuration in the specified (or defaulted)
482 directory is compiled to a file called firewall in that directory.
483 If compilation succeeds, then firewall and firewall.conf are copied
484 to system using scp.
485 forget [ filename ]
487 Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If
488 no filename is given then the file specified by RESTOREFILE in
489 shorewall.conf[2](5) (shorewall6.conf[3](5)) is assumed.
490 help
492 Displays a syntax summary.
493 hits [-t]
495 Generates several reports from Shorewall log messages in the
496 current log file. If the -t option is included, the reports are
497 restricted to log messages generated today. Not available with
498 Shorewall6[-lite].
499 ipcalc { address mask | address/vlsm }
501 Ipcalc displays the network address, broadcast address, network in
502 CIDR notation and netmask corresponding to the input[s]. Not
503 available with Shorewall6[-lite].
504 iprange address1-address2
506 Iprange decomposes the specified range of IP addresses into the
507 equivalent list of network/host addresses. Not available with
508 Shorewall6[-lite].
509 iptrace iptables match expression
511 This is a low-level debugging command that causes iptables TRACE
512 log records to be created. See iptables(8) for details.
513 The iptables match expression must be one or more matches that may
515 appear in both the raw table OUTPUT and raw table PREROUTING
516 chains.
517 The log message destination is determined by the currently-selected
519 IPv4 or IPv6 logging backend[11].
520 list
522 list is a synonym for show -- please see below.
523 logdrop address
525 Causes traffic from the listed addresses to be logged then
526 discarded. Logging occurs at the log level specified by the
527 BLACKLIST_LOGLEVEL setting in shorewall.conf[2] (5)
528 (shorewall6.conf[3](5)). This command requires that the firewall be
529 in the started state and that DYNAMIC_BLACKLIST=Yes in
530 shorewall.conf (5)[2].
531 logwatch [-m] [ refresh-interval ]
533 Monitors the log file specified by the LOGFILE option in
534 shorewall.conf[2](5) (shorewall6.conf[3](5)) and produces an
535 audible alarm when new Shorewall messages are logged. The -m option
536 causes the MAC address of each packet source to be displayed if
537 that information is available. The refresh-interval specifies the
538 time in seconds between screen refreshes. You can enter a negative
539 number by preceding the number with "--" (e.g., shorewall logwatch
540 -- -30). In this case, when a packet count changes, you will be
541 prompted to hit any key to resume screen refreshes.
542 logreject address
544 Causes traffic from the listed addresses to be logged then
545 rejected. Logging occurs at the log level specified by the
546 BLACKLIST_LOGLEVEL setting in shorewall.conf[2] (5),
547 (shorewall6.conf[3](5)). This command requires that the firewall be
548 in the started state and that DYNAMIC_BLACKLIST=Yes in
549 shorewall.conf (5)[2].
550 ls
552 ls is a synonym for show -- please see below.
553 noiptrace iptables match expression
555 This is a low-level debugging command that cancels a trace started
556 by a preceding iptrace command.
557 The iptables match expression must be one given in the iptrace
559 command being canceled.
560 open source dest [ protocol [ port ] ]
562 Added in Shorewall 4.6.8. This command requires that the firewall
563 be in the started state and that DYNAMIC_BLACKLIST=Yes in
564 shorewall.conf (5)[2]. The effect of the command is to temporarily
565 open the firewall for connections matching the parameters.
566 The source and dest parameters may each be specified as all if you
568 don't wish to restrict the connection source or destination
569 respectively. Otherwise, each must contain a host or network
570 address or a valid DNS name.
571 The protocol may be specified either as a number or as a name
573 listed in /etc/protocols. The port may be specified numerically or
574 as a name listed in /etc/services.
575 To reverse the effect of a successful open command, use the close
577 command with the same parameters or simply restart the firewall.
578 Example: To open the firewall for SSH connections to address
580 192.168.1.1, the command would be:
581 shorewall open all 192.168.1.1 tcp 22
583 To reverse that command, use:
585 shorewall close all 192.168.1.1 tcp 22
587 reenable{ interface | provider }
589 Added in Shorewall 4.6.9. This is equivalent to a disable command
590 followed by an enable command on the specified interface or
591 provider.
592 reject address
594 Causes traffic from the listed addresses to be silently rejected.
595 This command requires that the firewall be in the started state and
596 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
597 reload [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
599 This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0
600 reload command is now called remote-restart (see below).
601 Shorewall and Shorewall6
603 Reload is similar to shorewall start except that it assumes
604 that the firewall is already started. Existing connections are
605 maintained. If a directory is included in the command,
606 Shorewall will look in that directory first for configuration
607 files.
608 The -n option causes Shorewall to avoid updating the routing
610 table(s).
611 The -p option causes the connection tracking table to be
613 flushed; the conntrack utility must be installed to use this
614 option.
615 The -d option causes the compiler to run under the Perl
617 debugger.
618 The -f option suppresses the compilation step and simply reused
620 the compiled script which last started/restarted Shorewall,
621 provided that /etc/shorewall and its contents have not been
622 modified since the last start/restart.
623 The -c option was added in Shorewall 4.4.20 and performs the
625 compilation step unconditionally, overriding the AUTOMAKE
626 setting in shorewall.conf[2](5) (Shorewall and Shorewall6
627 only). When both -f and -c are present, the result is
628 determined by the option that appears last.
629 The -T option was added in Shorewall 4.5.3 and causes a Perl
631 stack trace to be included with each compiler-generated error
632 and warning message.
633 The -i option was added in Shorewall 4.6.0 and causes a warning
635 message to be issued if the current line contains alternative
636 input specifications following a semicolon (";"). Such lines
637 will be handled incorrectly if INLINE_MATCHES is set to Yes in
638 shorewall.conf[2](5) (shorewall6.conf[3](5))..
639 The -C option was added in Shorewall 4.6.5 and is only
641 meaningful when AUTOMAKE=Yes in shorewall.conf[2](5)
642 (shorewall6.conf[3](5)). If an existing firewall script is used
643 and if that script was the one that generated the current
644 running configuration, then the running netfilter configuration
645 will be reloaded as is so as to preserve the iptables packet
646 and byte counters.
647 Shorewall-lite and Shorewall6-lite
649 Reload is similar to shorewall start except that it assumes
650 that the firewall is already started. Existing connections are
651 maintained.
652 The -n option causes Shorewall to avoid updating the routing
654 table(s).
655 The -p option causes the connection tracking table to be
657 flushed; the conntrack utility must be installed to use this
658 option.
659 The -C option was added in Shorewall 4.6.5 If the existing
661 firewall script is the one that generated the current running
662 configuration, then the running netfilter configuration will be
663 reloaded as is so as to preserve the iptables packet and byte
664 counters.
665 remote-getcaps [-R] [-r root-user-name] [ [ -D ] directory ] [ system ]
667 Added in Shoreall 5.2.0, this command executes shorewall[6]-lite
668 show capabilities -f > /var/lib/shorewall[6]-lite/capabilities on
669 the remote system via ssh then the generated file is copied to
670 directory on the local system. If no directory is given, the
671 current working directory is assumed.
672 if -R is included, the remote shorewallrc file is also copied to
674 directory.
675 If -r is included, it specifies that the root user on system is
677 named root-user-name rather than "root".
678 remote-getrc [-c] [-r root-user-name] [ [ -D ] directory ] [ system ]
680 Added in Shoreall 5.2.0, this command copies the shorewallrc file
681 from the remote system to directory on the local system. If no
682 directory is given, the current working directory is assumed.
683 if -c is included, the remote capabilities are also copied to
685 directory, as is done by the remote-getcaps command.
686 If -r is included, it specifies that the root user on system is
688 named root-user-name rather than "root".
689 remote-start [-n] [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
691 directory ] [ system ]
692 This command was renamed from load in Shorewall 5.0.0 and is only
693 available in Shorewall and Shoreawall6.
694 If directory is omitted, the current working directory is assumed.
696 Allows a non-root user to compile a shorewall script and install it
697 on a system (provided that the user has root access to the system
698 via ssh). The command is equivalent to:
699 /sbin/shorewall compile -e directory directory/firewall &&\
701 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
702 ssh root@system '/sbin/shorewall-lite start'
703 In other words, the configuration in the specified (or defaulted)
705 directory is compiled to a file called firewall in that directory.
706 If compilation succeeds, then firewall is copied to system using
707 scp. If the copy succeeds, Shorewall Lite on system is started via
708 ssh. Beginning with Shorewall 5.0.13, if system is omitted, then
709 the FIREWALL option setting in shorewall.conf[12](5)
710 (shorewall6.conf(5)[3]) is assumed. In that case, if you want to
711 specify a directory, then the -D option must be given.
712 The -n option causes Shorewall to avoid updating the routing
714 table(s).
715 If -s is specified and the start command succeeds, then the remote
717 Shorewall-lite configuration is saved by executing shorewall-lite
718 save via ssh.
719 if -c is included, the command shorewall[6]-lite show capabilities
721 -f > /var/lib/shorewall[6]-lite/capabilities is executed via ssh
722 then the generated file is copied to directory using scp. This step
723 is performed before the configuration is compiled.
724 If -r is included, it specifies that the root user on system is
726 named root-user-name rather than "root".
727 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
729 trace to be included with each compiler-generated error and warning
730 message.
731 remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
733 directory ] [ system ]
734 This command was added in Shorewall 5.0.0 and is only available in
735 Shorewall and Shorewall6.
736 If directory is omitted, the current working directory is assumed.
738 Allows a non-root user to compile a shorewall script and install it
739 on a system (provided that the user has root access to the system
740 via ssh). The command is equivalent to:
741 /sbin/shorewall compile -e directory directory/firewall &&\
743 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
744 ssh root@system '/sbin/shorewall-lite reload'
745 In other words, the configuration in the specified (or defaulted)
747 directory is compiled to a file called firewall in that directory.
748 If compilation succeeds, then firewall is copied to system using
749 scp. If the copy succeeds, Shorewall Lite on system is restarted
750 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
751 then the FIREWALL option setting in shorewall6.conf(5)[13]
752 (shorewall6.conf[3](5)) is assumed. In that case, if you want to
753 specify a directory, then the -D option must be given.
754 If -s is specified and the restart command succeeds, then the
756 remote Shorewall-lite configuration is saved by executing
757 shorewall-lite save via ssh.
758 if -c is included, the command shorewall-lite show capabilities -f
760 > /var/lib/shorewall-lite/capabilities is executed via ssh then the
761 generated file is copied to directory using scp. This step is
762 performed before the configuration is compiled.
763 If -r is included, it specifies that the root user on system is
765 named root-user-name rather than "root".
766 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
768 trace to be included with each compiler-generated error and warning
769 message.
770 The -i option was added in Shorewall 4.6.0 and causes a warning
772 message to be issued if the current line contains alternative input
773 specifications following a semicolon (";"). Such lines will be
774 handled incorrectly if INLINE_MATCHES is set to Yes in
775 shorewall.conf[2](5) (shorewall6.conf[3](5)).
776 remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
778 directory ] [ system ]
779 This command was renamed from reload in Shorewall 5.0.0 and is
780 available in Shorewall and Shorewall6 only.
781 If directory is omitted, the current working directory is assumed.
783 Allows a non-root user to compile a shorewall script and install it
784 on a system (provided that the user has root access to the system
785 via ssh). The command is equivalent to:
786 /sbin/shorewall compile -e directory directory/firewall &&\
788 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
789 ssh root@system '/sbin/shorewall-lite restart'
790 In other words, the configuration in the specified (or defaulted)
792 directory is compiled to a file called firewall in that directory.
793 If compilation succeeds, then firewall is copied to system using
794 scp. If the copy succeeds, Shorewall Lite on system is restarted
795 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
796 then the FIREWALL option setting in shorewall6.conf(5)[13]
797 (shorewall6.conf[3](5)) is assumed. In that case, if you want to
798 specify a directory, then the -D option must be given.
799 If -s is specified and the restart command succeeds, then the
801 remote Shorewall-lite configuration is saved by executing
802 shorewall-lite save via ssh.
803 if -c is included, the command shorewall-lite show capabilities -f
805 > /var/lib/shorewall-lite/capabilities is executed via ssh then the
806 generated file is copied to directory using scp. This step is
807 performed before the configuration is compiled.
808 If -r is included, it specifies that the root user on system is
810 named root-user-name rather than "root".
811 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
813 trace to be included with each compiler-generated error and warning
814 message.
815 The -i option was added in Shorewall 4.6.0 and causes a warning
817 message to be issued if the current line contains alternative input
818 specifications following a semicolon (";"). Such lines will be
819 handled incorrectly if INLINE_MATCHES is set to Yes in
820 shorewall.conf[2](5) (shorewall6.conf[3](5).
821 reset [chain, ...]
823 Resets the packet and byte counters in the specified chain(s). If
824 no chain is specified, all the packet and byte counters in the
825 firewall are reset.
826 Beginning with Shorewall 5.0.0, chain may be composed of both a
828 table name and a chain name separated by a colon (e.g.,
829 mangle:PREROUTING). Chain names following that don't include a
830 table name are assumed to be in that same table. If no table name
831 is given in the command, the filter table is assumed.
832 restart [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
834 Beginning with Shorewall 5.0.0, this command performs a true
835 restart. The firewall is completely stopped as if a stop command
836 had been issued then it is started again.
837 Shorewall and Shorewall6
839 If a directory is included in the command, Shorewall will look
840 in that directory first for configuration files.
841 The -n option causes Shorewall to avoid updating the routing
843 table(s).
844 The -p option causes the connection tracking table to be
846 flushed; the conntrack utility must be installed to use this
847 option.
848 The -d option causes the compiler to run under the Perl
850 debugger.
851 The -f option suppresses the compilation step and simply reused
853 the compiled script which last started/restarted Shorewall,
854 provided that /etc/shorewall and its contents have not been
855 modified since the last start/restart.
856 The -c option was added in Shorewall 4.4.20 and performs the
858 compilation step unconditionally, overriding the AUTOMAKE
859 setting in shorewall.conf[2](5). When both -f and -c are
860 present, the result is determined by the option that appears
861 last.
862 The -T option was added in Shorewall 4.5.3 and causes a Perl
864 stack trace to be included with each compiler-generated error
865 and warning message.
866 The -i option was added in Shorewall 4.6.0 and causes a warning
868 message to be issued if the current line contains alternative
869 input specifications following a semicolon (";"). Such lines
870 will be handled incorrectly if INLINE_MATCHES is set to Yes in
871 shorewall.conf[2](5).
872 The -C option was added in Shorewall 4.6.5 and is only
874 meaningful when AUTOMAKE=Yes in shorewall.conf[2](5). If an
875 existing firewall script is used and if that script was the one
876 that generated the current running configuration, then the
877 running netfilter configuration will be reloaded as is so as to
878 preserve the iptables packet and byte counters.
879 Shorewall-lite and Shorewall6-lite
881 The -n option causes Shorewall to avoid updating the routing
882 table(s).
883 The -p option causes the connection tracking table to be
885 flushed; the conntrack utility must be installed to use this
886 option.
887 The -C option was added in Shorewall 4.6.5 If the existing
889 firewall script is the one that generated the current running
890 configuration, then the running netfilter configuration will be
891 reloaded as is so as to preserve the iptables packet and byte
892 counters.
893 restore [-n] [-p] [-C] [ filename ]
895 Restore Shorewall to a state saved using the shorewall save
896 command. Existing connections are maintained. The filename names a
897 restore file in /var/lib/shorewall created using shorewall save; if
898 no filename is given then Shorewall will be restored from the file
899 specified by the RESTOREFILE option in shorewall.conf[2](5)
900 (shorewall6.conf[3](5)).
901 Caution
903 If your iptables ruleset depends on variables that are detected
904 at run-time, either in your params file or by
905 Shorewall-generated code, restore will use the values that were
906 current when the ruleset was saved, which may be different from
907 the current values.
908 The -n option causes Shorewall to avoid updating the routing
909 table(s).
910 The -p option, added in Shorewall 4.6.5, causes the connection
912 tracking table to be flushed; the conntrack utility must be
913 installed to use this option.
914 The -C option was added in Shorewall 4.6.5. If the -C option was
916 specified during shorewall save, then the counters saved by that
917 operation will be restored.
918 run command [ parameter ... ]
920 Added in Shorewall 4.6.3. Executes command in the context of the
921 generated script passing the supplied parameters. Normally, the
922 command will be a function declared in lib.private.
923 Before executing the command, the script will detect the
925 configuration, setting all SW_* variables and will run your init
926 extension script with $COMMAND = 'run'.
927 If there are files in the CONFIG_PATH that were modified after the
929 current firewall script was generated, the following warning
930 message is issued:
931 WARNING: /var/lib/shorewall/firewall is not up to
932 date
933 safe-reload [-d] [-p] [-t timeout ] [ directory ]
935 Added in Shorewall 5.0.0, this command performs the same function
936 as did safe_restart in earlier releases. The command is available
937 in Shorewall and Shorewall6 only.
938 Only allowed if Shorewall is running. The current configuration is
940 saved in /var/lib/shorewall/safe-reload (see the save command
941 below) then a shorewall reload is done. You will then be prompted
942 asking if you want to accept the new configuration or not. If you
943 answer "n" or if you fail to answer within 60 seconds (such as when
944 your new configuration has disabled communication with your
945 terminal), the configuration is restored from the saved
946 configuration. If a directory is given, then Shorewall will look in
947 that directory first when opening configuration files.
948 Beginning with Shorewall 4.5.0, you may specify a different timeout
950 value using the -t option. The numeric timeout may optionally be
951 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
952 minutes or hours respectively. If the suffix is omitted, seconds is
953 assumed.
954 safe-restart [-d] [-p] [-t timeout ] [ directory ]
956 Only allowed if Shorewall[6] is running and is not available in
957 Shorewall-lite and Shorewall6-lite. The current configuration is
958 saved in /var/lib/shorewall/safe-restart (see the save command
959 below) then a shorewall restart is done. You will then be prompted
960 asking if you want to accept the new configuration or not. If you
961 answer "n" or if you fail to answer within 60 seconds (such as when
962 your new configuration has disabled communication with your
963 terminal), the configuration is restored from the saved
964 configuration. If a directory is given, then Shorewall will look in
965 that directory first when opening configuration files.
966 Beginning with Shorewall 4.5.0, you may specify a different timeout
968 value using the -t option. The numeric timeout may optionally be
969 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
970 minutes or hours respectively. If the suffix is omitted, seconds is
971 assumed.
972 safe-start [-d] [-p] [-ttimeout ] [ directory ]
974 Shorewall is started normally. You will then be prompted asking if
975 everything went all right. If you answer "n" or if you fail to
976 answer within 60 seconds (such as when your new configuration has
977 disabled communication with your terminal), a shorewall clear is
978 performed for you. If a directory is given, then Shorewall will
979 look in that directory first when opening configuration files.
980 Beginning with Shorewall 4.5.0, you may specify a different timeout
982 value using the -t option. The numeric timeout may optionally be
983 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
984 minutes or hours respectively. If the suffix is omitted, seconds is
985 assumed.
986 This command is available in Shorewall and Shorewall6 only.
988 save [-C] [ filename ]
990 Creates a snapshot of the currently running firewall. The dynamic
991 blacklist is stored in /var/lib/shorewall/save. The state of the
992 firewall is stored in /var/lib/shorewall/filename for use by the
993 shorewall restore command. If filename is not given then the state
994 is saved in the file specified by the RESTOREFILE option in
995 shorewall.conf[2](5) (shorewall6.conf[3](5)).
996 The -C option, added in Shorewall 4.6.5, causes the iptables packet
998 and byte counters to be saved along with the chains and rules.
999 savesets
1001 Added in shorewall 4.6.8. Performs the same action as the stop
1002 command with respect to saving ipsets (see the SAVE_IPSETS option
1003 in shorewall.conf[2] (5) (shorewall6.conf[3](5)). This command may
1004 be used to proactively save your ipset contents in the event that a
1005 system failure occurs prior to issuing a stop command.
1006 show
1008 The show command can have a number of different arguments:
1009 action action
1011 Lists the named action file. Available on Shorewall and
1012 Shorewall6 only.
1013 actions
1015 Produces a report about the available actions (built-in,
1016 standard and user-defined). Available on Shorewall and
1017 Shorewall6 only.
1018 bl|blacklists [-x]
1020 Added in Shorewall 4.6.2. Displays the dynamic chain along with
1021 any chains produced by entries in shorewall-blrules(5). The -x
1022 option is passed directly through to iptables and causes actual
1023 packet and byte counts to be displayed. Without this option,
1024 those counts are abbreviated.
1025 [-f] capabilities
1027 Displays your kernel/iptables capabilities. The -f option
1028 causes the display to be formatted as a capabilities file for
1029 use with compile -e.
1030 [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [ chain... ]
1032 The rules in each chain are displayed using the iptables -L
1033 chain -n -v command. If no chain is given, all of the chains in
1034 the filter table are displayed. The -x option is passed
1035 directly through to iptables and causes actual packet and byte
1036 counts to be displayed. Without this option, those counts are
1037 abbreviated. The -t option specifies the Netfilter table to
1038 display. The default is filter.
1039 The -b ('brief') option causes rules which have not been used
1041 (i.e. which have zero packet and byte counts) to be omitted
1042 from the output. Chains with no rules displayed are also
1043 omitted from the output.
1044 The -l option causes the rule number for each Netfilter rule to
1046 be displayed.
1047 If the -t option and the chain keyword are both omitted and any
1049 of the listed chains do not exist, a usage message is
1050 displayed.
1051 classifiers|filters
1053 Displays information about the packet classifiers defined on
1054 the system as a result of traffic shaping configuration.
1055 config
1057 Displays distribution-specific defaults.
1058 connections [filter_parameter ...]
1060 Displays the IP connections currently being tracked by the
1061 firewall.
1062 If the conntrack utility is installed, beginning with Shorewall
1064 4.6.11 the set of connections displayed can be limited by
1065 including conntrack filter parameters (-p , -s, --dport, etc).
1066 See conntrack(8) for details.
1067 event event
1069 Added in Shorewall 4.5.19. Displays the named event.
1070 events
1072 Added in Shorewall 4.5.19. Displays all events.
1073 ip
1075 Displays the system's IPv4 configuration.
1076 ipa
1078 Added in Shorewall 4.4.17. Displays the per-IP accounting
1079 counters (shorewall-accounting[14] (5),
1080 shorewall6-accounting[15](5)).
1081 ipsec
1083 Added in Shorewall 5.1.0. Displays the contents of the IPSEC
1084 Security Policy Database (SPD) and Security Association
1085 Database (SAD). SAD keys are not displayed.
1086 [-m] log
1088 Displays the last 20 Shorewall messages from the log file
1089 specified by the LOGFILE option in shorewall.conf[2](5)
1090 (shorewall6.conf[3](5)). The -m option causes the MAC address
1091 of each packet source to be displayed if that information is
1092 available.
1093 macros
1095 Displays information about each macro defined on the firewall
1096 system (Shorewall and Shorewall6 only)
1097 macro macro
1099 Added in Shorewall 4.4.6. Displays the file that implements the
1100 specified macro (usually /usr/share/shorewall/macro.macro).
1101 Available only in Shorewall and Shorewall6.
1102 [-x] mangle
1104 Displays the Netfilter mangle table using the command iptables
1105 -t mangle -L -n -v. The -x option is passed directly through to
1106 iptables and causes actual packet and byte counts to be
1107 displayed. Without this option, those counts are abbreviated.
1108 marks
1110 Added in Shorewall 4.4.26. Displays the various fields in
1111 packet marks giving the min and max value (in both decimal and
1112 hex) and the applicable mask (in hex).
1113 [-x] nat
1115 Displays the Netfilter nat table using the command iptables -t
1116 nat -L -n -v. The -x option is passed directly through to
1117 iptables and causes actual packet and byte counts to be
1118 displayed. Without this option, those counts are abbreviated.
1119 opens
1121 Added in Shorewall 4.5.8. Displays the iptables rules in the
1122 'dynamic' chain created through use of the open command..
1123 policies
1125 Added in Shorewall 4.4.4. Displays the applicable policy
1126 between each pair of zones. Note that implicit intrazone ACCEPT
1127 policies are not displayed for zones associated with a single
1128 network where that network doesn't specify routeback.
1129 rc
1131 Added in Shorewall 5.2.0. Displays the contents of
1132 $SHAREDIR/shorewall/shorewallrc.
1133 [-c] routing
1135 Displays the system's IPv4 routing configuration. The -c option
1136 causes the route cache to be displayed along with the other
1137 routing information.
1138 [-x] raw
1140 Displays the Netfilter raw table using the command iptables -t
1141 raw -L -n -v. The -x option is passed directly through to
1142 iptables and causes actual packet and byte counts to be
1143 displayed. Without this option, those counts are abbreviated.
1144 saves
1146 Added in Shorewall 5.2.0. Lists snapshots created by the save
1147 command. Each snapshot is listed with the date and time when it
1148 was taken. If there is a snapshot with the name specified in
1149 the RESTOREFILE option in shorewall.conf(5[12]), that snapshot
1150 is listed as the default snapshot for the restore command.
1151 tc
1153 Displays information about queuing disciplines, classes and
1154 filters.
1155 zones
1157 Displays the current composition of the Shorewall zones on the
1158 system.
1159 start [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
1161 Shorewall and Shorewall6
1163 Start shorewall[6]. Existing connections through shorewall
1164 managed interfaces are untouched. New connections will be
1165 allowed only if they are allowed by the firewall rules or
1166 policies. If a directory is included in the command, Shorewall
1167 will look in that directory first for configuration files. If
1168 -f is specified, the saved configuration specified by the
1169 RESTOREFILE option in shorewall.conf[2](5)
1170 (shorewall6.conf[3](5)) will be restored if that saved
1171 configuration exists and has been modified more recently than
1172 the files in /etc/shorewall. When -f is given, a directory may
1173 not be specified.
1174 Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
1176 added to shorewall.conf[2](5) (shorewall6.conf[3](5)). When
1177 LEGACY_FASTSTART=No, the modification times of files in
1178 /etc/shorewall are compared with that of
1179 /var/lib/shorewall/firewall (the compiled script that last
1180 started/restarted the firewall).
1181 The -n option causes Shorewall to avoid updating the routing
1183 table(s).
1184 The -p option causes the connection tracking table to be
1186 flushed; the conntrack utility must be installed to use this
1187 option.
1188 The -c option was added in Shorewall 4.4.20 and performs the
1190 compilation step unconditionally, overriding the AUTOMAKE
1191 setting in shorewall.conf[2](5) (shorewall6.conf[3](5)). When
1192 both -f and -care present, the result is determined by the
1193 option that appears last.
1194 The -T option was added in Shorewall 4.5.3 and causes a Perl
1196 stack trace to be included with each compiler-generated error
1197 and warning message.
1198 The -i option was added in Shorewall 4.6.0 and causes a warning
1200 message to be issued if the current line contains alternative
1201 input specifications following a semicolon (";"). Such lines
1202 will be handled incorrectly if INLINE_MATCHES is set to Yes in
1203 shorewall.conf(5)[2] (shorewall6.conf[3](5)).
1204 The -C option was added in Shorewall 4.6.5 and is only
1206 meaningful when the -f option is also specified. If the
1207 previously-saved configuration is restored, and if the -C
1208 option was also specified in the save command, then the packet
1209 and byte counters will be restored.
1210 Shorewall-lite and Shorewall6-lite
1212 Start Shorewall[6] Lite. Existing connections through
1213 shorewall[6]-lite managed interfaces are untouched. New
1214 connections will be allowed only if they are allowed by the
1215 firewall rules or policies.
1216 The -p option causes the connection tracking table to be
1218 flushed; the conntrack utility must be installed to use this
1219 option.
1220 The -n option prevents the firewall script from modifying the
1222 current routing configuration.
1223 The -f option was added in Shorewall 4.6.5. If the RESTOREFILE
1225 named in shorewall.conf[12](5) exists, is executable and is not
1226 older than the current filewall script, then that saved
1227 configuration is restored.
1228 The -C option was added in Shorewall 4.6.5 and is only
1230 meaningful when the -f option is also specified. If the
1231 previously-saved configuration is restored, and if the -C
1232 option was also specified in the save command, then the packet
1233 and byte counters will be restored.
1234 stop [-f]
1236 Stops the firewall. All existing connections, except those listed
1237 in shorewall-routestopped[16](5) or permitted by the
1238 ADMINISABSENTMINDED option in shorewall.conf[2](5), are taken down.
1239 The only new traffic permitted through the firewall is from systems
1240 listed in shorewall-routestopped[16](5) or by ADMINISABSENTMINDED.
1241 If -f is given, the command will be processed by the compiled
1243 script that executed the last successful start, restart or reload
1244 command if that script exists.
1245 status [-i]
1247 Produces a short report about the state of the Shorewall-configured
1248 firewall.
1249 The -i option was added in Shorewall 4.6.2 and causes the status of
1251 each optional or provider interface to be displayed.
1252 try directory [ timeout ]
1254 This command is available in Shorewall and Shorewall6 only.
1255 If Shorewall[6] is started then the firewall state is saved to a
1257 temporary saved configuration (/var/lib/shorewall/.try). Next, if
1258 Shorewall[6] is currently started then a restart command is issued
1259 using the specified configuration directory; otherwise, a start
1260 command is performed using the specified configuration directory.
1261 if an error occurs during the compilation phase of the restart or
1262 start, the command terminates without changing the Shorewall[6]
1263 state. If an error occurs during the restart phase, then a
1264 shorewall restore is performed using the saved configuration. If an
1265 error occurs during the start phase, then Shorewall is cleared. If
1266 the start/restart succeeds and a timeout is specified then a clear
1267 or restore is performed after timeout seconds.
1268 Beginning with Shorewall 4.5.0, the numeric timeout may optionally
1270 be followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1271 minutes or hours respectively. If the suffix is omitted, seconds is
1272 assumed.
1273 update [-d] [-r] [-T] [-a] [-i] [-A] [ directory ]
1275 This command is available only in Shorewall and Shorewall6.
1276 Added in Shorewall 4.4.21 and causes the compiler to update
1278 /etc/shorewall/shorewall.conf then validate the configuration. The
1279 update will add options not present in the old file with their
1280 default values, and will move deprecated options with non-defaults
1281 to a deprecated options section at the bottom of the file. Your
1282 existing shorewall.conf file is renamed shorewall.conf.bak.
1283 The command was extended over the years with a set of options that
1285 caused additional configuration updates.
1286 · Convert an existing blacklist file into an equivalent blrules
1288 file.
1289 · Convert an existing routestopped file into an equivalent
1291 stoppedrules file.
1292 · Convert existing tcrules and tos files into an equivalent
1294 mangle file.
1295 · Convert an existing notrack file into an equivalent conntrack
1297 file.
1298 · Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
1300 ?SECTION and ?COMMENT directives.
1301 In each case, the old file is renamed with a .bak suffix.
1303 In Shorewall 5.0.0, the options were eliminated and the update
1305 command performs all of the updates described above.
1306 Important
1308 There are some notable restrictions with the update command:
1309 1. Converted rules will be appended to the existing file; if
1311 there is no existing file in the CONFIG_PATH, one will be
1312 created in the directory specified in the command or in the
1313 first entry in the CONFIG_PATH (normally /etc/shorewall)
1314 otherwise.
1315 2. Existing comments in the file being converted will not be
1317 transferred to the output file.
1318 3. With the exception of the notrack->conntrack conversion,
1320 INCLUDEd files will be expanded inline in the output file.
1321 4. Columns in the output file will be separated by a single
1323 tab character; there is no attempt made to otherwise align
1324 the columns.
1325 5. Prior to Shorewall 5.0.15, shell variables will be expanded
1327 in the output file.
1328 6. Prior to Shorewall 5.0.15, lines omitted by compiler
1330 directives (?if ...., etc.) will not appear in the output
1331 file.
1332 Important
1334 Because the translation of the 'blacklist' and
1335 'routestopped' files is not 1:1, omitted lines and
1336 compiler directives are not transferred to the
1337 converted files. If either are present, the compiler
1338 issues a warning:
1339 WARNING: "Omitted rules and compiler directives were not translated
1341 The -a option causes the updated shorewall.conf file to be
1342 annotated with documentation.
1343 The -i option was added in Shorewall 4.6.0 and causes a warning
1345 message to be issued if the current line contains alternative input
1346 specifications following a semicolon (";"). Such lines will be
1347 handled incorrectly if INLINE_MATCHES is set to Yes in
1348 shorewall.conf[2](5).
1349 The -A option is included for compatibility with Shorewall 4.6 and
1351 is equivalent to specifying the -i option.
1352 For a description of the other options, see the check command
1354 above.
1355 version [-a]
1357 Displays Shorewall's version. The -a option is included for
1358 compatibility with earlier Shorewall releases and is ignored.
1359
1361 In general, when a command succeeds, status 0 is returned; when the
1362 command fails, a non-zero status is returned.
1363 The status command returns exit status as follows:
1365 0 - Firewall is started.
1367 3 - Firewall is stopped or cleared
1369 4 - Unknown state; usually means that the firewall has never been
1371 started.
1372
1374 Two environmental variables are recognized by Shorewall:
1375 SHOREWALL_INIT_SCRIPT
1377 When set to 1, causes Std out to be redirected to the file
1378 specified in the STARTUP_LOG option in shorewall.conf(5)[12].
1379 SW_LOGGERTAG
1381 Added in Shorewall 5.0.8. When set to a non-empty value, that value
1382 is passed to the logger utility in its -t (--tag) option.
1383
1385 /etc/shorewall/*
1386 /etc/shorewall6/*
1388
1390 http://www.shorewall.net/starting_and_stopping_shorewall.htm[17]
1391 - Describes operational aspects of Shorewall.
1392 shorewall-files(5)[18] -
1393 Describes the various configuration files along with features
1394 and
1395 conventions common to those files.
1396 shorewall-names(5)[19] -
1397 Describes naming of objects within a Shorewall configuration.
1398 shorewall-addresses(5)[20] -
1399 Describes how to specify addresses within a Shorewall
1400 configuration.
1401 shorewall-exclusion(5)[21] -
1402 Describes how to exclude certain hosts and/or networks from
1403 matching a
1404 rule.
1405 shorewall-nesting(5)[22]
1406 - Describes how to nest one Shorewall zone inside another.
1407
1409 1. http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace
1410 http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace
1411 2. shorewall.conf
1413 http://www.shorewall.net/manpages/shorewall.conf.html
1414 3. shorewall6.conf
1416 http://www.shorewall.net/manpages6/shorewall6.conf.html
1417 4. shorewall-interfaces
1419 http://www.shorewall.net/manpages/shorewall-interfaces.html
1420 5. shorewall6-interfaces
1422 http://www.shorewall.net/manpages6/shorewall6-interfaces.html
1423 6. shorewall-zones
1425 http://www.shorewall.net/manpages/shorewall-zones.html
1426 7. shorewall6-zones
1428 http://www.shorewall.net???
1429 8. shorewall6-zones
1431 http://www.shorewall.net/manpages6/shorewall6-zones.html
1432 9. shorewall-routes
1434 http://www.shorewall.net/manpages/shorewall-routes.html
1435 10. shorewall6-routes
1437 http://www.shorewall.net/manpages/shorewall6-routes.html
1438 11. logging backend
1440 http://www.shorewall.net/shorewall_logging.html#Backends
1441 12. shorewall.conf
1443 http://www.shorewall.netshorewall.conf.html
1444 13. shorewall6.conf(5)
1446 http://www.shorewall.netshorewall6.conf.html
1447 14. shorewall-accounting
1449 http://www.shorewall.net/manpages/shorewall-accounting.html
1450 15. shorewall6-accounting
1452 http://www.shorewall.net/manpages6/shorewall6-accounting.html
1453 16. shorewall-routestopped
1455 http://www.shorewall.net/manpages/shorewall-routestopped.html
1456 17. http://www.shorewall.net/starting_and_stopping_shorewall.htm
1458 http://www.shorewall.net/starting_and_stopping_shorewall.htm
1459 18. shorewall-files(5)
1461 http://www.shorewall.netshorewall-files.html
1462 19. shorewall-names(5)
1464 http://www.shorewall.netshorewall-names.html
1465 20. shorewall-addresses(5)
1467 http://www.shorewall.netshorewall-addresses.html
1468 21. shorewall-exclusion(5)
1470 http://www.shorewall.netshorewall-exclusion.html
1471 22. shorewall-nesting(5)
1473 http://www.shorewall.netshorewall-nesting.html
1474Administrative Commands 01/17/2019 SHOREWALL(8)