<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id257527"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>shorewall — Administration tool for Shoreline Firewall (Shorewall)</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">add</code> <em class="replaceable"><code>interface</code></em>[:<em class="replaceable"><code>host-list</code></em>]... 
<em class="replaceable"><code>zone</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">allow</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">check</code> [<code class="option">-e</code>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-d</code>] [<code class="option">-p</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">clear</code> [<code class="option">-f</code>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">compile</code> [<code class="option">-e</code>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-d</code>] [<code class="option">-p</code>] [<em class="replaceable"><code>directory</code></em>] <em class="replaceable"><code>pathname</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">delete</code> <em class="replaceable"><code>interface</code></em>[:<em 
class="replaceable"><code>host-list</code></em>]... <em class="replaceable"><code>zone</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">drop</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">dump</code> [<code class="option">-x</code>] [<code class="option">-m</code>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">export</code> [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<em class="replaceable"><code>directory1</code></em>] [<em class="replaceable"><code>user</code></em>@]<em class="replaceable"><code>system</code></em>[<code class="option">:</code><em class="replaceable"><code>directory2</code></em>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">forget</code> [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">help</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em 
class="replaceable"><code>options</code></em>] <code class="option">hits</code> [<code class="option">-t</code>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">ipcalc</code> { <em class="replaceable"><code>address</code></em> <em class="replaceable"><code>mask</code></em> | <em class="replaceable"><code>address</code></em>/<em class="replaceable"><code>vlsm</code></em> }</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">iprange</code> <em class="replaceable"><code>address1</code></em><code class="option">-</code><em class="replaceable"><code>address2</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">load</code> [<code class="option">-s</code>] [<code class="option">-c</code>] [<code class="option">-r</code> <em class="replaceable"><code>root-user-name</code></em>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<em class="replaceable"><code>directory</code></em>] <em class="replaceable"><code>system</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">logdrop</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em 
class="replaceable"><code>options</code></em>] <code class="option">logwatch</code> [<code class="option">-m</code>] [<em class="replaceable"><code>refresh-interval</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">logreject</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">refresh</code> [<em class="replaceable"><code>chain</code></em>...] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">reject</code> <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">reload</code> [<code class="option">-s</code>] [<code class="option">-c</code>] [<code class="option">-r</code> <em class="replaceable"><code>root-user-name</code></em>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<em class="replaceable"><code>directory</code></em>] <em class="replaceable"><code>system</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">reset</code> 
</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">restart</code> [<code class="option">-n</code>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">restore</code> [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">safe-restart</code> [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-d</code>] [<code class="option">-p</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">safe-start</code> [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-d</code>] [<code class="option">-p</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">save</code> [<em 
class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> [<code class="option">-x</code>] [<code class="option">-t</code> {<code class="option">filter</code>|<code class="option">mangle</code>|<code class="option">nat</code>|<code class="option">raw</code>}] [[<code class="option">chain</code>] <em class="replaceable"><code>chain</code></em>... ]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> [<code class="option">-f</code>] <code class="option">capabilities</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> {<code class="option">actions|classifiers|connections|config|macros|zones</code>}</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> [<code class="option">-x</code>] {<code class="option">mangle|nat</code>}</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> <code class="option">tc</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">show</code> 
[<code class="option">-m</code>] <code class="option">log</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">start</code> [<code class="option">-n</code>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-f</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">stop</code> [<code class="option">-f</code>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">status</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>] <code class="option">try</code> [<code class="option">-C</code> <code class="option">{shell|perl}</code>] <em class="replaceable"><code>directory</code></em> [<em class="replaceable"><code>timeout</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code> [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>] <code class="option">version</code> [<code class="option">-a</code>] </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id303810"></a><h2>Description</h2><p>The shorewall utility is used to control the Shoreline Firewall (Shorewall).</p></div><div class="refsect1" 
lang="en" xml:lang="en"><a id="id303820"></a><h2>Options</h2><p>The <code class="option">trace</code> and <code class="option">debug</code> options are used for debugging. See <a class="ulink" href="http://www.shorewall.net/starting_and_stopping.htm#Trace" target="_self">http://www.shorewall.net/starting_and_stopping.htm#Trace</a>.</p><p>The <code class="option">nolock</code> option prevents the command from attempting to acquire the Shorewall lockfile. It is useful if you need to include <span class="command"><strong>shorewall</strong></span> commands in <code class="filename">/etc/shorewall/started</code>.</p><p>The <span class="emphasis"><em>options</em></span> control the amount of output that the command produces. They consist of a sequence of the letters <span class="bold"><strong>v</strong></span> and <span class="bold"><strong>q</strong></span>. If the options are omitted, the amount of output is determined by the setting of the VERBOSITY parameter in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). Each <span class="bold"><strong>v</strong></span> adds one to the effective verbosity and each <span class="bold"><strong>q</strong></span> subtracts one from the effective VERBOSITY. Alternately, <span class="bold"><strong>v</strong></span> may be followed immediately by one of -1, 0, 1, 2 to specify a specific VERBOSITY. 
There may be no white space between <span class="bold"><strong>v</strong></span> and the VERBOSITY.</p><p>The <span class="emphasis"><em>options</em></span> may also include the letter <code class="option">t</code>, which causes all progress messages to be timestamped.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id303915"></a><h2>Commands</h2><p>The available commands are listed below.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>add</strong></span></span></dt><dd><p>Adds a list of hosts or subnets to a dynamic zone, usually used with VPNs.</p><p>The <span class="emphasis"><em>interface</em></span> argument names an interface defined in the <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5) file. A <span class="emphasis"><em>host-list</em></span> is a comma-separated list whose elements are host or network addresses.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The <span class="command"><strong>add</strong></span> command is not very robust. If there are errors in the <em class="replaceable"><code>host-list</code></em>, you may see a large number of error messages, yet a subsequent <span class="command"><strong>shorewall show zones</strong></span> command will indicate that all hosts were added. If this happens, replace <span class="command"><strong>add</strong></span> by <span class="command"><strong>delete</strong></span> and run the same command again. 
Then enter the correct command.</p></div></dd><dt><span class="term"><span class="bold"><strong>allow</strong></span></span></dt><dd><p>Re-enables receipt of packets from hosts previously blacklisted by a <span class="bold"><strong>drop</strong></span>, <span class="bold"><strong>logdrop</strong></span>, <span class="bold"><strong>reject</strong></span>, or <span class="bold"><strong>logreject</strong></span> command.</p></dd><dt><span class="term"><span class="bold"><strong>check</strong></span></span></dt><dd><p>Compiles the configuration in the specified <span class="emphasis"><em>directory</em></span> and discards the compiled output script. If no <span class="emphasis"><em>directory</em></span> is given, then /etc/shorewall is assumed.</p><p>The <span class="bold"><strong>-e</strong></span> option causes the compiler to look for a file named capabilities. This file is produced using the command <span class="bold"><strong>shorewall-lite show -f capabilities > capabilities</strong></span> on a system with Shorewall Lite installed.</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p><p>The <code class="option">-d</code> option only works when the compiler is Shorewall-perl. It causes the compiler to be run under control of the Perl debugger.</p><p>The <code class="option">-p</code> option only works when the compiler is Shorewall-perl. It causes the compiler to be profiled via the Perl <code class="option">-wd:DProf</code> command-line option.</p></dd><dt><span class="term"><span class="bold"><strong>clear</strong></span></span></dt><dd><p>Clear will remove all rules and chains installed by Shorewall. The firewall is then wide open and unprotected. Existing connections are untouched. 
Clear is often used to see if the firewall is causing connection problems.</p><p>The <code class="option">-f</code> option was added in Shorewall 4.0.3. If <code class="option">-f</code> is given, the command will be processed by the compiled script that executed the last successful <span class="bold"><strong>start</strong></span>, <span class="bold"><strong>restart</strong></span> or <span class="bold"><strong>refresh</strong></span> command, if that script exists.</p></dd><dt><span class="term"><span class="bold"><strong>compile</strong></span></span></dt><dd><p>Compiles the current configuration into the executable file <span class="emphasis"><em>pathname</em></span>. If a directory is supplied, Shorewall will look in that directory first for configuration files.</p><p>When <code class="option">-e</code> is specified, the compilation is performed on a system other than the one where the compiled script will run. This option disables certain configuration options that require the script to be compiled where it is to be run. The use of <code class="option">-e</code> requires the presence of a configuration file named <code class="filename">capabilities</code>, which may be produced using the command <span class="bold"><strong>shorewall-lite show -f capabilities > capabilities</strong></span> on a system with Shorewall Lite installed.</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p><p>The <code class="option">-d</code> option only works when the compiler is Shorewall-perl. It causes the compiler to be run under control of the Perl debugger.</p><p>The <code class="option">-p</code> option only works when the compiler is Shorewall-perl. 
It causes the compiler to be profiled via the Perl <code class="option">-wd:DProf</code> command-line option.</p></dd><dt><span class="term"><span class="bold"><strong>delete</strong></span></span></dt><dd><p>The delete command reverses the effect of an earlier <span class="bold"><strong>add</strong></span> command.</p><p>The <span class="emphasis"><em>interface</em></span> argument names an interface defined in the <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5) file. A <span class="emphasis"><em>host-list</em></span> is a comma-separated list whose elements are host or network addresses.</p></dd><dt><span class="term"><span class="bold"><strong>drop</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es to be silently dropped.</p></dd><dt><span class="term"><span class="bold"><strong>dump</strong></span></span></dt><dd><p>Produces a verbose report about the firewall configuration for the purpose of problem analysis.</p><p>The <span class="bold"><strong>-x</strong></span> option causes actual packet and byte counts to be displayed. Without that option, these counts are abbreviated. The <span class="bold"><strong>-m</strong></span> option causes any MAC addresses included in Shorewall log messages to be displayed.</p></dd><dt><span class="term"><span class="bold"><strong>export</strong></span></span></dt><dd><p>If <span class="emphasis"><em>directory1</em></span> is omitted, the current working directory is assumed.</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p><p>Allows a non-root user to compile a shorewall script and stage it on a system (provided that the user has access to the system via ssh). 
The command is equivalent to:</p><pre class="programlisting"> <span class="bold"><strong>/sbin/shorewall compile -e</strong></span> <span class="emphasis"><em>directory1</em></span> <span class="emphasis"><em>directory1</em></span><span class="bold"><strong>/firewall &&\</strong></span> <span class="bold"><strong>scp</strong></span> <span class="emphasis"><em>directory1</em></span><span class="bold"><strong>/firewall</strong></span> <span class="emphasis"><em>directory1</em></span><span class="bold"><strong>/firewall.conf</strong></span> [<span class="emphasis"><em>user</em></span>@]<span class="bold"><strong>system</strong></span>:[<span class="emphasis"><em>directory2</em></span>]</pre><p>In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory. If compilation succeeds, then firewall and firewall.conf are copied to <span class="emphasis"><em>system</em></span> using scp.</p></dd><dt><span class="term"><span class="bold"><strong>forget</strong></span></span></dt><dd><p>Deletes /var/lib/shorewall/<span class="emphasis"><em>filename</em></span> and /var/lib/shorewall/save. If no <span class="emphasis"><em>filename</em></span> is given, then the file specified by RESTOREFILE in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) is assumed.</p></dd><dt><span class="term"><span class="bold"><strong>help</strong></span></span></dt><dd><p>Displays a syntax summary.</p></dd><dt><span class="term"><span class="bold"><strong>hits</strong></span></span></dt><dd><p>Generates several reports from Shorewall log messages in the current log file. 
If the <code class="option">-t</code> option is included, the reports are restricted to log messages generated today.</p></dd><dt><span class="term"><span class="bold"><strong>ipcalc</strong></span></span></dt><dd><p>Ipcalc displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s].</p></dd><dt><span class="term"><span class="bold"><strong>iprange</strong></span></span></dt><dd><p>Iprange decomposes the specified range of IP addresses into the equivalent list of network/host addresses.</p></dd><dt><span class="term"><span class="bold"><strong>load</strong></span></span></dt><dd><p>If <span class="emphasis"><em>directory</em></span> is omitted, the current working directory is assumed. Allows a non-root user to compile a shorewall script and install it on a system (provided that the user has root access to the system via ssh). The command is equivalent to:</p><pre class="programlisting"> <span class="bold"><strong>/sbin/shorewall compile -e</strong></span> <span class="emphasis"><em><em class="replaceable"><code>directory</code></em></em></span> <em class="replaceable"><code>directory</code></em><span class="bold"><strong>/firewall &&\</strong></span> <span class="bold"><strong>scp</strong></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall</strong></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall.conf</strong></span> <span class="bold"><strong>root@</strong></span><em class="replaceable"><code>system</code></em><span class="bold"><strong>:/var/lib/shorewall-lite/ &&\</strong></span> <span class="bold"><strong>ssh root@</strong></span><em class="replaceable"><code>system</code></em> <span class="bold"><strong>'/sbin/shorewall-lite start'</strong></span></pre><p>In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory. 
If compilation succeeds, then firewall is copied to <em class="replaceable"><code>system</code></em> using scp. If the copy succeeds, Shorewall Lite on <em class="replaceable"><code>system</code></em> is started via ssh.</p><p>If <span class="bold"><strong>-s</strong></span> is specified and the <span class="bold"><strong>start</strong></span> command succeeds, then the remote Shorewall-lite configuration is saved by executing <span class="bold"><strong>shorewall-lite save</strong></span> via ssh.</p><p>If <span class="bold"><strong>-c</strong></span> is included, the command <span class="bold"><strong>shorewall-lite show capabilities -f > /var/lib/shorewall-lite/capabilities</strong></span> is executed via ssh, then the generated file is copied to <em class="replaceable"><code>directory</code></em> using scp. This step is performed before the configuration is compiled.</p><p>If <code class="option">-r</code> is included, it specifies that the root user on <em class="replaceable"><code>system</code></em> is named <em class="replaceable"><code>root-user-name</code></em> rather than "root".</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>logdrop</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es to be logged, then discarded.</p></dd><dt><span class="term"><span class="bold"><strong>logwatch</strong></span></span></dt><dd><p>Monitors the log file specified by the LOGFILE option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) and produces an audible alarm when new Shorewall messages are logged. 
The <span class="bold"><strong>-m</strong></span> option causes the MAC address of each packet source to be displayed if that information is available. The <em class="replaceable"><code>refresh-interval</code></em> specifies the time in seconds between screen refreshes. You can enter a negative number by preceding the number with "--" (e.g., <span class="command"><strong>shorewall logwatch -- -30</strong></span>). In this case, when a packet count changes, you will be prompted to hit any key to resume screen refreshes.</p></dd><dt><span class="term"><span class="bold"><strong>logreject</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es to be logged, then rejected.</p></dd><dt><span class="term"><span class="bold"><strong>refresh</strong></span></span></dt><dd><p>Shorewall-shell: The rules involving the blacklist, ECN control rules, and traffic shaping are recreated to reflect any changes made to your configuration files. Existing connections are untouched.</p><p>Shorewall-perl: All steps performed by <span class="command"><strong>restart</strong></span> are performed by <span class="command"><strong>refresh</strong></span>, with the exception that <span class="command"><strong>refresh</strong></span> only recreates the chains specified in the command while <span class="command"><strong>restart</strong></span> recreates the entire Netfilter ruleset. If no <em class="replaceable"><code>chain</code></em> is given, the static blacklisting chain <span class="bold"><strong>blacklst</strong></span> is assumed.</p><p><span class="bold"><strong>Note</strong></span>: Specifying chains in the command requires Shorewall-perl 4.0.3 or later. Earlier versions only refresh the blacklst chain.</p><p>The listed chains are assumed to be in the filter table. You can refresh chains in other tables by prefixing the chain name with the table name followed by ":" (e.g., nat:net_dnat). 
Chain names which follow are assumed to be in that table until the end of the list or until an entry in the list names another table. Built-in chains such as FORWARD may not be refreshed.</p><p>Example:</p><pre class="programlisting"><span class="command"><strong>shorewall refresh net2fw nat:net_dnat</strong></span> #Refresh the 'net2fw' chain in the filter table and the 'net_dnat' chain in the nat table</pre></dd><dt><span class="term"><span class="bold"><strong>reload</strong></span></span></dt><dd><p>If <span class="emphasis"><em>directory</em></span> is omitted, the current working directory is assumed. Allows a non-root user to compile a shorewall script and install it on a system (provided that the user has root access to the system via ssh). The command is equivalent to:</p><pre class="programlisting"> <span class="bold"><strong>/sbin/shorewall compile -e</strong></span> <span class="emphasis"><em>directory</em></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall &&\</strong></span> <span class="bold"><strong>scp</strong></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall</strong></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall.conf</strong></span> <span class="bold"><strong>root@</strong></span><span class="emphasis"><em>system</em></span><span class="bold"><strong>:/var/lib/shorewall-lite/ &&\</strong></span> <span class="bold"><strong>ssh root@</strong></span><span class="emphasis"><em>system</em></span> <span class="bold"><strong>'/sbin/shorewall-lite restart'</strong></span></pre><p>In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory. If compilation succeeds, then firewall is copied to <span class="emphasis"><em>system</em></span> using scp. 
If the copy succeeds, Shorewall Lite on <span class="emphasis"><em>system</em></span> is restarted via ssh.</p><p>If <span class="bold"><strong>-s</strong></span> is specified and the <span class="bold"><strong>restart</strong></span> command succeeds, then the remote Shorewall-lite configuration is saved by executing <span class="bold"><strong>shorewall-lite save</strong></span> via ssh.</p><p>If <span class="bold"><strong>-c</strong></span> is included, the command <span class="bold"><strong>shorewall-lite show capabilities -f > /var/lib/shorewall-lite/capabilities</strong></span> is executed via ssh, then the generated file is copied to <span class="emphasis"><em>directory</em></span> using scp. This step is performed before the configuration is compiled, so that the configuration is compiled against the kernel/iptables capabilities of <span class="emphasis"><em>system</em></span> rather than those of the local machine.</p><p>If <code class="option">-r</code> is included, it specifies that the root user on <em class="replaceable"><code>system</code></em> is named <em class="replaceable"><code>root-user-name</code></em> rather than "root".</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>reset</strong></span></span></dt><dd><p>All the packet and byte counters in the firewall are reset.</p></dd><dt><span class="term"><span class="bold"><strong>restart</strong></span></span></dt><dd><p>Restart is similar to <span class="bold"><strong>shorewall stop</strong></span> followed by <span class="bold"><strong>shorewall start</strong></span>. Existing connections are maintained. 
If a <span class="emphasis"><em>directory</em></span> is included in the command, Shorewall will look in that <span class="emphasis"><em>directory</em></span> first for configuration files.</p><p>The <code class="option">-n</code> option causes Shorewall to avoid updating the routing table(s).</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you use Shorewall's multi-ISP feature, you are strongly advised against using the -C option of the <span class="command"><strong>restart</strong></span> command when switching between Shorewall-shell and Shorewall-perl. The only supported way to switch compilers is to <span class="command"><strong>shorewall stop</strong></span> followed by <span class="command"><strong>shorewall safe-start -C</strong></span> <em class="replaceable"><code>compiler</code></em>.</p></div></dd><dt><span class="term"><span class="bold"><strong>restore</strong></span></span></dt><dd><p>Restore Shorewall to a state saved using the <span class="bold"><strong>shorewall save</strong></span> command. Existing connections are maintained. The <span class="emphasis"><em>filename</em></span> names a restore file in /var/lib/shorewall created using <span class="bold"><strong>shorewall save</strong></span>; if no <span class="emphasis"><em>filename</em></span> is given then Shorewall will be restored from the file specified by the RESTOREFILE option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5).</p></dd><dt><span class="term"><span class="bold"><strong>safe-restart</strong></span></span></dt><dd><p>Only allowed if Shorewall is running. 
The current configuration is saved in /var/lib/shorewall/safe-restart (see the <span class="bold"><strong>save</strong></span> command below), then a <span class="bold"><strong>shorewall restart</strong></span> is done. You will then be prompted asking if you want to accept the new configuration or not. If you answer "n" or if you fail to answer within 60 seconds (such as when your new configuration has disabled communication with your terminal), the configuration is restored from the saved configuration. If a directory is given, then Shorewall will look in that directory first when opening configuration files.</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you use Shorewall's multi-ISP feature, you are strongly advised against using the -C option of the <span class="command"><strong>safe-restart</strong></span> command when switching between Shorewall-shell and Shorewall-perl. The only supported way to switch compilers is to <span class="command"><strong>shorewall stop</strong></span> followed by <span class="command"><strong>shorewall safe-start -C</strong></span> <em class="replaceable"><code>compiler</code></em>.</p></div></dd><dt><span class="term"><span class="bold"><strong>safe-start</strong></span></span></dt><dd><p>Shorewall is started normally. You will then be prompted asking if everything went all right. If you answer "n" or if you fail to answer within 60 seconds (such as when your new configuration has disabled communication with your terminal), a <span class="bold"><strong>shorewall clear</strong></span> is performed for you; note that <span class="bold"><strong>clear</strong></span> removes the Shorewall rules entirely, leaving the system without a firewall until it is started again. 
If a directory is given, then Shorewall will look in that directory first when opening configuration files.</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>save</strong></span></span></dt><dd><p>The dynamic blacklist is stored in /var/lib/shorewall/save. The state of the firewall is stored in /var/lib/shorewall/<span class="emphasis"><em>filename</em></span> for use by the <span class="bold"><strong>shorewall restore</strong></span> and <span class="bold"><strong>shorewall -f start</strong></span> commands. If <span class="emphasis"><em>filename</em></span> is not given then the state is saved in the file specified by the RESTOREFILE option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5).</p></dd><dt><span class="term"><span class="bold"><strong>show</strong></span></span></dt><dd><p>The show command can have a number of different arguments:</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>actions</strong></span></span></dt><dd><p>Produces a report about the available actions (built-in, standard and user-defined).</p></dd><dt><span class="term"><span class="bold"><strong>capabilities</strong></span></span></dt><dd><p>Displays your kernel/iptables capabilities. The <span class="bold"><strong>-f</strong></span> option causes the display to be formatted as a capabilities file for use with <span class="bold"><strong>compile -e</strong></span>.</p></dd><dt><span class="term">[ [ <code class="option">chain</code> ] <span class="emphasis"><em>chain</em></span>... 
]</span></dt><dd><p>The rules in each <span class="emphasis"><em>chain</em></span> are displayed using the <span class="bold"><strong>iptables -L</strong></span> <span class="emphasis"><em>chain</em></span> <span class="bold"><strong>-n -v</strong></span> command. If no <span class="emphasis"><em>chain</em></span> is given, all of the chains in the filter table are displayed. The <span class="bold"><strong>-x</strong></span> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. Without this option, those counts are abbreviated. The <span class="bold"><strong>-t</strong></span> option specifies the Netfilter table to display. The default is <span class="bold"><strong>filter</strong></span>.</p><p>If the <span class="bold"><strong>-t</strong></span> option and the <code class="option">chain</code> keyword are both omitted and any of the listed <em class="replaceable"><code>chain</code></em>s do not exist, a usage message is displayed.</p></dd><dt><span class="term"><span class="bold"><strong>classifiers</strong></span></span></dt><dd><p>Displays information about the packet classifiers defined on the system as a result of traffic shaping configuration.</p></dd><dt><span class="term"><span class="bold"><strong>config</strong></span></span></dt><dd><p>Displays distribution-specific defaults.</p></dd><dt><span class="term"><span class="bold"><strong>connections</strong></span></span></dt><dd><p>Displays the IP connections currently being tracked by the firewall.</p></dd><dt><span class="term"><span class="bold"><strong>log</strong></span></span></dt><dd><p>Displays the last 20 Shorewall messages from the log file specified by the LOGFILE option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). 
The <span class="bold"><strong>-m</strong></span> option causes the MAC address of each packet source to be displayed if that information is available.</p></dd><dt><span class="term"><span class="bold"><strong>macros</strong></span></span></dt><dd><p>Displays information about each macro defined on the firewall system.</p></dd><dt><span class="term"><span class="bold"><strong>mangle</strong></span></span></dt><dd><p>Displays the Netfilter mangle table using the command <span class="bold"><strong>iptables -t mangle -L -n -v</strong></span>. The <span class="bold"><strong>-x</strong></span> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. Without this option, those counts are abbreviated.</p></dd><dt><span class="term"><span class="bold"><strong>nat</strong></span></span></dt><dd><p>Displays the Netfilter nat table using the command <span class="bold"><strong>iptables -t nat -L -n -v</strong></span>. The <span class="bold"><strong>-x</strong></span> option is passed directly through to iptables and causes actual packet and byte counts to be displayed. Without this option, those counts are abbreviated.</p></dd><dt><span class="term"><span class="bold"><strong>tc</strong></span></span></dt><dd><p>Displays information about queuing disciplines, classes and filters.</p></dd><dt><span class="term"><span class="bold"><strong>zones</strong></span></span></dt><dd><p>Displays the current composition of the Shorewall zones on the system.</p></dd></dl></div></dd><dt><span class="term"><span class="bold"><strong>start</strong></span></span></dt><dd><p>Start Shorewall. Existing connections through Shorewall-managed interfaces are untouched. New connections will be allowed only if they are allowed by the firewall rules or policies. If a <em class="replaceable"><code>directory</code></em> is included in the command, Shorewall will look in that <span class="emphasis"><em>directory</em></span> first for configuration files. 
If <span class="bold"><strong>-f</strong></span> is specified, the saved configuration specified by the RESTOREFILE option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) will be restored if that saved configuration exists and has been modified more recently than the files in /etc/shorewall. When <span class="bold"><strong>-f</strong></span> is given, a <em class="replaceable"><code>directory</code></em> may not be specified.</p><p>The <code class="option">-n</code> option causes Shorewall to avoid updating the routing table(s).</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>stop</strong></span></span></dt><dd><p>Stops the firewall. All existing connections, except those listed in <a class="ulink" href="shorewall-routestopped.html" target="_self">shorewall-routestopped</a>(5) or permitted by the ADMINISABSENTMINDED option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5), are taken down. The only new traffic permitted through the firewall is from systems listed in <a class="ulink" href="shorewall-routestopped.html" target="_self">shorewall-routestopped</a>(5) or by ADMINISABSENTMINDED.</p><p>The <code class="option">-f</code> option was added in Shorewall 4.0.3. 
If <code class="option">-f</code> is given, the command will be processed by the compiled script that executed the last successful <span class="bold"><strong>start</strong></span>, <span class="bold"><strong>restart</strong></span> or <span class="bold"><strong>refresh</strong></span> command if that script exists.</p></dd><dt><span class="term"><span class="bold"><strong>status</strong></span></span></dt><dd><p>Produces a short report about the state of the Shorewall-configured firewall.</p></dd><dt><span class="term"><span class="bold"><strong>try</strong></span></span></dt><dd><p>If Shorewall is currently running, the firewall state is first saved to a temporary saved configuration (<code class="filename">/var/lib/shorewall/.try</code>). Next, if Shorewall is currently running then a <span class="bold"><strong>restart</strong></span> command is issued; otherwise, a <span class="bold"><strong>start</strong></span> command is performed. If an error occurs during the compilation phase of the <span class="bold"><strong>restart</strong></span> or <span class="bold"><strong>start</strong></span>, the command terminates without changing the Shorewall state. If an error occurs during the <span class="bold"><strong>restart</strong></span> phase, then a <span class="bold"><strong>shorewall restore</strong></span> is performed using the saved configuration. If an error occurs during the <span class="bold"><strong>start</strong></span> phase, then Shorewall is cleared. If the <span class="bold"><strong>start</strong></span>/<span class="bold"><strong>restart</strong></span> succeeds and a <em class="replaceable"><code>timeout</code></em> is specified then a <span class="bold"><strong>clear</strong></span> or <span class="bold"><strong>restore</strong></span> is performed after <em class="replaceable"><code>timeout</code></em> seconds.</p><p>The <code class="option">-C</code> option determines the compiler to use (Shorewall-shell or Shorewall-perl). 
If not specified, the SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>version</strong></span></span></dt><dd><p>Displays Shorewall's version. If the <code class="option">-a</code> option is included, the versions of Shorewall-shell and/or Shorewall-perl will also be displayed.</p></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id305848"></a><h2>FILES</h2><p>/etc/shorewall/</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id305857"></a><h2>SEE ALSO</h2><p><a class="ulink" href="http://www.shorewall.net/starting_and_stopping_shorewall.htm" target="_self">http://www.shorewall.net/starting_and_stopping_shorewall.htm</a></p><p>shorewall-accounting(5), shorewall-actions(5), shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5), shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5), shorewall-nat(5), shorewall-netmap(5), shorewall-params(5), shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5), shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5), shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5), shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5), shorewall-zones(5)</p></div></div></body></html>
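The reload description above spells out the compile/scp/ssh sequence that command is equivalent to, and safe-restart and try describe the save, restart, then confirm-or-restore pattern for the local firewall. The script below is an added example, not code from shorewall(8) or from the Shorewall project: it reproduces the reload sequence with the -c, -s and -r options in the order the page gives them, and goes beyond the page by adding a commit-confirm step for the remote host modelled on safe-restart/try. The revert timer is armed on the target rather than locally, because a bad ruleset can cut the very ssh session that would otherwise issue the restore. Assumed, not taken from the page: that shorewall-lite accepts save NAME and restore NAME the way shorewall does; the marker file /var/lib/shorewall-lite/.safe-reload-ok and the save name safe-reload (the script's own choices); the host and directory names used in the usage line; and that the local prompt timeout is provided by bash's read -t or the coreutils timeout utility.

```shell
#!/bin/sh
# safe-reload.sh: compile a Shorewall configuration locally, push it to a
# Shorewall-lite host and revert automatically unless the change is confirmed.
# Added example, not part of shorewall(8). Steps mirror the compile/scp/ssh
# sequence reload is documented as equivalent to (with -c, -s, -r), plus a
# commit-confirm step modelled on safe-restart/try whose timer runs on the
# target, since a bad ruleset may cut the ssh session that would restore it.
# Assumptions (not from the man page): shorewall-lite takes "save NAME" and
# "restore NAME" like shorewall; MARKER and SAVE_NAME are our own choices.

LITE_DIR=/var/lib/shorewall-lite
MARKER=$LITE_DIR/.safe-reload-ok
SAVE_NAME=safe-reload

# run CMD...: execute CMD, or only print it when SAFE_RELOAD_DRYRUN=1.
run() {
    if [ "${SAFE_RELOAD_DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# remote_apply_cmd SECONDS: command line ssh runs on the target. Save the
# running state, restart, then arm a detached watchdog that restores the
# saved state unless MARKER appears within SECONDS. Needs a running firewall
# (save fails otherwise, like safe-restart); a failed restart is restored
# at once, as try does.
remote_apply_cmd() {
    printf "rm -f %s && shorewall-lite save %s && shorewall-lite restart && { nohup sh -c 'sleep %s; [ -e %s ] || shorewall-lite restore %s; rm -f %s' </dev/null >/dev/null 2>&1 & } || { shorewall-lite restore %s; exit 1; }" \
        "$MARKER" "$SAVE_NAME" "$1" "$MARKER" "$SAVE_NAME" "$MARKER" "$SAVE_NAME"
}

# read_answer SECONDS: one line from stdin; empty on timeout or EOF.
read_answer() {
    ans=""
    if [ -n "${BASH_VERSION:-}" ]; then
        read -r -t "$1" ans || ans=""
    elif command -v timeout >/dev/null 2>&1; then
        ans=$(timeout "$1" sh -c 'read -r a && printf %s "$a"') || ans=""
    else
        read -r ans || ans=""   # no local timeout; the target still reverts
    fi
    printf '%s\n' "$ans"
}

# confirmed SECONDS: 0 if the operator answers y/yes in time, 1 otherwise.
confirmed() {
    printf 'Keep the new ruleset? [y/N] (target reverts on its own) ' >&2
    case $(read_answer "$1") in
        y|Y|yes|YES) return 0 ;;
        *)           return 1 ;;
    esac
}

# safe_reload DIR TARGET USER GRACE FETCH_CAPS SAVE_AFTER
# Returns 0 when confirmed, 2 when declined or timed out (the target's
# watchdog restores the saved state), 1 on any failure.
safe_reload() {
    dir=$1 target=$2 user=$3 grace=$4 fetch_caps=$5 save_after=$6
    [ "$grace" -ge 10 ] || { echo "grace period must be >= 10s" >&2; return 1; }
    if [ "$fetch_caps" = 1 ]; then   # -c: compile against the target's capabilities
        run ssh "$user@$target" "shorewall-lite show capabilities -f > $LITE_DIR/capabilities" || return 1
        run scp "$user@$target:$LITE_DIR/capabilities" "$dir/" || return 1
    fi
    # compile -e needs no root locally; the output runs as root on the target,
    # so only push from a directory whose contents you trust.
    run /sbin/shorewall compile -e "$dir" "$dir/firewall" || return 1
    run scp "$dir/firewall" "$dir/firewall.conf" "$user@$target:$LITE_DIR/" || return 1
    run ssh "$user@$target" "$(remote_apply_cmd "$grace")" || return 1
    # Ask a little before the watchdog fires so a late "y" cannot land after
    # the target has already reverted.
    if confirmed $((grace - 5)); then
        run ssh "$user@$target" "touch $MARKER" || return 1
        if [ "$save_after" = 1 ]; then   # -s: persist the accepted state
            run ssh "$user@$target" "shorewall-lite save" || return 1
        fi
        return 0
    fi
    return 2
}

usage() { echo "usage: $0 [-c] [-s] [-r user] [-t seconds] [directory] system" >&2; }

main() {
    fetch_caps=0 save_after=0 user=root grace=60
    while getopts csr:t: opt; do
        case $opt in
            c) fetch_caps=1 ;;
            s) save_after=1 ;;
            r) user=$OPTARG ;;   # -r: the target's root account has another name
            t) grace=$OPTARG ;;
            *) usage; return 1 ;;
        esac
    done
    shift $((OPTIND - 1))
    case $# in
        1) dir=$PWD; system=$1 ;;
        2) dir=$1; system=$2 ;;
        *) usage; return 1 ;;
    esac
    safe_reload "$dir" "$system" "$user" "$grace" "$fetch_caps" "$save_after"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Invoke it as, for example, sh safe-reload.sh -c -s -r admin -t 90 /srv/shorewall/fw1 fw1.example.net (host and directory are placeholders). Setting SAFE_RELOAD_DRYRUN=1 prints every command instead of running it, which is a cheap way to review exactly what will be executed as root on the target before committing to it.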