shorewall-doc-4.0.15-0.2mdvmes5.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><title>Operating Shorewall and Shorewall Lite</title><link rel="stylesheet" href="html.css" type="text/css" /><meta name="generator" content="DocBook XSL Stylesheets V1.73.2" /></head><body><div class="article" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title"><a id="id292602"></a>Operating Shorewall and Shorewall Lite</h2></div><div><div class="authorgroup"><div class="author"><h3 class="author"><span class="firstname">Tom</span> <span class="surname">Eastep</span></h3></div></div></div><div><p class="copyright">Copyright © 2004, 2005, 2006, 2007 Thomas M. Eastep</p></div><div><div class="legalnotice"><a id="id257922"></a><p>Permission is granted to copy, distribute and/or modify this
      document under the terms of the GNU Free Documentation License, Version
      1.2 or any later version published by the Free Software Foundation; with
      no Invariant Sections, with no Front-Cover, and with no Back-Cover
      Texts. A copy of the license is included in the section entitled
      “<span class="quote"><a class="ulink" href="GnuCopyright.htm" target="_self">GNU Free Documentation
      License</a></span>”.</p></div></div><div><p class="pubdate">2008/12/15</p></div></div><hr /></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="section"><a href="#CLI">/sbin/shorewall and /sbin/shorewall-lite</a></span></dt><dt><span class="section"><a href="#Starting">Starting, Stopping and Clearing</a></span></dt><dt><span class="section"><a href="#Init">/etc/init.d/shorewall and /etc/init.d/shorewall-lite</a></span></dt><dt><span class="section"><a href="#Trace">Tracing Command Execution and other Debugging Aids</a></span></dt><dt><span class="section"><a href="#Boot">Having Shorewall Start Automatically at Boot Time</a></span></dt><dt><span class="section"><a href="#Saved">Saving a Working Configuration for Error Recovery and Fast
    Startup</a></span></dt><dt><span class="section"><a href="#AddDirectories">Additional Configuration Directories</a></span></dt><dt><span class="section"><a href="#AltConfig">Alternate Configuration Directories</a></span></dt><dt><span class="section"><a href="#Commands">Commands</a></span></dt><dt><span class="section"><a href="#State">Shorewall State Diagram</a></span></dt></dl></div><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><p><span class="bold"><strong>This article applies to Shorewall 3.0 and
    later. If you are running a version of Shorewall earlier than Shorewall
    3.0.0 then please see the documentation for that
    release</strong></span>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="CLI"></a>/sbin/shorewall and /sbin/shorewall-lite</h2></div></div></div><p><code class="filename">/sbin/shorewall</code> is the program that you use to
    interact with Shorewall. Normally the root user's PATH includes
    <code class="filename">/sbin</code> and the program can be run from a shell prompt
    by simply typing <span class="command"><strong>shorewall</strong></span> followed by a
    command.</p><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>In some releases of KDE, the default configuration of the
      <span class="bold"><strong>konsole</strong></span> program is brain dead with
      respect to the "Root Console". It executes the command "su" where it
      should execute "su -"; the latter will cause a login shell to be created
      which will in turn set PATH properly. You can correct this problem as
      follows:</p><div class="orderedlist"><ol type="1"><li><p>Click on "Settings" on the toolbar and select "Configure
          Konsole"</p></li><li><p>Select the "Session" tab.</p></li><li><p>Click on "Root Console"</p></li><li><p>Change the Execute command from "su" to "su -"</p></li><li><p>Click on "Save Session"</p></li><li><p>Click on "Ok"</p></li></ol></div></div><p>To see a list of supported commands, use the <span class="command"><strong>help</strong></span>
    command:</p><pre class="programlisting"><span class="command"><strong>shorewall help</strong></span></pre><p>To get further information about a particular command, use the
    <span class="command"><strong>man</strong></span> command:</p><pre class="programlisting"><span class="command"><strong>man shorewall</strong></span>
</pre><p>The program <span class="bold"><strong>/sbin/shorewall-lite</strong></span>
    performs a similar role with Shorewall-lite.</p><p>For a more complete description of the files and directories
    involved in Shorewall and Shorewall-lite, see the <a class="ulink" href="Anatomy.html" target="_self">Shorewall Anatomy article</a>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Starting"></a>Starting, Stopping and Clearing</h2></div></div></div><p>As explained in the <a class="ulink" href="Introduction.html" target="_self">Introduction</a>, Shorewall is not something
    that runs all of the time in your system. Nevertheless, for integrating
    Shorewall into your initialization scripts it is useful to speak of
    <em class="firstterm">starting</em> Shorewall and
    <span class="emphasis"><em>stopping</em></span> Shorewall.</p><div class="itemizedlist"><ul type="disc"><li><p>Shorewall is started using the <span class="command"><strong>shorewall
        start</strong></span> command. Once the start command completes
        successfully, Netfilter is configured as described in your Shorewall
        configuration files. If there is an error during <span class="command"><strong>shorewall
        start</strong></span>, then if you have a <em class="firstterm">saved
        configuration</em> then that configuration is restored.
        Otherwise, an implicit <span class="command"><strong>shorewall stop</strong></span> is
        executed.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Beginning with Shorewall 3.1, <span class="command"><strong>shorewall
          start</strong></span> is implemented as a <em class="firstterm">compile and
          go</em>; that is, the configuration is compiled and if there
          are no compilation errors then the resulting compiled script is
          executed. If there are compilation errors, the command is aborted
          and the state of the firewall is not altered.</p></div></li><li><p>Shorewall is stopped using the <span class="command"><strong>shorewall stop</strong></span>
        command.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>The <span class="command"><strong>shorewall stop</strong></span> command does not remove
          all Netfilter rules and open your firewall for all traffic to pass.
          It rather places your firewall in a safe state defined by the
          contents of your <a class="ulink" href="manpages/shorewall-routestopped.html" target="_self">/etc/shorewall/routestopped</a>
          file and the setting of ADMINISABSENTMINDED in <a class="ulink" href="manpages/shorewall.conf.html" target="_self">/etc/shorewall/shorewall.conf</a>.</p></div></li><li><p>If you want to remove all Netfilter rules and open your firewall
        for all traffic to pass, use the <span class="command"><strong>shorewall clear</strong></span>
        command.</p></li><li><p>If you change your configuration and want to install the
        changes, use the <span class="command"><strong>shorewall restart</strong></span> command.</p></li></ul></div><p>For additional information, see the <a class="link" href="#State" title="Shorewall State Diagram">Shorewall
    State Diagram</a> section.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Init"></a>/etc/init.d/shorewall and /etc/init.d/shorewall-lite</h2></div></div></div><p>Because of the different requirements of distribution packaging
    systems, the behavior of <code class="filename">/etc/init.d/shorewall</code> and
    <code class="filename">/etc/init.d/shorewall-lite</code> is not consistent between
    distributions. As an example, when using the distribution Shorewall
    packages on <span class="trademark">Debian</span>™ and
    <span class="trademark">Ubuntu</span>™ systems, running
    <span class="command"><strong>/etc/init.d/shorewall stop</strong></span> will actually execute the
    command <span class="command"><strong>/sbin/shorewall clear</strong></span> rather than
    <span class="command"><strong>/sbin/shorewall stop</strong></span>! So don't expect the meaning of
    <span class="emphasis"><em>start</em></span>, <span class="emphasis"><em>stop</em></span>,
    <span class="emphasis"><em>restart</em></span>, etc. to be consistent between
    <code class="filename">/sbin/shorewall</code> (or
    <code class="filename">/sbin/shorewall-lite</code>) and your init scripts unless
    you got your Shorewall package from shorewall.net.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Trace"></a>Tracing Command Execution and other Debugging Aids</h2></div></div></div><p>If you include the word <span class="bold"><strong>trace</strong></span> as
    the first parameter to an <code class="filename">/sbin/shorewall</code> command
    that transfers control to
    <code class="filename">/usr/share/shorewall/firewall</code>, execution of the
    latter program will be traced to STDERR.</p><div class="example"><a id="trace"></a><p class="title"><b>Example 1. Tracing <span class="command">shorewall start</span></b></p><div class="example-contents"><p>To trace the execution of <span class="command"><strong>shorewall start</strong></span> and
      write the trace to the file <code class="filename">/tmp/trace</code>, you would
      enter:</p><pre class="programlisting"><span class="command"><strong>shorewall trace start 2&gt; /tmp/trace</strong></span></pre><div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Note</h3><p>If you are running Shorewall-perl, the <span class="bold"><strong>trace</strong></span> keyword does not result in a trace of
          the execution of the Shorewall-perl compiler. It rather causes
          additional diagnostic information to be included in warning and
          error messages generated by the compiler.</p></div><p>Beginning with Shorewall 4.0.5, you may also include the word
      <span class="bold"><strong>debug</strong></span> as the first argument to the
      <code class="filename">/sbin/shorewall</code> and
      <code class="filename">/sbin/shorewall-lite</code> commands.</p><pre class="programlisting"><span class="command"><strong>shorewall debug restart</strong></span></pre><p>In
      most cases, <span class="bold"><strong>debug</strong></span> is a synonym for
      <span class="bold"><strong>trace</strong></span>. The exceptions are:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="bold"><strong>debug</strong></span> is ignored by the
          Shorewall-perl compiler.</p></li><li><p><span class="bold"><strong>debug</strong></span> causes altered behavior
          of scripts generated by the Shorewall-perl compiler. These scripts
          normally use <span class="command"><strong>iptables-restore</strong></span> to install the
          Netfilter ruleset but with <span class="bold"><strong>debug</strong></span>,
          the commands normally passed to <span class="command"><strong>iptables-restore</strong></span>
          in its input file are passed individually to
          <span class="command"><strong>iptables</strong></span>. This is a diagnostic aid which allows
          identifying the individual command that is causing
          <span class="command"><strong>iptables-restore</strong></span> to fail; it should be used when
          iptables-restore fails when executing a <span class="command"><strong>COMMIT</strong></span>
          command.</p></li></ul></div><div class="warning" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Warning</h3><p>The <span class="bold"><strong>debug</strong></span> feature is strictly
          for problem analysis. When <span class="bold"><strong>debug</strong></span> is
          used:</p><div class="orderedlist"><ol type="1"><li><p>The firewall is made 'wide open' before the rules are
              applied.</p></li><li><p>The <code class="filename">routestopped</code> file is not
              consulted.</p></li><li><p>The rules are applied in the canonical
              <span class="command"><strong>iptables-restore</strong></span> order. So if you need
              critical hosts to be always available during start/restart, you
              may not be able to use <span class="bold"><strong>debug</strong></span>.</p></li></ol></div></div></div></div><br class="example-break" /></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Boot"></a>Having Shorewall Start Automatically at Boot Time</h2></div></div></div><p>The .rpm, .deb and .tgz all try to configure your startup scripts so
    that Shorewall will start automatically at boot time. If you are using the
    <span class="command"><strong>install.sh </strong></span>script from the .tgz and it cannot determine
    how to configure automatic startup, a message to that effect will be
    displayed. You will need to consult your distribution's documentation to
    see how to integrate the <code class="filename">/etc/init.d/shorewall</code> script
    into the distribution's startup mechanism.</p><div class="caution" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Caution</h3><div class="itemizedlist"><ul type="disc"><li><p>Shorewall startup is disabled by default. Once you have
            configured your firewall, you can enable startup by editing
            <code class="filename">/etc/shorewall/shorewall.conf</code> and setting
            STARTUP_ENABLED=Yes. Note: Users of the .deb package must rather
            edit <code class="filename">/etc/default/shorewall</code> and set
            “<span class="quote">startup=1</span>”.</p></li><li><p>If you use dialup or some flavor of PPP where your IP
            address can change arbitrarily, you may want to start the firewall
            in your <span class="command"><strong>/etc/ppp/ip-up.local</strong></span> script. I
            recommend just placing “<span class="quote"><span class="command"><strong>/sbin/shorewall
            restart</strong></span></span>” in that script.</p></li></ul></div></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Saved"></a>Saving a Working Configuration for Error Recovery and Fast
    Startup</h2></div></div></div><p>Once you have Shorewall working the way that you want it to, you can
    use <span class="command"><strong>shorewall save</strong></span> to <em class="firstterm">save</em> the
    commands necessary to recreate that configuration in a <em class="firstterm">restore
    script</em>.</p><p>In its simplest form, the save command is just:</p><pre class="programlisting"><span class="command"><strong>shorewall save</strong></span></pre><p>That command creates the default restore script,
    <code class="filename">/var/lib/shorewall/restore</code>. The default may be
    changed using the RESTOREFILE option in <a class="ulink" href="manpages/shorewall.conf.html" target="_self">/etc/shorewall/shorewall.conf</a>.
    A different file name may also be specified in the <span class="command"><strong>save</strong></span>
    command:</p><pre class="programlisting"><span class="command"><strong>shorewall save &lt;filename&gt;</strong></span></pre><p>Where &lt;<span class="emphasis"><em>filename</em></span>&gt; is a simple file name
    (no slashes).</p><p>Once created, the default restore script serves several useful
    purposes:</p><div class="itemizedlist"><ul type="disc"><li><p>If you change your configuration and there is an error when you
        try to restart Shorewall, the restore script will be run to restore
        your firewall to working order.</p></li><li><p>Bootup is faster (although with Shorewall-perl, the difference
        is minimal). The -f option of the start command (e.g.,
        <span class="command"><strong>shorewall -f start</strong></span>) causes Shorewall to look for
        the default restore script and if it exists, the script is run. When
        using Shorewall-shell, this is much faster than starting Shorewall
        using the normal mechanism of reading the configuration files and
        running <span class="command"><strong>iptables</strong></span> dozens or even hundreds of
        times.</p><p>Under Shorewall versions &lt; 4.0.0,
        <code class="filename">/etc/init.d/shorewall</code>
        (<code class="filename">/etc/rc.d/rc.firewall</code>) uses the -f option when
        it is processing a request to start Shorewall. Beginning with
        Shorewall 4.0.0, the default is to not use -f. If you wish to change
        the default, you must set the OPTIONS shell variable in either
        <code class="filename">/etc/default/shorewall</code> or
        <code class="filename">/etc/sysconfig/shorewall</code> (if your distribution
        provides neither of these files, you must create one or the other).
        For example, to continue to use -f under Shorewall 4.0.0 and later,
        you would have:</p><pre class="programlisting">OPTIONS="-f"</pre></li><li><p>The <span class="command"><strong>shorewall restore</strong></span> command can be used at
        any time to quickly configure the firewall.</p><pre class="programlisting"><span class="command"><strong>shorewall restore [ &lt;filename&gt; ]</strong></span></pre><p>If no &lt;<span class="emphasis"><em>filename</em></span>&gt; is given, the
        default restore script is used. Otherwise, the script
        <code class="filename">/var/lib/shorewall/&lt;filename&gt;</code> is
        used.</p></li></ul></div><p>The ability to have multiple restore scripts means that you can save
    different Shorewall firewall configurations and switch between them
    quickly using the <span class="command"><strong>restore</strong></span> command.</p><p>Restore scripts may be removed using the <span class="command"><strong>shorewall
    forget</strong></span> command:</p><pre class="programlisting"><span class="command"><strong>shorewall forget [ &lt;filename&gt; ]</strong></span></pre><p>If no &lt;<span class="emphasis"><em>filename</em></span>&gt; is given, the default
    restore script is removed. Otherwise,
    <code class="filename">/var/lib/shorewall/&lt;filename&gt;</code> is removed (of
    course, you can also use the Linux <span class="command"><strong>rm</strong></span> command from the
    shell prompt to remove these files).</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="AddDirectories"></a>Additional Configuration Directories</h2></div></div></div><p>The CONFIG_PATH setting in
    <code class="filename">/etc/shorewall/shorewall.conf</code> determines where
    Shorewall looks for configuration files. The default setting is
    CONFIG_PATH=<code class="filename">/etc/shorewall</code>:<code class="filename">/usr/share/shorewall</code> which means that
    <code class="filename">/etc/shorewall</code> is searched first
    and if the file is not found then <code class="filename">/usr/share/shorewall</code> is searched. You can
    change the value of CONFIG_PATH to cause additional directories to be
    searched but CONFIG_PATH should <span class="emphasis"><em>always</em></span> include both
    <code class="filename">/etc/shorewall</code> and <code class="filename">/usr/share/shorewall</code>.</p><p>When an alternate configuration directory is specified as described
    in the <a class="link" href="#AltConfig" title="Alternate Configuration Directories">next section</a>, that directory
    is searched <span class="emphasis"><em>before</em></span> those directories listed in
    CONFIG_PATH.</p><p>Example - Search <code class="filename">/etc/shorewall</code>, <code class="filename">/etc/shorewall/actiondir</code> and <code class="filename">/usr/share/shorewall</code> in that order:</p><pre class="programlisting">CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall</pre><p>The above is the setting that I once used to allow me to place all
    of my user-defined 'action.' files in <code class="filename">/etc/shorewall/actiondir</code>.</p></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="AltConfig"></a>Alternate Configuration Directories</h2></div></div></div><p>As explained <a class="link" href="#AddDirectories" title="Additional Configuration Directories">above</a>, Shorewall
    normally looks for configuration files in the directories specified by the
    CONFIG_PATH option in <code class="filename">/etc/shorewall/shorewall.conf</code>. The
    <span class="command"><strong>shorewall start</strong></span>, <span class="command"><strong>shorewall restart</strong></span>,
    <span class="command"><strong>shorewall check</strong></span>, and <span class="command"><strong>shorewall
    try</strong></span> commands allow you to specify an additional directory for
    Shorewall to check before looking in the directories listed in
    CONFIG_PATH.</p><pre class="programlisting"><span class="command"><strong>shorewall {start|restart|check} &lt;configuration-directory&gt;</strong></span>
<span class="command"><strong>shorewall try &lt;configuration-directory&gt; [ &lt;timeout&gt; ]</strong></span></pre><p>If a &lt;<span class="emphasis"><em>configuration-directory</em></span>&gt; is
    specified, each time that Shorewall is going to read a file, it will first
    look in the &lt;<span class="emphasis"><em>configuration-directory</em></span>&gt;. If the
    file is present in the
    &lt;<span class="emphasis"><em>configuration-directory</em></span>&gt;, that file will be
    used; otherwise, the directories in the CONFIG_PATH will be searched. When
    changing the configuration of a production firewall, I recommend the
    following:</p><div class="itemizedlist"><ul type="disc"><li><p>If you haven't saved the current working configuration, do so
        using <span class="command"><strong>shorewall save</strong></span>.</p></li><li><p><span class="command"><strong>mkdir /etc/test</strong></span></p></li><li><p><span class="command"><strong>cd /etc/test</strong></span></p></li><li><p>&lt;copy any files that you need to change from /etc/shorewall
        to . and change them here&gt;</p></li><li><p><span class="command"><strong>shorewall check ./</strong></span></p></li><li><p>&lt;correct any errors found by check and check again&gt;</p></li><li><p><span class="command"><strong>shorewall restart ./</strong></span></p></li></ul></div><p>If the <span class="command"><strong>restart</strong></span> fails, your configuration will be
    restored to its state at the last <span class="command"><strong>shorewall
    save</strong></span>.</p><p>When the new configuration works then just:</p><div class="itemizedlist"><ul type="disc"><li><p><span class="command"><strong>cp -f * /etc/shorewall</strong></span></p></li><li><p><span class="command"><strong>cd</strong></span></p></li><li><p><span class="command"><strong>rm -rf /etc/test</strong></span></p></li><li><p><span class="command"><strong>shorewall save</strong></span></p></li></ul></div><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>Shorewall requires that the file
      <code class="filename">/etc/shorewall/shorewall.conf</code> always exist.
      Certain global settings are always obtained from that file. If you
      create alternative configuration directories, do not remove
      /etc/shorewall/shorewall.conf.</p></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Commands"></a>Commands</h2></div></div></div><p>The general form of a command in Shorewall 4.0 is:</p><div class="blockquote"><blockquote class="blockquote"><p><span class="command"><strong>shorewall [ &lt;options&gt; ] &lt;command&gt; [
      &lt;command options&gt; ] [ &lt;argument&gt; ... ]</strong></span></p><p>Available options are:</p><div class="variablelist"><dl><dt><span class="term">-c &lt;directory&gt;</span></dt><dd><p>Specifies an <a class="link" href="#AltConfig" title="Alternate Configuration Directories">alternate
            configuration directory</a>. Use of this option is
            deprecated.</p></dd><dt><span class="term">-f</span></dt><dd><p>Specifies fast restart. See the <span class="command"><strong>start</strong></span>
            command below.</p></dd><dt><span class="term">-n</span></dt><dd><p>Prevents the command from changing the firewall system's
            routing configuration.</p></dd><dt><span class="term">-q</span></dt><dd><p>Reduces the verbosity level (see VERBOSITY setting in <a class="ulink" href="manpages/shorewall.conf.html" target="_self">shorewall.conf</a>). May
            be repeated (e.g., "-qq") with each instance reducing the
            verbosity level by one.</p></dd><dt><span class="term">-v</span></dt><dd><p>Increases the verbosity level (see VERBOSITY setting in
            <a class="ulink" href="manpages/shorewall.conf.html" target="_self">shorewall.conf</a>). May
            be repeated (e.g., "-vv") with each instance increasing the
            verbosity level by one.</p></dd><dt><span class="term">-x</span></dt><dd><p>Causes all iptables -L commands to display actual packet and
            byte counts.</p></dd><dt><span class="term">-t</span></dt><dd><p>All progress messages are timestamped with the date and
            time.</p></dd></dl></div><p>In addition, the <span class="command"><strong>-q</strong></span> and <span class="command"><strong>-v</strong></span>
      options may be repeated to make the output less or more verbose
      respectively. The default level of verbosity is determined by the
      setting of the VERBOSITY option in
      <code class="filename">/etc/shorewall/shorewall.conf</code>.</p><p>For Shorewall Lite, the general command form is:</p><p><span class="command"><strong>shorewall-lite [ &lt;options&gt; ] &lt;command&gt; [
      &lt;command options&gt; ] [ &lt;argument&gt; ... ]</strong></span></p><p>where the options are the same as with Shorewall.</p><p>The complete documentation for each command may be found in the
      <a class="ulink" href="manpages/shorewall.html" target="_self">shorewall</a> and <a class="ulink" href="manpages/shorewall-lite.html" target="_self">shorewall-lite</a> man
      pages.</p></blockquote></div></div><div class="section" lang="en" xml:lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="State"></a>Shorewall State Diagram</h2></div></div></div><p>The Shorewall State Diagram is depicted below.</p><div align="center"><img src="images/State_Diagram.png" align="middle" /></div><div class="informaltable"><table border="1"><colgroup><col /><col /><col /></colgroup><thead><tr><th align="center">/sbin/shorewall Command</th><th align="center">Resulting /usr/share/shorewall/firewall
            Command</th><th align="center">Effect if the Command Succeeds</th></tr></thead><tbody><tr><td>shorewall start</td><td>firewall start</td><td>The system filters packets based on your current Shorewall
            Configuration</td></tr><tr><td>shorewall stop</td><td>firewall stop</td><td>Only traffic to/from hosts listed in /etc/shorewall/hosts
            is passed to/from/through the firewall. If ADMINISABSENTMINDED=Yes
            in /etc/shorewall/shorewall.conf then in addition, all existing
            connections are retained and all connection requests from the
            firewall are accepted.</td></tr><tr><td>shorewall restart</td><td>firewall restart</td><td>Logically equivalent to “<span class="quote">firewall stop;firewall
            start</span>”</td></tr><tr><td>shorewall add</td><td>firewall add</td><td>Adds a host or subnet to a dynamic zone</td></tr><tr><td>shorewall delete</td><td>firewall delete</td><td>Deletes a host or subnet from a dynamic zone</td></tr><tr><td>shorewall refresh</td><td>firewall refresh</td><td>Reloads rules dealing with static blacklisting, traffic
            control and ECN.</td></tr><tr><td>shorewall reset</td><td>firewall reset</td><td>Resets traffic counters</td></tr><tr><td>shorewall clear</td><td>firewall clear</td><td>Removes all Shorewall rules, chains, addresses, routes and
            ARP entries.</td></tr><tr><td>shorewall try</td><td>firewall -c &lt;new configuration&gt; restart; if
            unsuccessful, then firewall start (standard configuration); if the
            timeout expires, then firewall restart (standard configuration)</td><td> </td></tr></tbody></table></div><p>The only time that a program other than
    <span class="command"><strong>/usr/share/shorewall[-lite]/firewall</strong></span> performs a state
    transition itself is when the <span class="command"><strong>shorewall[-lite] restore</strong></span>
    command is executed. In that case, the
    <span class="command"><strong>/var/lib/shorewall[-lite]/restore</strong></span> program sets the
    state to "Started".</p><p>With any command that involves compilation, there is no state
    transition while the compiler is running. If compilation fails, the state
    remains unchanged.</p><p>Also, <span class="command"><strong>shorewall start</strong></span> and <span class="command"><strong>shorewall
    restart</strong></span> involve compilation followed by execution of the
    compiled script. So it is the compiled script that performs the state
    transition in these commands rather than
    <span class="command"><strong>/usr/share/shorewall/firewall</strong></span>.</p><p>The compiled script is placed in <code class="filename">/var/lib/shorewall</code> and is named either
    <code class="filename">.start</code> or <code class="filename">.restart</code> depending on
    the command.</p></div></div></body></html>
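Worked example for the "Tracing Command Execution and other Debugging Aids" section. The debug behaviour described there (the ruleset that would normally be fed to iptables-restore is instead applied as individual iptables commands, so that the one command that makes the COMMIT fail can be identified) can be reproduced with a short shell script. The script below is an added example written for this page, not code from the Shorewall project: it parses the iptables-restore input format (`*table`, `:CHAIN POLICY [counters]`, rule lines, `COMMIT`), emits one iptables command per line, then runs them one at a time and stops at the first failure. The sample ruleset is constructed for the example, and the IPTABLES variable (defaulting to iptables) is an assumption added so the generated commands can be pointed at a stand-in binary.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): turn an iptables-restore input
# into individual iptables commands and apply them one at a time, which is
# the diagnostic idea behind "shorewall debug restart".
#
# Assumption: IPTABLES names the iptables binary to invoke (default: iptables);
# it exists only so the commands can be pointed at a stand-in for testing.
: "${IPTABLES:=iptables}"

# A small constructed ruleset in iptables-restore format (sample data only).
SAMPLE_RULESET='# Constructed for the example
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:net2fw - [0:0]
-A INPUT -i eth0 -j net2fw
-A net2fw -p tcp --dport 22 -j ACCEPT
-A net2fw -j DROP
COMMIT
'

# restore_to_commands: read iptables-restore text on stdin and write one
# "iptables -t <table> ..." command per line on stdout.
restore_to_commands() {
    awk -v ipt="$IPTABLES" '
        /^#/ || /^[[:space:]]*$/ { next }        # skip comments and blank lines
        /^\*/  { table = substr($0, 2); next }   # "*filter" selects the table
        /^:/ {                                   # ":CHAIN POLICY [pkts:bytes]"
            chain = substr($1, 2)
            if ($2 == "-")                       # "-" marks a user-defined chain
                printf "%s -t %s -N %s\n", ipt, table, chain
            else                                 # built-in chain: set its policy
                printf "%s -t %s -P %s %s\n", ipt, table, chain, $2
            next
        }
        /^COMMIT/ { next }                       # implicit when applying one by one
        { printf "%s -t %s %s\n", ipt, table, $0 }   # -A / -I / -D rule lines
    '
}

# apply_individually: run each generated command in order; on the first
# failure print the offending command (the information iptables-restore
# withholds when it only reports an error at COMMIT) and return 1.
apply_individually() {
    restore_to_commands | while IFS= read -r cmd; do
        # $cmd is intentionally unquoted so the shell splits it into words
        $cmd >/dev/null 2>&1 || { printf 'failed: %s\n' "$cmd"; return 1; }
    done
}
```

Run it as `printf '%s' "$SAMPLE_RULESET" | restore_to_commands` to see the expanded command list, or pipe a real ruleset into `apply_individually` to find the failing line. As the article's warning notes for the real debug mode, applying rules one at a time means the ruleset is not installed atomically, so this is a diagnostic aid rather than a way to load a production firewall.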
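Worked example for the "Additional Configuration Directories" and "Alternate Configuration Directories" sections. The lookup order they describe (the directory given on the command line first, then the CONFIG_PATH directories from left to right, with the rule that CONFIG_PATH must always contain /etc/shorewall and /usr/share/shorewall) is modelled below as shell functions. This is an added example, not part of the Shorewall code base: `find_config_file` and `check_config_path` are names chosen for the example, and CONFIG_PATH is read from the environment rather than parsed out of shorewall.conf.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): resolve a configuration file name
# the way the article describes, and sanity-check CONFIG_PATH.
#
# Assumption: CONFIG_PATH is supplied in the environment in the same
# "dir1:dir2" form as the shorewall.conf setting; the default below is the
# one the article gives.
: "${CONFIG_PATH:=/etc/shorewall:/usr/share/shorewall}"

# find_config_file NAME [ALTDIR]
# Prints the path of the first copy of NAME found and returns 0; returns 1
# if no directory contains it.  ALTDIR models the <configuration-directory>
# argument of "shorewall start|restart|check|try", which is searched first.
find_config_file() {
    name=$1
    altdir=${2:-}
    if [ -n "$altdir" ] && [ -f "$altdir/$name" ]; then
        printf '%s\n' "$altdir/$name"
        return 0
    fi
    # Walk CONFIG_PATH left to right; a trailing ":" makes the last
    # component look like all the others.
    rest=$CONFIG_PATH:
    while [ -n "$rest" ]; do
        dir=${rest%%:*}        # first remaining component
        rest=${rest#*:}        # drop it together with its colon
        if [ -n "$dir" ] && [ -f "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# check_config_path: return 1 (with a message on stderr) if CONFIG_PATH
# omits either of the two directories the article says must always be in it.
check_config_path() {
    rc=0
    for required in /etc/shorewall /usr/share/shorewall; do
        case ":$CONFIG_PATH:" in
            *":$required:"*) ;;
            *) printf 'CONFIG_PATH is missing %s\n' "$required" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

With the article's example setting, `CONFIG_PATH=/etc/shorewall:/etc/shorewall/actiondir:/usr/share/shorewall find_config_file action.Foo` reports the copy in /etc/shorewall if one exists, then the one in /etc/shorewall/actiondir, and finally the one shipped in /usr/share/shorewall; passing a second argument such as `/etc/test` checks that directory before any of them.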
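Worked example for the staged-change procedure recommended in the "Alternate Configuration Directories" section (save the working configuration, copy the files to be changed into /etc/test, run `shorewall check ./`, then `shorewall restart ./`, and only afterwards copy the files back and save again). The functions below are an added example, not the project's own code. SHOREWALL, LIVE_DIR and STAGE_DIR are variables introduced for the example so the workflow can be driven against a test directory; their defaults follow the article's text.

```shell
#!/bin/sh
# Added example (not Shorewall's own code): the "edit in a scratch directory,
# check, then restart from it" workflow from the article as shell functions.
#
# Assumptions made for this example: SHOREWALL is the command used to drive
# the firewall, LIVE_DIR the production configuration directory and
# STAGE_DIR the scratch directory; the defaults follow the article.
: "${SHOREWALL:=shorewall}"
: "${LIVE_DIR:=/etc/shorewall}"
: "${STAGE_DIR:=/etc/test}"

# stage_files FILE...: copy only the files you intend to change from LIVE_DIR
# into STAGE_DIR; everything else is still found through CONFIG_PATH.
stage_files() {
    mkdir -p "$STAGE_DIR" || return 1
    for f in "$@"; do
        cp -p "$LIVE_DIR/$f" "$STAGE_DIR/$f" || return 1
    done
}

# apply_staged: record the current working configuration with "shorewall
# save", run "shorewall check" against the staged directory and, only if
# that passes, restart from it.  Exit status:
#   0  restart succeeded
#   1  save failed; nothing else was attempted
#   2  check failed; the running firewall was not touched
#   3  restart failed; Shorewall itself falls back to the saved configuration
apply_staged() {
    "$SHOREWALL" save || return 1
    ( cd "$STAGE_DIR" && "$SHOREWALL" check ./ ) || return 2
    ( cd "$STAGE_DIR" && "$SHOREWALL" restart ./ ) || return 3
}

# promote_staged: once the staged configuration is running, copy it over
# LIVE_DIR, remove the scratch directory and save the new working state.
promote_staged() {
    cp -f "$STAGE_DIR"/* "$LIVE_DIR"/ || return 1
    rm -rf "$STAGE_DIR"
    "$SHOREWALL" save
}
```

Typical use is `stage_files rules policy`, edit the copies in /etc/test, then `apply_staged && promote_staged`. Because `shorewall check` runs before `shorewall restart`, a configuration with compile errors never reaches the firewall, and because `shorewall save` ran first, a restart that fails at run time leaves the firewall in the last saved working state, which is exactly the recovery path the article describes. Note that `shorewall.conf` is deliberately not staged: the article requires /etc/shorewall/shorewall.conf to remain in place.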