shorewall - the Shoreline firewall, an iptables based firewall

shorewall [debug|trace] [nolock] [-c <directory>] [-q] [-f] <command>

Copyright (C) 1999-2005 by Tom Eastep <teastep@shorewall.net>

The Shoreline Firewall, more commonly known as Shorewall, is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

debug|trace

Set up the debug mode (sets the -x shell option).

nolock

Tells Shorewall not to acquire the lock file ($STATEDIR/lock). Used by programs issuing Shorewall commands when those programs already have the lock file.

-c directory

Look for configuration files in directory instead of /etc/shorewall/.

-f

If the file /var/lib/shorewall/restore is present shorewall restore the state of the firewall when /var/lib/shorewall/restore was created. Note: this option can be used only with the start command.

-n

This option, when used with start, stop and restart forces Shorewall to not alter the routing in any way.

-q

Quiet mode.

start

Starts the firewall.

stop

Stops the firewall. The only traffic permitted through the firewall is from systems listed in /etc/shorewall/routestopped.

restart

Stops the firewall (if it's running) and then starts it again.

reset

Reset the packet and byte counters in the firewall.

clear

Remove all rules and chains installed by the firewall.

refresh

Refresh the rules involving the broadcast addresses of firewall interfaces, the black list, traffic control rules and ECN control rules.

save

Creates a script /var/lib/shorewall/restore which when run will restore the state of the firewall to its current state.

restore

Runs the /var/lib/shorewall/restore created by the Shorewall save command.

forget

Removes the /var/lib/shorewall/restore script created by the save command and the dynamic blacklist save file (/var/lib/shorewall/save).

safe-start

Starts the firewall then prompts you to ask you if everything looks ok. If you answer "no" or if you don't answer within 60 seconds, a "shorewall clear" is executed.

safe-restart

Saves your current configuration to /var/lib/shorewall/safe-restart then issues a "shorewall restart"; It then prompts you to ask if you if you want to accept the new configuration. If you answer "no" or if you don't answer within 60 seconds, the configuration is restored to its prior state.

status

Rports the status of the firewall (started or not started).

dump

Produces a verbose report about the firewall (iptables -L -n -v).

show [key]

Produces a verbose report about the firewall (iptable -L -n -v), key can be one of the following:

chain

Produces a verbose report about the chain (iptable -L chain -n -v)

nat

Produces a verbose report about the nat table (iptables -t nat -L -n -v).

tos

Produces a verbose report about the mangle table (iptables -t mangle -L -n -v).

log

Display the last 20 packet log entries.

connections

Displays the IP connections currently being tracked by the firewall.

tc

Displays information about the traffic control/shaping configuration

dynamic

Displays the dynamic blacklisting configuration

hits

Produces several reports about the Shorewall packet log messages in the current log file named in the $LOGFILE variable in /etc/shorewall/shorewall.conf.

version

Displays the installed version number.

check

Performs a cursory validation of the zones, interfaces, hosts, rules and policy files. CAUTION: this command is totally unsuppored and does not parse and validate the generated iptables commands. Even though the command completes successfully, the configuration may fail to start. Problem reports that complain about errors that the command does not detect will not be accepted.

try configuration-directory [timeout]

Restarts Shorewall using the configuration found in configuration-directory and if an error occurs or if the timeout option is given and the new configuration has been up for that many seconds then Shorewall is restarted using the standard configuration.

logwatch

Monitors the $LOGFILE and produces an audible alarm when new Shorewall messages are logged.

Shorewall can handle blacklists dynamically:

drop <ipaddresslist>

Inserts ipaddresslist into the blacklist using the DENY policy.

reject <ipaddresslist>

Inserts ipaddresslist into the blacklist using the REJECT policy

allow <ipaddresslist>

Removes ipaddresslist from the blacklist.

save

saves the dynamic blacklisting configuration so that it will be automatically restored the next time that the firewall is restarted. This command also creates the /var/lib/shorewall/restore script as described above.

Shorewall's zones can be altered dynamically:

add <interface>[:host] <zone>

Adds the specified interface (and host if included) to the specified zone.

del <interface>[:host] <zone>

Deletes the specified interface (and host if included) from the specified zone.

ipcalc [<address> <mask> | <address/vlsm>]

Displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s].

iprange address1-address2

Decomposes the specified range of IP addresses into the equivalent list of network/host addresses.

iptables(8)

/etc/shorewall/

The default configuration directory. Common default configurations provided by the author are installed under /usr/share/shorewall/.

shorewall.conf

Main Shorewall's configuration file.

params

Set shell variables that can be used in some of the other configuration files.

zones

Define the network zones.

interfaces

Tells the firewall which of your firewall's network interfaces are connected to which zone.

hosts

Defines zones in terms of subnets and/or individual IP addresses.

policy

Describes the firewall policies that control the traffic between zones.

rules

Defines exceptions to the policies.

masq

Defines classical IP Masquerading and Source Network Address Translation (SNAT).

proxyarp

Defines Proxy ARP.

nat

Defines static NAT rules.

tunnels

Defines IPSec, GRE, IPIP and PPTP tunnels with end-points on the firewall.

tcrules

Defines marks to classify packet for traffic shaping.

modules

Contains commands for loading the kernel modules required by Shorewall-defined firewall rules.

tos

Defines Type of Service field in packet headers based on packet source, packet destination, protocol, source port and destination port.

blacklist

Defines static blacklists.

rfc1918

Defines the treatment of packets under the norfc1918 interface option (it is installed under /ysr/share/shorewall).

bogons

Defines the treatment of packets under the nobogons interface option (it is installed under /ysr/share/shorewall).

routestopped

Defines the hosts that are accessible from the firewall when the firewall is stopped.

maclist

Associates MAC addresses with interfaces and optionally associates IP addresses with MAC addresses.

netmap

init

Contains a list of commands that will be executed at the beginning of a "shorewall start" or "shorewall restart" command.

initdone

Contains a list of commands that will be executed early in the process of Shorewall configuration, after the old configuration has been cleared.

start

Contains a list of commands that will be executed after Shorewall has been started or restarted.

stop

Contains a list of commands that will be executed at the beginning of a "shorewall stop" command.

stopped

Contains a list of commands that will be executed at the completion of a "shorewall stop" command.

ecn

Lists the destinations for which you want to disable ECN.

users

Associates local users and/or groups to Shorewall "User Sets".

userset

Controls access by individual users to other network hosts from the firewall system.

accounting

Contains rules for traffic accounting.

actions and action.template

Files in /etc/shorewall and /usr/share/shorewall respectively that allow you to define your own actions for rules in /etc/shorewall/rules.

actions.std and action.*

Files in /usr/share/shorewall that define the actions included as a standard part of Shorewall.

macro.*

Macros definition (introduced in Shorewall 3.0.0).

Tom Eastep <teastep@shorewall.net>