shorewall-lite(8)                                            shorewall-lite(8)

NAME
       shorewall-lite - Administration tool for Shoreline Firewall Lite
       (Shorewall-lite)

SYNOPSIS
       shorewall-lite [trace|debug] [nolock] [-options] allow address
       shorewall-lite [trace|debug] [nolock] [-options] clear
       shorewall-lite [trace|debug] [nolock] [-options] drop address
       shorewall-lite [trace|debug] [-options] dump [-x] [-m]
       shorewall-lite [trace|debug] [nolock] [-options] forget [filename]
       shorewall-lite [trace|debug] [-options] help
       shorewall-lite [trace|debug] [-options] hits
       shorewall-lite [trace|debug] [-options] ipcalc {address mask | address/vlsm}
       shorewall-lite [trace|debug] [-options] iprange address1-address2
       shorewall-lite [trace|debug] [nolock] [-options] logdrop address
       shorewall-lite [trace|debug] [-options] logwatch [-m] [refresh-interval]
       shorewall-lite [trace|debug] [nolock] [-options] logreject address
       shorewall-lite [trace|debug] [nolock] [-options] reject address
       shorewall-lite [trace|debug] [nolock] [-options] restart [-n]
       shorewall-lite [trace|debug] [nolock] [-options] restore [filename]
       shorewall-lite [trace|debug] [nolock] [-options] save [filename]
       shorewall-lite [trace|debug] [-options] show [-x] [-t {filter|mangle|nat|raw}] [[chain] chain ...]
       shorewall-lite [trace|debug] [-options] show [-f] capabilities
       shorewall-lite [trace|debug] [-options] show {actions|classifiers|connections|config|macros|zones}
       shorewall-lite [trace|debug] [-options] show [-x] {mangle|nat}
       shorewall-lite [trace|debug] [-options] show tc
       shorewall-lite [trace|debug] [-options] show [-m] log
       shorewall-lite [trace|debug] [nolock] [-options] start [-n] [-f]
       shorewall-lite [trace|debug] [nolock] [-options] stop
       shorewall-lite [trace|debug] [-options] status
       shorewall-lite [trace|debug] [-options] version

DESCRIPTION
       The shorewall-lite utility is used to control the Shoreline Firewall
       (Shorewall) Lite.

       The trace and debug options are used for debugging. See
       ⟨http://www.shorewall.net/starting_and_stopping.htm#Trace⟩.

       The nolock option prevents the command from attempting to acquire the
       Shorewall Lite lockfile. It is useful if you need to include
       shorewall-lite commands in the started extension script.

       The options control the amount of output that the command produces.
       They consist of a sequence of the letters v and q. If the options are
       omitted, the amount of output is determined by the setting of the
       VERBOSITY parameter in shorewall.conf ⟨shorewall.conf.html⟩ (5). Each v
       adds one to the effective verbosity and each q subtracts one from the
       effective VERBOSITY. Alternately, v may be followed immediately by one
       of -1,0,1,2 to specify a specific VERBOSITY. There may be no white
       space between v and the VERBOSITY.

       The options may also include the letter t which causes all progress
       messages to be timestamped.

COMMANDS
       The available commands are listed below.

       add    Adds a list of hosts or subnets to a dynamic zone usually used
              with VPNs.

              The interface argument names an interface defined in the
              shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5) file. A
              host-list is a comma-separated list whose elements are a host
              or network address.

              Caution

              The add command is not very robust. If there are errors in the
              host-list, you may see a large number of error messages yet a
              subsequent shorewall show zones command will indicate that all
              hosts were added. If this happens, replace add by delete and run
              the same command again. Then enter the correct command.

       allow  Re-enables receipt of packets from hosts previously blacklisted
              by a drop, logdrop, reject, or logreject command.

       clear  Clear will remove all rules and chains installed by Shorewall
              Lite. The firewall is then wide open and unprotected. Existing
              connections are untouched. Clear is often used to see if the
              firewall is causing connection problems.

       delete The delete command reverses the effect of an earlier add
              command.

              The interface argument names an interface defined in the
              shorewall-interfaces ⟨shorewall-interfaces.html⟩ (5) file. A
              host-list is a comma-separated list whose elements are a host
              or network address.

       drop   Causes traffic from the listed addresses to be silently dropped.

       dump   Produces a verbose report about the firewall configuration for
              the purpose of problem analysis.

              The -x option causes actual packet and byte counts to be
              displayed. Without that option, these counts are abbreviated.
              The -m option causes any MAC addresses included in Shorewall
              Lite log messages to be displayed.

       forget Deletes /var/lib/shorewall-lite/filename and
              /var/lib/shorewall-lite/save. If no filename is given then the
              file specified by RESTOREFILE in shorewall-lite.conf
              ⟨shorewall-lite.conf.html⟩ (5) is assumed.

       help   Displays a syntax summary.

       hits   Generates several reports from Shorewall Lite log messages in
              the current log file.

       ipcalc Ipcalc displays the network address, broadcast address, network
              in CIDR notation and netmask corresponding to the input[s].

       iprange
              Iprange decomposes the specified range of IP addresses into the
              equivalent list of network/host addresses.

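       As an added illustration (not code from this man page or from the
       Shorewall project), the Python below reproduces what the ipcalc and
       iprange commands compute, using the standard-library ipaddress module.
       The function names ipcalc and iprange are the example's own, chosen to
       match the command names, and every input shown is constructed.

```python
import ipaddress
from typing import Dict, List, Optional

def ipcalc(address: str, mask: Optional[str] = None) -> Dict[str, str]:
    """What 'shorewall-lite ipcalc' reports for one input.

    Accepts the two forms in the synopsis: ipcalc("address/vlsm") or
    ipcalc("address", "mask"). strict=False lets a host address inside the
    network be given, as the command allows, instead of requiring the
    network address itself. (Example code; not Shorewall's implementation.)
    """
    text = address.strip() if mask is None else f"{address.strip()}/{mask.strip()}"
    net = ipaddress.ip_network(text, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "cidr": str(net),
        "netmask": str(net.netmask),
    }

def iprange(first: str, last: str) -> List[str]:
    """Decompose the inclusive range first-last into the smallest equivalent
    list of network/host addresses, as 'shorewall-lite iprange' does.

    A reversed range is a user error, so it is rejected rather than silently
    producing an empty list. (Example code; not Shorewall's implementation.)
    """
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    if lo > hi:
        raise ValueError(f"range start {first} is after range end {last}")
    # summarize_address_range yields the minimal covering CIDR blocks in order.
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]

if __name__ == "__main__":
    # Constructed inputs: a host address with a /27 and a range that does not
    # fall on block boundaries, so the decomposition needs several blocks.
    for key, value in ipcalc("192.168.1.37/27").items():
        print(f"{key:<10}{value}")
    print(" ".join(iprange("192.168.1.10", "192.168.1.20")))
```

       The range case shows why the command exists: 192.168.1.10-192.168.1.20
       is not a single network, so a rule written for it needs the four
       blocks the decomposition produces.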
       logdrop
              Causes traffic from the listed addresses to be logged then
              discarded.

       logwatch
              Monitors the log file specified by the LOGFILE option in
              shorewall-lite.conf ⟨shorewall-lite.conf.html⟩ (5) and produces
              an audible alarm when new Shorewall Lite messages are logged.
              The -m option causes the MAC address of each packet source to
              be displayed if that information is available. The
              refresh-interval specifies the time in seconds between screen
              refreshes. You can enter a negative number by preceding the
              number with "--" (e.g., shorewall-lite logwatch -- -30). In this
              case, when a packet count changes, you will be prompted to hit
              any key to resume screen refreshes.

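       An added example, not part of this man page or of Shorewall: a small
       Python report over constructed log lines in the form that Shorewall
       LOG rules write to syslog (a Shorewall:chain:disposition: prefix
       followed by the kernel's key=value fields). It produces the kind of
       per-source, per-port and per-disposition counts that the hits command
       reports, and shows how the -m option of hits and logwatch obtains a
       source MAC from the MAC= field, which carries the destination MAC, the
       source MAC and then the EtherType. The sample lines, the function
       names and the report layout are all the example's own.

```python
import re
from collections import Counter
from typing import Dict, Optional

# Constructed sample log lines (not from a real host). One non-Shorewall line
# is included because LOGFILE is normally a shared syslog file.
SAMPLE_LOG = """\
Jan  5 10:00:01 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 10:00:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
Jan  5 10:00:03 fw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:11:22:33:44:55:cc:dd:ee:ff:00:11:08:00 SRC=198.51.100.9 DST=192.0.2.1 LEN=44 TOS=0x00 PREC=0x00 TTL=240 ID=54321 PROTO=UDP SPT=4000 DPT=53 LEN=24
Jan  5 10:00:04 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Jan  5 10:00:05 fw sshd[1234]: Accepted publickey for admin from 192.0.2.50 port 40000 ssh2
"""

# The prefix Shorewall's LOG rules use: "Shorewall:<chain>:<disposition>:".
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disposition>[^:\s]+):(?P<fields>.*)$")
# The kernel's fields are KEY=VALUE; bare flags such as DF and SYN have no '='.
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the chain, disposition and key=value fields of one Shorewall
    log line, or None for lines written by other programs."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"chain": m.group("chain"), "disposition": m.group("disposition")}
    for key, value in KV_RE.findall(m.group("fields")):
        # UDP and ICMP lines repeat LEN=/ID= for the inner header; keep the
        # first (outer IP header) value rather than overwriting it.
        rec.setdefault(key, value)
    return rec

def source_mac(mac_field: str) -> Optional[str]:
    """MAC= holds dst(6 bytes):src(6 bytes):ethertype(2 bytes); the source
    MAC is what -m displays. Returns None if the field is too short."""
    parts = mac_field.split(":")
    if len(parts) < 12:
        return None
    return ":".join(parts[6:12])

def hits_report(log_text: str, show_mac: bool = False) -> Dict[str, Counter]:
    """Count logged packets by source, by protocol/port and by disposition."""
    by_source, by_port, by_disposition = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("SRC", "?")
        if show_mac and rec.get("MAC"):
            src = f"{src} ({source_mac(rec['MAC'])})"
        by_source[src] += 1
        by_disposition[rec["disposition"]] += 1
        if "DPT" in rec:
            by_port[f"{rec.get('PROTO', '?')}/{rec['DPT']}"] += 1
    return {"by_source": by_source, "by_port": by_port, "by_disposition": by_disposition}

if __name__ == "__main__":
    report = hits_report(SAMPLE_LOG, show_mac=True)
    for title, counter in report.items():
        print(title)
        for key, count in counter.most_common():
            print(f"  {count:>5}  {key}")
```

       Keeping the first LEN=/ID= value matters when summarising: the second
       pair on UDP and ICMP lines describes the inner header, and a parser
       that overwrites would report the wrong packet length.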
       logreject
              Causes traffic from the listed addresses to be logged then
              rejected.

       reset  All the packet and byte counters in the firewall are reset.

       restart
              Restart is similar to shorewall-lite stop followed by
              shorewall-lite start. Existing connections are maintained. The
              -n option causes Shorewall to avoid updating the routing
              table(s).

       restore
              Restore Shorewall Lite to a state saved using the shorewall-lite
              save command. Existing connections are maintained. The filename
              names a restore file in /var/lib/shorewall-lite created using
              shorewall-lite save; if no filename is given then Shorewall Lite
              will be restored from the file specified by the RESTOREFILE
              option in shorewall-lite.conf ⟨shorewall-lite.conf.html⟩ (5).

       save   The dynamic blacklist is stored in /var/lib/shorewall-lite/save.
              The state of the firewall is stored in
              /var/lib/shorewall-lite/filename for use by the shorewall-lite
              restore and shorewall-lite start -f commands. If filename is not
              given then the state is saved in the file specified by the
              RESTOREFILE option in shorewall-lite.conf
              ⟨shorewall-lite.conf.html⟩ (5).

       show   The show command can have a number of different arguments:

              actions
                     Produces a report about the available actions (built-in,
                     standard and user-defined).

              capabilities
                     Displays your kernel/iptables capabilities. The -f option
                     causes the display to be formatted as a capabilities file
                     for use with compile -e.

              [ [ chain ] chain ... ]
                     The rules in each chain are displayed using the iptables
                     -L chain -n -v command. If no chain is given, all of the
                     chains in the filter table are displayed. The -x option
                     is passed directly through to iptables and causes actual
                     packet and byte counts to be displayed. Without this
                     option, those counts are abbreviated. The -t option
                     specifies the Netfilter table to display. The default is
                     filter.

                     If the t option and the chain keyword are both omitted
                     and any of the listed chains do not exist, a usage
                     message will be displayed.

              classifiers
                     Displays information about the packet classifiers defined
                     on the system as a result of traffic shaping
                     configuration.

              config Displays distribution-specific defaults.

              connections
                     Displays the IP connections currently being tracked by
                     the firewall.

              macros Displays information about each macro defined on the
                     firewall system.

              mangle Displays the Netfilter mangle table using the command
                     iptables -t mangle -L -n -v. The -x option is passed
                     directly through to iptables and causes actual packet and
                     byte counts to be displayed. Without this option, those
                     counts are abbreviated.

              nat    Displays the Netfilter nat table using the command
                     iptables -t nat -L -n -v. The -x option is passed directly
                     through to iptables and causes actual packet and byte
                     counts to be displayed. Without this option, those counts
                     are abbreviated.

              tc     Displays information about queuing disciplines, classes
                     and filters.

              zones  Displays the current composition of the Shorewall Lite
                     zones on the system.

       start  Start Shorewall Lite. Existing connections through
              shorewall-lite managed interfaces are untouched. New connections
              will be allowed only if they are allowed by the firewall rules
              or policies. If -f is specified, the saved configuration
              specified by the RESTOREFILE option in shorewall-lite.conf
              ⟨shorewall-lite.conf.html⟩ (5) will be restored if that saved
              configuration exists and has been modified more recently than
              the files in /etc/shorewall.

              The -n option causes Shorewall to avoid updating the routing
              table(s).

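       The rule that start -f applies (use the saved state only if the
       restore file exists and is newer than every configuration file) is
       worth checking before relying on it, since a stale restore file would
       bring up an older rule set than the one on disk. The Python below is
       an added illustration of that same freshness test; it is not
       Shorewall's own code, which performs the check in its shell scripts.
       restore_is_fresh and demo are the example's names, and demo builds a
       throwaway configuration directory with controlled timestamps rather
       than touching the real directories.

```python
import os
import tempfile
import time
from pathlib import Path
from typing import Dict, Tuple

def restore_is_fresh(restore_file, config_dir) -> Tuple[bool, str]:
    """Decide whether a saved state may be used in place of a fresh start.

    Mirrors the condition stated for 'start -f': the restore file must exist
    and must be newer than every file under config_dir. Returns the decision
    and a reason naming the newer configuration files, if any. (Example
    code; not Shorewall's implementation.)
    """
    restore = Path(restore_file)
    config_dir = Path(config_dir)
    if not restore.is_file():
        return False, "no saved configuration"
    saved_at = restore.stat().st_mtime
    newer = sorted(
        p.relative_to(config_dir).as_posix()
        for p in config_dir.rglob("*")
        if p.is_file() and p.stat().st_mtime > saved_at
    )
    if newer:
        return False, "configuration changed since save: " + ", ".join(newer)
    return True, "saved configuration is current"

def demo() -> Dict[str, bool]:
    """Exercise the three outcomes on a constructed directory tree."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cfg = Path(tmp) / "shorewall-lite"      # stand-in for the config directory
        cfg.mkdir()
        rules = cfg / "firewall"
        rules.write_text("# constructed placeholder for a configuration file\n")
        restore = Path(tmp) / "restore"          # stand-in for the RESTOREFILE
        restore.write_text("# constructed placeholder for saved state\n")
        now = time.time()
        os.utime(rules, (now - 3600, now - 3600))   # config edited an hour ago
        os.utime(restore, (now, now))               # state saved just now
        results["fresh"] = restore_is_fresh(restore, cfg)[0]
        os.utime(rules, (now + 60, now + 60))       # config edited after the save
        results["stale"] = restore_is_fresh(restore, cfg)[0]
        results["missing"] = restore_is_fresh(Path(tmp) / "absent", cfg)[0]
    return results

if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:<8} use saved state: {decision}")
```

       Only the "fresh" case qualifies for the fast path; in the other two a
       full start from the configuration files is the right outcome, and the
       reason string says which file caused the fallback.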
       stop   Stops the firewall. All existing connections, except those
              listed in shorewall-routestopped ⟨shorewall-routestopped.html⟩
              (5) or permitted by the ADMINISABSENTMINDED option in
              shorewall.conf(5), are taken down. The only new traffic
              permitted through the firewall is from systems listed in
              shorewall-routestopped ⟨shorewall-routestopped.html⟩ (5) or by
              ADMINISABSENTMINDED.

       status Produces a short report about the state of the
              Shorewall-configured firewall.

       version
              Displays Shorewall-lite's version.

FILES
       /etc/shorewall-lite/

SEE ALSO
       ⟨http://www.shorewall.net/starting_and_stopping_shorewall.htm⟩

       shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5),
       shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5),
       shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5),
       shorewall-netmap(5), shorewall-params(5), shorewall-policy(5),
       shorewall-providers(5), shorewall-proxyarp(5),
       shorewall-route_rules(5), shorewall-routestopped(5),
       shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5),
       shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5),
       shorewall-tunnels(5), shorewall-zones(5)



                                  19 May 2008                 shorewall-lite(8)