shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>shorewall</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="refentry" lang="en" xml:lang="en"><a id="id257527"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>shorewall — Administration tool for Shoreline Firewall
    (Shorewall)</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">add</code>   <em class="replaceable"><code>interface</code></em>[:<em class="replaceable"><code>host-list</code></em>]...   <em class="replaceable"><code>zone</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">allow</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">check</code>  [<code class="option">-e</code>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-d</code>] [<code class="option">-p</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">clear</code> [<code class="option">-f</code>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">compile</code>  [<code class="option">-e</code>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-d</code>] [<code class="option">-p</code>] 
[<em class="replaceable"><code>directory</code></em>]  <em class="replaceable"><code>pathname</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">delete</code>   <em class="replaceable"><code>interface</code></em>[:<em class="replaceable"><code>host-list</code></em>]...   <em class="replaceable"><code>zone</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">drop</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">dump</code>  [<code class="option">-x</code>] [<code class="option">-m</code>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">export</code> [<code class="option">-C</code>
      <code class="option">{shell|perl}</code>]  [<em class="replaceable"><code>directory1</code></em>]  [<em class="replaceable"><code>user</code></em>@]<em class="replaceable"><code>system</code></em>[<code class="option">:</code><em class="replaceable"><code>directory2</code></em>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">forget</code>  [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">help</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">hits</code> [<code class="option">-t</code>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">ipcalc</code>  { <em class="replaceable"><code>address</code></em>
        <em class="replaceable"><code>mask</code></em>  |   <em class="replaceable"><code>address</code></em>/<em class="replaceable"><code>vlsm</code></em> }</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">iprange</code>   <em class="replaceable"><code>address1</code></em><code class="option">-</code><em class="replaceable"><code>address2</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">load</code>  [<code class="option">-s</code>] [<code class="option">-c</code>] [<code class="option">-r</code> <em class="replaceable"><code>root-user-name</code></em>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<em class="replaceable"><code>directory</code></em>]  <em class="replaceable"><code>system</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">logdrop</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">logwatch</code>  [<code class="option">-m</code>] [<em class="replaceable"><code>refresh-interval</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  
<code class="option">logreject</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">refresh</code> [<em class="replaceable"><code>chain</code></em>...] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">reject</code>   <em class="replaceable"><code>address</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">reload</code>  [<code class="option">-s</code>] [<code class="option">-c</code>] [<code class="option">-r</code> <em class="replaceable"><code>root-user-name</code></em>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<em class="replaceable"><code>directory</code></em>]  <em class="replaceable"><code>system</code></em> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">reset</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">restart</code>  [<code class="option">-n</code>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<em 
class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">restore</code>  [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">safe-restart</code>  [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-d</code>] [<code class="option">-p</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">safe-start</code>  [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-d</code>] [<code class="option">-p</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">save</code>  [<em class="replaceable"><code>filename</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  [<code class="option">-x</code>] [<code class="option">-t</code>
      {<code class="option">filter</code>|<code class="option">mangle</code>|<code class="option">nat</code>|<code class="option">raw</code>}] [[<code class="option">chain</code>]  <em class="replaceable"><code>chain</code></em>... ]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  [<code class="option">-f</code>]  <code class="option">capabilities</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  {<code class="option">actions|classifiers|connections|config|macros|zones</code>}</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  [<code class="option">-x</code>] {<code class="option">mangle|nat</code>}</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>   <code class="option">tc</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">show</code>  [<code class="option">-m</code>]  <code class="option">log</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code 
class="option">start</code>  [<code class="option">-n</code>] [<code class="option">-C</code> <code class="option">{shell|perl}</code>] [<code class="option">-f</code>] [<em class="replaceable"><code>directory</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">stop</code> [<code class="option">-f</code>] </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">status</code> </p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code> [<code class="option">nolock</code>]] [-<em class="replaceable"><code>options</code></em>]  <code class="option">try</code>  [<code class="option">-C</code> <code class="option">{shell|perl}</code>]  <em class="replaceable"><code>directory</code></em>  [<em class="replaceable"><code>timeout</code></em>]</p></div><div class="cmdsynopsis"><p><code class="command">shorewall</code>  [<code class="option">trace</code>|<code class="option">debug</code>] [-<em class="replaceable"><code>options</code></em>]  <code class="option">version</code> [<code class="option">-a</code>] </p></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id303810"></a><h2>Description</h2><p>The shorewall utility is used to control the Shoreline Firewall
    (Shorewall).</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id303820"></a><h2>Options</h2><p>The <code class="option">trace</code> and <code class="option">debug</code> options are
    used for debugging. See <a class="ulink" href="http://www.shorewall.net/starting_and_stopping.htm#Trace" target="_self">http://www.shorewall.net/starting_and_stopping.htm#Trace</a>.</p><p>The <code class="option">nolock</code> option prevents the command from
    attempting to acquire the Shorewall lockfile. It is useful if you need to
    include <span class="command"><strong>shorewall</strong></span> commands in
    <code class="filename">/etc/shorewall/started</code>.</p><p>The <span class="emphasis"><em>options</em></span> control the amount of output that
    the command produces. They consist of a sequence of the letters <span class="bold"><strong>v</strong></span> and <span class="bold"><strong>q</strong></span>. If the
    options are omitted, the amount of output is determined by the setting of
    the VERBOSITY parameter in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). Each <span class="bold"><strong>v</strong></span> adds one to the effective verbosity and each
    <span class="bold"><strong>q</strong></span> subtracts one from the effective
    VERBOSITY. Alternately, <span class="bold"><strong>v</strong></span> may be followed
    immediately by one of -1,0,1,2 to set a specific VERBOSITY. There may
    be no white space between <span class="bold"><strong>v</strong></span> and the
    VERBOSITY.</p><p>The <span class="emphasis"><em>options</em></span> may also include the letter
    <code class="option">t</code> which causes all progress messages to be
    timestamped.</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id303915"></a><h2>Commands</h2><p>The available commands are listed below.</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>add</strong></span></span></dt><dd><p>Adds a list of hosts or subnets to a dynamic zone usually used
          with VPN's.</p><p>The <span class="emphasis"><em>interface</em></span> argument names an interface
          defined in the <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5)
          file. A <span class="emphasis"><em>host-list</em></span> is a comma-separated list whose
          elements are host or network addresses.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p>The <span class="command"><strong>add</strong></span> command is not very robust. If
              there are errors in the <em class="replaceable"><code>host-list</code></em>,
              you may see a large number of error messages yet a subsequent
              <span class="command"><strong>shorewall show zones</strong></span> command will indicate
              that all hosts were added. If this happens, replace
              <span class="command"><strong>add</strong></span> by <span class="command"><strong>delete</strong></span> and run the
              same command again. Then enter the correct command.</p></div></dd><dt><span class="term"><span class="bold"><strong>allow</strong></span></span></dt><dd><p>Re-enables receipt of packets from hosts previously
          blacklisted by a <span class="bold"><strong>drop</strong></span>, <span class="bold"><strong>logdrop</strong></span>, <span class="bold"><strong>reject</strong></span>, or <span class="bold"><strong>logreject</strong></span> command.</p></dd><dt><span class="term"><span class="bold"><strong>check</strong></span></span></dt><dd><p>Compiles the configuration in the specified
          <span class="emphasis"><em>directory</em></span> and discards the compiled output
          script. If no <span class="emphasis"><em>directory</em></span> is given, then
          /etc/shorewall is assumed.</p><p>The <span class="bold"><strong>-e</strong></span> option causes the
          compiler to look for a file named capabilities. This file is
          produced using the command <span class="bold"><strong>shorewall-lite show
          -f capabilities &gt; capabilities</strong></span> on a system with
          Shorewall Lite installed.</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
          compiler to use.</p><p>The <code class="option">-d</code> option only works when the compiler is
          Shorewall-perl. It causes the compiler to be run under control of
          the Perl debugger.</p><p>The <code class="option">-p</code> option only works when the compiler is
          Shorewall-perl. It causes the compiler to be profiled via the Perl
          <code class="option">-wd:DProf</code> command-line option.</p></dd><dt><span class="term"><span class="bold"><strong>clear</strong></span></span></dt><dd><p>Clear will remove all rules and chains installed by Shorewall.
          The firewall is then wide open and unprotected. Existing connections
          are untouched. Clear is often used to see if the firewall is causing
          connection problems.</p><p>The <code class="option">-f</code> option was added in Shorewall 4.0.3.
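The <em>-options</em> arithmetic described under Options above applies to every command on this page, <strong>clear</strong> included: each <strong>v</strong> adds one to the effective VERBOSITY, each <strong>q</strong> subtracts one, <strong>v</strong> may be followed immediately by -1, 0, 1 or 2 to set VERBOSITY outright, and <strong>t</strong> turns on timestamped progress messages. The following Python is an added example of that parsing and is not part of Shorewall or of this manual page; the function name <code>parse_options</code>, its <code>default_verbosity</code> argument (standing in for the VERBOSITY setting in shorewall.conf) and the sample option words are assumptions constructed for the illustration.

```python
import re

# Assumed helper, not Shorewall's own code. It models the -options word
# of shorewall(8): a sequence of the letters v, q and t, where v may be
# followed immediately (no whitespace) by -1, 0, 1 or 2.
_ABSOLUTE_LEVEL = re.compile(r"-1|0|1|2")


def parse_options(options, default_verbosity):
    """Return (verbosity, timestamps) for the word following the leading "-".

    `options` is e.g. "vv", "qq", "v-1" or "tv2" (constructed samples).
    `default_verbosity` plays the role of VERBOSITY from shorewall.conf and
    is the result when the word is empty. A letter the manpage does not
    list raises ValueError instead of being silently ignored.
    """
    verbosity = default_verbosity
    timestamps = False
    i = 0
    while i < len(options):
        letter = options[i]
        i += 1
        if letter == "v":
            # "v-1", "v0", "v1", "v2": explicit level replaces the running value
            match = _ABSOLUTE_LEVEL.match(options, i)
            if match:
                verbosity = int(match.group())
                i = match.end()
            else:
                verbosity += 1  # plain "v": one step more verbose
        elif letter == "q":
            verbosity -= 1  # "q": one step quieter
        elif letter == "t":
            timestamps = True  # "t": timestamp every progress message
        else:
            raise ValueError("unknown option letter %r in -%s" % (letter, options))
    return verbosity, timestamps


if __name__ == "__main__":
    # Constructed sample words with a default VERBOSITY of 1
    for word in ("", "vv", "qq", "v-1", "tv2", "v0v"):
        print("-%s -> %r" % (word, parse_options(word, 1)))
```

The explicit-level form is matched only directly after a <strong>v</strong>, so "v 2" (with a space) or "v3" is rejected rather than guessed at, which mirrors the manpage's statement that no white space may separate <strong>v</strong> from the VERBOSITY.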
          If <code class="option">-f</code> is given, the command will be processed by
          the compiled script that executed the last successful <span class="bold"><strong>start</strong></span>, <span class="bold"><strong>restart</strong></span> or <span class="bold"><strong>refresh</strong></span> command if that script exists.</p></dd><dt><span class="term"><span class="bold"><strong>compile</strong></span></span></dt><dd><p>Compiles the current configuration into the executable file
          <span class="emphasis"><em>pathname</em></span>. If a directory is supplied, Shorewall
          will look in that directory first for configuration files.</p><p>When -e is specified, the compilation is being performed on a
          system other than where the compiled script will run. This option
          disables certain configuration options that require the script to be
          compiled where it is to be run. The use of -e requires the presence
          of a configuration file named <code class="filename">capabilities</code>
          which may be produced using the command <span class="bold"><strong>shorewall-lite show -f capabilities &gt;
          capabilities</strong></span> on a system with Shorewall Lite
          installed.</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
          compiler to use.</p><p>The <code class="option">-d</code> option only works when the compiler is
          Shorewall-perl. It causes the compiler to be run under control of
          the Perl debugger.</p><p>The <code class="option">-p</code> option only works when the compiler is
          Shorewall-perl. It causes the compiler to be profiled via the Perl
          <code class="option">-wd:DProf</code> command-line option.</p></dd><dt><span class="term"><span class="bold"><strong>delete</strong></span></span></dt><dd><p>The delete command reverses the effect of an earlier <span class="bold"><strong>add</strong></span> command.</p><p>The <span class="emphasis"><em>interface</em></span> argument names an interface
          defined in the <a class="ulink" href="shorewall-interfaces.html" target="_self">shorewall-interfaces</a>(5)
          file. A <span class="emphasis"><em>host-list</em></span> is a comma-separated list whose
          elements are a host or network address.</p></dd><dt><span class="term"><span class="bold"><strong>drop</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es
          to be silently dropped.</p></dd><dt><span class="term"><span class="bold"><strong>dump</strong></span></span></dt><dd><p>Produces a verbose report about the firewall configuration for
          the purpose of problem analysis.</p><p>The <span class="bold"><strong>-x</strong></span> option causes actual
          packet and byte counts to be displayed. Without that option, these
          counts are abbreviated. The <span class="bold"><strong>-m</strong></span>
          option causes any MAC addresses included in Shorewall log messages
          to be displayed.</p></dd><dt><span class="term"><span class="bold"><strong>export</strong></span></span></dt><dd><p>If <span class="emphasis"><em>directory1</em></span> is omitted, the current
          working directory is assumed.</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
          compiler to use.</p><p>Allows a non-root user to compile a shorewall script and stage
          it on a system (provided that the user has access to the system via
          ssh). The command is equivalent to:</p><pre class="programlisting">    <span class="bold"><strong>/sbin/shorewall compile -e</strong></span> <span class="emphasis"><em>directory1</em></span> <span class="emphasis"><em>directory1</em></span><span class="bold"><strong>/firewall &amp;&amp;\</strong></span>
    <span class="bold"><strong>scp</strong></span> <span class="emphasis"><em>directory1</em></span><span class="bold"><strong>/firewall</strong></span> <span class="emphasis"><em>directory1</em></span><span class="bold"><strong>/firewall.conf</strong></span> [<span class="emphasis"><em>user</em></span>@]<em class="replaceable"><code>system</code></em>:[<span class="emphasis"><em>directory2</em></span>]</pre><p>In other words, the configuration in the specified (or
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall and firewall.conf
          are copied to <span class="emphasis"><em>system</em></span> using scp.</p></dd><dt><span class="term"><span class="bold"><strong>forget</strong></span></span></dt><dd><p>Deletes /var/lib/shorewall/<span class="emphasis"><em>filename</em></span> and
          /var/lib/shorewall/save. If no <span class="emphasis"><em>filename</em></span> is
          given then the file specified by RESTOREFILE in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) is
          assumed.</p></dd><dt><span class="term"><span class="bold"><strong>help</strong></span></span></dt><dd><p>Displays a syntax summary.</p></dd><dt><span class="term"><span class="bold"><strong>hits</strong></span></span></dt><dd><p>Generates several reports from Shorewall log messages in the
          current log file. If the <code class="option">-t</code> option is included, the
          reports are restricted to log messages generated today.</p></dd><dt><span class="term"><span class="bold"><strong>ipcalc</strong></span></span></dt><dd><p>Ipcalc displays the network address, broadcast address,
          network in CIDR notation and netmask corresponding to the
          input[s].</p></dd><dt><span class="term"><span class="bold"><strong>iprange</strong></span></span></dt><dd><p>Iprange decomposes the specified range of IP addresses into
          the equivalent list of network/host addresses.</p></dd><dt><span class="term"><span class="bold"><strong>load</strong></span></span></dt><dd><p>If <span class="emphasis"><em>directory</em></span> is omitted, the current
          working directory is assumed. Allows a non-root user to compile a
          shorewall script and install it on a system (provided that the user
          has root access to the system via ssh). The command is equivalent
          to:</p><pre class="programlisting">    <span class="bold"><strong>/sbin/shorewall compile -e</strong></span> <span class="emphasis"><em><em class="replaceable"><code>directory</code></em></em></span> <em class="replaceable"><code>directory</code></em><span class="bold"><strong>/firewall &amp;&amp;\</strong></span>
    <span class="bold"><strong>scp</strong></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall</strong></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall.conf</strong></span> <span class="bold"><strong>root@</strong></span><em class="replaceable"><code>system</code></em><span class="bold"><strong>:/var/lib/shorewall-lite/ &amp;&amp;\</strong></span>
    <span class="bold"><strong>ssh root@</strong></span><em class="replaceable"><code>system</code></em> <span class="bold"><strong>'/sbin/shorewall-lite start'</strong></span></pre><p>In other words, the configuration in the specified (or
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <em class="replaceable"><code>system</code></em> using scp. If the copy succeeds,
          Shorewall Lite on <em class="replaceable"><code>system</code></em> is started via
          ssh.</p><p>If <span class="bold"><strong>-s</strong></span> is specified and the
          <span class="bold"><strong>start</strong></span> command succeeds, then the
          remote Shorewall-lite configuration is saved by executing <span class="bold"><strong>shorewall-lite save</strong></span> via ssh.</p><p>If <span class="bold"><strong>-c</strong></span> is included, the
          command <span class="bold"><strong>shorewall-lite show capabilities -f
          &gt; /var/lib/shorewall-lite/capabilities</strong></span> is executed via
          ssh then the generated file is copied to
          <em class="replaceable"><code>directory</code></em> using scp. This step is
          performed before the configuration is compiled.</p><p>If <code class="option">-r</code> is included, it specifies that the root
          user on <em class="replaceable"><code>system</code></em> is named
          <em class="replaceable"><code>root-user-name</code></em> rather than "root".</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
          compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>logdrop</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es
          to be logged then discarded.</p></dd><dt><span class="term"><span class="bold"><strong>logwatch</strong></span></span></dt><dd><p>Monitors the log file specified by the LOGFILE option in
          <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) and
          produces an audible alarm when new Shorewall messages are logged.
          The <span class="bold"><strong>-m</strong></span> option causes the MAC
          address of each packet source to be displayed if that information is
          available. The <em class="replaceable"><code>refresh-interval</code></em> specifies
          the time in seconds between screen refreshes. You can enter a
          negative number by preceding the number with "--" (e.g.,
          <span class="command"><strong>shorewall logwatch -- -30</strong></span>). In this case, when a
          packet count changes, you will be prompted to hit any key to resume
          screen refreshes.</p></dd><dt><span class="term"><span class="bold"><strong>logreject</strong></span></span></dt><dd><p>Causes traffic from the listed <span class="emphasis"><em>address</em></span>es
          to be logged then rejected.</p></dd><dt><span class="term"><span class="bold"><strong>refresh</strong></span></span></dt><dd><p>Shorewall-shell: The rules involving the black list, ECN
          control rules, and traffic shaping are recreated to reflect any
          changes made to your configuration files. Existing connections are
          untouched.</p><p>Shorewall-perl: All steps performed by
          <span class="command"><strong>restart</strong></span> are performed by
          <span class="command"><strong>refresh</strong></span> with the exception that
          <span class="command"><strong>refresh</strong></span> only recreates the chains specified in
          the command while <span class="command"><strong>restart</strong></span> recreates the entire
          Netfilter ruleset. If no <em class="replaceable"><code>chain</code></em> is given,
          the static blacklisting chain <span class="bold"><strong>blacklst</strong></span> is assumed.</p><p><span class="bold"><strong>Note</strong></span>: Specifying chains in
          the command requires Shorewall-perl 4.0.3 or later. Earlier versions
only refresh the blacklst chain.</p><p>The listed chains are assumed to be in the filter table. You
          can refresh chains in other tables by prefixing the chain name with
          the table name followed by ":" (e.g., nat:net_dnat). Chain names
          which follow are assumed to be in that table until the end of the
          list or until an entry in the list names another table. Built-in
chains such as FORWARD may not be refreshed.</p><p>Example:</p><pre class="programlisting"><span class="command"><strong>shorewall refresh net2fw nat:net_dnat</strong></span> #Refresh the 'net2fw' chain in the filter table and the 'net_dnat' chain in the nat table</pre></dd><dt><span class="term"><span class="bold"><strong>reload</strong></span></span></dt><dd><p>If <span class="emphasis"><em>directory</em></span> is omitted, the current
          working directory is assumed. Allows a non-root user to compile a
          shorewall script and install it on a system (provided that the user
          has root access to the system via ssh). The command is equivalent
          to:</p><pre class="programlisting">    <span class="bold"><strong>/sbin/shorewall compile -e</strong></span> <span class="emphasis"><em>directory</em></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall &amp;&amp;\</strong></span>
    <span class="bold"><strong>scp</strong></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall</strong></span> <span class="emphasis"><em>directory</em></span><span class="bold"><strong>/firewall.conf</strong></span> <span class="bold"><strong>root@</strong></span><span class="emphasis"><em>system</em></span><span class="bold"><strong>:/var/lib/shorewall-lite/ &amp;&amp;\</strong></span>
    <span class="bold"><strong>ssh root@</strong></span><span class="emphasis"><em>system</em></span> <span class="bold"><strong>'/sbin/shorewall-lite restart'</strong></span></pre><p>In other words, the configuration in the specified (or
          defaulted) directory is compiled to a file called firewall in that
          directory. If compilation succeeds, then firewall is copied to
          <span class="emphasis"><em>system</em></span> using scp. If the copy succeeds,
          Shorewall Lite on <span class="emphasis"><em>system</em></span> is restarted via
          ssh.</p><p>If <span class="bold"><strong>-s</strong></span> is specified and the
          <span class="bold"><strong>restart</strong></span> command succeeds, then the
remote Shorewall-lite configuration is saved by executing <span class="bold"><strong>shorewall-lite save</strong></span> via ssh.</p><p>If <span class="bold"><strong>-c</strong></span> is included, the
          command <span class="bold"><strong>shorewall-lite show capabilities -f
          &gt; /var/lib/shorewall-lite/capabilities</strong></span> is executed via
          ssh then the generated file is copied to
          <span class="emphasis"><em>directory</em></span> using scp. This step is performed
          before the configuration is compiled.</p><p>If <code class="option">-r</code> is included, it specifies that the root
          user on <em class="replaceable"><code>system</code></em> is named
          <em class="replaceable"><code>root-user-name</code></em> rather than "root".</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
          compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>reset</strong></span></span></dt><dd><p>All the packet and byte counters in the firewall are
          reset.</p></dd><dt><span class="term"><span class="bold"><strong>restart</strong></span></span></dt><dd><p>Restart is similar to <span class="bold"><strong>shorewall
          stop</strong></span> followed by <span class="bold"><strong>shorewall
          start</strong></span>. Existing connections are maintained. If a
          <span class="emphasis"><em>directory</em></span> is included in the command, Shorewall
          will look in that <span class="emphasis"><em>directory</em></span> first for
          configuration files.</p><p>The <code class="option">-n</code> option causes Shorewall to avoid
          updating the routing table(s).</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
compiler to use.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you use Shorewall's multi-ISP feature, you are strongly
            advised against using the -C option of the
            <span class="command"><strong>restart</strong></span> command when switching between
            Shorewall-shell and Shorewall-perl. The only supported way to
            switch compilers is to <span class="command"><strong>shorewall stop</strong></span> followed
            by <span class="command"><strong>shorewall safe-start -C</strong></span>
            <em class="replaceable"><code>compiler</code></em>.</p></div></dd><dt><span class="term"><span class="bold"><strong>restore</strong></span></span></dt><dd><p>Restore Shorewall to a state saved using the <span class="bold"><strong>shorewall save</strong></span> command. Existing connections
          are maintained. The <span class="emphasis"><em>filename</em></span> names a restore
          file in /var/lib/shorewall created using <span class="bold"><strong>shorewall save</strong></span>; if no
          <span class="emphasis"><em>filename</em></span> is given then Shorewall will be
          restored from the file specified by the RESTOREFILE option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5).</p></dd><dt><span class="term"><span class="bold"><strong>safe-restart</strong></span></span></dt><dd><p>Only allowed if Shorewall is running. The current
          configuration is saved in /var/lib/shorewall/safe-restart (see the
          save command below) then a <span class="bold"><strong>shorewall
          restart</strong></span> is done. You will then be prompted asking if you
          want to accept the new configuration or not. If you answer "n" or if
          you fail to answer within 60 seconds (such as when your new
          configuration has disabled communication with your terminal), the
          configuration is restored from the saved configuration. If a
          directory is given, then Shorewall will look in that directory first
          when opening configuration files.</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
compiler to use.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>If you use Shorewall's multi-ISP feature, you are strongly
            advised against using the -C option of the
            <span class="command"><strong>safe-restart</strong></span> command when switching between
            Shorewall-shell and Shorewall-perl. The only supported way to
            switch compilers is to <span class="command"><strong>shorewall stop</strong></span> followed
            by <span class="command"><strong>shorewall safe-start -C</strong></span>
            <em class="replaceable"><code>compiler</code></em>.</p></div></dd><dt><span class="term"><span class="bold"><strong>safe-start</strong></span></span></dt><dd><p>Shorewall is started normally. You will then be prompted
          asking if everything went all right. If you answer "n" or if you
          fail to answer within 60 seconds (such as when your new
          configuration has disabled communication with your terminal), a
          shorewall clear is performed for you. If a directory is given, then
          Shorewall will look in that directory first when opening
          configuration files.</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
          compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>save</strong></span></span></dt><dd><p>The dynamic blacklist is stored in /var/lib/shorewall/save.
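</p><p>The save and restore commands are the mechanism behind safe-restart (above) and try (below): snapshot the running state, apply the new rule set, and fall back to the snapshot unless the change is confirmed before a deadline. The following shell function is an added example and not Shorewall code; it reproduces that fail-closed pattern with stub commands standing in for <span class="bold"><strong>shorewall save</strong></span>, <span class="bold"><strong>shorewall restart</strong></span> and <span class="bold"><strong>shorewall restore</strong></span>, and assumes bash for the <span class="bold"><strong>read -t</strong></span> deadline. The "no" default on timeout is the point: a rule set that cut off the administrator's own session can never be confirmed, so silence must mean roll back.</p>

```bash
#!/bin/bash
# Added example, not Shorewall code: the snapshot / apply / confirm-or-restore
# pattern behind "shorewall safe-restart" and "shorewall try", as a generic
# function. The three command arguments are placeholders for
# "shorewall save", "shorewall restart" and "shorewall restore"; the stubs in
# the usage lines at the bottom are constructed for demonstration only.
# Assumes bash for the read -t deadline (plain sh falls back to a read with
# no deadline). Variables are left global so the function also runs under sh.

# safe_apply SAVE_CMD APPLY_CMD RESTORE_CMD DEADLINE_SECONDS
# Prints "accepted" when the new state is kept and "restored" when it was
# rolled back; the exit status is 0 only for "accepted".
safe_apply() {
    save_cmd=$1 apply_cmd=$2 restore_cmd=$3 deadline=$4

    # 1. Snapshot first. With no snapshot there is nothing to fall back to,
    #    so refuse to change anything at all.
    $save_cmd || { echo "snapshot failed, nothing changed" >&2; return 2; }

    # 2. From here on, losing the session (HUP) or being interrupted must
    #    not leave untested rules in place: roll back on those signals.
    trap "$restore_cmd; exit 3" HUP INT TERM

    # 3. Apply. A failed apply is rolled back immediately.
    if ! $apply_cmd; then
        $restore_cmd
        trap - HUP INT TERM
        echo restored
        return 1
    fi

    # 4. Ask, with a deadline. A timeout, EOF (the terminal is gone) and any
    #    answer other than "y" all mean "no": the default is fail-closed.
    printf 'Keep the new configuration? [y/N] (%ss) ' "$deadline" >&2
    answer=
    if [ -n "$BASH_VERSION" ]; then
        read -r -t "$deadline" answer || answer=
    else
        read -r answer || answer=      # plain sh: no deadline, HUP trap only
    fi
    trap - HUP INT TERM
    case $answer in
        y|Y) echo accepted; return 0 ;;
        *)   $restore_cmd; echo restored; return 1 ;;
    esac
}

# Usage with stub commands (constructed for the example); in production the
# arguments would be "shorewall save", "shorewall restart", "shorewall restore".
# printf 'y\n' | safe_apply "echo saving" true "echo restoring" 60   # accepted
# safe_apply "echo saving" true "echo restoring" 60 </dev/null        # restored
```

<p>Losing the session is covered twice: the HUP trap restores at once if the shell receives the hangup, and the read deadline restores if it does not (for example under nohup, where the read simply fails once the terminal is gone). Either way the untested rules do not survive an administrator who can no longer answer.</p><p>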
          The state of the firewall is stored in
          /var/lib/shorewall/<span class="emphasis"><em>filename</em></span> for use by the
          <span class="bold"><strong>shorewall restore</strong></span> and <span class="bold"><strong>shorewall -f start</strong></span> commands. If
          <span class="emphasis"><em>filename</em></span> is not given then the state is saved
          in the file specified by the RESTOREFILE option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5).</p></dd><dt><span class="term"><span class="bold"><strong>show</strong></span></span></dt><dd><p>The show command can have a number of different
          arguments:</p><div class="variablelist"><dl><dt><span class="term"><span class="bold"><strong>actions</strong></span></span></dt><dd><p>Produces a report about the available actions (built-in,
                standard and user-defined).</p></dd><dt><span class="term"><span class="bold"><strong>capabilities</strong></span></span></dt><dd><p>Displays your kernel/iptables capabilities. The
                <span class="bold"><strong>-f</strong></span> option causes the display
                to be formatted as a capabilities file for use with <span class="bold"><strong>compile -e</strong></span>.</p></dd><dt><span class="term">[ [ <code class="option">chain</code> ] <span class="emphasis"><em>chain</em></span>...
              ]</span></dt><dd><p>The rules in each <span class="emphasis"><em>chain</em></span> are
                displayed using the <span class="bold"><strong>iptables
                -L</strong></span> <span class="emphasis"><em>chain</em></span> <span class="bold"><strong>-n -v</strong></span> command. If no
                <span class="emphasis"><em>chain</em></span> is given, all of the chains in the
                filter table are displayed. The <span class="bold"><strong>-x</strong></span> option is passed directly through to
                iptables and causes actual packet and byte counts to be
                displayed. Without this option, those counts are abbreviated.
                The <span class="bold"><strong>-t</strong></span> option specifies the
Netfilter table to display. The default is <span class="bold"><strong>filter</strong></span>.</p><p>If the <span class="bold"><strong>-t</strong></span> option and the
                <code class="option">chain</code> keyword are both omitted and any of the
                listed <em class="replaceable"><code>chain</code></em>s do not exist, a usage
                message is displayed.</p></dd><dt><span class="term"><span class="bold"><strong>classifiers</strong></span></span></dt><dd><p>Displays information about the packet classifiers
                defined on the system as a result of traffic shaping
configuration.</p></dd><dt><span class="term"><span class="bold"><strong>config</strong></span></span></dt><dd><p>Displays distribution-specific defaults.</p></dd><dt><span class="term"><span class="bold"><strong>connections</strong></span></span></dt><dd><p>Displays the IP connections currently being tracked by
                the firewall.</p></dd><dt><span class="term"><span class="bold"><strong>log</strong></span></span></dt><dd><p>Displays the last 20 Shorewall messages from the log
                file specified by the LOGFILE option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5). The
                <span class="bold"><strong>-m</strong></span> option causes the MAC
                address of each packet source to be displayed if that
                information is available.</p></dd><dt><span class="term"><span class="bold"><strong>macros</strong></span></span></dt><dd><p>Displays information about each macro defined on the
                firewall system.</p></dd><dt><span class="term"><span class="bold"><strong>mangle</strong></span></span></dt><dd><p>Displays the Netfilter mangle table using the command
                <span class="bold"><strong>iptables -t mangle -L -n
-v</strong></span>. The <span class="bold"><strong>-x</strong></span> option
                is passed directly through to iptables and causes actual
                packet and byte counts to be displayed. Without this option,
                those counts are abbreviated.</p></dd><dt><span class="term"><span class="bold"><strong>nat</strong></span></span></dt><dd><p>Displays the Netfilter nat table using the command
<span class="bold"><strong>iptables -t nat -L -n -v</strong></span>. The
                <span class="bold"><strong>-x</strong></span> option is passed directly
                through to iptables and causes actual packet and byte counts
                to be displayed. Without this option, those counts are
                abbreviated.</p></dd><dt><span class="term"><span class="bold"><strong>tc</strong></span></span></dt><dd><p>Displays information about queuing disciplines, classes
                and filters.</p></dd><dt><span class="term"><span class="bold"><strong>zones</strong></span></span></dt><dd><p>Displays the current composition of the Shorewall zones
                on the system.</p></dd></dl></div></dd><dt><span class="term"><span class="bold"><strong>start</strong></span></span></dt><dd><p>Start shorewall. Existing connections through shorewall
          managed interfaces are untouched. New connections will be allowed
          only if they are allowed by the firewall rules or policies. If a
          <em class="replaceable"><code>directory</code></em> is included in the command,
          Shorewall will look in that <span class="emphasis"><em>directory</em></span> first for
          configuration files. If <span class="bold"><strong>-f</strong></span> is
          specified, the saved configuration specified by the RESTOREFILE
          option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5)
          will be restored if that saved configuration exists and has been
          modified more recently than the files in /etc/shorewall. When
          <span class="bold"><strong>-f</strong></span> is given, a
          <em class="replaceable"><code>directory</code></em> may not be specified.</p><p>The <code class="option">-n</code> option causes Shorewall to avoid
          updating the routing table(s).</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
          compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>stop</strong></span></span></dt><dd><p>Stops the firewall. All existing connections, except those
          listed in <a class="ulink" href="shorewall-routestopped.html" target="_self">shorewall-routestopped</a>(5)
          or permitted by the ADMINISABSENTMINDED option in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5), are taken down.
          The only new traffic permitted through the firewall is from systems
          listed in <a class="ulink" href="shorewall-routestopped.html" target="_self">shorewall-routestopped</a>(5)
          or by ADMINISABSENTMINDED.</p><p>The <code class="option">-f</code> option was added in Shorewall 4.0.3.
          If <code class="option">-f</code> is given, the command will be processed by
          the compiled script that executed the last successful <span class="bold"><strong>start</strong></span>, <span class="bold"><strong>restart</strong></span> or <span class="bold"><strong>refresh</strong></span> command if that script exists.</p></dd><dt><span class="term"><span class="bold"><strong>status</strong></span></span></dt><dd><p>Produces a short report about the state of the
          Shorewall-configured firewall.</p></dd><dt><span class="term"><span class="bold"><strong>try</strong></span></span></dt><dd><p>If Shorewall is started then the firewall state is saved to a
          temporary saved configuration
          (<code class="filename">/var/lib/shorewall/.try</code>). Next, if Shorewall
          is currently started then a <span class="bold"><strong>restart</strong></span>
command is issued; otherwise, a <span class="bold"><strong>start</strong></span> command is performed. If an error
           occurs during the compilation phase of the <span class="bold"><strong>restart</strong></span> or <span class="bold"><strong>start</strong></span>, the command terminates without
          changing the Shorewall state. If an error occurs during the
          <span class="bold"><strong>restart</strong></span> phase, then a <span class="bold"><strong>shorewall restore</strong></span> is performed using the
          saved configuration. If an error occurs during the <span class="bold"><strong>start</strong></span> phase, then Shorewall is cleared. If
          the <span class="bold"><strong>start</strong></span>/<span class="bold"><strong>restart</strong></span> succeeds and a
          <em class="replaceable"><code>timeout</code></em> is specified then a <span class="bold"><strong>clear</strong></span> or <span class="bold"><strong>restore</strong></span> is performed after
          <em class="replaceable"><code>timeout</code></em> seconds.</p><p>The <code class="option">-C</code> option determines the compiler to use
          (Shorewall-shell or Shorewall-perl). If not specified, the
          SHOREWALL_COMPILER setting in <a class="ulink" href="shorewall.conf.html" target="_self">shorewall.conf</a>(5) determines the
          compiler to use.</p></dd><dt><span class="term"><span class="bold"><strong>version</strong></span></span></dt><dd><p>Displays Shorewall's version. If the <code class="option">-a</code>
          option is included, the versions of Shorewall-shell and/or
Shorewall-perl will also be displayed.</p></dd></dl></div></div><div class="refsect1" lang="en" xml:lang="en"><a id="id305848"></a><h2>FILES</h2><p>/etc/shorewall/</p></div><div class="refsect1" lang="en" xml:lang="en"><a id="id305857"></a><h2>SEE ALSO</h2><p><a class="ulink" href="http://www.shorewall.net/starting_and_stopping_shorewall.htm" target="_self">http://www.shorewall.net/starting_and_stopping_shorewall.htm</a></p><p>shorewall-accounting(5), shorewall-actions(5),
    shorewall-blacklist(5), shorewall-hosts(5), shorewall-interfaces(5),
    shorewall-ipsec(5), shorewall-maclist(5), shorewall-masq(5),
    shorewall-nat(5), shorewall-netmap(5), shorewall-params(5),
    shorewall-policy(5), shorewall-providers(5), shorewall-proxyarp(5),
    shorewall-route_rules(5), shorewall-routestopped(5), shorewall-rules(5),
    shorewall.conf(5), shorewall-tcclasses(5), shorewall-tcdevices(5),
    shorewall-tcrules(5), shorewall-tos(5), shorewall-tunnels(5),
    shorewall-zones(5)</p></div></div></body></html>