1SHOREWALL(8) Administrative Commands SHOREWALL(8)
2
3
4
6 shorewall - Administration tool for Shoreline Firewall (Shorewall)
7
9 shorewall[6][-lite] [trace|debug [nolock]] [options] add {
10 interface[:host-list]... zone | zone host-list }
11
12 shorewall[6][-lite] [trace|debug [nolock]] [options] allow address
13
14 shorewall[6][-lite] [trace|debug [nolock]] [options] blacklist
15 address [option ...]
16
17 shorewall[6][-lite] [trace|debug [nolock]] [options] call
18 function [parameter ...]
19
20 shorewall[6] [trace|debug] [options] [check | ck ] [-e] [-d] [-p] [-r]
21 [-T] [-i] [directory]
22
23 shorewall[6][-lite] [trace|debug [nolock]] [options] clear [-f]
24
25 shorewall[6][-lite] [trace|debug [nolock]] [options]
26 close { open-number | source dest [protocol [ port ]]}
27
28 shorewall[6] [trace|debug] [options] [compile | co ] [-e] [-c] [-d]
29 [-p] [-T] [-i] [directory] [pathname]
30
31 shorewall[6][-lite] [trace|debug [nolock]] [options] delete {
32 interface[:host-list]... zone | zone host-list }
33
34 shorewall[6][-lite] [trace|debug [nolock]] [options] disable
35 { interface | provider }
36
37 shorewall[6][-lite] [trace|debug [nolock]] [options] drop address
38
39 shorewall[6][-lite] [trace|debug] [options] dump [-x] [-l] [-m] [-c]
40
41 shorewall[6][-lite] [trace|debug [nolock]] [options] enable
42 { interface | provider }
43
44 shorewall[6] [trace|debug [nolock]] [options] export [directory1]
45 [user@]system[:directory2]
46
47 shorewall[6][-lite] [trace|debug [nolock]] [options] forget [filename]
48
49 shorewall[6][-lite] [trace|debug] [options] help
50
51 shorewall[-lite] [trace|debug] [options] hits [-t]
52
53 shorewall[-lite] [trace|debug] [options] ipcalc {address mask |
54 address/vlsm}
55
56 shorewall[-lite] [trace|debug] [options] iprange address1-address2
57
58 shorewall[6][-lite] [trace|debug] [options] iptrace
59 iptables match expression
60
61 shorewall[6][-lite] [trace|debug [nolock]] [options] logdrop address
62
63 shorewall[6][-lite] [trace|debug] [options] logwatch [-m]
64 [refresh-interval]
65
66 shorewall[6][-lite] [trace|debug [nolock]] [options] logreject address
67
68 shorewall[6][-lite] [trace|debug] [options] noiptrace
69 iptables match expression
70
71 shorewall[6][-lite] [options] open source dest [ protocol [ port ] ]
72
73 shorewall[6][-lite] [trace|debug [nolock]] [options] reenable
74 { interface | provider }
75
76 shorewall[6][-lite] [trace|debug [nolock]] [options] reject address
77
78 shorewall[6][-lite] [trace|debug [nolock]] [options] reload [-n]
79 [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
80
81 shorewall[6] [trace|debug] [options] remote-getcaps [-s] [-R]
82 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
83
84 shorewall[6] [trace|debug] [options] remote-getrc [-s] [-c]
85 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
86
87 shorewall[6] [trace|debug] [options] remote-start [-s] [-c]
88 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
89
90 shorewall[6] [trace|debug] [options] remote-reload [-s] [-c]
91 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
92
93 shorewall[6] [trace|debug] [options] remote-restart [-s] [-c]
94 [-r root-user-name] [-T] [-i] [[-D]directory] [system]
95
96 shorewall[6][-lite] [trace|debug [nolock]] [options] reset [chain ...]
97
98 shorewall[6][-lite] [trace|debug [nolock]] [options] restart [-n]
99 [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
100
101 shorewall[6][-lite] [trace|debug [nolock]] [options]
102 restore [-n] [-p] [-C] [filename]
103
104 shorewall[6][-lite] [trace|debug [nolock]] [options] run command
105 [parameter ...]
106
107 shorewall[6] [trace|debug [nolock]] [options] safe-restart [-d] [-p]
108 [-t timeout] [directory]
109
110 shorewall[6] [trace|debug] [options] safe-start [-d] [-p] [-t timeout]
111 [directory]
112
113 shorewall[6][-lite] [trace|debug [nolock]] [options] save [-C]
114 [filename]
115
116 shorewall[6][-lite] [trace|debug [nolock]] [options] savesets
117
118 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x]
119 {bl|blacklists}
120
121 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-b]
122 [-x] [-l] [-t {filter|mangle|nat|raw}] [chain...]
123
124 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-f]
125 capabilities
126
127 shorewall[6] [options] {show | list | ls } [-f] {actions|macros}
128
129 shorewall[6] [trace|debug] [options] {show | list | ls } action action
130
131 shorewall[6][-lite] [trace|debug] [options] {show | list | ls }
132 {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}
133
134 shorewall[6][-lite] [trace|debug] [options] {show | list | ls }
135 event event
136
137 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-c]
138 routing
139
140 shorewall[6] [trace|debug] [options] {show | list | ls } macro macro
141
142 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x]
143 {mangle|nat|raw}
144
145 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } saves
146
147 shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-m]
148 log
149
150 shorewall[6][-lite] [trace|debug [nolock]] [options] start [-n] [-f]
151 [-p] [-c] [-T [-i]] [-C] [directory]
152
153 shorewall[6][-lite] [trace|debug [nolock]] [options] stop [-f]
154
155 shorewall[6][-lite] [trace|debug] [options] status [-i]
156
157 shorewall[6] [trace|debug [nolock]] [options] try directory [timeout]
158
159 shorewall[6] [trace|debug] [options] update [-b] [-d] [-r] [-T] [-a]
160 [-i] [-A] [directory]
161
162 shorewall[6][-lite] [trace|debug] [options] version [-a]
163
165 Beginning with Shorewall 5.1.0, the shorewall utility is used to
166 control the Shoreline Firewall (Shorewall), Shorewall Firewall 6
167 (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall
168 Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under
169 four different names:
170
171 shorewall
172 Controls the Shorewall configuration when Shorewall is installed.
173 If Shorewall is not installed, the shorewall command controls
174 Shorewall-lite if it is installed. If neither Shorewall nor
175 Shorewall-lite is installed, the shorewall command controls
176 Shorewall6-lite if it is installed.
177
178 shorewall6
179 The shorewall6 command controls Shorewall6 when Shorewall6 is
180 installed.
181
182 shorewall-lite
183 The shorewall-lite command controls Shorewall-lite when
184 Shorewall-lite is installed.
185
186 shorewall6-lite
187 The shorewall6-lite command controls Shorewall6-lite when
188 Shorewall6-lite is installed.
189
190 Prior to Shorewall 5.1.0, these four commands were implemented as four
191 separate programs, each of which controlled only a single firewall
192 package. This manpage serves to document both the Shorewall 5.1 and
193 Shorewall 5.0 CLI.
194
196 The trace and debug options are used for debugging. See
197 http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace[1].
198
199 The nolock option prevents the command from attempting to acquire the
200 Shorewall lockfile. It is useful if you need to include shorewall
201 commands in /etc/shorewall/started.
202
203 Other options are:
204
205 -4
206 Added in Shorewall 5.1.0. Causes the command to operate on the
207 Shorewall configuration or the Shorewall-lite configuration. It is
208 the default when either of those products is installed and when the
209 command is shorewall or shorewall-lite.
210
211 -6
212 Added in Shorewall 5.1.0. Causes the command to operate on the
213 Shorewall6 or Shorewall6-lite configuration. It is the default when
214 only Shorewall6-lite is installed and when the command is
215 shorewall6 or shorewall6-lite.
216
217 -l
218 Added in Shorewall 5.1.0. Causes the command to operate on either
219 Shorewall-lite or Shorewall6-lite and is the default when
220 Shorewall is not installed or when the command is shorewall-lite or
221 shorewall6-lite.
222
223 With all four firewall products (Shorewall, Shorewall6,
224 Shorewall-lite and Shorewall6-lite) installed, the following table
225 shows the correspondence between the name used to invoke the
226 command and the shorewall command with the above three options.
227
228 Table 1. All four products installed
229 The next table shows the correspondence when only Shorewall-lite
230 and Shorewall6-lite are installed.
231
232 Table 2. Only Shorewall-lite and Shorewall6-lite installed
233 -v[verbosity]
234 Alters the amount of output produced by the command. If neither the
235 -v nor -q option is specified, the amount of output is determined
236 by the VERBOSITY setting in shorewall.conf[2](5)
237 (shorewall6.conf[2](5)).
238
239 When no verbosity is specified, each instance of this option causes
240 1 to be added to the effective verbosity. When verbosity (-1,0,1 or
241 2) is given, the command is executed at the specified VERBOSITY.
242 There may be no white-space between -v and the verbosity.
243
244 -q
245 Alters the amount of output produced by the command. If neither the
246 -v nor -q option is specified, the amount of output is determined
247 by the VERBOSITY setting in shorewall.conf[2](5)
248 (shorewall6.conf[2](5)).
249
250 Each instance of this option causes 1 to be subtracted from the
251 effective verbosity.
252
253 -t
254 Causes all progress messages to be timestamped.
255
257 The available commands are listed below.
258
259 add { interface[:host-list]... zone | zone host-list }
260 Adds a list of hosts or subnets to a dynamic zone, usually used with
261 VPNs.
262
263 The interface argument names an interface defined in the
264 shorewall-interfaces[3](5) (shorewall6-interfaces[3](5)) file. A
265 host-list is a comma-separated list whose elements are host or
266 network addresses.
267 Caution
268 The add command is not very robust. If there are errors in the
269 host-list, you may see a large number of error messages yet a
270 subsequent shorewall show zones command will indicate that all
271 hosts were added. If this happens, replace add by delete and
272 run the same command again. Then enter the correct command.
273
274 Beginning with Shorewall 4.5.9, the dynamic_shared zone option
275 (shorewall-zones[4](5),shorewall6-zones[4](5)) allows a single
276 ipset to handle entries for multiple interfaces. When that option
277 is specified for a zone, the add command has the alternative syntax
278 in which the zone name precedes the host-list.
279
280 allow address
281 Re-enables receipt of packets from hosts previously blacklisted by
282 a blacklist, drop, logdrop, reject, or logreject command.
283
284 blacklist address [ option ... ]
285 Added in Shorewall 5.0.8 and requires DYNAMIC_BLACKLIST=ipset.. in
286 shorewall.conf[2](5). Causes packets from the given host or network
287 address to be dropped, based on the setting of BLACKLIST in
288 shorewall.conf[2](5). The address along with any options are passed
289 to the ipset add command.
290
291 If the disconnect option is specified in the DYNAMIC_BLACKLIST
292 setting, then the effective VERBOSITY determines the amount of
293 information displayed:
294
295 · If the effective verbosity is > 0, then a message giving the
296 number of conntrack flows deleted by the command is displayed.
297
298 · If the effective verbosity is > 1, then the conntrack table
299 entries deleted by the command are also displayed.
300
301 call function [ parameter ... ]
302 Added in Shorewall 4.6.10. Allows you to call a function in one of
303 the Shorewall libraries or in your compiled script. function must
304 name the shell function to be called. The listed parameters are
305 passed to the function.
306
307 The function is first searched for in lib.base, lib.common, lib.cli
308 and lib.cli-std. If it is not found, the call command is passed to
309 the generated script to be executed.
310
311 check [-e] [-d] [-p] [-r] [-T] [-i] [directory]
312 Not available with Shorewall[6]-lite.
313
314 Compiles the configuration in the specified directory and discards
315 the compiled output script. If no directory is given, then
316 /etc/shorewall is assumed.
317
318 The -e option causes the compiler to look for a file named
319 capabilities. This file is produced using the command
320 shorewall-lite show -f capabilities > capabilities on a system with
321 Shorewall Lite installed.
322
323 The -d option causes the compiler to be run under control of the
324 Perl debugger.
325
326 The -p option causes the compiler to be profiled via the Perl
327 -wd:DProf command-line option.
328
329 The -r option was added in Shorewall 4.5.2 and causes the compiler
330 to print the generated ruleset to standard out.
331
332 The -T option was added in Shorewall 4.4.20 and causes a Perl stack
333 trace to be included with each compiler-generated error and warning
334 message.
335
336 The -i option was added in Shorewall 4.6.0 and causes a warning
337 message to be issued if the current line contains alternative input
338 specifications following a semicolon (";"). Such lines will be
339 handled incorrectly if INLINE_MATCHES is set to Yes in
340 shorewall.conf[2](5) (shorewall6.conf[2](5)).
341
342 clear [-f]
343 Clear will remove all rules and chains installed by Shorewall. The
344 firewall is then wide open and unprotected. Existing connections
345 are untouched. Clear is often used to see if the firewall is
346 causing connection problems.
347
348 If -f is given, the command will be processed by the compiled
349 script that executed the last successful start, restart or reload
350 command if that script exists.
351
352 close { open-number | source dest [ protocol [ port ] ] }
353 Added in Shorewall 4.5.8. This command closes a temporary open
354 created by the open command. In the first form, an open-number
355 specifies the open to be closed. Open numbers are displayed in the
356 num column of the output of the shorewall show opens command.
357
358 When the second form of the command is used, the parameters must
359 match those given in the earlier open command.
360
361 This command requires that the firewall be in the started state and
362 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
363
364 compile [-e] [-c] [-d] [-p] [-T] [-i] [ directory ] [ pathname ]
365 Not available with shorewall[6]-lite.
366
367 Compiles the current configuration into the executable file
368 pathname. If a directory is supplied, Shorewall will look in that
369 directory first for configuration files. If the pathname is
370 omitted, the file firewall in the VARDIR (normally
371 /var/lib/shorewall/) is assumed. A pathname of '-' causes the
372 compiler to send the generated script to its standard output.
373 Note that '-v-1' is usually specified in this case (e.g., shorewall
374 -v-1 compile -- -) to suppress the 'Compiling...' message normally
375 generated by /sbin/shorewall.
376
377 When -e is specified, the compilation is being performed on a
378 system other than where the compiled script will run. This option
379 disables certain configuration options that require the script to
380 be compiled where it is to be run. The use of -e requires the
381 presence of a configuration file named capabilities which may be
382 produced using the command shorewall-lite show -f capabilities >
383 capabilities on a system with Shorewall Lite installed.
384
385 The -c option was added in Shorewall 4.5.17 and causes conditional
386 compilation of a script. The script specified by pathname (or
387 implied if pathname is omitted) is compiled if it doesn't exist or
388 if there is any file in the directory or in a directory on the
389 CONFIG_PATH that has a modification time later than the file to be
390 compiled. When no compilation is needed, a message is issued and an
391 exit status of zero is returned.
392
393 The -d option causes the compiler to be run under control of the
394 Perl debugger.
395
396 The -p option causes the compiler to be profiled via the Perl
397 -wd:DProf command-line option.
398
399 The -T option was added in Shorewall 4.4.20 and causes a Perl stack
400 trace to be included with each compiler-generated error and warning
401 message.
402
403 The -i option was added in Shorewall 4.6.0 and causes a warning
404 message to be issued if the current line contains alternative input
405 specifications following a semicolon (";"). Such lines will be
406 handled incorrectly if INLINE_MATCHES is set to Yes in
407 shorewall.conf[2](5) (shorewall6.conf[2](5)).
408
409 delete { interface[:host-list]... zone | zone host-list }
410 The delete command reverses the effect of an earlier add command.
411
412 The interface argument names an interface defined in the
413 shorewall-interfaces[3](5) (shorewall6-interfaces[3](5)) file. A
414 host-list is a comma-separated list whose elements are host or
415 network addresses.
416
417 Beginning with Shorewall 4.5.9, the dynamic_shared zone option
418 (shorewall-zones[4](5), shorewall6-zones[4](5)) allows a single
419 ipset to handle entries for multiple interfaces. When that option
420 is specified for a zone, the delete command has the alternative
421 syntax in which the zone name precedes the host-list.
422
423 disable { interface | provider }
424 Added in Shorewall 4.4.26. Disables the optional provider
425 associated with the specified interface or provider. Where more
426 than one provider shares a single network interface, a provider name
427 must be given.
428
429 Beginning with Shorewall 4.5.10, this command may be used with any
430 optional network interface. interface may be either the logical or
431 physical name of the interface. The command removes any routes
432 added from shorewall-routes[5](5) (shorewall6-routes[5](5)) and any
433 traffic shaping configuration for the interface.
434
435 drop address
436 Causes traffic from the listed addresses to be silently dropped.
437 This command requires that the firewall be in the started state and
438 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
439
440 dump [-x] [-l] [-m] [-c]
441 Produces a verbose report about the firewall configuration for the
442 purpose of problem analysis.
443
444 The -x option causes actual packet and byte counts to be displayed.
445 Without that option, these counts are abbreviated.
446
447 The -m option causes any MAC addresses included in Shorewall log
448 messages to be displayed.
449
450 The -l option causes the rule number for each Netfilter rule to be
451 displayed.
452
453 The -c option causes the route cache to be dumped in addition to
454 the other routing information.
455
456 enable { interface | provider }
457 Added in Shorewall 4.4.26. Enables the optional provider associated
458 with the specified interface or provider. Where more than one
459 provider shares a single network interface, a provider name must be
460 given.
461
462 Beginning with Shorewall 4.5.10, this command may be used with any
463 optional network interface. interface may be either the logical or
464 physical name of the interface. The command sets /proc entries for
465 the interface, adds any route specified in shorewall-routes[5](5)
466 (shorewall6-routes[5](5)) and installs the interface's traffic
467 shaping configuration, if any.
468
469 export [ directory1 ] [ user@]system[:directory2 ]
470 Not available with Shorewall[6]-lite.
471
472 If directory1 is omitted, the current working directory is assumed.
473
474 Allows a non-root user to compile a shorewall script and stage it
475 on a system (provided that the user has access to the system via
476 ssh). The command is equivalent to:
477
478 /sbin/shorewall compile -e directory1 directory1/firewall &&\
479 scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]
480
481 In other words, the configuration in the specified (or defaulted)
482 directory is compiled to a file called firewall in that directory.
483 If compilation succeeds, then firewall and firewall.conf are copied
484 to system using scp.
485
486 forget [ filename ]
487 Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If
488 no filename is given then the file specified by RESTOREFILE in
489 shorewall.conf[2](5) (shorewall6.conf[2](5)) is assumed.
490
491 help
492 Displays a syntax summary.
493
494 hits [-t]
495 Generates several reports from Shorewall log messages in the
496 current log file. If the -t option is included, the reports are
497 restricted to log messages generated today. Not available with
498 Shorewall6[-lite].
499
500 ipcalc { address mask | address/vlsm }
501 Ipcalc displays the network address, broadcast address, network in
502 CIDR notation and netmask corresponding to the input[s]. Not
503 available with Shorewall6[-lite].
504
505 iprange address1-address2
506 Iprange decomposes the specified range of IP addresses into the
507 equivalent list of network/host addresses. Not available with
508 Shorewall6[-lite].
509
510 iptrace iptables match expression
511 This is a low-level debugging command that causes iptables TRACE
512 log records to be created. See iptables(8) for details.
513
514 The iptables match expression must be one or more matches that may
515 appear in both the raw table OUTPUT and raw table PREROUTING
516 chains.
517
518 The log message destination is determined by the currently-selected
519 IPv4 or IPv6 logging backend[6].
520
521 list
522 list is a synonym for show -- please see below.
523
524 logdrop address
525 Causes traffic from the listed addresses to be logged then
526 discarded. Logging occurs at the log level specified by the
527 BLACKLIST_LOGLEVEL setting in shorewall.conf[2](5)
528 (shorewall6.conf[2](5)). This command requires that the firewall be
529 in the started state and that DYNAMIC_BLACKLIST=Yes in
530 shorewall.conf (5)[2].
531
532 logwatch [-m] [ refresh-interval ]
533 Monitors the log file specified by the LOGFILE option in
534 shorewall.conf[2](5) (shorewall6.conf[2](5)) and produces an
535 audible alarm when new Shorewall messages are logged. The -m option
536 causes the MAC address of each packet source to be displayed if
537 that information is available. The refresh-interval specifies the
538 time in seconds between screen refreshes. You can enter a negative
539 number by preceding the number with "--" (e.g., shorewall logwatch
540 -- -30). In this case, when a packet count changes, you will be
541 prompted to hit any key to resume screen refreshes.
542
543 logreject address
544 Causes traffic from the listed addresses to be logged then
545 rejected. Logging occurs at the log level specified by the
546 BLACKLIST_LOGLEVEL setting in shorewall.conf[2](5)
547 (shorewall6.conf[2](5)). This command requires that the firewall be
548 in the started state and that DYNAMIC_BLACKLIST=Yes in
549 shorewall.conf (5)[2].
550
551 ls
552 ls is a synonym for show -- please see below.
553
554 noiptrace iptables match expression
555 This is a low-level debugging command that cancels a trace started
556 by a preceding iptrace command.
557
558 The iptables match expression must be one given in the iptrace
559 command being canceled.
560
561 open source dest [ protocol [ port ] ]
562 Added in Shorewall 4.6.8. This command requires that the firewall
563 be in the started state and that DYNAMIC_BLACKLIST=Yes in
564 shorewall.conf (5)[2]. The effect of the command is to temporarily
565 open the firewall for connections matching the parameters.
566
567 The source and dest parameters may each be specified as all if you
568 don't wish to restrict the connection source or destination
569 respectively. Otherwise, each must contain a host or network
570 address or a valid DNS name.
571
572 The protocol may be specified either as a number or as a name
573 listed in /etc/protocols. The port may be specified numerically or
574 as a name listed in /etc/services.
575
576 To reverse the effect of a successful open command, use the close
577 command with the same parameters or simply restart the firewall.
578
579 Example: To open the firewall for SSH connections to address
580 192.168.1.1, the command would be:
581
582 shorewall open all 192.168.1.1 tcp 22
583
584 To reverse that command, use:
585
586 shorewall close all 192.168.1.1 tcp 22
587
588 reenable { interface | provider }
589 Added in Shorewall 4.6.9. This is equivalent to a disable command
590 followed by an enable command on the specified interface or
591 provider.
592
593 reject address
594 Causes traffic from the listed addresses to be silently rejected.
595 This command requires that the firewall be in the started state and
596 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
597
598 reload [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
599 This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0
600 reload command is now called remote-restart (see below).
601
602 Shorewall and Shorewall6
603 Reload is similar to shorewall start except that it assumes
604 that the firewall is already started. Existing connections are
605 maintained. If a directory is included in the command,
606 Shorewall will look in that directory first for configuration
607 files.
608
609 The -n option causes Shorewall to avoid updating the routing
610 table(s).
611
612 The -p option causes the connection tracking table to be
613 flushed; the conntrack utility must be installed to use this
614 option.
615
616 The -d option causes the compiler to run under the Perl
617 debugger.
618
619 The -f option suppresses the compilation step and simply reuses
620 the compiled script which last started/restarted Shorewall,
621 provided that /etc/shorewall and its contents have not been
622 modified since the last start/restart.
623
624 The -c option was added in Shorewall 4.4.20 and performs the
625 compilation step unconditionally, overriding the AUTOMAKE
626 setting in shorewall.conf[2](5) (Shorewall and Shorewall6
627 only). When both -f and -c are present, the result is
628 determined by the option that appears last.
629
630 The -T option was added in Shorewall 4.5.3 and causes a Perl
631 stack trace to be included with each compiler-generated error
632 and warning message.
633
634 The -i option was added in Shorewall 4.6.0 and causes a warning
635 message to be issued if the current line contains alternative
636 input specifications following a semicolon (";"). Such lines
637 will be handled incorrectly if INLINE_MATCHES is set to Yes in
638 shorewall.conf[2](5) (shorewall6.conf[2](5)).
639
640 The -C option was added in Shorewall 4.6.5 and is only
641 meaningful when AUTOMAKE=Yes in shorewall.conf[2](5)
642 (shorewall6.conf[2](5)). If an existing firewall script is used
643 and if that script was the one that generated the current
644 running configuration, then the running netfilter configuration
645 will be reloaded as is so as to preserve the iptables packet
646 and byte counters.
647
648 Shorewall-lite and Shorewall6-lite
649 Reload is similar to shorewall start except that it assumes
650 that the firewall is already started. Existing connections are
651 maintained.
652
653 The -n option causes Shorewall to avoid updating the routing
654 table(s).
655
656 The -p option causes the connection tracking table to be
657 flushed; the conntrack utility must be installed to use this
658 option.
659
660 The -C option was added in Shorewall 4.6.5. If the existing
661 firewall script is the one that generated the current running
662 configuration, then the running netfilter configuration will be
663 reloaded as is so as to preserve the iptables packet and byte
664 counters.
665
666 remote-getcaps [-R] [-r root-user-name] [ [ -D ] directory ] [ system ]
667 Added in Shorewall 5.2.0, this command executes shorewall[6]-lite
668 show capabilities -f > /var/lib/shorewall[6]-lite/capabilities on
669 the remote system via ssh; the generated file is then copied to
670 directory on the local system. If no directory is given, the
671 current working directory is assumed.
672
673 If -R is included, the remote shorewallrc file is also copied to
674 directory.
675
676 If -r is included, it specifies that the root user on system is
677 named root-user-name rather than "root".
678
679 remote-getrc [-c] [-r root-user-name] [ [ -D ] directory ] [ system ]
680 Added in Shorewall 5.2.0, this command copies the shorewallrc file
681 from the remote system to directory on the local system. If no
682 directory is given, the current working directory is assumed.
683
684 If -c is included, the remote capabilities are also copied to
685 directory, as is done by the remote-getcaps command.
686
687 If -r is included, it specifies that the root user on system is
688 named root-user-name rather than "root".
689
690 remote-start [-n] [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
691 directory ] [ system ]
692 This command was renamed from load in Shorewall 5.0.0 and is only
693 available in Shorewall and Shorewall6.
694
695 If directory is omitted, the current working directory is assumed.
696 Allows a non-root user to compile a shorewall script and install it
697 on a system (provided that the user has root access to the system
698 via ssh). The command is equivalent to:
699
700 /sbin/shorewall compile -e directory directory/firewall &&\
701 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
702 ssh root@system '/sbin/shorewall-lite start'
703
704 In other words, the configuration in the specified (or defaulted)
705 directory is compiled to a file called firewall in that directory.
706 If compilation succeeds, then firewall is copied to system using
707 scp. If the copy succeeds, Shorewall Lite on system is started via
708 ssh. Beginning with Shorewall 5.0.13, if system is omitted, then
709 the FIREWALL option setting in shorewall.conf[7](5)
710 (shorewall6.conf[2](5)) is assumed. In that case, if you want to
711 specify a directory, then the -D option must be given.
712
713 The -n option causes Shorewall to avoid updating the routing
714 table(s).
715
716 If -s is specified and the start command succeeds, then the remote
717 Shorewall-lite configuration is saved by executing shorewall-lite
718 save via ssh.
719
720 If -c is included, the command shorewall[6]-lite show capabilities
721 -f > /var/lib/shorewall[6]-lite/capabilities is executed via ssh;
722 the generated file is then copied to directory using scp. This step
723 is performed before the configuration is compiled.
724
725 If -r is included, it specifies that the root user on system is
726 named root-user-name rather than "root".
727
728 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
729 trace to be included with each compiler-generated error and warning
730 message.
731
732 remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
733 directory ] [ system ]
734 This command was added in Shorewall 5.0.0 and is only available in
735 Shorewall and Shorewall6.
736
737 If directory is omitted, the current working directory is assumed.
738 Allows a non-root user to compile a shorewall script and install it
739 on a system (provided that the user has root access to the system
740 via ssh). The command is equivalent to:
741
742 /sbin/shorewall compile -e directory directory/firewall &&\
743 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
744 ssh root@system '/sbin/shorewall-lite reload'
745
746 In other words, the configuration in the specified (or defaulted)
747 directory is compiled to a file called firewall in that directory.
748 If compilation succeeds, then firewall is copied to system using
749 scp. If the copy succeeds, Shorewall Lite on system is reloaded
750 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
751 then the FIREWALL option setting in shorewall.conf[2](5)
752 (shorewall6.conf[2](5)) is assumed. In that case, if you want to
753 specify a directory, then the -D option must be given.
754
755 If -s is specified and the reload command succeeds, then the
756 remote Shorewall-lite configuration is saved by executing
757 shorewall-lite save via ssh.
758
759 If -c is included, the command shorewall-lite show capabilities -f
760 > /var/lib/shorewall-lite/capabilities is executed via ssh then the
761 generated file is copied to directory using scp. This step is
762 performed before the configuration is compiled.
763
764 If -r is included, it specifies that the root user on system is
765 named root-user-name rather than "root".
766
767 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
768 trace to be included with each compiler-generated error and warning
769 message.
770
771 The -i option was added in Shorewall 4.6.0 and causes a warning
772 message to be issued if the current line contains alternative input
773 specifications following a semicolon (";"). Such lines will be
774 handled incorrectly if INLINE_MATCHES is set to Yes in
775 shorewall.conf[2](5) (shorewall6.conf[2](5)).
776
777 remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
778 directory ] [ system ]
779 This command was renamed from reload in Shorewall 5.0.0 and is
780 available in Shorewall and Shorewall6 only.
781
782 If directory is omitted, the current working directory is assumed.
783 Allows a non-root user to compile a shorewall script and install it
784 on a system (provided that the user has root access to the system
785 via ssh). The command is equivalent to:
786
787 /sbin/shorewall compile -e directory directory/firewall &&\
788 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
789 ssh root@system '/sbin/shorewall-lite restart'
790
791 In other words, the configuration in the specified (or defaulted)
792 directory is compiled to a file called firewall in that directory.
793 If compilation succeeds, then firewall is copied to system using
794 scp. If the copy succeeds, Shorewall Lite on system is restarted
795 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
796 then the FIREWALL option setting in shorewall.conf[2](5)
797 (shorewall6.conf[2](5)) is assumed. In that case, if you want to
798 specify a directory, then the -D option must be given.
799
800 If -s is specified and the restart command succeeds, then the
801 remote Shorewall-lite configuration is saved by executing
802 shorewall-lite save via ssh.
803
804 If -c is included, the command shorewall-lite show capabilities -f
805 > /var/lib/shorewall-lite/capabilities is executed via ssh then the
806 generated file is copied to directory using scp. This step is
807 performed before the configuration is compiled.
808
809 If -r is included, it specifies that the root user on system is
810 named root-user-name rather than "root".
811
812 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
813 trace to be included with each compiler-generated error and warning
814 message.
815
816 The -i option was added in Shorewall 4.6.0 and causes a warning
817 message to be issued if the current line contains alternative input
818 specifications following a semicolon (";"). Such lines will be
819 handled incorrectly if INLINE_MATCHES is set to Yes in
820 shorewall.conf[2](5) (shorewall6.conf[2](5)).
821
822 reset [chain, ...]
823 Resets the packet and byte counters in the specified chain(s). If
824 no chain is specified, all the packet and byte counters in the
825 firewall are reset.
826
827 Beginning with Shorewall 5.0.0, chain may be composed of both a
828 table name and a chain name separated by a colon (e.g.,
829 mangle:PREROUTING). Chain names following that don't include a
830 table name are assumed to be in that same table. If no table name
831 is given in the command, the filter table is assumed.
832
833 restart [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
834 Beginning with Shorewall 5.0.0, this command performs a true
835 restart. The firewall is completely stopped as if a stop command
836 had been issued then it is started again.
837
838 Shorewall and Shorewall6
839 If a directory is included in the command, Shorewall will look
840 in that directory first for configuration files.
841
842 The -n option causes Shorewall to avoid updating the routing
843 table(s).
844
845 The -p option causes the connection tracking table to be
846 flushed; the conntrack utility must be installed to use this
847 option.
848
849 The -d option causes the compiler to run under the Perl
850 debugger.
851
852 The -f option suppresses the compilation step and simply reuses
853 the compiled script which last started/restarted Shorewall,
854 provided that /etc/shorewall and its contents have not been
855 modified since the last start/restart.
856
857 The -c option was added in Shorewall 4.4.20 and performs the
858 compilation step unconditionally, overriding the AUTOMAKE
859 setting in shorewall.conf[2](5). When both -f and -c are
860 present, the result is determined by the option that appears
861 last.
862
863 The -T option was added in Shorewall 4.5.3 and causes a Perl
864 stack trace to be included with each compiler-generated error
865 and warning message.
866
867 The -i option was added in Shorewall 4.6.0 and causes a warning
868 message to be issued if the current line contains alternative
869 input specifications following a semicolon (";"). Such lines
870 will be handled incorrectly if INLINE_MATCHES is set to Yes in
871 shorewall.conf[2](5).
872
873 The -C option was added in Shorewall 4.6.5 and is only
874 meaningful when AUTOMAKE=Yes in shorewall.conf[2](5). If an
875 existing firewall script is used and if that script was the one
876 that generated the current running configuration, then the
877 running netfilter configuration will be reloaded as is so as to
878 preserve the iptables packet and byte counters.
879
880 Shorewall-lite and Shorewall6-lite
881 The -n option causes Shorewall to avoid updating the routing
882 table(s).
883
884 The -p option causes the connection tracking table to be
885 flushed; the conntrack utility must be installed to use this
886 option.
887
888 The -C option was added in Shorewall 4.6.5. If the existing
889 firewall script is the one that generated the current running
890 configuration, then the running netfilter configuration will be
891 reloaded as is so as to preserve the iptables packet and byte
892 counters.
893
894 restore [-n] [-p] [-C] [ filename ]
895 Restore Shorewall to a state saved using the shorewall save
896 command. Existing connections are maintained. The filename names a
897 restore file in /var/lib/shorewall created using shorewall save; if
898 no filename is given then Shorewall will be restored from the file
899 specified by the RESTOREFILE option in shorewall.conf[2](5)
900 (shorewall6.conf[2](5)).
901
902 Caution
903 If your iptables ruleset depends on variables that are detected
904 at run-time, either in your params file or by
905 Shorewall-generated code, restore will use the values that were
906 current when the ruleset was saved, which may be different from
907 the current values.
908 The -n option causes Shorewall to avoid updating the routing
909 table(s).
910
911 The -p option, added in Shorewall 4.6.5, causes the connection
912 tracking table to be flushed; the conntrack utility must be
913 installed to use this option.
914
915 The -C option was added in Shorewall 4.6.5. If the -C option was
916 specified during shorewall save, then the counters saved by that
917 operation will be restored.
918
919 run command [ parameter ... ]
920 Added in Shorewall 4.6.3. Executes command in the context of the
921 generated script passing the supplied parameters. Normally, the
922 command will be a function declared in lib.private.
923
924 Before executing the command, the script will detect the
925 configuration, setting all SW_* variables and will run your init
926 extension script with $COMMAND = 'run'.
927
928 If there are files in the CONFIG_PATH that were modified after the
929 current firewall script was generated, the following warning
930 message is issued:
931 WARNING: /var/lib/shorewall/firewall is not up to
932 date
933
934 safe-reload [-d] [-p] [-t timeout ] [ directory ]
935 Added in Shorewall 5.0.0, this command performs the same function
936 as did safe_restart in earlier releases. The command is available
937 in Shorewall and Shorewall6 only.
938
939 Only allowed if Shorewall is running. The current configuration is
940 saved in /var/lib/shorewall/safe-reload (see the save command
941 below) then a shorewall reload is done. You will then be prompted
942 asking if you want to accept the new configuration or not. If you
943 answer "n" or if you fail to answer within 60 seconds (such as when
944 your new configuration has disabled communication with your
945 terminal), the configuration is restored from the saved
946 configuration. If a directory is given, then Shorewall will look in
947 that directory first when opening configuration files.
948
949 Beginning with Shorewall 4.5.0, you may specify a different timeout
950 value using the -t option. The numeric timeout may optionally be
951 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
952 minutes or hours respectively. If the suffix is omitted, seconds is
953 assumed.
954
955 safe-restart [-d] [-p] [-t timeout ] [ directory ]
956 Only allowed if Shorewall[6] is running and is not available in
957 Shorewall-lite and Shorewall6-lite. The current configuration is
958 saved in /var/lib/shorewall/safe-restart (see the save command
959 below) then a shorewall restart is done. You will then be prompted
960 asking if you want to accept the new configuration or not. If you
961 answer "n" or if you fail to answer within 60 seconds (such as when
962 your new configuration has disabled communication with your
963 terminal), the configuration is restored from the saved
964 configuration. If a directory is given, then Shorewall will look in
965 that directory first when opening configuration files.
966
967 Beginning with Shorewall 4.5.0, you may specify a different timeout
968 value using the -t option. The numeric timeout may optionally be
969 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
970 minutes or hours respectively. If the suffix is omitted, seconds is
971 assumed.
972
973 safe-start [-d] [-p] [-t timeout ] [ directory ]
974 Shorewall is started normally. You will then be prompted asking if
975 everything went all right. If you answer "n" or if you fail to
976 answer within 60 seconds (such as when your new configuration has
977 disabled communication with your terminal), a shorewall clear is
978 performed for you. If a directory is given, then Shorewall will
979 look in that directory first when opening configuration files.
980
981 Beginning with Shorewall 4.5.0, you may specify a different timeout
982 value using the -t option. The numeric timeout may optionally be
983 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
984 minutes or hours respectively. If the suffix is omitted, seconds is
985 assumed.
986
987 This command is available in Shorewall and Shorewall6 only.
988
989 save [-C] [ filename ]
990 Creates a snapshot of the currently running firewall. The dynamic
991 blacklist is stored in /var/lib/shorewall/save. The state of the
992 firewall is stored in /var/lib/shorewall/filename for use by the
993 shorewall restore command. If filename is not given then the state
994 is saved in the file specified by the RESTOREFILE option in
995 shorewall.conf[2](5) (shorewall6.conf[2](5)).
996
997 The -C option, added in Shorewall 4.6.5, causes the iptables packet
998 and byte counters to be saved along with the chains and rules.
999
1000 savesets
1001 Added in Shorewall 4.6.8. Performs the same action as the stop
1002 command with respect to saving ipsets (see the SAVE_IPSETS option
1003 in shorewall.conf[2](5) (shorewall6.conf[2](5))). This command may
1004 be used to proactively save your ipset contents in the event that a
1005 system failure occurs prior to issuing a stop command.
1006
1007 show
1008 The show command can have a number of different arguments:
1009
1010 action action
1011 Lists the named action file. Available on Shorewall and
1012 Shorewall6 only.
1013
1014 actions
1015 Produces a report about the available actions (built-in,
1016 standard and user-defined). Available on Shorewall and
1017 Shorewall6 only.
1018
1019 bl|blacklists [-x]
1020 Added in Shorewall 4.6.2. Displays the dynamic chain along with
1021 any chains produced by entries in shorewall-blrules(5). The -x
1022 option is passed directly through to iptables and causes actual
1023 packet and byte counts to be displayed. Without this option,
1024 those counts are abbreviated.
1025
1026 [-f] capabilities
1027 Displays your kernel/iptables capabilities. The -f option
1028 causes the display to be formatted as a capabilities file for
1029 use with compile -e.
1030
1031 [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [ chain... ]
1032 The rules in each chain are displayed using the iptables -L
1033 chain -n -v command. If no chain is given, all of the chains in
1034 the filter table are displayed. The -x option is passed
1035 directly through to iptables and causes actual packet and byte
1036 counts to be displayed. Without this option, those counts are
1037 abbreviated. The -t option specifies the Netfilter table to
1038 display. The default is filter.
1039
1040 The -b ('brief') option causes rules which have not been used
1041 (i.e. which have zero packet and byte counts) to be omitted
1042 from the output. Chains with no rules displayed are also
1043 omitted from the output.
1044
1045 The -l option causes the rule number for each Netfilter rule to
1046 be displayed.
1047
1048 If the -t option and the chain keyword are both omitted and any
1049 of the listed chains do not exist, a usage message is
1050 displayed.
1051
1052 classifiers|filters
1053 Displays information about the packet classifiers defined on
1054 the system as a result of traffic shaping configuration.
1055
1056 config
1057 Displays distribution-specific defaults.
1058
1059 connections [filter_parameter ...]
1060 Displays the IP connections currently being tracked by the
1061 firewall.
1062
1063 If the conntrack utility is installed, beginning with Shorewall
1064 4.6.11 the set of connections displayed can be limited by
1065 including conntrack filter parameters (-p , -s, --dport, etc).
1066 See conntrack(8) for details.
1067
1068 event event
1069 Added in Shorewall 4.5.19. Displays the named event.
1070
1071 events
1072 Added in Shorewall 4.5.19. Displays all events.
1073
1074 ip
1075 Displays the system's IPv4 configuration.
1076
1077 ipa
1078 Added in Shorewall 4.4.17. Displays the per-IP accounting
1079 counters (shorewall-accounting[8](5),
1080 shorewall6-accounting[8](5)).
1081
1082 ipsec
1083 Added in Shorewall 5.1.0. Displays the contents of the IPSEC
1084 Security Policy Database (SPD) and Security Association
1085 Database (SAD). SAD keys are not displayed.
1086
1087 [-m] log
1088 Displays the last 20 Shorewall messages from the log file
1089 specified by the LOGFILE option in shorewall.conf[2](5)
1090 (shorewall6.conf[2](5)). The -m option causes the MAC address
1091 of each packet source to be displayed if that information is
1092 available.
1093
1094 macros
1095 Displays information about each macro defined on the firewall
1096 system (Shorewall and Shorewall6 only)
1097
1098 macro macro
1099 Added in Shorewall 4.4.6. Displays the file that implements the
1100 specified macro (usually /usr/share/shorewall/macro.macro).
1101 Available only in Shorewall and Shorewall6.
1102
1103 [-x] mangle
1104 Displays the Netfilter mangle table using the command iptables
1105 -t mangle -L -n -v. The -x option is passed directly through to
1106 iptables and causes actual packet and byte counts to be
1107 displayed. Without this option, those counts are abbreviated.
1108
1109 marks
1110 Added in Shorewall 4.4.26. Displays the various fields in
1111 packet marks giving the min and max value (in both decimal and
1112 hex) and the applicable mask (in hex).
1113
1114 [-x] nat
1115 Displays the Netfilter nat table using the command iptables -t
1116 nat -L -n -v. The -x option is passed directly through to
1117 iptables and causes actual packet and byte counts to be
1118 displayed. Without this option, those counts are abbreviated.
1119
1120 opens
1121 Added in Shorewall 4.5.8. Displays the iptables rules in the
1122 'dynamic' chain created through use of the open command.
1123
1124 policies
1125 Added in Shorewall 4.4.4. Displays the applicable policy
1126 between each pair of zones. Note that implicit intrazone ACCEPT
1127 policies are not displayed for zones associated with a single
1128 network where that network doesn't specify routeback.
1129
1130 rc
1131 Added in Shorewall 5.2.0. Displays the contents of
1132 $SHAREDIR/shorewall/shorewallrc.
1133
1134 [-c] routing
1135 Displays the system's IPv4 routing configuration. The -c option
1136 causes the route cache to be displayed along with the other
1137 routing information.
1138
1139 [-x] raw
1140 Displays the Netfilter raw table using the command iptables -t
1141 raw -L -n -v. The -x option is passed directly through to
1142 iptables and causes actual packet and byte counts to be
1143 displayed. Without this option, those counts are abbreviated.
1144
1145 saves
1146 Added in Shorewall 5.2.0. Lists snapshots created by the save
1147 command. Each snapshot is listed with the date and time when it
1148 was taken. If there is a snapshot with the name specified in
1149 the RESTOREFILE option in shorewall.conf[7](5), that snapshot
1150 is listed as the default snapshot for the restore command.
1151
1152 tc
1153 Displays information about queuing disciplines, classes and
1154 filters.
1155
1156 zones
1157 Displays the current composition of the Shorewall zones on the
1158 system.
1159
1160 start [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
1161
1162 Shorewall and Shorewall6
1163 Start shorewall[6]. Existing connections through shorewall
1164 managed interfaces are untouched. New connections will be
1165 allowed only if they are allowed by the firewall rules or
1166 policies. If a directory is included in the command, Shorewall
1167 will look in that directory first for configuration files. If
1168 -f is specified, the saved configuration specified by the
1169 RESTOREFILE option in shorewall.conf[2](5)
1170 (shorewall6.conf[2](5)) will be restored if that saved
1171 configuration exists and has been modified more recently than
1172 the files in /etc/shorewall. When -f is given, a directory may
1173 not be specified.
1174
1175 Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
1176 added to shorewall.conf[2](5) (shorewall6.conf[2](5)). When
1177 LEGACY_FASTSTART=No, the modification times of files in
1178 /etc/shorewall are compared with that of
1179 /var/lib/shorewall/firewall (the compiled script that last
1180 started/restarted the firewall).
1181
1182 The -n option causes Shorewall to avoid updating the routing
1183 table(s).
1184
1185 The -p option causes the connection tracking table to be
1186 flushed; the conntrack utility must be installed to use this
1187 option.
1188
1189 The -c option was added in Shorewall 4.4.20 and performs the
1190 compilation step unconditionally, overriding the AUTOMAKE
1191 setting in shorewall.conf[2](5) (shorewall6.conf[2](5)). When
1192 both -f and -c are present, the result is determined by the
1193 option that appears last.
1194
1195 The -T option was added in Shorewall 4.5.3 and causes a Perl
1196 stack trace to be included with each compiler-generated error
1197 and warning message.
1198
1199 The -i option was added in Shorewall 4.6.0 and causes a warning
1200 message to be issued if the current line contains alternative
1201 input specifications following a semicolon (";"). Such lines
1202 will be handled incorrectly if INLINE_MATCHES is set to Yes in
1203 shorewall.conf[2](5) (shorewall6.conf[2](5)).
1204
1205 The -C option was added in Shorewall 4.6.5 and is only
1206 meaningful when the -f option is also specified. If the
1207 previously-saved configuration is restored, and if the -C
1208 option was also specified in the save command, then the packet
1209 and byte counters will be restored.
1210
1211 Shorewall-lite and Shorewall6-lite
1212 Start Shorewall[6] Lite. Existing connections through
1213 shorewall[6]-lite managed interfaces are untouched. New
1214 connections will be allowed only if they are allowed by the
1215 firewall rules or policies.
1216
1217 The -p option causes the connection tracking table to be
1218 flushed; the conntrack utility must be installed to use this
1219 option.
1220
1221 The -n option prevents the firewall script from modifying the
1222 current routing configuration.
1223
1224 The -f option was added in Shorewall 4.6.5. If the RESTOREFILE
1225 named in shorewall.conf[7](5) exists, is executable and is not
1226 older than the current firewall script, then that saved
1227 configuration is restored.
1228
1229 The -C option was added in Shorewall 4.6.5 and is only
1230 meaningful when the -f option is also specified. If the
1231 previously-saved configuration is restored, and if the -C
1232 option was also specified in the save command, then the packet
1233 and byte counters will be restored.
1234
1235 stop [-f]
1236 Stops the firewall. All existing connections, except those listed
1237 in shorewall-routestopped[9](5) or permitted by the
1238 ADMINISABSENTMINDED option in shorewall.conf[2](5), are taken down.
1239 The only new traffic permitted through the firewall is from systems
1240 listed in shorewall-routestopped[9](5) or by ADMINISABSENTMINDED.
1241
1242 If -f is given, the command will be processed by the compiled
1243 script that executed the last successful start, restart or reload
1244 command if that script exists.
1245
1246 status [-i]
1247 Produces a short report about the state of the Shorewall-configured
1248 firewall.
1249
1250 The -i option was added in Shorewall 4.6.2 and causes the status of
1251 each optional or provider interface to be displayed.
1252
1253 try directory [ timeout ]
1254 This command is available in Shorewall and Shorewall6 only.
1255
1256 If Shorewall[6] is started then the firewall state is saved to a
1257 temporary saved configuration (/var/lib/shorewall/.try). Next, if
1258 Shorewall[6] is currently started then a restart command is issued
1259 using the specified configuration directory; otherwise, a start
1260 command is performed using the specified configuration directory.
1261 If an error occurs during the compilation phase of the restart or
1262 start, the command terminates without changing the Shorewall[6]
1263 state. If an error occurs during the restart phase, then a
1264 shorewall restore is performed using the saved configuration. If an
1265 error occurs during the start phase, then Shorewall is cleared. If
1266 the start/restart succeeds and a timeout is specified then a clear
1267 or restore is performed after timeout seconds.
1268
1269 Beginning with Shorewall 4.5.0, the numeric timeout may optionally
1270 be followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1271 minutes or hours respectively. If the suffix is omitted, seconds is
1272 assumed.
1273
1274 update [-d] [-r] [-T] [-a] [-i] [-A] [ directory ]
1275 This command is available only in Shorewall and Shorewall6.
1276
1277 Added in Shorewall 4.4.21 and causes the compiler to update
1278 /etc/shorewall/shorewall.conf then validate the configuration. The
1279 update will add options not present in the old file with their
1280 default values, and will move deprecated options with non-defaults
1281 to a deprecated options section at the bottom of the file. Your
1282 existing shorewall.conf file is renamed shorewall.conf.bak.
1283
1284 The command was extended over the years with a set of options that
1285 caused additional configuration updates.
1286
1287 · Convert an existing blacklist file into an equivalent blrules
1288 file.
1289
1290 · Convert an existing routestopped file into an equivalent
1291 stoppedrules file.
1292
1293 · Convert existing tcrules and tos files into an equivalent
1294 mangle file.
1295
1296 · Convert an existing notrack file into an equivalent conntrack
1297 file.
1298
1299 · Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
1300 ?SECTION and ?COMMENT directives.
1301
1302 In each case, the old file is renamed with a .bak suffix.
1303
1304 In Shorewall 5.0.0, the options were eliminated and the update
1305 command performs all of the updates described above.
1306
1307 Important
1308 There are some notable restrictions with the update command:
1309
1310 1. Converted rules will be appended to the existing file; if
1311 there is no existing file in the CONFIG_PATH, one will be
1312 created in the directory specified in the command or,
1313 otherwise, in the first entry in the CONFIG_PATH (normally
1314 /etc/shorewall).
1315
1316 2. Existing comments in the file being converted will not be
1317 transferred to the output file.
1318
1319 3. With the exception of the notrack->conntrack conversion,
1320 INCLUDEd files will be expanded inline in the output file.
1321
1322 4. Columns in the output file will be separated by a single
1323 tab character; there is no attempt made to otherwise align
1324 the columns.
1325
1326 5. Prior to Shorewall 5.0.15, shell variables will be expanded
1327 in the output file.
1328
1329 6. Prior to Shorewall 5.0.15, lines omitted by compiler
1330 directives (?if ...., etc.) will not appear in the output
1331 file.
1332
1333 Important
1334 Because the translation of the 'blacklist' and
1335 'routestopped' files is not 1:1, omitted lines and
1336 compiler directives are not transferred to the
1337 converted files. If either are present, the compiler
1338 issues a warning:
1339
1340 WARNING: "Omitted rules and compiler directives were not translated
1341 The -a option causes the updated shorewall.conf file to be
1342 annotated with documentation.
1343
1344 The -i option was added in Shorewall 4.6.0 and causes a warning
1345 message to be issued if the current line contains alternative input
1346 specifications following a semicolon (";"). Such lines will be
1347 handled incorrectly if INLINE_MATCHES is set to Yes in
1348 shorewall.conf[2](5).
1349
1350 The -A option is included for compatibility with Shorewall 4.6 and
1351 is equivalent to specifying the -i option.
1352
1353 For a description of the other options, see the check command
1354 above.
1355
1356 version [-a]
1357 Displays Shorewall's version. The -a option is included for
1358 compatibility with earlier Shorewall releases and is ignored.
1359
1361 In general, when a command succeeds, status 0 is returned; when the
1362 command fails, a non-zero status is returned.
1363
1364 The status command returns exit status as follows:
1365
1366 0 - Firewall is started.
1367
1368 3 - Firewall is stopped or cleared
1369
1370 4 - Unknown state; usually means that the firewall has never been
1371 started.
1372
1374 Two environment variables are recognized by Shorewall:
1375
1376 SHOREWALL_INIT_SCRIPT
1377 When set to 1, causes standard output (stdout) to be redirected to
1378 the file specified in the STARTUP_LOG option in shorewall.conf(5)[7].
1379
1380 SW_LOGGERTAG
1381 Added in Shorewall 5.0.8. When set to a non-empty value, that value
1382 is passed to the logger utility in its -t (--tag) option.
1383
1385 /etc/shorewall/*
1386
1387 /etc/shorewall6/*
1388
1390 http://www.shorewall.net/starting_and_stopping_shorewall.htm[10]
1391 - Describes operational aspects of Shorewall.
1392 shorewall-files(5)[11] -
1393 Describes the various configuration files along with features
1394 and
1395 conventions common to those files.
1396 shorewall-names(5)[12] -
1397 Describes naming of objects within a Shorewall configuration.
1398 shorewall-addresses(5)[13] -
1399 Describes how to specify addresses within a Shorewall
1400 configuration.
1401 shorewall-exclusion(5)[14] -
1402 Describes how to exclude certain hosts and/or networks from
1403 matching a
1404 rule.
1405 shorewall-nesting(5)[15]
1406 - Describes how to nest one Shorewall zone inside another.
1407
1409 1. http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace
1410 https://shorewall.org/starting_and_stopping_shorewall.htm#Trace
1411
1412 2. shorewall.conf
1413 https://shorewall.org/manpages/shorewall.conf.html
1414
1415 3. shorewall-interfaces
1416 https://shorewall.org/manpages/shorewall-interfaces.html
1417
1418 4. shorewall-zones
1419 https://shorewall.org/manpages/shorewall-zones.html
1420
1421 5. shorewall-routes
1422 https://shorewall.org/manpages/shorewall-routes.html
1423
1424 6. logging backend
1425 https://shorewall.org/shorewall_logging.html#Backends
1426
1427 7. shorewall.conf
1428 https://shorewall.org/shorewall.conf.html
1429
1430 8. shorewall-accounting
1431 https://shorewall.org/manpages/shorewall-accounting.html
1432
1433 9. shorewall-routestopped
1434 https://shorewall.org/manpages/shorewall-routestopped.html
1435
1436 10. http://www.shorewall.net/starting_and_stopping_shorewall.htm
1437 https://shorewall.org/starting_and_stopping_shorewall.htm
1438
1439 11. shorewall-files(5)
1440 https://shorewall.org/shorewall-files.html
1441
1442 12. shorewall-names(5)
1443 https://shorewall.org/shorewall-names.html
1444
1445 13. shorewall-addresses(5)
1446 https://shorewall.org/shorewall-addresses.html
1447
1448 14. shorewall-exclusion(5)
1449 https://shorewall.org/shorewall-exclusion.html
1450
1451 15. shorewall-nesting(5)
1452 https://shorewall.org/shorewall-nesting.html
1453
1454
1455
1456Administrative Commands 01/15/2020 SHOREWALL(8)