Sophie


shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall-lite</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id257168"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>shorewall-lite — Administration tool for Shoreline Firewall Lite
    (Shorewall-lite)</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [<code class="option">nolock</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">allow</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">clear</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">drop</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">dump</code>  [<code class="option">-x</code>] [<code class="option">-m</code>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">forget</code>  [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">help</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code 
class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">hits</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">ipcalc</code>  { <em class="replaceable"><code>address</code></em>
        <em class="replaceable"><code>mask</code></em>  |   <em class="replaceable"><code>address</code></em>/<em class="replaceable"><code>vlsm</code></em> }</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">iprange</code>   <em class="replaceable"><code>address1</code></em><code class="option">-</code><em class="replaceable"><code>address2</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">logdrop</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">logwatch</code>  [<code class="option">-m</code>] [<em class="replaceable"><code>refresh-interval</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">logreject</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">reject</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code 
class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">restart</code> [<code class="option">-n</code>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">restore</code>  [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">save</code>  [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  [<code class="option">-x</code>] [<code class="option">-t</code>
      {<code class="option">filter</code>|<code class="option">mangle</code>|<code class="option">nat</code>|<code class="option">raw</code>}] [[<code class="option">chain</code>]  <em class="replaceable"><code>chain</code></em>... ]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  [<code class="option">-f</code>]  <code class="option">capabilities</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  {<code class="option">actions|classifiers|connections|config|macros|zones</code>}</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  [<code class="option">-x</code>] {<code class="option">mangle|nat</code>}</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>   <code class="option">tc</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  [<code class="option">-m</code>]  <code class="option">log</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em 
class="replaceable"><code>options</code></em>]  <code class="option">start</code>  [<code class="option">-n</code>] [<code class="option">-f</code>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">stop</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">status</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall-lite</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">version</code> </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258139"></a><h2>Description</h2><p>The shorewall-lite utility is used to control the Shoreline Firewall
    (Shorewall) Lite.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258150"></a><h2>Options</h2><p>The <code class="option">trace</code> and <code class="option">debug</code> options are
    used for debugging. See <a class="ulink" href="http://www.shorewall.net/starting_and_stopping.htm#Trace" target="_self">http://www.shorewall.net/starting_and_stopping.htm#Trace</a>.</p><p>The <code class="option">nolock</code> option prevents the command from
    attempting to acquire the Shorewall Lite lockfile. It is useful if you
    need to include <span class="command"><strong>shorewall-lite</strong></span> commands in the
    <code class="filename">started</code> extension script.</p><p>The <span class="emphasis"><em>options</em></span> control the amount of output that
    the command produces. They consist of a sequence of the letters <span class="bold"><strong>v</strong></span> and <span class="bold"><strong>q</strong></span>. If the
    options are omitted, the amount of output is determined by the setting of
    the VERBOSITY parameter in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). Each <span class="bold"><strong>v</strong></span> adds one to the effective verbosity and each
    <span class="bold"><strong>q</strong></span> subtracts one from the effective
    VERBOSITY. Alternately, <span class="bold"><strong>v</strong></span> may be followed
    immediately with one of -1,0,1,2 to specify a specific VERBOSITY. There may
    be no white space between <span class="bold"><strong>v</strong></span> and the
    VERBOSITY.</p><p>The <span class="emphasis"><em>options</em></span> may also include the letter
    <code class="option">t</code> which causes all progress messages to be
    timestamped.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id258244"></a><h2>Commands</h2><p>The available commands are listed below.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>add</strong></span></span></dt><dd><p>Adds a list of hosts or subnets to a dynamic zone usually used
          with VPNs.</p><p>The <span class="emphasis"><em>interface</em></span> argument names an interface
          defined in the <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5)
          file. A <span class="emphasis"><em>host-list</em></span> is a comma-separated list whose
          elements are a host or network address.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The <span class="command"><strong>add</strong></span> command is not very robust. If
              there are errors in the <em class="replaceable"><code>host-list</code></em>,
              you may see a large number of error messages yet a subsequent
              <span class="command"><strong>shorewall show zones</strong></span> command will indicate
              that all hosts were added. If this happens, replace
              <span class="command"><strong>add</strong></span> by <span class="command"><strong>delete</strong></span> and run the
              same command again. Then enter the correct command.</p></div></dd><dt><span class="term"><span class="bold"><strong>allow</strong></span></span></dt><dd><p>Re-enables receipt of packets from hosts previously
          blacklisted by a <span class="bold"><strong>drop</strong></span>, <span class="bold"><strong>logdrop</strong></span>, <span class="bold"><strong>reject</strong></span>, or <span class="bold"><strong>logreject</strong></span> command.</p></dd><dt><span class="term"><span class="bold"><strong>clear</strong></span></span></dt><dd><p>Clear will remove all rules and chains installed by Shorewall
          Lite. The firewall is then wide open and unprotected. Existing
          connections are untouched. Clear is often used to see if the
          firewall is causing connection problems.</p></dd><dt><span class="term"><span class="bold"><strong>delete</strong></span></span></dt><dd><p>The delete command reverses the effect of an earlier <span class="bold"><strong>add</strong></span> command.</p><p>The <span class="emphasis"><em>interface</em></span> argument names an interface
          defined in the <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5)
          file. A <span class="emphasis"><em>host-list</em></span> is a comma-separated list whose
          elements are a host or network address.</p></dd><dt><span class="term"><span class="bold"><strong>drop</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es
          to be silently dropped.</p></dd><dt><span class="term"><span class="bold"><strong>dump</strong></span></span></dt><dd><p>Produces a verbose report about the firewall configuration for
          the purpose of problem analysis.</p><p>The <span class="bold"><strong>-x</strong></span> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <span class="bold"><strong>-m</strong></span>
          option causes any MAC addresses included in Shorewall Lite log
          messages to be displayed.</p></dd><dt><span class="term"><span class="bold"><strong>forget</strong></span></span></dt><dd><p>Deletes /var/lib/shorewall-lite/<span class="emphasis"><em>filename</em></span>
          and /var/lib/shorewall-lite/save. If no
          <span class="emphasis"><em>filename</em></span> is given then the file specified by
          RESTOREFILE in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5) is
          assumed.</p></dd><dt><span class="term"><span class="bold"><strong>help</strong></span></span></dt><dd><p>Displays a syntax summary.</p></dd><dt><span class="term"><span class="bold"><strong>hits</strong></span></span></dt><dd><p>Generates several reports from Shorewall Lite log messages in
          the current log file.</p></dd><dt><span class="term"><span class="bold"><strong>ipcalc</strong></span></span></dt><dd><p>Ipcalc displays the network address, broadcast address,
          network in CIDR notation and netmask corresponding to the
          input[s].</p></dd><dt><span class="term"><span class="bold"><strong>iprange</strong></span></span></dt><dd><p>Iprange decomposes the specified range of IP addresses into
          the equivalent list of network/host addresses.</p></dd><dt><span class="term"><span class="bold"><strong>logdrop</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es
          to be logged then discarded.</p></dd><dt><span class="term"><span class="bold"><strong>logwatch</strong></span></span></dt><dd><p>Monitors the log file specified by the LOGFILE option in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5) and
          produces an audible alarm when new Shorewall Lite messages are
          logged. The <span class="bold"><strong>-m</strong></span> option causes the
          MAC address of each packet source to be displayed if that
          information is available. The
          <em class="replaceable"><code>refresh-interval</code></em> specifies the time in
          seconds between screen refreshes. You can enter a negative number by
          preceding the number with "--" (e.g., <span class="command"><strong>shorewall-lite
          logwatch -- -30</strong></span>). In this case, when a packet count
          changes, you will be prompted to hit any key to resume screen
          refreshes.</p></dd><dt><span class="term"><span class="bold"><strong>logreject</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es
          to be logged then rejected.</p></dd><dt><span class="term"><span class="bold"><strong>reset</strong></span></span></dt><dd><p>All the packet and byte counters in the firewall are
          reset.</p></dd><dt><span class="term"><span class="bold"><strong>restart</strong></span></span></dt><dd><p>Restart is similar to <span class="bold"><strong>shorewall-lite
          stop</strong></span> followed by <span class="bold"><strong>shorewall-lite
          start</strong></span>. Existing connections are maintained. The
          <code class="option">-n</code> option causes Shorewall to avoid updating the
          routing table(s).</p></dd><dt><span class="term"><span class="bold"><strong>restore</strong></span></span></dt><dd><p>Restore Shorewall Lite to a state saved using the <span class="bold"><strong>shorewall-lite save</strong></span> command. Existing
          connections are maintained. The <span class="emphasis"><em>filename</em></span> names
          a restore file in /var/lib/shorewall-lite created using <span class="bold"><strong>shorewall-lite save</strong></span>; if no
          <span class="emphasis"><em>filename</em></span> is given then Shorewall Lite will be
          restored from the file specified by the RESTOREFILE option in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5).</p></dd><dt><span class="term"><span class="bold"><strong>save</strong></span></span></dt><dd><p>The dynamic blacklist is stored in
          /var/lib/shorewall-lite/save. The state of the firewall is stored in
          /var/lib/shorewall-lite/<span class="emphasis"><em>filename</em></span> for use by the
          <span class="bold"><strong>shorewall-lite restore</strong></span> and
          <span class="bold"><strong>shorewall-lite -f start</strong></span> commands.
          If <span class="emphasis"><em>filename</em></span> is not given then the state is
          saved in the file specified by the RESTOREFILE option in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5).</p></dd><dt><span class="term"><span class="bold"><strong>show</strong></span></span></dt><dd><p>The show command can have a number of different
          arguments:</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>actions</strong></span></span></dt><dd><p>Produces a report about the available actions (built-in,
                standard and user-defined).</p></dd><dt><span class="term"><span class="bold"><strong>capabilities</strong></span></span></dt><dd><p>Displays your kernel/iptables capabilities. The
                <span class="bold"><strong>-f</strong></span> option causes the display
                to be formatted as a capabilities file for use with <span class="bold"><strong>compile -e</strong></span>.</p></dd><dt><span class="term">[ [ <code class="option">chain</code> ] <span class="emphasis"><em>chain</em></span>
              ... ]</span></dt><dd><p>The rules in each <span class="emphasis"><em>chain</em></span> are
                displayed using the <span class="bold"><strong>iptables
                -L</strong></span> <span class="emphasis"><em>chain</em></span> <span class="bold"><strong>-n -v</strong></span> command. If no
                <span class="emphasis"><em>chain</em></span> is given, all of the chains in the
                filter table are displayed. The <span class="bold"><strong>-x</strong></span> option is passed directly through to
                iptables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are abbreviated.
                The <span class="bold"><strong>-t</strong></span> option specifies the
                Netfilter table to display. The default is <span class="bold"><strong>filter</strong></span>.</p><p>If the <span class="bold"><strong>t</strong></span> option and the
                <code class="option">chain</code> keyword are both omitted and any of the
                listed <em class="replaceable"><code>chain</code></em>s do not exist, a usage
                message will be displayed.</p></dd><dt><span class="term"><span class="bold"><strong>classifiers</strong></span></span></dt><dd><p>Displays information about the packet classifiers
                defined on the system as a result of traffic shaping
                configuration.</p></dd><dt><span class="term"><span class="bold"><strong>config</strong></span></span></dt><dd><p>Displays distribution-specific defaults.</p></dd><dt><span class="term"><span class="bold"><strong>connections</strong></span></span></dt><dd><p>Displays the IP connections currently being tracked by
                the firewall.</p></dd><dt><span class="term"><span class="bold"><strong>macros</strong></span></span></dt><dd><p>Displays information about each macro defined on the
                firewall system.</p></dd><dt><span class="term"><span class="bold"><strong>mangle</strong></span></span></dt><dd><p>Displays the Netfilter mangle table using the command
                <span class="bold"><strong>iptables -t mangle -L -n
                -v</strong></span>. The <span class="bold"><strong>-x</strong></span> option
                is passed directly through to iptables and causes actual
                packet and byte counts to be displayed. Without this option,
                those counts are abbreviated.</p></dd><dt><span class="term"><span class="bold"><strong>nat</strong></span></span></dt><dd><p>Displays the Netfilter nat table using the command
                <span class="bold"><strong>iptables -t nat -L -n -v</strong></span>. The
                <span class="bold"><strong>-x</strong></span> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
                abbreviated.</p></dd><dt><span class="term"><span class="bold"><strong>tc</strong></span></span></dt><dd><p>Displays information about queuing disciplines, classes
                and filters.</p></dd><dt><span class="term"><span class="bold"><strong>zones</strong></span></span></dt><dd><p>Displays the current composition of the Shorewall Lite
                zones on the system.</p></dd></dl></div></dd><dt><span class="term"><span class="bold"><strong>start</strong></span></span></dt><dd><p>Start Shorewall Lite. Existing connections through
          shorewall-lite managed interfaces are untouched. New connections
          will be allowed only if they are allowed by the firewall rules or
          policies. If <span class="bold"><strong>-f</strong></span> is specified, the
          saved configuration specified by the RESTOREFILE option in <a class="ulink" href="shorewall-lite.conf.html" target="_self">shorewall-lite.conf</a>(5) will
          be restored if that saved configuration exists and has been modified
          more recently than the files in /etc/shorewall.</p><p>The <code class="option">-n</code> option causes Shorewall to avoid
          updating the routing table(s).</p></dd><dt><span class="term"><span class="bold"><strong>stop</strong></span></span></dt><dd><p>Stops the firewall. All existing connections, except those
          listed in <a class="ulink" href="shorewall-routestopped.html" target="_self">shorewall-routestopped</a>(5)
          or permitted by the ADMINISABSENTMINDED option in shorewall.conf(5),
          are taken down. The only new traffic permitted through the firewall
          is from systems listed in <a class="ulink" href="shorewall-routestopped.html" target="_self">shorewall-routestopped</a>(5)
          or by ADMINISABSENTMINDED.</p></dd><dt><span class="term"><span class="bold"><strong>status</strong></span></span></dt><dd><p>Produces a short report about the state of the
          Shorewall-configured firewall.</p></dd><dt><span class="term"><span class="bold"><strong>version</strong></span></span></dt><dd><p>Displays Shorewall-lite's version.</p></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id259347"></a><h2>FILES</h2><p>/etc/shorewall-lite/</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id259357"></a><h2>See ALSO</h2><p><a class="ulink" href="http://www.shorewall.net/starting_and_stopping_shorewall.htm" target="_self">http://www.shorewall.net/starting_and_stopping_shorewall.htm</a></p><p>shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</p></div></div></body></html>
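The ipcalc and iprange commands described above do address arithmetic that is easy to get wrong by hand before an address list goes into a rule. The following is an added example, not code from the man page or from the Shorewall project: a stand-alone Python re-implementation of the two computations (both synopsis forms of ipcalc, and the greedy CIDR decomposition behind iprange), so the values can be checked offline. Printing host addresses without a /32 is an assumed output convention, and the function names are the example's own.

```python
"""Added example, not part of shorewall-lite or the Shorewall project:
offline equivalents of `shorewall-lite ipcalc` and `shorewall-lite iprange`."""
import ipaddress
from typing import Dict, List, Optional

MASK32 = 0xFFFFFFFF


def to_int(dotted: str) -> int:
    """Parse a dotted quad into a 32-bit integer, rejecting malformed input."""
    return int(ipaddress.IPv4Address(dotted))


def to_dotted(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def mask_to_vlsm(mask: str) -> int:
    """Turn a dotted netmask such as 255.255.252.0 into its prefix length (22).
    A non-contiguous mask (e.g. 255.0.255.0) is rejected, as iptables would."""
    m = to_int(mask)
    vlsm = bin(m).count("1")
    if m != (MASK32 << (32 - vlsm)) & MASK32:
        raise ValueError(f"non-contiguous netmask {mask}")
    return vlsm


def ipcalc(address: str, mask_or_vlsm: Optional[str] = None) -> Dict[str, str]:
    """Accepts ('10.1.2.3', '255.255.252.0'), ('10.1.2.3', '22') or
    ('10.1.2.3/22',), mirroring the synopsis forms, and returns the four
    values ipcalc prints: network, broadcast, network in CIDR form, netmask."""
    if mask_or_vlsm is None:
        address, vlsm_text = address.split("/", 1)
        vlsm = int(vlsm_text)
    elif "." in mask_or_vlsm:
        vlsm = mask_to_vlsm(mask_or_vlsm)
    else:
        vlsm = int(mask_or_vlsm)
    if not 0 <= vlsm <= 32:
        raise ValueError(f"invalid vlsm {vlsm}")
    mask = (MASK32 << (32 - vlsm)) & MASK32
    net = to_int(address) & mask
    return {
        "network": to_dotted(net),
        "broadcast": to_dotted(net | (~mask & MASK32)),
        "cidr": f"{to_dotted(net)}/{vlsm}",
        "netmask": to_dotted(mask),
    }


def iprange(range_text: str) -> List[str]:
    """Decompose 'address1-address2' into the minimal list of network/host
    addresses: repeatedly take the largest block that is aligned on the
    current start and does not overshoot the end of the range."""
    first, last = (to_int(p) for p in range_text.split("-", 1))
    if first > last:
        raise ValueError(f"range {range_text} runs backwards")
    blocks: List[str] = []
    cur = first
    while cur <= last:
        size = 0  # block covers 2**size addresses
        while size < 32:
            span = 1 << (size + 1)
            # stop growing once the block would be misaligned or overshoot
            if cur & (span - 1) or cur + span - 1 > last:
                break
            size += 1
        # assumed convention: a single host is printed without /32
        blocks.append(f"{to_dotted(cur)}/{32 - size}" if size else to_dotted(cur))
        cur += 1 << size
    return blocks


if __name__ == "__main__":
    print(ipcalc("10.1.2.3", "255.255.252.0"))
    print(iprange("192.168.1.1-192.168.1.10"))
```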
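The Options section above defines how the -options word sets the effective VERBOSITY. As an added example that is not code from the man page or the Shorewall project, the parser below applies those rules (each v adds one, each q subtracts one, v immediately followed by -1, 0, 1 or 2 sets the level outright, t enables timestamps); the base value standing in for the VERBOSITY setting in shorewall-lite.conf and the function name are assumptions.

```python
"""Added example, not part of shorewall-lite: parse the -options word from
the shorewall-lite synopsis into (effective verbosity, timestamp flag)."""
from typing import Tuple

BASE_VERBOSITY = 1  # assumed VERBOSITY from shorewall-lite.conf


def parse_options(word: str, base: int = BASE_VERBOSITY) -> Tuple[int, bool]:
    """Return (effective_verbosity, timestamp) for words such as '-vq',
    '-v2' or '-tv'. Unknown letters are an error rather than ignored."""
    if not word.startswith("-") or len(word) < 2:
        raise ValueError(f"not an options word: {word!r}")
    verbosity, timestamp = base, False
    i = 1
    while i < len(word):
        ch = word[i]
        if ch == "v":
            # explicit level: v-1, v0, v1 or v2, with no white space allowed
            for level in ("-1", "0", "1", "2"):
                if word.startswith(level, i + 1):
                    verbosity = int(level)  # assumed: replaces earlier v/q adjustments
                    i += 1 + len(level)
                    break
            else:
                verbosity += 1
                i += 1
        elif ch == "q":
            verbosity -= 1
            i += 1
        elif ch == "t":
            timestamp = True
            i += 1
        else:
            raise ValueError(f"unknown option letter {ch!r} in {word!r}")
    return verbosity, timestamp


if __name__ == "__main__":
    for w in ("-vv", "-q", "-tv2", "-qv-1"):
        print(w, parse_options(w))
```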