SHOREWALL(8)                 Administrative Commands                 SHOREWALL(8)

NAME
    shorewall - Administration tool for Shoreline Firewall (Shorewall)

SYNOPSIS
    shorewall[6][-lite] [options] add { interface[:host-list]... zone |
        zone host-list }

    shorewall[6][-lite] [options] allow address

    shorewall[6][-lite] [options] blacklist[!] address [option ...]

    shorewall[6][-lite] [options] call function [parameter ...]

    shorewall[6] [trace|debug] [options] [check | ck ] [-e] [-d] [-p] [-r]
        [-T] [-i] [directory]

    shorewall[6][-lite] [options] clear [-f]

    shorewall[6][-lite] [options]
        close { open-number | source dest [protocol [ port ]]}

    shorewall[6] [trace|debug] [options] [compile | co ] [-e] [-c] [-d]
        [-p] [-T] [-i] [directory] [pathname]

    shorewall[6][-lite] [options] delete { interface[:host-list]... zone |
        zone host-list }

    shorewall[6][-lite] [options] disable { interface | provider }

    shorewall[6][-lite] [options] drop address

    shorewall[6][-lite] [options] dump [-x] [-l] [-m] [-c]

    shorewall[6][-lite] [options] enable { interface | provider }

    shorewall[6] [options] export [directory1] [user@]system[:directory2]

    shorewall[6][-lite] [options] forget [filename]

    shorewall[6][-lite] [options] help

    shorewall[-lite] [options] hits [-t]

    shorewall[-lite] [options] ipcalc {address mask | address/vlsm}

    shorewall[-lite] [options] iprange address1-address2

    shorewall[6][-lite] [options] iptrace iptables match expression

    shorewall[6][-lite] [options] logdrop address

    shorewall[6][-lite] [options] logwatch [-m] [refresh-interval]

    shorewall[6][-lite] [options] logreject address

    shorewall[6][-lite] [options] noiptrace iptables match expression

    shorewall[6][-lite] [options] open source dest [ protocol [ port ] ]

    shorewall[6][-lite] [options] reenable { interface | provider }

    shorewall[6][-lite] [options] reject address

    shorewall[6][-lite] [options] reload [-n] [-p [-d]] [-f] [-c] [-T] [-i]
        [-C] [directory]

    shorewall[6] remote-getcaps [-s] [-R] [-r root-user-name] [-T] [-i]
        [[-D]directory] [system]

    shorewall[6] [options] remote-getrc [-s] [-c] [-r root-user-name] [-T]
        [-i] [[-D]directory] [system]

    shorewall[6] [options] remote-start [-s] [-c] [-r root-user-name] [-T]
        [-i] [[-D]directory] [system]

    shorewall[6] [options] remote-reload [-s] [-c] [-r root-user-name] [-T]
        [-i] [[-D]directory] [system]

    shorewall[6] [options] remote-restart [-s] [-c] [-r root-user-name]
        [-T] [-i] [[-D]directory] [system]

    shorewall[6][-lite] [options] reset [chain ...]

    shorewall[6][-lite] [options] restart [-n] [-p [-d]] [-f] [-c] [-T]
        [-i] [-C] [directory]

    shorewall[6][-lite] [options] restore [-n] [-p] [-C] [filename]

    shorewall[6][-lite] [options] run command [parameter ...]

    shorewall[6] [options] safe-restart [-d] [-p] [-t timeout] [directory]

    shorewall[6] [options] safe-start [-d] [-p] [-t timeout] [directory]

    shorewall[6][-lite] [options] save [-C] [filename]

    shorewall[6][-lite] [options] savesets

    shorewall[6][-lite] [options] {show | list | ls } [-x] {bl|blacklists}

    shorewall[6][-lite] [options] {show | list | ls } [-b] [-x] [-l]
        [-t {filter|mangle|nat|raw}] [chain...]

    shorewall[6][-lite] [options] {show | list | ls } [-f] capabilities

    shorewall[6] [options] {show | list | ls } [-f] {actions|macros}

    shorewall[6] [options] {show | list | ls } action action

    shorewall[6][-lite] [options] {show | list | ls }
        {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}

    shorewall[6][-lite] [options] {show | list | ls } event event

    shorewall[6][-lite] [options] {show | list | ls } [-c] routing

    shorewall[6] [options] {show | list | ls } macro macro

    shorewall[6][-lite] [options] {show | list | ls } [-x] {mangle|nat|raw}

    shorewall[6][-lite] [options] {show | list | ls } saves

    shorewall[6][-lite] [options] {show | list | ls } [-m] log

    shorewall[6][-lite] [trace|debug] [options] start [-n] [-f] [-p] [-c]
        [-T [-i]] [-C] [directory]

    shorewall[6][-lite] [options] stop [-f]

    shorewall[6][-lite] [options] status [-i]

    shorewall[6] [options] try directory [timeout]

    shorewall[6] [options] update [-b] [-d] [-r] [-T] [-a] [-i] [-A]
        [directory]

    shorewall[6][-lite] [options] version [-a]

DESCRIPTION
    Beginning with Shorewall 5.1.0, the shorewall utility is used to
    control the Shoreline Firewall (Shorewall), Shorewall Firewall 6
    (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall
    Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under
    four different names:

    shorewall
        Controls the Shorewall configuration when Shorewall is installed.
        If Shorewall is not installed, the shorewall command controls
        Shorewall-lite if it is installed. If neither Shorewall nor
        Shorewall-lite is installed, the shorewall command controls
        Shorewall6-lite if it is installed.

    shorewall6
        The shorewall6 command controls Shorewall6 when Shorewall6 is
        installed.

    shorewall-lite
        The shorewall-lite command controls Shorewall-lite when
        Shorewall-lite is installed.

    shorewall6-lite
        The shorewall6-lite command controls Shorewall6-lite when
        Shorewall6-lite is installed.

    Prior to Shorewall 5.1.0, these four commands were implemented as four
    separate programs, each of which controlled only a single firewall
    package. This manpage documents both the Shorewall 5.1 and the
    Shorewall 5.0 CLI.

OPTIONS
    The options are:

    -4
        Added in Shorewall 5.1.0. Causes the command to operate on the
        Shorewall configuration or the Shorewall-lite configuration. It is
        the default when either of those products is installed and when the
        command is shorewall or shorewall-lite.

    -6
        Added in Shorewall 5.1.0. Causes the command to operate on the
        Shorewall6 or Shorewall6-lite configuration. It is the default when
        only Shorewall6-lite is installed and when the command is
        shorewall6 or shorewall6-lite.

    -l
        Added in Shorewall 5.1.0. Causes the command to operate on either
        Shorewall-lite or Shorewall6-lite and is the default when
        Shorewall is not installed or when the command is shorewall-lite or
        shorewall6-lite.

        With all four firewall products (Shorewall, Shorewall6,
        Shorewall-lite and Shorewall6-lite) installed, the following table
        shows the correspondence between the name used to invoke the
        command and the shorewall command with the above three options.

        Table 1. All four products installed

        The next table shows the correspondence when only Shorewall-lite
        and Shorewall6-lite are installed.

        Table 2. Only Shorewall-lite and Shorewall6-lite installed

        Note that when Shorewall isn't installed, the shorewall command
        behaves like shorewall-lite. The same is not true with respect to
        Shorewall6: shorewall6 does not fall back to shorewall6-lite. You
        can make shorewall6 behave like shorewall6-lite by adding the
        following command to root's .profile file (or to .bashrc, if
        root's shell is bash):

            alias shorewall6=shorewall6-lite

    -v[verbosity]
        Alters the amount of output produced by the command. If neither the
        -v nor the -q option is specified, the amount of output is
        determined by the VERBOSITY setting in shorewall.conf[1](5)
        (shorewall6.conf[1](5)).

        When no verbosity is specified, each instance of this option causes
        1 to be added to the effective verbosity. When verbosity (-1, 0, 1
        or 2) is given, the command is executed at the specified VERBOSITY.
        There may be no white space between -v and the verbosity.

    -q
        Alters the amount of output produced by the command. If neither the
        -v nor the -q option is specified, the amount of output is
        determined by the VERBOSITY setting in shorewall.conf[1](5)
        (shorewall6.conf[1](5)).

        Each instance of this option causes 1 to be subtracted from the
        effective verbosity.

    -t
        Causes all progress messages to be timestamped.

    -T
        Added in Shorewall 5.2.4 to replace the earlier trace keyword. If
        the command invokes the generated firewall script, the script's
        execution will be traced to standard error.

    -D
        Added in Shorewall 5.2.4 to replace the earlier debug keyword. If
        the command invokes the generated firewall script, individual
        invocations of the ip[6]tables utility will be used to configure
        the ruleset rather than ip[6]tables-restore. This is useful for
        diagnosing ip[6]tables-restore failures on a *COMMIT command.

    Note
        Prior to Shorewall 5.2.4, the general syntax for a CLI command was:

            [trace|debug] [nolock] [options] command [command-options]
            [command-arguments]

        Examples:

            shorewall debug -tv2 reload
            shorewall trace check
            shorewall nolock enable eth0

        In Shorewall 5.2.4 and later, those commands would be:

            shorewall -Dtv2 reload
            shorewall check -D
            shorewall -N enable eth0

        While not shown in the command synopses at the top of this page,
        the nolock keyword is still supported in Shorewall 5.2.4 and later,
        but is deprecated in favor of the -N option.

COMMANDS
    The available commands are listed below.

    add { interface[:host-list]... zone | zone host-list }
        Adds a list of hosts or subnets to a dynamic zone, usually used
        with VPNs.

        The interface argument names an interface defined in the
        shorewall-interfaces[2](5) (shorewall6-interfaces[2](5)) file. A
        host-list is a comma-separated list whose elements are host or
        network addresses.

        Caution
            The add command is not very robust. If there are errors in the
            host-list, you may see a large number of error messages, yet a
            subsequent shorewall show zones command will indicate that all
            hosts were added. If this happens, replace add by delete and
            run the same command again. Then enter the correct command.

        Beginning with Shorewall 4.5.9, the dynamic_shared zone option
        (shorewall-zones[3](5), shorewall6-zones[3](5)) allows a single
        ipset to handle entries for multiple interfaces. When that option
        is specified for a zone, the add command has the alternative syntax
        in which the zone name precedes the host-list.

    allow address
        Re-enables receipt of packets from hosts previously blacklisted by
        a blacklist, drop, logdrop, reject, or logreject command.

    blacklist[!] address [ option ... ]
        Added in Shorewall 5.0.8 and requires DYNAMIC_BLACKLIST=ipset...
        (ipset-based dynamic blacklisting, optionally with further
        options) in shorewall.conf[1](5). Causes packets from the given
        host or network address to be dropped, based on the setting of
        BLACKLIST in shorewall.conf[1](5). The address along with any
        options are passed to the ipset add command. Probably the most
        useful option is the timeout option. For example, to permanently
        blacklist 192.0.2.22, the command would be:

            shorewall blacklist 192.0.2.22 timeout 0

        Beginning with Shorewall 5.2.5, the above command can be shortened
        to:

            shorewall blacklist! 192.0.2.22

        If the disconnect option is specified in the DYNAMIC_BLACKLIST
        setting, then the effective VERBOSITY determines the amount of
        information displayed:

        •   If the effective verbosity is > 0, then a message giving the
            number of conntrack flows deleted by the command is displayed.

        •   If the effective verbosity is > 1, then the conntrack table
            entries deleted by the command are also displayed.

    call function [ parameter ... ]
        Added in Shorewall 4.6.10. Allows you to call a function in one of
        the Shorewall libraries or in your compiled script. function must
        name the shell function to be called. The listed parameters are
        passed to the function.

        The function is first searched for in lib.base, lib.common, lib.cli
        and lib.cli-std. If it is not found, the call command is passed to
        the generated script to be executed.

    check [-e] [-d] [-p] [-r] [-T] [-i] [-D] [directory]
        Not available with Shorewall[6]-lite.

        Compiles the configuration in the specified directory and discards
        the compiled output script. If no directory is given, then
        /etc/shorewall is assumed.

        The -e option causes the compiler to look for a file named
        capabilities. This file is produced using the command
        shorewall-lite show -f capabilities > capabilities on a system with
        Shorewall Lite installed.

        The -d option causes the compiler to be run under control of the
        Perl debugger.

        The -p option causes the compiler to be profiled via the Perl
        -wd:DProf command-line option.

        The -r option was added in Shorewall 4.5.2 and causes the compiler
        to print the generated ruleset to standard out.

        The -T option was added in Shorewall 4.4.20 and causes a Perl stack
        trace to be included with each compiler-generated error and warning
        message.

        The -i option was added in Shorewall 4.6.0 and causes a warning
        message to be issued if the current line contains alternative input
        specifications following a semicolon (";"). Such lines will be
        handled incorrectly if INLINE_MATCHES is set to Yes in
        shorewall.conf[1](5) (shorewall6.conf[1](5)).

        The -D option was added in Shorewall 5.2.4 and causes the compiler
        to write a large amount of debugging information to standard
        output.

    clear [-f]
        Clear removes all rules and chains installed by Shorewall. The
        firewall is then wide open and unprotected. Existing connections
        are untouched. Clear is often used to see if the firewall is
        causing connection problems.

        If -f is given, the command will be processed by the compiled
        script that executed the last successful start, restart or reload
        command, if that script exists.

    close { open-number | source dest [ protocol [ port ] ] }
        Added in Shorewall 4.5.8. This command closes a temporary open
        created by the open command. In the first form, an open-number
        specifies the open to be closed. Open numbers are displayed in the
        num column of the output of the shorewall show opens command.

        When the second form of the command is used, the parameters must
        match those given in the earlier open command.

        This command requires that the firewall be in the started state and
        that DYNAMIC_BLACKLIST=Yes in shorewall.conf[1](5).

    compile [-e] [-c] [-d] [-p] [-T] [-i] [-D] [ directory ] [ pathname ]
        Not available with Shorewall[6]-lite.

        Compiles the current configuration into the executable file
        pathname. If a directory is supplied, Shorewall will look in that
        directory first for configuration files. If the pathname is
        omitted, the file firewall in the VARDIR (normally
        /var/lib/shorewall/) is assumed. A pathname of '-' causes the
        compiler to send the generated script to its standard output. Note
        that '-v-1' is usually specified in this case (e.g., shorewall
        -v-1 compile -- -) to suppress the 'Compiling...' message normally
        generated by /sbin/shorewall.

        When -e is specified, the compilation is being performed on a
        system other than where the compiled script will run. This option
        disables certain configuration options that require the script to
        be compiled where it is to be run. The use of -e requires the
        presence of a configuration file named capabilities, which may be
        produced using the command shorewall-lite show -f capabilities >
        capabilities on a system with Shorewall Lite installed.

        The -c option was added in Shorewall 4.5.17 and causes conditional
        compilation of a script. The script specified by pathname (or
        implied if pathname is omitted) is compiled if it doesn't exist or
        if there is any file in the directory or in a directory on the
        CONFIG_PATH that has a modification time later than the file to be
        compiled. When no compilation is needed, a message is issued and an
        exit status of zero is returned.

        The -d option causes the compiler to be run under control of the
        Perl debugger.

        The -p option causes the compiler to be profiled via the Perl
        -wd:DProf command-line option.

        The -T option was added in Shorewall 4.4.20 and causes a Perl stack
        trace to be included with each compiler-generated error and warning
        message.

        The -i option was added in Shorewall 4.6.0 and causes a warning
        message to be issued if the current line contains alternative input
        specifications following a semicolon (";"). Such lines will be
        handled incorrectly if INLINE_MATCHES is set to Yes in
        shorewall.conf[1](5) (shorewall6.conf[1](5)).

        The -D option was added in Shorewall 5.2.4 and causes the compiler
        to write a large amount of debugging information to standard
        output.

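        The staleness test that compile -c is documented to perform (recompile
        when the script is missing, or when any file in the given directory or
        in a directory on CONFIG_PATH is newer than the script), written out as
        an added Python example. This is not Shorewall code; it assumes that
        CONFIG_PATH is a colon-separated list of directories, as it is in
        shorewall.conf, and that only regular files directly inside each
        directory are compared. The function names and the temporary
        directory tree built by demo() are illustrative.

```python
"""Added example: the staleness test behind 'shorewall compile -c'.

Not Shorewall code. Recompile when the target script is missing, or
when any regular file in the configuration directory or in a directory
on CONFIG_PATH (colon-separated, as in shorewall.conf) has a
modification time later than the script's.
"""
import os
import tempfile


def newest_mtime(directory):
    """Newest st_mtime among regular files directly inside directory.

    Missing or unreadable directories count as empty (0.0), mirroring a
    CONFIG_PATH entry that is not present on this system.
    """
    newest = 0.0
    try:
        with os.scandir(directory) as entries:
            for entry in entries:
                if entry.is_file(follow_symlinks=False):
                    newest = max(newest, entry.stat().st_mtime)
    except (FileNotFoundError, NotADirectoryError, PermissionError):
        pass
    return newest


def needs_compile(script, directory, config_path):
    """Return True when 'compile -c' would recompile script.

    directory may be None (the directory command argument was omitted);
    config_path is the CONFIG_PATH value, e.g. "/etc/shorewall:/usr/share/shorewall".
    """
    if not os.path.isfile(script):
        return True  # first compile: nothing to compare against
    target = os.stat(script).st_mtime
    candidates = ([directory] if directory else []) + [d for d in config_path.split(":") if d]
    return any(newest_mtime(d) > target for d in candidates)


def _touch(path, mtime):
    """Create path if needed and pin its mtime (seconds since the epoch)."""
    with open(path, "a"):
        pass
    os.utime(path, (mtime, mtime))


def demo():
    """Exercise the rule on a constructed directory tree with fixed mtimes.

    Returns the four decisions in order: script missing, script up to
    date, a config-directory file newer, a CONFIG_PATH file newer.
    """
    with tempfile.TemporaryDirectory() as root:
        conf = os.path.join(root, "etc", "shorewall")
        share = os.path.join(root, "usr", "share", "shorewall")
        os.makedirs(conf)
        os.makedirs(share)
        script = os.path.join(root, "firewall")
        config_path = f"{conf}:{share}"

        missing = needs_compile(script, conf, config_path)

        # Script compiled at t=2000; the rules file was last edited at t=1000.
        _touch(script, 2000)
        rules = os.path.join(conf, "rules")
        _touch(rules, 1000)
        up_to_date = needs_compile(script, conf, config_path)

        # Editing rules after the compile makes the script stale.
        _touch(rules, 3000)
        rules_newer = needs_compile(script, conf, config_path)

        # A newer file in a CONFIG_PATH directory also triggers recompilation.
        _touch(rules, 1000)
        _touch(os.path.join(share, "macro.SSH"), 2500)
        shared_newer = needs_compile(script, conf, config_path)

        return (missing, up_to_date, rules_newer, shared_newer)


if __name__ == "__main__":
    print(demo())
```

        Because the decision rests on modification times only, a
        configuration file put in place with an older timestamp preserved
        (for example, restored from a backup with timestamps intact) does not
        trigger recompilation under compile -c. Note also that -c means the
        opposite thing on reload and restart, where it forces compilation.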
    delete { interface[:host-list]... zone | zone host-list }
        The delete command reverses the effect of an earlier add command.

        The interface argument names an interface defined in the
        shorewall-interfaces[2](5) (shorewall6-interfaces[2](5)) file. A
        host-list is a comma-separated list whose elements are host or
        network addresses.

        Beginning with Shorewall 4.5.9, the dynamic_shared zone option
        (shorewall-zones[3](5), shorewall6-zones[3](5)) allows a single
        ipset to handle entries for multiple interfaces. When that option
        is specified for a zone, the delete command has the alternative
        syntax in which the zone name precedes the host-list.

    disable { interface | provider }
        Added in Shorewall 4.4.26. Disables the optional provider
        associated with the specified interface or provider. Where more
        than one provider shares a single network interface, a provider
        name must be given.

        Beginning with Shorewall 4.5.10, this command may be used with any
        optional network interface. interface may be either the logical or
        physical name of the interface. The command removes any routes
        added from shorewall-routes[4](5) (shorewall6-routes[4](5)) and any
        traffic shaping configuration for the interface.

    drop address
        Causes traffic from the listed addresses to be silently dropped.
        This command requires that the firewall be in the started state and
        that DYNAMIC_BLACKLIST=Yes in shorewall.conf[1](5).

    dump [-x] [-l] [-m] [-c]
        Produces a verbose report about the firewall configuration for the
        purpose of problem analysis.

        The -x option causes actual packet and byte counts to be displayed.
        Without that option, these counts are abbreviated.

        The -l option causes the rule number for each Netfilter rule to be
        displayed.

        The -m option causes any MAC addresses included in Shorewall log
        messages to be displayed.

        The -c option causes the route cache to be dumped in addition to
        the other routing information.

    enable { interface | provider }
        Added in Shorewall 4.4.26. Enables the optional provider associated
        with the specified interface or provider. Where more than one
        provider shares a single network interface, a provider name must be
        given.

        Beginning with Shorewall 4.5.10, this command may be used with any
        optional network interface. interface may be either the logical or
        physical name of the interface. The command sets /proc entries for
        the interface, adds any route specified in shorewall-routes[4](5)
        (shorewall6-routes[4](5)) and installs the interface's traffic
        shaping configuration, if any.

    export [ directory1 ] [ user@]system[:directory2 ]
        Not available with Shorewall[6]-lite.

        If directory1 is omitted, the current working directory is assumed.

        Allows a non-root user to compile a shorewall script and stage it
        on a system (provided that the user has access to the system via
        ssh). The command is equivalent to:

            /sbin/shorewall compile -e directory1 directory1/firewall &&\
            scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]

        In other words, the configuration in the specified (or defaulted)
        directory is compiled to a file called firewall in that directory.
        If compilation succeeds, then firewall and firewall.conf are copied
        to system using scp.

    forget [ filename ]
        Deletes /var/lib/shorewall/filename and /var/lib/shorewall/save. If
        no filename is given, then the file specified by RESTOREFILE in
        shorewall.conf[1](5) (shorewall6.conf[1](5)) is assumed.

    help
        Displays a syntax summary.

    hits [-t]
        Generates several reports from Shorewall log messages in the
        current log file. If the -t option is included, the reports are
        restricted to log messages generated today. Not available with
        Shorewall6[-lite].
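
        The log-driven workflow that ties the hits command above to the
        blacklist command (count Shorewall log messages per source, optionally
        only today's, then blacklist the noisiest sources with an ipset
        timeout), as an added Python example that is not part of Shorewall.
        It assumes the default LOGFORMAT prefix Shorewall:<chain>:<disposition>:
        in a syslog-style file followed by the usual Netfilter SRC=, PROTO= and
        DPT= fields; the sample log lines are constructed and the function
        names are hypothetical. It goes beyond hits in also handling IPv6
        sources, for which it emits shorewall6 instead of shorewall.

```python
"""Added example: a 'hits'-style summary of Shorewall log messages that
feeds 'shorewall blacklist ... timeout N'. Not Shorewall code.

Assumes the default LOGFORMAT "Shorewall:%s:%s:" (chain, disposition)
in a syslog-style log and the usual Netfilter key=value fields.
"""
import ipaddress
import re
from collections import Counter
from datetime import date

MONTHS = ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"]

# "Mar  3 09:12:01 fw kernel: [...] Shorewall:net-fw:DROP:IN=eth0 ..."
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+\d\d:\d\d:\d\d\s+\S+\s+kernel:.*?"
    r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample log (not captured from a real system).
SAMPLE_LOG = """\
Mar  3 09:12:01 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:16:3e:01:02:03:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=1234 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=29200 SYN URGP=0
Mar  3 09:12:02 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:16:3e:01:02:03:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=1235 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=29200 SYN URGP=0
Mar  3 09:12:03 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:16:3e:01:02:03:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TTL=51 ID=1236 DF PROTO=TCP SPT=40003 DPT=3389 WINDOW=29200 SYN URGP=0
Mar  3 09:13:10 fw kernel: Shorewall:net-fw:REJECT:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:16:3e:01:02:03:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=48 TTL=60 ID=777 PROTO=UDP SPT=53 DPT=5353 LEN=28
Mar  2 23:59:58 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:16:3e:01:02:03:08:00 SRC=192.0.2.44 DST=198.51.100.2 LEN=60 TTL=60 ID=778 DF PROTO=TCP SPT=5555 DPT=445 WINDOW=1024 SYN URGP=0
Mar  3 09:14:00 fw kernel: Shorewall:net-fw:DROP:IN=eth0 OUT= MAC=00:16:3e:0a:0b:0c:00:16:3e:01:02:03:86:dd SRC=2001:db8::bad DST=2001:db8::1 LEN=80 TC=0 HOPLIMIT=58 FLOWLBL=0 PROTO=TCP SPT=1 DPT=22 WINDOW=1024 SYN URGP=0
Mar  3 09:15:00 fw sshd[123]: Accepted publickey for admin from 192.0.2.9 port 50000 ssh2
"""
SAMPLE_TODAY = date(2024, 3, 3)  # "today" for the -t style filter on the sample


def parse_line(line):
    """Return a dict for a Shorewall log message, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("rest")))
    return {
        "mon": m.group("mon"), "day": int(m.group("day")),
        "chain": m.group("chain"), "disp": m.group("disp"),
        "src": fields.get("SRC"), "proto": fields.get("PROTO"), "dpt": fields.get("DPT"),
    }


def parse_log(text, today=None):
    """Parse all Shorewall messages; with today set, keep only that day's (like hits -t)."""
    records = [r for r in map(parse_line, text.splitlines()) if r]
    if today is not None:
        records = [r for r in records
                   if (r["mon"], r["day"]) == (MONTHS[today.month - 1], today.day)]
    return records


def hits_report(records):
    """Counts per source, per protocol/port and per chain:disposition."""
    return {
        "by_source": Counter(r["src"] for r in records if r["src"]),
        "by_port": Counter(f'{r["proto"]}/{r["dpt"]}' for r in records if r["dpt"]),
        "by_chain": Counter(f'{r["chain"]}:{r["disp"]}' for r in records),
    }


def blacklist_commands(by_source, threshold, timeout=3600):
    """CLI commands that blacklist every source with at least threshold hits.

    Requires DYNAMIC_BLACKLIST=ipset... on the firewall; timeout is the
    ipset entry lifetime in seconds (0 would make it permanent). IPv6
    sources go to shorewall6; unparseable SRC values are skipped.
    """
    cmds = []
    for src, hits in sorted(by_source.items()):
        if hits < threshold:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue
        tool = "shorewall6" if addr.version == 6 else "shorewall"
        cmds.append(f"{tool} blacklist {addr} timeout {timeout}")
    return cmds


if __name__ == "__main__":
    report = hits_report(parse_log(SAMPLE_LOG, today=SAMPLE_TODAY))
    for src, n in report["by_source"].most_common():
        print(f"{n:6d}  {src}")
    print("\n".join(blacklist_commands(report["by_source"], threshold=3)))
```

        The generated commands still have to be run on the firewall itself,
        and only take effect there when the blacklist command's
        DYNAMIC_BLACKLIST=ipset prerequisite is met. Using a non-zero timeout
        rather than the permanent timeout 0 keeps a noisy but legitimate
        source (a misconfigured monitoring host, for instance) from being
        locked out indefinitely; shorewall allow address reverses an entry
        early.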

    ipcalc { address mask | address/vlsm }
        Ipcalc displays the network address, broadcast address, network in
        CIDR notation and netmask corresponding to the input[s]. Not
        available with Shorewall6[-lite].

    iprange address1-address2
        Iprange decomposes the specified range of IP addresses into the
        equivalent list of network/host addresses. Not available with
        Shorewall6[-lite].
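
        What the ipcalc and iprange commands above compute, reproduced with
        the Python standard library as an added example; this is not
        Shorewall code. The function names are illustrative, and unlike the
        two CLI commands the example also accepts IPv6 input, which the
        ipaddress module handles with the same calls.

```python
"""Added example: the calculations behind 'shorewall ipcalc' and
'shorewall iprange'. Not Shorewall code; also accepts IPv6 input.
"""
import ipaddress


def ipcalc(address, mask=None):
    """Network address, broadcast, CIDR network and netmask for
    'address mask' or 'address/vlsm' input (mask may be dotted or a
    prefix length)."""
    spec = f"{address}/{mask}" if mask is not None else address
    iface = ipaddress.ip_interface(spec)  # keeps the host bits, unlike ip_network
    net = iface.network
    return {
        "address": str(iface.ip),
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "cidr": str(net),
        "netmask": str(net.netmask),
    }


def _cidr(net):
    """Render a single host as a bare address and a block in CIDR notation."""
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def iprange(spec):
    """Decompose 'address1-address2' into the minimal list of aligned CIDR
    blocks and single hosts that together cover exactly that range."""
    first, last = (ipaddress.ip_address(part.strip()) for part in spec.split("-", 1))
    if first.version != last.version:
        raise ValueError("range endpoints must be in the same address family")
    if first > last:
        raise ValueError("range start is after range end")
    return [_cidr(net) for net in ipaddress.summarize_address_range(first, last)]


if __name__ == "__main__":
    print(ipcalc("192.168.1.77", "255.255.255.0"))
    print(ipcalc("10.20.30.40/27"))
    print(iprange("192.168.1.5-192.168.1.20"))
```

        The range decomposition is the step that matters when a range is to
        be fed back into rules: 192.168.1.5-192.168.1.20 is not a single
        network, and the five resulting entries (two hosts and three blocks)
        are what a rule or ipset must carry to cover exactly those addresses
        and no others.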

    iptrace iptables match expression
        This is a low-level debugging command that causes iptables TRACE
        log records to be created. See iptables(8) for details.

        The iptables match expression must be one or more matches that may
        appear in both the raw table OUTPUT and raw table PREROUTING
        chains.

        The log message destination is determined by the currently-selected
        IPv4 or IPv6 logging backend[5].

    list
        list is a synonym for show -- please see below.

    logdrop address
        Causes traffic from the listed addresses to be logged, then
        discarded. Logging occurs at the log level specified by the
        BLACKLIST_LOGLEVEL setting in shorewall.conf[1](5)
        (shorewall6.conf[1](5)). This command requires that the firewall be
        in the started state and that DYNAMIC_BLACKLIST=Yes in
        shorewall.conf[1](5).

    logwatch [-m] [ refresh-interval ]
        Monitors the log file specified by the LOGFILE option in
        shorewall.conf[1](5) (shorewall6.conf[1](5)) and produces an
        audible alarm when new Shorewall messages are logged. The -m option
        causes the MAC address of each packet source to be displayed if
        that information is available. The refresh-interval specifies the
        time in seconds between screen refreshes. You can enter a negative
        number by preceding the number with "--" (e.g., shorewall logwatch
        -- -30). In this case, when a packet count changes, you will be
        prompted to hit any key to resume screen refreshes.

    logreject address
        Causes traffic from the listed addresses to be logged, then
        rejected. Logging occurs at the log level specified by the
        BLACKLIST_LOGLEVEL setting in shorewall.conf[1](5)
        (shorewall6.conf[1](5)). This command requires that the firewall be
        in the started state and that DYNAMIC_BLACKLIST=Yes in
        shorewall.conf[1](5).

    ls
        ls is a synonym for show -- please see below.

    noiptrace iptables match expression
        This is a low-level debugging command that cancels a trace started
        by a preceding iptrace command.

        The iptables match expression must be the one given in the iptrace
        command being canceled.

    open source dest [ protocol [ port ] ]
        Added in Shorewall 4.6.8. This command requires that the firewall
        be in the started state and that DYNAMIC_BLACKLIST=Yes in
        shorewall.conf[1](5). The effect of the command is to temporarily
        open the firewall for connections matching the parameters.

        The source and dest parameters may each be specified as all if you
        don't wish to restrict the connection source or destination
        respectively. Otherwise, each must contain a host or network
        address or a valid DNS name.

        The protocol may be specified either as a number or as a name
        listed in /etc/protocols. The port may be specified numerically or
        as a name listed in /etc/services.

        To reverse the effect of a successful open command, use the close
        command with the same parameters or simply restart the firewall.

        Example: To open the firewall for SSH connections to address
        192.168.1.1, the command would be:

            shorewall open all 192.168.1.1 tcp 22

        To reverse that command, use:

            shorewall close all 192.168.1.1 tcp 22

    reenable { interface | provider }
        Added in Shorewall 4.6.9. This is equivalent to a disable command
        followed by an enable command on the specified interface or
        provider.

    reject address
        Causes traffic from the listed addresses to be silently rejected.
        This command requires that the firewall be in the started state and
        that DYNAMIC_BLACKLIST=Yes in shorewall.conf[1](5).

    reload [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
        This command was re-implemented in Shorewall 5.0.0. The pre-5.0.0
        reload command is now called remote-restart (see below).

        Shorewall and Shorewall6
            Reload is similar to shorewall start except that it assumes
            that the firewall is already started. Existing connections are
            maintained. If a directory is included in the command,
            Shorewall will look in that directory first for configuration
            files.

            The -n option causes Shorewall to avoid updating the routing
            table(s).

            The -p option causes the connection tracking table to be
            flushed; the conntrack utility must be installed to use this
            option.

            The -d option causes the compiler to run under the Perl
            debugger.

            The -f option suppresses the compilation step and simply reuses
            the compiled script which last started/restarted Shorewall,
            provided that /etc/shorewall and its contents have not been
            modified since the last start/restart.

            The -c option was added in Shorewall 4.4.20 and performs the
            compilation step unconditionally, overriding the AUTOMAKE
            setting in shorewall.conf[1](5) (Shorewall and Shorewall6
            only). When both -f and -c are present, the result is
            determined by the option that appears last.

            The -T option was added in Shorewall 4.5.3 and causes a Perl
            stack trace to be included with each compiler-generated error
            and warning message.

            The -i option was added in Shorewall 4.6.0 and causes a warning
            message to be issued if the current line contains alternative
            input specifications following a semicolon (";"). Such lines
            will be handled incorrectly if INLINE_MATCHES is set to Yes in
            shorewall.conf[1](5) (shorewall6.conf[1](5)).

            The -C option was added in Shorewall 4.6.5 and is only
            meaningful when AUTOMAKE=Yes in shorewall.conf[1](5)
            (shorewall6.conf[1](5)). If an existing firewall script is used
            and if that script was the one that generated the current
            running configuration, then the running netfilter configuration
            will be reloaded as is so as to preserve the iptables packet
            and byte counters.

            The -D option was added in Shorewall 5.2.4 and causes the
            compiler to write a large amount of debugging information to
            standard output.

        Shorewall-lite and Shorewall6-lite
            Reload is similar to shorewall start except that it assumes
            that the firewall is already started. Existing connections are
            maintained.

            The -n option causes Shorewall to avoid updating the routing
            table(s).

            The -p option causes the connection tracking table to be
            flushed; the conntrack utility must be installed to use this
            option.

            The -C option was added in Shorewall 4.6.5. If the existing
            firewall script is the one that generated the current running
            configuration, then the running netfilter configuration will be
            reloaded as is so as to preserve the iptables packet and byte
            counters.

702 remote-getcaps [-R] [-r root-user-name] [ [ -D ] directory ] [ system ]
703 Added in Shoreall 5.2.0, this command executes shorewall[6]-lite
704 show capabilities -f > /var/lib/shorewall[6]-lite/capabilities on
705 the remote system via ssh then the generated file is copied to
706 directory on the local system. If no directory is given, the
707 current working directory is assumed.
708
709 if -R is included, the remote shorewallrc file is also copied to
710 directory.
711
712 If -r is included, it specifies that the root user on system is
713 named root-user-name rather than "root".
714
715 remote-getrc [-c] [-r root-user-name] [ [ -D ] directory ] [ system ]
716 Added in Shoreall 5.2.0, this command copies the shorewallrc file
717 from the remote system to directory on the local system. If no
718 directory is given, the current working directory is assumed.
719
720 if -c is included, the remote capabilities are also copied to
721 directory, as is done by the remote-getcaps command.
722
723 If -r is included, it specifies that the root user on system is
724 named root-user-name rather than "root".
725
726 remote-start [-n] [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
727 directory ] [ system ]
728 This command was renamed from load in Shorewall 5.0.0 and is only
729 available in Shorewall and Shoreawall6.
730
731 If directory is omitted, the current working directory is assumed.
732 Allows a non-root user to compile a shorewall script and install it
733 on a system (provided that the user has root access to the system
734 via ssh). The command is equivalent to:
735
736 /sbin/shorewall compile -e directory directory/firewall &&\
737 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
738 ssh root@system '/sbin/shorewall-lite start'
739
740 In other words, the configuration in the specified (or defaulted)
741 directory is compiled to a file called firewall in that directory.
742 If compilation succeeds, then firewall is copied to system using
743 scp. If the copy succeeds, Shorewall Lite on system is started via
744 ssh. Beginning with Shorewall 5.0.13, if system is omitted, then
745 the FIREWALL option setting in shorewall.conf[6](5)
746 (shorewall6.conf(5)[1]) is assumed. In that case, if you want to
747 specify a directory, then the -D option must be given.
748
749 The -n option causes Shorewall to avoid updating the routing
750 table(s).
751
752 If -s is specified and the start command succeeds, then the remote
753 Shorewall-lite configuration is saved by executing shorewall-lite
754 save via ssh.
755
756 if -c is included, the command shorewall[6]-lite show capabilities
757 -f > /var/lib/shorewall[6]-lite/capabilities is executed via ssh
758 then the generated file is copied to directory using scp. This step
759 is performed before the configuration is compiled.
760
761 If -r is included, it specifies that the root user on system is
762 named root-user-name rather than "root".
763
764 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
765 trace to be included with each compiler-generated error and warning
766 message.
767
768 remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
769 directory ] [ system ]
770 This command was added in Shorewall 5.0.0 and is only available in
771 Shorewall and Shorewall6.
772
773 If directory is omitted, the current working directory is assumed.
774 Allows a non-root user to compile a shorewall script and install it
775 on a system (provided that the user has root access to the system
776 via ssh). The command is equivalent to:
777
778 /sbin/shorewall compile -e directory directory/firewall &&\
779 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
780 ssh root@system '/sbin/shorewall-lite reload'
781
782 In other words, the configuration in the specified (or defaulted)
783 directory is compiled to a file called firewall in that directory.
784 If compilation succeeds, then firewall is copied to system using
785 scp. If the copy succeeds, Shorewall Lite on system is reloaded
786 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
787 then the FIREWALL option setting in shorewall.conf[1](5)
788 (shorewall6.conf[1](5)) is assumed. In that case, if you want to
789 specify a directory, then the -D option must be given.
790
791 If -s is specified and the reload command succeeds, then the
792 remote Shorewall-lite configuration is saved by executing
793 shorewall-lite save via ssh.
794
795 If -c is included, the command shorewall-lite show capabilities -f
796 > /var/lib/shorewall-lite/capabilities is executed via ssh, then the
797 generated file is copied to directory using scp. This step is
798 performed before the configuration is compiled.
799
800 If -r is included, it specifies that the root user on system is
801 named root-user-name rather than "root".
802
803 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
804 trace to be included with each compiler-generated error and warning
805 message.
806
807 The -i option was added in Shorewall 4.6.0 and causes a warning
808 message to be issued if the current line contains alternative input
809 specifications following a semicolon (";"). Such lines will be
810 handled incorrectly if INLINE_MATCHES is set to Yes in
811 shorewall.conf[1](5) (shorewall6.conf[1](5)).
812
813 remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ]
814 directory ] [ system ]
815 This command was renamed from reload in Shorewall 5.0.0 and is
816 available in Shorewall and Shorewall6 only.
817
818 If directory is omitted, the current working directory is assumed.
819 Allows a non-root user to compile a shorewall script and install it
820 on a system (provided that the user has root access to the system
821 via ssh). The command is equivalent to:
822
823 /sbin/shorewall compile -e directory directory/firewall &&\
824 scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
825 ssh root@system '/sbin/shorewall-lite restart'
826
827 In other words, the configuration in the specified (or defaulted)
828 directory is compiled to a file called firewall in that directory.
829 If compilation succeeds, then firewall is copied to system using
830 scp. If the copy succeeds, Shorewall Lite on system is restarted
831 via ssh. Beginning with Shorewall 5.0.13, if system is omitted,
832 then the FIREWALL option setting in shorewall.conf[1](5)
833 (shorewall6.conf[1](5)) is assumed. In that case, if you want to
834 specify a directory, then the -D option must be given.
835
836 If -s is specified and the restart command succeeds, then the
837 remote Shorewall-lite configuration is saved by executing
838 shorewall-lite save via ssh.
839
840 If -c is included, the command shorewall-lite show capabilities -f
841 > /var/lib/shorewall-lite/capabilities is executed via ssh, then the
842 generated file is copied to directory using scp. This step is
843 performed before the configuration is compiled.
844
845 If -r is included, it specifies that the root user on system is
846 named root-user-name rather than "root".
847
848 The -T option was added in Shorewall 4.5.3 and causes a Perl stack
849 trace to be included with each compiler-generated error and warning
850 message.
851
852 The -i option was added in Shorewall 4.6.0 and causes a warning
853 message to be issued if the current line contains alternative input
854 specifications following a semicolon (";"). Such lines will be
855 handled incorrectly if INLINE_MATCHES is set to Yes in
856 shorewall.conf[1](5) (shorewall6.conf[1](5)).
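
 The following script is an added example; it is not part of Shorewall or of
 this manual page. It spells out the pipeline behind remote-start,
 remote-reload and remote-restart, including the -c, -s and -r steps, as one
 function so that each step can be audited, logged or run from a deployment
 job. The three commands differ only in the shorewall-lite command executed
 on system, so one function serves all three. The command names are taken
 from variables so that stubs or wrappers (for example ssh with strict
 host-key checking) can be substituted; the host fw1.example.net and the
 account admin in the usage note are assumptions. Every remote step runs with
 root privileges on system, so the ssh identity used should be a dedicated
 key; the function itself does not enforce that.

```shell
#!/bin/sh
# Added example (not part of Shorewall): the steps behind
#   shorewall remote-{start,reload,restart} [-c] [-s] [-r user] DIR SYSTEM
# made explicit. For IPv6 substitute shorewall6 / shorewall6-lite.
# The commands are taken from variables so a test harness or a hardened
# wrapper can be substituted.
: "${SHOREWALL:=/sbin/shorewall}"
: "${SSH:=ssh}"
: "${SCP:=scp}"

# remote_deploy ACTION DIR SYSTEM [ROOT_USER] [FETCH_CAPS] [SAVE]
#   ACTION      start | reload | restart
#   DIR         directory holding the configuration to compile
#   SYSTEM      host running Shorewall Lite
#   ROOT_USER   account used over ssh (the -r option); defaults to root
#   FETCH_CAPS  yes = fetch the target's capabilities first (the -c option)
#   SAVE        yes = run "shorewall-lite save" on success (the -s option)
remote_deploy() {
    action=$1 dir=$2 system=$3 ruser=${4:-root} fetch_caps=${5:-no} save=${6:-no}
    case $action in
        start|reload|restart) ;;
        *) echo "remote_deploy: unknown action '$action'" >&2; return 2 ;;
    esac
    target="$ruser@$system"

    # -c: capabilities are collected BEFORE compiling, so the compiler emits
    # rules only for features the target's kernel and iptables support.
    if [ "$fetch_caps" = yes ]; then
        "$SSH" "$target" '/sbin/shorewall-lite show -f capabilities > /var/lib/shorewall-lite/capabilities' || return 1
        "$SCP" "$target:/var/lib/shorewall-lite/capabilities" "$dir/" || return 1
    fi

    # compile -e produces a self-contained script; the target needs no compiler.
    "$SHOREWALL" compile -e "$dir" "$dir/firewall" || return 1
    "$SCP" "$dir/firewall" "$dir/firewall.conf" "$target:/var/lib/shorewall-lite/" || return 1
    "$SSH" "$target" "/sbin/shorewall-lite $action" || return 1

    # -s: snapshot only after the new ruleset is up, so a failed start or
    # reload never becomes what "shorewall-lite restore" brings back.
    if [ "$save" = yes ]; then
        "$SSH" "$target" '/sbin/shorewall-lite save' || return 1
    fi
}
```

 Invoked as remote_deploy reload /etc/shorewall-sites/fw1 fw1.example.net
 admin yes yes, the function performs what shorewall remote-reload -c -s -r
 admin /etc/shorewall-sites/fw1 fw1.example.net performs; every step is
 chained so that a compile error leaves the target untouched and a failed
 reload is never saved.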
857
858 reset [chain, ...]
859 Resets the packet and byte counters in the specified chain(s). If
860 no chain is specified, all the packet and byte counters in the
861 firewall are reset.
862
863 Beginning with Shorewall 5.0.0, chain may be composed of both a
864 table name and a chain name separated by a colon (e.g.,
865 mangle:PREROUTING). Chain names following that don't include a
866 table name are assumed to be in that same table. If no table name
867 is given in the command, the filter table is assumed.
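
 As an added illustration (not code from Shorewall), the function below
 applies the qualification rule just described to a reset argument list and
 prints each chain as table:chain. Restricting the table to the four listed
 under show -t is this helper's own check, not a documented limit of reset.

```shell
#!/bin/sh
# Added example (not part of Shorewall): qualify the chain arguments of
# "shorewall reset" as the command does from 5.0.0 on. Prints one
# TABLE:CHAIN per argument. A bare chain name inherits the table named by
# the most recent TABLE:CHAIN argument; until a table is named, filter is
# assumed. Rejecting tables other than filter, mangle, nat and raw is this
# helper's own check (the tables accepted by "show -t").
qualify_chains() {
    table=filter
    for arg in "$@"; do
        case $arg in
            *:*) table=${arg%%:*} chain=${arg#*:} ;;
            *)   chain=$arg ;;
        esac
        case $table in
            filter|mangle|nat|raw) ;;
            *) echo "qualify_chains: unknown table '$table' in '$arg'" >&2; return 1 ;;
        esac
        if [ -z "$chain" ]; then
            echo "qualify_chains: missing chain name in '$arg'" >&2
            return 1
        fi
        printf '%s:%s\n' "$table" "$chain"
    done
}
```

 qualify_chains INPUT mangle:PREROUTING POSTROUTING nat:OUTPUT prints
 filter:INPUT, mangle:PREROUTING, mangle:POSTROUTING and nat:OUTPUT, one
 per line: POSTROUTING is taken from the mangle table because that was the
 last table named, not from filter.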
868
869 restart [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
870 Beginning with Shorewall 5.0.0, this command performs a true
871 restart. The firewall is completely stopped as if a stop command
872 had been issued then it is started again.
873
874 Shorewall and Shorewall6
875 If a directory is included in the command, Shorewall will look
876 in that directory first for configuration files.
877
878 The -n option causes Shorewall to avoid updating the routing
879 table(s).
880
881 The -p option causes the connection tracking table to be
882 flushed; the conntrack utility must be installed to use this
883 option.
884
885 The -d option causes the compiler to run under the Perl
886 debugger.
887
888 The -f option suppresses the compilation step and simply reuses
889 the compiled script which last started/restarted Shorewall,
890 provided that /etc/shorewall and its contents have not been
891 modified since the last start/restart.
892
893 The -c option was added in Shorewall 4.4.20 and performs the
894 compilation step unconditionally, overriding the AUTOMAKE
895 setting in shorewall.conf[1](5). When both -f and -c are
896 present, the result is determined by the option that appears
897 last.
898
899 The -T option was added in Shorewall 4.5.3 and causes a Perl
900 stack trace to be included with each compiler-generated error
901 and warning message.
902
903 The -i option was added in Shorewall 4.6.0 and causes a warning
904 message to be issued if the current line contains alternative
905 input specifications following a semicolon (";"). Such lines
906 will be handled incorrectly if INLINE_MATCHES is set to Yes in
907 shorewall.conf[1](5).
908
909 The -C option was added in Shorewall 4.6.5 and is only
910 meaningful when AUTOMAKE=Yes in shorewall.conf[1](5). If an
911 existing firewall script is used and if that script was the one
912 that generated the current running configuration, then the
913 running netfilter configuration will be reloaded as is so as to
914 preserve the iptables packet and byte counters.
915
916 The -D option was added in Shorewall 5.2.4 and causes the
917 compiler to write a large amount of debugging information to
918 standard output.
919
920 Shorewall-lite and Shorewall6-lite
921 The -n option causes Shorewall to avoid updating the routing
922 table(s).
923
924 The -p option causes the connection tracking table to be
925 flushed; the conntrack utility must be installed to use this
926 option.
927
928 The -C option was added in Shorewall 4.6.5. If the existing
929 firewall script is the one that generated the current running
930 configuration, then the running netfilter configuration will be
931 reloaded as is so as to preserve the iptables packet and byte
932 counters.
933
934 restore [-n] [-p] [-C] [ filename ]
935 Restore Shorewall to a state saved using the shorewall save
936 command. Existing connections are maintained. The filename names a
937 restore file in /var/lib/shorewall created using shorewall save; if
938 no filename is given then Shorewall will be restored from the file
939 specified by the RESTOREFILE option in shorewall.conf[1](5)
940 (shorewall6.conf[1](5)).
941
942 Caution
943 If your iptables ruleset depends on variables that are detected
944 at run-time, either in your params file or by
945 Shorewall-generated code, restore will use the values that were
946 current when the ruleset was saved, which may be different from
947 the current values.

948 The -n option causes Shorewall to avoid updating the routing
949 table(s).
950
951 The -p option, added in Shorewall 4.6.5, causes the connection
952 tracking table to be flushed; the conntrack utility must be
953 installed to use this option.
954
955 The -C option was added in Shorewall 4.6.5. If the -C option was
956 specified during shorewall save, then the counters saved by that
957 operation will be restored.
958
959 run command [ parameter ... ]
960 Added in Shorewall 4.6.3. Executes command in the context of the
961 generated script passing the supplied parameters. Normally, the
962 command will be a function declared in lib.private.
963
964 Before executing the command, the script will detect the
965 configuration, setting all SW_* variables and will run your init
966 extension script with $COMMAND = 'run'.
967
968 If there are files in the CONFIG_PATH that were modified after the
969 current firewall script was generated, the following warning
970 message is issued:
971 WARNING: /var/lib/shorewall/firewall is not up to date
973
974 safe-reload [-d] [-p] [-t timeout ] [ directory ]
975 Added in Shorewall 5.0.0, this command performs the same function
976 as did safe_restart in earlier releases. The command is available
977 in Shorewall and Shorewall6 only.
978
979 Only allowed if Shorewall is running. The current configuration is
980 saved in /var/lib/shorewall/safe-reload (see the save command
981 below) then a shorewall reload is done. You will then be prompted
982 asking if you want to accept the new configuration or not. If you
983 answer "n" or if you fail to answer within 60 seconds (such as when
984 your new configuration has disabled communication with your
985 terminal), the configuration is restored from the saved
986 configuration. If a directory is given, then Shorewall will look in
987 that directory first when opening configuration files.
988
989 Beginning with Shorewall 4.5.0, you may specify a different timeout
990 value using the -t option. The numeric timeout may optionally be
991 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
992 minutes or hours respectively. If the suffix is omitted, seconds is
993 assumed.
994
995 safe-restart [-d] [-p] [-t timeout ] [ directory ]
996 Only allowed if Shorewall[6] is running and is not available in
997 Shorewall-lite and Shorewall6-lite. The current configuration is
998 saved in /var/lib/shorewall/safe-restart (see the save command
999 below) then a shorewall restart is done. You will then be prompted
1000 asking if you want to accept the new configuration or not. If you
1001 answer "n" or if you fail to answer within 60 seconds (such as when
1002 your new configuration has disabled communication with your
1003 terminal), the configuration is restored from the saved
1004 configuration. If a directory is given, then Shorewall will look in
1005 that directory first when opening configuration files.
1006
1007 Beginning with Shorewall 4.5.0, you may specify a different timeout
1008 value using the -t option. The numeric timeout may optionally be
1009 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1010 minutes or hours respectively. If the suffix is omitted, seconds is
1011 assumed.
1012
1013 safe-start [-d] [-p] [-t timeout ] [ directory ]
1014 Shorewall is started normally. You will then be prompted asking if
1015 everything went all right. If you answer "n" or if you fail to
1016 answer within 60 seconds (such as when your new configuration has
1017 disabled communication with your terminal), a shorewall clear is
1018 performed for you. If a directory is given, then Shorewall will
1019 look in that directory first when opening configuration files.
1020
1021 Beginning with Shorewall 4.5.0, you may specify a different timeout
1022 value using the -t option. The numeric timeout may optionally be
1023 followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1024 minutes or hours respectively. If the suffix is omitted, seconds is
1025 assumed.
1026
1027 This command is available in Shorewall and Shorewall6 only.
1028
1029 save [-C] [ filename ]
1030 Creates a snapshot of the currently running firewall. The dynamic
1031 blacklist is stored in /var/lib/shorewall/save. The state of the
1032 firewall is stored in /var/lib/shorewall/filename for use by the
1033 shorewall restore command. If filename is not given then the state
1034 is saved in the file specified by the RESTOREFILE option in
1035 shorewall.conf[1](5) (shorewall6.conf[1](5)).
1036
1037 The -C option, added in Shorewall 4.6.5, causes the iptables packet
1038 and byte counters to be saved along with the chains and rules.
1039
1040 savesets
1041 Added in shorewall 4.6.8. Performs the same action as the stop
1042 command with respect to saving ipsets (see the SAVE_IPSETS option
1043 in shorewall.conf[1](5) (shorewall6.conf[1](5)). This command may
1044 be used to proactively save your ipset contents in the event that a
1045 system failure occurs prior to issuing a stop command.
1046
1047 show
1048 The show command can have a number of different arguments:
1049
1050 action action
1051 Lists the named action file. Available on Shorewall and
1052 Shorewall6 only.
1053
1054 actions
1055 Produces a report about the available actions (built-in,
1056 standard and user-defined). Available on Shorewall and
1057 Shorewall6 only.
1058
1059 bl|blacklists [-x]
1060 Added in Shorewall 4.6.2. Displays the dynamic chain along with
1061 any chains produced by entries in shorewall-blrules(5). The -x
1062 option is passed directly through to iptables and causes actual
1063 packet and byte counts to be displayed. Without this option,
1064 those counts are abbreviated.
1065
1066 [-f] capabilities
1067 Displays your kernel/iptables capabilities. The -f option
1068 causes the display to be formatted as a capabilities file for
1069 use with compile -e.
1070
1071 [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [ chain... ]
1072 The rules in each chain are displayed using the iptables -L
1073 chain -n -v command. If no chain is given, all of the chains in
1074 the filter table are displayed. The -x option is passed
1075 directly through to iptables and causes actual packet and byte
1076 counts to be displayed. Without this option, those counts are
1077 abbreviated. The -t option specifies the Netfilter table to
1078 display. The default is filter.
1079
1080 The -b ('brief') option causes rules which have not been used
1081 (i.e. which have zero packet and byte counts) to be omitted
1082 from the output. Chains with no rules displayed are also
1083 omitted from the output.
1084
1085 The -l option causes the rule number for each Netfilter rule to
1086 be displayed.
1087
1088 If the -t option and the chain keyword are both omitted and any
1089 of the listed chains do not exist, a usage message is
1090 displayed.
1091
1092 classifiers|filters
1093 Displays information about the packet classifiers defined on
1094 the system as a result of traffic shaping configuration.
1095 Beginning with Shorewall 5.2.8, this command is deprecated, as
1096 its output is included in the information displayed by the
1097 'show tc' command.
1098
1099 config
1100 Displays distribution-specific defaults.
1101
1102 connections [filter_parameter ...]
1103 Displays the IP connections currently being tracked by the
1104 firewall.
1105
1106 If the conntrack utility is installed, beginning with Shorewall
1107 4.6.11 the set of connections displayed can be limited by
1108 including conntrack filter parameters (-p , -s, --dport, etc).
1109 See conntrack(8) for details.
1110
1111 event event
1112 Added in Shorewall 4.5.19. Displays the named event.
1113
1114 events
1115 Added in Shorewall 4.5.19. Displays all events.
1116
1117 ip
1118 Displays the system's IPv4 configuration.
1119
1120 ipa
1121 Added in Shorewall 4.4.17. Displays the per-IP accounting
1122 counters (shorewall-accounting[7](5),
1123 shorewall6-accounting[7](5)).
1124
1125 ipsec
1126 Added in Shorewall 5.1.0. Displays the contents of the IPSEC
1127 Security Policy Database (SPD) and Security Association
1128 Database (SAD). SAD keys are not displayed.
1129
1130 [-m] log
1131 Displays the last 20 Shorewall messages from the log file
1132 specified by the LOGFILE option in shorewall.conf[1](5)
1133 (shorewall6.conf[1](5)). The -m option causes the MAC address
1134 of each packet source to be displayed if that information is
1135 available.
1136
1137 macros
1138 Displays information about each macro defined on the firewall
1139 system (Shorewall and Shorewall6 only)
1140
1141 macro macro
1142 Added in Shorewall 4.4.6. Displays the file that implements the
1143 specified macro (usually /usr/share/shorewall/macro.macro).
1144 Available only in Shorewall and Shorewall6.
1145
1146 [-x] mangle
1147 Displays the Netfilter mangle table using the command iptables
1148 -t mangle -L -n -v. The -x option is passed directly through to
1149 iptables and causes actual packet and byte counts to be
1150 displayed. Without this option, those counts are abbreviated.
1151
1152 marks
1153 Added in Shorewall 4.4.26. Displays the various fields in
1154 packet marks giving the min and max value (in both decimal and
1155 hex) and the applicable mask (in hex).
1156
1157 [-x] nat
1158 Displays the Netfilter nat table using the command iptables -t
1159 nat -L -n -v. The -x option is passed directly through to
1160 iptables and causes actual packet and byte counts to be
1161 displayed. Without this option, those counts are abbreviated.
1162
1163 opens
1164 Added in Shorewall 4.5.8. Displays the iptables rules in the
1165 'dynamic' chain created through use of the open command.
1166
1167 policies
1168 Added in Shorewall 4.4.4. Displays the applicable policy
1169 between each pair of zones. Note that implicit intrazone ACCEPT
1170 policies are not displayed for zones associated with a single
1171 network where that network doesn't specify routeback.
1172
1173 rc
1174 Added in Shorewall 5.2.0. Displays the contents of
1175 $SHAREDIR/shorewall/shorewallrc.
1176
1177 [-c] routing
1178 Displays the system's IPv4 routing configuration. The -c option
1179 causes the route cache to be displayed along with the other
1180 routing information.
1181
1182 [-x] raw
1183 Displays the Netfilter raw table using the command iptables -t
1184 raw -L -n -v. The -x option is passed directly through to
1185 iptables and causes actual packet and byte counts to be
1186 displayed. Without this option, those counts are abbreviated.
1187
1188 saves
1189 Added in Shorewall 5.2.0. Lists snapshots created by the save
1190 command. Each snapshot is listed with the date and time when it
1191 was taken. If there is a snapshot with the name specified in
1192 the RESTOREFILE option in shorewall.conf[6](5), that snapshot
1193 is listed as the default snapshot for the restore command.
1194
1195 tc
1196 Displays information about queuing disciplines, classes and
1197 filters.
1198
1199 zones
1200 Displays the current composition of the Shorewall zones on the
1201 system.
1202
1203 start [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [-D] [ directory ]
1204
1205 Shorewall and Shorewall6
1206 Start shorewall[6]. Existing connections through shorewall
1207 managed interfaces are untouched. New connections will be
1208 allowed only if they are allowed by the firewall rules or
1209 policies. If a directory is included in the command, Shorewall
1210 will look in that directory first for configuration files. If
1211 -f is specified, the saved configuration specified by the
1212 RESTOREFILE option in shorewall.conf[1](5)
1213 (shorewall6.conf[1](5)) will be restored if that saved
1214 configuration exists and has been modified more recently than
1215 the files in /etc/shorewall. When -f is given, a directory may
1216 not be specified.
1217
1218 Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was
1219 added to shorewall.conf[1](5) (shorewall6.conf[1](5)). When
1220 LEGACY_FASTSTART=No, the modification times of files in
1221 /etc/shorewall are compared with that of
1222 /var/lib/shorewall/firewall (the compiled script that last
1223 started/restarted the firewall).
1224
1225 The -n option causes Shorewall to avoid updating the routing
1226 table(s).
1227
1228 The -p option causes the connection tracking table to be
1229 flushed; the conntrack utility must be installed to use this
1230 option.
1231
1232 The -c option was added in Shorewall 4.4.20 and performs the
1233 compilation step unconditionally, overriding the AUTOMAKE
1234 setting in shorewall.conf[1](5) (shorewall6.conf[1](5)). When
1235 both -f and -c are present, the result is determined by the
1236 option that appears last.
1237
1238 The -T option was added in Shorewall 4.5.3 and causes a Perl
1239 stack trace to be included with each compiler-generated error
1240 and warning message.
1241
1242 The -i option was added in Shorewall 4.6.0 and causes a warning
1243 message to be issued if the current line contains alternative
1244 input specifications following a semicolon (";"). Such lines
1245 will be handled incorrectly if INLINE_MATCHES is set to Yes in
1246 shorewall.conf[1](5) (shorewall6.conf[1](5)).
1247
1248 The -C option was added in Shorewall 4.6.5 and is only
1249 meaningful when the -f option is also specified. If the
1250 previously-saved configuration is restored, and if the -C
1251 option was also specified in the save command, then the packet
1252 and byte counters will be restored.
1253
1254 The -D option was added in Shorewall 5.2.4 and causes the
1255 compiler to write a large amount of debugging information to
1256 standard output.
1257
1258 Shorewall-lite and Shorewall6-lite
1259 Start Shorewall[6] Lite. Existing connections through
1260 shorewall[6]-lite managed interfaces are untouched. New
1261 connections will be allowed only if they are allowed by the
1262 firewall rules or policies.
1263
1264 The -p option causes the connection tracking table to be
1265 flushed; the conntrack utility must be installed to use this
1266 option.
1267
1268 The -n option prevents the firewall script from modifying the
1269 current routing configuration.
1270
1271 The -f option was added in Shorewall 4.6.5. If the RESTOREFILE
1272 named in shorewall.conf[6](5) exists, is executable and is not
1273 older than the current firewall script, then that saved
1274 configuration is restored.
1275
1276 The -C option was added in Shorewall 4.6.5 and is only
1277 meaningful when the -f option is also specified. If the
1278 previously-saved configuration is restored, and if the -C
1279 option was also specified in the save command, then the packet
1280 and byte counters will be restored.
1281
1282 stop
1283 Stops the firewall. All existing connections, except those listed
1284 in shorewall-stoppedrules[8](5) or permitted by the
1285 ADMINISABSENTMINDED option in shorewall.conf[1](5), are taken down.
1286 The only new traffic permitted through the firewall is from systems
1287 listed in shorewall-stoppedrules[8](5) or by ADMINISABSENTMINDED.
 Unlike clear, stop does not remove the firewall: a stopped firewall
 blocks traffic rather than passing it.
1288
1289 status [-i]
1290 Produces a short report about the state of the Shorewall-configured
1291 firewall.
1292
1293 The -i option was added in Shorewall 4.6.2 and causes the status of
1294 each optional or provider interface to be displayed.
1295
1296 try directory [ timeout ]
1297 This command is available in Shorewall and Shorewall6 only.
1298
1299 If Shorewall[6] is started then the firewall state is saved to a
1300 temporary saved configuration (/var/lib/shorewall/.try). Next, if
1301 Shorewall[6] is currently started then a restart command is issued
1302 using the specified configuration directory; otherwise, a start
1303 command is performed using the specified configuration directory.
1304 If an error occurs during the compilation phase of the restart or
1305 start, the command terminates without changing the Shorewall[6]
1306 state. If an error occurs during the restart phase, then a
1307 shorewall restore is performed using the saved configuration. If an
1308 error occurs during the start phase, then Shorewall is cleared. If
1309 the start/restart succeeds and a timeout is specified then a clear
1310 or restore is performed after timeout seconds.
1311
1312 Beginning with Shorewall 4.5.0, the numeric timeout may optionally
1313 be followed by an s, m or h suffix (e.g., 5m) to specify seconds,
1314 minutes or hours respectively. If the suffix is omitted, seconds is
1315 assumed.
1316
1317 update [-d] [-r] [-T] [-a] [-i] [-A] [ directory ]
1318 This command is available only in Shorewall and Shorewall6.
1319
1320 Added in Shorewall 4.4.21 and causes the compiler to update
1321 /etc/shorewall/shorewall.conf then validate the configuration. The
1322 update will add options not present in the old file with their
1323 default values, and will move deprecated options with non-defaults
1324 to a deprecated options section at the bottom of the file. Your
1325 existing shorewall.conf file is renamed shorewall.conf.bak.
1326
1327 The command was extended over the years with a set of options that
1328 caused additional configuration updates.
1329
1330 • Convert an existing blacklist file into an equivalent blrules
1331 file.
1332
1333 • Convert an existing routestopped file into an equivalent
1334 stoppedrules file.
1335
1336 • Convert existing tcrules and tos files into an equivalent
1337 mangle file.
1338
1339 • Convert an existing notrack file into an equivalent conntrack
1340 file.
1341
1342 • Convert FORMAT, SECTION and COMMENT entries into ?FORMAT,
1343 ?SECTION and ?COMMENT directives.
1344
1345 In each case, the old file is renamed with a .bak suffix.
1346
1347 In Shorewall 5.0.0, the options were eliminated and the update
1348 command performs all of the updates described above.
1349
1350 Important
1351 There are some notable restrictions with the update command:
1352
1353 1. Converted rules will be appended to the existing file; if
1354 there is no existing file in the CONFIG_PATH, one will be
1355 created in the directory specified in the command or in the
1356 first entry in the CONFIG_PATH (normally /etc/shorewall)
1357 otherwise.
1358
1359 2. Existing comments in the file being converted will not be
1360 transferred to the output file.
1361
1362 3. With the exception of the notrack->conntrack conversion,
1363 INCLUDEd files will be expanded inline in the output file.
1364
1365 4. Columns in the output file will be separated by a single
1366 tab character; there is no attempt made to otherwise align
1367 the columns.
1368
1369 5. Prior to Shorewall 5.0.15, shell variables will be expanded
1370 in the output file.
1371
1372 6. Prior to Shorewall 5.0.15, lines omitted by compiler
1373 directives (?if ...., etc.) will not appear in the output
1374 file.
1375
1376 Important
1377 Because the translation of the 'blacklist' and
1378 'routestopped' files is not 1:1, omitted lines and
1379 compiler directives are not transferred to the
1380 converted files. If either are present, the compiler
1381 issues a warning:
1382
1383 WARNING: Omitted rules and compiler directives were not translated

1384 The -a option causes the updated shorewall.conf file to be
1385 annotated with documentation.
1386
1387 The -i option was added in Shorewall 4.6.0 and causes a warning
1388 message to be issued if the current line contains alternative input
1389 specifications following a semicolon (";"). Such lines will be
1390 handled incorrectly if INLINE_MATCHES is set to Yes in
1391 shorewall.conf[1](5).
1392
1393 The -A option is included for compatibility with Shorewall 4.6 and
1394 is equivalent to specifying the -i option.
1395
1396 For a description of the other options, see the check command
1397 above.
1398
1399 version [-a]
1400 Displays Shorewall's version. The -a option is included for
1401 compatibility with earlier Shorewall releases and is ignored.
1402
1403 EXIT STATUS
1404 In general, when a command succeeds, status 0 is returned; when the
1405 command fails, a non-zero status is returned.
1406
1407 The status command returns exit status as follows:
1408
1409 0 - Firewall is started.
1410
1411 3 - Firewall is stopped or cleared
1412
1413 4 - Unknown state; usually means that the firewall has never been
1414 started.
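
 Added example, not part of Shorewall: a wrapper that maps these exit codes
 to a state word, and a health check that passes only for exit status 0, so
 that a stopped, cleared or never-started firewall fails the check the same
 way an unreadable state does. The command is taken from the SHOREWALL
 variable so that /sbin/shorewall-lite, or a stub, can stand in for
 /sbin/shorewall.

```shell
#!/bin/sh
# Added example (not part of Shorewall): act on the documented exit status
# of "shorewall status" from a monitoring job or a deploy script.
# SHOREWALL may be overridden, e.g. SHOREWALL=/sbin/shorewall-lite.
: "${SHOREWALL:=/sbin/shorewall}"

# Prints one of: started, stopped, unknown, error.
# Only exit status 0 means a ruleset is loaded and enforced; 3 and 4 both
# mean traffic is not being filtered by Shorewall.
firewall_state() {
    if "$SHOREWALL" status >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0) echo started ;;
        3) echo stopped ;;                # stopped or cleared
        4) echo unknown ;;                # usually: never started since boot
        *) echo error; return 1 ;;        # e.g. 127 when the command is missing
    esac
}

# Succeeds only when the firewall is enforcing rules; anything else,
# including an unreadable state, is a failed health check.
require_started() {
    st=$(firewall_state) || { echo "firewall check failed: ${st:-error}" >&2; return 1; }
    if [ "$st" = started ]; then
        return 0
    fi
    echo "firewall not enforcing rules: $st" >&2
    return 1
}
```

 Treating status 3 and 4 alike in require_started is deliberate: from the
 point of view of a host that should be filtering, "stopped", "cleared" and
 "never started" are the same failure.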
1415
1416 ENVIRONMENT
1417 Two environment variables are recognized by Shorewall:
1418
1419 SHOREWALL_INIT_SCRIPT
1420 When set to 1, causes standard output to be redirected to the file
1421 specified in the STARTUP_LOG option in shorewall.conf[6](5).
1422
1423 SW_LOGGERTAG
1424 Added in Shorewall 5.0.8. When set to a non-empty value, that value
1425 is passed to the logger utility in its -t (--tag) option.
1426
1427 FILES
1428 /etc/shorewall/*
1429
1430 /etc/shorewall6/*
1431
1432 SEE ALSO
1433 https://shorewall.org/starting_and_stopping_shorewall.htm[9] -
1434 Describes operational aspects of Shorewall.
1435 shorewall-files(5)[10] - Describes the various configuration files
1436 along with features and conventions common to those files.
1437 shorewall-names(5)[11] - Describes naming of objects within a
1438 Shorewall configuration.
1439 shorewall-addresses(5)[12] - Describes how to specify addresses
1440 within a Shorewall configuration.
1441 shorewall-exclusion(5)[13] - Describes how to exclude certain hosts
1442 and/or networks from matching a rule.
1443 shorewall-nesting(5)[14] - Describes how to nest one Shorewall zone
1444 inside another.
1450
1451 NOTES
1452 1. shorewall.conf
1453 https://shorewall.org/manpages//manpages/shorewall.conf.html
1454
1455 2. shorewall-interfaces
1456 https://shorewall.org/manpages//manpages/shorewall-interfaces.html
1457
1458 3. shorewall-zones
1459 https://shorewall.org/manpages//manpages/shorewall-zones.html
1460
1461 4. shorewall-routes
1462 https://shorewall.org/manpages//manpages/shorewall-routes.html
1463
1464 5. logging backend
1465 https://shorewall.org/manpages//shorewall_logging.html#Backends
1466
1467 6. shorewall.conf
1468 https://shorewall.org/manpages/shorewall.conf.html
1469
1470 7. shorewall-accounting
1471 https://shorewall.org/manpages//manpages/shorewall-accounting.html
1472
1473 8. shorewall-stoppedrules
1474 https://shorewall.org/manpages//manpages/shorewall-stoppedrules.html
1475
1476 9. https://shorewall.org/starting_and_stopping_shorewall.htm
1477 https://shorewall.org/manpages//starting_and_stopping_shorewall.htm
1478
1479 10. shorewall-files(5)
1480 https://shorewall.org/manpages/shorewall-files.html
1481
1482 11. shorewall-names(5)
1483 https://shorewall.org/manpages/shorewall-names.html
1484
1485 12. shorewall-addresses(5)
1486 https://shorewall.org/manpages/shorewall-addresses.html
1487
1488 13. shorewall-exclusion(5)
1489 https://shorewall.org/manpages/shorewall-exclusion.html
1490
1491 14. shorewall-nesting(5)
1492 https://shorewall.org/manpages/shorewall-nesting.html
1493
1494
1495
1496Administrative Commands 09/24/2020 SHOREWALL(8)