shorewall.8

sharewall is very good

.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBCaution\fR
.ps -1
.br
The
\fBadd\fR
command is not very robust\&. If there are errors in the
\fIhost\-list\fR, you may see a large number of error messages yet a subsequent
\fBshorewall show zones\fR
command will indicate that all hosts were added\&. If this happens, replace
\fBadd\fR
by
\fBdelete\fR
and run the same command again\&. Then enter the correct command\&.
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBallow\fR
.RS 4
Re\-enables receipt of packets from hosts previously blacklisted by a
\fBdrop\fR,
\fBlogdrop\fR,
\fBreject\fR, or
\fBlogreject\fR
command\&.
.RE
.PP
\fBcheck\fR
.RS 4
Compiles the configuraton in the specified
\fIdirectory\fR
and discards the compiled output script\&. If no
\fIdirectory\fR
is given, then /etc/shorewall is assumed\&.
.sp
The
\fB\-e\fR
option causes the compiler to look for a file named capabilities\&. This file is produced using the command
\fBshorewall\-lite show \-f capabilities > capabilities\fR
on a system with Shorewall Lite installed\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.sp
The
\fB\-d\fR
option only works when the compiler is Shorewall\-perl\&. It causes the compiler to be run under control of the Perl debugger\&.
.sp
The
\fB\-p\fR
option only works when the compiler is Shorewall\-perl\&. It causes the compiler to be profiled via the Perl
\fB\-wd:DProf\fR
command\-line option\&.
.RE
.PP
\fBclear\fR
.RS 4
Clear will remove all rules and chains installed by Shorewall\&. The firewall is then wide open and unprotected\&. Existing connections are untouched\&. Clear is often used to see if the firewall is causing connection problems\&.
.sp
The
\fB\-f\fR
option was added in Shorewall 4\&.0\&.3\&. If
\fB\-f\fR
is given, the command will be processed by the compiled script that executed the last successful
\fBstart\fR,
\fBrestart\fR
or
\fBrefresh\fR
command if that script exists\&.
.RE
.PP
\fBcompile\fR
.RS 4
Compiles the current configuration into the executable file
\fIpathname\fR\&. If a directory is supplied, Shorewall will look in that directory first for configuration files\&.
.sp
When \-e is specified, the compilation is being performed on a system other than where the compiled script will run\&. This option disables certain configuration options that require the script to be compiled where it is to be run\&. The use of \-e requires the presense of a configuration file named
\FCcapabilities\F[]
which may be produced using the command
\fBshorewall\-lite show \-f capabilities > capabilities\fR
on a system with Shorewall Lite installed
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.sp
The
\fB\-d\fR
option only works when the compiler is Shorewall\-perl\&. It causes the compiler to be run under control of the Perl debugger\&.
.sp
The
\fB\-p\fR
option only works when the compiler is Shorewall\-perl\&. It causes the compiler to be profiled via the Perl
\fB\-wd:DProf\fR
command\-line option\&.
.RE
.PP
\fBdelete\fR
.RS 4
The delete command reverses the effect of an earlier
\fBadd\fR
command\&.
.sp
The
\fIinterface\fR
argument names an interface defined in the
\m[blue]\fBshorewall\-interfaces\fR\m[]\&\s-2\u[2]\d\s+2(5) file\&. A
\fIhost\-list\fR
is comma\-separated list whose elements are a host or network address\&.
.RE
.PP
\fBdrop\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be silently dropped\&.
.RE
.PP
\fBdump\fR
.RS 4
Produces a verbose report about the firewall configuration for the purpose of problem analysis\&.
.sp
The
\fB\-x\fR
option causes actual packet and byte counts to be displayed\&. Without that option, these counts are abbreviated\&. The
\fB\-m\fR
option causes any MAC addresses included in Shorewall log messages to be displayed\&.
.RE
.PP
\fBexport\fR
.RS 4
If
\fIdirectory1\fR
is omitted, the current working directory is assumed\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.sp
Allows a non\-root user to compile a shorewall script and stage it on a system (provided that the user has access to the system via ssh)\&. The command is equivalent to:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
    \fB/sbin/shorewall compile \-e\fR \fIdirectory1\fR \fIdirectory1\fR\fB/firewall &&\e\fR
    \fBscp\fR directory1\fB/firewall\fR \fIdirectory1\fR\fB/firewall\&.conf\fR [\fIuser\fR@]\fBsystem\fR:[\fIdirectory2\fR]
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory\&. If compilation succeeds, then firewall and firewall\&.conf are copied to
\fIsystem\fR
using scp\&.
.RE
.PP
\fBforget\fR
.RS 4
Deletes /var/lib/shorewall/\fIfilenam\fRe and /var/lib/shorewall/save\&. If no
\fIfilename\fR
is given then the file specified by RESTOREFILE in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) is assumed\&.
.RE
.PP
\fBhelp\fR
.RS 4
Displays a syntax summary\&.
.RE
.PP
\fBhits\fR
.RS 4
Generates several reports from Shorewall log messages in the current log file\&. If the
\fB\-t\fR
option is included, the reports are restricted to log messages generated today\&.
.RE
.PP
\fBipcalc\fR
.RS 4
Ipcalc displays the network address, broadcast address, network in CIDR notation and netmask corresponding to the input[s]\&.
.RE
.PP
\fBiprange\fR
.RS 4
Iprange decomposes the specified range of IP addresses into the equivalent list of network/host addresses\&.
.RE
.PP
\fBload\fR
.RS 4
If
\fIdirectory\fR
is omitted, the current working directory is assumed\&. Allows a non\-root user to compile a shorewall script and install it on a system (provided that the user has root access to the system via ssh)\&. The command is equivalent to:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
    \fB/sbin/shorewall compile \-e\fR \fI\fIdirectory\fR\fR \fIdirectory\fR\fB/firewall &&\e\fR
    \fBscp\fR \fIdirectory\fR\fB/firewall\fR \fIdirectory\fR\fB/firewall\&.conf\fR \fBroot@\fR\fIsystem\fR\fB:/var/lib/shorewall\-lite/ &&\e\fR
    \fBssh root@\fR\fIsystem\fR \fB\'/sbin/shorewall\-lite start\'\fR
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory\&. If compilation succeeds, then firewall is copied to
\fIsystem\fR
using scp\&. If the copy succeeds, Shorewall Lite on
\fIsystem\fR
is started via ssh\&.
.sp
If
\fB\-s\fR
is specified and the
\fBstart\fR
command succeeds, then the remote Shorewall\-lite configuration is saved by executing
\fBshorewall\-lite save\fR
via ssh\&.
.sp
if
\fB\-c\fR
is included, the command
\fBshorewall\-lite show capabilities \-f > /var/lib/shorewall\-lite/capabilities\fR
is executed via ssh then the generated file is copied to
\fIdirectory\fR
using scp\&. This step is performed before the configuration is compiled\&.
.sp
If
\fB\-r\fR
is included, it specifies that the root user on
\fIsystem\fR
is named
\fIroot\-user\-name\fR
rather than "root"\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.RE
.PP
\fBlogdrop\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be logged then discarded\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2
(5)\&.
.RE
.PP
\fBlogwatch\fR
.RS 4
Monitors the log file specified by the LOGFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) and produces an audible alarm when new Shorewall messages are logged\&. The
\fB\-m\fR
option causes the MAC address of each packet source to be displayed if that information is available\&. The
\fIrefresh\-interval\fR
specifies the time in seconds between screen refreshes\&. You can enter a negative number by preceding the number with "\-\-" (e\&.g\&.,
\fBshorewall logwatch \-\- \-30\fR)\&. In this case, when a packet count changes, you will be prompted to hit any key to resume screen refreshes\&.
.RE
.PP
\fBlogreject\fR
.RS 4
Causes traffic from the listed
\fIaddress\fRes to be logged then rejected\&. Logging occurs at the log level specified by the BLACKLIST_LOGLEVEL setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2
(5)\&.
.RE
.PP
\fBrefresh\fR
.RS 4
Shorewall\-shell: The rules involving the the black list, ECN control rules, and traffic shaping are recreated to reflect any changes made to your configuration files\&. Existing connections are untouched\&.
.sp
Shorewall\-perl: All steps performed by
\fBrestart\fR
are performed by
\fBrefresh\fR
with the exception that
\fBrefresh\fR
only recreates the chains specified in the command while
\fBrestart\fR
recreates the entire Netfilter ruleset\&. If no
\fIchain\fR
is given, the static blacklisting chain
\fBblacklst\fR
is assumed\&.
.sp
\fBNote\fR: Specifying chains in the command requires Shorewall\-perl 4\&.0\&.3 or later\&. Earlier versions only refresh the blacklst chain
.sp
The listed chains are assumed to be in the filter table\&. You can refresh chains in other tables by prefixing the chain name with the table name followed by ":" (e\&.g\&., nat:net_dnat)\&. Chain names which follow are assumed to be in that table until the end of the list or until an entry in the list names another table\&. Built\-in chains such as FORWARD may not be refreshed\&.
.sp
Example:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
\fBshorewall refresh net2fw nat:net_dnat\fR #Refresh the \'net2loc\' chain in the filter table and the \'net_dnat\' chain in the nat table
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
Beginning with Shorewall 4\&.1, the
\fBrefresh\fR
command has slightly different behavior\&. When no chain name is given to the
\fBrefresh\fR
command, the mangle table is refreshed along with the blacklist chain (if any)\&. This allows you to modify
\FC/etc/shorewall/tcrules \F[]and install the changes using
\fBrefresh\fR\&.
.RE
.PP
\fBreload\fR
.RS 4
If
\fIdirectory\fR
is omitted, the current working directory is assumed\&. Allows a non\-root user to compile a shorewall script and install it on a system (provided that the user has root access to the system via ssh)\&. The command is equivalent to:
.sp
.if n \{\
.RS 4
.\}
.fam C
.ps -1
.nf
.BB lightgray
    \fB/sbin/shorewall compile \-e\fR \fIdirectory\fR \fIdirectory\fR\fB/firewall &&\e\fR
    \fBscp\fR \fIdirectory\fR\fB/firewall\fR \fIdirectory\fR\fB/firewall\&.conf\fR \fBroot@\fR\fIsystem\fR\fB:/var/lib/shorewall\-lite/ &&\e\fR
    \fBssh root@\fR\fIsystem\fR \fB\'/sbin/shorewall\-lite restart\'\fR
.EB lightgray
.fi
.fam
.ps +1
.if n \{\
.RE
.\}
.sp
In other words, the configuration in the specified (or defaulted) directory is compiled to a file called firewall in that directory\&. If compilation succeeds, then firewall is copied to
\fIsystem\fR
using scp\&. If the copy succeeds, Shorewall Lite on
\fIsystem\fR
is restarted via ssh\&.
.sp
If
\fB\-s\fR
is specified and the
\fBrestart\fR
command succeeds, then the remote Shorewall\-lite configuration is saved by executing
\fBshorewall\-lite save\fR
via ssh\&.