1SHOREWALL(8)                Administrative Commands               SHOREWALL(8)
2
3
4

NAME

6       shorewall - Administration tool for Shoreline Firewall (Shorewall)
7

SYNOPSIS

9       shorewall[6][-lite] [options] add { interface[:host-list]...
10                           zone | zone host-list }
11
12       shorewall[6][-lite] [options] allow address
13
14       shorewall[6][-lite] [options] blacklist[!] address [option ...]
15
16       shorewall[6][-lite] [options] call function [parameter ...]
17
18       shorewall[6] [trace|debug] [options] [check | ck ]  [-e] [-d] [-p] [-r]
19                    [-T] [-i] [directory]
20
21       shorewall[6][-lite] [options] clear [-f]
22
23       shorewall[6][-lite] [options]
24                           close { open-number | sourcedest [protocol [ port ]]}
25
26       shorewall[6] [trace|debug] [options] [compile | co ]  [-e] [-c] [-d]
27                    [-p] [-T] [-i] [directory] [pathname]
28
29       shorewall[6][-lite] [options] delete { interface[:host-list]...
30                           zone | zone host-list }
31
32       shorewall[6][-lite] [options] disable { interface | provider }
33
34       shorewall[6][-lite] [options] drop address
35
36       shorewall[6][-lite] [options] dump [-x] [-l] [-m] [-c]
37
38       shorewall[6][-lite] [options] enable { interface | provider }
39
40       shorewall[6] [options] export [directory1] [user@]system[:directory2]
41
42       shorewall[6][-lite] [options] forget [filename]
43
44       shorewall[6][-lite] [options] help
45
46       shorewall[-lite] [options] hits [-t]
47
48       shorewall[-lite] [options] ipcalc {address mask | address/vlsm}
49
50       shorewall[-lite] [options] iprange address1-address2
51
52       shorewall[6][-lite] [options] iptrace iptables match expression
53
54       shorewall[6][-lite] [options] logdrop address
55
56       shorewall[6][-lite] [options] logwatch [-m] [refresh-interval]
57
58       shorewall[6][-lite] [options] logreject address
59
60       shorewall[6][-lite] [options] noiptrace iptables match expression
61
62       shorewall[6][-lite] [options] open source dest [ protocol [ port ] ]
63
64       shorewall[6][-lite] [options] reenable { interface | provider }
65
66       shorewall[6][-lite] [options] reject address
67
68       shorewall[6][-lite] [options] reload [-n] [-p [-d]] [-f] [-c] [-T] [-i]
69                           [-C] [directory]
70
71       shorewall[6] remote-getcaps [-s] [-R] [-r root-user-name] [-T] [-i]
72                    [[-D]directory] [system]
73
74       shorewall[6] [options] remote-getrc [-s] [-c] [-r root-user-name] [-T]
75                    [-i] [[-D]directory] [system]
76
77       shorewall[6] [options] remote-start [-s] [-c] [-r root-user-name] [-T]
78                    [-i] [[-D]directory] [system]
79
80       shorewall[6] [options] remote-reload [-s] [-c] [-r root-user-name] [-T]
81                    [-i] [[-D]directory] [system]
82
83       shorewall[6] [options] remote-restart [-s] [-c] [-r root-user-name]
84                    [-T] [-i] [[-D]directory] [system]
85
86       shorewall[6][-lite] [options] reset [chain ...]
87
88       shorewall[6][-lite] [options] restart [-n] [-p [-d]] [-f] [-c] [-T]
89                           [-i] [-C] [directory]
90
91       shorewall[6][-lite] [options] restore [-n] [-p] [-C]  [filename]
92
93       shorewall[6][-lite] [options] run command [parameter ...]
94
95       shorewall[6] [options] safe-restart [-d] [-p] [-t timeout] [directory]
96
97       shorewall[6] [options] safe-start [-d] [-p] [-t timeout] [directory]
98
99       shorewall[6][-lite] [options] save [-C]  [filename]
100
101       shorewall[6][-lite] [options] savesets
102
103       shorewall[6][-lite] [options] {show | list | ls } [-x] {bl|blacklists}
104
105       shorewall[6][-lite] [options] {show | list | ls } [-b] [-x] [-l]
106                           [-t {filter|mangle|nat|raw}] [chain...]
107
108       shorewall[6][-lite] [options] {show | list | ls } [-f] capabilities
109
110       shorewall[6] [options] {show | list | ls } [-f] {actions|macros}
111
112       shorewall[6] [options] {show | list | ls } action action
113
114       shorewall[6][-lite] [options] {show | list | ls }
115                           {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}
116
117       shorewall[6][-lite] [options] {show | list | ls } event event
118
119       shorewall[6][-lite] [options] {show | list | ls } [-c] routing
120
121       shorewall[6] [options] {show | list | ls } macro macro
122
123       shorewall[6][-lite] [options] {show | list | ls } [-x] {mangle|nat|raw}
124
125       shorewall[6][-lite] [options] {show | list | ls } saves
126
127       shorewall[6][-lite] [options] {show | list | ls } [-m] log
128
129       shorewall[6][-lite] [trace|debug] [options] start [-n] [-f] [-p] [-c]
130                           [-T [-i]] [-C] [directory]
131
132       shorewall[6][-lite] [options] stop [-f]
133
134       shorewall[6][-lite] [options] status [-i]
135
136       shorewall[6] [options] try directory [timeout]
137
138       shorewall[6] [options] update [-b] [-d] [-r] [-T] [-a] [-i] [-A]
139                    [directory]
140
141       shorewall[6][-lite] [options] version [-a]
142

DESCRIPTION

144       Beginning with Shorewall 5.1.0, the shorewall utility is used to
145       control the Shoreline Firewall (Shorewall), Shorewall Firewall 6
146       (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall
147       Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under
148       four different names:
149
150       shorewall
151           Controls the Shorewall configuration when Shorewall is installed.
152           If Shorewall is not installed, the shorewall command controls
153           Shorewall-lite if it is installed. If neither Shorewall nor
154           Shorewall-lite is installed, the shorewall command controls
155           Shorewall6-lite if it is installed.
156
157       shorewall6
158           The shorewall6 command controls Shorewall6 when Shorewall6 is
159           installed.
160
161       shorewall-lite
162           The shorewall-lite command controls Shorewall-lite when
163           Shorewall-lite is installed.
164
165       shorewall6-lite
166           The shorewall6-lite command controls Shorewall6-lite when
167           Shorewall6-lite is installed.
168
       Prior to Shorewall 5.1.0, these four commands were implemented as four
       separate programs, each of which controlled only a single firewall
171       package. This manpage serves to document both the Shorewall 5.1 and
172       Shorewall 5.0 CLI.
173

OPTIONS

175       The options are:
176
177       -4
178           Added in Shorewall 5.1.0. Causes the command to operate on the
179           Shorewall configuration or the Shorewall-lite configuration. It is
180           the default when either of those products is installed and when the
181           command is shorewall or shorewall-lite.
182
183       -6
184           Added in Shorewall 5.1.0. Causes the command to operate on the
185           Shorewall6 or Shorewall6-lite configuration. It is the default when
186           only Shorewall6-lite is installed and when the command is
187           shorewall6 or shorewall6-lite.
188
189       -l
190           Added in Shorewall 5.1.0. Causes the command to operate on either
           Shorewall-lite or Shorewall6-lite and is the default when
192           Shorewall is not installed or when the command is shorewall-lite or
193           shorewall6-lite.
194
195           With all four firewall products (Shorewall, Shorewall6,
196           Shorewall-lite and Shorewall6-lite) installed, the following table
197           shows the correspondence between the name used to invoke the
198           command and the shorewall command with the above three options.
199
200           Table 1. All four products installed
201           The next table shows the correspondence when only Shorewall-lite
202           and Shorewall6-lite are installed.
203
204           Table 2. Only Shorewall-lite and Shorewall6-lite installed
           Note that when Shorewall isn't installed, the 'shorewall' command
           behaves like shorewall-lite. The same is not true with respect to
           Shorewall6: 'shorewall6' does not fall back to 'shorewall6-lite'. You
           can make 'shorewall6' behave like 'shorewall6-lite' by adding the
           following command to root's .profile file (or to .bashrc, if root's
           shell is bash):
211
212                   alias shorewall6=shorewall6-lite
213
214       -v[verbosity]
215           Alters the amount of output produced by the command. If neither the
216           -v nor -q option are specified, the amount of output is determined
217           by the VERBOSITY setting in shorewall.conf[1](5)
218           (shorewall6.conf[1](5)).
219
220           When no verbosity is specified, each instance of this option causes
221           1 to be added to the effective verbosity. When verbosity (-1,0,1 or
222           2) is given, the command is executed at the specified VERBOSITY.
223           There may be no white-space between -v and the verbosity.
224
225       -q
226           Alters the amount of output produced by the command. If neither the
227           -v nor -q option are specified, the amount of output is determined
228           by the VERBOSITY setting in shorewall.conf[1](5)
229           (shorewall6.conf[1](5)).
230
231           Each instance of this option causes 1 to be subtracted from the
232           effective verbosity.
233
234       -t
235           Causes all progress messages to be timestamped.
236
       -T
           Added in Shorewall 5.2.4 to replace the earlier trace keyword. If
           the command invokes the generated firewall script, the script's
           execution will be traced to standard error. A -T given after a
           command name (e.g., check -T) is a command option with a different
           meaning, described under that command.
241
       -D
           Added in Shorewall 5.2.4 to replace the earlier debug keyword. If
           the command invokes the generated firewall script, individual
           invocations of the ip[6]tables utility will be used to configure
           the ruleset rather than a single ip[6]tables-restore load. This is
           useful for diagnosing ip[6]tables-restore failures on a *COMMIT
           command; because the rules are then installed one at a time rather
           than as one transaction, it is intended for diagnosis rather than
           routine use. A -D given after a command name (e.g., check -D) is a
           command option with a different meaning, described under that
           command.
248
249           Note
250           Prior to Shorewall 5.2.4, the general syntax for a CLI command was:
251
252           [trace|debug] [nolock] [options] command [command-options]
253            [command-arguments]
254
255           Examples:
256
257                   shorewall debug -tv2 reload
258                   shorewall trace check
259                   shorewall nolock enable eth0
260
261           In Shorewall 5.2.4 and later, those commands would be:
262
263                   shorewall -Dtv2 reload
264                   shorewall check -D
265                   shorewall -N enable eth0
266
267           While not shown in the command synopses at the top of this page,
268           the nolock keyword is still supported in Shorewall 5.2.4 and later,
269           but is deprecated in favor of the -N option.
270

COMMANDS

272       The available commands are listed below.
273
274       add { interface[:host-list]... zone | zone host-list }
           Adds a list of hosts or subnets to a dynamic zone, usually one used
           with VPNs.

           The interface argument names an interface defined in the
           shorewall-interfaces[2](5) (shorewall6-interfaces[2](5)) file. A
           host-list is a comma-separated list whose elements are host or
           network addresses.
282               Caution
283               The add command is not very robust. If there are errors in the
284               host-list, you may see a large number of error messages yet a
285               subsequent shorewall show zones command will indicate that all
286               hosts were added. If this happens, replace add by delete and
287               run the same command again. Then enter the correct command.
288
289           Beginning with Shorewall 4.5.9, the dynamic_shared zone option
290           (shorewall-zones[3](5),shorewall6-zones[3](5)) allows a single
291           ipset to handle entries for multiple interfaces. When that option
292           is specified for a zone, the add command has the alternative syntax
293           in which the zone name precedes the host-list.
294
295       allow address
296           Re-enables receipt of packets from hosts previously blacklisted by
297           a blacklist, drop, logdrop, reject, or logreject command.
298
299       blacklist[!] address [ option ... ]
           Added in Shorewall 5.0.8 and requires DYNAMIC_BLACKLIST=ipset[,...]
           in shorewall.conf[1](5). Causes packets from the given host or network
302           address to be dropped, based on the setting of BLACKLIST in
303           shorewall.conf[1](5). The address along with any options are passed
304           to the ipset add command. Probably the most useful option is the
305           timeout option. For example, to permanently blacklist 192.0.2.22,
306           the command would be:
307
308                   shorewall blacklist 192.0.2.22 timeout 0
309
310           Beginning with Shorewall 5.2.5, the above command can be shortened
311           to:
312
313                   shorewall blacklist! 192.0.2.22
314
315           If the disconnect option is specified in the DYNAMIC_BLACKLISTING
316           setting, then the effective VERBOSITY determines the amount of
317           information displayed:
318
319           •   If the effective verbosity is > 0, then a message giving the
320               number of conntrack flows deleted by the command is displayed.
321
322           •   If the effective verbosity is > 1, then the conntrack table
323               entries deleted by the command are also displayed.
324
325       call function [ parameter ... ]
326           Added in Shorewall 4.6.10. Allows you to call a function in one of
327           the Shorewall libraries or in your compiled script. function must
328           name the shell function to be called. The listed parameters are
329           passed to the function.
330
331           The function is first searched for in lib.base, lib.common, lib.cli
332           and lib.cli-std. If it is not found, the call command is passed to
333           the generated script to be executed.
334
       check [-e] [-d] [-p] [-r] [-T] [-i] [-D] [directory]
336           Not available with Shorewall[6]-lite.
337
338           Compiles the configuration in the specified directory and discards
339           the compiled output script. If no directory is given, then
340           /etc/shorewall is assumed.
341
342           The -e option causes the compiler to look for a file named
343           capabilities. This file is produced using the command
344           shorewall-lite show -f capabilities > capabilities on a system with
345           Shorewall Lite installed.
346
347           The -d option causes the compiler to be run under control of the
348           Perl debugger.
349
350           The -p option causes the compiler to be profiled via the Perl
351           -wd:DProf command-line option.
352
353           The -r option was added in Shorewall 4.5.2 and causes the compiler
354           to print the generated ruleset to standard out.
355
356           The -T option was added in Shorewall 4.4.20 and causes a Perl stack
357           trace to be included with each compiler-generated error and warning
358           message.
359
360           The -i option was added in Shorewall 4.6.0 and causes a warning
361           message to be issued if the current line contains alternative input
362           specifications following a semicolon (";"). Such lines will be
363           handled incorrectly if INLINE_MATCHES is set to Yes in
364           shorewall.conf[1](5) (shorewall6.conf[1](5)).
365
           The -D option was added in Shorewall 5.2.4 and causes the compiler
367           to write a large amount of debugging information to standard
368           output.
369
370       clear [-f]
           Clear will remove all rules and chains installed by Shorewall. The
           firewall is then wide open and unprotected, so clear should only be
           run when temporarily exposing the host is acceptable. Existing
           connections are untouched. Clear is often used to see if the
           firewall is causing connection problems.
375
376           If -f is given, the command will be processed by the compiled
377           script that executed the last successful start, restart or reload
378           command if that script exists.
379
380       close { open-number | source dest [ protocol [ port ] ] }
381           Added in Shorewall 4.5.8. This command closes a temporary open
382           created by the open command. In the first form, an open-number
383           specifies the open to be closed. Open numbers are displayed in the
384           num column of the output of the shorewall show opens command.
385
386           When the second form of the command is used, the parameters must
387           match those given in the earlier open command.
388
389           This command requires that the firewall be in the started state and
390           that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[1].
391
392       compile [-e] [-c] [-d] [-p] [-T] [-i] [-D] [ directory ] [ pathname ]
393           Not available with shorewall[6]-lite.
394
395           Compiles the current configuration into the executable file
396           pathname. If a directory is supplied, Shorewall will look in that
397           directory first for configuration files. If the pathname is
398           omitted, the file firewall in the VARDIR (normally
399           /var/lib/shorewall/) is assumed. A pathname of '-' causes the
           compiler to send the generated script to its standard output file.
401           Note that '-v-1' is usually specified in this case (e.g., shorewall
402           -v-1 compile -- -) to suppress the 'Compiling...' message normally
403           generated by /sbin/shorewall.
404
405           When -e is specified, the compilation is being performed on a
406           system other than where the compiled script will run. This option
407           disables certain configuration options that require the script to
408           be compiled where it is to be run. The use of -e requires the
409           presence of a configuration file named capabilities which may be
410           produced using the command shorewall-lite show -f capabilities >
           capabilities on a system with Shorewall Lite installed.
412
413           The -c option was added in Shorewall 4.5.17 and causes conditional
414           compilation of a script. The script specified by pathname (or
415           implied if pathname is omitted) is compiled if it doesn't exist or
416           if there is any file in the directory or in a directory on the
417           CONFIG_PATH that has a modification time later than the file to be
418           compiled. When no compilation is needed, a message is issued and an
419           exit status of zero is returned.
420
421           The -d option causes the compiler to be run under control of the
422           Perl debugger.
423
424           The -p option causes the compiler to be profiled via the Perl
425           -wd:DProf command-line option.
426
427           The -T option was added in Shorewall 4.4.20 and causes a Perl stack
428           trace to be included with each compiler-generated error and warning
429           message.
430
431           The -i option was added in Shorewall 4.6.0 and causes a warning
432           message to be issued if the current line contains alternative input
433           specifications following a semicolon (";"). Such lines will be
434           handled incorrectly if INLINE_MATCHES is set to Yes in
435           shorewall.conf[1](5) (shorewall6.conf[1](5)).
436
           The -D option was added in Shorewall 5.2.4 and causes the compiler
438           to write a large amount of debugging information to standard
439           output.
440
441       delete { interface[:host-list]... zone | zone host-list }
442           The delete command reverses the effect of an earlier add command.
443
           The interface argument names an interface defined in the
           shorewall-interfaces[2](5) (shorewall6-interfaces[2](5)) file. A
           host-list is a comma-separated list whose elements are host or
           network addresses.
448
449           Beginning with Shorewall 4.5.9, the dynamic_shared zone option
450           (shorewall-zones[3](5), shorewall6-zones[3](5)) allows a single
451           ipset to handle entries for multiple interfaces. When that option
452           is specified for a zone, the delete command has the alternative
453           syntax in which the zone name precedes the host-list.
454
455       disable { interface | provider }
456           Added in Shorewall 4.4.26. Disables the optional provider
457           associated with the specified interface or provider. Where more
458           than one provider share a single network interface, a provider name
459           must be given.
460
           Beginning with Shorewall 4.5.10, this command may be used with any
           optional network interface. interface may be either the logical or
           physical name of the interface. The command removes any routes
           added from shorewall-routes[4](5) (shorewall6-routes[4](5)) and any
           traffic shaping configuration for the interface.
466
467       drop address
468           Causes traffic from the listed addresses to be silently dropped.
469           This command requires that the firewall be in the started state and
470           that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[1].
471
472       dump  [-x] [-l] [-m] [-c]
473           Produces a verbose report about the firewall configuration for the
474           purpose of problem analysis.
475
476           The -x option causes actual packet and byte counts to be displayed.
477           Without that option, these counts are abbreviated.
478
479           The -m option causes any MAC addresses included in Shorewall log
480           messages to be displayed.
481
482           The -l option causes the rule number for each Netfilter rule to be
483           displayed.
484
485           The -c option causes the route cache to be dumped in addition to
486           the other routing information.
487
488       enable { interface | provider }
489           Added in Shorewall 4.4.26. Enables the optional provider associated
490           with the specified interface or provider. Where more than one
491           provider share a single network interface, a provider name must be
492           given.
493
494           Beginning with Shorewall 4.5.10, this command may be used with any
           optional network interface. interface may be either the logical or
496           physical name of the interface. The command sets /proc entries for
497           the interface, adds any route specified in shorewall-routes[4](5)
498           (shorewall6-routes[4](5)) and installs the interface's traffic
499           shaping configuration, if any.
500
501       export [ directory1 ] [ user@]system[:directory2 ]
502           Not available with Shorewall[6]-lite.
503
504           If directory1 is omitted, the current working directory is assumed.
505
506           Allows a non-root user to compile a shorewall script and stage it
507           on a system (provided that the user has access to the system via
508           ssh). The command is equivalent to:
509
510                   /sbin/shorewall compile -e directory1 directory1/firewall &&\
511                   scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]
512
513           In other words, the configuration in the specified (or defaulted)
514           directory is compiled to a file called firewall in that directory.
515           If compilation succeeds, then firewall and firewall.conf are copied
516           to system using scp.
517
518       forget [ filename ]
519           Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If
520           no filename is given then the file specified by RESTOREFILE in
521           shorewall.conf[1](5) (shorewall6.conf[1](5)) is assumed.
522
523       help
524           Displays a syntax summary.
525
526       hits [-t]
527           Generates several reports from Shorewall log messages in the
528           current log file. If the -t option is included, the reports are
529           restricted to log messages generated today. Not available with
530           Shorewall6[-lite].
531
532       ipcalc { address mask | address/vlsm }
533           Ipcalc displays the network address, broadcast address, network in
534           CIDR notation and netmask corresponding to the input[s]. Not
535           available with Shorewall6[-lite].
536
537       iprange address1-address2
538           Iprange decomposes the specified range of IP addresses into the
539           equivalent list of network/host addresses. Not available with
540           Shorewall6[-lite].
541
542       iptrace iptables match expression
543           This is a low-level debugging command that causes iptables TRACE
544           log records to be created. See iptables(8) for details.
545
546           The iptables match expression must be one or more matches that may
547           appear in both the raw table OUTPUT and raw table PREROUTING
548           chains.
549
550           The log message destination is determined by the currently-selected
551           IPv4 or IPv6 logging backend[5].
552
553       list
554           list is a synonym for show -- please see below.
555
556       logdrop address
557           Causes traffic from the listed addresses to be logged then
558           discarded. Logging occurs at the log level specified by the
559           BLACKLIST_LOGLEVEL setting in shorewall.conf[1] (5)
560           (shorewall6.conf[1](5)). This command requires that the firewall be
561           in the started state and that DYNAMIC_BLACKLIST=Yes in
562           shorewall.conf (5)[1].
563
564       logwatch [-m] [ refresh-interval ]
565           Monitors the log file specified by the LOGFILE option in
566           shorewall.conf[1](5) (shorewall6.conf[1](5)) and produces an
567           audible alarm when new Shorewall messages are logged. The -m option
568           causes the MAC address of each packet source to be displayed if
569           that information is available. The refresh-interval specifies the
570           time in seconds between screen refreshes. You can enter a negative
571           number by preceding the number with "--" (e.g., shorewall logwatch
572           -- -30). In this case, when a packet count changes, you will be
573           prompted to hit any key to resume screen refreshes.
574
575       logreject address
576           Causes traffic from the listed addresses to be logged then
577           rejected. Logging occurs at the log level specified by the
578           BLACKLIST_LOGLEVEL setting in shorewall.conf[1] (5),
579           (shorewall6.conf[1](5)). This command requires that the firewall be
580           in the started state and that DYNAMIC_BLACKLIST=Yes in
581           shorewall.conf (5)[1].
582
583       ls
584           ls is a synonym for show -- please see below.
585
586       noiptrace iptables match expression
587           This is a low-level debugging command that cancels a trace started
588           by a preceding iptrace command.
589
590           The iptables match expression must be one given in the iptrace
591           command being canceled.
592
593       open source dest [ protocol [ port ] ]
           Added in Shorewall 4.6.8. This command requires that the firewall
           be in the started state and that DYNAMIC_BLACKLIST=Yes in
           shorewall.conf (5)[1]. The effect of the command is to temporarily
           open the firewall for connections matching the parameters; the
           opening stays in effect until it is reversed with the close command
           or the firewall is restarted.
598
599           The source and dest parameters may each be specified as all if you
600           don't wish to restrict the connection source or destination
601           respectively. Otherwise, each must contain a host or network
602           address or a valid DNS name.
603
604           The protocol may be specified either as a number or as a name
605           listed in /etc/protocols. The port may be specified numerically or
606           as a name listed in /etc/services.
607
608           To reverse the effect of a successful open command, use the close
609           command with the same parameters or simply restart the firewall.
610
611           Example: To open the firewall for SSH connections to address
612           192.168.1.1, the command would be:
613
614                   shorewall open all 192.168.1.1 tcp 22
615
616           To reverse that command, use:
617
618                   shorewall close all 192.168.1.1 tcp 22
619
       reenable { interface | provider }
621           Added in Shorewall 4.6.9. This is equivalent to a disable command
622           followed by an enable command on the specified interface or
623           provider.
624
625       reject address
           Causes traffic from the listed addresses to be rejected without
           being logged (see logreject for the logged variant).
627           This command requires that the firewall be in the started state and
628           that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[1].
629
630       reload [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
631           This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0
632           reload command is now called remote-restart (see below).
633
634           Shorewall and Shorewall6
635               Reload is similar to shorewall start except that it assumes
636               that the firewall is already started. Existing connections are
637               maintained. If a directory is included in the command,
638               Shorewall will look in that directory first for configuration
639               files.
640
641               The -n option causes Shorewall to avoid updating the routing
642               table(s).
643
644               The -p option causes the connection tracking table to be
645               flushed; the conntrack utility must be installed to use this
646               option.
647
648               The -d option causes the compiler to run under the Perl
649               debugger.
650
651               The -f option suppresses the compilation step and simply reused
652               the compiled script which last started/restarted Shorewall,
653               provided that /etc/shorewall and its contents have not been
654               modified since the last start/restart.
655
656               The -c option was added in Shorewall 4.4.20 and performs the
657               compilation step unconditionally, overriding the AUTOMAKE
658               setting in shorewall.conf[1](5) (Shorewall and Shorewall6
659               only). When both -f and -c are present, the result is
660               determined by the option that appears last.
661
662               The -T option was added in Shorewall 4.5.3 and causes a Perl
663               stack trace to be included with each compiler-generated error
664               and warning message.
665
666               The -i option was added in Shorewall 4.6.0 and causes a warning
667               message to be issued if the current line contains alternative
668               input specifications following a semicolon (";"). Such lines
669               will be handled incorrectly if INLINE_MATCHES is set to Yes in
670               shorewall.conf[1](5) (shorewall6.conf[1](5)).
671
672               The -C option was added in Shorewall 4.6.5 and is only
673               meaningful when AUTOMAKE=Yes in shorewall.conf[1](5)
674               (shorewall6.conf[1](5)). If an existing firewall script is used
675               and if that script was the one that generated the current
676               running configuration, then the running netfilter configuration
677               will be reloaded as is so as to preserve the iptables packet
678               and byte counters.
679
680               The -D option was added in Shorewall 5.2.4 and causes the
681               compiler to write a large amount of debugging information to
682               standard output.
683
684           Shorewall-lite and Shorewall6-lite
685               Reload is similar to shorewall start except that it assumes
686               that the firewall is already started. Existing connections are
687               maintained.
688
689               The -n option causes Shorewall to avoid updating the routing
690               table(s).
691
692               The -p option causes the connection tracking table to be
693               flushed; the conntrack utility must be installed to use this
694               option.
695
696               The -C option was added in Shorewall 4.6.5. If the existing
697               firewall script is the one that generated the current running
698               configuration, then the running netfilter configuration will be
699               reloaded as is so as to preserve the iptables packet and byte
700               counters.
701
702       remote-getcaps [-R] [-r root-user-name] [ [ -D ] directory ] [ system ]
703           Added in Shorewall 5.2.0, this command executes shorewall[6]-lite
704           show capabilities -f > /var/lib/shorewall[6]-lite/capabilities on
705           the remote system via ssh then the generated file is copied to
706           directory on the local system. If no directory is given, the
707           current working directory is assumed.
708
709           If -R is included, the remote shorewallrc file is also copied to
710           directory.
711
712           If -r is included, it specifies that the root user on system is
713           named root-user-name rather than "root".
714
715       remote-getrc [-c] [-r root-user-name] [ [ -D ] directory ] [ system ]
716           Added in Shorewall 5.2.0, this command copies the shorewallrc file
717           from the remote system to directory on the local system. If no
718           directory is given, the current working directory is assumed.
719
720           If -c is included, the remote capabilities are also copied to
721           directory, as is done by the remote-getcaps command.
722
723           If -r is included, it specifies that the root user on system is
724           named root-user-name rather than "root".
725
726       remote-start [-n] [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
727       directory ] [ system ]
728           This command was renamed from load in Shorewall 5.0.0 and is only
729           available in Shorewall and Shorewall6.
730
731           If directory is omitted, the current working directory is assumed.
732           Allows a non-root user to compile a shorewall script and install it
733           on a system (provided that the user has root access to the system
734           via ssh). The command is equivalent to:
735
736                   /sbin/shorewall compile -e directory directory/firewall &&\
737                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
738                   ssh root@system '/sbin/shorewall-lite start'
739
740           In other words, the configuration in the specified (or defaulted)
741           directory is compiled to a file called firewall in that directory.
742           If compilation succeeds, then firewall is copied to system using
743           scp. If the copy succeeds, Shorewall Lite on system is started via
744           ssh. Beginning with Shorewall 5.0.13, if system is omitted, then
745           the FIREWALL option setting in shorewall.conf[6](5)
746           (shorewall6.conf(5)[1]) is assumed. In that case, if you want to
747           specify a directory, then the -D option must be given.
748
749           The -n option causes Shorewall to avoid updating the routing
750           table(s).
751
752           If -s is specified and the start command succeeds, then the remote
753           Shorewall-lite configuration is saved by executing shorewall-lite
754           save via ssh.
755
756           If -c is included, the command shorewall[6]-lite show capabilities
757           -f > /var/lib/shorewall[6]-lite/capabilities is executed via ssh
758           then the generated file is copied to directory using scp. This step
759           is performed before the configuration is compiled.
760
761           If -r is included, it specifies that the root user on system is
762           named root-user-name rather than "root".
763
764           The -T option was added in Shorewall 4.5.3 and causes a Perl stack
765           trace to be included with each compiler-generated error and warning
766           message.
767
768       remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
769       directory ] [ system ]
770           This command was added in Shorewall 5.0.0 and is only available in
771           Shorewall and Shorewall6.
772
773           If directory is omitted, the current working directory is assumed.
774           Allows a non-root user to compile a shorewall script and install it
775           on a system (provided that the user has root access to the system
776           via ssh). The command is equivalent to:
777
778                   /sbin/shorewall compile -e directory directory/firewall &&\
779                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
780                   ssh root@system '/sbin/shorewall-lite reload'
781
782           In other words, the configuration in the specified (or defaulted)
783           directory is compiled to a file called firewall in that directory.
784           If compilation succeeds, then firewall is copied to system using
785           scp. If the copy succeeds, Shorewall Lite on system is restarted
786           via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
787           then the FIREWALL option setting in shorewall.conf[1](5)
788           (shorewall6.conf[1](5)) is assumed. In that case, if you want to
789           specify a directory, then the -D option must be given.
790
791           If -s is specified and the restart command succeeds, then the
792           remote Shorewall-lite configuration is saved by executing
793           shorewall-lite save via ssh.
794
795           If -c is included, the command shorewall-lite show capabilities -f
796           > /var/lib/shorewall-lite/capabilities is executed via ssh then the
797           generated file is copied to directory using scp. This step is
798           performed before the configuration is compiled.
799
800           If -r is included, it specifies that the root user on system is
801           named root-user-name rather than "root".
802
803           The -T option was added in Shorewall 4.5.3 and causes a Perl stack
804           trace to be included with each compiler-generated error and warning
805           message.
806
807           The -i option was added in Shorewall 4.6.0 and causes a warning
808           message to be issued if the current line contains alternative input
809           specifications following a semicolon (";"). Such lines will be
810           handled incorrectly if INLINE_MATCHES is set to Yes in
811           shorewall.conf[1](5) (shorewall6.conf[1](5)).
812
813       remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
814       directory ] [ system ]
815           This command was renamed from reload in Shorewall 5.0.0 and is
816           available in Shorewall and Shorewall6 only.
817
818           If directory is omitted, the current working directory is assumed.
819           Allows a non-root user to compile a shorewall script and install it
820           on a system (provided that the user has root access to the system
821           via ssh). The command is equivalent to:
822
823                   /sbin/shorewall compile -e directory directory/firewall &&\
824                   scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
825                   ssh root@system '/sbin/shorewall-lite restart'
826
827           In other words, the configuration in the specified (or defaulted)
828           directory is compiled to a file called firewall in that directory.
829           If compilation succeeds, then firewall is copied to system using
830           scp. If the copy succeeds, Shorewall Lite on system is restarted
831           via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
832           then the FIREWALL option setting in shorewall.conf[1](5)
833           (shorewall6.conf[1](5)) is assumed. In that case, if you want to
834           specify a directory, then the -D option must be given.
835
836           If -s is specified and the restart command succeeds, then the
837           remote Shorewall-lite configuration is saved by executing
838           shorewall-lite save via ssh.
839
840           If -c is included, the command shorewall-lite show capabilities -f
841           > /var/lib/shorewall-lite/capabilities is executed via ssh then the
842           generated file is copied to directory using scp. This step is
843           performed before the configuration is compiled.
844
845           If -r is included, it specifies that the root user on system is
846           named root-user-name rather than "root".
847
848           The -T option was added in Shorewall 4.5.3 and causes a Perl stack
849           trace to be included with each compiler-generated error and warning
850           message.
851
852           The -i option was added in Shorewall 4.6.0 and causes a warning
853           message to be issued if the current line contains alternative input
854           specifications following a semicolon (";"). Such lines will be
855           handled incorrectly if INLINE_MATCHES is set to Yes in
856           shorewall.conf[1](5) (shorewall6.conf[1](5)).
857
858       reset [chain, ...]
859           Resets the packet and byte counters in the specified chain(s). If
860           no chain is specified, all the packet and byte counters in the
861           firewall are reset.
862
863           Beginning with Shorewall 5.0.0, chain may be composed of both a
864           table name and a chain name separated by a colon (e.g.,
865           mangle:PREROUTING). Chain names following that don't include a
866           table name are assumed to be in that same table. If no table name
867           is given in the command, the filter table is assumed.
868
869       restart [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
870           Beginning with Shorewall 5.0.0, this command performs a true
871           restart. The firewall is completely stopped as if a stop command
872           had been issued then it is started again.
873
874           Shorewall and Shorewall6
875               If a directory is included in the command, Shorewall will look
876               in that directory first for configuration files.
877
878               The -n option causes Shorewall to avoid updating the routing
879               table(s).
880
881               The -p option causes the connection tracking table to be
882               flushed; the conntrack utility must be installed to use this
883               option.
884
885               The -d option causes the compiler to run under the Perl
886               debugger.
887
888               The -f option suppresses the compilation step and simply reuses
889               the compiled script which last started/restarted Shorewall,
890               provided that /etc/shorewall and its contents have not been
891               modified since the last start/restart.
892
893               The -c option was added in Shorewall 4.4.20 and performs the
894               compilation step unconditionally, overriding the AUTOMAKE
895               setting in shorewall.conf[1](5). When both -f and -c are
896               present, the result is determined by the option that appears
897               last.
898
899               The -T option was added in Shorewall 4.5.3 and causes a Perl
900               stack trace to be included with each compiler-generated error
901               and warning message.
902
903               The -i option was added in Shorewall 4.6.0 and causes a warning
904               message to be issued if the current line contains alternative
905               input specifications following a semicolon (";"). Such lines
906               will be handled incorrectly if INLINE_MATCHES is set to Yes in
907               shorewall.conf[1](5).
908
909               The -C option was added in Shorewall 4.6.5 and is only
910               meaningful when AUTOMAKE=Yes in shorewall.conf[1](5). If an
911               existing firewall script is used and if that script was the one
912               that generated the current running configuration, then the
913               running netfilter configuration will be reloaded as is so as to
914               preserve the iptables packet and byte counters.
915
916               The -D option was added in Shorewall 5.2.4 and causes the
917               compiler to write a large amount of debugging information to
918               standard output.
919
920           Shorewall-lite and Shorewall6-lite
921               The -n option causes Shorewall to avoid updating the routing
922               table(s).
923
924               The -p option causes the connection tracking table to be
925               flushed; the conntrack utility must be installed to use this
926               option.
927
928               The -C option was added in Shorewall 4.6.5. If the existing
929               firewall script is the one that generated the current running
930               configuration, then the running netfilter configuration will be
931               reloaded as is so as to preserve the iptables packet and byte
932               counters.
933
934       restore  [-n] [-p] [-C] [ filename ]
935           Restore Shorewall to a state saved using the shorewall save
936           command. Existing connections are maintained. The filename names a
937           restore file in /var/lib/shorewall created using shorewall save; if
938           no filename is given then Shorewall will be restored from the file
939           specified by the RESTOREFILE option in shorewall.conf[1](5)
940           (shorewall6.conf[1](5)).
941
942               Caution
943               If your iptables ruleset depends on variables that are detected
944               at run-time, either in your params file or by
945               Shorewall-generated code, restore will use the values that were
946               current when the ruleset was saved, which may be different from
947               the current values.
948           The -n option causes Shorewall to avoid updating the routing
949           table(s).
950
951           The -p option, added in Shorewall 4.6.5, causes the connection
952           tracking table to be flushed; the conntrack utility must be
953           installed to use this option.
954
955           The -C option was added in Shorewall 4.6.5. If the -C option was
956           specified during shorewall save, then the counters saved by that
957           operation will be restored.
958
959       run command [ parameter ... ]
960           Added in Shorewall 4.6.3. Executes command in the context of the
961           generated script passing the supplied parameters. Normally, the
962           command will be a function declared in lib.private.
963
964           Before executing the command, the script will detect the
965           configuration, setting all SW_* variables and will run your init
966           extension script with $COMMAND = 'run'.
967
968           If there are files in the CONFIG_PATH that were modified after the
969           current firewall script was generated, the following warning
970           message is issued:
971               WARNING: /var/lib/shorewall/firewall is not up to
972                           date
973
974       safe-reload [-d] [-p] [-t timeout ] [ directory ]
975           Added in Shorewall 5.0.0, this command performs the same function
976           as did safe_restart in earlier releases. The command is available
977           in Shorewall and Shorewall6 only.
978
979           Only allowed if Shorewall is running. The current configuration is
980           saved in /var/lib/shorewall/safe-reload (see the save command
981           below) then a shorewall reload is done. You will then be prompted
982           asking if you want to accept the new configuration or not. If you
983           answer "n" or if you fail to answer within 60 seconds (such as when
984           your new configuration has disabled communication with your
985           terminal), the configuration is restored from the saved
986           configuration. If a directory is given, then Shorewall will look in
987           that directory first when opening configuration files.
988
989           Beginning with Shorewall 4.5.0, you may specify a different timeout
990           value using the -t option. The numeric timeout may optionally be
991           followed by an s, m or h suffix (e.g., 5m) to specify seconds,
992           minutes or hours respectively. If the suffix is omitted, seconds is
993           assumed.
994
995       safe-restart [-d] [-p] [-t timeout ] [ directory ]
996           Only allowed if Shorewall[6] is running and is not available in
997           Shorewall-lite and Shorewall6-lite. The current configuration is
998           saved in /var/lib/shorewall/safe-restart (see the save command
999           below) then a shorewall restart is done. You will then be prompted
1000           asking if you want to accept the new configuration or not. If you
1001           answer "n" or if you fail to answer within 60 seconds (such as when
1002           your new configuration has disabled communication with your
1003           terminal), the configuration is restored from the saved
1004           configuration. If a directory is given, then Shorewall will look in
1005           that directory first when opening configuration files.
1006
1007           Beginning with Shorewall 4.5.0, you may specify a different timeout
1008           value using the -t option. The numeric timeout may optionally be
1009           followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1010           minutes or hours respectively. If the suffix is omitted, seconds is
1011           assumed.
1012
1013       safe-start [-d] [-p] [-t timeout ] [ directory ]
1014           Shorewall is started normally. You will then be prompted asking if
1015           everything went all right. If you answer "n" or if you fail to
1016           answer within 60 seconds (such as when your new configuration has
1017           disabled communication with your terminal), a shorewall clear is
1018           performed for you. If a directory is given, then Shorewall will
1019           look in that directory first when opening configuration files.
1020
1021           Beginning with Shorewall 4.5.0, you may specify a different timeout
1022           value using the -t option. The numeric timeout may optionally be
1023           followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1024           minutes or hours respectively. If the suffix is omitted, seconds is
1025           assumed.
1026
1027           This command is available in Shorewall and Shorewall6 only.
1028
1029       save  [-C] [ filename ]
1030           Creates a snapshot of the currently running firewall. The dynamic
1031           blacklist is stored in /var/lib/shorewall/save. The state of the
1032           firewall is stored in /var/lib/shorewall/filename for use by the
1033           shorewall restore command. If filename is not given then the state
1034           is saved in the file specified by the RESTOREFILE option in
1035           shorewall.conf[1](5) (shorewall6.conf[1](5)).
1036
1037           The -C option, added in Shorewall 4.6.5, causes the iptables packet
1038           and byte counters to be saved along with the chains and rules.
1039
1040       savesets
1041           Added in Shorewall 4.6.8. Performs the same action as the stop
1042           command with respect to saving ipsets (see the SAVE_IPSETS option
1043           in shorewall.conf[1](5) (shorewall6.conf[1](5)). This command may
1044           be used to proactively save your ipset contents in the event that a
1045           system failure occurs prior to issuing a stop command.
1046
1047       show
1048           The show command can have a number of different arguments:
1049
1050           action action
1051               Lists the named action file. Available on Shorewall and
1052               Shorewall6 only.
1053
1054           actions
1055               Produces a report about the available actions (built-in,
1056               standard and user-defined). Available on Shorewall and
1057               Shorewall6 only.
1058
1059           bl|blacklists [-x]
1060               Added in Shorewall 4.6.2. Displays the dynamic chain along with
1061               any chains produced by entries in shorewall-blrules(5). The -x
1062               option is passed directly through to iptables and causes actual
1063               packet and byte counts to be displayed. Without this option,
1064               those counts are abbreviated.
1065
1066           [-f] capabilities
1067               Displays your kernel/iptables capabilities. The -f option
1068               causes the display to be formatted as a capabilities file for
1069               use with compile -e.
1070
1071           [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [ chain... ]
1072               The rules in each chain are displayed using the iptables -L
1073               chain -n -v command. If no chain is given, all of the chains in
1074               the filter table are displayed. The -x option is passed
1075               directly through to iptables and causes actual packet and byte
1076               counts to be displayed. Without this option, those counts are
1077               abbreviated. The -t option specifies the Netfilter table to
1078               display. The default is filter.
1079
1080               The -b ('brief') option causes rules which have not been used
1081               (i.e. which have zero packet and byte counts) to be omitted
1082               from the output. Chains with no rules displayed are also
1083               omitted from the output.
1084
1085               The -l option causes the rule number for each Netfilter rule to
1086               be displayed.
1087
1088               If the -t option and the chain keyword are both omitted and any
1089               of the listed chains do not exist, a usage message is
1090               displayed.
1091
1092           classifiers|filters
1093               Displays information about the packet classifiers defined on
1094               the system as a result of traffic shaping configuration.
1095               Beginning with Shorewall 5.2.8, this command is deprecated, as
1096               its output is included in the information displayed by the
1097               'show tc' command.
1098
1099           config
1100               Displays distribution-specific defaults.
1101
1102           connections [filter_parameter ...]
1103               Displays the IP connections currently being tracked by the
1104               firewall.
1105
1106               If the conntrack utility is installed, beginning with Shorewall
1107               4.6.11 the set of connections displayed can be limited by
1108               including conntrack filter parameters (-p, -s, --dport, etc.).
1109               See conntrack(8) for details.
1110
1111           event event
1112               Added in Shorewall 4.5.19. Displays the named event.
1113
1114           events
1115               Added in Shorewall 4.5.19. Displays all events.
1116
1117           ip
1118               Displays the system's IPv4 configuration.
1119
1120           ipa
1121               Added in Shorewall 4.4.17. Displays the per-IP accounting
1122               counters (shorewall-accounting[7](5),
1123               shorewall6-accounting[7](5)).
1124
1125           ipsec
1126               Added in Shorewall 5.1.0. Displays the contents of the IPSEC
1127               Security Policy Database (SPD) and Security Association
1128               Database (SAD). SAD keys are not displayed.
1129
1130           [-m] log
1131               Displays the last 20 Shorewall messages from the log file
1132               specified by the LOGFILE option in shorewall.conf[1](5)
1133               (shorewall6.conf[1](5)). The -m option causes the MAC address
1134               of each packet source to be displayed if that information is
1135               available.
1136
1137           macros
1138               Displays information about each macro defined on the firewall
1139               system (Shorewall and Shorewall6 only).
1140
1141           macro macro
1142               Added in Shorewall 4.4.6. Displays the file that implements the
1143               specified macro (usually /usr/share/shorewall/macro.macro).
1144               Available only in Shorewall and Shorewall6.
1145
1146           [-x] mangle
1147               Displays the Netfilter mangle table using the command iptables
1148               -t mangle -L -n -v. The -x option is passed directly through to
1149               iptables and causes actual packet and byte counts to be
1150               displayed. Without this option, those counts are abbreviated.
1151
1152           marks
1153               Added in Shorewall 4.4.26. Displays the various fields in
1154               packet marks giving the min and max value (in both decimal and
1155               hex) and the applicable mask (in hex).
1156
1157           [-x] nat
1158               Displays the Netfilter nat table using the command iptables -t
1159               nat -L -n -v. The -x option is passed directly through to
1160               iptables and causes actual packet and byte counts to be
1161               displayed. Without this option, those counts are abbreviated.
1162
1163           opens
1164               Added in Shorewall 4.5.8. Displays the iptables rules in the
1165               'dynamic' chain created through use of the open command.
1166
1167           policies
1168               Added in Shorewall 4.4.4. Displays the applicable policy
1169               between each pair of zones. Note that implicit intrazone ACCEPT
1170               policies are not displayed for zones associated with a single
1171               network where that network doesn't specify routeback.
1172
1173           rc
1174               Added in Shorewall 5.2.0. Displays the contents of
1175               $SHAREDIR/shorewall/shorewallrc.
1176
1177           [-c] routing
1178               Displays the system's IPv4 routing configuration. The -c option
1179               causes the route cache to be displayed along with the other
1180               routing information.
1181
1182           [-x] raw
1183               Displays the Netfilter raw table using the command iptables -t
1184               raw -L -n -v. The -x option is passed directly through to
1185               iptables and causes actual packet and byte counts to be
1186               displayed. Without this option, those counts are abbreviated.
1187
1188           saves
1189               Added in Shorewall 5.2.0. Lists snapshots created by the save
1190               command. Each snapshot is listed with the date and time when it
1191               was taken. If there is a snapshot with the name specified in
1192               the RESTOREFILE option in shorewall.conf[6](5), that snapshot
1193               is listed as the default snapshot for the restore command.
1194
1195           tc
1196               Displays information about queuing disciplines, classes and
1197               filters.
1198
1199           zones
1200               Displays the current composition of the Shorewall zones on the
1201               system.
1202
1203       start  [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
1204
1205           Shorewall and Shorewall6
1206               Start shorewall[6]. Existing connections through shorewall
1207               managed interfaces are untouched. New connections will be
1208               allowed only if they are allowed by the firewall rules or
1209               policies. If a directory is included in the command, Shorewall
1210               will look in that directory first for configuration files. If
1211               -f is specified, the saved configuration specified by the
1212               RESTOREFILE option in shorewall.conf[1](5)
1213               (shorewall6.conf[1](5)) will be restored if that saved
1214               configuration exists and has been modified more recently than
1215               the files in /etc/shorewall. When -f is given, a directory may
1216               not be specified.
1217
1218               Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
1219               added to shorewall.conf[1](5) (shorewall6.conf[1](5)). When
1220               LEGACY_FASTSTART=No, the modification times of files in
1221               /etc/shorewall are compared with that of
1222               /var/lib/shorewall/firewall (the compiled script that last
1223               started/restarted the firewall).
1224
1225               The -n option causes Shorewall to avoid updating the routing
1226               table(s).
1227
1228               The -p option causes the connection tracking table to be
1229               flushed; the conntrack utility must be installed to use this
1230               option.
1231
1232               The -c option was added in Shorewall 4.4.20 and performs the
1233               compilation step unconditionally, overriding the AUTOMAKE
1234               setting in shorewall.conf[1](5) (shorewall6.conf[1](5)). When
1235               both -f and -c are present, the result is determined by the
1236               option that appears last.
1237
1238               The -T option was added in Shorewall 4.5.3 and causes a Perl
1239               stack trace to be included with each compiler-generated error
1240               and warning message.
1241
1242               The -i option was added in Shorewall 4.6.0 and causes a warning
1243               message to be issued if the current line contains alternative
1244               input specifications following a semicolon (";"). Such lines
1245               will be handled incorrectly if INLINE_MATCHES is set to Yes in
1246               shorewall.conf[1](5) (shorewall6.conf[1](5)).
1247
1248               The -C option was added in Shorewall 4.6.5 and is only
1249               meaningful when the -f option is also specified. If the
1250               previously-saved configuration is restored, and if the -C
1251               option was also specified in the save command, then the packet
1252               and byte counters will be restored.
1253
1254               The -D option was added in Shoewall 5.2.4 and causes the
1255               compiler to write a large amount of debugging information to
1256               standard output.
1257
1258           Shorewall-lite and Shorewall6-lite
1259               Start Shorewall[6] Lite. Existing connections through
1260               shorewall[6]-lite managed interfaces are untouched. New
1261               connections will be allowed only if they are allowed by the
1262               firewall rules or policies.
1263
1264               The -p option causes the connection tracking table to be
1265               flushed; the conntrack utility must be installed to use this
1266               option.
1267
1268               The -n option prevents the firewall script from modifying the
1269               current routing configuration.
1270
1271               The -f option was added in Shorewall 4.6.5. If the RESTOREFILE
1272               named in shorewall.conf[6](5) exists, is executable and is not
1273               older than the current firewall script, then that saved
1274               configuration is restored.
1275
1276               The -C option was added in Shorewall 4.6.5 and is only
1277               meaningful when the -f option is also specified. If the
1278               previously-saved configuration is restored, and if the -C
1279               option was also specified in the save command, then the packet
1280               and byte counters will be restored.
1281
1282       stop
1283           Stops the firewall. All existing connections, except those listed
1284           in shorewall-stoppedrules[8](5) or permitted by the
1285           ADMINISABSENTMINDED option in shorewall.conf[1](5), are taken down.
1286           The only new traffic permitted through the firewall is from systems
1287           listed in shorewall-stoppedrules[8](5) or by ADMINISABSENTMINDED.
1288
1289       status [-i]
1290           Produces a short report about the state of the Shorewall-configured
1291           firewall.
1292
1293           The -i option was added in Shorewall 4.6.2 and causes the status of
1294           each optional or provider interface to be displayed.
1295
1296       try directory [ timeout ]
1297           This command is available in Shorewall and Shorewall6 only.
1298
1299           If Shorewall[6] is started then the firewall state is saved to a
1300           temporary saved configuration (/var/lib/shorewall/.try). Next, if
1301           Shorewall[6] is currently started then a restart command is issued
1302           using the specified configuration directory; otherwise, a start
1303           command is performed using the specified configuration directory.
1304           If an error occurs during the compilation phase of the restart or
1305           start, the command terminates without changing the Shorewall[6]
1306           state. If an error occurs during the restart phase, then a
1307           shorewall restore is performed using the saved configuration. If an
1308           error occurs during the start phase, then Shorewall is cleared. If
1309           the start/restart succeeds and a timeout is specified then a clear
1310           or restore is performed after timeout seconds.
1311
1312           Beginning with Shorewall 4.5.0, the numeric timeout may optionally
1313           be followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1314           minutes or hours respectively. If the suffix is omitted, seconds is
1315           assumed.
1316
1317       update  [-d] [-r] [-T] [-a] [-i] [-A] [ directory ]
1318           This command is available only in Shorewall and Shorewall6.
1319
1320           Added in Shorewall 4.4.21, this command causes the compiler to update
1321           /etc/shorewall/shorewall.conf then validate the configuration. The
1322           update will add options not present in the old file with their
1323           default values, and will move deprecated options with non-defaults
1324           to a deprecated options section at the bottom of the file. Your
1325           existing shorewall.conf file is renamed shorewall.conf.bak.
1326
1327           The command was extended over the years with a set of options that
1328           caused additional configuration updates.
1329
1330           •   Convert an existing blacklist file into an equivalent blrules
1331               file.
1332
1333           •   Convert an existing routestopped file into an equivalent
1334               stoppedrules file.
1335
1336           •   Convert existing tcrules and tos files into an equivalent
1337               mangle file.
1338
1339           •   Convert an existing notrack file into an equivalent conntrack
1340               file.
1341
1342           •   Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
1343               ?SECTION and ?COMMENT directives.
1344
1345           In each case, the old file is renamed with a .bak suffix.
1346
1347           In Shorewall 5.0.0, the options were eliminated and the update
1348           command performs all of the updates described above.
1349
1350               Important
1351               There are some notable restrictions with the update command:
1352
1353                1. Converted rules will be appended to the existing file; if
1354                   there is no existing file in the CONFIG_PATH, one will be
1355                   created in the directory specified in the command or in the
1356                   first entry in the CONFIG_PATH (normally /etc/shorewall)
1357                   otherwise.
1358
1359                2. Existing comments in the file being converted will not be
1360                   transferred to the output file.
1361
1362                3. With the exception of the notrack->conntrack conversion,
1363                   INCLUDEd files will be expanded inline in the output file.
1364
1365                4. Columns in the output file will be separated by a single
1366                   tab character; there is no attempt made to otherwise align
1367                   the columns.
1368
1369                5. Prior to Shorewall 5.0.15, shell variables will be expanded
1370                   in the output file.
1371
1372                6. Prior to Shorewall 5.0.15, lines omitted by compiler
1373                   directives (?if ...., etc.) will not appear in the output
1374                   file.
1375
1376                       Important
1377                       Because the translation of the 'blacklist' and
1378                       'routestopped' files is not 1:1, omitted lines and
1379                       compiler directives are not transferred to the
1380                       converted files. If either are present, the compiler
1381                       issues a warning:
1382
1383                            WARNING: "Omitted rules and compiler directives were not translated"

1384           The -a option causes the updated shorewall.conf file to be
1385           annotated with documentation.
1386
1387           The -i option was added in Shorewall 4.6.0 and causes a warning
1388           message to be issued if the current line contains alternative input
1389           specifications following a semicolon (";"). Such lines will be
1390           handled incorrectly if INLINE_MATCHES is set to Yes in
1391           shorewall.conf[1](5).
1392
1393           The -A option is included for compatibility with Shorewall 4.6 and
1394           is equivalent to specifying the -i option.
1395
1396           For a description of the other options, see the check command
1397           above.
1398
1399       version [-a]
1400           Displays Shorewall's version. The -a option is included for
1401           compatibility with earlier Shorewall releases and is ignored.
1402

EXIT STATUS

1404       In general, when a command succeeds, status 0 is returned; when the
1405       command fails, a non-zero status is returned.
1406
1407       The status command returns exit status as follows:
1408
1409       0 - Firewall is started.
1410
1411       3 - Firewall is stopped or cleared.
1412
1413       4 - Unknown state; usually means that the firewall has never been
1414       started.
1415

ENVIRONMENT

1417       Two environment variables are recognized by Shorewall:
1418
1419       SHOREWALL_INIT_SCRIPT
1420           When set to 1, causes standard output to be redirected to the file
1421           specified in the STARTUP_LOG option in shorewall.conf(5)[6].
1422
1423       SW_LOGGERTAG
1424           Added in Shorewall 5.0.8. When set to a non-empty value, that value
1425           is passed to the logger utility in its -t (--tag) option.
1426

FILES

1428       /etc/shorewall/*
1429
1430       /etc/shorewall6/*
1431

SEE ALSO

1433           https://shorewall.org/starting_and_stopping_shorewall.htm[9]
1434                 - Describes operational aspects of Shorewall.
1435           shorewall-files(5)[10] -
1436                 Describes the various configuration files along with features
1437                 and conventions common to those files.
1439           shorewall-names(5)[11] -
1440                 Describes naming of objects within a Shorewall configuration.
1441           shorewall-addresses(5)[12] -
1442                 Describes how to specify addresses within a Shorewall
1443                 configuration.
1444           shorewall-exclusion(5)[13] -
1445                 Describes how to exclude certain hosts and/or networks from
1446                 matching a rule.
1448           shorewall-nesting(5)[14]
1449                 - Describes how to nest one Shorewall zone inside another.
1450

NOTES

1452        1. shorewall.conf
1453           https://shorewall.org/manpages//manpages/shorewall.conf.html
1454
1455        2. shorewall-interfaces
1456           https://shorewall.org/manpages//manpages/shorewall-interfaces.html
1457
1458        3. shorewall-zones
1459           https://shorewall.org/manpages//manpages/shorewall-zones.html
1460
1461        4. shorewall-routes
1462           https://shorewall.org/manpages//manpages/shorewall-routes.html
1463
1464        5. logging backend
1465           https://shorewall.org/manpages//shorewall_logging.html#Backends
1466
1467        6. shorewall.conf
1468           https://shorewall.org/manpages/shorewall.conf.html
1469
1470        7. shorewall-accounting
1471           https://shorewall.org/manpages//manpages/shorewall-accounting.html
1472
1473        8. shorewall-stoppedrules
1474           https://shorewall.org/manpages//manpages/shorewall-stoppedrules.html
1475
1476        9. https://shorewall.org/starting_and_stopping_shorewall.htm
1477           https://shorewall.org/manpages//starting_and_stopping_shorewall.htm
1478
1479       10. shorewall-files(5)
1480           https://shorewall.org/manpages/shorewall-files.html
1481
1482       11. shorewall-names(5)
1483           https://shorewall.org/manpages/shorewall-names.html
1484
1485       12. shorewall-addresses(5)
1486           https://shorewall.org/manpages/shorewall-addresses.html
1487
1488       13. shorewall-exclusion(5)
1489           https://shorewall.org/manpages/shorewall-exclusion.html
1490
1491       14. shorewall-nesting(5)
1492           https://shorewall.org/manpages/shorewall-nesting.html
1493
1494
1495
1496Administrative Commands           09/24/2020                      SHOREWALL(8)