<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall-lite</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id257168"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>shorewall-lite — Administration tool for Shoreline Firewall Lite (Shorewall-lite)</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [<code class="option">nolock</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">allow</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">clear</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">drop</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">dump</code> [<code class="option">-x</code>] [<code class="option">-m</code>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code 
class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">forget</code> [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">help</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">hits</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">ipcalc</code> { <em class="replaceable"><code>address</code></em> <em class="replaceable"><code>mask</code></em> | <em class="replaceable"><code>address</code></em>/<em class="replaceable"><code>vlsm</code></em> }</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">iprange</code> <em class="replaceable"><code>address1</code></em><code class="option">-</code><em class="replaceable"><code>address2</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">logdrop</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code 
class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">logwatch</code> [<code class="option">-m</code>] [<em class="replaceable"><code>refresh-interval</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">logreject</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">reject</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">restart</code> [<code class="option">-n</code>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">restore</code> [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">save</code> [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em 
class="replaceable"><code>options</code></em>] <code class="option">show</code> [<code class="option">-x</code>] [<code class="option">-t</code> {<code class="option">filter</code>|<code class="option">mangle</code>|<code class="option">nat</code>|<code class="option">raw</code>}] [[<code class="option">chain</code>] <em class="replaceable"><code>chain</code></em>... ]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> [<code class="option">-f</code>] <code class="option">capabilities</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> {<code class="option">actions|classifiers|connections|config|macros|zones</code>}</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> [<code class="option">-x</code>] {<code class="option">mangle|nat</code>}</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> <code class="option">tc</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> [<code class="option">-m</code>] <code class="option">log</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code 
class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">start</code> [<code class="option">-n</code>] [<code class="option">-f</code>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">stop</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">status</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">version</code> </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258139"></a><h2>Description</h2><p>The shorewall-lite utility is used to control the Shoreline Firewall (Shorewall) Lite.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258150"></a><h2>Options</h2><p>The <code class="option">trace</code> and <code class="option">debug</code> options are used for debugging. See <a class="ulink" href="http://www.shorewall.net/starting_and_stopping.htm#Trace" target="_self">http://www.shorewall.net/starting_and_stopping.htm#Trace</a>.</p><p>The <code class="option">nolock</code> option prevents the command from attempting to acquire the Shorewall Lite lockfile. It is useful if you need to include <span class="command"><strong>shorewall-lite</strong></span> commands in the <code class="filename">started</code> extension script, because the command that runs that script already holds the lock and a nested command would otherwise wait on it. Do not use it elsewhere: the lock is what keeps two concurrent commands from interleaving their changes to the rule set.</p><p>The <span class="emphasis"><em>options</em></span> control the amount of output that the command produces. 
They consist of a sequence of the letters <span class="bold"><strong>v</strong></span> and <span class="bold"><strong>q</strong></span>. If the options are omitted, the amount of output is determined by the setting of the VERBOSITY parameter in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). Each <span class="bold"><strong>v</strong></span> adds one to the effective verbosity and each <span class="bold"><strong>q</strong></span> subtracts one from the effective VERBOSITY. Alternately, <span class="bold"><strong>v</strong></span> may be followed immediately with one of -1,0,1,2 to specify a specific VERBOSITY. There may be no white space between <span class="bold"><strong>v</strong></span> and the VERBOSITY.</p><p>The <span class="emphasis"><em>options</em></span> may also include the letter <code class="option">t</code> which causes all progress messages to be timestamped.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258244"></a><h2>Commands</h2><p>The available commands are listed below.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>add</strong></span></span></dt><dd><p>Adds a list of hosts or subnets to a dynamic zone, usually used with VPNs.</p><p>The <span class="emphasis"><em>interface</em></span> argument names an interface defined in the <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5) file. A <span class="emphasis"><em>host-list</em></span> is a comma-separated list whose elements are a host or network address.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The <span class="command"><strong>add</strong></span> command is not very robust. 
If there are errors in the <em class="replaceable"><code>host-list</code></em>, you may see a large number of error messages yet a subsequent <span class="command"><strong>shorewall-lite show zones</strong></span> command will indicate that all hosts were added. If this happens, replace <span class="command"><strong>add</strong></span> by <span class="command"><strong>delete</strong></span> and run the same command again. Then enter the correct command.</p></div></dd><dt><span class="term"><span class="bold"><strong>allow</strong></span></span></dt><dd><p>Re-enables receipt of packets from hosts previously blacklisted by a <span class="bold"><strong>drop</strong></span>, <span class="bold"><strong>logdrop</strong></span>, <span class="bold"><strong>reject</strong></span>, or <span class="bold"><strong>logreject</strong></span> command.</p></dd><dt><span class="term"><span class="bold"><strong>clear</strong></span></span></dt><dd><p>Clear will remove all rules and chains installed by Shorewall Lite. The firewall is then wide open and unprotected: unlike <span class="bold"><strong>stop</strong></span>, which still restricts new traffic to the hosts listed in shorewall-routestopped(5), clear leaves no packet filtering in place at all. Existing connections are untouched. Clear is often used to see if the firewall is causing connection problems; follow it with <span class="bold"><strong>start</strong></span> or <span class="bold"><strong>restore</strong></span> as soon as the test is done.</p></dd><dt><span class="term"><span class="bold"><strong>delete</strong></span></span></dt><dd><p>The delete command reverses the effect of an earlier <span class="bold"><strong>add</strong></span> command.</p><p>The <span class="emphasis"><em>interface</em></span> argument names an interface defined in the <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5) file. 
A <span class="emphasis"><em>host-list</em></span> is a comma-separated list whose elements are a host or network address.</p></dd><dt><span class="term"><span class="bold"><strong>drop</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es to be silently dropped.</p></dd><dt><span class="term"><span class="bold"><strong>dump</strong></span></span></dt><dd><p>Produces a verbose report about the firewall configuration for the purpose of problem analysis.</p><p>The <span class="bold"><strong>-x</strong></span> option causes actual packet and byte counts to be displayed. Without that option, these counts are abbreviated. The <span class="bold"><strong>-m</strong></span> option causes any MAC addresses included in Shorewall Lite log messages to be displayed.</p></dd><dt><span class="term"><span class="bold"><strong>forget</strong></span></span></dt><dd><p>Deletes /var/lib/shorewall-lite/<span class="emphasis"><em>filename</em></span> and /var/lib/shorewall-lite/save. 
If no <span class="emphasis"><em>filename</em></span> is given then the file specified by RESTOREFILE in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5) is assumed.</p></dd><dt><span class="term"><span class="bold"><strong>help</strong></span></span></dt><dd><p>Displays a syntax summary.</p></dd><dt><span class="term"><span class="bold"><strong>hits</strong></span></span></dt><dd><p>Generates several reports from Shorewall Lite log messages in the current log file.</p></dd><dt><span class="term"><span class="bold"><strong>ipcalc</strong></span></span></dt><dd><p>Ipcalc displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s].</p></dd><dt><span class="term"><span class="bold"><strong>iprange</strong></span></span></dt><dd><p>Iprange decomposes the specified range of IP addresses into the equivalent list of network/host addresses.</p></dd><dt><span class="term"><span class="bold"><strong>logdrop</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es to be logged then discarded.</p></dd><dt><span class="term"><span class="bold"><strong>logwatch</strong></span></span></dt><dd><p>Monitors the log file specified by the LOGFILE option in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5) and produces an audible alarm when new Shorewall Lite messages are logged. The <span class="bold"><strong>-m</strong></span> option causes the MAC address of each packet source to be displayed if that information is available. The <em class="replaceable"><code>refresh-interval</code></em> specifies the time in seconds between screen refreshes. You can enter a negative number by preceding the number with "--" (e.g., <span class="command"><strong>shorewall-lite logwatch -- -30</strong></span>). 
In this case, when a packet count changes, you will be prompted to hit any key to resume screen refreshes.</p></dd><dt><span class="term"><span class="bold"><strong>logreject</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es to be logged then rejected.</p></dd><dt><span class="term"><span class="bold"><strong>reset</strong></span></span></dt><dd><p>All the packet and byte counters in the firewall are reset.</p></dd><dt><span class="term"><span class="bold"><strong>restart</strong></span></span></dt><dd><p>Restart is similar to <span class="bold"><strong>shorewall-lite stop</strong></span> followed by <span class="bold"><strong>shorewall-lite start</strong></span>. Existing connections are maintained. The <code class="option">-n</code> option causes Shorewall to avoid updating the routing table(s).</p></dd><dt><span class="term"><span class="bold"><strong>restore</strong></span></span></dt><dd><p>Restore Shorewall Lite to a state saved using the <span class="bold"><strong>shorewall-lite save</strong></span> command. Existing connections are maintained. The <span class="emphasis"><em>filename</em></span> names a restore file in /var/lib/shorewall-lite created using <span class="bold"><strong>shorewall-lite save</strong></span>; if no <span class="emphasis"><em>filename</em></span> is given then Shorewall Lite will be restored from the file specified by the RESTOREFILE option in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5).</p></dd><dt><span class="term"><span class="bold"><strong>save</strong></span></span></dt><dd><p>The dynamic blacklist is stored in /var/lib/shorewall-lite/save. The state of the firewall is stored in /var/lib/shorewall-lite/<span class="emphasis"><em>filename</em></span> for use by the <span class="bold"><strong>shorewall-lite restore</strong></span> and <span class="bold"><strong>shorewall-lite -f start</strong></span> commands. 
If <span class="emphasis"><em>filename</em></span> is not given then the state is saved in the file specified by the RESTOREFILE option in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5).</p></dd><dt><span class="term"><span class="bold"><strong>show</strong></span></span></dt><dd><p>The show command can have a number of different arguments:</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>actions</strong></span></span></dt><dd><p>Produces a report about the available actions (built-in, standard and user-defined).</p></dd><dt><span class="term"><span class="bold"><strong>capabilities</strong></span></span></dt><dd><p>Displays your kernel/iptables capabilities. The <span class="bold"><strong>-f</strong></span> option causes the display to be formatted as a capabilities file for use with <span class="bold"><strong>shorewall compile -e</strong></span> on the administrative system that compiles the firewall script for this host.</p></dd><dt><span class="term">[ [ <code class="option">chain</code> ] <span class="emphasis"><em>chain</em></span> ... ]</span></dt><dd><p>The rules in each <span class="emphasis"><em>chain</em></span> are displayed using the <span class="bold"><strong>iptables -L</strong></span> <span class="emphasis"><em>chain</em></span> <span class="bold"><strong>-n -v</strong></span> command. If no <span class="emphasis"><em>chain</em></span> is given, all of the chains in the filter table are displayed. The <span class="bold"><strong>-x</strong></span> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. Without this option, those counts are abbreviated. The <span class="bold"><strong>-t</strong></span> option specifies the Netfilter table to display. 
The default is <span class="bold"><strong>filter</strong></span>.</p><p>If the <span class="bold"><strong>-t</strong></span> option and the <code class="option">chain</code> keyword are both omitted and any of the listed <em class="replaceable"><code>chain</code></em>s do not exist, a usage message will be displayed.</p></dd><dt><span class="term"><span class="bold"><strong>classifiers</strong></span></span></dt><dd><p>Displays information about the packet classifiers defined on the system as a result of traffic shaping configuration.</p></dd><dt><span class="term"><span class="bold"><strong>config</strong></span></span></dt><dd><p>Displays distribution-specific defaults.</p></dd><dt><span class="term"><span class="bold"><strong>connections</strong></span></span></dt><dd><p>Displays the IP connections currently being tracked by the firewall.</p></dd><dt><span class="term"><span class="bold"><strong>macros</strong></span></span></dt><dd><p>Displays information about each macro defined on the firewall system.</p></dd><dt><span class="term"><span class="bold"><strong>mangle</strong></span></span></dt><dd><p>Displays the Netfilter mangle table using the command <span class="bold"><strong>iptables -t mangle -L -n -v</strong></span>. The <span class="bold"><strong>-x</strong></span> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. Without this option, those counts are abbreviated.</p></dd><dt><span class="term"><span class="bold"><strong>nat</strong></span></span></dt><dd><p>Displays the Netfilter nat table using the command <span class="bold"><strong>iptables -t nat -L -n -v</strong></span>. The <span class="bold"><strong>-x</strong></span> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. 
Without this option, those counts are abbreviated.</p></dd><dt><span class="term"><span class="bold"><strong>tc</strong></span></span></dt><dd><p>Displays information about queuing disciplines, classes and filters.</p></dd><dt><span class="term"><span class="bold"><strong>zones</strong></span></span></dt><dd><p>Displays the current composition of the Shorewall Lite zones on the system.</p></dd></dl></div></dd><dt><span class="term"><span class="bold"><strong>start</strong></span></span></dt><dd><p>Starts Shorewall Lite. Existing connections through shorewall-lite-managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. If <span class="bold"><strong>-f</strong></span> is specified, the saved configuration specified by the RESTOREFILE option in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5) will be restored if that saved configuration exists and has been modified more recently than the files in /etc/shorewall-lite.</p><p>The <code class="option">-n</code> option causes Shorewall to avoid updating the routing table(s).</p></dd><dt><span class="term"><span class="bold"><strong>stop</strong></span></span></dt><dd><p>Stops the firewall. All existing connections, except those listed in <a class="ulink" href="shorewall-routestopped.html" target="_self">shorewall-routestopped</a>(5) or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5), are taken down. 
The only new traffic permitted through the firewall is from systems listed in <a class="ulink" href="shorewall-routestopped.html" target="_self">shorewall-routestopped</a>(5) or by ADMINISABSENTMINDED.</p></dd><dt><span class="term"><span class="bold"><strong>status</strong></span></span></dt><dd><p>Produces a short report about the state of the Shorewall-configured firewall.</p></dd><dt><span class="term"><span class="bold"><strong>version</strong></span></span></dt><dd><p>Displays Shorewall-lite's version.</p></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id259347"></a><h2>FILES</h2><p>/etc/shorewall-lite/</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id259357"></a><h2>See ALSO</h2><p><a class="ulink" href="http://www.shorewall.net/starting_and_stopping_shorewall.htm" target="_self">http://www.shorewall.net/starting_and_stopping_shorewall.htm</a></p><p>shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</p></div></div></body></html>
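The ipcalc and iprange commands described above do the subnet arithmetic that is easy to get wrong when writing host lists for add, drop or shorewall-routestopped(5). The following block is an added example, not Shorewall's own code, that reimplements that arithmetic in POSIX sh so it can be run and checked without shorewall-lite installed. The output format (CIDR=... NETWORK=... lines), the decision to print a single host without a /32 suffix, and the rejection of non-contiguous netmasks are this example's own conventions, not a claim about the exact output of shorewall-lite ipcalc or iprange.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: the address arithmetic behind the
# ipcalc and iprange commands, written in POSIX sh (64-bit shell arithmetic
# assumed, as in bash and dash on current systems).

# Convert a dotted-quad IPv4 address to an integer, rejecting malformed input.
ip2int() {
    old_ifs=$IFS; IFS=.; set -f; set -- $1; set +f; IFS=$old_ifs
    [ $# -eq 4 ] || { echo "bad IPv4 address" >&2; return 1; }
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) echo "bad IPv4 address" >&2; return 1 ;; esac
        [ "$octet" -le 255 ] || { echo "bad IPv4 address" >&2; return 1; }
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Convert an integer back to a dotted quad.
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# Netmask to prefix length. A non-contiguous mask such as 255.255.0.255 has no
# CIDR equivalent and is rejected instead of being silently rounded.
mask2vlsm() {
    m=$(ip2int "$1") || return 1
    n=0
    while [ $(( m & 0x80000000 )) -ne 0 ]; do
        n=$(( n + 1 )); m=$(( (m << 1) & 0xFFFFFFFF ))
    done
    [ "$m" -eq 0 ] || { echo "non-contiguous mask $1" >&2; return 1; }
    echo "$n"
}

# ipcalc ADDRESS/VLSM  or  ipcalc ADDRESS MASK  (the two forms in the synopsis)
ipcalc() {
    if [ $# -eq 2 ]; then
        addr=$1; vlsm=$(mask2vlsm "$2") || return 1
    else
        addr=${1%/*}; vlsm=${1#*/}
    fi
    case $vlsm in ''|*[!0-9]*) echo "bad prefix length" >&2; return 1 ;; esac
    [ "$vlsm" -le 32 ] || { echo "bad prefix length $vlsm" >&2; return 1; }
    ip=$(ip2int "$addr") || return 1
    mask=$(( vlsm == 0 ? 0 : (0xFFFFFFFF << (32 - vlsm)) & 0xFFFFFFFF ))
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    echo "CIDR=$(int2ip "$net")/$vlsm NETWORK=$(int2ip "$net") BROADCAST=$(int2ip "$bcast") NETMASK=$(int2ip "$mask")"
}

# iprange FIRST-LAST: print the minimal list of CIDR blocks covering the range,
# one per line; a single host is printed without a /32 suffix.
iprange() {
    lo=$(ip2int "${1%-*}") || return 1
    hi=$(ip2int "${1#*-}") || return 1
    [ "$lo" -le "$hi" ] || { echo "range start is above its end" >&2; return 1; }
    while [ "$lo" -le "$hi" ]; do
        # Grow the block while it stays aligned at lo and does not pass hi.
        vlsm=32; size=1
        while [ "$vlsm" -gt 0 ] \
              && [ $(( lo & ((size << 1) - 1) )) -eq 0 ] \
              && [ $(( lo + (size << 1) - 1 )) -le "$hi" ]; do
            size=$(( size << 1 )); vlsm=$(( vlsm - 1 ))
        done
        if [ "$vlsm" -eq 32 ]; then int2ip "$lo"; else echo "$(int2ip "$lo")/$vlsm"; fi
        lo=$(( lo + size ))
    done
}

# Usage, no shorewall-lite needed:
#   ipcalc 192.0.2.10/28
#   ipcalc 192.0.2.10 255.255.255.240
#   iprange 192.168.1.4-192.168.1.10
```

The iprange loop is the general algorithm for range-to-CIDR conversion: at each step it takes the largest block that is both aligned at the current start and contained in the remaining range, which is why a range such as 192.168.1.4-192.168.1.10 comes out as /30, /31 and a single host rather than one oversized network that would also match addresses outside the range.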
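The drop, logdrop, reject, logreject, allow and save commands described above together form the dynamic blacklist workflow: a blacklisting command takes effect immediately, and save writes the dynamic blacklist to /var/lib/shorewall-lite/save so that restore and -f start bring it back. Scripts that feed addresses into these commands from a log parser or an intrusion detector are performing a root-level rule change on attacker-influenced input, so the address should be checked against a strict pattern before it reaches the command. The block below is an added example, not part of this man page or of the Shorewall project; the SHOREWALL_LITE variable, the is_ipv4 check and the blacklist/unblacklist function names are this example's own, and the wrapper only issues the commands documented on this page.

```shell
#!/bin/sh
# Added example, not Shorewall's own code: a wrapper around the dynamic
# blacklist commands that validates the address first and persists the result
# with "save". SHOREWALL_LITE is this script's own knob (assumed, not a
# Shorewall feature) so the command can be pointed at a stub when testing.
SHOREWALL_LITE=${SHOREWALL_LITE:-shorewall-lite}

# Accept only "a.b.c.d" or "a.b.c.d/n". Anything else (shell metacharacters,
# option-looking strings such as "-j ACCEPT", IPv6, host names) is refused
# rather than handed to a command that drives iptables as root. Whether your
# shorewall-lite version's drop command accepts the /n network form is
# something to confirm locally; this page documents a bare address.
is_ipv4() {
    case $1 in
        ''|*[!0-9./]*|.*|*.|/*|*/|*..*|*/*/*|*/*.*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=./; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || [ $# -eq 5 ] || return 1
    i=0
    for part in "$@"; do
        i=$(( i + 1 ))
        if [ "$i" -le 4 ]; then limit=255; else limit=32; fi
        [ "${#part}" -le 3 ] && [ "$part" -le "$limit" ] || return 1
    done
    return 0
}

# blacklist ADDRESS [drop|logdrop|reject|logreject]
# Default is logdrop so hits from the blocked source still appear in
# "shorewall-lite logwatch" and "shorewall-lite hits". The entry is saved
# right away so a later "shorewall-lite restore" does not silently drop it.
blacklist() {
    addr=$1; action=${2:-logdrop}
    case $action in
        drop|logdrop|reject|logreject) ;;
        *) echo "blacklist: unknown action '$action'" >&2; return 2 ;;
    esac
    is_ipv4 "$addr" || { echo "blacklist: refusing to pass '$addr' to $SHOREWALL_LITE" >&2; return 2; }
    "$SHOREWALL_LITE" "$action" "$addr" && "$SHOREWALL_LITE" save
}

# unblacklist ADDRESS: "allow" reverses any of the four blacklisting commands.
unblacklist() {
    is_ipv4 "$1" || { echo "unblacklist: refusing to pass '$1' to $SHOREWALL_LITE" >&2; return 2; }
    "$SHOREWALL_LITE" allow "$1" && "$SHOREWALL_LITE" save
}

# Usage (as root on the firewall host):
#   blacklist 192.0.2.7            # logdrop, then save
#   blacklist 192.0.2.7 reject     # reject instead of drop
#   unblacklist 192.0.2.7          # allow, then save
```

Because the validator is a whitelist of exactly the two forms the commands expect, a malformed or hostile value never becomes an argument to the root-run command; the wrapper exits with status 2 and a message instead. Running save after every change keeps /var/lib/shorewall-lite/save in step with the live rules, which is what makes restore and -f start safe to use after a reboot or a clear.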