SHOREWALL(8) | Administrative Commands | SHOREWALL(8) |
shorewall - Administration tool for Shoreline Firewall (Shorewall)
shorewall[6][-lite] [trace|debug [nolock]] [options] add { interface[:host-list]... zone | zone host-list }
shorewall[6][-lite] [trace|debug [nolock]] [options] allow address
shorewall[6][-lite] [trace|debug [nolock]] [options] blacklist address [option ...]
shorewall[6][-lite] [trace|debug [nolock]] [options] call function [parameter ...]
shorewall[6] [trace|debug] [options] [check | ck ] [-e] [-d] [-p] [-r] [-T] [-i] [directory]
shorewall[6][-lite] [trace|debug [nolock]] [options] clear [-f]
shorewall[6][-lite] [trace|debug [nolock]] [options] close { open-number | sourcedest [protocol [ port ]]}
shorewall[6] [trace|debug] [options] [compile | co ] [-e] [-c] [-d] [-p] [-T] [-i] [directory] [pathname]
shorewall[6][-lite] [trace|debug [nolock]] [options] delete { interface[:host-list]... zone | zone host-list }
shorewall[6][-lite] [trace|debug [nolock]] [options] disable { interface | provider }
shorewall[6][-lite] [trace|debug [nolock]] [options] drop address
shorewall[6][-lite] [trace|debug] [options] dump [-x] [-l] [-m] [-c]
shorewall[6][-lite] [trace|debug [nolock]] [options] enable { interface | provider }
shorewall[6] [trace|debug [nolock]] [options] export [directory1] [user@]system[:directory2]
shorewall[6][-lite] [trace|debug [nolock]] [options] forget [filename]
shorewall[6][-lite] [trace|debug] [options] help
shorewall[-lite] [trace|debug] [options] hits [-t]
shorewall[-lite] [trace|debug] [options] ipcalc {address mask | address/vlsm}
shorewall[-lite] [trace|debug] [options] iprange address1-address2
shorewall[6][-lite] [trace|debug] [options] iptrace iptables match expression
shorewall[6][-lite] [trace|debug [nolock]] [options] logdrop address
shorewall[6][-lite] [trace|debug] [options] logwatch [-m] [refresh-interval]
shorewall[6][-lite] [trace|debug [nolock]] [options] logreject address
shorewall[6][-lite] [trace|debug] [options] noiptrace iptables match expression
shorewall[6][-lite] [options] open source dest [ protocol [ port ] ]
shorewall[6][-lite] [trace|debug [nolock]] [options] reenable { interface | provider }
shorewall[6][-lite] [trace|debug [nolock]] [options] reject address
shorewall[6][-lite] [trace|debug [nolock]] [options] reload [-n] [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
shorewall[6] [trace|debug] [options] remote-getcaps [-s] [-R] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6] [trace|debug] [options] remote-getrc [-s] [-c] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6] [trace|debug] [options] remote-start [-s] [-c] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6] [trace|debug] [options] remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6] [trace|debug] [options] remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [[-D]directory] [system]
shorewall[6][-lite] [trace|debug [nolock]] [options] reset [chain ...]
shorewall[6][-lite] [trace|debug [nolock]] [options] restart [-n] [-p [-d]] [-f] [-c] [-T] [-i] [-C] [directory]
shorewall[6][-lite] [trace|debug [nolock]] [options] restore [-n] [-p] [-C] [filename]
shorewall[6][-lite] [trace|debug [nolock]] [options] run command [parameter ...]
shorewall[6] [trace|debug [nolock]] [options] safe-restart [-d] [-p] [-t timeout] [directory]
shorewall[6] [trace|debug] [options] safe-start [-d] [-p] [-t timeout] [directory]
shorewall[6][-lite] [trace|debug [nolock]] [options] save [-C] [filename]
shorewall[6][-lite] [trace|debug [nolock]] [options] savesets
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x] {bl|blacklists}
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [chain...]
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-f] capabilities
shorewall[6] [options] {show | list | ls } [-f] {actions|macros}
shorewall[6] [trace|debug] [options] {show | list | ls } action action
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } {classifiers|connections|config|events|filters|ip|ipa|ipsec|zones|policies|marks}
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } event event
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-c] routing
shorewall[6] [trace|debug] [options] {show | list | ls } macro macro
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-x] {mangle|nat|raw}
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } saves
shorewall[6][-lite] [trace|debug] [options] {show | list | ls } [-m] log
shorewall[6][-lite] [trace|debug [nolock]] [options] start [-n] [-f] [-p] [-c] [-T [-i]] [-C] [directory]
shorewall[6][-lite] [trace|debug [nolock]] [options] stop [-f]
shorewall[6][-lite] [trace|debug] [options] status [-i]
shorewall[6] [trace|debug [nolock]] [options] try directory [timeout]
shorewall[6] [trace|debug] [options] update [-b] [-d] [-r] [-T] [-a] [-i] [-A] [directory]
shorewall[6][-lite] [trace|debug] [options] version [-a]
Beginning with Shorewall 5.1.0, the shorewall utility is used to control the Shoreline Firewall (Shorewall), Shorewall Firewall 6 (Shorewall6), Shorewall Firewall Lite (Shorewall-lite) and Shorewall Firewall 6 Lite (Shorewall6-lite). The utility may be accessed under four different names:
shorewall
shorewall6
shorewall-lite
shorewall6-lite
Prior to Shorewall 5.1.0, these four commands were implemented as four separate program, each of which controlled only a single firewall package. This manpage serves to document both the Shorewall 5.1 and Shorewall 5.0 CLI.
The trace and debug options are used for debugging. See http://www.shorewall.net/starting_and_stopping_shorewall.htm#Trace[1].
The nolock option prevents the command from attempting to acquire the Shorewall lockfile. It is useful if you need to include shorewall commands in /etc/shorewall/started.
Other options are:
-4
-6
-l
With all four firewall products (Shorewall, Shorewall6, Shorewall-lite and Shorewall6-lite) installed, the following table shows the correspondence between the name used to invoke the command and the shorewall command with the above three options.
Table 1. All four products installed
The next table shows the correspondence when only Shorewall-lite and Shorewall6-lite are installed.
Table 2. Only Shorewall-lite and Shorewall6-lite installed
-v[verbosity]
When no verbosity is specified, each instance of this option causes 1 to be added to the effective verbosity. When verbosity (-1,0,1 or 2) is given, the command is executed at the specified VERBOSITY. There may be no white-space between -v and the verbosity.
-q
Each instance of this option causes 1 to be subtracted from the effective verbosity.
-t
The available commands are listed below.
add { interface[:host-list]... zone | zone host-list }
The interface argument names an interface defined in the shorewall-interfaces[4](5) (shorewall6-interfaces[5](5))file. A host-list is comma-separated list whose elements are host or network addresses..if n .sp
Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones[6](5),shorewall6-zones[7](5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the add command has the alternative syntax in which the zone name precedes the host-list.
allow address
blacklist address [ option ... ]
If the disconnect option is specified in the DYNAMIC_BLACKLISTING setting, then the effective VERBOSITY determines the amount of information displayed:
call function [ parameter ... ]
The function is first searched for in lib.base, lib.common, lib.cli and lib.cli-std. If it is not found, the call command is passed to the generated script to be executed.
check [-e] [-d] [-p] [-r] [-T] [-i] [directory]
Compiles the configuration in the specified directory and discards the compiled output script. If no directory is given, then /etc/shorewall is assumed.
The -e option causes the compiler to look for a file named capabilities. This file is produced using the command shorewall-lite show -f capabilities > capabilities on a system with Shorewall Lite installed.
The -d option causes the compiler to be run under control of the Perl debugger.
The -p option causes the compiler to be profiled via the Perl -wd:DProf command-line option.
The -r option was added in Shorewall 4.5.2 and causes the compiler to print the generated ruleset to standard out.
The -T option was added in Shorewall 4.4.20 and causes a Perl stack trace to be included with each compiler-generated error and warning message.
The -i option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf[2](5) (shorewall6.conf[3](5)).
clear [-f]
If -f is given, the command will be processed by the compiled script that executed the last successful start, restart or reload command if that script exists.
close { open-number | source dest [ protocol [ port ] ] }
When the second form of the command is used, the parameters must match those given in the earlier open command.
This command requires that the firewall be in the started state and that DYNAMIC_BLACKLIST=Yes in shorewall.conf (5)[2].
compile [-e] [-c] [-d] [-p] [-T] [-i] [ directory ] [ pathname ]
Compiles the current configuration into the executable file pathname. If a directory is supplied, Shorewall will look in that directory first for configuration files. If the pathname is omitted, the file firewall in the VARDIR (normally /var/lib/shorewall/) is assumed. A pathname of '-' causes the compiler to send the generated script to it's standard output file. Note that '-v-1' is usually specified in this case (e.g., shorewall -v-1 compile -- -) to suppress the 'Compiling...' message normally generated by /sbin/shorewall.
When -e is specified, the compilation is being performed on a system other than where the compiled script will run. This option disables certain configuration options that require the script to be compiled where it is to be run. The use of -e requires the presence of a configuration file named capabilities which may be produced using the command shorewall-lite show -f capabilities > capabilities on a system with Shorewall Lite installed
The -c option was added in Shorewall 4.5.17 and causes conditional compilation of a script. The script specified by pathname (or implied if pathname is omitted) is compiled if it doesn't exist or if there is any file in the directory or in a directory on the CONFIG_PATH that has a modification time later than the file to be compiled. When no compilation is needed, a message is issued and an exit status of zero is returned.
The -d option causes the compiler to be run under control of the Perl debugger.
The -p option causes the compiler to be profiled via the Perl -wd:DProf command-line option.
The -T option was added in Shorewall 4.4.20 and causes a Perl stack trace to be included with each compiler-generated error and warning message.
The -i option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf[2](5) (shorewall6.conf[3](5)).
delete { interface[:host-list]... zone | zone host-list }
The interface argument names an interface defined in the shorewall-interfaces[4](5) (shorewall6-interfaces[5](5) file. A host-list is comma-separated list whose elements are a host or network address.
Beginning with Shorewall 4.5.9, the dynamic_shared zone option (shorewall-zones[6](5), shorewall6-zones[8](5)) allows a single ipset to handle entries for multiple interfaces. When that option is specified for a zone, the delete command has the alternative syntax in which the zone name precedes the host-list.
disable { interface | provider }
Beginning with Shorewall 4.5.10, this command may be used with any optional network interface. interface may be either the logical or physical name of the interface. The command removes any routes added from shorewall-routes[9](5) (shorewall6-routes[10](5))and any traffic shaping configuration for the interface.
drop address
dump [-x] [-l] [-m] [-c]
The -x option causes actual packet and byte counts to be displayed. Without that option, these counts are abbreviated.
The -m option causes any MAC addresses included in Shorewall log messages to be displayed.
The -l option causes the rule number for each Netfilter rule to be displayed.
The -c option causes the route cache to be dumped in addition to the other routing information.
enable { interface | provider }
Beginning with Shorewall 4.5.10, this command may be used with any optional network interface. interface may be either the logical or physical name of the interface. The command sets /proc entries for the interface, adds any route specified in shorewall-routes[9](5) (shorewall6-routes[10](5)) and installs the interface's traffic shaping configuration, if any.
export [ directory1 ] [ user@]system[:directory2 ]
If directory1 is omitted, the current working directory is assumed.
Allows a non-root user to compile a shorewall script and stage it on a system (provided that the user has access to the system via ssh). The command is equivalent to:
/sbin/shorewall compile -e directory1 directory1/firewall &&\
scp directory1/firewall directory1/firewall.conf [user@]system:[directory2]
In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory. If compilation succeeds, then firewall and firewall.conf are copied to system using scp.
forget [ filename ]
help
hits [-t]
ipcalc { address mask | address/vlsm }
iprange address1-address2
iptrace iptables match expression
The iptables match expression must be one or more matches that may appear in both the raw table OUTPUT and raw table PREROUTING chains.
The log message destination is determined by the currently-selected IPv4 or IPv6 logging backend[11].
list
logdrop address
logwatch [-m] [ refresh-interval ]
logreject address
ls
noiptrace iptables match expression
The iptables match expression must be one given in the iptrace command being canceled.
open source dest [ protocol [ port ] ]
The source and dest parameters may each be specified as all if you don't wish to restrict the connection source or destination respectively. Otherwise, each must contain a host or network address or a valid DNS name.
The protocol may be specified either as a number or as a name listed in /etc/protocols. The port may be specified numerically or as a name listed in /etc/services.
To reverse the effect of a successful open command, use the close command with the same parameters or simply restart the firewall.
Example: To open the firewall for SSH connections to address 192.168.1.1, the command would be:
shorewall open all 192.168.1.1 tcp 22
To reverse that command, use:
shorewall close all 192.168.1.1 tcp 22
reenable{ interface | provider }
reject address
reload [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
Shorewall and Shorewall6
The -n option causes Shorewall to avoid updating the routing table(s).
The -p option causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option.
The -d option causes the compiler to run under the Perl debugger.
The -f option suppresses the compilation step and simply reused the compiled script which last started/restarted Shorewall, provided that /etc/shorewall and its contents have not been modified since the last start/restart.
The -c option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall.conf[2](5) (Shorewall and Shorewall6 only). When both -f and -c are present, the result is determined by the option that appears last.
The -T option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message.
The -i option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf[2](5) (shorewall6.conf[3](5))..
The -C option was added in Shorewall 4.6.5 and is only meaningful when AUTOMAKE=Yes in shorewall.conf[2](5) (shorewall6.conf[3](5)). If an existing firewall script is used and if that script was the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters.
Shorewall-lite and Shorewall6-lite
The -n option causes Shorewall to avoid updating the routing table(s).
The -p option causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option.
The -C option was added in Shorewall 4.6.5 If the existing firewall script is the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters.
remote-getcaps [-R] [-r root-user-name] [ [ -D ] directory ] [ system ]
if -R is included, the remote shorewallrc file is also copied to directory.
If -r is included, it specifies that the root user on system is named root-user-name rather than "root".
remote-getrc [-c] [-r root-user-name] [ [ -D ] directory ] [ system ]
if -c is included, the remote capabilities are also copied to directory, as is done by the remote-getcaps command.
If -r is included, it specifies that the root user on system is named root-user-name rather than "root".
remote-start [-n] [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ] directory ] [ system ]
If directory is omitted, the current working directory is assumed. Allows a non-root user to compile a shorewall script and install it on a system (provided that the user has root access to the system via ssh). The command is equivalent to:
/sbin/shorewall compile -e directory directory/firewall &&\
scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
ssh root@system '/sbin/shorewall-lite start'
In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory. If compilation succeeds, then firewall is copied to system using scp. If the copy succeeds, Shorewall Lite on system is started via ssh. Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall.conf[12](5) (shorewall6.conf(5)[3]) is assumed. In that case, if you want to specify a directory, then the -D option must be given.
The -n option causes Shorewall to avoid updating the routing table(s).
If -s is specified and the start command succeeds, then the remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh.
if -c is included, the command shorewall[6]-lite show capabilities -f > /var/lib/shorewall[6]-lite/capabilities is executed via ssh then the generated file is copied to directory using scp. This step is performed before the configuration is compiled.
If -r is included, it specifies that the root user on system is named root-user-name rather than "root".
The -T option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message.
remote-reload [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ] directory ] [ system ]
If directory is omitted, the current working directory is assumed. Allows a non-root user to compile a shorewall script and install it on a system (provided that the user has root access to the system via ssh). The command is equivalent to:
/sbin/shorewall compile -e directory directory/firewall &&\
scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
ssh root@system '/sbin/shorewall-lite reload'
In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory. If compilation succeeds, then firewall is copied to system using scp. If the copy succeeds, Shorewall Lite on system is restarted via ssh. Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5)[13] (shorewall6.conf[3](5)) is assumed. In that case, if you want to specify a directory, then the -D option must be given.
If -s is specified and the restart command succeeds, then the remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh.
if -c is included, the command shorewall-lite show capabilities -f > /var/lib/shorewall-lite/capabilities is executed via ssh then the generated file is copied to directory using scp. This step is performed before the configuration is compiled.
If -r is included, it specifies that the root user on system is named root-user-name rather than "root".
The -T option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message.
The -i option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf[2](5) (shorewall6.conf[3](5)).
remote-restart [-s] [-c] [-r root-user-name] [-T] [-i] [ [ -D ] directory ] [ system ]
If directory is omitted, the current working directory is assumed. Allows a non-root user to compile a shorewall script and install it on a system (provided that the user has root access to the system via ssh). The command is equivalent to:
/sbin/shorewall compile -e directory directory/firewall &&\
scp directory/firewall directory/firewall.conf root@system:/var/lib/shorewall-lite/ &&\
ssh root@system '/sbin/shorewall-lite restart'
In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory. If compilation succeeds, then firewall is copied to system using scp. If the copy succeeds, Shorewall Lite on system is restarted via ssh. Beginning with Shorewall 5.0.13, if system is omitted, then the FIREWALL option setting in shorewall6.conf(5)[13] (shorewall6.conf[3](5)) is assumed. In that case, if you want to specify a directory, then the -D option must be given.
If -s is specified and the restart command succeeds, then the remote Shorewall-lite configuration is saved by executing shorewall-lite save via ssh.
if -c is included, the command shorewall-lite show capabilities -f > /var/lib/shorewall-lite/capabilities is executed via ssh then the generated file is copied to directory using scp. This step is performed before the configuration is compiled.
If -r is included, it specifies that the root user on system is named root-user-name rather than "root".
The -T option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message.
The -i option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf[2](5) (shorewall6.conf[3](5).
reset [chain, ...]
Beginning with Shorewall 5.0.0, chain may be composed of both a table name and a chain name separated by a colon (e.g., mangle:PREROUTING). Chain names following that don't include a table name are assumed to be in that same table. If no table name is given in the command, the filter table is assumed.
restart [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
Shorewall and Shorewall6
The -n option causes Shorewall to avoid updating the routing table(s).
The -p option causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option.
The -d option causes the compiler to run under the Perl debugger.
The -f option suppresses the compilation step and simply reused the compiled script which last started/restarted Shorewall, provided that /etc/shorewall and its contents have not been modified since the last start/restart.
The -c option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall.conf[2](5). When both -f and -c are present, the result is determined by the option that appears last.
The -T option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message.
The -i option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf[2](5).
The -C option was added in Shorewall 4.6.5 and is only meaningful when AUTOMAKE=Yes in shorewall.conf[2](5). If an existing firewall script is used and if that script was the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters.
Shorewall-lite and Shorewall6-lite
The -p option causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option.
The -C option was added in Shorewall 4.6.5 If the existing firewall script is the one that generated the current running configuration, then the running netfilter configuration will be reloaded as is so as to preserve the iptables packet and byte counters.
restore [-n] [-p] [-C] [ filename ]
The -p option, added in Shorewall 4.6.5, causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option.
The -C option was added in Shorewall 4.6.5. If the -C option was specified during shorewall save, then the counters saved by that operation will be restored.
run command [ parameter ... ]
Before executing the command, the script will detect the configuration, setting all SW_* variables and will run your init extension script with $COMMAND = 'run'.
If there are files in the CONFIG_PATH that were modified after the current firewall script was generated, the following warning message is issued:
safe-reload [-d] [-p] [-t timeout ] [ directory ]
Only allowed if Shorewall is running. The current configuration is saved in /var/lib/shorewall/safe-reload (see the save command below) then a shorewall reload is done. You will then be prompted asking if you want to accept the new configuration or not. If you answer "n" or if you fail to answer within 60 seconds (such as when your new configuration has disabled communication with your terminal), the configuration is restored from the saved configuration. If a directory is given, then Shorewall will look in that directory first when opening configuration files.
Beginning with Shorewall 4.5.0, you may specify a different timeout value using the -t option. The numeric timeout may optionally be followed by an s, m or h suffix (e.g., 5m) to specify seconds, minutes or hours respectively. If the suffix is omitted, seconds is assumed.
safe-restart [-d] [-p] [-t timeout ] [ directory ]
Beginning with Shorewall 4.5.0, you may specify a different timeout value using the -t option. The numeric timeout may optionally be followed by an s, m or h suffix (e.g., 5m) to specify seconds, minutes or hours respectively. If the suffix is omitted, seconds is assumed.
safe-start [-d] [-p] [-ttimeout ] [ directory ]
Beginning with Shorewall 4.5.0, you may specify a different timeout value using the -t option. The numeric timeout may optionally be followed by an s, m or h suffix (e.g., 5m) to specify seconds, minutes or hours respectively. If the suffix is omitted, seconds is assumed.
This command is available in Shorewall and Shorewall6 only.
save [-C] [ filename ]
The -C option, added in Shorewall 4.6.5, causes the iptables packet and byte counters to be saved along with the chains and rules.
savesets
show
action action
actions
bl|blacklists [-x]
[-f] capabilities
[-b] [-x] [-l] [-t {filter|mangle|nat|raw}] [ chain... ]
The -b ('brief') option causes rules which have not been used (i.e. which have zero packet and byte counts) to be omitted from the output. Chains with no rules displayed are also omitted from the output.
The -l option causes the rule number for each Netfilter rule to be displayed.
If the -t option and the chain keyword are both omitted and any of the listed chains do not exist, a usage message is displayed.
classifiers|filters
config
connections [filter_parameter ...]
If the conntrack utility is installed, beginning with Shorewall 4.6.11 the set of connections displayed can be limited by including conntrack filter parameters (-p , -s, --dport, etc). See conntrack(8) for details.
event event
events
ip
ipa
ipsec
[-m] log
macros
macro macro
[-x] mangle
marks
[-x] nat
opens
policies
rc
[-c] routing
[-x] raw
saves
tc
zones
start [-n] [-p] [-d] [-f] [-c] [-T] [-i] [-C] [ directory ]
Shorewall and Shorewall6
Update: In Shorewall 4.4.20, a new LEGACY_FASTSTART option was added to shorewall.conf[2](5) (shorewall6.conf[3](5)). When LEGACY_FASTSTART=No, the modification times of files in /etc/shorewall are compared with that of /var/lib/shorewall/firewall (the compiled script that last started/restarted the firewall).
The -n option causes Shorewall to avoid updating the routing table(s).
The -p option causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option.
The -c option was added in Shorewall 4.4.20 and performs the compilation step unconditionally, overriding the AUTOMAKE setting in shorewall.conf[2](5) (shorewall6.conf[3](5)). When both -f and -care present, the result is determined by the option that appears last.
The -T option was added in Shorewall 4.5.3 and causes a Perl stack trace to be included with each compiler-generated error and warning message.
The -i option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf(5)[2] (shorewall6.conf[3](5)).
The -C option was added in Shorewall 4.6.5 and is only meaningful when the -f option is also specified. If the previously-saved configuration is restored, and if the -C option was also specified in the save command, then the packet and byte counters will be restored.
Shorewall-lite and Shorewall6-lite
The -p option causes the connection tracking table to be flushed; the conntrack utility must be installed to use this option.
The -n option prevents the firewall script from modifying the current routing configuration.
The -f option was added in Shorewall 4.6.5. If the RESTOREFILE named in shorewall.conf[12](5) exists, is executable and is not older than the current filewall script, then that saved configuration is restored.
The -C option was added in Shorewall 4.6.5 and is only meaningful when the -f option is also specified. If the previously-saved configuration is restored, and if the -C option was also specified in the save command, then the packet and byte counters will be restored.
stop [-f]
If -f is given, the command will be processed by the compiled script that executed the last successful start, restart or reload command if that script exists.
status [-i]
The -i option was added in Shorewall 4.6.2 and causes the status of each optional or provider interface to be displayed.
try directory [ timeout ]
If Shorewall[6] is started then the firewall state is saved to a temporary saved configuration (/var/lib/shorewall/.try). Next, if Shorewall[6] is currently started then a restart command is issued using the specified configuration directory; otherwise, a start command is performed using the specified configuration directory. if an error occurs during the compilation phase of the restart or start, the command terminates without changing the Shorewall[6] state. If an error occurs during the restart phase, then a shorewall restore is performed using the saved configuration. If an error occurs during the start phase, then Shorewall is cleared. If the start/restart succeeds and a timeout is specified then a clear or restore is performed after timeout seconds.
Beginning with Shorewall 4.5.0, the numeric timeout may optionally be followed by an s, m or h suffix (e.g., 5m) to specify seconds, minutes or hours respectively. If the suffix is omitted, seconds is assumed.
update [-d] [-r] [-T] [-a] [-i] [-A] [ directory ]
Added in Shorewall 4.4.21 and causes the compiler to update /etc/shorewall/shorewall.conf then validate the configuration. The update will add options not present in the old file with their default values, and will move deprecated options with non-defaults to a deprecated options section at the bottom of the file. Your existing shorewall.conf file is renamed shorewall.conf.bak.
The command was extended over the years with a set of options that caused additional configuration updates.
In each case, the old file is renamed with a .bak suffix.
In Shorewall 5.0.0, the options were eliminated and the update command performs all of the updates described above.
WARNING: "Omitted rules and compiler directives were not translated
The -i option was added in Shorewall 4.6.0 and causes a warning message to be issued if the current line contains alternative input specifications following a semicolon (";"). Such lines will be handled incorrectly if INLINE_MATCHES is set to Yes in shorewall.conf[2](5).
The -A option is included for compatibility with Shorewall 4.6 and is equivalent to specifying the -i option.
For a description of the other options, see the check command above.
version [-a]
In general, when a command succeeds, status 0 is returned; when the command fails, a non-zero status is returned.
The status command returns exit status as follows:
0 - Firewall is started.
3 - Firewall is stopped or cleared
4 - Unknown state; usually means that the firewall has never been started.
Two environmental variables are recognized by Shorewall:
SHOREWALL_INIT_SCRIPT
SW_LOGGERTAG
/etc/shorewall/*
/etc/shorewall6/*
04/11/2019 | Administrative Commands |