1SHOREWALL(8) Administrative Commands SHOREWALL(8)
2
6 shorewall - Administration tool for Shoreline Firewall (Shorewall)
7
9 shorewall[6][-lite] [options] add { interface[:host-list]...
10 zone | zone host-list }
11 shorewall[6][-lite] [options] allow address
13 shorewall[6][-lite] [options] blacklist[!] address [option ...]
15 shorewall[6][-lite] [options] call function [parameter ...]
17 shorewall[6] [trace|debug] [options] [check | ck ] [-e] [-d] [-p] [-r]
19 [-T] [-i] [directory]
20 shorewall[6][-lite] [options] clear [-f]
22 shorewall[6][-lite] [options]
24 close { open-number | sourcedest [protocol [ port ]]}
25 shorewall[6] [trace|debug] [options] [compile | co ] [-e] [-c] [-d]
27 [-p] [-T] [-i] [directory] [pathname]
28 shorewall[6][-lite] [options] delete { interface[:host-list]...
30 zone | zone host-list }
31 shorewall[6][-lite] [options] disable { interface | provider }
33 shorewall[6][-lite] [options] drop address
35 shorewall[6][-lite] [options] dump [-x] [-l] [-m] [-c]
37 shorewall[6][-lite] [options] enable { interface | provider }
39 shorewall[6] [options] export [directory1] [user@]system[:directory2]
41 shorewall[6][-lite] [options] forget [filename]
43 shorewall[6][-lite] [options] help
45 shorewall[-lite] [options] hits [-t]
47 shorewall[-lite] [options] ipcalc {address mask | address/vlsm}
49 shorewall[-lite] [options] iprange address1-address2
51 shorewall[6][-lite] [options] iptrace iptables match expression
53 shorewall[6][-lite] [options] logdrop address
55 shorewall[6][-lite] [options] logwatch [-m] [refresh-interval]
57 shorewall[6][-lite] [options] logreject address
59 shorewall[6][-lite] [options] noiptrace iptables match expression
61 shorewall[6][-lite] [options] open source dest [ protocol [ port ] ]
63 shorewall[6][-lite] [options] reenable { interface | provider }
65 shorewall[6][-lite] [options] reject address
67 shorewall[6][-lite] [options] reload [-n] [-p [-d]] [-f] [-c] [-T] [-i]
69 [-C] [directory]
70 shorewall[6] remote-getcaps [-s] [-R] [-r root-user-name] [-T] [-i]
72 [[-D]directory] [system]
73 shorewall[6] [options] remote-getrc [-s] [-c] [-r root-user-name] [-T]
75 [-i] [[-D]directory] [system]
76 shorewall[6] [options] remote-start [-s] [-c] [-r root-user-name] [-T]
78 [-i] [[-D]directory] [system]
79 shorewall[6] [options] remote-reload [-s] [-c] [-r root-user-name] [-T]
81 [-i] [[-D]directory] [system]
82 shorewall[6] [options] remote-restart [-s] [-c] [-r root-user-name]
84 [-T] [-i] [[-D]directory] [system]
85 shorewall[6][-lite] [options] reset [chain ...]
87 shorewall[6][-lite] [options] restart [-n] [-p [-d]] [-f] [-c] [-T]
89 [-i] [-C] [directory]
90 shorewall[6][-lite] [options] restore [-n] [-p] [-C] [filename]
92 shorewall[6][-lite] [options] run command [parameter ...]
94 shorewall[6] [options] safe-restart [-d] [-p] [-t timeout] [directory]
96 shorewall[6] [options] safe-start [-d] [-p] [-t timeout] [directory]
98 shorewall[6][-lite] [options] save [-C] [filename]
100 shorewall[6][-lite] [options] savesets
102 shorewall[6][-lite] [options] {show | list | ls } [-x] {bl|blacklists}
104 shorewall[6][-lite] [options] {show | list | ls } [-b] [-x] [-l]
106 [-t {filter|mangle|nat|raw}] [chain...]
107 shorewall[6][-lite] [options] {show | list | ls } [-f] capabilities
109 shorewall[6] [options] {show | list | ls } [-f] {actions|macros}
111 shorewall[6] [options] {show | list | ls } action action
113 shorewall[6][-lite] [options] {show | list | ls }
115 {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}
116 shorewall[6][-lite] [options] {show | list | ls } event event
118 shorewall[6][-lite] [options] {show | list | ls } [-c] routing
120 shorewall[6] [options] {show | list | ls } macro macro
122 shorewall[6][-lite] [options] {show | list | ls } [-x] {mangle|nat|raw}
124 shorewall[6][-lite] [options] {show | list | ls } saves
126 shorewall[6][-lite] [options] {show | list | ls } [-m] log
128 shorewall[6][-lite] [trace|debug] [options] start [-n] [-f] [-p] [-c]
130 [-T [-i]] [-C] [directory]
131 shorewall[6][-lite] [options] stop [-f]
133 shorewall[6][-lite] [options] status [-i]
135 shorewall[6] [options] try directory [timeout]
137 shorewall[6] [options] update [-b] [-d] [-r] [-T] [-a] [-i] [-A]
139 [directory]
140 shorewall[6][-lite] [options] version [-a]
142
144 Beginning with Shorewall 5.1.0, the shorewall utility is used to
145 control the Shoreline Firewall (Shorewall), Shorewall Firewall 6
146 (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall
147 Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under
148 four different names:
149 shorewall
151 Controls the Shorewall configuration when Shorewall is installed.
152 If Shorewall is not installed, the shorewall command controls
153 Shorewall-lite if it is installed. If neither Shorewall nor
154 Shorewall-lite is installed, the shorewall command controls
155 Shorewall6-lite if it is installed.
156 shorewall6
158 The shorewall6 command controls Shorewall6 when Shorewall6 is
159 installed.
160 shorewall-lite
162 The shorewall-lite command controls Shorewall-lite when
163 Shorewall-lite is installed.
164 shorewall6-lite
166 The shorewall6-lite command controls Shorewall6-lite when
167 Shorewall6-lite is installed.
168 Prior to Shorewall 5.1.0, these four commands were implemented as four
170 separate program, each of which controlled only a single firewall
171 package. This manpage serves to document both the Shorewall 5.1 and
172 Shorewall 5.0 CLI.
173
175 The options are:
176 -4
178 Added in Shorewall 5.1.0. Causes the command to operate on the
179 Shorewall configuration or the Shorewall-lite configuration. It is
180 the default when either of those products is installed and when the
181 command is shorewall or shorewall-lite.
182 -6
184 Added in Shorewall 5.1.0. Causes the command to operate on the
185 Shorewall6 or Shorewall6-lite configuration. It is the default when
186 only Shorewall6-lite is installed and when the command is
187 shorewall6 or shorewall6-lite.
188 -l
190 Added in Shorewall 5.1.0. Causes the command to operate on either
191 Shorewall-lite or Shorewall-6 lite and is the default when
192 Shorewall is not installed or when the command is shorewall-lite or
193 shorewall6-lite.
194 With all four firewall products (Shorewall, Shorewall6,
196 Shorewall-lite and Shorewall6-lite) installed, the following table
197 shows the correspondence between the name used to invoke the
198 command and the shorewall command with the above three options.
199 Table 1. All four products installed
201 The next table shows the correspondence when only Shorewall-lite
202 and Shorewall6-lite are installed.
203 Table 2. Only Shorewall-lite and Shorewall6-lite installed
205 Note that when Shorewall isn't installed, the 'shorewall' command
206 behaves like shorewall-lite. The same is not true with respect to
207 Shorewall6, "shorewall6" and 'shorewall6-lite". You can make
208 'shorewall6' behave like 'shorewallt-lite' by adding the following
209 command to root's .profile file (or to .bashrc, if root's shell is
210 bash):
211 alias shorewall6=shorewall6-lite
213 -v[verbosity]
215 Alters the amount of output produced by the command. If neither the
216 -v nor -q option are specified, the amount of output is determined
217 by the VERBOSITY setting in shorewall.conf[1](5)
218 (shorewall6.conf[1](5)).
219 When no verbosity is specified, each instance of this option causes
221 1 to be added to the effective verbosity. When verbosity (-1,0,1 or
222 2) is given, the command is executed at the specified VERBOSITY.
223 There may be no white-space between -v and the verbosity.
224 -q
226 Alters the amount of output produced by the command. If neither the
227 -v nor -q option are specified, the amount of output is determined
228 by the VERBOSITY setting in shorewall.conf[1](5)
229 (shorewall6.conf[1](5)).
230 Each instance of this option causes 1 to be subtracted from the
232 effective verbosity.
233 -t
235 Causes all progress messages to be timestamped.
236 -T
238 Added in Shorewall 5.2.4 to replace the earlier trace keyword.. If
239 the command invokes the generated firewall script, the script's
240 execution will be traced to standard error.
241 -D
243 Added in Shorewall 5.2.4 to replace the earlier debug keyword. If
244 the command invokes the generated firewall script, individual
245 invocations of the ip[6]tables utility will be used to configure
246 the ruleset rather than ip[6]tables-restore. This is useful for
247 diagnosing ip[6]tables-restore failures on a *COMMIT command.
248 Note
250 Prior to Shorewall 5.2.4, the general syntax for a CLI command was:
251 [trace|debug] [nolock] [options] command [command-options]
253 [command-arguments]
254 Examples:
256 shorewall debug -tv2 reload
258 shorewall trace check
259 shorewall nolock enable eth0
260 In Shorewall 5.2.4 and later, those commands would be:
262 shorewall -Dtv2 reload
264 shorewall check -D
265 shorewall -N enable eth0
266 While not shown in the command synopses at the top of this page,
268 the nolock keyword is still supported in Shorewall 5.2.4 and later,
269 but is deprecated in favor of the -N option.
270
272 The available commands are listed below.
273 add { interface[:host-list]... zone | zone host-list }
275 Adds a list of hosts or subnets to a dynamic zone usually used with
276 VPN's.
277 The interface argument names an interface defined in the
279 shorewall-interfaces[2](5) (shorewall6-interfaces[2](5))file. A
280 host-list is comma-separated list whose elements are host or
281 network addresses..if n .sp
282 Caution
283 The add command is not very robust. If there are errors in the
284 host-list, you may see a large number of error messages yet a
285 subsequent shorewall show zones command will indicate that all
286 hosts were added. If this happens, replace add by delete and
287 run the same command again. Then enter the correct command.
288 Beginning with Shorewall 4.5.9, the dynamic_shared zone option
290 (shorewall-zones[3](5),shorewall6-zones[3](5)) allows a single
291 ipset to handle entries for multiple interfaces. When that option
292 is specified for a zone, the add command has the alternative syntax
293 in which the zone name precedes the host-list.
294 allow address
296 Re-enables receipt of packets from hosts previously blacklisted by
297 a blacklist, drop, logdrop, reject, or logreject command.
298 blacklist[!] address [ option ... ]
300 Added in Shorewall 5.0.8 and requires DYNAMIC_BLACKLIST=ipset.. in
301 shorewall.conf[1](5). Causes packets from the given host or network
302 address to be dropped, based on the setting of BLACKLIST in
303 shorewall.conf[1](5). The address along with any options are passed
304 to the ipset add command. Probably the most useful option is the
305 timeout option. For example, to permanently blacklist 192.0.2.22,
306 the command would be:
307 shorewall blacklist 192.0.2.22 timeout 0
309 Beginning with Shorewall 5.2.5, the above command can be shortened
311 to:
312 shorewall blacklist! 192.0.2.22
314 If the disconnect option is specified in the DYNAMIC_BLACKLISTING
316 setting, then the effective VERBOSITY determines the amount of
317 information displayed:
318 • If the effective verbosity is > 0, then a message giving the
320 number of conntrack flows deleted by the command is displayed.
321 • If the effective verbosity is > 1, then the conntrack table
323 entries deleted by the command are also displayed.
324 call function [ parameter ... ]
326 Added in Shorewall 4.6.10. Allows you to call a function in one of
327 the Shorewall libraries or in your compiled script. function must
328 name the shell function to be called. The listed parameters are
329 passed to the function.
330 The function is first searched for in lib.base, lib.common, lib.cli
332 and lib.cli-std. If it is not found, the call command is passed to
333 the generated script to be executed.
334 check [-e] [-d] [-p] [-r] [-T] [-i] [-D][directory]
336 Not available with Shorewall[6]-lite.
337 Compiles the configuration in the specified directory and discards
339 the compiled output script. If no directory is given, then
340 /etc/shorewall is assumed.
341 The -e option causes the compiler to look for a file named
343 capabilities. This file is produced using the command
344 shorewall-lite show -f capabilities > capabilities on a system with
345 Shorewall Lite installed.
346 The -d option causes the compiler to be run under control of the
348 Perl debugger.
349 The -p option causes the compiler to be profiled via the Perl
351 -wd:DProf command-line option.
352 The -r option was added in Shorewall 4.5.2 and causes the compiler
354 to print the generated ruleset to standard out.
355 The -T option was added in Shorewall 4.4.20 and causes a Perl stack
357 trace to be included with each compiler-generated error and warning
358 message.
359 The -i option was added in Shorewall 4.6.0 and causes a warning
361 message to be issued if the current line contains alternative input
362 specifications following a semicolon (";"). Such lines will be
363 handled incorrectly if INLINE_MATCHES is set to Yes in
364 shorewall.conf[1](5) (shorewall6.conf[1](5)).
365 The -D option was added in Shoewall 5.2.4 and causes the compiler
367 to write a large amount of debugging information to standard
368 output.
369 clear [-f]
371 Clear will remove all rules and chains installed by Shorewall. The
372 firewall is then wide open and unprotected. Existing connections
373 are untouched. Clear is often used to see if the firewall is
374 causing connection problems.
375 If -f is given, the command will be processed by the compiled
377 script that executed the last successful start, restart or reload
378 command if that script exists.
379 close { open-number | source dest [ protocol [ port ] ] }
381 Added in Shorewall 4.5.8. This command closes a temporary open
382 created by the open command. In the first form, an open-number
383 specifies the open to be closed. Open numbers are displayed in the
384 num column of the output of the shorewall show opens command.
385 When the second form of the command is used, the parameters must
387 match those given in the earlier open command.
388 This command requires that the firewall be in the started state and
390 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[1].
391 compile [-e] [-c] [-d] [-p] [-T] [-i] [-D] [ directory ] [ pathname ]
393 Not available with shorewall[6]-lite.
394 Compiles the current configuration into the executable file
396 pathname. If a directory is supplied, Shorewall will look in that
397 directory first for configuration files. If the pathname is
398 omitted, the file firewall in the VARDIR (normally
399 /var/lib/shorewall/) is assumed. A pathname of '-' causes the
400 compiler to send the generated script to it's standard output file.
401 Note that '-v-1' is usually specified in this case (e.g., shorewall
402 -v-1 compile -- -) to suppress the 'Compiling...' message normally
403 generated by /sbin/shorewall.
404 When -e is specified, the compilation is being performed on a
406 system other than where the compiled script will run. This option
407 disables certain configuration options that require the script to
408 be compiled where it is to be run. The use of -e requires the
409 presence of a configuration file named capabilities which may be
410 produced using the command shorewall-lite show -f capabilities >
411 capabilities on a system with Shorewall Lite installed
412 The -c option was added in Shorewall 4.5.17 and causes conditional
414 compilation of a script. The script specified by pathname (or
415 implied if pathname is omitted) is compiled if it doesn't exist or
416 if there is any file in the directory or in a directory on the
417 CONFIG_PATH that has a modification time later than the file to be
418 compiled. When no compilation is needed, a message is issued and an
419 exit status of zero is returned.
420 The -d option causes the compiler to be run under control of the
422 Perl debugger.
423 The -p option causes the compiler to be profiled via the Perl
425 -wd:DProf command-line option.
426 The -T option was added in Shorewall 4.4.20 and causes a Perl stack
428 trace to be included with each compiler-generated error and warning
429 message.
430 The -i option was added in Shorewall 4.6.0 and causes a warning
432 message to be issued if the current line contains alternative input
433 specifications following a semicolon (";"). Such lines will be
434 handled incorrectly if INLINE_MATCHES is set to Yes in
435 shorewall.conf[1](5) (shorewall6.conf[1](5)).
436 The -D option was added in Shoewall 5.2.4 and causes the compiler
438 to write a large amount of debugging information to standard
439 output.
440 delete { interface[:host-list]... zone | zone host-list }
442 The delete command reverses the effect of an earlier add command.
443 The interface argument names an interface defined in the
445 shorewall-interfaces[2](5) (shorewall6-interfaces[2](5) file. A
446 host-list is comma-separated list whose elements are a host or
447 network address.
448 Beginning with Shorewall 4.5.9, the dynamic_shared zone option
450 (shorewall-zones[3](5), shorewall6-zones[3](5)) allows a single
451 ipset to handle entries for multiple interfaces. When that option
452 is specified for a zone, the delete command has the alternative
453 syntax in which the zone name precedes the host-list.
454 disable { interface | provider }
456 Added in Shorewall 4.4.26. Disables the optional provider
457 associated with the specified interface or provider. Where more
458 than one provider share a single network interface, a provider name
459 must be given.
460 Beginning with Shorewall 4.5.10, this command may be used with any
462 optional network interface. interface may be either the logical or
463 physical name of the interface. The command removes any routes
464 added from shorewall-routes[4](5) (shorewall6-routes[4](5))and any
465 traffic shaping configuration for the interface.
466 drop address
468 Causes traffic from the listed addresses to be silently dropped.
469 This command requires that the firewall be in the started state and
470 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[1].
471 dump [-x] [-l] [-m] [-c]
473 Produces a verbose report about the firewall configuration for the
474 purpose of problem analysis.
475 The -x option causes actual packet and byte counts to be displayed.
477 Without that option, these counts are abbreviated.
478 The -m option causes any MAC addresses included in Shorewall log
480 messages to be displayed.
481 The -l option causes the rule number for each Netfilter rule to be
483 displayed.
484 The -c option causes the route cache to be dumped in addition to
486 the other routing information.
487 enable { interface | provider }
489 Added in Shorewall 4.4.26. Enables the optional provider associated
490 with the specified interface or provider. Where more than one
491 provider share a single network interface, a provider name must be
492 given.
493 Beginning with Shorewall 4.5.10, this command may be used with any
495 optional network interface. interface may be either the logical or
496 physical name of the interface. The command sets /proc entries for
497 the interface, adds any route specified in shorewall-routes[4](5)
498 (shorewall6-routes[4](5)) and installs the interface's traffic
499 shaping configuration, if any.
500 export [ directory1 ] [ user@]system[:directory2 ]
502 Not available with Shorewall[6]-lite.
503 If directory1 is omitted, the current working directory is assumed.
505 Allows a non-root user to compile a shorewall script and stage it
507 on a system (provided that the user has access to the system via
508 ssh). The command is equivalent to:
509 /sbin/shorewall compile -e directory1 directory1/firewall &&\
511 scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]
512 In other words, the configuration in the specified (or defaulted)
514 directory is compiled to a file called firewall in that directory.
515 If compilation succeeds, then firewall and firewall.conf are copied
516 to system using scp.
517 forget [ filename ]
519 Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If
520 no filename is given then the file specified by RESTOREFILE in
521 shorewall.conf[1](5) (shorewall6.conf[1](5)) is assumed.
522 help
524 Displays a syntax summary.
525 hits [-t]
527 Generates several reports from Shorewall log messages in the
528 current log file. If the -t option is included, the reports are
529 restricted to log messages generated today. Not available with
530 Shorewall6[-lite].
531 ipcalc { address mask | address/vlsm }
533 Ipcalc displays the network address, broadcast address, network in
534 CIDR notation and netmask corresponding to the input[s]. Not
535 available with Shorewall6[-lite].
536 iprange address1-address2
538 Iprange decomposes the specified range of IP addresses into the
539 equivalent list of network/host addresses. Not available with
540 Shorewall6[-lite].
541 iptrace iptables match expression
543 This is a low-level debugging command that causes iptables TRACE
544 log records to be created. See iptables(8) for details.
545 The iptables match expression must be one or more matches that may
547 appear in both the raw table OUTPUT and raw table PREROUTING
548 chains.
549 The log message destination is determined by the currently-selected
551 IPv4 or IPv6 logging backend[5].
552 list
554 list is a synonym for show -- please see below.
555 logdrop address
557 Causes traffic from the listed addresses to be logged then
558 discarded. Logging occurs at the log level specified by the
559 BLACKLIST_LOGLEVEL setting in shorewall.conf[1] (5)
560 (shorewall6.conf[1](5)). This command requires that the firewall be
561 in the started state and that DYNAMIC_BLACKLIST=Yes in
562 shorewall.conf (5)[1].
563 logwatch [-m] [ refresh-interval ]
565 Monitors the log file specified by the LOGFILE option in
566 shorewall.conf[1](5) (shorewall6.conf[1](5)) and produces an
567 audible alarm when new Shorewall messages are logged. The -m option
568 causes the MAC address of each packet source to be displayed if
569 that information is available. The refresh-interval specifies the
570 time in seconds between screen refreshes. You can enter a negative
571 number by preceding the number with "--" (e.g., shorewall logwatch
572 -- -30). In this case, when a packet count changes, you will be
573 prompted to hit any key to resume screen refreshes.
574 logreject address
576 Causes traffic from the listed addresses to be logged then
577 rejected. Logging occurs at the log level specified by the
578 BLACKLIST_LOGLEVEL setting in shorewall.conf[1] (5),
579 (shorewall6.conf[1](5)). This command requires that the firewall be
580 in the started state and that DYNAMIC_BLACKLIST=Yes in
581 shorewall.conf (5)[1].
582 ls
584 ls is a synonym for show -- please see below.
585 noiptrace iptables match expression
587 This is a low-level debugging command that cancels a trace started
588 by a preceding iptrace command.
589 The iptables match expression must be one given in the iptrace
591 command being canceled.
592 open source dest [ protocol [ port ] ]
594 Added in Shorewall 4.6.8. This command requires that the firewall
595 be in the started state and that DYNAMIC_BLACKLIST=Yes in
596 shorewall.conf (5)[1]. The effect of the command is to temporarily
597 open the firewall for connections matching the parameters.
598 The source and dest parameters may each be specified as all if you
600 don't wish to restrict the connection source or destination
601 respectively. Otherwise, each must contain a host or network
602 address or a valid DNS name.
603 The protocol may be specified either as a number or as a name
605 listed in /etc/protocols. The port may be specified numerically or
606 as a name listed in /etc/services.
607 To reverse the effect of a successful open command, use the close
609 command with the same parameters or simply restart the firewall.
610 Example: To open the firewall for SSH connections to address
612 192.168.1.1, the command would be:
613 shorewall open all 192.168.1.1 tcp 22
615 To reverse that command, use:
617 shorewall close all 192.168.1.1 tcp 22
619 reenable{ interface | provider }
621 Added in Shorewall 4.6.9. This is equivalent to a disable command
622 followed by an enable command on the specified interface or
623 provider.
624 reject address
626 Causes traffic from the listed addresses to be silently rejected.
627 This command requires that the firewall be in the started state and
628 that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[1].
629 reload [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
631 This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0
632 reload command is now called remote-restart (see below).
633 Shorewall and Shorewall6
635 Reload is similar to shorewall start except that it assumes
636 that the firewall is already started. Existing connections are
637 maintained. If a directory is included in the command,
638 Shorewall will look in that directory first for configuration
639 files.
640 The -n option causes Shorewall to avoid updating the routing
642 table(s).
643 The -p option causes the connection tracking table to be
645 flushed; the conntrack utility must be installed to use this
646 option.
647 The -d option causes the compiler to run under the Perl
649 debugger.
650 The -f option suppresses the compilation step and simply reused
652 the compiled script which last started/restarted Shorewall,
653 provided that /etc/shorewall and its contents have not been
654 modified since the last start/restart.
655 The -c option was added in Shorewall 4.4.20 and performs the
657 compilation step unconditionally, overriding the AUTOMAKE
658 setting in shorewall.conf[1](5) (Shorewall and Shorewall6
659 only). When both -f and -c are present, the result is
660 determined by the option that appears last.
661 The -T option was added in Shorewall 4.5.3 and causes a Perl
663 stack trace to be included with each compiler-generated error
664 and warning message.
665 The -i option was added in Shorewall 4.6.0 and causes a warning
667 message to be issued if the current line contains alternative
668 input specifications following a semicolon (";"). Such lines
669 will be handled incorrectly if INLINE_MATCHES is set to Yes in
670 shorewall.conf[1](5) (shorewall6.conf[1](5))..
671 The -C option was added in Shorewall 4.6.5 and is only
673 meaningful when AUTOMAKE=Yes in shorewall.conf[1](5)
674 (shorewall6.conf[1](5)). If an existing firewall script is used
675 and if that script was the one that generated the current
676 running configuration, then the running netfilter configuration
677 will be reloaded as is so as to preserve the iptables packet
678 and byte counters.
679 The -D option was added in Shoewall 5.2.4 and causes the
681 compiler to write a large amount of debugging information to
682 standard output.
683 Shorewall-lite and Shorewall6-lite
685 Reload is similar to shorewall start except that it assumes
686 that the firewall is already started. Existing connections are
687 maintained.
688 The -n option causes Shorewall to avoid updating the routing
690 table(s).
691 The -p option causes the connection tracking table to be
693 flushed; the conntrack utility must be installed to use this
694 option.
695 The -C option was added in Shorewall 4.6.5 If the existing
697 firewall script is the one that generated the current running
698 configuration, then the running netfilter configuration will be
699 reloaded as is so as to preserve the iptables packet and byte
700 counters.
701 remote-getcaps [-R] [-r root-user-name] [ [ -D ] directory ] [ system ]
703 Added in Shoreall 5.2.0, this command executes shorewall[6]-lite
704 show capabilities -f > /var/lib/shorewall[6]-lite/capabilities on
705 the remote system via ssh then the generated file is copied to
706 directory on the local system. If no directory is given, the
707 current working directory is assumed.
708 if -R is included, the remote shorewallrc file is also copied to
710 directory.
711 If -r is included, it specifies that the root user on system is
713 named root-user-name rather than "root".
714 remote-getrc [-c] [-r root-user-name] [ [ -D ] directory ] [ system ]
716 Added in Shoreall 5.2.0, this command copies the shorewallrc file
717 from the remote system to directory on the local system. If no
718 directory is given, the current working directory is assumed.
719 if -c is included, the remote capabilities are also copied to
721 directory, as is done by the remote-getcaps command.
722 If -r is included, it specifies that the root user on system is
724 named root-user-name rather than "root".
725 remote-start [-n] [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
727 directory ] [ system ]
728 This command was renamed from load in Shorewall 5.0.0 and is only
729 available in Shorewall and Shoreawall6.
730 If directory is omitted, the current working directory is assumed.
732 Allows a non-root user to compile a shorewall script and install it
733 on a system (provided that the user has root access to the system
734 via ssh). The command is equivalent to:
735 /sbin/shorewall compile -e directory directory/firewall &&\
737 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
738 ssh root@system '/sbin/shorewall-lite start'
739 In other words, the configuration in the specified (or defaulted)
741 directory is compiled to a file called firewall in that directory.
742 If compilation succeeds, then firewall is copied to system using
743 scp. If the copy succeeds, Shorewall Lite on system is started via
744 ssh. Beginning with Shorewall 5.0.13, if system is omitted, then
745 the FIREWALL option setting in shorewall.conf[6](5)
746 (shorewall6.conf(5)[1]) is assumed. In that case, if you want to
747 specify a directory, then the -D option must be given.
748 The -n option causes Shorewall to avoid updating the routing
750 table(s).
751 If -s is specified and the start command succeeds, then the remote
753 Shorewall-lite configuration is saved by executing shorewall-lite
754 save via ssh.
755 if -c is included, the command shorewall[6]-lite show capabilities
757 -f > /var/lib/shorewall[6]-lite/capabilities is executed via ssh
758 then the generated file is copied to directory using scp. This step
759 is performed before the configuration is compiled.
760 If -r is included, it specifies that the root user on system is
762 named root-user-name rather than "root".
763 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
765 trace to be included with each compiler-generated error and warning
766 message.
767 remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
769 directory ] [ system ]
770 This command was added in Shorewall 5.0.0 and is only available in
771 Shorewall and Shorewall6.
772 If directory is omitted, the current working directory is assumed.
774 Allows a non-root user to compile a shorewall script and install it
775 on a system (provided that the user has root access to the system
776 via ssh). The command is equivalent to:
777 /sbin/shorewall compile -e directory directory/firewall &&\
779 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
780 ssh root@system '/sbin/shorewall-lite reload'
781 In other words, the configuration in the specified (or defaulted)
783 directory is compiled to a file called firewall in that directory.
784 If compilation succeeds, then firewall is copied to system using
785 scp. If the copy succeeds, Shorewall Lite on system is restarted
786 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
787 then the FIREWALL option setting in shorewall6.conf(5)[1]
788 (shorewall6.conf[1](5)) is assumed. In that case, if you want to
789 specify a directory, then the -D option must be given.
790 If -s is specified and the restart command succeeds, then the
792 remote Shorewall-lite configuration is saved by executing
793 shorewall-lite save via ssh.
794 if -c is included, the command shorewall-lite show capabilities -f
796 > /var/lib/shorewall-lite/capabilities is executed via ssh then the
797 generated file is copied to directory using scp. This step is
798 performed before the configuration is compiled.
799 If -r is included, it specifies that the root user on system is
801 named root-user-name rather than "root".
802 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
804 trace to be included with each compiler-generated error and warning
805 message.
806 The -i option was added in Shorewall 4.6.0 and causes a warning
808 message to be issued if the current line contains alternative input
809 specifications following a semicolon (";"). Such lines will be
810 handled incorrectly if INLINE_MATCHES is set to Yes in
811 shorewall.conf[1](5) (shorewall6.conf[1](5)).
812 remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
814 directory ] [ system ]
815 This command was renamed from reload in Shorewall 5.0.0 and is
816 available in Shorewall and Shorewall6 only.
817 If directory is omitted, the current working directory is assumed.
819 Allows a non-root user to compile a shorewall script and install it
820 on a system (provided that the user has root access to the system
821 via ssh). The command is equivalent to:
822 /sbin/shorewall compile -e directory directory/firewall &&\
824 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
825 ssh root@system '/sbin/shorewall-lite restart'
826 In other words, the configuration in the specified (or defaulted)
828 directory is compiled to a file called firewall in that directory.
829 If compilation succeeds, then firewall is copied to system using
830 scp. If the copy succeeds, Shorewall Lite on system is restarted
831 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
832 then the FIREWALL option setting in shorewall6.conf(5)[1]
833 (shorewall6.conf[1](5)) is assumed. In that case, if you want to
834 specify a directory, then the -D option must be given.
835 If -s is specified and the restart command succeeds, then the
837 remote Shorewall-lite configuration is saved by executing
838 shorewall-lite save via ssh.
839 if -c is included, the command shorewall-lite show capabilities -f
841 > /var/lib/shorewall-lite/capabilities is executed via ssh then the
842 generated file is copied to directory using scp. This step is
843 performed before the configuration is compiled.
844 If -r is included, it specifies that the root user on system is
846 named root-user-name rather than "root".
847 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
849 trace to be included with each compiler-generated error and warning
850 message.
851 The -i option was added in Shorewall 4.6.0 and causes a warning
853 message to be issued if the current line contains alternative input
854 specifications following a semicolon (";"). Such lines will be
855 handled incorrectly if INLINE_MATCHES is set to Yes in
856 shorewall.conf[1](5) (shorewall6.conf[1](5).
857 reset [chain, ...]
859 Resets the packet and byte counters in the specified chain(s). If
860 no chain is specified, all the packet and byte counters in the
861 firewall are reset.
862 Beginning with Shorewall 5.0.0, chain may be composed of both a
864 table name and a chain name separated by a colon (e.g.,
865 mangle:PREROUTING). Chain names following that don't include a
866 table name are assumed to be in that same table. If no table name
867 is given in the command, the filter table is assumed.
868 restart [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
870 Beginning with Shorewall 5.0.0, this command performs a true
871 restart. The firewall is completely stopped as if a stop command
872 had been issued then it is started again.
873 Shorewall and Shorewall6
875 If a directory is included in the command, Shorewall will look
876 in that directory first for configuration files.
877 The -n option causes Shorewall to avoid updating the routing
879 table(s).
880 The -p option causes the connection tracking table to be
882 flushed; the conntrack utility must be installed to use this
883 option.
884 The -d option causes the compiler to run under the Perl
886 debugger.
887 The -f option suppresses the compilation step and simply reused
889 the compiled script which last started/restarted Shorewall,
890 provided that /etc/shorewall and its contents have not been
891 modified since the last start/restart.
892 The -c option was added in Shorewall 4.4.20 and performs the
894 compilation step unconditionally, overriding the AUTOMAKE
895 setting in shorewall.conf[1](5). When both -f and -c are
896 present, the result is determined by the option that appears
897 last.
898 The -T option was added in Shorewall 4.5.3 and causes a Perl
900 stack trace to be included with each compiler-generated error
901 and warning message.
902 The -i option was added in Shorewall 4.6.0 and causes a warning
904 message to be issued if the current line contains alternative
905 input specifications following a semicolon (";"). Such lines
906 will be handled incorrectly if INLINE_MATCHES is set to Yes in
907 shorewall.conf[1](5).
908 The -C option was added in Shorewall 4.6.5 and is only
910 meaningful when AUTOMAKE=Yes in shorewall.conf[1](5). If an
911 existing firewall script is used and if that script was the one
912 that generated the current running configuration, then the
913 running netfilter configuration will be reloaded as is so as to
914 preserve the iptables packet and byte counters.
915 The -D option was added in Shoewall 5.2.4 and causes the
917 compiler to write a large amount of debugging information to
918 standard output.
919 Shorewall-lite and Shorewall6-lite
921 The -n option causes Shorewall to avoid updating the routing
922 table(s).
923 The -p option causes the connection tracking table to be
925 flushed; the conntrack utility must be installed to use this
926 option.
927 The -C option was added in Shorewall 4.6.5 If the existing
929 firewall script is the one that generated the current running
930 configuration, then the running netfilter configuration will be
931 reloaded as is so as to preserve the iptables packet and byte
932 counters.
933 restore [-n] [-p] [-C] [ filename ]
935 Restore Shorewall to a state saved using the shorewall save
936 command. Existing connections are maintained. The filename names a
937 restore file in /var/lib/shorewall created using shorewall save; if
938 no filename is given then Shorewall will be restored from the file
939 specified by the RESTOREFILE option in shorewall.conf[1](5)
940 (shorewall6.conf[1](5)).
941 Caution
943 If your iptables ruleset depends on variables that are detected
944 at run-time, either in your params file or by
945 Shorewall-generated code, restore will use the values that were
946 current when the ruleset was saved, which may be different from
947 the current values.
948 The -n option causes Shorewall to avoid updating the routing
949 table(s).
950 The -p option, added in Shorewall 4.6.5, causes the connection
952 tracking table to be flushed; the conntrack utility must be
953 installed to use this option.
954 The -C option was added in Shorewall 4.6.5. If the -C option was
956 specified during shorewall save, then the counters saved by that
957 operation will be restored.
958 run command [ parameter ... ]
960 Added in Shorewall 4.6.3. Executes command in the context of the
961 generated script passing the supplied parameters. Normally, the
962 command will be a function declared in lib.private.
963 Before executing the command, the script will detect the
965 configuration, setting all SW_* variables and will run your init
966 extension script with $COMMAND = 'run'.
967 If there are files in the CONFIG_PATH that were modified after the
969 current firewall script was generated, the following warning
970 message is issued:
971 WARNING: /var/lib/shorewall/firewall is not up to
972 date
973 safe-reload [-d] [-p] [-t timeout ] [ directory ]
975 Added in Shorewall 5.0.0, this command performs the same function
976 as did safe_restart in earlier releases. The command is available
977 in Shorewall and Shorewall6 only.
978 Only allowed if Shorewall is running. The current configuration is
980 saved in /var/lib/shorewall/safe-reload (see the save command
981 below) then a shorewall reload is done. You will then be prompted
982 asking if you want to accept the new configuration or not. If you
983 answer "n" or if you fail to answer within 60 seconds (such as when
984 your new configuration has disabled communication with your
985 terminal), the configuration is restored from the saved
986 configuration. If a directory is given, then Shorewall will look in
987 that directory first when opening configuration files.
988 Beginning with Shorewall 4.5.0, you may specify a different timeout
990 value using the -t option. The numeric timeout may optionally be
991 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
992 minutes or hours respectively. If the suffix is omitted, seconds is
993 assumed.
994 safe-restart [-d] [-p] [-t timeout ] [ directory ]
996 Only allowed if Shorewall[6] is running and is not available in
997 Shorewall-lite and Shorewall6-lite. The current configuration is
998 saved in /var/lib/shorewall/safe-restart (see the save command
999 below) then a shorewall restart is done. You will then be prompted
1000 asking if you want to accept the new configuration or not. If you
1001 answer "n" or if you fail to answer within 60 seconds (such as when
1002 your new configuration has disabled communication with your
1003 terminal), the configuration is restored from the saved
1004 configuration. If a directory is given, then Shorewall will look in
1005 that directory first when opening configuration files.
1006 Beginning with Shorewall 4.5.0, you may specify a different timeout
1008 value using the -t option. The numeric timeout may optionally be
1009 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1010 minutes or hours respectively. If the suffix is omitted, seconds is
1011 assumed.
1012 safe-start [-d] [-p] [-ttimeout ] [ directory ]
1014 Shorewall is started normally. You will then be prompted asking if
1015 everything went all right. If you answer "n" or if you fail to
1016 answer within 60 seconds (such as when your new configuration has
1017 disabled communication with your terminal), a shorewall clear is
1018 performed for you. If a directory is given, then Shorewall will
1019 look in that directory first when opening configuration files.
1020 Beginning with Shorewall 4.5.0, you may specify a different timeout
1022 value using the -t option. The numeric timeout may optionally be
1023 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1024 minutes or hours respectively. If the suffix is omitted, seconds is
1025 assumed.
1026 This command is available in Shorewall and Shorewall6 only.
1028 save [-C] [ filename ]
1030 Creates a snapshot of the currently running firewall. The dynamic
1031 blacklist is stored in /var/lib/shorewall/save. The state of the
1032 firewall is stored in /var/lib/shorewall/filename for use by the
1033 shorewall restore command. If filename is not given then the state
1034 is saved in the file specified by the RESTOREFILE option in
1035 shorewall.conf[1](5) (shorewall6.conf[1](5)).
1036 The -C option, added in Shorewall 4.6.5, causes the iptables packet
1038 and byte counters to be saved along with the chains and rules.
1039 savesets
1041 Added in shorewall 4.6.8. Performs the same action as the stop
1042 command with respect to saving ipsets (see the SAVE_IPSETS option
1043 in shorewall.conf[1] (5) (shorewall6.conf[1](5)). This command may
1044 be used to proactively save your ipset contents in the event that a
1045 system failure occurs prior to issuing a stop command.
1046 show
1048 The show command can have a number of different arguments:
1049 action action
1051 Lists the named action file. Available on Shorewall and
1052 Shorewall6 only.
1053 actions
1055 Produces a report about the available actions (built-in,
1056 standard and user-defined). Available on Shorewall and
1057 Shorewall6 only.
1058 bl|blacklists [-x]
1060 Added in Shorewall 4.6.2. Displays the dynamic chain along with
1061 any chains produced by entries in shorewall-blrules(5). The -x
1062 option is passed directly through to iptables and causes actual
1063 packet and byte counts to be displayed. Without this option,
1064 those counts are abbreviated.
1065 [-f] capabilities
1067 Displays your kernel/iptables capabilities. The -f option
1068 causes the display to be formatted as a capabilities file for
1069 use with compile -e.
1070 [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [ chain... ]
1072 The rules in each chain are displayed using the iptables -L
1073 chain -n -v command. If no chain is given, all of the chains in
1074 the filter table are displayed. The -x option is passed
1075 directly through to iptables and causes actual packet and byte
1076 counts to be displayed. Without this option, those counts are
1077 abbreviated. The -t option specifies the Netfilter table to
1078 display. The default is filter.
1079 The -b ('brief') option causes rules which have not been used
1081 (i.e. which have zero packet and byte counts) to be omitted
1082 from the output. Chains with no rules displayed are also
1083 omitted from the output.
1084 The -l option causes the rule number for each Netfilter rule to
1086 be displayed.
1087 If the -t option and the chain keyword are both omitted and any
1089 of the listed chains do not exist, a usage message is
1090 displayed.
1091 classifiers|filters
1093 Displays information about the packet classifiers defined on
1094 the system as a result of traffic shaping configuration.
1095 Beginning with Shorewall 5.2.8, this command is deprecated, as
1096 its output is included in the information displayed by the
1097 'show tc' command.
1098 config
1100 Displays distribution-specific defaults.
1101 connections [filter_parameter ...]
1103 Displays the IP connections currently being tracked by the
1104 firewall.
1105 If the conntrack utility is installed, beginning with Shorewall
1107 4.6.11 the set of connections displayed can be limited by
1108 including conntrack filter parameters (-p , -s, --dport, etc).
1109 See conntrack(8) for details.
1110 event event
1112 Added in Shorewall 4.5.19. Displays the named event.
1113 events
1115 Added in Shorewall 4.5.19. Displays all events.
1116 ip
1118 Displays the system's IPv4 configuration.
1119 ipa
1121 Added in Shorewall 4.4.17. Displays the per-IP accounting
1122 counters (shorewall-accounting[7] (5),
1123 shorewall6-accounting[7](5)).
1124 ipsec
1126 Added in Shorewall 5.1.0. Displays the contents of the IPSEC
1127 Security Policy Database (SPD) and Security Association
1128 Database (SAD). SAD keys are not displayed.
1129 [-m] log
1131 Displays the last 20 Shorewall messages from the log file
1132 specified by the LOGFILE option in shorewall.conf[1](5)
1133 (shorewall6.conf[1](5)). The -m option causes the MAC address
1134 of each packet source to be displayed if that information is
1135 available.
1136 macros
1138 Displays information about each macro defined on the firewall
1139 system (Shorewall and Shorewall6 only)
1140 macro macro
1142 Added in Shorewall 4.4.6. Displays the file that implements the
1143 specified macro (usually /usr/share/shorewall/macro.macro).
1144 Available only in Shorewall and Shorewall6.
1145 [-x] mangle
1147 Displays the Netfilter mangle table using the command iptables
1148 -t mangle -L -n -v. The -x option is passed directly through to
1149 iptables and causes actual packet and byte counts to be
1150 displayed. Without this option, those counts are abbreviated.
1151 marks
1153 Added in Shorewall 4.4.26. Displays the various fields in
1154 packet marks giving the min and max value (in both decimal and
1155 hex) and the applicable mask (in hex).
1156 [-x] nat
1158 Displays the Netfilter nat table using the command iptables -t
1159 nat -L -n -v. The -x option is passed directly through to
1160 iptables and causes actual packet and byte counts to be
1161 displayed. Without this option, those counts are abbreviated.
1162 opens
1164 Added in Shorewall 4.5.8. Displays the iptables rules in the
1165 'dynamic' chain created through use of the open command..
1166 policies
1168 Added in Shorewall 4.4.4. Displays the applicable policy
1169 between each pair of zones. Note that implicit intrazone ACCEPT
1170 policies are not displayed for zones associated with a single
1171 network where that network doesn't specify routeback.
1172 rc
1174 Added in Shorewall 5.2.0. Displays the contents of
1175 $SHAREDIR/shorewall/shorewallrc.
1176 [-c] routing
1178 Displays the system's IPv4 routing configuration. The -c option
1179 causes the route cache to be displayed along with the other
1180 routing information.
1181 [-x] raw
1183 Displays the Netfilter raw table using the command iptables -t
1184 raw -L -n -v. The -x option is passed directly through to
1185 iptables and causes actual packet and byte counts to be
1186 displayed. Without this option, those counts are abbreviated.
1187 saves
1189 Added in Shorewall 5.2.0. Lists snapshots created by the save
1190 command. Each snapshot is listed with the date and time when it
1191 was taken. If there is a snapshot with the name specified in
1192 the RESTOREFILE option in shorewall.conf(5[6]), that snapshot
1193 is listed as the default snapshot for the restore command.
1194 tc
1196 Displays information about queuing disciplines, classes and
1197 filters.
1198 zones
1200 Displays the current composition of the Shorewall zones on the
1201 system.
1202 start [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
1204 Shorewall and Shorewall6
1206 Start shorewall[6]. Existing connections through shorewall
1207 managed interfaces are untouched. New connections will be
1208 allowed only if they are allowed by the firewall rules or
1209 policies. If a directory is included in the command, Shorewall
1210 will look in that directory first for configuration files. If
1211 -f is specified, the saved configuration specified by the
1212 RESTOREFILE option in shorewall.conf[1](5)
1213 (shorewall6.conf[1](5)) will be restored if that saved
1214 configuration exists and has been modified more recently than
1215 the files in /etc/shorewall. When -f is given, a directory may
1216 not be specified.
1217 Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
1219 added to shorewall.conf[1](5) (shorewall6.conf[1](5)). When
1220 LEGACY_FASTSTART=No, the modification times of files in
1221 /etc/shorewall are compared with that of
1222 /var/lib/shorewall/firewall (the compiled script that last
1223 started/restarted the firewall).
1224 The -n option causes Shorewall to avoid updating the routing
1226 table(s).
1227 The -p option causes the connection tracking table to be
1229 flushed; the conntrack utility must be installed to use this
1230 option.
1231 The -c option was added in Shorewall 4.4.20 and performs the
1233 compilation step unconditionally, overriding the AUTOMAKE
1234 setting in shorewall.conf[1](5) (shorewall6.conf[1](5)). When
1235 both -f and -care present, the result is determined by the
1236 option that appears last.
1237 The -T option was added in Shorewall 4.5.3 and causes a Perl
1239 stack trace to be included with each compiler-generated error
1240 and warning message.
1241 The -i option was added in Shorewall 4.6.0 and causes a warning
1243 message to be issued if the current line contains alternative
1244 input specifications following a semicolon (";"). Such lines
1245 will be handled incorrectly if INLINE_MATCHES is set to Yes in
1246 shorewall.conf(5)[1] (shorewall6.conf[1](5)).
1247 The -C option was added in Shorewall 4.6.5 and is only
1249 meaningful when the -f option is also specified. If the
1250 previously-saved configuration is restored, and if the -C
1251 option was also specified in the save command, then the packet
1252 and byte counters will be restored.
1253 The -D option was added in Shoewall 5.2.4 and causes the
1255 compiler to write a large amount of debugging information to
1256 standard output.
1257 Shorewall-lite and Shorewall6-lite
1259 Start Shorewall[6] Lite. Existing connections through
1260 shorewall[6]-lite managed interfaces are untouched. New
1261 connections will be allowed only if they are allowed by the
1262 firewall rules or policies.
1263 The -p option causes the connection tracking table to be
1265 flushed; the conntrack utility must be installed to use this
1266 option.
1267 The -n option prevents the firewall script from modifying the
1269 current routing configuration.
1270 The -f option was added in Shorewall 4.6.5. If the RESTOREFILE
1272 named in shorewall.conf[6](5) exists, is executable and is not
1273 older than the current filewall script, then that saved
1274 configuration is restored.
1275 The -C option was added in Shorewall 4.6.5 and is only
1277 meaningful when the -f option is also specified. If the
1278 previously-saved configuration is restored, and if the -C
1279 option was also specified in the save command, then the packet
1280 and byte counters will be restored.
1281 stop
1283 Stops the firewall. All existing connections, except those listed
1284 in shorewall-stoppedrules[8](5) or permitted by the
1285 ADMINISABSENTMINDED option in shorewall.conf[1] The only new
1286 traffic permitted through the firewall is from systems listed in
1287 shorewall-stoppedrules[8](5) or by ADMINISABSENTMINDED.
1288 status [-i]
1290 Produces a short report about the state of the Shorewall-configured
1291 firewall.
1292 The -i option was added in Shorewall 4.6.2 and causes the status of
1294 each optional or provider interface to be displayed.
1295 try directory [ timeout ]
1297 This command is available in Shorewall and Shorewall6 only.
1298 If Shorewall[6] is started then the firewall state is saved to a
1300 temporary saved configuration (/var/lib/shorewall/.try). Next, if
1301 Shorewall[6] is currently started then a restart command is issued
1302 using the specified configuration directory; otherwise, a start
1303 command is performed using the specified configuration directory.
1304 if an error occurs during the compilation phase of the restart or
1305 start, the command terminates without changing the Shorewall[6]
1306 state. If an error occurs during the restart phase, then a
1307 shorewall restore is performed using the saved configuration. If an
1308 error occurs during the start phase, then Shorewall is cleared. If
1309 the start/restart succeeds and a timeout is specified then a clear
1310 or restore is performed after timeout seconds.
1311 Beginning with Shorewall 4.5.0, the numeric timeout may optionally
1313 be followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1314 minutes or hours respectively. If the suffix is omitted, seconds is
1315 assumed.
1316 update [-d] [-r] [-T] [-a] [-i] [-A] [ directory ]
1318 This command is available only in Shorewall and Shorewall6.
1319 Added in Shorewall 4.4.21 and causes the compiler to update
1321 /etc/shorewall/shorewall.conf then validate the configuration. The
1322 update will add options not present in the old file with their
1323 default values, and will move deprecated options with non-defaults
1324 to a deprecated options section at the bottom of the file. Your
1325 existing shorewall.conf file is renamed shorewall.conf.bak.
1326 The command was extended over the years with a set of options that
1328 caused additional configuration updates.
1329 • Convert an existing blacklist file into an equivalent blrules
1331 file.
1332 • Convert an existing routestopped file into an equivalent
1334 stoppedrules file.
1335 • Convert existing tcrules and tos files into an equivalent
1337 mangle file.
1338 • Convert an existing notrack file into an equivalent conntrack
1340 file.
1341 • Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
1343 ?SECTION and ?COMMENT directives.
1344 In each case, the old file is renamed with a .bak suffix.
1346 In Shorewall 5.0.0, the options were eliminated and the update
1348 command performs all of the updates described above.
1349 Important
1351 There are some notable restrictions with the update command:
1352 1. Converted rules will be appended to the existing file; if
1354 there is no existing file in the CONFIG_PATH, one will be
1355 created in the directory specified in the command or in the
1356 first entry in the CONFIG_PATH (normally /etc/shorewall)
1357 otherwise.
1358 2. Existing comments in the file being converted will not be
1360 transferred to the output file.
1361 3. With the exception of the notrack->conntrack conversion,
1363 INCLUDEd files will be expanded inline in the output file.
1364 4. Columns in the output file will be separated by a single
1366 tab character; there is no attempt made to otherwise align
1367 the columns.
1368 5. Prior to Shorewall 5.0.15, shell variables will be expanded
1370 in the output file.
1371 6. Prior to Shorewall 5.0.15, lines omitted by compiler
1373 directives (?if ...., etc.) will not appear in the output
1374 file.
1375 Important
1377 Because the translation of the 'blacklist' and
1378 'routestopped' files is not 1:1, omitted lines and
1379 compiler directives are not transferred to the
1380 converted files. If either are present, the compiler
1381 issues a warning:
1382 WARNING: "Omitted rules and compiler directives were not translated
1384 The -a option causes the updated shorewall.conf file to be
1385 annotated with documentation.
1386 The -i option was added in Shorewall 4.6.0 and causes a warning
1388 message to be issued if the current line contains alternative input
1389 specifications following a semicolon (";"). Such lines will be
1390 handled incorrectly if INLINE_MATCHES is set to Yes in
1391 shorewall.conf[1](5).
1392 The -A option is included for compatibility with Shorewall 4.6 and
1394 is equivalent to specifying the -i option.
1395 For a description of the other options, see the check command
1397 above.
1398 version [-a]
1400 Displays Shorewall's version. The -a option is included for
1401 compatibility with earlier Shorewall releases and is ignored.
1402
1404 In general, when a command succeeds, status 0 is returned; when the
1405 command fails, a non-zero status is returned.
1406 The status command returns exit status as follows:
1408 0 - Firewall is started.
1410 3 - Firewall is stopped or cleared
1412 4 - Unknown state; usually means that the firewall has never been
1414 started.
1415
1417 Two environmental variables are recognized by Shorewall:
1418 SHOREWALL_INIT_SCRIPT
1420 When set to 1, causes Std out to be redirected to the file
1421 specified in the STARTUP_LOG option in shorewall.conf(5)[6].
1422 SW_LOGGERTAG
1424 Added in Shorewall 5.0.8. When set to a non-empty value, that value
1425 is passed to the logger utility in its -t (--tag) option.
1426
1428 /etc/shorewall/*
1429 /etc/shorewall6/*
1431
1433 https://shorewall.org/starting_and_stopping_shorewall.htm[9]
1434 - Describes operational aspects of Shorewall.
1435 shorewall-files(5)[10] -
1436 Describes the various configuration files along with features
1437 and
1438 conventions common to those files.
1439 shorewall-names(5)[11] -
1440 Describes naming of objects within a Shorewall configuration.
1441 shorewall-addresses(5)[12] -
1442 Describes how to specify addresses within a Shorewall
1443 configuration.
1444 shorewall-exclusion(5)[13] -
1445 Describes how to exclude certain hosts and/or networks from
1446 matching a
1447 rule.
1448 shorewall-nesting(5)[14]
1449 - Describes how to nest one Shorewall zone inside another.
1450
1452 1. shorewall.conf
1453 https://shorewall.org/manpages//manpages/shorewall.conf.html
1454 2. shorewall-interfaces
1456 https://shorewall.org/manpages//manpages/shorewall-interfaces.html
1457 3. shorewall-zones
1459 https://shorewall.org/manpages//manpages/shorewall-zones.html
1460 4. shorewall-routes
1462 https://shorewall.org/manpages//manpages/shorewall-routes.html
1463 5. logging backend
1465 https://shorewall.org/manpages//shorewall_logging.html#Backends
1466 6. shorewall.conf
1468 https://shorewall.org/manpages/shorewall.conf.html
1469 7. shorewall-accounting
1471 https://shorewall.org/manpages//manpages/shorewall-accounting.html
1472 8. shorewall-stoppedrules
1474 https://shorewall.org/manpages//manpages/shorewall-stoppedrules.html
1475 9. https://shorewall.org/starting_and_stopping_shorewall.htm
1477 https://shorewall.org/manpages//starting_and_stopping_shorewall.htm
1478 10. shorewall-files(5)
1480 https://shorewall.org/manpages/shorewall-files.html
1481 11. shorewall-names(5)
1483 https://shorewall.org/manpages/shorewall-names.html
1484 12. shorewall-addresses(5)
1486 https://shorewall.org/manpages/shorewall-addresses.html
1487 13. shorewall-exclusion(5)
1489 https://shorewall.org/manpages/shorewall-exclusion.html
1490 14. shorewall-nesting(5)
1492 https://shorewall.org/manpages/shorewall-nesting.html
1493Administrative Commands 09/24/2020 SHOREWALL(8)