man shorewall (System administration) - the Shoreline firewall, an iptables based firewall

NAME

shorewall - the Shoreline firewall, an iptables based firewall

SYNOPSIS

shorewall [debug|trace] [nolock] [-c <directory>] [-q] [-f] [-n] <command>

COPYRIGHT

Copyright (C) 1999-2005 by Tom Eastep <teastep@shorewall.net>

DESCRIPTION

The Shoreline Firewall, more commonly known as Shorewall, is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

OPTIONS

debug|trace
Set up the debug mode (sets the -x shell option).
nolock
Tells Shorewall not to acquire the lock file ($STATEDIR/lock). Used by programs issuing Shorewall commands when those programs already have the lock file.
-c directory
Look for configuration files in directory instead of /etc/shorewall/.
-f
If /var/lib/shorewall/restore is present, Shorewall restores the firewall to the state it was in when that file was created (see the save and restore commands below). Note: this option can be used only with the start command.
-n
When used with start, stop or restart, prevents Shorewall from altering the routing configuration in any way.
-q
Quiet mode.

STARTUP COMMAND

start
Starts the firewall.
stop
Stops the firewall. The only traffic permitted through the firewall is from systems listed in /etc/shorewall/routestopped.
restart
Stops the firewall (if it's running) and then starts it again.
reset
Reset the packet and byte counters in the firewall.
clear
Remove all rules and chains installed by the firewall.
refresh
Refresh the rules involving the broadcast addresses of firewall interfaces, the black list, traffic control rules and ECN control rules.
save
Creates the script /var/lib/shorewall/restore which, when run, restores the firewall to the state it was in when the script was created.
restore
Runs the /var/lib/shorewall/restore script created by the save command.
forget
Removes the /var/lib/shorewall/restore script created by the save command and the dynamic blacklist save file (/var/lib/shorewall/save).
safe-start
Starts the firewall, then prompts you to confirm that everything looks OK. If you answer "no" or do not answer within 60 seconds, a "shorewall clear" is executed. Note that clear removes every rule, so the fallback leaves the system unfiltered rather than locked down; use safe-restart or try when a known-good configuration should be the fallback instead.
safe-restart
Saves your current configuration to /var/lib/shorewall/safe-restart, then issues a "shorewall restart". It then prompts you to ask whether you want to accept the new configuration. If you answer "no" or do not answer within 60 seconds, the configuration is restored to its prior state.

MONITORING COMMAND

status
Reports the status of the firewall (started or not started).
dump
Produces a verbose report about the firewall (iptables -L -n -v).
show [key]
Produces a verbose report about the firewall (iptables -L -n -v). key can be one of the following:
chain
Produces a verbose report about the named chain (iptables -L chain -n -v).
nat
Produces a verbose report about the nat table (iptables -t nat -L -n -v).
tos
Produces a verbose report about the mangle table (iptables -t mangle -L -n -v).
log
Display the last 20 packet log entries.
connections
Displays the IP connections currently being tracked by the firewall.
tc
Displays information about the traffic control/shaping configuration.
dynamic
Displays the dynamic blacklisting configuration.
hits
Produces several reports about the Shorewall packet log messages in the current log file named in the $LOGFILE variable in /etc/shorewall/shorewall.conf.
version
Displays the installed version number.
check
Performs a cursory validation of the zones, interfaces, hosts, rules and policy files. CAUTION: this command is totally unsupported and does not parse and validate the generated iptables commands. Even if the command completes successfully, the configuration may fail to start. Problem reports that complain about errors that the command does not detect will not be accepted.
try configuration-directory [timeout]
Restarts Shorewall using the configuration found in configuration-directory. If an error occurs, or if the timeout option is given and the new configuration has been up for that many seconds, Shorewall is restarted using the standard configuration.
logwatch
Monitors the $LOGFILE and produces an audible alarm when new Shorewall messages are logged.
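The safe-start, safe-restart and try commands above all rely on one idea: arm a fallback before making the change, and let it fire unless the operator cancels it in time. The following is an added example, not Shorewall's own code, that spells that dead-man timer out in portable shell so it can wrap any command issued over a remote session. It assumes only POSIX sh plus the shorewall save, restore and restart commands documented on this page; the 60-second default and the guarded_restart wrapper are choices made for the example.

```shell
#!/bin/sh
# Added example, not part of Shorewall: a dead-man timer that undoes a
# firewall change unless it is cancelled in time. It is the idea behind
# "shorewall try DIR TIMEOUT" and "shorewall safe-restart", made reusable
# around any command run over a remote session (ssh into the firewall).

# arm_revert SECONDS COMMAND [ARG...]
#   Starts a background job that runs COMMAND after SECONDS seconds and
#   prints the job's PID. All descriptors are detached from the caller so
#   the function returns immediately even when called inside $(...).
arm_revert() {
    secs=$1; shift
    ( sleep "$secs"; "$@" ) >/dev/null 2>&1 </dev/null &
    echo $!
}

# disarm_revert PID
#   Cancels a timer armed by arm_revert. Killing the subshell is enough: the
#   orphaned sleep is harmless and the revert command itself never runs.
disarm_revert() {
    kill "$1" 2>/dev/null
}

# guarded_restart SECONDS
#   The safe-restart sequence built from the pieces above. "shorewall save"
#   takes the snapshot that "shorewall restore" falls back to; the operator
#   keeps the new rules by running the printed kill before the timer fires.
#   Must run as root on a host where Shorewall is installed (assumption).
guarded_restart() {
    shorewall save || return 1
    timer=$(arm_revert "$1" shorewall restore)
    if shorewall restart; then
        echo "new rules active; to keep them run within $1 s: kill $timer"
    else
        disarm_revert "$timer"
        shorewall restore            # restart failed: revert right away
        return 1
    fi
}

# Typical use on the firewall itself:   guarded_restart 60
```

Because the revert job is a separate process, it survives the ssh session dropping, which is exactly the failure that motivates the timer; the only way to lose the fallback is to disarm it deliberately.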

DYNAMIC BLACKLIST COMMAND

Shorewall can handle blacklists dynamically:

drop <ipaddresslist>
Inserts ipaddresslist into the dynamic blacklist; packets from those addresses are silently dropped (DROP).
reject <ipaddresslist>
Inserts ipaddresslist into the dynamic blacklist using the REJECT policy.
allow <ipaddresslist>
Removes ipaddresslist from the blacklist.
save
Saves the dynamic blacklisting configuration so that it will be automatically restored the next time that the firewall is restarted. This command also creates the /var/lib/shorewall/restore script as described above.
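A common use of the dynamic blacklist is to feed it from the firewall's own log, the entries that "shorewall show log" and "shorewall hits" summarise. The script below is an added example, not Shorewall code: it counts DROP and REJECT hits per source address, skips a list of addresses that must never be blocked (the same concern routestopped addresses for a stopped firewall), and emits the resulting "shorewall drop" and "shorewall save" commands. It assumes the default log prefix Shorewall:<chain>:<disposition>: followed by the standard Netfilter fields; the log lines, the threshold and the exempt addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not Shorewall code: derive "shorewall drop" candidates from
# log entries in the default Shorewall:<chain>:<disposition>: format.

# Constructed sample of $LOGFILE entries (documentation address ranges).
# One line is an unrelated kernel message, one is an ACCEPT; neither counts.
SAMPLE_LOG='Jan 10 10:00:01 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 10 10:00:02 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 PROTO=TCP SPT=51235 DPT=23 SYN
Jan 10 10:00:03 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 LEN=40 PROTO=TCP SPT=40000 DPT=22 SYN
Jan 10 10:00:04 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 PROTO=TCP SPT=51236 DPT=3389 SYN
Jan 10 10:00:05 gw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.7 LEN=60 PROTO=TCP SPT=33000 DPT=443 SYN
Jan 10 10:00:06 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 LEN=40 PROTO=UDP SPT=40001 DPT=161
Jan 10 10:00:07 gw kernel: Shorewall:net2fw:REJECT:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.1 LEN=40 PROTO=TCP SPT=51237 DPT=25 SYN
Jan 10 10:00:08 gw kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.1 LEN=40 PROTO=UDP SPT=40002 DPT=162
Jan 10 10:00:09 gw kernel: eth0: link up'

# Addresses that must never end up in the blacklist, whatever the log says
# (constructed: an external monitoring host and an internal server).
NEVER_BLOCK='192.0.2.9 10.0.0.5'

# blacklist_candidates MIN_HITS  (log on stdin)
#   Prints every SRC seen MIN_HITS or more times in DROP/REJECT entries.
#   ACCEPT entries and non-Shorewall lines are ignored; output is sorted.
blacklist_candidates() {
    awk -v min="$1" '
        /Shorewall:[^:]*:(DROP|REJECT):/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^SRC=/) { hits[substr($i, 5)]++; break }
        }
        END { for (ip in hits) if (hits[ip] >= min) print ip }' | sort
}

# filter_exempt  (candidates on stdin)
#   Removes anything listed in NEVER_BLOCK.
filter_exempt() {
    while read -r ip; do
        skip=0
        for x in $NEVER_BLOCK; do [ "$ip" = "$x" ] && skip=1; done
        [ "$skip" -eq 1 ] || echo "$ip"
    done
}

# plan_drops MIN_HITS  (log on stdin) -> addresses to hand to "shorewall drop"
plan_drops() {
    blacklist_candidates "$1" | filter_exempt
}

# apply_drops MIN_HITS  (log on stdin)
#   Prints the commands unless DRY_RUN=0 and Shorewall is installed, in which
#   case it blacklists the addresses and saves so they survive a restart.
apply_drops() {
    ips=$(plan_drops "$1")
    [ -n "$ips" ] || { echo "nothing to block"; return 0; }
    if [ "${DRY_RUN:-1}" = 1 ] || ! command -v shorewall >/dev/null 2>&1; then
        echo "would run: shorewall drop $(echo $ips); shorewall save"
    else
        shorewall drop $ips && shorewall save
    fi
}

printf '%s\n' "$SAMPLE_LOG" | apply_drops 3
```

With the sample above and a threshold of 3 hits, 198.51.100.7 (three drops and a reject) is blocked while 192.0.2.9, which also reaches the threshold, is kept out by NEVER_BLOCK. Run it against the real file with "DRY_RUN=0 apply_drops 3 < $LOGFILE" once the exempt list covers your management addresses; "shorewall allow" undoes a mistake, and "shorewall show dynamic" confirms what is currently loaded.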

DYNAMIC ZONES COMMAND

Shorewall's zones can be altered dynamically:

add <interface>[:host] <zone>
Adds the specified interface (and host if included) to the specified zone.
del <interface>[:host] <zone>
Deletes the specified interface (and host if included) from the specified zone.

MISC COMMAND

ipcalc [<address> <mask> | <address/vlsm>]
Displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input.
iprange address1-address2
Decomposes the specified range of IP addresses into the equivalent list of network/host addresses.
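The two helpers above are worth being able to reproduce, because a rule is only as precise as the network arithmetic behind it. What follows is an added example, not Shorewall's own implementation: the same calculations in portable shell, including the one check a practitioner wants and a calculator usually lacks, rejecting a dotted netmask whose set bits are not contiguous (255.0.255.0 does not describe a network). The range-to-CIDR decomposition is the general greedy algorithm of which the iprange command shows one instance.

```shell
#!/bin/sh
# Added example (not Shorewall's code): the arithmetic behind
# "shorewall ipcalc" and "shorewall iprange" in portable shell.

ip2int() {              # dotted quad -> 32-bit integer
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

int2ip() {              # 32-bit integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

mask_of() {             # prefix length -> netmask as integer
    [ "$1" -eq 0 ] && { echo 0; return; }
    echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# ipcalc ADDRESS/VLSM  |  ipcalc ADDRESS NETMASK
#   Prints the same four facts as "shorewall ipcalc". A dotted netmask is
#   accepted only if its set bits are contiguous.
ipcalc() {
    local addr vlsm maskint m a net bcast
    if [ $# -eq 2 ]; then
        addr=$1; maskint=$(ip2int "$2"); vlsm=0; m=$maskint
        while [ $(( m & 0x80000000 )) -ne 0 ]; do      # count leading ones
            vlsm=$((vlsm + 1)); m=$(( (m << 1) & 0xFFFFFFFF ))
        done
        [ "$m" -eq 0 ] || { echo "ipcalc: non-contiguous netmask $2" >&2; return 1; }
    else
        addr=${1%/*}; vlsm=${1#*/}
        [ "$vlsm" -ge 0 ] 2>/dev/null && [ "$vlsm" -le 32 ] ||
            { echo "ipcalc: bad prefix length in $1" >&2; return 1; }
        maskint=$(mask_of "$vlsm")
    fi
    a=$(ip2int "$addr")
    net=$(( a & maskint ))
    bcast=$(( net | (~maskint & 0xFFFFFFFF) ))
    printf 'CIDR=%s/%s\nNETMASK=%s\nNETWORK=%s\nBROADCAST=%s\n' \
        "$(int2ip "$net")" "$vlsm" "$(int2ip "$maskint")" \
        "$(int2ip "$net")" "$(int2ip "$bcast")"
}

# iprange FIRST-LAST
#   Greedy decomposition: from the low end, take the widest block that is
#   aligned on its own size and does not overshoot LAST, then advance.
iprange() {
    local lo hi p m
    lo=$(ip2int "${1%-*}"); hi=$(ip2int "${1#*-}")
    [ "$lo" -le "$hi" ] || { echo "iprange: start exceeds end in $1" >&2; return 1; }
    while [ "$lo" -le "$hi" ]; do
        p=32
        while [ "$p" -gt 0 ]; do
            m=$(mask_of $((p - 1)))
            [ $(( lo & m )) -eq "$lo" ] || break                  # alignment
            [ $(( lo | (~m & 0xFFFFFFFF) )) -le "$hi" ] || break  # fits
            p=$((p - 1))
        done
        echo "$(int2ip "$lo")/$p"
        lo=$(( lo + (1 << (32 - p)) ))
    done
}

ipcalc 192.168.1.77/26
iprange 192.168.1.10-192.168.1.20
```

The range 192.168.1.10-192.168.1.20 becomes four blocks (/31, /30, /30, /32); a hand-written 192.168.1.0/27 would cover twelve hosts the rule was never meant to touch, which is why the decomposition matters for ACCEPT rules as much as for blacklists.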

CONFIGURATION FILES

/etc/shorewall/
The default configuration directory. Common default configurations provided by the author are installed under /usr/share/shorewall/.
shorewall.conf
Shorewall's main configuration file.
params
Set shell variables that can be used in some of the other configuration files.
zones
Define the network zones.
interfaces
Tells the firewall which of your firewall's network interfaces are connected to which zone.
hosts
Defines zones in terms of subnets and/or individual IP addresses.
policy
Describes the firewall policies that control the traffic between zones.
rules
Defines exceptions to the policies.
masq
Defines classical IP Masquerading and Source Network Address Translation (SNAT).
proxyarp
Defines Proxy ARP.
nat
Defines static NAT rules.
tunnels
Defines IPSec, GRE, IPIP and PPTP tunnels with end-points on the firewall.
tcrules
Defines marks to classify packets for traffic shaping.
modules
Contains commands for loading the kernel modules required by Shorewall-defined firewall rules.
tos
Defines Type of Service field in packet headers based on packet source, packet destination, protocol, source port and destination port.
blacklist
Defines static blacklists.
rfc1918
Defines the treatment of packets under the norfc1918 interface option (it is installed under /usr/share/shorewall).
bogons
Defines the treatment of packets under the nobogons interface option (it is installed under /usr/share/shorewall).
routestopped
Defines the hosts that are accessible from the firewall when the firewall is stopped.
maclist
Associates MAC addresses with interfaces and optionally associates IP addresses with MAC addresses.
netmap
Defines one-to-one NAT between whole networks (the Netfilter NETMAP target).
init
Contains a list of commands that will be executed at the beginning of a "shorewall start" or "shorewall restart" command.
initdone
Contains a list of commands that will be executed early in the process of Shorewall configuration, after the old configuration has been cleared.
start
Contains a list of commands that will be executed after Shorewall has been started or restarted.
stop
Contains a list of commands that will be executed at the beginning of a "shorewall stop" command.
stopped
Contains a list of commands that will be executed at the completion of a "shorewall stop" command.
ecn
Lists the destinations for which you want to disable ECN.
users
Associates local users and/or groups to Shorewall "User Sets".
userset
Controls access by individual users to other network hosts from the firewall system.
accounting
Contains rules for traffic accounting.
actions and action.template
Files in /etc/shorewall and /usr/share/shorewall respectively that allow you to define your own actions for rules in /etc/shorewall/rules.
actions.std and action.*
Files in /usr/share/shorewall that define the actions included as a standard part of Shorewall.
macro.*
Macro definitions (introduced in Shorewall 3.0.0).
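The zones, interfaces, policy, rules and masq files above fit together in a fixed way: every zone named in the other files must be declared in zones, and the policy file's catch-all rows decide what happens to anything the rules file does not mention. The script below is an added example, not part of Shorewall. It writes a minimal firewall/net/loc configuration into a scratch directory, so it can be tried with "shorewall -c DIR check" or "shorewall try DIR 60" without touching /etc/shorewall, and then performs the one consistency check that "check" also does, confirming that every referenced zone is declared. The column layout follows the Shorewall 3.0 files; eth0/eth1 and the ports opened are assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of Shorewall: a staging configuration plus a local
# zone-reference check. Interface names and services are assumptions.

# write_config DIR: a two-interface gateway (net on eth0, LAN on eth1).
write_config() {
    dir=$1
    mkdir -p "$dir"
    cat >"$dir/zones" <<'EOF'
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
EOF
    cat >"$dir/interfaces" <<'EOF'
#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        detect      tcpflags,nosmurfs
EOF
    cat >"$dir/policy" <<'EOF'
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
fw      all     ACCEPT
net     all     DROP    info
# last row catches everything else, including loc->fw, so it must be explicit
all     all     REJECT  info
EOF
    cat >"$dir/rules" <<'EOF'
#ACTION SOURCE  DEST    PROTO   DEST PORT(S)
# management and DNS only from the LAN; net stays under the DROP policy
ACCEPT  loc     fw      tcp     22
ACCEPT  loc     fw      udp     53
ACCEPT  loc     fw      tcp     53
ACCEPT  net     fw      icmp    8
EOF
    cat >"$dir/masq" <<'EOF'
#INTERFACE  SUBNET
eth0        eth1
EOF
}

# declared_zones DIR: first column of the zones file, comments skipped.
declared_zones() {
    awk '!/^#/ && NF { print $1 }' "$1/zones"
}

# referenced_zones DIR: zone names used in interfaces (col 1), policy
# (cols 1-2) and rules (cols 2-3), with host qualifiers such as loc:10.0.0.5
# stripped and the keywords "all" and "$FW" ignored.
referenced_zones() {
    dir=$1
    {
        awk '!/^#/ && NF { print $1 }' "$dir/interfaces"
        awk '!/^#/ && NF { print $1; print $2 }' "$dir/policy"
        awk '!/^#/ && NF { print $2; print $3 }' "$dir/rules"
    } | sed 's/[:,].*//' | grep -v -e '^all$' -e '^\$FW$' | sort -u
}

# check_zones DIR: succeeds if every referenced zone is declared; otherwise
# names the missing ones on stderr and fails, as "shorewall check" would.
check_zones() {
    dir=$1
    missing=$(referenced_zones "$dir" | while read -r z; do
        declared_zones "$dir" | grep -qx "$z" || echo "$z"
    done)
    [ -z "$missing" ] || { echo "undeclared zone(s): $missing" >&2; return 1; }
}

stage=$(mktemp -d)
write_config "$stage"
check_zones "$stage" && echo "zone references consistent; next: shorewall -c $stage check"
```

A rule such as "ACCEPT dmz:10.1.1.5 fw tcp 443" added without a matching dmz row in zones is reported by check_zones before Shorewall is asked to load anything; the test below exercises exactly that case. The local check is deliberately narrow, the page's own caution about "check" applies: only a real start or try proves the generated iptables commands load.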

AUTHORS

Tom Eastep <teastep@shorewall.net>